Ivano Roveda (Italy), the project leader responsible for the development of ISO 22375, explains:
"Complexity is a fundamental property of many systems. An appropriate level of complexity is required for systems operation but a high degree of complexity can weaken the system, particularly during turbulent times. High system complexity is an obstacle to security, resilience, effectiveness and efficiency of all organizations. As organizational systems, products, processes, technologies, organizational structures, and contracts become more complex, organizations may fail to pay sufficient attention to the introduction and proliferation of more complex and less secure systems that then become unsustainable and lose their integrity."
Moreover, the decisions taken by customers, competitors and suppliers, as well as the enactment of new regulations, induce the organizations to adapt themselves to new scenarios. Increasing the complexity of the external environment may induce the organization to increase the number of functional units and this could improve functional and structural complexity of the organization.
As a result, high complexity needs to be properly managed, since it is often a crucial factor of a new form of risk called “complexity-related risk”. Complexity-related risk must be addressed by every organization to sustain the security and resilience of its system.
The guideline of this Technical Specification provide a means to improve understanding the complexity of the organization’s system and its implications on the organization and to support organizations in making informed decisions about how they will meet their objectives.
The aim of the standard is to stimulate all types of organizations to take in account the threat formed by an excess of complexity and consider the complexity assessment as an integral part of the organization’s plan for security management.
ISO/TS 22375:2018, Security and resilience - Guidelines for business complexity process, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, respectively through the ISO Store or by contacting the Marketing, Communication & Information department.