ISO 28000 AND HOW IT RELATES TO TAPA/ C-TPAT


ISO 28000
Supply Chain Security
GLC Germanischer Lloyd Certification GmbH
2008-04-03
What is ISO 28000
• international standard that enables organizations to establish
an overall supply chain security management system (sms)
• specifies the requirements and aspects critical to security
assurance of the supply chain
• based on the ISO 14001 risk based approach to management
systems
• existing process-based management systems, e.g. ISO 9001,
may be used as a foundation for the sms
• based on the Plan-Do-Check-Act (PDCA) methodology
ISO 28000 - GLC Germanischer Lloyd Certification GmbH
2008-04-03
No. 2
1. Scope
• includes all activities controlled or influenced by the
organization that impact on supply chain security
• applicable to all sizes of organizations, from small to
multinational, in
• manufacturing,
• service,
• storage or
• transportation
at any stage of the production or supply chain
4.1 General requirements
• establish, document, implement, maintain and continually
improve an effective sms for identifying security threats,
assessing risks and controlling and mitigating their
consequences
• continually improve effectiveness in accordance with this
standard
• define the scope of the sms
• outsourced processes that affect conformity with security
requirements must be controlled and identified within the sms
Note: Similarities to ISO 9001 (Quality) and ISO 14001 (Environment)
4.2 Security management policy
• The policy shall:
• be consistent with other organizational policies and their overall
security threat and risk management framework, which enables
the specific security management objectives, targets and
programs to be produced
• be appropriate to the threats to the organization and the nature
and scale of its operations
• be visibly endorsed by top management, communicated to all
relevant employees and third parties and be available to
stakeholders where appropriate
• provide for its review in case of the acquisition or merger with
other organizations
Note: Similarities with ISO 9001 (Quality) and ISO 14001 (Environment)
4.3 Security risk assessment and planning
4.3.1 Security risk assessment (1)
• procedures to identify and assess security threats and
risks (includes likelihood of an event and all of its
consequences):
• physical failure threats and risks (functional failure, incidental/
malicious damage, terrorist or criminal actions)
• operational threats and risks (activities affecting performance,
condition or safety)
• natural environmental events (storms, floods etc. rendering
security measures and equipment ineffective)
Note: Some similarities with TAPA and C-TPAT
4.3 Security risk assessment and planning
4.3.1 Security risk assessment (2)
• factors outside the organization's control (failures in externally
supplied equipment and services)
• stakeholder threats and risks (failure to meet regulatory
requirements or damage to reputation or brand)
• design and installation of security equipment including
replacement, maintenance, etc.
• information, data management and communications
• threats to continuity of operations
Note: Some similarities with TAPA and C-TPAT
4.3 Security risk assessment and planning
4.3.1 Security risk assessment (3)
• security risk assessment provides documented and
up to date input for:
• security management objectives, targets and programs
• determination of requirements for the design, specification and
installation
• identification of adequate resources, including staffing levels
• identification of training needs
• development of operational controls
• the organization's overall threat and risk management
framework
Note: Some similarities with TAPA and C-TPAT as well as ISO 9001 and 14001
4.3 Security risk assessment and planning
4.3.1 Security risk assessment (4)
• methodology for threat and risk identification and
assessment shall:
• relate to scope, nature and timing to ensure it is proactive rather
than reactive
• include the collection of information related to security threats
and risks
• provide for the classification of threats/ risks and identification of
those that are to be avoided, eliminated or controlled
• include monitoring of actions to ensure effectiveness and
timeliness of implementation
Note: Related to C-TPAT requirements for Risk Assessment
4.3 Security risk assessment and planning
4.3.2 Legal, statutory & other security requirements
• establish, implement and maintain a procedure to:
• identify and have access to applicable legal and other
requirements related to security threats and risks
• determine how these requirements apply to its security threats
and risks
• keep this information up-to-date
• communicate relevant information on legal and other
requirements to its employees and other relevant third
parties including contractors
4.3 Security risk assessment and planning
4.3.3 Security management objectives
• establish, implement and maintain documented security
management objectives, taking into account:
• legal, statutory and other security regulatory requirements
• security related threats and risks
• technological and other options
• financial, operational and business requirements
• views of appropriate stakeholders
• security management objectives shall be:
• consistent with commitment to continual improvement
• quantified (where practicable)
• communicated to relevant employees, third parties and contractors
• reviewed periodically to ensure they remain relevant and consistent with
the security management policy
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards
4.3 Security risk assessment and planning
4.3.4 Security management targets
• establish, implement and maintain documented
