1 Frank, you have been involved in ISO standardization for quite a while. Tell us how it all started and why you got engaged in ISO!
It all started in 2012 when I »played« on LinkedIn and posted some ideas on risk management. Following this, I was invited to participate in a conference in Paris as a presenter on human factors and risk. This resulted in me being “shanghaied” for standardization. At that time the last revision of ISO 31000 Risk management – Guidelines just started and DIN asked me to be the HoD for Germany. As a lawyer I was used to represent clients and being the HoD was a similar task. I was engaged as we had a confusing situation in Germany at that time.
Due to some special interest groups, we were separated from the rest of the world that had mostly adopted ISO 31000 as a national standard – but DIN had not, principally because there was misguided fear that it could be wrongly understood to be a MSS Type A. I’m proud to report that I was able to defuse this risk and in the follow up the revised ISO 31000 was adopted in Germany to become DIN ISO 31000. This I thought, was a great success. And now just recently ISO 28000 Security and resilience – Security Management Systems – Requirements where I was project leader in the last revision was published as a German standard as well.
2 So, what are the benefits of being involved? Why should people get on board these committees?
If you participate you are at the forefront of the latest development and you can better give advice on the major issues in your discipline – either inhouse in your company or as an external consultant. For example, by now I have written some handbooks advising on an easy three step approach to standardization in the fields of risk management (ISO 31000), business continuity management (ISO 22301 together with Saul Middler) and security management (ISO 28000). They are bilingual English and German and were published by DIN (https://bit.ly/3QlYloW ). A fourth publication (together with Mathias Wernicke) – which unfortunately is available only in German is on the integration of the requirements and recommendations of multiple MSS into your company’s one holistic integrated and sustainable management system.
When mentioning the forefront of the latest developments I mean developments in standardization and, of course, you need to remember that standardization is not about developing new and innovative concepts. If you are interested in innovation you will have to join an academic institution. Standardization is about documenting global consensus on good practices – very practical, very down to earth and thus very useful for the end user, in particular if he or she needs to get quickly up to speed in a new area. In my case the area of intersest is the management of organizations.
3 As the secretary of WG 8 you must know about the future plans. The 2nd edition of ISO 28000 was published last year, but what is happening now? The rest of the ISO 28000 family has existed for a long time. Will there be any more revisions?
Well, WG 8 has already prepared some projects and we are waiting for them to be officially started. For one, there might be the revision of ISO 28003 that could be updated to align to ISO 28000 and to become a member of the 17021 family. Recently the committee manager and I have asked the CASCO support team for advice on the best way forward.
There is also an attempt to create a new work item for a companion standard to ISO 28000 giving guidance on how to apply the standard to the supply chain – and incidentally to the chain of custody which is nearly always part of the supply chain. If published, the new document is intended to replace both ISO 28001 and 28004-1. Finally, TC 292 has already taken a decision to withdraw ISO 28002 as it is in conflict with ISO 22316 which is currently under revision. ISO will have to follow up asap on their website.
4 Besides ISO 28000, you have also been involved in other projects such as ISO 22301 and ISO 31000. How do all these standards relate to each other and how can a user make sure to apply them in an effective way?
All those standards are related to the management of organizations and should be taken into consideration by an organization when creating its holistic integrated management system – of course not all at once but aligned to the organization’s resources in steps potentially in the context of continual improvement. They are also part of »IDC« – the issue – disaster – continuum which I discussed with Saul Midler and Michael Crooymans. The first group to consider how all those terms in that the context relate to each other was ISO/TC 292/WG 9 in ISO 22361. If you look at their figure 2 the continuum will develop quite naturally as follows:
5 What additional activities have you been or are you engaged in in standardization
I was the delegate of DIN to ISO/TMBG/JTCG TF 14 for the revision of the directives Annex SL Appendix 2 which turned out to be a disappointment as the group was not able to achieve consensus on the definition of risk.
