Corporate Security Governance
- On 05/05/2018
If you’re an Australian corporate security manager you will be well aware that there is no recommended corporate security framework in the standards sense. There are a few helpful management or governance systems that can be adopted, and the Commonwealth Government has long led the charge in the form of the Protective Security Manual (PSM), which later became the Protective Security Policy Framework (PSPF). The latter is currently accompanied by the Information Security Manual and associated protocols, guidelines and standards, although it has just undergone a major makeover.
The makeover came as a consequence of the ‘Belcher Red Tape Review’, commissioned in March 2015 [1]. As a result the PSPF is being scaled back to reduce unnecessary imposts on the Departments and Agencies it applies to, which are not served well by the current, very prescriptive requirements. The 36 Mandatory Requirements have been reduced to 16 Core Requirements, and much greater emphasis has been placed on risk-based security planning. The risk element raises interesting questions that will be discussed in a separate post; suffice to say, the less prescriptive approach is a good thing, but the push into genuine security risk management practice will test levels of competency.
The absence of a PSPF equivalent in the private sector makes it difficult at times to create baselines and benchmark against recognised practice. That’s not to say nothing exists, but what is available is fragmented, lacks authority and in many cases is operational or tactical in focus. ISO 28000:2007 – Specification for security management systems for the supply chain is an exception: a versatile management system standard that Industry Risk personnel have used for some time in both corporate and consulting solutions planning. As a security management system it provides for strategic program design and strikes a reasonable balance between risk, security governance and assurance. But it is generalist, and it takes significant effort to assess and articulate all components of the system in context.
There is good news, then, for those who have been waiting for a private sector equivalent to the PSPF. ISO TC (Technical Committee) 292 is currently developing such a standard, which aims to fill the gap. Titled “ISO 22340 Security and resilience – Protective security – Architecture, framework and guidelines”, it has been in development for some time, and it will likely be a little while longer before it is released (such is the nature of the ISO process). It aims to encompass the entirety of an enterprise security program (i.e. both protective and cyber-security), and the ISO website has this to say about it [2]:
“A clear set of standardized principles, outcomes and controls will be helpful across the global security world, in protecting people, information and assets in a much more coherent and effective fashion than hitherto. Such a standard will bring a number of benefits, including uniformity, increased dialogue among adoptees (and more uniform continual improvement), development of vertical solutions, agility through clear understanding and ease of uptake across the security profession and communities.
Currently, there are many security-related standards which provide guidance on security practices in various domains – transport security, security operations, electronic security, information security and physical security as some examples. While, to various degrees, linked by normative referencing, there is yet to be an overarching principles-based architecture within which standards and the practices of entities regarding protective security can be strategically aligned; or on what protective security actually is and how each body of work (standard or enterprise security measure) relates to and assists in delivering it”.
As a member of the associated Working Group I look forward to a clear definition of an enterprise security standard that caters for those in Corporate/Agency/Chief Security Officer type roles. Such a standard will give security managers a better focus on recommended industry practice, and this will serve us well in strategising, governing, collaborating and communicating, justifying business cases, resourcing and benchmarking. Perhaps just as importantly, it will also provide a defensible approach to security program design and threat assumptions for those who need it.
Yours in security risk and resilience,
Konrad Buczynski
Industry Risk is Australia’s shining light in solutions for Protective Security and Business Resilience. We welcome opportunities to assist entities in getting to a security baseline, then helping guide them in more advanced endeavours.
[1] https://www.finance.gov.au/publications/reducingredtape/findings/