28000.ppt

2008-04-03 ISO 28000 Supply Chain Security GLC Germanischer Lloyd Certification GmbH

Transcript of 28000.ppt

  • 2008-04-03 ISO 28000 Supply Chain Security, GLC Germanischer Lloyd Certification GmbH

    ISO 28000 - GLC Germanischer Lloyd Certification GmbH

  • What is ISO 28000
    - international standard that enables organizations to establish an overall supply chain security management system (sms)
    - specifies the requirements and aspects critical to security assurance of the supply chain
    - based on the ISO 14001 risk-based approach to management systems
    - existing process-based management systems, e.g. ISO 9001, may be used as a foundation for the sms
    - based on the Plan-Do-Check-Act (PDCA) methodology

  • 1. Scope
    - includes all activities controlled or influenced by the organization that impact on supply chain security
    - applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation, at any stage of the production or supply chain

  • 4.1 General requirements
    - establish, document, implement, maintain and continually improve an effective sms for identifying security threats, assessing risks and controlling and mitigating their consequences
    - continually improve effectiveness in accordance with this standard
    - define the scope of the sms
    - outsourced processes that affect conformity with security requirements must be controlled and identified within the sms

    Note: Similarities to ISO 9001 (Quality) and ISO 14001 (Environment)

  • 4.2 Security management policy
    The policy shall:
    - be consistent with other organizational policies and their overall security threat and risk management framework, which enables the specific security management objectives, targets and programs to be produced
    - be appropriate to the threats to the organization and the nature and scale of its operations
    - be visibly endorsed by top management, communicated to all relevant employees and third parties, and be available to stakeholders where appropriate
    - provide for its review in case of the acquisition of or merger with other organizations

    Note: Similarities with ISO 9001 (Quality) and ISO 14001 (Environment)

  • 4.3 Security risk assessment and planning
    4.3.1 Security risk assessment (1)
    - procedures to identify and assess security threats and risks (includes likelihood of an event and all of its consequences):
      - physical failure threats and risks (functional failure, incidental/malicious damage, terrorist or criminal actions)
      - operational threats and risks (activities affecting performance, condition or safety)
      - natural environmental events (storms, floods etc. rendering security measures and equipment ineffective)

    Note: Some similarities with TAPA and C-TPAT

  • 4.3 Security risk assessment and planning
    4.3.1 Security risk assessment (2)
    - factors outside the organization's control (failures in externally supplied equipment and services)
    - stakeholder threats and risks (failure to meet regulatory requirements or damage to reputation or brand)
    - design and installation of security equipment, including replacement, maintenance, etc.
    - information, data management and communications
    - threats to continuity of operations

    Note: Some similarities with TAPA and C-TPAT

  • 4.3 Security risk assessment and planning
    4.3.1 Security risk assessment (3)
    - security risk assessment provides documented and up-to-date input for:
      - security management objectives, targets and programs
      - determination of requirements for the design, specification and installation
      - identification of adequate resources, including staffing levels
      - identification of training needs
      - development of operational controls
      - the organization's overall threat and risk management framework

    Note: Some similarities with TAPA and C-TPAT as well as ISO 9001 and 14001

  • 4.3 Security risk assessment and planning
    4.3.1 Security risk assessment (4)
    - methodology for threat and risk identification and assessment shall:
      - relate to scope, nature and timing to ensure it is proactive rather than reactive
      - include the collection of information related to security threats and risks
      - provide for the classification of threats/risks and identification of those that are to be avoided, eliminated or controlled
      - include monitoring of actions to ensure effectiveness and timeliness of implementation

    Note: Related to C-TPAT requirements for Risk Assessment

  • 4.3 Security risk assessment and planning
    4.3.2 Legal, statutory & other security requirements
    - establish, implement and maintain a procedure to:
      - identify and have access to applicable legal and other requirements related to security threats and risks
      - determine how these requirements apply to its security threats and risks
      - keep this information up-to-date
      - communicate relevant information on legal and other requirements to its employees and other relevant third parties, including contractors

  • 4.3 Security risk assessment and planning
    4.3.3 Security management objectives
    - establish, implement and maintain documented security management objectives, taking into account:
      - legal, statutory and other security regulatory requirements
      - security related threats and risks
      - technological and other options
      - financial, operational and business requirements
      - views of appropriate stakeholders
    - security management objectives shall be:
      - consistent with commitment to continual improvement
      - quantified (where practicable)
      - communicated to relevant employees, third parties and contractors
      - reviewed periodically to ensure they remain relevant and consistent with the security management policy

