ISO 22375 Security and resilience - Guidelines for business complexity analysis

This project will result in a Technical Specification that describes the application of the principles, framework and process for complexity assessment of organization’s systems to improve security and resilience. A complexity assessment process allows the organization to identify the hidden vulnerabilities of its system and provide an early indication of risk resulting from complexity.

Ivano Roveda (Italy), the project leader responsible for the development of ISO 22375, explains:

"Complexity is a fundamental property of many systems. An appropriate level of complexity is required for Ivanosystems operation but a high degree of complexity can weaken the system, particularly during turbulent times. High system complexity is an obstacle to security, resilience, effectiveness and efficiency of all organizations. As organizational systems, products, processes, technologies, organizational structures, and contracts become more complex, organizations may fail to pay sufficient attention to the introduction and proliferation of more complex and less secure systems that then become unsustainable and lose their integrity."  

Moreover, the decisions taken by customers, competitors and suppliers, as well as the enactment of new regulations, induce the organizations to adapt themselves to new scenarios. Increasing the complexity of the external environment may induce the organization to increase the number of functional units and this could  improve functional and structural complexity of the organization.

As a result, high complexity needs to be properly managed, since it is often a crucial factor of a new form of risk called “complexity-related risk”. Complexity-related risk must be addressed by every organization to sustain the security and resilience of its system.

The guideline of this Technical Specification provide a means to improve understanding the complexity of the organization’s system and its implications on the organization and to support organizations in making informed decisions about how they will meet their objectives.

The aim of the standard is to stimulate all types of organizations to take in account the threat formed by an excess of complexity and consider the complexity assessment as an integral part of the organization’s plan for security management.

Working Group 6 is responsible for the development of this document and is seeking participants for this work with background and interest in Complexity theory as used in the fields of strategic management and organizational studies.