A management systems standard can benefit an organization by doing the following:

  • Establishing benchmarks. These enable the organization to measure its progress and outcomes. The implementer must demonstrate that the management system is effective, and benchmarks help in doing so.

  • Forcing the organization to systematically identify risks and problems as well as potential solutions. Many organizations skip this step, make false assumptions, and therefore focus on issues that do not matter and ignore important ones.

  • Including more participants. A management systems standard requires the organization to include all levels of employees and stakeholders in planning. This more inclusive approach encourages normally reserved people to step forward and identify problems the organization may have overlooked. It also gives more people a sense of ownership of the process. They will then be more likely to get involved and participate in reaching the goals of whatever management system is being implemented (e.g., quality, environmental, security).

  • Providing problem-solving and decision-making tools. The standard also links those tools to personnel training that will help employees do what the organization needs to reach its goal.

  • Leading the organization to study how standard operating procedures and operational controls can enhance the organization’s performance. Often organizations find that implementing a management systems standard improves their production and quality of service in ways completely separate from the standard’s particular goal.

  • Protecting the organization’s reputation or brand. In many cases, implementing and conforming with a management systems standard gives others greater confidence in the organization. News reports often show how a minor mistake, such as a breach of information security or a contamination problem, causes a company to lose market share or stock value. Better management systems can help prevent mishaps that lead to reputational damage.

  • Providing a model for continual improvement. A management systems standard does not call for a one-time action and specific output. Rather, the management system it leads to is an ongoing system. When an organization is audited for conformity, it is checked not for specific performance but for a mechanism for improving performance.

  • Helping an organization coordinate its resources and programs. These may include structure, responsibility, training, awareness, operational controls, and communication; policy and management commitment; planning and program development; review and improvement; checking and corrective action; knowledge of the organization; and planning, risk assessment, and impact analysis. These are all important, but in the absence of an effective management system, they may be like unconnected puzzle pieces and may not be usable in an effective, coordinated way.

Some specific outcomes that a management systems standard is likely to lead to include better organizational performance through improved capabilities; strategic alignment of improvement activities at all levels of the organization; the flexibility to react quickly to opportunities and a changing environment; and optimization of resources.


The Plan-Do-Check-Act (PDCA) cycle is the operating principle of ISO’s management systems standards. Also sometimes called the Assess-Protect-Confirm-Improve model, it is an approach to structured problem solving focused on continual improvement. It works as follows:

Plan. This most critical stage calls for identifying and analyzing the organization’s assets and its problems, that is, the events that could disrupt operations. One identifies the root causes of those problems and begins to rank them in order of importance.

Do. Here one looks at the planning analysis, devises a solution, prioritizes next steps, and develops a detailed action plan. The key word is action. The goal is not to write a manual that sits on the shelf, gathering dust. Rather, the goal is to develop a plan that will be used actively to engage the organization and address problems and their causes—and then to implement that plan.

Check. At this step, one examines the solutions devised to address the problems. The point is to check whether the solutions are producing outcomes that are consistent with the plan. It is necessary to have a way of identifying deviations so one can analyze why some measures might not be working and how they can be improved.

Act. If the solutions are in fact addressing the organization’s problems, it is time to act to standardize those solutions throughout the organization, review the current list of problems, and start defining new problems and issues. This is where the cycle, in effect, begins again.

A good way to start this process is to focus initially on a problem that is relatively easy to solve. Picking a solvable problem provides practice in using the management system and demonstrates the system’s effectiveness before the organization moves on to more serious or difficult problems.




The best-known management systems standards (used by more than a million organizations in 161 countries) are the ISO quality management systems standard and the ISO environmental management systems standard. These have been in use for several decades and have proven to be very effective.

The ISO 9000 family of standards addresses quality management to help an organization meet customers’ quality requirements, enhance their overall satisfaction, satisfy regulatory requirements, and continually improve the organization’s performance in pursuit of these objectives. The ISO 14000 family of standards addresses environmental management, which is a way of looking at the organization’s activities, products, and services to gauge their environmental effect, find ways to minimize any harmful effects, and improve the cost-effectiveness of the organization’s processes.

All ISO management systems standards are implemented using the same process and have the same structure and components. Thus, a single, well-designed management system within an organization can be used to show conformity to several standards.

3.5 ASIS Global Standards Initiative

ASIS began its Global Standards Initiative (GSI) in 2007 to position itself as a world leader in international security standards development. The move was driven by members who noted a lack of a voice for security professionals in the standards being developed within various countries as well as internationally. It was also driven by members involved in cross-border activities, who faced different sets of rules and procedures every time they reached a national or jurisdictional border. These members urged ASIS to get involved at the ISO level to promulgate a more global perspective in security planning.


An early step taken through the GSI was to have ASIS gain approval as a liaison in the major national and international standards bodies. Not being a country, ASIS cannot participate directly in ISO as a national member. However, as an international organization, ASIS was able to seek liaison status, which enables full participation except for voting. Through the GSI, ASIS is also developing strategic partnerships with other standards-developing bodies around the world.

ASIS encourages its members to help identify standards of high priority to security professionals and then to participate in developing drafts for circulation at the national, regional, or international level. The goal is to get involved in the development of standards on issues where standardization will make security professionals’ jobs easier and improve the quality of security service delivery. Specifically, ASIS encourages members to take part in standards development through the mirror committees (the national bodies that review and vote on international drafts) in their home countries.

ASIS is also an ANSI-accredited standards developing organization (SDO). Through the GSI it is actively developing American National Standards (ANSI-ANS) in the U.S. As an example of ASIS standards-developing activity, Figure 3-2 illustrates the ANSI-certified process ASIS follows to develop American National Standards.

This chapter focuses on standards. It is worth noting, however, that before becoming involved in standards, ASIS promulgated several guidelines. They were meant to be less formal than standards in the sense that an organization could use some, none, or all of a guideline’s elements—there was no issue of being in formal conformity. ASIS began issuing guidelines in 2001 to help the private sector secure its business assets and critical infrastructure. Where applicable, these guidelines are being modified into different types of documents: either actual standards or handbooks for implementing actual standards. The latter type is appropriate when the original guideline is too detailed and prescriptive to be a standard but contains much useful guidance that practitioners may want to know as they apply a standard.

ASIS conducts the five-day Security Lead Auditor Course for ISO 28000:2007, which is accredited by RABQSA International (formed from the Registrar Accreditation Board in the U.S. and the Quality Society of Australasia). Upon successful completion of the program, participants receive the internationally recognized Lead Auditor Competency Certification.

ASIS is also providing implementation guidance for ISO standards; leading education and training on standards and guidelines issues; and developing auditor training and certification (for auditing conformity with standards).