ISO 28000 Security Management for Supply Chains
- 1. Auditing Security Management Systems and the Supply Chain: ISO 28000
ASIS International 3rd Asia-Pacific Conference
Wednesday 4 February 2009 11.50 - 12.35
Dr. Marc Siegel
ASIS International
ISO/TC 8 Delegation Head
© 2008
- 2. Promoting Security in the Supply Chain
Supplier – Manufacturer – Distributor – Retailer – Logistics
Continuity in the supply chain is a key
component of today's global marketplace
- 3. Globalization of Supply Chains
Disruption of the Supply Chain a Rising Threat
• Just-in-time manufacturing
• Outsourcing
• Global sourcing
• Specialized factories
• Centralized distribution
• Supply consolidation
• Reduction of the supplier base
• Volatility of demand
• Lack of control procedures
- 4. So What Could Happen?
• Human trafficking
• Contraband smuggling
• Theft
• Cyber-crime
• Internal sabotage
• Industrial sabotage
• Terrorism
• Counterfeiting
• Insurgency
• Bio-terrorism
• Wholesale and retail supply loss
• Organized crime
• WMD in containers
• Political disruptions
• $$$ Damages
- 5. What are the Consequences of an Incident?
• Damage to tangibles:
– Human and physical assets – property, products,
infrastructure, personnel and the environment
• Damage to intangibles:
– Non-physical assets - reputation, market position, goodwill
• The harm to the organization may include:
– Injury or serious harm to persons and property
– Business integrity
– Reputation
– Clients' property
– Standing in the industry community
– Regulatory issues
- 7. The 28000 Series
• Developed in response to demand from industry
against a background of varying international security
regimes.
• Generic management specification to improve the
security in supply chains.
• Requires organizations to:
– assess the security environment in which they operate
– determine whether adequate security measures are in place
– improve performance
• Designed to be a sound foundation for complying
efficiently with other international, national and sector
based security requirements and schemes.
- 8. The ISO 28000 Series
Standards and codes of practice for supply chain security
• The 28000 series was developed to complement the
various international initiatives and to facilitate uniform
implementation worldwide.
• ISO 28000 - Supply chain security
management
– Published Sept. 2007
– Risk-based model
– Plan, Do, Check, Act principles
– Designed for 1st, 2nd & 3rd party auditing
• Certification Standard, similar to:
– ISO 14001, OHSAS 18001, ISO 27001
- 9. ISO 28000 Enables an Organization to:
• Establish, implement, maintain and improve a
security management system
• Assure conformity with security management policy
• Demonstrate such conformity
• Seek certification/registration of conformity by an
accredited third party organization
• Make a self-determination and self-declaration of
conformity
- 11. ISO 28000 Series of Standards
• ISO 28000:2007
– Specification for security management systems for the supply
chain
• ISO 28001:2007
– Security management systems for the supply chain -- Best
practices for implementing supply chain security, assessments
and plans -- Requirements and guidance
• ISO 28003:2007
– Security management systems for the supply chain --
Requirements for bodies providing audit and certification of
supply chain security management systems
• ISO 28004:2007
– Security management systems for the supply chain --
Guidelines for the implementation of ISO 28000
- 12. What Does the ISO 28000 Address?
• ISO 28000 requires the organization to consider the
likelihood of an event and all of its consequences
including:
– Physical failure threats and risks, such as functional failure,
incidental damage, malicious damage or terrorist or criminal
action
– Operational threats and risks, including the control of
security, human factors and other activities which affect the
organization's performance, condition or safety
– Natural environmental events (storm, floods, etc.), which may
render security measures and equipment ineffective
– Factors outside of the organization's control, such as failures in
externally supplied equipment and services
- 13. Built to Be Business Friendly
• Suitable for all sizes and types of organizations that
are involved in purchasing, manufacturing, service,
storage, transportation and/or sales processes
• Aligned with the globally accepted standards:
– ISO 9001:2000 - Quality management
– ISO 14001:2004 - Environmental management
– ISO/IEC 27001:2005 - Information technology security
• Supports consistent and integrated implementation
and operation with related management standards.
