8. Structural Requirements
The organization shall be a legal entity, or a defined part of a legal entity, with transparent ownership such that it can be held legally accountable for all its activities.
8.2 Organizational Structure
A clearly defined management structure shall identify roles, responsibilities, authorities, and accountabilities for its operations and services. The organization shall:
- Document its organizational structure, showing sub-divisions, duties, responsibilities, and authorities of management;
- Identify information and value chain flows and interactions; and
- Define and document whether the organization is a defined part of a legal entity and its relationship to other parts of the same legal entity.
8.3 Financial and Administrative Procedures
The organization shall develop financial and administrative procedures and controls to support the provision of effective risk management and security and resilience programs. Financial procedures should consider normal operation conditions as well as procedures in anticipation and in response to an undesirable or disruptive event. Procedures shall be established:
- Clearly defining authorization requirements;
- To expedite fiscal decisions;
- In accordance with authority levels and accounting principles; and
- In consultation and coordination with appropriate stakeholders.
The organization shall demonstrate that it has sufficient insurance to cover risks and associated liabilities arising from its operations and activities consistent with its risk assessment. When outsourcing or subcontracting services, activities, functions, or operations, the organization shall ensure sufficient insurance coverage for the subcontracted activities.
8.5 Outsourcing and Subcontracting
The organization shall have a clearly defined process wherein it describes the conditions under which it outsources activities, functions, or operations. The organization shall take responsibility for all activities outsourced to another entity. The organization shall have a legally enforceable agreement covering outsourcing arrangements including:
- Commitment by subcontractors to abide by the same obligations as held by the organization and as described in this Standard;
- Confidentiality and conflict of interest agreements;
- Clear definition of provision of goods and services; and
- Conformance to the applicable provisions of this Standard.
8.6 Documented Information
The ORMS documentation shall be consistent with the complexity, size, and type of organization and include:
- The ORMS policy, objectives, and targets;
- A description of the scope of the ORMS, including the Statement of Applicability;
- A description of the main elements of the ORMS and their interaction, and reference to related documents;
- Documented information required for the effective implementation, operation, and performance of the ORMS; and
- Documents, including records, required by this Standard.
The organization shall establish and maintain records to demonstrate conformity to the requirements of its ORMS.
Records include, among others:
- Records required by this Standard;
- Personnel screening;
- Training records;
- Process monitoring records;
- Inspection, maintenance, and calibration records;
- Pertinent subcontractor and supplier records;
- Incident reports;
- Records of incident investigations and their disposition;
- Performance indicators, including exercise, testing and audit results;
- Management review results;
- External communications decisions;
- Records of applicable legal requirements;
- Records of significant risk and impacts;
- Records of management systems meetings;
- Risk management, security, and resilience performance information;
- Legal, regulatory, and contractual compliance;
- Human rights performance information; and
- Communications with stakeholders.
The organization shall establish, implement, and maintain procedures to protect the sensitivity, confidentiality, and integrity of records including access to, identification, storage, protection, retrieval, retention, and disposal of records. Records shall be retained for a minimum of seven years or as otherwise required or limited by law or contract.
8.6.3 Control of Documented Information
Documents required by the ORMS and by this Standard shall be controlled. The organization shall establish, implement, and maintain procedures to:
- Approve documents for adequacy prior to issue;
- Protect sensitivity and confidentiality of information;
- Review, update as necessary, and re-approve documents;
- Record amendments to documents;
- Make updated and approved documents readily available;
- Ensure that documents remain legible and readily identifiable;
- Ensure that documents of external origin are identified and their distribution controlled;
- Prevent the unintended use of obsolete documents; and
- Ensure the appropriate, lawful, and transparent destruction of obsolete documents.
Organizations shall ensure the integrity of documents by keeping them securely backed up, accessible only to authorized personnel, and protected from unauthorized disclosure, modification, deletion, damage, deterioration, or loss.