In 2021 I was delegated by TC 292 to represent them both in ISO/TMBG/JTFRiaT and in ISO/TMBG/JTCG TF 15. TC 292 mirrored the work of both groups in its AHG 2 to which I was the rapporteur. The final report of AHG 2 has been submitted to TC 292. While the latter task force was well chaired by its convenor Martin Cottam with the support of Sally Swingewood as secretary the former failed to come close to achieving its task as there were too many representatives of special interest groups not willing to accept a common interest of the ISO community. I chair the German mirror group to AHG 2 which is also in charge of coordinating the initiatives regarding standards in the context of the management of organizations.
As the chair of DIN NA 175-00-05 GA which is mirroring working groups 2, 6 and 8 of ISO/TC 292 I’m involved in practically all their projects and are in particular interested in the establishment of ISO 22363 and the revision of ISO 22316 which I personally believe to be a very important standard. In DIN NA 175-00-05 GA we have prepared the very recent publication of ISO 28000 as a German standard.
We are also preparing a NWIP for ISO 22343-3 which will be submitted to ISO/TC 292/WG 6. It will cover vehicle security barriers complimentary to ISO 22343-1 and ISO 22343-2. Also, we intend to propose two NWIPs for ISO/TC 292/WG 2, one regarding a process reference model regarding business continuity following ISO 22301 and one with the general requirements of an integrated management system. Both will be presented informally in WG 2 to learn whether there is some appetite for those projects before initiating official steps.
Finally, I have been shanghaied (again) to support the German delegates in ISO/PC 343 (Management Systems for UN Sustainable development goals) – an issue that will become more and more important for standardization. (currently there are already 34,000 claims of supporting the UN SDGs by ISO standards).
6 Recently TC 292 published ISO 22342 which gives guidance on how to develop a security plan. This is also a topic covered by ISO 28000 so how do these documents relate to eachother?
ISO 28000 is meant to be a generic standard in the field of security management. In August I have published a brief summary of ISO 28000 in DIN-Mitteilungen 2023 (pgs. 102 – 105) as a preview of my bilingual book on security management mentioned above in my answer to question 2.
Implementing the requirements and recommendations of ISO 28000 can help but will not replace other useful standards in the field of security. In particular end users should consider ISO 27001 in the field of information security. Like always, the specific requirements (e. g. ISO 27001) will precede the generic requirements of ISO 28000. In the future, the relationship of the two standards might be analyzed and evaluated more closely – maybe in a joint initiative of ISO/IEC JTC1/SC 27 and TC 292 WG 8. But this is an issue of continual improvement that is applicable to standards as it is applicable to management systems.
In my view, the relationship between ISO 28000 and ISO 22342 is more complex as the first of them makes it quite clear that security management is more than just the assessment and treatment of security related risk. Unfortunately, this might be the impression you get if you take ISO 22342 as a stand-alone document. By now there are two concepts for a security plan and both were created in TC 292. ISO 28000, published in March of 2022 includes a long section on security plan.
ISO 22342, published only one year later has its own description of the components of a security plan.
End users will have to decide how to handle this situation. Maybe WG 6 and WG 8 should join forces and together establish a small task group to write a handbook on security management and explain the situation. It is a delicate political issue I did not touch m my handbook.
7 Quo vadis?
Well, one never knows what the future will bring – neither for standardization in general nor for the experts active in the field of standardization. So, I can only quote the song »que sera, sera«. For now, I will focus on my work as the secretary of WG 8 supporting its convenor Rajeev Thykatt as best as I can.
Additionally, I will focus on PC 343 work – currently my colleague Prof. Annette Kleinfeld and I are discussing to initiate an anthology on the benefits of supporting the SDGs as an organization. I hope that we will have agreement on the skeleton of the anthology by the end of the year and can ask potential authors to participate in the book with a chapter on one of the 17 SDGs so that the finished book can be on the table for presents for next year’s Christmas.
As Germany’s HoD in TC 262 I might have to take a more active role in the upcoming revision of ISO 31000. Germany has suggested to migrate the standard to become an ISO MSS Type B standard to better align it with ISO’s management system standards and to facilitate integration of its recommendations to the management systems of organizations. Also, this would enable to withdraw IWA 31 which is more or less »a bare bone« on the integration of risk management.
Finally, we will see what challenges TC 292 will provide for me. Process reference models are quite intriguing tools that should make life much easier for end users and, in the future, we might develop one for security management as well.