• One suitably designed management system can satisfy
the requirements of all these standards
- 14. The Standard Can Be Used to:
• Demonstrate a robust and secure supply chain
management system to regulators/authorities and other
interested organizations
• Demonstrate a robust and secure supply chain
management system to their customers/potential
customers
• Provide a consistent approach by all service providers
within a supply chain
• Serve as the basis for an independent assessment
• Demonstrate the ability to meet customer requirements
• Improve services
- 15. Commercial & Competitive Advantage
• Unambiguous demonstration that the
organization takes security seriously
– Customer confidence that their goods are
protected
– Increased brand equity through the clear
demonstration of commitment to security
– Benefit through increased market share and
through customer retention
• Increased organizational resilience
• Brand and reputation protection
- 16. Improved Management
• Effective management of security resources, resulting
in cost savings
• Increased accountability at all levels
• Demonstrates effective corporate governance
• Improved safety and security for employees
• Improved staff and customer satisfaction
• Can be integrated with other internationally recognized
management system standards
- 17. Ports Worldwide Adopting ISO 28000
• September 2006 - DP World first to certify
– HQ Dubai
– Ports of Djibouti, Dubai, Vancouver (1st port in the Americas), Porto Caucedo
(Dominican Republic- Latin American gateway to US), Southampton, Tilbury, Le
Havre, Port of Busan, Korea
– All Australia terminals undergoing implementation
– DP World plans to certify all its ports/terminals
• March 2008 - Port of Houston Authority (PHA) Port Police became the
first port authority in the world to receive ISO 28000:2007 certification
• May 2008 - Singapore-based logistics and supply chain management company YCH
Group became the first end-to-end Supply Chain Management (SCM) provider
to receive ISO 28000:2007 certification
- 18. Mutual Recognition
• ISO 28000 has been recognized by the EU Authorized
Economic Operators (AEO) initiative as compliant to
the AEO Safety and Security requirements
• DP World’s ISO certification has been recognized by US
Customs Border Protection, with the company uniquely
being invited to join C-TPAT.
• US Congress has recognized the relevance of ISO 28000 to
C-TPAT and has tasked its research body, the GAO, to
confirm technical compatibility.
– Companies that are ISO 28000 compliant may not have to
qualify separately to join C-TPAT, but could enjoy its benefits
upon recognition.
- 19. ISO 28000: a New Member of the Family of ISO Management Systems Standards
Identify risks, set priorities and establish dynamic programs and plans to
cost-effectively improve performance.
Generic framework for organizations of all sizes and types –
private, public, faith-based or not-for-profit organizations.
- 20. 28000 is a Management System
• A management system is what the organization
does to manage its processes, functions or
activities.
– Set of interrelated elements used to establish and
achieve an organization’s policy and objectives.
– Includes policies, organizational structure,
responsibilities, planning activities, resources, practices,
procedures and processes.
– Allows an organization to create and manage its
processes and activities to meet its business objectives.
- 21. PDCA or APCI Model
Approach to structured problem solving
Plan (Assess) - Do (Protect) - Check (Confirm) - Act (Improve)
Plan
• Define and analyze a problem and identify the root cause
Do
• Devise a solution
• Develop a detailed action plan and implement it systematically
Check
• Confirm outcomes against the plan
• Identify deviations and issues
Act
• Standardize the solution
• Review and define the next issues
- 22. Why Management Systems Work
• Needs focused
• Goals driven
• People oriented
– Leadership driven
– Involves people at all levels
– Promotes cultural change
• Emphasizes process approach
• System approach to management
• Factual basis for decision making
• Continual improvement
Business Advantage
- 23. Risk Management
• Establishes risk management as proactive
means of protecting the organization
– Pragmatic and business-centric approach to
risk management
– Promotes risk management as a central
component of effective management
– Key decision making and commitment of
resources is based on a process of effective
risk assessment
- 24. What Does the ISO 28000 Say?
Elements of the Security Management System (ISO 28000 clause 4), arranged as a cycle:
• 4.2 Security management policy
• 4.3 Security risk assessment and planning
• 4.4 Implementation and operation
• 4.5 Checking and corrective action
• 4.6 Management review
Standards implementation requires an organization-wide commitment to security
- 25. The Security Management System as a Continual Improvement Cycle
Start: Know your Organization
- Define scope and boundaries for the security, preparedness and continuity management program
- Identify critical objectives, operations, functions, products and services
- Preliminary determination of likely risk scenarios and consequences
Security Policy
- Management Commitment
- Commitment to Protection of Critical Assets
- Commitment to Continuous Improvement
Planning
- Risk Assessment
- Legal and Other Requirements
- Security Management Objectives
- Security Management Targets
- Security Management Programs
Implementation and Operation
- Structure, Authority and Responsibility
- Competence, Training, & Awareness
- Communication
- Documentation
- Document and Data Control
- Operational Control
- Emergency Preparedness, Response and Security Recovery
Checking & Corrective Action
- Performance and Evaluation
- Nonconformity, Corrective and Preventive Action
- Control of Records
- Audits
Management Review
- Adequacy and Effectiveness
- Need for Changes
- Opportunities for Improvement
Continual Improvement: the output of Management Review feeds back into the Security Policy.
