We love security standards – they give us a baseline and enable us to consciously diverge from defined industry practice where it suits us. This morning we became aware of a security standard that looks like it will make for very interesting reading.

It seems that the Netherlands are leading the way in enterprise security management for the moment, having just released a “Universal Security Management System Standard” for (protective) security programs. While ISO 28001 (and indeed the Protective Security Policy Framework [PSPF]) filled the need for many, this security management system standard is likely to appeal to a much broader audience.

What such a security standard represents is not only the opportunity to gain insights from the toils of security consultants from another jurisdiction, but also the basis from which to finally gain accreditation for corporate security programs. This has been lacking in the market (outside of ISO 28001) and, pending a detailed review of the standard (it’s in the mail…and seems to be only available in hardcopy for the moment, so we’ll reserve final judgement until it arrives) promises to offer the industry several significant benefits. These include:

1. making it simpler to define a common lexicon and understanding among stakeholders;
2. acting as an aid to defining security program architecture;
3. generating awareness of security system design principles to establish senior management support;
4. providing the basis for conscious divergence from a common philosophy;
5. assisting communication across traditional, functional boundaries;
6. promoting the regard for security management through adoption of mature concepts;
7. providing the platform for additional security standards development;
8. providing flexibility within what might be regarded as an otherwise rigid risk framework;
9. providing the basis for gap analysis with existing systems; and (of course)
10. offering the opportunity for accreditation.

While #10 may not appeal to everyone, many would be more comfortable knowing that their program is formally regarded as standards-based. This can aid in any number of ways, especially when business cases are to be justified and (internal/external) scrutiny is to be applied. The early view also suggests that the standard is heavily risk focused, which is heartening.

There is some other movement in this space, with a similar standard currently being developed by an ISO working group, so expect to have further choices in due course. This will bring similar benefits and opportunities and will consider approaches defined within those standards that were published before it.

The link to the Netherlands Universal Security Management System Standard is: http://www.lulu.com/shop/http://www.lulu.com/shop/marcel-spit/universal-security-management-systems-standard-2017/paperback/product-23299681.html.

Register to be updated as further articles of this type are added.

Yours in security risk and resilience,

Konrad Buczynski

Industry Risk

Industry Risk is Australia’s shining light in solutions for Protective Security and Business Resilience. We welcome opportunities to assist entities in getting to a security baseline, then helping guide them in more advanced endeavours.