ISO 22336:2024
Security and resilience - Organizational resilience - Guidelines for resilience policy and strategy
This document provides guidelines on the design and development of an organizational resilience policy and strategy. It includes:
- how to design and formulate a resilience policy;
- how to design strategy to achieve the objectives of a resilience policy;
- how to determine priorities for implementation of the organization’s resilience initiatives;
- how to establish a cooperative and coordinated capability to enhance resilience.
This document is applicable to organizations seeking to enhance resilience. It is not specific to any industry or sector. It can be applied throughout the life of an organization to enhance resilience. This document does not provide guidance on the development of an organizational resilience capability.
Sécurité et résilience — Résilience organisationnelle — Lignes directrices pour une politique et une stratégie de résilience
General Information
Overview
ISO 22336:2024 - Security and resilience - Organizational resilience - Guidelines for resilience policy and strategy provides practical guidance for designing and developing an organizational resilience policy and strategy. Applicable to any industry or sector and usable throughout an organization’s life cycle, the standard explains how to formulate policy, design strategy to meet policy objectives, set implementation priorities, and build cooperative, coordinated capabilities to enhance resilience. It does not, however, provide step‑by‑step guidance on building an organizational resilience capability.
Key topics and technical requirements
ISO 22336:2024 structures guidance around principles, attributes and a process-driven framework. Key topics include:
Policy formulation
- Defining a clear, shared vision and purpose for resilience policy.
- Understanding and influencing internal and external context.
- Fostering a culture supportive of resilience.
Strategy design
- Translating policy objectives into strategy that anticipates, absorbs and manages change.
- Aligning resilience strategy with organizational goals and shared knowledge flows.
- Establishing prioritized resilience objectives and timelines.
Strategy implementation
- Developing strategic implementation plans, allocating resources, and defining roles and responsibilities.
- Ensuring coordinated, aligned systems and empowered leadership to deliver resilience initiatives.
Enabling behaviours and attributes
- Promoting behaviours such as adaptability, inclusiveness, integration, reflection, preparedness, robustness and innovation.
Process, evaluation and continual improvement
- Context analysis (internal/external), horizon scanning, communication, KPIs, monitoring, reporting and continual improvement cycles.
Leadership and commitment
- Senior leadership engagement and institutional commitment to enhancing resilience.
Practical applications - who should use this standard
ISO 22336 is designed for organizations seeking to strengthen resilience at enterprise level. Typical users include:
- Senior leadership and governance bodies developing resilience policy
- Resilience, continuity, security, risk and emergency management professionals
- Strategy and change managers aligning resilience with business objectives
- Consultants and auditors assessing resilience policy and strategic alignment
Practical applications include creating a resilience policy, developing prioritized resilience strategies, establishing implementation plans, defining resilience KPIs, and improving coordination across departments and stakeholders.
Related standards
- ISO 22316 (foundational principles for organizational resilience) - referenced in ISO 22336:2024.
- Work by ISO/TC 292 (Security and resilience) - for broader context and complementary guidance.
Keywords: ISO 22336:2024, organizational resilience, resilience policy, resilience strategy, security and resilience, resilience objectives, resilience KPIs, policy formulation, strategy implementation.
