Topic

Risk & resilience in the public sector

The adoption of risk and resilience standards is becoming crucial in the public sector. Building resilience to disruption is a growing priority for many governments. By planning ahead and using established and innovative risk management solutions, authorities can reduce threats, as well as the financial and physical impacts on people, property and infrastructure.

Shaping more resilient societies

Learn how standards support the provision of future-proof public sector services and governance

How to manage information and cyber risks in the public sector
Article

How to manage information and cyber risks in the public sector

The public sector operates in an environment driven by data. From education and healthcare to utilities and housing, data is now as integral to the success of public services as the teams and physical infrastructures through which they are deployed. With the increase in the volume and complexity of data, however, has come an increased risk of its loss, theft or misuse through malicious attacks or mismanagement, incidents that threaten citizens’ privacy and security and cause serious disruption to essential services. Recent high-profile data breaches, many of which involved outdated legacy IT platforms, have brought these security concerns into the spotlight.

The adoption of cloud-based IT systems, though not universal, is helping to reduce this risk through robust security safeguards and sophisticated end-to-end data encryption. However, the transition from on-premise or hybrid server data management to remote cloud systems poses its own security challenges. First, the rise in the use of collaboration tools means staff need established best practices for managing data that may be shared with other people and organizations. Second, the growth of ‘shadow IT’ (productivity applications downloaded by staff and used on both personal and work devices, often without the knowledge or authorization of IT managers) can create opportunities for hackers to bypass system security and access sensitive data. In both cases, the challenge can be met with coordinated staff training and education, so that everyone in the organization, not just IT teams, understands the risks and commits to the highest standard of Information Security Management Systems (ISMS).

Public services have an obligation to embrace the government’s digital transformation agenda to make the most of the efficiencies modern cloud-based computing brings. However, the pace of this uptake must never be at the expense of security for users, organizations and, above all, citizens.

Cyber Threats to Public Sector Organizations

The sheer volume of sensitive information now held and shared across networks means organizations of every kind are targets for cybercriminals wishing to disrupt critical services or profit from the monetary value of data on the dark web. Increasingly, cyber-attacks are mounted not just by individual malicious actors but by nation-states acting through proxy servers, which makes it even more difficult to trace the attack and attribute blame. Cyber-attacks fall into three main categories:

- Distributed Denial of Service (DDoS) - DDoS attacks are launched from large linked networks of computers (botnets), used without their owners’ knowledge, that swamp websites and other networks with connection requests until their capacity to operate is overwhelmed. Those behind such attacks will often demand ransom payments to withdraw them.
- Ransomware - Ransomware is malicious software that infiltrates network systems, often via unscreened email or software downloads, and paralyzes part or all of the network’s functions.
- Massive data breaches - Data breaches can be malicious, when criminals hack network systems’ security to steal sensitive information, or accidental, when information is leaked, lost or inadvertently placed in the public domain.

Information Security Standards in the Public Sector

With today’s citizens expecting fast, easy, personalized digital experiences, public organizations need platforms and systems capable of adapting to those demands and helping prevent cyberattacks. The increase in hackers, human errors, data breaches and Bring-Your-Own-Device (BYOD) policies, together with the necessity to share and protect companies’ information, is prompting public organizations to consider digital transformation strategies. Evolving technologies and emerging threats continue to play a part in risk management. As data and applications move to the cloud and remote working is more freely facilitated, it is imperative that data owners, in conjunction with their technology leadership teams, are aware of their regulatory requirements and identify the appropriate training and technical processes.

Using information security standards can offer a set of powerful business and marketing tools for organizations of all sizes. You can use them to fine-tune your performance and manage the cybersecurity risks you face while operating in more efficient and sustainable ways. They allow you to demonstrate the quality of your information security to your customers, and they help you to see how to embed data protection best practices into your organization.

