Organizations Make Key Standards Freely Available

ASIS International has joined a growing list of organizations that have opened the firewall to make certain standards available to all organizations as they deal with the COVID-19 pandemic. ASIS has temporarily made the following available:

• Security and Resilience in Organizations and Their Supply Chains—Requirements with Guidance (ORM.1)
• Supply Chain Risk Management: A Compilation of Best Practices
• Risk Assessment

Lisa DuBrock, CPP, is the managing partner at Radian Compliance, LLC, and vice chair of the ASIS Professional Standards Board. In addition, she served as a member of the technical committee that developed ORM.1. “Standards are written broadly,” she says. “Whether you are a small business or a large multinational, no matter where you’re located, you can use the standards. The concepts in ORM.1 are universal. It will help you understand how to approach risk management and the importance of risk mitigation, and it’s going to help now—during a pandemic—and it will also apply to other types of crisis situations an organization might encounter, such as fire or natural disaster.”

In the middle of a crisis—which is the current state of many organizations worldwide—the standards can provide useful context and definitions that can help ensure that all those involved in an organizational response operate on a shared understanding. As DuBrock points out, the real power of the standards comes before and after crisis situations.

“We’re in crisis mode now,” she says. “However, we are not always going to be in this crisis mode, and that’s when the standards become very valuable. They provide organizations the ability to stand up logical tried and true processes as they look toward recovery and returning to business.”

In addition to the three standards, ASIS has made available the Business Continuity Guideline: A Practical Approach for Emergency Preparedness, Crisis Management, and Disaster Recovery. “Even though it’s a little dated,” DuBrock says of the guideline, which was completed in 2005 and is slated for an update within the next year, “I hear from many people who use the guideline. It also provides a security director with information around response, recovery, restoration, and risk mitigation.”

Additional standards from other organizations may also be of interest to security directors, notably ISO 22301, Security and Resilience—Business Continuity Management Systems. Others include:

• ISO 22316: Security and Resilience—Organizational Resilience – Principles and Attributes
• ISO 22320: Security and Resilience—Emergency Management – Guidelines for Incident Management
• ISO 22395: Security and Resilience—Community Resilience – Guidelines for Supporting Vulnerable Persons in an Emergency
• ISO 31000: Risk Management – Guidelines

Accessing these standards requires registration with ANSI and downloading a special viewing extension, but they are otherwise freely available. DuBrock recommends that all security directors download these documents while this window of availability is open. “Once you have them, you can do your research and due diligence and determine which ones best fit your organization.”