- 26. Start: Know your Organization
• Define scope and boundaries for the security, preparedness and continuity management program
• Identify critical objectives, operations, functions, products and services
• Preliminary determination of likely risk scenarios and consequences
- 27. Security Policy
- Management Commitment
- Commitment to Protection of Critical Assets
- Commitment to Continuous Improvement
- 28. Planning
- Risk Assessment
- Legal and Other Requirements
- Security Management Objectives
- Security Management Targets
- Security Management Programs
- 29. Objectives, Targets and Programs: Road to Success
Inputs to the SMS objectives and targets:
• Policy
• Threats, Risks and Impacts
• Legal / Other Requirements
• Views of Interested Parties
Objectives and Targets drive the SMS Program.
Resources and assets the program draws on: Technology, Finance, Operations, Critical Assets
- 30. Implementation and Operation
• Structure, Authority and Responsibility
• Competence, Training, and Awareness
• Communication
• Documentation
• Document and Data Control
• Operational Control
• Emergency Preparedness, Response and Security Recovery
- 31. Checking & Corrective Action
- Security Performance Monitoring and Measurement
- System Evaluation
- Nonconformity, Corrective and Preventive Action
- Control of Records
- Audits
- 32. Management Review
- Adequacy and Effectiveness
- Need for Changes
- Opportunities for Improvement
- 33. There’s a Bottleneck
Lead Auditors Needed
Demand for implementation and certification is
currently outpacing the availability of lead auditors
- 34. Types of Audits
• First Party
– Internal audit of client
– Self declaration
• Second Party
– External non-certification audit
– Contractually enforced (supply chain)
• Third Party
– Audit by external certified auditors
– Road to certification
- 35. Accreditation and Certification (Registration) Bodies and the Relevant Standards
Accreditation Bodies
An organization (usually a national standards body associated with ISO) that checks
certification bodies and, provided their certification assessment processes pass muster,
accredits them, i.e. grants them the authority to issue recognized certificates.
Relevant standards:
- ISO/IEC 17011:2004 Conformity assessment -- General requirements for accreditation
bodies accrediting conformity assessment bodies
- ISO/IEC 17040:2005 Conformity assessment -- General requirements for peer assessment
of conformity assessment bodies and accreditation bodies
Certification (Registration) Bodies
An independent external body that issues written assurance (the certificate) that it has
audited a management system and verified that it conforms to the requirements specified
in the standard.
Relevant standards:
- ISO 28003:2007 Security management systems for the supply chain -- Requirements for
bodies providing audit and certification of supply chain security management systems
- ISO/IEC 17021:2006 Conformity assessment -- Requirements for bodies providing audit
and certification of management systems
Certified Lead Auditor
Relevant standard:
- ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing
Organization
Implements the standard; may seek formal recognition (certification) by a specialized
third-party body.
Relevant standard:
- ISO 28000:2007 Specification for security management systems for the supply chain
- 36. Principles that Relate to Auditors
• Ethical conduct: the foundation of professionalism
• Fair presentation: the obligation to report truthfully
and accurately
• Due professional care: the application of diligence
and judgement in auditing
• Independence: the basis for the impartiality of the
audit and objectivity of the audit conclusions
• Evidence-based approach: the rational method for
reaching reliable and reproducible audit conclusions in a
systematic audit process
- 37. Lead Auditor Certification
• Knowledge of management systems
• Knowledge of the standard being audited against, as
well as normative documents
• Principles of auditing based on ISO 19011
• Technical knowledge of the activity being
audited
• Understanding risk assessment and
management from a business perspective
• General knowledge of regulatory requirements
• Understanding of security, preparedness
response and recovery management
- 38. How Do I Become a Player?
