Establishing a Risk-Based Security Strategy

Implementing a security management process is key

There are many management system models. The most well-known are those found in the international standards for Quality Management Systems (ISO 9001), Environmental Management Systems (ISO 14001), Information Security Management Systems (ISO 27001) and Supply Chain Security Management Systems (ISO 28001). Each standard defines a management system model based on the Plan-Do-Check-Act cycle, or PDCA for short. PDCA is a four-step process used in quality management and elsewhere as a simplified method of achieving improvements. The PDCA cycle was first proposed by U.S. mathematician Dr. Walter Shewhart, and was made popular by the work of Dr. W. Edwards Deming, a visionary leader in the field of quality management.

The PDCA steps are:

1. Plan: recognize an opportunity and plan a change.

2. Do: carry out the plan, on a small-scale first if possible.

3. Check: analyze the results against objectives and specification.

4. Act: take appropriate steps to close the gap between planned and actual results.

The PDCA cycle is an iterative cycle that is repeated at periodic and event-driven intervals, according to the scope and purpose of the management system using it. Specific application of PDCA to security management systems can be found in a new standard developed by ASIS International and released through the American National Standards Institute (ANSI): ASIS SPC.1-2009 Organizational Resilience Standard. Its title is: “Organizational Resilience: Security, Preparedness, and Continuity Management Systems — Requirements with Guidance for Use,” and it can be downloaded at

Security Management Systems and Organizational Resilience

As stated in the Introduction section of the standard, “The management systems approach encourages organizations to analyze organizational and stakeholder requirements and define processes that contribute to success. A management system can provide the framework for continual improvement to increase the probability of enhancing security, preparedness, response, continuity, and resilience.”

In its white paper entitled “Business Resilience: Proactive measures for forward-looking enterprises,” IBM Global Services defines business resilience as, “The ability to rapidly adapt and respond to risks, as well as opportunities, in order to maintain continuous business operations, be a more trusted partner, and enable growth.”

In its work on business resilience, IBM identified six fundamentals to a successful business resilience strategy, shown in the graphic below. Note that the ASIS Organizational Resilience standard addresses all of them — including “market readiness” — as that requires awareness of the security risks inherent in market changes and in the organization’s plans to respond to them.

Using the ASIS Organizational Resilience Standard

Although not strictly necessary, a security practitioner who has no familiarity with PDCA-based management systems will find it helpful to team up with someone in the business who does, such as a manager from the IT, Quality, or Environment, Health and Safety department.

With a preliminary assessment of the organization’s critical objectives, functions and assets — and an initial idea of the primary risks to them — the various elements of the security function (prevention, avoidance, deterrence, readiness, mitigation, response, continuity and recovery) can be given appropriate weight in the initial implementation of the management system.

The ASIS standards document itself provides more than 11 pages of guidance for applying the standard. It is important to realize that standards documents are necessarily limited in scope and cannot, for example, provide detailed guidance on how to bring an existing security program under a management system, or on using a common management system framework that covers both security and safety (of interest to companies that want to implement OHSAS 18001 — an internationally recognized standard for occupational health and safety management systems).

It is also important to use such standards as tools for management system development, rather than simply a set of compliance requirements. For additional guidance on using the ASIS Resiliency Standard as a tool for improving an existing security program, and on reconciling multiple management systems standards, see

Get Started!

Put a clearly defined process in place for the management of security functions. Practitioners who have done so have commented that their efforts were paid back many times over. To learn more about applying the ASIS Organizational Resilience Standard, attend the ASIS session described in the sidebar on the left.