Understanding the New Rules of the Game
During the past decade, ISO has published many management system standards for topics ranging from quality and environment to information security, business continuity management and records management.
Despite sharing common elements, ISO management system standards come in many different shapes and structures because they are developed by numerous committees. While there were many common components, they were not sufficiently aligned, making it difficult for organizations to rationalize their systems and to interface and integrate them. This, in turn, results in some confusion and difficulties at the implementation stage.
As many organizations seek to implement and certify multiple management system standards they need to easily combine or integrate them in an effective and efficient manner.
Therefore, in 2012, ISO completed work to provide a standard for standards. It is effectively a guide to help standards developers write management systems standards and it provides a template for how the management system is written. It is known as Annex SL Directive 1 or more commonly known as the High Level Structure (HLS). (IRCA)
The Annex SL contains identical structure, text and common terms and definitions for management system standards to ensure consistency among future and revised management system standards and make integrated use simpler. It makes the standards easier to read and, in so doing, easier to be understood by users and easier to format in order to meet multiple regulatory and compliance needs, i.e.; implement once, comply many.
This structure has been mandated by the ISO management board with the specific intention that this will enhance consistency in the implementation of management system standards.
The Annex SL consists of eight clauses and four appendices. The audience for this annex is primarily ISO technical committees who develop management system standards; however, the impact of Annex SL will be felt by all users of management system standards in the future in that it defines the common high level structure, identical core text and common terms and core definitions.
In the future, all management system standards will need to have these elements. Although this means that there will be duplication, it will also mean that they will all have the same look and feel. In addition, there will be less confusion and inconsistency because common terms will all have the same definition and there will be common requirements across all the management system standards.
High Level Structure as defined within, Annex SL Directive 1, describes the framework for a generic management system. However, it requires the addition of discipline-specific requirements to make a fully-functional quality, environmental, service management, food safety, business continuity, information security and energy management system standard.
The 10 clauses are as follows:
NIST Cybersecurity Framework and the UK Government Cyber Essentials. NIST, the UK government and BSI Standards communicated closely during the development process of the specific frameworks. They are very similar with the distinction that Cyber Essentials adopted a standard, the ISO/IEC 27000 series of standards, while NIST took the approach of mapping to commonly used standards. One common area they both share is a required measurement of maturity.
The NIST Cybersecurity Framework
The common thread we are seeing throughout the international community is the use of international standards (ISO) because of the consistency, centralized management and development structure and its agnostic approach (not owned by any one entity or country).
If we are to survive the new cyber war environment, consistency, collaboration and information sharing is critical, so we are all speaking the same language, separated only by the specific industry requirements based on risk and classification of information.
What are the next steps?
- “Collect, Reflect, and Connect” (NIST) – Understand where the industry is having success, help others understand those successes, and facilitate relationships that support understanding and use.
- Continue education efforts, including creation of self-help and re-use materials for those who are new to the framework(s).
- Continue awareness and outreach with an eye toward industry communities who are still working toward framework knowledge and implementation.
- Educate on the relationship between framework(s) and the larger risk management process, including how organizations can use a measure of maturity to help drive improvement.
IRCA. (n.d.). The most important event since ISO 9001. Retrieved from http://www.irca.org/Documents/press/2012/IRCA%20Briefing%20note%20-%20Annex%20SL%20(previously%20ISO%20Guide%2083).pdf
John DiMaria; CSSBB, HISP, MHISP, AMBCI, is the Sr. Product Manager, System Certification for BSI Americas and a member of the Shared Assessments Steering Committee. John has 30 years of successful experience in standards and management system development, including information systems, ISMS, business continuity and quality assurance. Connect with John on LinkedIn.
Notice: The views expressed in this blog are those of the author and should not be interpreted to have been endorsed or otherwise represent those of BSI Group, or any other of its employees, officers, directors or anyone otherwise affiliated with BSI Group.