Skip to content

Security and Resilience in Organizations and their Supply Chains

ATTENTION: This page is intended to be viewed online and may not be printed or copied.

Annex E


E. An Integrated Management Systems Approach

E.1 General

The management systems approach considers how local policies, culture, actions, or changes influence the state of the organization as a whole and its environment. The component parts of a system can best be understood in the context of relationships with each other, rather than in isolation. Therefore, a management system examines the linkages and interactions between the elements that compose the entirety of the system. The management systems approach systematically defines activities necessary to obtain desired results and establishes clear responsibility and accountability for managing key activities. This management systems standard provides requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organization's management system. An organization needs to identify and manage many activities in order to function effectively. Any activity which enables the transformation of inputs into outputs, that uses resources and is formally managed, can be considered to be a process. Often the output from one process directly forms the input to the next process.

The management systems approach for ORMS presented in this Standard encourages its users to emphasize the importance of:

  • Understanding an organization’s risk and business management requirements;

  • Establishing a policy and objectives to manage risks;

  • Implementing and operating controls to manage an organization’s risk and enhance resilience;

  • Monitoring and reviewing the performance and effectiveness of the ORMS, administratively and operationally; and

  • Continual improvement based on objective measurement.

This Standard adopts the "Plan-Do-Check-Act" (PDCA) model, which is applied to structure the security and resilience processes. Figure 6 illustrates how an ORMS takes as input the ORMS requirements and expectations of the interested parties and through the necessary actions and processes produces risk management outcomes that meet those requirements and expectations. Figure 6 also illustrates the links in the processes presented in this Standard.

Figure 6-Annex E.png

Figure 6: Plan-Do-Check-Act Model

Table 4-Annex E.png

The PDCA model is a clear, systematic, and documented approach to:

  • Set measurable objectives and targets;

  • Monitor, measure, and evaluate progress;

  • Identify, prevent or remedy problems as they occur;

  • Assess competence requirements and train persons working on the organizations behalf; and

  • Provide top management with a feedback loop to assess progress and make appropriate changes to the management system.

Furthermore, it contributes to information management within the organization, thereby improving operational efficiency.

This Standard is designed so that it can be integrated with quality, safety, environmental, information security, resilience, risk, security, and other management systems within an organization. A suitably designed management system can thus satisfy the requirements of all these standards. Organizations that have adopted a management systems approach (e.g., according to ANSI/ASIS PSC.1-2012, ISO 9001:2015, ISO 14001:2015, ISO/IEC 27001:2013, ISO 28000:2007, ISO 22301:2012, OHSAS 18001:2007) may be able to use their existing management system as a foundation for the ORMS as prescribed in this Standard. Conformance with this Standard can be verified by an auditing process that is compatible and consistent with the methodology of ISO/IEC 17021:2011, Conformity assessment – Requirements for bodies providing audit and certification of management systems.

E.2 Scope of the ORMS

This scope defines the boundaries, extent and applicability of the ORMS within the organization. It also details any exclusions from this Standard’s requirements and the justification for the exclusions. Exclusions as well as risks, activities and functions considered outside the scope are not part of the ORMS.

The scope defines what your ORMS covers within your organization and its supply chain. The scope of the ORMS can include the whole organization, specific risk sources, and functions within the organization and its supply chain, specific divisions of the organization, or one or more functions across a group of organizations. All processes, activities and functions considered within the scope are managed by the ORMS including those of supply chain partners and subcontractors.

When defining scope, the organization should consider:

  • External and internal issues that are relevant to the pursuit of the organization’s objectives;
  • The risk profile and risk environment;
  • Legal, regulatory, and contractual obligations as well as voluntary commitments;
  • The culture and maturity of the organization and relevant stakeholders;
  • The resources, capabilities, and the ability to achieve intended outcomes;
  • Requirements and perceptions of stakeholder;
  • Commercial and financial objectives and constraints;
  • The products and services of the organization; and
  • The organization’s pursuit of opportunities and enhancement of its resilience.

The organization should revisit its scope statement after it conducts the risk assessment to determine if the boundaries and applicability of the ORMS has been set to address the organization’s and its stakeholder’s needs to manage risk, to pursue opportunities and prevent harm.

The scope statement can be expanded, so in many cases, it is advisable to initially set a scope based on resource constraints as well as achievable goals and timelines. When the management framework of the ORMS is established, it can then be used to address a broader range of issues in a continual improvement fashion.

Next: Annex F

Table of Contents

ORM Standard Home

  • Scope
  • Normative References
  • Terms and Definitions
General Principles
  • Leadership and Vision
  • Governance
  • Factual Basis for Decision Making
  • Outcomes Oriented
  • Needs Oriented Taking Human and Cultural Factors into Account
  • Overall Organizational Risk and Business Management Strategy
  • Systems Approach
  • Adaptablility and Flexibility
  • Managing Uncertainty
  • Cultual Change and Communication

Establishing the Framework

  • General
  • Context of the Organization
  • Needs and Requirements
  • Defining Risk Criteria
  • Scope of the Management System
  • General
  • Management Commitment
  • Policy
  • Organizational Roles, Responsibilities, and Authorities for the ORMS
  • Legal and Other Requirements
  • Risk Assessment
  • Objectives and Plans to Achieve them
  • Actions to Achieve Risk and Business Management Objectives

Structural Requirements

  • General 
  • Organizational Structure
  • Financial and Administrative Procedures
  • Insurance
  • Outsourcing
  • Documented Information

Operation and Implementation

  • Operational Control
  • Resources, Roles, Responsibilities, and Authority
  • Competence, Training, and Awareness
  • Communication
  • Prevention and Management of Undesirable or Disruptive Events

Performance Evaluation

  • General
  • Monitoring and Measurement
  • Evaluation of Compliance
  • Exercises and Testing
  • Internal Audit
  • Management Review

Continual Improvement

  • General
  • Nonconformities, Corrective and Preventative Action
  • Change Management
  • Opportunities for Improvement

Annex B: Examples of Incident Prevention, Preparedness, and Response

Annex C: Examples of Risk Treatment Procedures that Enhance Resilience of the Organization 

Annex D: Business Impact Analysis

Annex E: An Integrated Management Systems Approach

Annex F: Qualifiers to Application

Annex G: Bibliography

Annex H: References