How to tackle the ISO 28000 - Supply chain Security Management Systems
The ISO 28000, Supply Chain Security Management System International Standard, has been developed in response to the high demand from industries. Increasingly, organisations are discovering that they must depend on effective supply chains to compete in the global market. Recent threats and incidents relating supply chains and their level of security have demonstrated that it is crucial for organizations to secure their supply chains to prevent risks.
This International Standard has a risk based approach to management systems, However, organisations that have adopted a process approach to management systems (e.g. ISO 9001) may be able to use their existing management system as a foundation for a security management system as prescribed in this International Standard.
The ISO 28000:2007 is based on the methodology known as Plan-Do-Check-Act (PDCA), which can be described as follows.
ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain.
ISO is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
Key clauses of ISO 28000:2007
Clause 4.2: Security management policy
Top management shall authorize an overall security management policy that will:
Clause 4.3 Security risk assessment and planning
Furthermore, the organization shall prepare the security risk assessment and planning for the supply chain security management system.
Clause 4.3 Security risk assessment and planning
Furthermore, the organization shall prepare the security risk assessment and planning for the supply chain security management system.
Security management objectives– A procedure should be established, implemented and maintained to document security management objectives at relevant functions and levels within the organization, which shall be consistent with the policy.
Security management targets– Documented management targets shall be appropriately established, implemented and maintained to the needs of the organization, which shall be consistent with the security management objectives. These targets shall be:
Clause 4.4 Implementation and operation
After the risk assessment and planning of the security management system, an organization must consider the following processes for the implementation and operation of the management system:
Structure, authority and responsibilities for security management– An organizational structure of roles, responsibilities and authorities shall be established and maintained consistent with the achievement of its security management policy, objectives, targets and programs.
Competence, training and awareness– Personnel responsible for the design, operation and management of security equipment and processes shall be suitably qualified in terms of education, training and/or experience.
Communication– Pertinent security management information shall be communicated to and from relevant employees, contractors and other stakeholders.
Documentation– A security management documentation system shall include, but is not limited to:
Document and data control– All documents, data and information required for this International Standard shall be controlled.
Operational control- Necessary operations and activities shall be identified for achieving:
Emergency preparedness, response and security recovery– The organization shall establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations, and for preventing and mitigating the likely consequences that can be associated with them.
Clause 4.5 Checking and corrective action
Moreover, after the implementation and operation of the supply chain security management system, the following actions shall be taken to evaluate and correct possible inaccuracies relating the management system:
Security performance measurement and monitoring– The performance of the security management system shall be monitored and measured. Associated security threats and risks shall be considered, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the key performance parameters.
System evaluation– Security management plans, procedures, and capabilities shall be evaluated through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises. Significant changes must immediately be reflected in the procedure(s).
Security-related failures, incidents, non-conformances and corrective and preventiveaction – Responsibilities and authorities for evaluating and initiating preventive actions, investigating failures/ incidents, initiating and completing corrective actions for these failures/ incidents, and confirming the effectiveness of the corrective actions taken shall be defined.
Control of records- Records shall be established and maintained as necessary to demonstrate conformity to the requirements of its security management system and of this standard, and the results achieved.
Audit– The audits of the security management system shall be carried out at planned intervals.
Clause 4.6 Management review and continual improvement
To conclude, top management shall review the organization's security management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Management reviews shall include assessing opportunities for improvement or changes to the security management system.
This International Standard has a risk based approach to management systems, However, organisations that have adopted a process approach to management systems (e.g. ISO 9001) may be able to use their existing management system as a foundation for a security management system as prescribed in this International Standard.
The ISO 28000:2007 is based on the methodology known as Plan-Do-Check-Act (PDCA), which can be described as follows.
- Plan: establish the objectives and processes necessary to deliver results in accordance with the organization’s security policy.
- Do: implement the processes.
- Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results.
- Act: take actions to continually improve the performance of the security management system.
ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain.
ISO is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
- Establish, implement, maintain and improve a security management system;
- Assure conformance with stated security management policy;
- Demonstrate such conformance to others;
- Seek certification/registration of its security management system by an accredited third party certification body;
- Make a self-determination and self-declaration of conformance with ISO 28000:2007.
Key clauses of ISO 28000:2007
Clause 4.2: Security management policy
Top management shall authorize an overall security management policy that will:
- Be consistent with other organizational policies;
- Provide a framework that enables the specific security management objectives, targets and programs to be produced;
- Be consistent with the organization’s overall security threat and risk management framework;
- Be appropriate to the threats of the organization and the nature and scale of its operations;
- Clearly state the overall security management objectives;
- Include a commitment to continual improvement of the security management process;
- Include a commitment to comply with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes;
- Be visibly endorsed by top management;
- Be documented, implemented and maintained;
- Be communicated to all relevant employees and third parties;
- Be available to stakeholders where appropriate; and
- Provide for its review.
