Security and Resilience in Organizations and their Supply Chains

8. Structural Requirements

8.1 General

The organization shall be a legal entity, or a defined part of a legal entity, with transparent ownership such that it can be held legally accountable for all its activities.

8.2 Organizational Structure

A clearly defined management structure shall identify roles, responsibilities, authorities, and accountabilities for its operations and services. The organization shall:

  • Document its organizational structure, showing sub-divisions, duties, responsibilities, and authorities of management;

  • Identify information and value chain flows and interactions; and

  • Define and document whether the organization is a defined part of a legal entity, and its relationship to other parts of the same legal entity.

8.3 Financial and Administrative Procedures

The organization shall develop financial and administrative procedures and controls to support the provision of effective risk management and security and resilience programs. Financial procedures should cover normal operating conditions as well as procedures for anticipating and responding to an undesirable or disruptive event. Procedures shall be established:

  • Clearly defining authorization requirements;
  • To expedite fiscal decisions;
  • In accordance with authority levels and accounting principles; and
  • In consultation and coordination with appropriate stakeholders.

8.4 Insurance

The organization shall demonstrate that it has sufficient insurance to cover risks and associated liabilities arising from its operations and activities consistent with its risk assessment. When outsourcing or subcontracting services, activities, functions, or operations, the organization shall ensure sufficient insurance coverage for the subcontracted activities.

8.5 Outsourcing and Subcontracting

The organization shall have a clearly defined process wherein it describes the conditions under which it outsources activities, functions, or operations. The organization shall take responsibility for all activities outsourced to another entity. The organization shall have a legally enforceable agreement covering outsourcing arrangements including:

  • Commitment by subcontractors to abide by the same obligations as held by the organization and as described in this Standard;
  • Confidentiality and conflict of interest agreements;
  • Clear definition of provision of goods and services; and
  • Conformance to the applicable provisions of this Standard.

8.6 Documented Information

8.6.1 General

The ORMS documentation shall be consistent with the complexity, size, and type of organization and include:

  • The ORMS policy, objectives, and targets;

  • A description of the scope of the ORMS including Statement of Applicability;

  • A description of the main elements of the ORMS and their interaction, and reference to related documents;

  • Documented information required for the effective implementation, operation, and performance of the ORMS; and

  • Documents, including records, required by this Standard.

8.6.2 Records

The organization shall establish and maintain records to demonstrate conformity to the requirements of its ORMS. Records include, among others:

  • Records required by this Standard;
  • Personnel screening;
  • Training records;
  • Process monitoring records;
  • Inspection, maintenance, and calibration records;
  • Pertinent subcontractor and supplier records;
  • Incident reports;
  • Records of incident investigations and their disposition;
  • Performance indicators, including exercise, testing, and audit results;
  • Management review results;
  • External communications decisions;
  • Records of applicable legal requirements;
  • Records of significant risk and impacts;
  • Records of management systems meetings;
  • Risk management, security, and resilience performance information;
  • Legal, regulatory, and contractual compliance;
  • Human rights performance information; and
  • Communications with stakeholders.

The organization shall establish, implement, and maintain procedures to protect the sensitivity, confidentiality, and integrity of records including access to, identification, storage, protection, retrieval, retention, and disposal of records. Records shall be retained for a minimum of seven years or as otherwise required or limited by law or contract.

8.6.3 Control of Documented Information

Documents required by the ORMS and by this Standard shall be controlled. The organization shall establish, implement, and maintain procedures to:

  • Approve documents for adequacy prior to issue;
  • Protect sensitivity and confidentiality of information;
  • Review, update as necessary, and re-approve documents;
  • Record amendments to documents;
  • Make updated and approved documents readily available;
  • Ensure that documents remain legible and readily identifiable;
  • Ensure that documents of external origin are identified and their distribution controlled;
  • Prevent the unintended use of obsolete documents; and
  • Ensure the appropriate, lawful, and transparent destruction of obsolete documents.

Organizations shall ensure the integrity of documents by keeping them securely backed up, accessible only to authorized personnel, and protected from unauthorized disclosure, modification, deletion, damage, deterioration, or loss.