ISO 28000 is Here – and Rapidly Gaining Momentum
Your Ticket to Play
BECOME A CERTIFIED
ISO 28000 LEAD AUDITOR
- 39. Course Objectives
• Knowledge of a systematic and practical approach to security
management system auditing
• Broad understanding of the scope of security management
system auditor responsibilities
• Competency in organizing and directing audit team members
• An in-depth understanding of the ISO 28000 and security risk
management requirements
• The ability to effectively provide management with objective
advice regarding progress towards compliance and certification of
security management systems
• Demonstrable understanding of the intent and application of
relevant Acts, Standards, Codes of Practice, and other documents
relevant to regulations and legislation
- 40. Key Session Topics
• Plan, conduct, and report an actual audit and examine
relevant case studies
• Major elements and scope of risk management
including definitions of common risk management
terms
• Structure and make-up of management system
documentation
• Roles and responsibilities for security management
• Requirements and methods for ensuring continuous
improvement
- 41. Key Session Topics
• Audit techniques and methodology according to:
– ISO 28000:2007 Specification for Security Management
Systems for the Supply Chain
– ISO 31000 Risk Management
– ISO 31010 Risk Assessment (Methodologies)
– ASIS International Risk Assessment (Process)
– ISO 19011:2002 Guidelines for Quality and/or Environmental
Management Systems Auditing (under revision to add risk-based processes)
• Systems Auditing
– Security threat and vulnerability assessments
– Asset protection and loss protection
– IT and electronic security
– Personnel protection
– Risk to transport and infrastructure from terrorism
- 42. Competence of Auditors
Competence =
∑ Personal attributes
+ Generic auditing knowledge and skills
+ Security, Preparedness, Response and
Recovery specific knowledge and skills
- 44. Authority to Audit (Process Flow for the Audit Program)
• The organization's top management should grant the authority for managing the audit program.
• Establish, implement, monitor, review and improve the audit program
• Identify the necessary resources and ensure they are provided
- 45. Process Flow for the Audit Program: Plan
• Objectives of an audit program
• Extent of an audit program
– Scope, objective and duration
– Standards, statutory, regulatory and contractual requirements
– Language, cultural and social issues
• Audit program responsibilities
• Audit program resources
• Audit program procedures
- 46. Competence and Evaluation of Auditors (Process Flow for the Audit Program: Do)
• Competence = ∑ (Personal attributes) + (Generic auditing knowledge and skills) + (Security knowledge and skills)
• Confidentiality and clearances
Do
• Audit program implementation
– communicating the audit program
– coordinating and scheduling audits
– establishing and maintaining a process for the evaluation of the auditors
– selection of audit teams
– providing necessary resources to the audit teams
– conduct of audits according to the audit program
– control of records of the audit activities
– review and approval of audit reports
– audit follow-up
• Audit program records
- 47. Process Flow for the Audit Program: Check
- Audit program monitoring and reviewing
- Identify needs for corrective and preventive actions
- Identify opportunities for improvement
- 48. Process Flow for the Audit Program: Act
- Improve the audit program
- Commitment to Continuous Improvement
- 49. Overview of Typical Audit Activities
Initiating the audit
- appointing the audit team leader
- defining audit objectives, scope and criteria
- determining the feasibility of the audit
- selecting the audit team
- establishing initial contact with the auditee
Conducting document review
- reviewing relevant management system documents, including records,
and determining their adequacy with respect to audit criteria
Preparing for the on-site audit activities
- preparing the audit plan
- assigning work to the audit team
- preparing work documents
Conducting on-site audit activities
- conducting opening meeting
- communication during the audit
- roles and responsibilities of guides and observers
- collecting and verifying information
- generating audit findings
- preparing audit conclusions
- conducting closing meeting
Preparing, approving and distributing the audit report
- preparing the audit report
- approving and distributing audit report
Completing the audit
Conducting audit follow-up
- 50. Collecting Information to Reach Audit Conclusions
Source of information
-> Collecting and verifying information by appropriate sampling techniques
Audit evidence
-> Evaluating against audit criteria
Audit findings
-> Reviewing
Audit conclusions
- 51. What Does the Future Hold?
• ISO 28002, Resilience in the Supply Chain
• ISO 28005, Ships and marine technology - Computer applications - Electronic port clearance (EPC)
- 52. Thank You
Dr. Marc Siegel
Security Management System Consultant
ASIS International
Phone: +1-858-484-9855
Email: siegel@ASIS-Standards.net
siegel@ymail.com