Standards Content (Sample)
International Standard
ISO 22336
First edition
2024-10
Security and resilience — Organizational resilience — Guidelines for resilience policy and strategy
Sécurité et résilience — Résilience organisationnelle — Lignes
directrices pour une politique et une stratégie de résilience
Reference number
© ISO 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles
4.1 General
4.2 Policy formulation
4.3 Strategy design
4.4 Strategy implementation
5 Organizational context
6 Attributes of policies and strategies for resilience
6.1 General
6.2 Policy formulation
6.2.1 General
6.2.2 Shared vision and clarity of purpose
6.2.3 Understanding and influencing context
6.2.4 Culture supportive of organizational resilience
6.3 Strategy design
6.3.1 General
6.3.2 Anticipates, absorbs, and manages change
6.3.3 Shared information and knowledge
6.3.4 Continual improvement and evaluation
6.4 Strategy implementation
6.4.1 General
6.4.2 Availability of resources
6.4.3 Effective and empowered leadership
6.4.4 Coordination and alignment of systems
7 Enabling behaviours
7.1 General
7.2 Adaptable
7.3 Inclusive
7.4 Integrated
7.5 Reflective
7.6 Prepared
7.7 Robust
7.8 Innovative
8 Framework for resilience policy and strategy
8.1 General
8.2 Leadership and commitment
8.2.1 General
8.2.2 Commitment to enhancing resilience
8.3 Policy formulation
8.4 Strategy design
8.5 Strategy implementation
8.6 Evaluation
8.6.1 General
8.6.2 Key performance indicators
9 Process
9.1 General
9.2 Understanding the context of the resilience policy and strategy
9.2.1 General
9.2.2 Determining the internal context
9.2.3 Determining the external context
9.2.4 Horizon scanning
9.3 Communication
9.4 Policy formulation
9.5 Strategy design
9.5.1 General
9.5.2 Designing strategy to achieve resilience policy objectives
9.5.3 Ensuring alignment with organizational goals
9.5.4 Establishing resilience objectives
9.5.5 Prioritizing objectives
9.6 Strategy implementation
9.6.1 General
9.6.2 Developing a strategic implementation plan
9.6.3 Allocating resources
9.6.4 Roles and responsibilities
10 Continual improvement
10.1 General
10.2 Performance evaluation
10.2.1 Monitor and review
10.2.2 Measuring progress against resilience key performance indicators
10.2.3 Reporting
10.3 Implementing continual improvement
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document provides guidelines on formulating policy, designing strategy and determining priorities for
implementing an organization’s resilience strategy. It describes how organizations can better anticipate and
respond to change that will enable them to deliver their objectives and to survive and prosper.
ISO 22316 established the foundational principles for organizational resilience and a set of common
attributes demonstrated by the organizations that have adopted those principles.
Organizations increasingly recognize the challenges of disruption arising from natural hazards, climate
change, global conflicts, pandemics, epidemics and other human-made crises impacting upon society and
disrupting businesses. Consequently, organizations in the public and private sector are looking to initiatives
that will contribute to an enhanced state of organizational resilience.
This document provides guidelines on how organizations should be alerted to risks. It supports the measure
whereby an organization determines necessary tactics so that its vision and strategic direction provide a
lasting advantage, thus avoiding being complacent of its past or current success.
Figure 1 illustrates the framework for an organizational resilience policy and strategy.
The guidelines in this document are based on the principles of organizational resilience and the development
of essential attributes as set out in ISO 22316.
Figure 1 — Organizational resilience policy and strategy framework
International Standard ISO 22336:2024(en)
Security and resilience — Organizational resilience —
Guidelines for resilience policy and strategy
1 Scope
This document provides guidelines on the design and development of an organizational resilience policy and
strategy. It includes:
— how to design and formulate a resilience policy;
— how to design strategy to achieve the objectives of a resilience policy;
— how to determine priorities for implementation of the organization’s resilience initiatives;
— how to establish a cooperative and coordinated capability to enhance resilience.
This document is applicable to organizations seeking to enhance resilience. It is not specific to any industry
or sector. It can be applied throughout the life of an organization to enhance resilience.
This document does not provide guidance on the development of an organizational resilience capability.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions in ISO 22300 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
4 Principles
4.1 General
The resilience policy sets parameters for top management to embed resilience objectives into organizational
strategies.
The resilience strategy, part of the overall organizational strategy, establishes objectives and corresponding
activities in accordance with the policy. The resilience strategy and activities should allow the organization
to develop implementation plans and deliver its broader set of organizational objectives. This should
contribute to the strategic capability to anticipate and respond to change in order to survive and prosper.
There are three key principles that are the foundation for designing and implementing a resilience policy and
strategy. These principles, which are explained in detail in 4.2 to 4.4 and Clause 6, underpin the framework
for the process that will deliver the organization’s policy objectives.
