1. Standards Development: A Primer for RIMS Members Sponsored by RIMS Standards and Practices Committee

2. Outline What are standards? Standards development National standards institutes –ANSI International organizations –International Standards Organization (ISO) How RIMS is influencing standards development 11-Feb-102

3. What Are Standards? A standard is a document, established by consensus that provides rules, guidelines or characteristics for activities or their results. (ISO/IEC Guide 2:2004) May specify performance of products or personnel May define terms to alleviate as much misunderstanding as possible Examples: –Ensure that light bulbs fit into sockets –Ensure film fits into cameras that can be purchased anywhere in the world –Provide an international definition of “risk” 19-May-153

4. What Standards Are Not Mandated regulations Controls Necessarily “how to” documents Certifications (nor require that an organization be certified to use a standard) 19-May-154

5. Standards Development Standards development is a method of documenting processes, principles, or technical requirements and recommendations that are established by authority, custom, or consent Organizations who develop standards are called standards-setting organizations (SSOs) or standards-development organizations (SDOs) –Standards can be either regional, national, or international. 19-May-15 5

6. Standards Development Products of standards development can be –Informal -Are often referred to as “specifications” -Usually do not involve participation by a significant part of any industry, profession, or pertinent stakeholders -May not use a formal process during development -Over time may be accepted by stakeholders and then become the “de facto” standard, or may be submitted for formal standardization –Formal -Often referred to as “standards” -Based on a formal process -Usually consensus based incorporating viewpoints of several stakeholders -ISO 31000:2009 Risk Management-Principles and Guidelines is an example 6 19-May-15

7. Bottom Up Independent Standards Development Organizations (SDO) drive standardization activities Bottom Up Independent Standards Development Organizations (SDO) drive standardization activities Standards bodies coordinate standardization activities Approach in many economies Approach in the United States Two Primary Approaches to Standards 7 19-May-15

8. National Standards Institutes Many countries have a national standards institute that represents the country in international and regional standards activities Examples include  AFNOR (France) ANSI (US)  BSI (UK) DIN (Germany)  GOST R (Russia) IRAM (Argentina)  JISC (Japan) KEBS (Kenya)  SA (Australia) SAC (China)  SASO (Saudi Arabia) CSA (Canada)  SNZ (New Zealand)DGN (Mexico) 19-May-158

9. National Standards Institutes Example: American National Standards Institute (ANSI) Leading U.S. organization for coordinating and promoting voluntary consensus standards –U.S. representative in non-treaty international and regional standards-setting activities –Entity that provides accreditation for US SDOs  ANSI Essential Requirements outline rules of engagement –RIMS has applied to become an ANSI member [www.ansi.org] 9

10. ANSI Structure: Standards Development View 19-May-1510 ANSI Membership Board of Directors Executive Committee Policy Committees National Policy Committee (NPC) Board of Standards Review (BSR) Executive Standards Council ANSI ISO Council (AIC) ANSI ISO FORUMTechnical Management Committee US National Committee IEC Council (USNC)

11. International organizations usually considered to be those with country membership, e.g., –International Organization for Standardization (ISO) –European Committee for Standardization –International Electrotechnical Commission (IEC) –International Telecommunications Union (ITU) International Non-Governmental Organizations 19-May-1511

12. ISO Developer of International Standards –Central coordination in Geneva, Switzerland –Network of national standards institutes of 162 countries, with one member per country  ANSI is the US representative to ISO –Involved with standardization of various technical areas, including risk management principles and processes  Risk management standards being developed in various technical committees and working groups, including –ISO Technical Committee 223 (TC 223), Societal Security –Technical Management Board (TMB) Working Group on risk management 19-May-1512

13. ISO structure: Standards Development View 19-May-1513 GENERAL ASSEMBLY Principal Officers Delegates of: Member bodies Correspondent members Subscriber members COUNCIL CENTRAL SECRETARIAT TECHNICAL MANAGEMENT BOARD (TMB) Strategic and technical advisory groups and Committee on reference material (REMCO) Technical committees (TCs) Policy development committees Committees on Conformity assessment (CASCO) Consumer policy (COPOLCO) Developing country matters (DEVCO) Technical subcommittees (SCs) Technical working groups (WGs)

14. ISO standards development Three main phases –Need communicated to national member body who proposes the new work item to ISO. Technical scope defined in appropriate working group. –Draft international standard developed in working group, then elevated to the relevant technical committee for approval. The draft international standard (DIS) is then circulated to the countries through the national bodies for comments. 19-May-1514

15. ISO standards development –Requirements for formal approval of the final draft international standard (FDIS):  Approval by two-thirds of the ISO members that participated actively in the standards development  Approval by 75% of all members that vote. –Following approval, the document is published as an International Standard (IS). [www.iso.org] 19-May-1515

16. Standards Hierarchy TOOLS GUIDELINES REQUIREMENTS TERMINOLOGY FRAMEWORK RISKQUALITYTECHNOLOGYENVIRONMENTAL ISO GUIDE 73 ISO 14001 ISO/IEC 27001 ISO/IEC 15408 OHSAS 18001 ISO 31010 NFPA 101 NFPA 75ANSI/ASHRAE 62 HB 436 AS/NZS 4360 ISO 9001 ISO GUIDE 14050 ISO/IEC 27002ISO 10005 SAFETY CSA Q850 SAQ ONR 49001 AFNOR CN FD_X50-252 ISO 31000 PRINCIPLES 1619-May-15

17. How RIMS Is Influencing Standards Development –Collaborating with existing SDOs who submit standards to ISO for adoption –Developing liaison relationships with ISO technical committees –Submitting comments through ANSI technical advisory groups (TAGs) to ISO technical committees that are in the process of developing standards –Educating RIMS Members 19-May-1517

18. Presentation Developed By: Yvette Ho Sang Risk Management Analyst IEEE Standards Association Member of RIMS Standards and Practices Committee y.hosang@ieee.org With contributions from members of RIMS Standards and Practices Committee If you have questions, please contact Nathan Bacchus at nbacchus@rims.org. nbacchus@rims.org 19-May-1518

19. ISO 31000: 2009 Risk Management – Principles and Guidelines AS/NZS 4360:2004 Risk Management Australian/New Zealand Standard ISO GUIDE 73:2009 Risk Management – Vocabulary HB 436:2004 Risk Management Guidelines: a Companion to AS/NZS 4360:2004 ISO 31010:2009 Risk Management – Risk Assessment NFPA 101:2009 Life Safety Code® ANSI/ASHRAE 62.1-2007 Standard on Ventilation for Acceptable Indoor Air Quality OHSAS 18001:2007 Occupational Health and Safety ISO 9001:2008 Quality Management Systems – Requirements NFPA 75:2009 Standard for the Protection of Information Technology Equipment ISO/IEC 27001:2005 Information Security Management Systems – Requirements ISO/IEC 27002:2005 Information Technology – Code of Practice ISO/IEC 15408:2005/2008 (3 parts) Evaluation Criteria for IT Security ISO 14001:2004 Environmental Management Systems - Requirements ISO 14050:2009 Environmental - Vocabulary CSA Q850-10 Risk Management – Implementation of CAN/CSA-ISO 31000 ISO 10005:2005 Quality Management Systems – Guidelines for Quality Plans ISO 28000:2007 Security Management Systems for the Supply Chain ANSI / ASIS SPC.1:2009 Organizational Resilience: Security Preparedness, and Continuity Management Systems – Requirements with Guidance for Use Referenced Standards