
ISO 28000

Supply Chain Security


GLC Germanischer Lloyd Certification GmbH

2008-04-03

What is ISO 28000?
international standard that enables organizations to establish an overall supply chain security management system (SMS)
specifies the requirements and aspects critical to security assurance of the supply chain
based on the ISO 14001 risk-based approach to management systems
existing process-based management systems, e.g. ISO 9001, may be used as a foundation for the SMS
based on the Plan-Do-Check-Act (PDCA) methodology

ISO 28000 - GLC Germanischer Lloyd Certification GmbH

2008-04-03

No. 2

1. Scope
includes all activities controlled or influenced by the organization that impact on supply chain security
applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation, at any stage of the production or supply chain


4.1 General requirements
establish, document, implement, maintain and continually improve an effective SMS for identifying security threats, assessing risks and controlling and mitigating their consequences
continually improve effectiveness in accordance with this standard
define the scope of the SMS
outsourced processes that affect conformity with security requirements must be identified and controlled within the SMS
Note: Similarities to ISO 9001 (Quality) and ISO 14001 (Environment)


4.2 Security management policy
The policy shall:
be consistent with other organizational policies and the overall security threat and risk management framework, which enables the specific security management objectives, targets and programs to be produced
be appropriate to the threats to the organization and the nature and scale of its operations
be visibly endorsed by top management, communicated to all relevant employees and third parties and be available to stakeholders where appropriate
provide for its review in case of acquisition of or merger with other organizations
Note: Similarities with ISO 9001 (Quality) and ISO 14001 (Environment)


4.3 Security risk assessment and planning
4.3.1 Security risk assessment (1)
procedures to identify and assess security threats and risks (including the likelihood of an event and all of its consequences):
physical failure threats and risks (functional failure, incidental/malicious damage, terrorist or criminal actions)
operational threats and risks (activities affecting performance, condition or safety)
natural environmental events (storms, floods etc. rendering security measures and equipment ineffective)
Note: Some similarities with TAPA and C-TPAT


4.3 Security risk assessment and planning
4.3.1 Security risk assessment (2)
factors outside the organization's control (failures in externally supplied equipment and services)
stakeholder threats and risks (failure to meet regulatory requirements or damage to reputation or brand)
design and installation of security equipment, including replacement, maintenance, etc.
information, data management and communications
threats to continuity of operations
Note: Some similarities with TAPA and C-TPAT


4.3 Security risk assessment and planning
4.3.1 Security risk assessment (3)
security risk assessment provides documented and up-to-date input for:
security management objectives, targets and programs
determination of requirements for design, specification and installation
identification of adequate resources, including staffing levels
identification of training needs
development of operational controls
the organization's overall threat and risk management framework
Note: Some similarities with TAPA and C-TPAT as well as ISO 9001 and 14001


4.3 Security risk assessment and planning
4.3.1 Security risk assessment (4)
methodology for threat and risk identification and assessment shall:
relate to scope, nature and timing to ensure it is proactive rather than reactive
include the collection of information related to security threats and risks
provide for the classification of threats/risks and identification of those that are to be avoided, eliminated or controlled
include monitoring of actions to ensure effectiveness and timeliness of implementation
Note: Related to C-TPAT requirements for Risk Assessment


4.3 Security risk assessment and planning
4.3.2 Legal, statutory & other security requirements
establish, implement and maintain a procedure to:
identify and have access to applicable legal and other requirements related to security threats and risks
determine how these requirements apply to its security threats and risks
keep this information up to date
communicate relevant information on legal and other requirements to its employees and other relevant third parties, including contractors


4.3 Security risk assessment and planning
4.3.3 Security management objectives
establish, implement and maintain documented security management objectives, taking into account:
legal, statutory and other security regulatory requirements
security-related threats and risks
technological and other options
financial, operational and business requirements
views of appropriate stakeholders
security management objectives shall be:
consistent with the commitment to continual improvement
quantified (where practicable)
communicated to relevant employees, third parties and contractors
reviewed periodically to ensure they remain relevant and consistent with the security management policy
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


