Security and Resilience in Organizations and their Supply Chains

Annex F

F. Qualifiers to Application

The adoption and implementation of a range of ORMS techniques in a systematic manner can contribute to optimal outcomes for all stakeholders and affected parties. However, adoption of this Standard will not by itself guarantee optimal security and resilience outcomes. To achieve its objectives, the ORMS should incorporate the best available practices, techniques, and technologies, where appropriate and where economically viable. The cost-effectiveness of such practices, techniques, and technologies should be taken fully into account.

This Standard does not establish absolute requirements for security and resilience performance beyond commitments in the organization’s policy to:

  • Comply with applicable legal, regulatory, and contractual obligations as well as voluntary commitments;
  • Support prevention of undesirable and disruptive events and risk minimization; and
  • Promote continual improvement.

The main body of this Standard contains only those generic criteria that may be objectively audited. Guidance on supporting ORMS techniques is contained in the other annexes of this document.

This Standard, like other management standards, is not intended to be used to create non-tariff trade barriers or to increase or change an organization’s legal obligations. Indeed, compliance with a standard does not in itself confer immunity from legal obligations. For organizations that so wish, an external or internal auditing process may verify compliance of their ORMS to this Standard. Verification may be by an acceptable first-, second-, or third-party mechanism. Verification does not require third-party certification.

This Standard does not include requirements specific to other management systems, such as those for quality, occupational health and safety, or resilience management – though its elements can be aligned or integrated with those of other management systems. It is possible for an organization to adapt its existing management system(s) to establish an ORMS that conforms to the criteria of this Standard. It should be understood, however, that the application of various elements of the management system might differ depending on the intended purpose and the stakeholders involved.

The level of detail and complexity of the ORMS, the extent of documentation, and the resources devoted to it will be dependent on a number of factors – such as the scope of the system; the size of an organization; and the nature of its activities, products, services, and supply chain. This may be the case in particular for small and medium-sized enterprises.

This Standard provides a common set of criteria for ORMS programs. Terminology used in this Standard emphasizes commonality of concepts, while acknowledging nuances in term usage in the various disciplines. Risk assessment is the process of risk identification, analysis, and evaluation.
