F. Qualifiers to Application
The adoption and implementation of a range of ORMS techniques in a systematic manner can contribute to optimal outcomes for all stakeholders and affected parties. However, adoption of this Standard will not by itself guarantee optimal security and resilience outcomes. To achieve its objectives, the ORMS should incorporate the best available practices, techniques, and technologies, where appropriate and where economically viable. The cost-effectiveness of such practices, techniques, and technologies should be taken fully into account.
This Standard does not establish absolute requirements for security and resilience performance beyond commitments in the organization’s policy to:
- Comply with applicable legal, regulatory, and contractual obligations as well as voluntary commitments;
- Support prevention of undesirable and disruptive events and risk minimization; and
- Promote continual improvement.
The main body of this Standard contains only those generic criteria that may be objectively audited. Guidance on supporting ORMS techniques is contained in the other annexes of this document.
This Standard, like other management standards, is not intended to be used to create non-tariff trade barriers or to increase or change an organization’s legal obligations. Indeed, compliance with a standard does not in itself confer immunity from legal obligations. For organizations that so wish, an external or internal auditing process may verify compliance of their ORMS to this Standard. Verification may be by an acceptable first-, second-, or third-party mechanism. Verification does not require third-party certification.
This Standard does not include requirements specific to other management systems, such as those for quality, occupational health and safety, or resilience management – though its elements can be aligned or integrated with those of other management systems. It is possible for an organization to adapt its existing management system(s) to establish an ORMS that conforms to the criteria of this Standard. It should be understood, however, that the application of various elements of the management system might differ depending on the intended purpose and the stakeholders involved.
The level of detail and complexity of the ORMS, the extent of documentation, and the resources devoted to it will depend on a number of factors – such as the scope of the system; the size of the organization; and the nature of its activities, products, services, and supply chain. Scaling the system to these factors is particularly relevant for small and medium-sized enterprises.
This Standard provides a common set of criteria for ORMS programs. Terminology used in this Standard emphasizes commonality of concepts, while acknowledging nuances in term usage in the various disciplines. Risk assessment is the process of risk identification, analysis, and evaluation.