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • 4.3 Security risk assessment and planning
    4.3.4 Security management targets
    - establish, implement and maintain documented security targets appropriate to the needs of the organization, derived from and consistent with security management objectives:
      - to an appropriate level of detail
      - specific, measurable, achievable, relevant and time-based (where practicable)
      - communicated to relevant employees, third parties and contractors
      - reviewed periodically to ensure they remain relevant; amended when necessary

  • 4.3 Security risk assessment and planning
    4.3.5 Security management programs
    - establish, implement and maintain security management programs for achieving objectives and targets, with provision for efficient and cost-effective implementation
    - documented programs shall describe:
      - designated responsibility and authority for achieving security management objectives and targets
      - means and time-scale by which security management objectives and targets are to be achieved
    - periodically review to ensure that they remain effective and consistent with objectives and targets

  • 4.4 Implementation and operation
    4.4.1 Structure, authority and responsibility for security management (1)
    - establish and maintain a structure of roles, responsibilities and authorities, consistent with the achievement of its security management policy, objectives, targets and programs
    - define, document and communicate this structure to the individuals responsible for implementation and maintenance
    - provide evidence of commitment to the development, implementation and continual improvement of the sms, by:
      - appointing a member of the top management with overall responsibility
      - appointing manager(s) with authority to ensure that the objectives and targets are implemented
      - identifying, managing and monitoring stakeholders' requirements and expectations

  • 4.4 Implementation and operation
    4.4.1 Structure, authority and responsibility for security management (2)
      - ensuring availability of adequate resources
      - considering the adverse impact that the security management policy, objectives, targets, programs, etc. have on other aspects of the organization
      - communicating the importance of meeting its security requirements in order to comply with its policy
      - ensuring evaluation of security-related threats and risks and including them in assessment, as appropriate
      - ensuring viability of the security management objectives, targets and programs

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • 4.4 Implementation and operation
    4.4.2 Competence, training and awareness
    - establish and maintain procedures for training to assure employees working for or on behalf of the organization are aware of:
      - importance of compliance with security management policy, procedures and requirements of the sms
      - roles and responsibilities in achieving compliance with security management policy, procedures and requirements of the sms, including emergency preparedness and response requirements
      - potential consequences to security of departing from specified operating procedures
    - maintain records of competence and training

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA and C-TPAT

  • 4.4 Implementation and operation
    4.4.3 Communication
    - procedures to ensure that pertinent security management information is communicated to and from relevant employees, contractors and other stakeholders
    - due consideration should be given to the sensitivity of the information prior to dissemination
    4.4.4 Documentation
    - establish and maintain a security management documentation system, including:
      - security policy, objectives and targets
      - description of scope of the sms
      - description of main elements of the sms with their interaction and reference to related documents
      - documents and records required by the standard and determined by the organization to be necessary for effective planning, operation and control of processes

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA/ C-TPAT

  • 4.4 Implementation and operation
    4.4.5 Document and data control
    - establish and maintain procedures for controlling all documents, data and information to ensure:
      - they can be located and accessed only by authorized individuals
      - availability at all locations where essential operations are performed
      - they are periodically reviewed, revised as necessary and approved for adequacy by authorized personnel
      - obsolete documents are promptly removed or otherwise assured against unintended use
      - archival documents are retained for legal or knowledge preservation purposes, or both
      - documents are secure and, if in electronic form, are adequately backed up and retrievable

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA/ C-TPAT

  • 4.4 Implementation and operation
    4.4.6 Operational control (1)
    - identification of operations and activities necessary for achieving:
      - security management policy, objectives and delivery of security management programs
      - control of activities and mitigation of identified security threats/risks
      - compliance with legal, statutory and other regulatory security requirements
      - required level of supply chain security

    Note: Some similarities with TAPA/ C-TPAT

  • 4.4 Implementation and operation
    4.4.6 Operational control (2)
    - establish, implement and maintain documented procedures to control situations where their absence could lead to failure to achieve the operations and activities
    - evaluate any threats from upstream activities to mitigate their impacts on the organization and downstream activities
    - establish, maintain and communicate security requirements to suppliers and contractors
    - any new arrangements impacting security shall consider:
      - organizational structure, roles and responsibilities
      - security policy, objectives, targets, programs, processes, procedures
      - new contractors, suppliers or personnel
      - new infrastructure, security equipment or technology

