ISO/TS 22375:2018 Security and resilience - Guidelines for complexity assessment process

This Technical Specification describes the application of the principles, framework and process for complexity assessment of organization’s systems to improve security and resilience. A complexity assessment process allows the organization to identify the hidden vulnerabilities of its system and provide an early indication of risk resulting from complexity.

Ivano Roveda (Italy), the project leader responsible for the development of ISO 22375, explains:

"Complexity is a fundamental property of many systems. An appropriate level of complexity is required for Ivano systems operation but a high degree of complexity can weaken the system, particularly during turbulent times. High system complexity is an obstacle to security, resilience, effectiveness and efficiency of all organizations. As organizational systems, products, processes, technologies, organizational structures, and contracts become more complex, organizations may fail to pay sufficient attention to the introduction and proliferation of more complex and less secure systems that then become unsustainable and lose their integrity."

Moreover, the decisions taken by customers, competitors and suppliers, as well as the enactment of new regulations, induce the organizations to adapt themselves to new scenarios. Increasing the complexity of the external environment may induce the organization to increase the number of functional units and this could improve functional and structural complexity of the organization.

As a result, high complexity needs to be properly managed, since it is often a crucial factor of a new form of risk called “complexity-related risk”. Complexity-related risk must be addressed by every organization to sustain the security and resilience of its system.

The guideline of this Technical Specification provide a means to improve understanding the complexity of the organization’s system and its implications on the organization and to support organizations in making informed decisions about how they will meet their objectives.

The aim of the standard is to stimulate all types of organizations to take in account the threat formed by an excess of complexity and consider the complexity assessment as an integral part of the organization’s plan for security management.

ISO/TS 22375:2018, Security and resilience - Guidelines for business complexity process, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, respectively through the ISO Store or by contacting the Marketing, Communication & Information department.

Upcoming events

28 Feb, Zoom
Working Group 1

5 March, Zoom
Communication Group meeting

[tbd], 2024
11th ISO/TC 292 plenary meeting

Topics

Authenticity, integrity and trust for products and documents
Business continuity management
Community resilience
Crisis management
Emergency management
Event management
Organizational resilience
Protective security
Supply chain security
Terminology

This website has been developed by Swedish Civil Contingencies Agency in collaboration with ISO and Swedish Institute for Standards responsible for the ISO/TC 292 secretariat

An overview of ISO/TC 292 can also be found at the ISO webpage.

ISO

SIS