security targets to be appropriate to the needs of the
organization, derived from and consistent with
security management objectives:
• to an appropriate level of detail
• specific, measurable, achievable, relevant and time-based
(where practicable)
• communicated to relevant employees, third parties and
contractors
• reviewed periodically to ensure they remain relevant; amended
when necessary
4.3 Security risk assessment and planning
4.3.5 Security management programs
• establish, implement and maintain security
management programs for achieving objectives and
targets with provision for efficient and cost effective
implementation
• documented programs shall describe:
• designated responsibility and authority for achieving security
management objectives and targets
• means and time-scale by which security management objectives
and targets are to be achieved
• periodically review to ensure that they remain
effective and consistent with objectives and targets
4.4 Implementation and operation
4.4.1 Structure, authority and responsibility for security management (1)
• establish and maintain a structure of roles, responsibilities and
authorities, consistent with the achievement of its security
management policy, objectives, targets and programs
• define, document and communicate this structure to the
individuals responsible for implementation and maintenance
• provide evidence of commitment to the development,
implementation and continual improvement of the sms, by:
• appointing a member of the top management with overall responsibility
• appointing manager(s) with authority to ensure that the objectives and targets
are implemented
• identify, manage and monitor stakeholders' requirements and expectations
4.4 Implementation and operation
4.4.1 Structure, authority and responsibility for security management (2)
• ensuring availability of adequate resources
• consider the adverse impact that the security management policy, objectives,
targets, programs, etc. have on other aspects of the organization
• communicate the importance of meeting its security requirements in order to
comply with its policy
• ensuring evaluation of security-related threats and risks and including them in
assessment, as appropriate
• ensuring viability of the security management objectives, targets and
programs
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment)
standards
4.4 Implementation and operation
4.4.2 Competence, training and awareness
• establish and maintain procedures for training to assure
employees working for or on behalf of the organization are
aware of:
• importance of compliance with security management policy, procedures and
requirements of the sms
• roles and responsibilities in achieving compliance with security management
policy, procedures and requirements of the sms, including emergency
preparedness and response requirements
• potential consequences to security by departing from specified operating
procedures
• maintain records of competence and training
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as
well as TAPA and C-TPAT
4.4 Implementation and operation
4.4.3 Communication
4.4.4 Documentation
• procedures to ensure that pertinent security management information is
communicated to and from relevant employees, contractors and other
stakeholders
• due consideration should be given to the sensitivity of the information prior to dissemination
• establish and maintain a security management documentation system,
including:
• security policy, objectives and targets
• description of scope of the sms
• description of main elements of the sms with their interaction and reference to
related documents
• documents and records required by the standard and determined by the
organization to be necessary for effective planning, operation and control of
processes
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment)
standards, as well as TAPA/ C-TPAT
4.4 Implementation and operation
4.4.5 Document and data control
• establish and maintain procedures for controlling all
documents, data and information to ensure:
• located and accessed only by authorized individuals
• availability at all locations where essential operations are performed
• periodically reviewed, revised as necessary and approved for adequacy by
authorized personnel
• obsolete documents are promptly removed or otherwise assured against
unintended use
• archival documents retained for legal or knowledge preservation purposes or
both
• documents are secure – if in electronic form are adequately backed up and
retrievable
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment)
standards, as well as TAPA/ C-TPAT
4.4 Implementation and operation
4.4.6 Operational control (1)
• Identification of operations and activities necessary
for achieving
• security management policy, objectives and delivery of security
management programs
• control of activities and mitigation of identified security threats/
risks
• compliance with legal, statutory and other regulatory security
requirements
• required level of supply chain security
Note: Some similarities with TAPA/ C-TPAT
4.4 Implementation and operation
4.4.6 Operational control (2)
• establish, implement and maintain documented procedures to
control situations where their absence could lead to failure to
achieve the operations and activities
• evaluate any threats from upstream activities to mitigate their
impacts to the organization and downstream activities
• establish, maintain and communicate security requirements to
suppliers and contractors
• any new arrangements impacting security shall consider:
• organizational structure, roles and responsibilities
• security policy, objectives, targets, programs, processes, procedures