Figure 2 illustrates the principles, attributes and enabling behaviours for designing and implementing the
organizational resilience strategy.
Figure 2 — Designing and implementing the organizational resilience policy and strategy
4.2 Policy formulation
The organization should document its intention to enhance its resilience in a resilience policy and assign
accountability for delivery of the resilience strategy.
The organization should establish a resilience policy that aligns the organization’s values and behaviours
with a shared vision and purpose. Such a policy aims to encourage a shared understanding of the
organization’s vision and purpose among all interested parties and leverage positive elements of its culture
during the design and implementation of the strategy.
4.3 Strategy design
The organization should design a resilience strategy that considers its governance structure and supports
a diversity of skills, leadership, knowledge, and experience. Top management should be effective and
empowered, understand the importance of sharing information and knowledge, and how the resilience
strategy influences other organizational strategies.
4.4 Strategy implementation
When implementing the resilience strategy, the organization should consider how it can effectively manage
risk and adapt to change. The organization should provide adequate resources to implement the strategy and
consider how it can anticipate, identify, absorb, and manage change, and coordinate and align its systems.
5 Organizational context
In highly interconnected societies, which are becoming increasingly common at the time of publication of
this document, organizations exist within a complex environment. The organization operates and achieves
its objectives in multiple global, social, economic and technological systems.
Each of these systems that interface with the organization contains a set of elements or parts interconnected
in such a way that their relationships can produce their own, potentially unexpected patterns of behaviour
over time and become the source of abnormal or extraordinary events, and unstable conditions that can
influence organizational resilience.
The interdependencies between these various systems and the interaction of the systems' respective
components establishes the contexts that an organization should take into consideration when formulating
policy and strategy for resilience.
Sources of opportunity, vulnerability and threats to organizations can arise out of changes in organizational
context. These changes can affect critical interdependencies and their influences on people, organizations,
communities and domains. Understanding the effects of changing context can contribute to more effective
policy formulation, and strategy and plans for resilience.
Threats to organizational resilience can emerge directly from changes in context. The volatility, uncertainty,
complexity, and ambiguity associated with unstable conditions affecting an organization can significantly
influence the rate at which these changes in context can transition to threats to organizational resilience.
The organization should continually scan the relationships and interdependencies between the elements
of its contexts to identify any changes in the conditions of the overall environment of the systems. Early
indicators of change can signify potential opportunities or identify emerging threats to organizational
objectives. By scanning multiple dimensions of the context, organizations can build knowledge that can be
applied as intelligence to formulate effective policies and strategies for organizational resilience.
The significance of any changes in organizational context and their potential impact should be assessed
from a strategic, tactical and operational perspective, as changes can have significant consequences at each
of these levels.
6 Attributes of policies and strategies for resilience
6.1 General
The organization should align the three key principles of policy formulation, strategy design and strategy
implementation with the common attributes and activities described in ISO 22316.
This alignment establishes the importance of applying the resilience attributes to anticipate and respond to
changing circumstances or conditions in an organization's environment which define its context and enable
it to survive and prosper.
NOTE ISO 22316 identifies the common attributes and activities that support an organization in enhancing its
resilience.
6.2 Policy formulation
6.2.1 General
The organization should consider the attributes described in 6.2.2 to 6.2.4 in the resilience policy.
6.2.2 Shared vision and clarity of purpose
The resilience policy should articulate the organization’s vision and purpose with respect to its strategic
objectives and commitment to continual improvement. These should be shared and understood by all
interested parties.
6.2.3 Understanding and influencing context
The organization should align its organizational resilience policy and strategy with its contexts, recognizing
multiple interdependencies and interactions across all dimensions of the environment in which it achieves
its objectives.
The potential for changes in the organizational context is central to an effective resilience policy and to
influence future conditions.
6.2.4 Culture supportive of organizational resilience
The resilience policy should confirm top management commitment to a diverse culture at all levels of the
organization.
6.3 Strategy design
6.3.1 General
The organization should consider the attributes described in 6.3.2 to 6.3.4 in the resilience strategy.