- BS EN ISO/IEC 27001 Information security management system (ISMS) - an excellent framework that helps organizations manage and protect their information assets so that they remain safe and secure. It helps you to continually review and refine the way you do this, not only for today but also for the future. That is how BS EN ISO/IEC 27001 protects your business and your reputation, and adds value.
- BS EN ISO/IEC 27701 Privacy information management - provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.
- BS EN ISO/IEC 27002 Security controls - provides guidelines to help organizations select, implement and manage information security controls, taking into account their risk environment. By implementing and maintaining suitable controls, organizations become less susceptible to information security breaches and the financial and reputational damage they cause.
- BS EN ISO/IEC 27017 Security controls for cloud services - provides enhanced controls for cloud service providers and cloud service customers. Unlike many other technology-related standards, BS EN ISO/IEC 27017 clarifies both parties’ roles and responsibilities to help make cloud services as safe and secure as the rest of the data included in a certified information management system.
- BS 10012 Personal information management system - provides a best practice framework for a personal information management system that is aligned to the principles of the EU GDPR. It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals.

To prepare your public service business for facing cybersecurity challenges, add our cybersecurity standards to your collection today.

Discover BSI Knowledge

In the face of growing cybersecurity threats, all businesses in the public sector need to strengthen their information security. However, knowing which standards can help you and how to share their guidance within your organization can seem like a huge challenge. With a BSI Knowledge subscription, you will have the flexibility and visibility to manage the key standards you need in order to enhance your cybersecurity processes with confidence. Build your own custom collection of standards, or opt for access to one of our pre-built modules, such as GBM24 Information Technology - Software & Networking, and keep up to date with any relevant changes to your standards strategy. Request to learn more.
Rethink organizational resilience with the revised BS 65000
Article

Rethink organizational resilience with the revised BS 65000

A pandemic, climate change, economic crises and consumer trends are just some of the pitfalls that can dramatically affect the way an organization does business and survives. Organizational resilience is a strategy that helps businesses not only to survive change but also to view these challenges as a larger opportunity to re-examine their identity, their vision, how they work and how they grow. COVID-19, and to an extent Brexit and climate change, have all made organizational resilience a strategic issue. As we look to the future of business operations, resilience will be a defining strategic issue for many organizations.

BS 65000 Guidance on organizational resilience has recently been revised to enable the UK to remain at the forefront of resilience thinking and to shape the future of global standard development in this area. This revision also serves to better support organizations as they seek to strengthen their long-term resilience and responsible business agendas.

What does organizational resilience mean for your business?

How quickly was your business able to adapt during the COVID-19 pandemic? Could it survive another unforeseen crisis? These are the questions that have no doubt been plaguing the minds of every business owner, executive, investor and employee since 2020, highlighting the strategic importance of resilience for every business, no matter the size or sector.

Organizational resilience is the ability of an organization to respond and adapt to change, anticipate future threats and opportunities, and identify its risks. It includes effective planning and decision-making to build adaptive capacity in complex and rapidly changing circumstances, and the agility to manage the broad range of risks unique to its operation.

The benefits of resilience are clear, enabling organizations to:

- Adapt successfully to unforeseen and disruptive changing environments
- Gain a competitive edge by identifying gaps and taking advantage of opportunities
- Be more agile and innovative by learning from trends
- Reduce costs and increase efficiency by avoiding potential pitfalls
- Obtain a better understanding of risks and opportunities
- Preserve and improve their reputation by being seen as vigilant and robust
- Engender trust amongst external clients and internally amongst staff
- Cultivate a culture of shared purpose and values

The revised BS 65000 will help organizations understand what resilience means to them and provide the necessary guidance to help businesses reap the benefits and build a more resilient future. Discover how a resilience-based approach supported supply chains throughout the COVID-19 pandemic by reading our article ‘Supply chain resilience standards: Responding to COVID-19’.

BS 65000: The revised organizational resilience standard

Originally published in 2014 as a guidance standard, BS 65000 is a landmark organizational resilience standard that describes the foundation and action required by organizations to build resilience. It covers an organization’s capacity to anticipate, respond and adapt, which could be crucial to its survival. BS 65000 has been revised as a code of practice containing more recommendations as well as guidance. The revision updates the terminology, approach and scope of resilience across industries, sectors, and organizational types and sizes. It provides guidance and recommendations on what constitutes organizational resilience, its defining attributes, and the practical measures that should be considered and taken.