Clause 4.3 Security risk assessment and planning
Furthermore, the organization shall prepare the security risk assessment and planning for the supply chain security management system.
- Security risk assessment - This assessment shall consider the likelihood of an event and all of its consequences which shall include:
- Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action;
- Operational threats and risks, including the control of the security, human factors and other activities which affect the organizations performance, condition or safety;
- Natural environmental events (storm, floods, etc.), which may render security measures and equipment ineffective;
- Factors outside of the organization’s control, such as failures in externally supplied equipment and services;
- Stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or brand;
- Design and installation of security equipment including replacement, maintenance, etc.
- Information and data management and communications;
- A threat to continuity of operations.
Clause 4.3 Security risk assessment and planning
Furthermore, the organization shall prepare the security risk assessment and planning for the supply chain security management system.
- Security risk assessment - This assessment shall consider the likelihood of an event and all of its consequences which shall include:
- Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action;
- Operational threats and risks, including the control of the security, human factors and other activities which affect the organizations performance, condition or safety;
- Natural environmental events (storm, floods, etc.), which may render security measures and equipment ineffective;
- Factors outside of the organization’s control, such as failures in externally supplied equipment and services;
- Stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or brand;
- Design and installation of security equipment including replacement, maintenance, etc.
- Information and data management and communications;
- A threat to continuity of operations.
Security management objectives– A procedure should be established, implemented and maintained to document security management objectives at relevant functions and levels within the organization, which shall be consistent with the policy.
Security management targets– Documented management targets shall be appropriately established, implemented and maintained to the needs of the organization, which shall be consistent with the security management objectives. These targets shall be:
- To an appropriate level of detail;
- Specific, measurable, achievable, relevant and time-based (where practicable);
- Communicated to all relevant employees and third parties including contractors; and
- Reviewed periodically to ensure that they remain relevant and consistent with the security management objectives. Where necessary the targets shall be amended accordingly.
Clause 4.4 Implementation and operation
After the risk assessment and planning of the security management system, an organization must consider the following processes for the implementation and operation of the management system:
Structure, authority and responsibilities for security management– An organizational structure of roles, responsibilities and authorities shall be established and maintained consistent with the achievement of its security management policy, objectives, targets and programs.
Competence, training and awareness– Personnel responsible for the design, operation and management of security equipment and processes shall be suitably qualified in terms of education, training and/or experience.
Communication– Pertinent security management information shall be communicated to and from relevant employees, contractors and other stakeholders.
Documentation– A security management documentation system shall include, but is not limited to:
- The security policy, objectives and targets,
- Scope of the security management system,
- Main elements of the security management system and their interaction, and reference to related documents,
- Documents, including records, required by this International Standard, and
- Documents, including records determined by the organization that ensure the effective planning, operation and control of processes that relate to its significant security threats and risks.
Document and data control– All documents, data and information required for this International Standard shall be controlled.
Operational control- Necessary operations and activities shall be identified for achieving:
- The security management policy;
- The control of activities and mitigation of threats identified as having significant risk;
- Compliance with legal, statutory and other regulatory security requirements;
- Its security management objectives;
- The delivery of its security management programs; and
- The required level of supply chain security.
Emergency preparedness, response and security recovery– The organization shall establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations, and for preventing and mitigating the likely consequences that can be associated with them.
Clause 4.5 Checking and corrective action
Moreover, after the implementation and operation of the supply chain security management system, the following actions shall be taken to evaluate and correct possible inaccuracies relating the management system:
Security performance measurement and monitoring– The performance of the security management system shall be monitored and measured. Associated security threats and risks shall be considered, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the key performance parameters.
System evaluation– Security management plans, procedures, and capabilities shall be evaluated through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises. Significant changes must immediately be reflected in the procedure(s).
Security-related failures, incidents, non-conformances and corrective and preventiveaction – Responsibilities and authorities for evaluating and initiating preventive actions, investigating failures/ incidents, initiating and completing corrective actions for these failures/ incidents, and confirming the effectiveness of the corrective actions taken shall be defined.
Control of records- Records shall be established and maintained as necessary to demonstrate conformity to the requirements of its security management system and of this standard, and the results achieved.
Audit– The audits of the security management system shall be carried out at planned intervals.
Clause 4.6 Management review and continual improvement
To conclude, top management shall review the organization's security management system at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. Management reviews shall include assessing opportunities for improvement or changes to the security management system.