6.3.2 Anticipates, absorbs, and manages change
The organization should anticipate, identify, absorb and manage change, and effectively manage risk to
consistently deliver on its commitments.
6.3.3 Shared information and knowledge
The organization should share information and knowledge and implement systems so that personnel are
appropriately equipped to perform their roles.
6.3.4 Continual improvement and evaluation
The organization should assign roles to evaluate the effectiveness of the strategy design to achieve continual
improvement, so that performance management criteria are responsive to change.
6.4 Strategy implementation
6.4.1 General
The organization should consider the attributes specified in 6.4.2 to 6.4.4 when implementing the resilience
strategy.
6.4.2 Availability of resources
The organization should allocate adequate resources and systems to support the effective implementation
of the resilience strategy. These resources should be available when required and their suitability and
application routinely reviewed.
6.4.3 Effective and empowered leadership
The organization should assign responsibility to coordinate the resilience activities in the governance
structure and define roles and responsibilities, so that the purpose of the resilience-enhancing activities is
understood and decision-making is effective.
Those responsible for designing and implementing the strategy should come from different areas of the
organization and cover all aspects of the business, contributing a diversity of skills, knowledge, experience
and leadership capabilities.
6.4.4 Coordination and alignment of systems
The organization should align and coordinate systems and eliminate silos that create barriers among
functions as the strategy is implemented to facilitate the sharing of information and skills throughout the
organization.
7 Enabling behaviours
7.1 General
The organization should underpin organizational resilience using the following enabling behaviours (see
Figure 2) that affect how the organization and its personnel interact both internally and externally. The
benefits of the strategy will improve as more enabling behaviours are adopted.
Some enabling behaviours are widely relevant and should therefore be promoted and prioritized across all
organizational systems. Other enabling behaviours, however, are more specific and only relevant to certain
organizational systems. For example, being inclusive and integrated enables the organization to implement
each of its systems to enhance resilience, while being prepared and robust can address specific system
vulnerabilities.
7.2 Adaptable
The organization should demonstrate its adaptability by the following factors:
a) accepting uncertainty and change, ability to change, evolve, and adapt in response to changing
circumstances and to apply existing resources to new purpose;
b) having processes to promote the evolution of the organization by improving the efficiency and
effectiveness of activities rather than seeking solutions based on the status quo;
c) designing adaptability and flexibility into the organization's systems so it can evolve and manoeuvre
quickly, understand and adapt to the rapid pace of change and be fit for the future with the agility to
make decisions quickly, manage risks, minimize potential threats and capitalize on opportunities.
7.3 Inclusive
The organization should demonstrate inclusiveness by the following factors:
a) seeking collaboration with and engagement of its interested parties and working together toward a
common purpose or goal. The inclusion of its personnel in the collaboration creates a sense of shared
ownership or a joint vision to build resilience;
b) conducting broad consultation and engagement activities with interested parties, creating cohesion,
strengthening social contracts and empowering personnel to participate;
c) believing in the vision for its future, being aware of the risks it faces and its role in protecting and
developing the organization into the future;
d) addressing the risks across locations or line of business in isolation to be consistent with resilience;
e) distributing benefits and impacts justly and equitably across the organization to reduce stress and
disproportionately poor outcomes, providing a high quality of life for personnel, building cohesion and
empowering them to play an active role in its future.
7.4 Integrated
The organization should demonstrate integration by the following factors:
a) recognizing the importance of the diverse nature and characteristics of its personnel and other
interested parties, including a range of capabilities, information sources, and technical elements;
b) implementing diversity by bringing disparate thoughts and strategies into cohesive solutions and
actions, when opportunities arise;
c) integrating and aligning its systems to reduce silos, bringing together decision makers, sectors,
organizational units, budgets, activities, and agendas, making investments that are mutually supportive
of a common outcome and promoting consistency in decision-making;
d) working across the organization to achieve gains in efficiency and effectiveness by taking initiatives
that address more than one issue or realize multiple gains;
e) exchanging information between systems, thereby enabling them to function collectively and respond
rapidly through shorter feedback loops throughout the organization.
