Craig Willetts ISO & Business Consultant
How to tackle the ISO 28000 - Supply Chain Security Management Systems

The ISO 28000, Supply Chain Security Management System International Standard, has been developed in response to high demand from industry. Increasingly, organisations are discovering that they must depend on effective supply chains to compete in the global market. Recent threats and incidents relating to supply chains and their level of security have demonstrated that it is crucial for organisations to secure their supply chains in order to reduce risk.
 
This International Standard takes a risk-based approach to management systems. However, organisations that have adopted a process approach to management systems (e.g. ISO 9001) may be able to use their existing management system as a foundation for a security management system as prescribed in this International Standard.
 
ISO 28000:2007 is based on the methodology known as Plan-Do-Check-Act (PDCA), which can be described as follows.

  • Plan: establish the objectives and processes necessary to deliver results in accordance with the organization’s security policy.
  • Do: implement the processes.
  • Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results.
  • Act: take actions to continually improve the performance of the security management system.
 
ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain.

The standard is applicable to organisations of all sizes, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wish to:
  1. Establish, implement, maintain and improve a security management system;
  2. Assure conformance with stated security management policy;
  3. Demonstrate such conformance to others;
  4. Seek certification/registration of its security management system by an accredited third party certification body;
  5. Make a self-determination and self-declaration of conformance with ISO 28000:2007.
 
Key clauses of ISO 28000:2007
Clause 4.2: Security management policy
Top management shall authorize an overall security management policy that will:
  • Be consistent with other organizational policies;
  • Provide a framework that enables the specific security management objectives, targets and programs to be produced;
  • Be consistent with the organization’s overall security threat and risk management framework;
  • Be appropriate to the threats of the organization and the nature and scale of its operations;
  • Clearly state the overall security management objectives;
  • Include a commitment to continual improvement of the security management process;
  • Include a commitment to comply with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes;
  • Be visibly endorsed by top management;
  • Be documented, implemented and maintained;
  • Be communicated to all relevant employees and third parties;
  • Be available to stakeholders where appropriate; and 
  • Provide for its review.
 
Clause 4.3 Security risk assessment and planning
The organization shall prepare the security risk assessment and planning for the supply chain security management system.

Security risk assessment – This assessment shall consider the likelihood of an event and all of its consequences, which shall include:
  • Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action;
  • Operational threats and risks, including the control of the security, human factors and other activities which affect the organization’s performance, condition or safety;
  • Natural environmental events (storm, floods, etc.), which may render security measures and equipment ineffective;
  • Factors outside of the organization’s control, such as failures in externally supplied equipment and services;
  • Stakeholder threats and risks, such as failure to meet regulatory requirements or damage to reputation or brand;
  • Design and installation of security equipment, including replacement, maintenance, etc.;
  • Information and data management and communications; and
  • Threats to the continuity of operations.
 
Legal, statutory and other security regulatory requirements – A procedure should be established, implemented and maintained to identify and have access to the applicable legal requirements and other requirements to which the organization subscribes related to its security threats and risks, and to determine how these requirements apply to those threats and risks.

Security management objectives – A procedure should be established, implemented and maintained to document security management objectives at relevant functions and levels within the organization, which shall be consistent with the policy.

Security management targets – Documented management targets shall be established, implemented and maintained as appropriate to the needs of the organization, and shall be consistent with the security management objectives. These targets shall be:
  • To an appropriate level of detail;
  • Specific, measurable, achievable, relevant and time-based (where practicable);
  • Communicated to all relevant employees and third parties, including contractors; and
  • Reviewed periodically to ensure that they remain relevant and consistent with the security management objectives. Where necessary, the targets shall be amended accordingly.

Security management programs – Management programs are established, implemented and maintained for achieving objectives and targets, which shall be optimised and then prioritised.

Clause 4.4 Implementation and operation
After the risk assessment and planning of the security management system, an organization must consider the following processes for the implementation and operation of the management system:

Structure, authority and responsibilities for security management – An organizational structure of roles, responsibilities and authorities shall be established and maintained consistent with the achievement of its security management policy, objectives, targets and programs.

Competence, training and awareness – Personnel responsible for the design, operation and management of security equipment and processes shall be suitably qualified in terms of education, training and/or experience.

Communication – Pertinent security management information shall be communicated to and from relevant employees, contractors and other stakeholders.

Documentation – A security management documentation system shall include, but is not limited to:
  • The security policy, objectives and targets,
  • Scope of the security management system,
  • Main elements of the security management system and their interaction, and reference to related documents,
  • Documents, including records, required by this International Standard, and
  • Documents, including records determined by the organization that ensure the effective planning, operation and control of processes that relate to its significant security threats and risks.

Document and data control – All documents, data and information required for this International Standard shall be controlled.

Operational control – Necessary operations and activities shall be identified for achieving:
  • The security management policy;
  • The control of activities and mitigation of threats identified as having significant risk;
  • Compliance with legal, statutory and other regulatory security requirements;
  • Its security management objectives;
  • The delivery of its security management programs; and
  • The required level of supply chain security.

Emergency preparedness, response and security recovery – The organization shall establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations, and for preventing and mitigating the likely consequences that can be associated with them.

Clause 4.5 Checking and corrective action
After the implementation and operation of the supply chain security management system, the following actions shall be taken to evaluate and correct possible deficiencies relating to the management system:

Security performance measurement and monitoring – The performance of the security management system shall be monitored and measured. Associated security threats and risks shall be considered, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the key performance parameters.

System evaluation – Security management plans, procedures and capabilities shall be evaluated through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations and exercises. Significant changes must immediately be reflected in the procedure(s).

Security-related failures, incidents, non-conformances and corrective and preventive action – Responsibilities and authorities for evaluating and initiating preventive actions, investigating failures/incidents, initiating and completing corrective actions for these failures/incidents, and confirming the effectiveness of the corrective actions taken shall be defined.

Control of records – Records shall be established and maintained as necessary to demonstrate conformity to the requirements of its security management system and of this standard, and the results achieved.

Audit – Audits of the security management system shall be carried out at planned intervals.
 
Clause 4.6 Management review and continual improvement
To conclude, top management shall review the organization's security management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Management reviews shall include assessing opportunities for improvement or changes to the security management system.