Currently, several global standards exist within the crisis management and business continuity management arenas that affect the overall governance of an organization. This organizational resilience standard can help to enhance these practices by integrating the disciplines that are essential for resilience. BS 65000 references other activities including risk management, horizon scanning and change management.

BS 65000 and over 100,000 more internationally recognized standards are available for simple and flexible access with a BSI Knowledge subscription. This tailored service provides flexibility, access, visibility and control over the standards and insights your team needs to achieve your strategic objectives. Request to learn more. Ensure your business is incorporating the latest resilience thinking into its strategies by adding BS 65000 to your collection today.
BS EN ISO 22361: Managing crisis effectively
Article

BS EN ISO 22361: Managing crisis effectively

How prepared is your organization to manage crises? When crises occur, they present organizations with complex challenges, and even opportunities, that can have profound and far-reaching consequences. While every crisis is unique, there are common threats that come with disruption no matter your sector or business structure: for example, financial harm because of a corruption scandal, or workforce turmoil when a pandemic forces teams to work remotely. With the COVID-19 pandemic still fresh in our minds, many businesses have realized that crisis management needs to be a strategic priority. An organization’s crisis management capability, and its ability to manage a changing environment, are key in determining whether a situation will pose a serious threat to the business.

Knowing where to start with developing a crisis management capability can seem daunting. To help businesses become more confident by developing a structured approach to dealing with crises, we have published BS EN ISO 22361 Crisis Management – Guidelines. This is an international standard that provides invaluable guidance on crisis management to help organizations plan, establish, maintain, review and continually improve a strategic approach to crisis management.

What is BS EN ISO 22361?

The ability of an organization to manage a crisis depends on its preparation. As a crisis usually occurs unexpectedly and potential risks to the business loom heavy, the readiness of an up-to-date crisis management plan offers protection and can limit potential damage. BS EN ISO 22361 is a crisis management standard that can help any organization to prepare for, identify and manage a crisis. Its guidance includes:

- Context, core concepts, principles and challenges
- Developing an organization’s crisis management capability
- Crisis leadership
- The decision-making challenges and complexities facing a crisis team in action
- Crisis communication
- Training, validation and learning from crises

BS EN ISO 22361 is primarily intended for those who have strategic responsibilities for the delivery of a crisis management response. However, it is relevant to all types and sizes of organizations. It also supports wider discussions on crisis management across organizations with agreed key terms and definitions, and includes references to many relevant management system standards, which can save time and improve investment decisions. Want to increase the resilience of your organization? Discover how organizations are rethinking their approach to resilience with BS 65000.

What are the benefits of this crisis management standard?

Holistic crisis management that is specific to your business will help your organization withstand disruption, sustain your core business functions and reduce the overall negative impacts of a crisis when it occurs. BS EN ISO 22361 draws on recent and relevant academic evidence, business insights and new thinking to bring organizations benefits such as:

- Being able to identify crisis situations before they occur
- Increasing the wellbeing of your employees and customers
- Limiting negative impacts and helping to maintain business continuity
- Protecting your company from legal exposure
- Improving your communication during a crisis
- Maintaining your reputation
- Aligning with UN Sustainable Development Goals (SDGs) Goal 3 on Good Health & Wellbeing and Goal 11 on Sustainable Cities & Communities

Over 100,000 internationally recognized standards are available for simple and flexible access with a BSI Knowledge subscription. This tailored service provides flexibility, access, visibility and control over the standards and insights your team needs to achieve your strategic objectives. Request to learn more. Reap the benefits of improving your organization’s ability to manage a crisis by adding BS EN ISO 22361 to your collection today.
What should you have set up in an emergency or when disaster strikes?
Article

What should you have set up in an emergency or when disaster strikes?