7.5 Reflective
The organization should demonstrate reflectiveness by the following factors:
a) understanding its systems and risks, allowing resources to be prioritized to provide maximum benefit,
and applying shared knowledge and learning to innovate and enhance resilience;
b) gathering information; harnessing real-time data and horizon scanning to improve situational
awareness; anticipating change and considering future conditions to inform evidence-based decision
making and build knowledge capital;
c) continuously evolving processes and improving standards or norms based on emerging evidence;
d) examining and systematically learning from their past, leveraging this learning to inform future
decision-making;
e) thinking beyond its current activities, processes, strategy, and organizational boundaries to increase
the organization's capabilities.
7.6 Prepared
The organization should demonstrate preparedness by the following factors:
a) investing when required in the capability to anticipate and respond quickly to changing circumstances;
b) being aware of its priorities, timescales and resource requirements;
c) demonstrating resourcefulness by finding different ways to achieve its goals or meet its needs during
an incident by anticipating future conditions, setting priorities, and mobilizing and coordinating wider
human, financial and physical resources;
d) making provision to make failure predictable, safe, and not disproportionate to the cause;
e) being prepared and resourceful to restore functionality of processes and systems, potentially under
severely constrained conditions and making use of opportunities that arise.
7.7 Robust
The organization should demonstrate robustness by the following factors:
a) having systems that address vulnerabilities through design, redundancy and fail-safe measures,
balancing risk, performance and cost;
b) having systems that are well-conceived, constructed, and managed to withstand significant impacts
without damage or loss of function and anticipate potential failures;
c) avoiding over-reliance on a single asset where cascading failure and design thresholds can lead to
catastrophic collapse;
d) having intentional, cost-effective, diverse prioritized redundancies at an organization-wide scale that
provide multiple ways to achieve a given need or fulfil a particular function;
e) purposely creating spare capacity within systems to withstand disruption, extreme pressures, or
surges in demand;
f) considering suppliers, routes to the end customer and, where appropriate, competitors and regulators,
so that the overall ecosystem (see Clause 5) is robust.
7.8 Innovative
The organization should demonstrate innovation by the following factors:
a) rapidly finding different ways to achieve its objectives or meet its needs under changing circumstances,
transcending traditional ideas, roles, and patterns by using originality of thought and demonstrating
imagination to create something new;
b) fostering creativity by seeking out and promoting new and innovative ideas to achieve its objectives,
adapting and transforming after disasters so that its systems thrive.
8 Framework for resilience policy and strategy
8.1 General
Figure 3 — Framework
Top management should establish a framework, as shown in Figure 3, to assist the organization in
implementing its resilience policy into significant functions and activities across the organization. The
framework ensures the resilience policy objectives are actionable via the resilience strategy design and
implementation. The framework is integrated into other organizational policies and strategies.
Top management should also consider the previously described principles (see Clause 4), attributes
(see Clause 6) and enabling behaviours (see Clause 7) in establishing its framework for implementing its
resilience policy and strategy.
8.2 Leadership and commitment
8.2.1 General
Top management should demonstrate a strong and sustained commitment to design, develop and coordinate
management systems to enhance resilience.
Components of the policy and strategy should be adapted and arrangements supported to the extent
necessary for effective implementation.
Top management should:
a) formulate, endorse and maintain the resilience policy, strategy and implementation plan;
b) align the policy and strategy with the strategic direction of the organization;
c) ensure the resilience policy is consistent with other organizational policies;
d) develop objectives for the resilience policy;
e) determine performance criteria for each strategic objective and initiative, and align them with the
interests of the organization;
f) embed resilience objectives in all organizational policies and strategies;
g) provide organizational commitment, collaboration and contribution at all levels;
h) assign accountabilities and responsibilities to achieve the resilience objectives;
i) empower all levels of the organization to make decisions that protect and enhance the resilience of the
organization;
j) take accountability for the effectiveness of the implementation of the strategy;
k) allocate necessary resources to the implementation of the strategy;
l) communicate the importance, benefits and expected outcomes of the policy and strategy;
m) monitor the progress of implementation of the resilience strategy;
n) confirm that the policy and strategy achieve the intended outcome(s).
