ASIS advances its Enterprise Security Risk Management (ESRM) program, including a variety of sessions at GSX 2019.


ESRM Effort Shifts into Higher Gear

Several senior volunteers petitioned the ASIS International Board to adopt Enterprise Security Risk Management (ESRM) as a strategic initiative in July 2016, and in effect place the association’s bets on that philosophy and approach as the future direction of security.

Three years later, a committed team of members, volunteer leaders, subject matter experts, and staff have created the foundation of ASIS’s ESRM program, which is evolving to meet future needs and resource demands.

An ASIS ESRM guideline has been approved and is being introduced at GSX 2019. The guideline is the result of collaboration of dozens of ESRM experts from all over the globe, and the document will be the framework for all additional ESRM content.

The technical committee sorted through more than 800 comments through three iterations of the guideline. The final document, which received unanimous approval, provides guidance for the implementation of an ESRM strategic approach to security risk management. It outlines four processes that constitute the ESRM cycle and describes how organizations can utilize the approach to manage security risks.

ASIS members can access this guideline for free online, and nonmembers can purchase a copy in the ASIS Store.

Simultaneously, ASIS released the first version of a survey that will help users gauge the maturity level of their ESRM programs. Security practitioners advance through a series of questions that probe program strategy, governance, awareness, implementation, management, and alignment—scoring their organizations on a scale of zero (nonexistent) to five (optimized).

Even security professionals who do not think they have an ESRM program will be able to identify which aspects they may already have in place and where they may need to improve.

ASIS will use the data from this maturity assessment to identify areas of need and create educational materials to help users advance their program’s level of maturity. The ESRM Maturity Assessment is an exclusive member benefit.

ESRM educational programming is robust. The topic featured prominently in sessions this year at ASIS Europe in Rotterdam and the CSO Summit in Washington, D.C., as well as earlier iterations of the same events. ESRM was featured at regional programming in the United Kingdom and Uruguay, and will debut soon in Nigeria.

July 2019 featured the first ASIS standalone two-day classroom program on ESRM in Atlanta. ESRM programming continues at GSX with a preconference session on Sunday and 13 sessions throughout the week.

Meanwhile, branding and communications efforts are commensurate with other association activities. ASIS produced 101 ESRM documents and presentations for the use of chapters, councils, and other volunteer groups, along with a living glossary of ESRM terms. Those resources are available in ASIS Connects.

What’s next for ESRM? An expanded project management team brought on new leaders, and the ASIS board blessed the next stage of the initiative’s evolution. ESRM is likely to evolve into both a Community on ASIS Connects and a council, with continuing efforts to embed ESRM principles into ASIS standards, education, articles, and other material.