In today’s rapidly evolving risk environment, organizational resilience is more important than ever. Security leaders are navigating an increasingly volatile landscape, meaning that the ability of an organization to quickly adapt and thrive in spite of new challenges is not just beneficial—it’s essential.
ISO 22336 is the latest addition to the already extensive collection of standards, with around 17 publications supporting organizational resilience such as ISO 22301 for business continuity management and ISO 22316 which outlines resilience principles. In this environment, the purpose of ISO 22336 is to provide a guiding framework to help organizations elevate resilience from an abstract concept to an embedded strategic priority.
To help security professionals understand the role of the new standard, we have unpacked what they need to know about ISO 22336 and its practical value in 2024:
ISO 22336:2024 at a Glance
The new ISO 22336 offers detailed guidelines for creating and embedding resilience policies and strategies within an organization. The standard has been designed to move resilience from a theoretical concept to a practical, actionable framework that security leaders can implement across their operations. In essence, ISO 22336 is a new entry to the security and resilience standards environment to support organizations in anticipating, adapting, and responding to disruptions, ensuring they remain operational and effective.
While other resilience and business continuity standards often focus narrowly on recovery, ISO 22336 has been developed to capture a more comprehensive approach. It expands beyond the reactive measures of ISO 22301 and the foundational principles laid out in ISO 22316, which primarily emphasize what resilience is and why it matters. ISO 22336 is intended to provide the how: a roadmap for integrating resilience into the strategic fabric of an organization. This shift is particularly important for security professionals as it aligns resilience with broader risk management and operational goals, rather than treating it as an isolated initiative.
What Matters Most: The Framework for Policy and Strategy
ISO 22336 outlines requirements for a robust framework to design and embed resilience policies and strategies across organizations. Top management is urged to establish a clear strategy that includes:
- Leadership and Commitment: Ensuring that top management endorses and supports resilience as a priority, aligning policy objectives with organizational goals.
- Policy Formulation: Creating a high-level policy that expresses the organization’s vision for resilience, encompassing cultural values and engagement from all levels.
- Strategy Design: Developing a resilience strategy that considers diverse leadership, knowledge-sharing, and resource allocation to manage changes and risks effectively.
- Strategy Implementation: Ensuring resources are allocated effectively and fostering leadership that supports the resilience agenda.
- Continual Evaluation and Improvement: Monitoring performance against key indicators and revising strategies so the organization can adapt to emerging challenges.
Like other standards in the series, the approach makes clear that resilience cannot be siloed; it needs to be integrated into every aspect of an organization’s culture.
What Does the New Standard Mean for Security Leaders?
For security leaders, the changes introduced by ISO 22336 may not feel like a game changer. Much of what it proposes, such as adaptability, continuous learning, and leadership involvement, echoes concepts found in other ISO standards focused on resilience-building, like ISO 22316 and ISO 22301. This overlap raises a legitimate question about whether adopting ISO 22336 is necessary at all, particularly if existing practices already align with these well-known frameworks.
A common critique of resilience standards including ISO 22336 is that they are often too theoretical and may not support substantial, practical changes within an organization. In short, while ISO 22336 provides a structured framework for best practices, leaders may find that it lacks actionable, day-to-day steps that can be implemented seamlessly. Additionally, there is the risk of putting compliance over substance: organizations might adopt ISO 22336 for the sake of certification rather than embedding its principles into the core culture of the organization. This can lead to a “check-the-box” mentality, where adherence becomes more about ticking off requirements than fostering meaningful resilience.
Moreover, because ISO standards are designed to apply universally, they can be overly generic, making it challenging for leaders to apply their principles to industry-specific risks. Combined with a built-in tendency to adapt slowly to emerging threats, this can limit their effectiveness. The emphasis on extensive documentation also poses a challenge, pulling attention away from simple, proactive, results-oriented risk management and toward fulfilling administrative requirements.
In short, while ISO 22336 introduces solid principles that reinforce resilience strategies, standards are only one tool in the organizational resilience toolkit. Security leaders need to be critically aware of this to understand both the benefits and limitations of aligning to the standard.
So What’s The Value?
ISO 22336 is not a major shift for security leaders familiar with existing standards, but it can still add significant value by reinforcing principles and providing a new best-practice reference point for continuous improvement. It also strengthens the business case for investing in initiatives that further embed resilience in organizational culture, which makes the standard an effective communication tool for top management.
Criticisms of standards, such as their potential for superficial adoption, highlight that leaders should not expect ISO 22336 to single-handedly drive effective resilience. Instead, the new standard should be viewed as an additional, useful step forward: a tool that helps refine best practices and guide the organization’s risk management strategy towards a stronger footing.
The aim of ISO 22336 is to provide leaders with a comprehensive framework for embedding resilience into organizational strategy, moving beyond high-level principles to practical guidance. While it reinforces familiar concepts from other standards, its value does lie in offering a structured, actionable approach to continuous improvement and proactive adaptation.
Critics argue that ISO standards can sometimes be too theoretical or lead to compliance-focused adoption that rarely drives meaningful change. But by recognizing these potential pitfalls and adjusting expectations, security leaders can still find significant value in the new best-practice guide, and an additional tool on the path to embedded organizational resilience.
Interested in learning more about how we work with risk leaders to drive more effective resilience programs? Human Risks develops scalable tools to help drive consistent security resilience strategies across large operating footprints. Connect with the team for a demo.