• new contractors, suppliers or personnel
• new infrastructure, security equipment or technology
Note: Some similarities with TAPA/ C-TPAT
4.4 Implementation and operation
4.4.7 Emergency preparedness, response and security recovery
• establish, implement and maintain appropriate plans
and procedures to identify the potential for and
responses to, security incidents and emergency
situations
• periodically review the effectiveness of its emergency
preparedness, response and security recovery plans
and procedures
4.5 Checking and corrective action
4.5.1 Security performance measurement and monitoring
• establish and maintain procedures to monitor and measure the
performance of the sms, which shall provide for:
• appropriate qualitative and quantitative measures
• monitoring the extent that policy, objectives and targets are met
• proactive measures to monitor compliance with security management
programs, operational control criteria, applicable legislation, statutory and
other security regulatory requirements
• reactive measures to monitor security-related deteriorations, failures,
incidents and non-conformances (incl. near misses and false alarms)
• recording data and results of monitoring and measurement
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards
4.5 Checking and corrective action
4.5.2 System evaluation
• evaluation of security management plans, procedures
and capabilities through periodic reviews, testing,
post-incident reports, lessons learned, performance
evaluations and exercises
• periodic evaluation of compliance with relevant
legislation and regulations, industry best practices
and conformance with its own policy and objectives
• records kept for periodic evaluations
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment)
standards
4.5 Checking and corrective action
4.5.3 Security related failures, incidents, nonconformances, corrective and preventive action
• establish, implement and maintain procedures to define
responsibility and authority for:
• evaluating preventive actions to identify potential failures of security
• investigating security-related
• near misses and false alarms
• incidents and emergency situations
• non-conformances
• taking action to mitigate any consequences
• initiating and completion of corrective actions
• confirmation of effectiveness of corrective actions taken
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as
well as TAPA/ C-TPAT
4.5 Checking and corrective action
4.5.4 Control of records
• establish and maintain records to demonstrate conformity to
the requirements of the sms, the standard and results achieved
• establish, implement and maintain procedures for
identification, storage, protection, retrieval, retention and
disposal of records
• records to remain legible, identifiable and traceable
• electronic records to be tamper proof, securely backed-up and
accessible only to authorized individuals
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment)
standards
4.5 Checking and corrective action
4.5.5 Audit
• establish, implement and maintain an audit program to
determine conformance of the sms to ISO 28000
• program based on results of the risk assessment and previous
audits
• audits to be carried out at planned intervals by personnel with
no direct responsibility for the activity being audited
• previous audit results to be reviewed for correction of nonconformances
• information on the results provided to management
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards
4.6 Management review and continual improvement
• sms review by top management to include:
• results of audits/ evaluations of compliance with legal and other requirements
• external communications (including complaints)
• security performance of the organization
• the extent to which objectives and targets are met
• status of corrective and preventive actions
• follow-up actions from previous management reviews
• changing circumstances, including developments in legal and other security
related requirements
• recommendations for improvement
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards
Summary (1)
• Who might implement ISO 28000?
• Anyone already ISO 9001 and/ or ISO 14001 certified and/ or compliant to
TAPA or C-TPAT could quite easily integrate this into ISO 28000 as well as
including TAPA requirements in the applicable sections of ISO 28000.
• Companies that feel they could demonstrate an SMS that fits their needs
without implementing all of the requirements of TAPA or C-TPAT may be
interested in the standard
• If ISO 28000 ever becomes customer driven, either of the above may occur
• Would the TAPA organization recognize compliance to ISO
28000 in lieu of TAPA?
• probably not – ISO 28000 does not have specific requirements to
demonstrate parallel compliance to TAPA requirements and does not
specifically prohibit sampling of locations
Summary (2)
• Would US customs recognize ISO 28000 in lieu of a validated
C-TPAT program?
• There is the possibility that a demonstrable compliance to ISO 28000 could
satisfy the requirements of C-TPAT if all CBP security requirements were met
within the implementation of ISO 28000
• C-TPAT allows each company to determine their own security program, within
certain parameters. Companies would still have to have successful validation
audits by customs based on the C-TPAT security requirements but this would
not "Certify to ISO 28000".
• Will ISO 28000 ever become an accredited standard through
ANAB in the US?
• Always possible, but not soon – without 3rd party verification requirements,
the accrediting body may not see this as high on their list for their next
accredited product
• Independent audits to ISO 28000 could yield "Letters of conformance" to the
standard