    Note: Some similarities with TAPA/ C-TPAT

  • 4.4 Implementation and operation
    4.4.7 Emergency preparedness, response and security recovery
    - establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations
    - periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures

  • 4.5 Checking and corrective action
    4.5.1 Security performance measurement and monitoring
    - establish and maintain procedures to monitor and measure the performance of the sms, which shall provide for:
      - appropriate qualitative and quantitative measures
      - monitoring the extent to which policy, objectives and targets are met
      - proactive measures to monitor compliance with security management programs, operational control criteria, applicable legislation, statutory and other security regulatory requirements
      - reactive measures to monitor security-related deteriorations, failures, incidents and non-conformances (incl. near misses and false alarms)
      - recording data and results of monitoring and measurement

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • 4.5 Checking and corrective action
    4.5.2 System evaluation
    - evaluation of security management plans, procedures and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations and exercises
    - periodic evaluation of compliance with relevant legislation and regulations, industry best practices and conformance with its own policy and objectives
    - records kept for periodic evaluations

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • 4.5 Checking and corrective action
    4.5.3 Security related failures, incidents, non-conformances, corrective and preventive action
    - establish, implement and maintain procedures to define responsibility and authority for:
      - evaluating preventive actions to identify potential failures of security
      - investigating security-related near misses and false alarms, incidents and emergency situations, and non-conformances
      - taking action to mitigate any consequences
      - initiating and completion of corrective actions
      - confirmation of effectiveness of corrective actions taken

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA/ C-TPAT

  • 4.5 Checking and corrective action
    4.5.4 Control of records
    - establish and maintain records to demonstrate conformity to the requirements of the sms, the standard and results achieved
    - establish, implement and maintain procedures for identification, storage, protection, retrieval, retention and disposal of records
    - records to remain legible, identifiable and traceable
    - electronic records to be tamper-proof, securely backed up and accessible only to authorized individuals

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • 4.5 Checking and corrective action
    4.5.5 Audit
    - establish, implement and maintain an audit program to determine conformance of the sms to ISO 28000
    - program based on results of the risk assessment and previous audits
    - audits to be carried out at planned intervals by personnel with no direct responsibility for the activity being audited
    - previous audit results to be reviewed for correction of non-conformances
    - information on the results provided to management

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • 4.6 Management review and continual improvement
    - sms review by top management to include:
      - results of audits/evaluations of compliance with legal and other requirements
      - external communications (including complaints)
      - security performance of the organization
      - the extent to which objectives and targets are met
      - status of corrective and preventive actions
      - follow-up actions from previous management reviews
      - changing circumstances, including developments in legal and other security related requirements
      - recommendations for improvement

    Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards

  • Summary (1)
    Who might implement ISO 28000?
    - Anyone already ISO 9001 and/or ISO 14001 certified and/or compliant to TAPA or C-TPAT could quite easily integrate this into ISO 28000, as well as including TAPA requirements in the applicable sections of ISO 28000.
    - Companies that feel they could demonstrate an SMS that fits their needs without implementing all of the requirements of TAPA or C-TPAT may be interested in the standard.
    - If ISO 28000 ever becomes customer driven, either of the above may occur.
    Would the TAPA organization recognize compliance to ISO 28000 in lieu of TAPA?
    - Probably not: ISO 28000 does not have specific requirements to demonstrate parallel compliance to TAPA requirements and does not specifically prohibit sampling of locations.

  • Summary (2)
    Would US customs recognize ISO 28000 in lieu of a validated C-TPAT program?
    - There is the possibility that demonstrable compliance to ISO 28000 could satisfy the requirements of C-TPAT if all CBP security requirements were met within the implementation of ISO 28000.
    - C-TPAT allows each company to determine their own security program, within certain parameters. Companies would still have to have successful validation audits by customs based on the C-TPAT security requirements, but this would not certify to ISO 28000.
    Will ISO 28000 ever become an accredited standard through ANAB in the US?
    - Always possible, but not soon: without 3rd party verification requirements, the accrediting body may not see this as high on their list for their next accredited product.
    - Independent audits to ISO 28000 could yield letters of conformance to the standard.