You are at work and there’s an emergency! Thankfully, all your people are safe, but what else is at risk? What resources do you need to protect those important assets? Who can help? What do you do first? Thinking about the worst that could happen is an uncomfortable task. Yet if a natural disaster strikes or a fire breaks out, thorough preparation could well be what saves your organization’s assets and documents.

BS ISO 21110:2019 Information and documentation — Emergency preparedness and response provides an outline for preparing for, responding to and recovering from an emergency in your workplace. The standard is not about human lives, but specifically about immobile, irreplaceable assets. It sets out how you can put flexible and comprehensive arrangements in place to respond to small events, which can be scaled up for larger emergencies. BS ISO 21110 is orientated towards the heritage sector, with a focus on the rescue and preservation of records and artefacts, yet the bulk of its lessons can be applied to many organizations’ assets.

How to make decisions when facing a crisis

If disaster strikes, you will need to make several key decisions fast, and emergencies can make the most level-headed people panic. Therefore, it is best to have decided in advance what needs to be done and who will be responsible. The standard sets out how to prepare for an event that forces the relocation of a collection or archive. In the case of a museum affected by a small flood, for example, somebody will need to take the decision to move the collection out of the way. Such a decision depends upon factors such as human safety, available means, evacuation routes and the risk of building collapse. Other people will be responsible for communicating this to staff, the public and the authorities.

Another key area of action will be coordinating response teams, planning an evacuation route, logistics and transport. This might entail liaising with others outside the organization, such as the police, to escort transport. Items in the collection will need to be packed carefully and registered as they leave the damaged site, and registered again on arrival at the alternative location. The standard provides a useful template that you can adapt to the needs of your own organization.

Emergency supplies for businesses

You should keep an easy-to-carry or easy-to-push emergency kit for immediate use, which must always include personal protective equipment. In the heritage sector, this kit should also contain everything you might need in the first instance to protect, evacuate and stabilize your collections. It should be supplemented by equipment that can be found or bought elsewhere on your site. The template supplied in BS ISO 21110 covers:

- health and safety equipment, such as gloves and goggles
- equipment you might need in the affected zone, such as tarpaulins, tarpaulin tape and fans
- equipment for a treatment area, such as ziplock bags for damaged items
- communications kit, such as mobile phones and walkie talkies

You should also have a list of service suppliers who can help in the aftermath of an emergency, such as companies that control mould and damp, security contractors and conservators. Make sure you check your emergency supplies and lists regularly and update them if necessary.

The role of stakeholders in times of business crisis

You should also identify in advance which stakeholders would be affected and what their roles should be at each stage of the incident and recovery. In terms of first response, you might need to contact the police, fire brigade and other emergency services. You should also communicate with neighbours if the emergency could affect them. In the immediate aftermath, you will also need to speak to your insurance provider and possibly the media. Local officials and agencies should also be involved. Contractors, non-profit agencies and donors could be vital for rebuilding efforts. Other sector-relevant bodies, such as the International Council of Museums, could provide vital expertise. By identifying all stakeholders and their potential roles in advance, you are maximizing your chances of protecting your organization’s archives and artefacts and swiftly restoring them to their former glory.

Understanding the role of standards in preparing for business crisis

BS ISO 21110:2019 provides a context for key emergency planning, response and recovery moves for the protection and conservation of your assets. It addresses the consequences of an emergency event, not the causes. Although there is no single approach that covers every site, this publication enables you to plan an approach that meets your organization’s needs, to be carried out in conjunction with other relevant plans. You might also consider implementing more general resilience principles in your organization. BS 65000:2022 Organizational resilience. Code of practice is the standard in this area, helping organizations understand what resilience means and providing guidance to build a more resilient future.

Discover BSI Knowledge

Over 100,000 internationally recognized standards are available for simple and flexible access with a BSI Knowledge subscription. Our tailored subscription service allows you to build your own custom collection of standards or opt for access to one of our pre-built modules, keeping you up to date with any changes. With support from a dedicated BSI account manager, our subscription service helps you achieve a more coherent and effective approach to best practice. Request to learn more.
