CASSANDRA Approach and the relevant international standards for business resilience

CASSANDRA is a free-of-charge methodology that focuses on assisting SMEs.

The CASSANDRA Approach fully complies with the requirements of the pertinent international standards and focuses primarily on actions that will improve the organisational resilience of businesses and their operations. It does this by utilising risk management, business continuity and information security principles in an appropriate, effective and efficient way, corresponding with the size and capabilities of average SMEs. SMEs that follow the CASSANDRA Approach will see major improvements in terms of minimizing their exposure to risks, turning threats and vulnerabilities into opportunities, and increasing their resilience.

There are several international standards that apply to the objectives contained in the CASSANDRA Approach:

ISO 31000:2009, Risk management – Principles and guidelines provides principles, a framework and a process for managing risk. It can be used by any organisation, regardless of its size, activity or sector. Using ISO 31000 can help organisations to increase the likelihood of achieving objectives, to improve their identification of opportunities and threats, and to allocate and use resources for risk treatment effectively.

ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems – Requirements is part of the ISO 27000 family of standards that helps organisations keep information assets secure. ISO/IEC 27001 is the most well-known standard in the family. It specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.

ISO 22301:2012 Societal security - Business continuity management systems – Requirements specifies requirements for establishing and running a management system to protect against and reduce the likelihood of disruptive incidents occurring, and to prepare for, respond to, and recover from them when they arise. The requirements specified in ISO 22301:2012 are generic and intended to be applicable to all organisations, or parts thereof, regardless of type, size and nature.

ISO 9001:2015 Quality management systems – Requirements is the most well-known part of the ISO 9000 family. It addresses various aspects of quality management that provide guidance and tools for companies and organisations that want to ensure that their products and services consistently meet their customers’ requirements and that quality is consistently improved. ISO 9001 requires the implementation and use of risk management in company operations. The requirements set out in ISO 9001:2015 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.

ISO/DIS 22316 Security and resilience – Guidelines for organizational resilience is a standard that is still under development. It features a framework to help organisations make their business future-proof by creating a resilience culture, improving their capacity to anticipate and respond to threats and opportunities, and enabling the organisation to keep delivering on its commitments in the face of complex changes.