4.3 Security risk assessment and planning
4.3.4 Security management targets
establish, implement and maintain documented security targets appropriate to the needs of the organization, derived from and consistent with the security management objectives:
to an appropriate level of detail
specific, measurable, achievable, relevant and time-based (where practicable)
communicated to relevant employees, third parties and contractors
reviewed periodically to ensure they remain relevant; amended when necessary


4.3 Security risk assessment and planning
4.3.5 Security management programs
establish, implement and maintain security management programs for achieving objectives and targets, with provision for efficient and cost-effective implementation
documented programs shall describe:
designated responsibility and authority for achieving security management objectives and targets
the means and time-scale by which security management objectives and targets are to be achieved
periodically review programs to ensure that they remain effective and consistent with objectives and targets


4.4 Implementation and operation
4.4.1 Structure, authority and responsibility for security management (1)
establish and maintain a structure of roles, responsibilities and authorities, consistent with the achievement of its security management policy, objectives, targets and programs
define, document and communicate this structure to the individuals responsible for implementation and maintenance
provide evidence of commitment to the development, implementation and continual improvement of the SMS, by:
appointing a member of top management with overall responsibility
appointing manager(s) with authority to ensure that the objectives and targets are implemented
identifying, managing and monitoring stakeholders' requirements and expectations


4.4 Implementation and operation
4.4.1 Structure, authority and responsibility for security management (2)
ensuring availability of adequate resources
considering the adverse impact that the security management policy, objectives, targets, programs, etc. have on other aspects of the organization
communicating the importance of meeting its security requirements in order to comply with its policy
ensuring evaluation of security-related threats and risks and including them in assessment, as appropriate
ensuring viability of the security management objectives, targets and programs
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


4.4 Implementation and operation
4.4.2 Competence, training and awareness
establish and maintain procedures for training to ensure that employees working for or on behalf of the organization are aware of:
the importance of compliance with the security management policy, procedures and requirements of the SMS
their roles and responsibilities in achieving compliance with the security management policy, procedures and requirements of the SMS, including emergency preparedness and response requirements
the potential consequences to security of departing from specified operating procedures
maintain records of competence and training
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA and C-TPAT


4.4 Implementation and operation
4.4.3 Communication
procedures to ensure that pertinent security management information is communicated to and from relevant employees, contractors and other stakeholders
due consideration should be given to the sensitivity of the information prior to dissemination
4.4.4 Documentation
establish and maintain a security management documentation system, including:
security policy, objectives and targets
description of the scope of the SMS
description of the main elements of the SMS, their interaction and reference to related documents
documents and records required by the standard and determined by the organization to be necessary for effective planning, operation and control of processes
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA/C-TPAT

4.4 Implementation and operation
4.4.5 Document and data control
establish and maintain procedures for controlling all documents, data and information to ensure that:
they can be located and accessed only by authorized individuals
they are available at all locations where essential operations are performed
they are periodically reviewed, revised as necessary and approved for adequacy by authorized personnel
obsolete documents are promptly removed or otherwise assured against unintended use
archival documents are retained for legal or knowledge preservation purposes or both
documents are secure and, if in electronic form, adequately backed up and retrievable
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA/C-TPAT


4.4 Implementation and operation
4.4.6 Operational control (1)
identification of operations and activities necessary for achieving:
the security management policy, objectives and delivery of security management programs
control of activities and mitigation of identified security threats/risks
compliance with legal, statutory and other regulatory security requirements
the required level of supply chain security
Note: Some similarities with TAPA/C-TPAT


4.4 Implementation and operation
4.4.6 Operational control (2)
establish, implement and maintain documented procedures to control situations where their absence could lead to failure to achieve the operations and activities
evaluate any threats from upstream activities to mitigate their impacts on the organization and on downstream activities
establish, maintain and communicate security requirements to suppliers and contractors
any new arrangements impacting security shall consider:
organizational structure, roles and responsibilities
security policy, objectives, targets, programs, processes, procedures
new contractors, suppliers or personnel
new infrastructure, security equipment or technology
Note: Some similarities with TAPA/C-TPAT