8.2.2 Commitment to enhancing resilience
Top management should demonstrate its continual commitment to enhance resilience. The commitment
should include, but is not limited to:
a) identifying the purpose for enhancing resilience and links to its strategic objectives and other policies
and strategies;
b) fostering a culture that supports enhancing resilience;
c) establishing resilience leadership roles and responsibilities within the organization and assigning
authorities, responsibilities and accountabilities;
d) coordinating and aligning systems and functions across the organization and linking these to strategic
objectives;
e) providing the necessary resources;
f) dealing with conflicting objectives;
g) measuring and reporting against key performance indicators;
h) continually reviewing and improving resilience.
Decisions on enhancing the policy and strategy design framework should be based on the monitoring and
reviewing of results, and lead to improvements in the resilience culture.
The organization should communicate its commitment to enhancing resilience within the organization and
to external interested parties as appropriate.
8.3 Policy formulation
The organization should formulate its resilience policy by considering its objectives and expectations. Top
management should confirm that the policy:
a) is a high-level statement of its intention and direction for enhancing resilience;
b) calls for commitment from all interested parties to satisfy the organization’s expectations;
c) authorizes and empowers those responsible for supporting the design and implementing the resilience
policy and strategy;
d) specifies the alignment of the objectives of the policy to the desired enhancement of resilience attributes
and enabling behaviours (see Clauses 6 and 7) relevant to the organization;
e) aligns with behaviours that shape organizational culture and foster creativity and innovation, and
transformative thinking;
f) refers to or integrates with new or existing organizational policies and strategies;
g) communicates the importance, benefits and outcomes of the policy;
h) commits to continual improvement and maintenance of the resilience policy.
Top management should communicate the policy, make it available, and maintain it as documented
information, so that it is understood and applied within the organization.
8.4 Strategy design
The resilience strategy should be designed to achieve the objectives of the policy. Top management should:
a) analyse gaps between the current state and the intended outcome(s) of the strategy;
b) develop an appropriate strategy and implementation plan including annual action plans, time frames
and allocate resources;
c) embed resilience objectives into new and existing organizational policies and strategies;
d) create a culture supportive of resilience against which it can be assessed;
e) consult interested parties so that the framework remains appropriate;
f) develop and set objectives and align decision-making with the outcomes of the resilience policy.
8.5 Strategy implementation
Successful implementation of the strategy requires the engagement and awareness of interested parties to
achieve ongoing enhancement of resilience for the organization.
The organization should develop a process to implement its resilience strategy that includes:
a) identifying key products and services, customer segments/markets, channels, obligations and financial/
value-added outcomes;
b) establishing the scope of the implementation;
c) developing action plans to deliver the strategy objectives.
8.6 Evaluation
8.6.1 General
The organization should evaluate the effectiveness of the framework by:
a) measuring the performance of the framework against its purpose, implementation plans, indicators and
expected behaviours;
b) confirming that it remains suitable to support achieving the objectives of the organization.
NOTE The intention
...
Frequently Asked Questions
ISO 22336:2024 is a standard published by the International Organization for Standardization (ISO). Its full title is "Security and resilience - Organizational resilience - Guidelines for resilience policy and strategy". This standard covers: This document provides guidelines on the design and development of an organizational resilience policy and strategy. It includes: - how to design and formulate a resilience policy; - how to design strategy to achieve the objectives of a resilience policy; - how to determine priorities for implementation of the organization’s resilience initiatives; - how to establish a cooperative and coordinated capability to enhance resilience. This document is applicable to organizations seeking to enhance resilience. It is not specific to any industry or sector. It can be applied throughout the life of an organization to enhance resilience. This document does not provide guidance on the development of an organizational resilience capability.
ISO 22336:2024 is classified under the following ICS (International Classification for Standards) categories: 03.100.01 - Company organization and management in general. The ICS classification helps identify the subject area and facilitates finding related standards.