
Security and Resilience – Guidelines for complexity assessment process

In November 2018, the International Organization for Standardization published ISO 22375 Security and Resilience — Guidelines for complexity assessment process.

According to ISO, “This document gives guidelines for the application of principles and a process for a complexity assessment of an organization’s systems to improve security and resilience. A complexity assessment process allows an organization to identify potential hidden vulnerabilities of its system and to provide an early indication of risk resulting from complexity.”

ISO 22375 originates from the Italian standard UNI 11613, published in 2015 and initiated by Ontonix. Ontonix is a principal co-author of UNI 11613.

Complexity-induced risk is today the most insidious form of risk

“We are pleased to have contributed to the ISO 22375” said Dr. J. Marczyk, the founder and President of Ontonix. “Complexity-induced risk is a new form of risk, introduced by Ontonix and the management of which Ontonix has pioneered since its founding in 2005. Complexity-induced risk is today the most insidious form of risk”, he added. “We do, however, have reservations as to ISO 22375.

First of all, it provides a subjective assessment in that it is based on arbitrarily assigned weights. Second, the analysis procedure has a strong linear flavour and discounts the presence of critical complexity. This last fact indicates that the standard leans heavily towards a qualitative analysis, neglecting such fundamental principles of physics as the Second Law of Thermodynamics. Finally, the standard speaks of resilience but no measure of resilience is proposed or discussed”, he concluded.