4.4 Implementation and operation
4.4.7 Emergency preparedness, response and security recovery
establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations
periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures


4.5 Checking and corrective action
4.5.1 Security performance measurement and monitoring
establish and maintain procedures to monitor and measure the performance of the SMS, which shall provide for:
appropriate qualitative and quantitative measures
monitoring the extent to which policy, objectives and targets are met
proactive measures to monitor compliance with security management programs, operational control criteria, applicable legislation, statutory and other security regulatory requirements
reactive measures to monitor security-related deteriorations, failures, incidents and non-conformances (incl. near misses and false alarms)
recording data and results of monitoring and measurement
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


4.5 Checking and corrective action
4.5.2 System evaluation
evaluation of security management plans, procedures and capabilities through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations and exercises
periodic evaluation of compliance with relevant legislation and regulations, industry best practices and conformance with its own policy and objectives
records kept for periodic evaluations
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


4.5 Checking and corrective action
4.5.3 Security-related failures, incidents, non-conformances, corrective and preventive action
establish, implement and maintain procedures to define responsibility and authority for:
evaluating preventive actions to identify potential failures of security
investigating security-related:
near misses and false alarms
incidents and emergency situations
non-conformances
taking action to mitigate any consequences
initiating and completing corrective actions
confirming the effectiveness of corrective actions taken
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards, as well as TAPA/C-TPAT


4.5 Checking and corrective action
4.5.4 Control of records
establish and maintain records to demonstrate conformity to the requirements of the SMS and the standard, and the results achieved
establish, implement and maintain procedures for the identification, storage, protection, retrieval, retention and disposal of records
records to remain legible, identifiable and traceable
electronic records to be tamper-proof, securely backed up and accessible only to authorized individuals
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


4.5 Checking and corrective action
4.5.5 Audit
establish, implement and maintain an audit program to determine conformance of the SMS to ISO 28000
program based on the results of the risk assessment and previous audits
audits to be carried out at planned intervals by personnel with no direct responsibility for the activity being audited
previous audit results to be reviewed for correction of non-conformances
information on the results provided to management
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


4.6 Management review and continual improvement
SMS review by top management to include:
results of audits/evaluations of compliance with legal and other requirements
external communications (including complaints)
security performance of the organization
the extent to which objectives and targets are met
status of corrective and preventive actions
follow-up actions from previous management reviews
changing circumstances, including developments in legal and other security-related requirements
recommendations for improvement
Note: Some similarities with ISO 9001 (Quality) and ISO 14001 (Environment) standards


Summary (1)
Who might implement ISO 28000?
Anyone already ISO 9001 and/or ISO 14001 certified and/or compliant with TAPA or C-TPAT could quite easily integrate this into ISO 28000, as well as including TAPA requirements in the applicable sections of ISO 28000.
Companies that feel they could demonstrate an SMS that fits their needs without implementing all of the requirements of TAPA or C-TPAT may be interested in the standard.
If ISO 28000 ever becomes customer driven, either of the above may occur.
Would the TAPA organization recognize compliance to ISO 28000 in lieu of TAPA?
Probably not: ISO 28000 does not have specific requirements to demonstrate parallel compliance to TAPA requirements and does not specifically prohibit sampling of locations.


Summary (2)
Would US Customs recognize ISO 28000 in lieu of a validated C-TPAT program?
There is the possibility that demonstrable compliance to ISO 28000 could satisfy the requirements of C-TPAT if all CBP security requirements were met within the implementation of ISO 28000.
C-TPAT allows each company to determine its own security program, within certain parameters. Companies would still have to pass validation audits by Customs based on the C-TPAT security requirements, but this would not certify them to ISO 28000.
Will ISO 28000 ever become an accredited standard through ANAB in the US?
Always possible, but not soon: without third-party verification requirements, the accrediting body may not see this as high on its list for its next accredited product.
Independent audits to ISO 28000 could yield letters of conformance to the standard.
