
Conformity & Performance ISO 28000

Upload: beverly-welch

Post on 26-Dec-2015


TRANSCRIPT

Page 1: Conformity & Performance ISO 28000. ISO 28000 – Security Management System The security of the business operations NOT the security operations of the

Conformity & Performance

ISO 28000

Page 2:

ISO 28000 – Security Management System

The security of the business operations

NOT

the security operations of the business

• Unless this is the required objective.

Page 3:

Common terms of reference: Conformance & Performance

conformity or conformance
• compliance in actions, behaviour, etc., with certain standards or norms
• correspondence or likeness in form or appearance; congruity; agreement

performance
• manner or quality of functioning
• any accomplishment

Collins English Dictionary - Complete & Unabridged 10th Edition

Page 4:

Security Performance

Security is a performance issue

Security must be addressing the needs of the organisation:
• Proactive in addressing plausible security issues
• Alert to changes in organisational security risks
• Responsive to changing organisational security objectives
• Security management activities must be fit for purpose, in situ and for meeting security targets

• SECURITY PERFORMANCE MUST MEET OR EXCEED THE SECURITY REQUIREMENTS OF THE ORGANISATION
– Not just conform to a predefined set of instruments

Page 5:

What is ISO 28000

• A Security Management System that defines best practice methodologies for managing organisational security needs.

• Four overarching requirements of any security program:
A. Consistent with business model and objectives
B. Legal and statutory compliance
C. Identification and understanding of security risks
D. Management of the security risks

• ISO 28000 allows any organisation, public or private, large or small, to meet these requirements in a structured and systematic manner – facilitating program reliability and consistent performance.

Page 6:

Security Management System

(Diagram: the plan-do-check-act cycle of the security management system)

Start → Management Commitment → Security Policy

Know your Organization: define scope and boundaries for the security program; identify critical objectives, operations, functions, products and services.

Planning: Legal & Other Requirements; Security Risks and Threats; Objectives & Targets; Security Management Program

Implementation: Structure & Responsibility; Training, Awareness, Competence; Operational Control; SMS Documentation; Document Control; Communication; Emergency Preparedness / Response

Checking / Corrective Action: Nonconformance & Corrective & Preventive Action; Monitoring & Measurement; Records; SMS Audits & Evaluation

Management Review → Continual Improvement, and the cycle repeats

Page 7:

General (4.1)

What is the business or operations? What do you want to protect? How much of the organisation? What are the boundaries? What activities and assets? The nature and scale of the business?

Know your Organization: define scope and boundaries for the security program; identify critical objectives, operations, functions, products and services.

Security Policy (4.2)

• Policy is a statement of “WHAT” is to be achieved; supported by procedures specifying “HOW” it will be achieved.

Page 8:

Businesses want to protect

PEOPLE

Other stakeholders
• Customers / suppliers
• Business partners
• Regulators
• Community

Visitors
• Access
• Safety
• Theft

Employees
• Recruitment
• Staff joining and leaving
• Industrial relations
• OHS
• Bullying / Harassment
• Workplace violence
• Ethics / Governance
• Discipline
• Theft & Fraud

ASSETS

Intangibles
• Intellectual property
• Reputation
• Goodwill / Market Status

Financial
• Governance
• Transactions and funding
• Cash handling
• Purchasing and receiving
• Working capital

Operations
• Process capability
• Disruption
• Over-runs / Diversions

Capital
• Physical Assets
• Owned or in possession
• Integrity & Control

INFORMATION

Information Technology (IT)
• Computer protocols / Encryption
• Access control
• Backup / Storage
• Continuity & Recovery
• Hacking & Virus
• Physical site

Confidentiality, Availability & Integrity
• Classification / Authorisations
• Escrow & Guarantees
• Validation & Verification
• Privacy
• Misuse / Access / Release
• Storage / Archiving / Disposal
• Movement & accountability
• Records Management
• Version control

Page 9:

The foundation of the program

• Legal and other requirements,
• Security risk assessment, and
• The design of the security program
contribute to the planning phase for implementing a security management system.

• This is the FOUNDATION
• If not correct, the security outcomes and performance of the entire system may be flawed.

Planning: Legal & Other Requirements (4.3.2); Security Risks and Threats (4.3.1); Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5)

Page 10:

What Legal requirements?

• Legal and other requirements to which the organisation is bound or subscribes.

• Statute law
• Traffic and parking laws
• Firearms laws
• Privacy laws
• Security licensing laws & regulations
• Signage and safety laws/regulations

• Government schemes, e.g. PS Prep, TSA – Secure Freight, FDA – Pharma security, etc.

• International conventions
• Industry codes/standards

Planning: Legal & Other Requirements (4.3.2)

Page 11:

Security Risk Assessments

Overall process of risk identification, risk analysis and risk evaluation (ISO Guide 73 – Risk Management, Vocabulary)

• A procedure detailing how security risks are identified, assessed, and evaluated, including threats to and from stakeholders.
• Risk assessments shall be conducted by qualified personnel using recognised methodologies.
• The methodology and grading criteria shall be documented, allowing for a consistently applied process.
• Plausible threats have been identified and risks evaluated.
• Results of security risk assessments shall be documented and provided as input to other areas of the Security Management System.

Page 12:

Risk Management Model (ISO 31000:2009)

(Diagram: the ISO 31000 process, with Communication & Consultation and Monitor and Review running alongside every step)

Establishing the Context: the external context; the internal context; the risk management context; develop criteria and define the structure.

Risk Assessment:
• Risk Identification: what can happen, when, where, how & why.
• Risk Analysis: identify existing controls; determine likelihood; determine consequences; determine level of risk.
• Risk Evaluation: compare against the criteria; set the priorities. Treat risk? YES → Risk Treatment; NO → no further treatment, subject to monitoring and review.

Risk Treatment: identify options; assess options; prepare and implement treatment options; analyse & evaluate residual risk.

5 Essential Elements of a Security Risk Assessment: Assets; Threats; Vulnerabilities; Likelihood; Consequence.

Page 13:

Security Management Objectives, Targets & Programs

The security risks identified through the assessment lead to:
• What risks require attention?
• Where does it need to happen?
• What security outcomes are sought?
• When does it need to happen?
• How will we manage the risk?

Planning: Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5)

Page 14:

Setting objectives

Identified security risks in operational areas are prioritised.
• A determination of the desired improvement for each risk. Some options include:
• Reduce the security risk?
• Reduce the likelihood?
• Reduce the consequence?
• Accept the risk?
• Transfer the risk?
• Improve incident management?
• Improve business performance?
• Cost and resource improvement?
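The risk assessment loop on page 12 and the treatment options on page 14 (grade each risk from likelihood and consequence on a documented scale, compare against criteria, set priorities, apply a treatment option, then analyse and evaluate the residual risk), as an added Python illustration that is not part of the original deck or of any ISO document. The 5-point scales, the rating bands, the acceptance criterion, the depot register and the treatment plan are all constructed assumptions; ISO 28000 requires the methodology and grading criteria to be documented and applied consistently, it does not prescribe them.

```python
"""Added illustration (not from the deck): an ISO 31000-style security risk grading
and treatment loop. The 5-point scales, rating bands, acceptance criterion and
sample register are constructed assumptions; ISO 28000 only requires that the
methodology and grading criteria be documented and applied consistently."""
from dataclasses import dataclass, replace

LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "almost certain")  # assumed scale
CONSEQUENCE = ("negligible", "minor", "moderate", "major", "severe")        # assumed scale
ACCEPTABLE = {"low", "medium"}  # documented acceptance criterion (assumed)


def grade(score: int) -> str:
    """Documented grading criterion: band the likelihood x consequence product (1..25)."""
    return "extreme" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"


@dataclass(frozen=True)
class Risk:
    """One register entry: the five essential elements plus the controls in place."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str            # one of LIKELIHOOD
    consequence: str           # one of CONSEQUENCE
    existing_controls: tuple = ()
    treatments: tuple = ()     # audit trail of the options applied so far
    accepted_by: str = ""      # documented sign-off when a risk is accepted as-is

    @property
    def score(self) -> int:
        return (LIKELIHOOD.index(self.likelihood) + 1) * (CONSEQUENCE.index(self.consequence) + 1)

    @property
    def rating(self) -> str:
        return grade(self.score)

    @property
    def needs_treatment(self) -> bool:
        return not self.accepted_by and self.rating not in ACCEPTABLE


def lower_band(scale: tuple, value: str, steps: int) -> str:
    """Move `value` down `steps` bands on `scale`, never below the lowest band."""
    return scale[max(0, scale.index(value) - steps)]


# Treatment options named on the slide. Each returns a new residual Risk and leaves the
# original entry untouched, so the pre-treatment grading survives for the records.
def reduce_likelihood(r: Risk, control: str, steps: int = 1) -> Risk:
    return replace(r, likelihood=lower_band(LIKELIHOOD, r.likelihood, steps),
                   existing_controls=r.existing_controls + (control,),
                   treatments=r.treatments + ("reduce likelihood: " + control,))

def reduce_consequence(r: Risk, control: str, steps: int = 1) -> Risk:
    return replace(r, consequence=lower_band(CONSEQUENCE, r.consequence, steps),
                   existing_controls=r.existing_controls + (control,),
                   treatments=r.treatments + ("reduce consequence: " + control,))

def transfer(r: Risk, to: str, steps: int = 1) -> Risk:
    """Transfer (e.g. insurance) lowers the consequence the organisation bears, not the likelihood."""
    return replace(r, consequence=lower_band(CONSEQUENCE, r.consequence, steps),
                   treatments=r.treatments + ("transfer to: " + to,))

def accept(r: Risk, signed_off_by: str) -> Risk:
    """Accepting a risk above the criteria is a management decision and is recorded as one."""
    return replace(r, accepted_by=signed_off_by, treatments=r.treatments + ("accepted by: " + signed_off_by,))


def prioritise(register: list) -> list:
    """Risk evaluation: keep entries above the criteria, highest score first."""
    return sorted((r for r in register if r.needs_treatment), key=lambda r: (-r.score, r.asset))


def treat(register: list, plan: dict) -> tuple:
    """Risk treatment: apply the options planned for each (asset, threat), then re-grade the
    residual risk. Returns (residuals, still_open); still_open goes back to 'identify options'."""
    residuals = []
    for r in register:
        for option in plan.get((r.asset, r.threat), ()):
            r = option(r)
        residuals.append(r)
    return residuals, [r for r in residuals if r.needs_treatment]


# Constructed sample register for a distribution depot (not from the deck).
REGISTER = [
    Risk("warehouse stock", "theft by organised group", "perimeter unlit at night, no CCTV",
         "likely", "major", existing_controls=("padlocked gate",)),
    Risk("despatch records", "tampering with consignment data", "shared login on despatch PC",
         "possible", "moderate"),
    Risk("visitor car park", "vehicle break-in", "open access during business hours", "possible", "minor"),
    Risk("delivery fleet", "hijack in transit", "single driver, no route tracking", "unlikely", "severe"),
]

# Constructed treatment plan: the options chosen for each prioritised risk.
PLAN = {
    ("warehouse stock", "theft by organised group"): [
        lambda r: reduce_likelihood(r, "lighting, CCTV and night patrol", steps=2),
        lambda r: reduce_consequence(r, "cap overnight stock value"),
    ],
    ("despatch records", "tampering with consignment data"): [
        lambda r: reduce_likelihood(r, "individual accounts with audit log"),
    ],
    ("delivery fleet", "hijack in transit"): [lambda r: transfer(r, "cargo insurer")],
}
```

`prioritise(REGISTER)` ranks the three entries above the criteria (warehouse stock, delivery fleet, despatch records) and drops the car park, which is already acceptable. `treat(REGISTER, PLAN)` returns the residual register with the delivery fleet still rated high after transfer alone; that is the "analyse & evaluate residual risk" branch sending the entry back to "identify options" for a second pass, for example a likelihood-reducing control. Entries are never mutated, so the pre-treatment grading stays available for the records clause (4.5.4) and for surveillance audits.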

Page 15:

How to achieve this security?

• Who is accountable?
• Who has responsibilities?
• Can they do the job?
• Authorities required at different levels?
• Competence
• What security tools are needed?
• Preparations for security emergencies?
• How is the security program captured?

Implementation: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Operational Control (4.4.6); SMS Documentation (4.4.4); Document Control (4.4.5); Communication (4.4.3); Emergency Preparedness / Response (4.4.7)

Page 16:

Implementing the security program

• Policy driven, protecting the business and based on legal requirements and identified security risks.
• Programs address security objectives and targets.
• The people are competent and authorised for the tasks.
• Utilising “fit-for-purpose” security tools to manage the security.
• With security emergency plans.
• Security manual and/or procedures.
• Communications and consultative processes.

Implementation: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Operational Control (4.4.6); SMS Documentation (4.4.4); Document Control (4.4.5); Communication (4.4.3); Emergency Preparedness / Response (4.4.7)

Page 17:

Is the security working?

• Are the security programs effective?
• Has security been enhanced?
• Is the program proactive?
• Are problems being identified, managed and rectified?
• Adequate resources – to do the job?
• Is the data needed to manage the system recorded and managed?
• Consistently compliant with obligations?
• Confirmation of the security program and system performance?

Checking / Corrective Action: Nonconformance & Corrective & Preventive Action (4.5.3); Monitoring & Measurement (4.5.1); System Evaluation (4.5.2); Records (4.5.4); SMS Audits (4.5.5)

Page 18:

Management Review and Continual Improvement

• Top management reviews the security management system at planned intervals.
• Legal and stakeholder considerations reviewed.
• Considers security and management systems performance and improvements.
• Discussions and decisions recorded.
• The review includes the mandatory inputs specified in ISO 28000:2007 and opportunities for improvement or any need for change.

Page 19:

The circle closes

and starts again

Page 20:

ISO 28000: Conformance + Performance

Conformance
• The specifications of the management system require:
• A security policy
• Compliance with legal and regulatory requirements
• An effective and accurate Security Risk Assessment
• The development of security objectives and targets, as well as a planning process for meeting them.
• The use of operational controls to manage the identified security risks
• Audits and reviews
• Top management involvement and continual improvement of the security management system and objectives.
• Documentation of the program to ensure consistent application

Page 21:

ISO 28000: Conformance + Performance

Performance
• Through the security management system, organisations are:
• Applying security programs appropriate to the nature and scale of the organisation
• Identifying and managing those security risks applicable to the site
• Selecting and utilising operational controls that are fit for purpose, maintained and calibrated where required
• Ensuring that operational controls address the security objectives of the organisation; these may include business processes and security tools.
• Evaluating the performance and effectiveness of the security program
• Consistently monitoring the security program and maintaining optimum performance or adjusting when conditions change.
• Motivating top management involvement and continual improvement of the security program.
• Maintaining the appropriate levels of security in a consistent manner.

Page 22:

Certification or Validation

Certification to ISO 28000:2007 (three-year certificate)

Two-stage assessment process:

Stage 1 Assessment

Stage 2 Assessment

Followed by systematic ongoing surveillance to confirm conformance and performance of the security management system.

Page 23:

Certification - Stage 1

The Stage 1 will be a full assessment of the following:
• Scope, Policy and Legal
• Security Risk Assessment
– Asset identification
– Identification of threat sources
– Consequence analysis
– Vulnerability review and analysis
– Likelihood evaluation
• SRA methodology, including criteria, risk grading and prioritization
• Risk mitigation and planning
– Management System “Objectives, Targets and Programs”
• Planning of protective security measures [Operational Controls (procedures, personnel and technology)] for managing the security objectives and targets.

Page 24:

Certification - Stage 2

The Stage 2 visit confirms that:
• The policies, objectives, controls and procedures are effectively in practice
• The required management of significant security processes within the management system is effective
• Operational controls meet the stated mitigation objectives and are fit for purpose
• The management system conforms with all the requirements of ISO 28000, and the documented procedures consistently ensure systematic performance and improvement.
• The internal audits have evaluated the Security Management System and Top Management reviews support continual improvement.

Page 25:

Surveillance

Once certified, the organisation must demonstrate continuing conformance and performance through surveillance visits, which normally take place every six months, but not exceeding 12 months. This surveillance process ensures that a security program is functional at all times, and that:

• the organisation monitors and responds to changes in security risks and is capable of managing security incidents or changes to threats, vulnerabilities and assets,
• the risk treatment plan is reviewed for progress with actions, and the security program is providing the appropriate level of protection.
• Certification surveillance visits ensure the continued optimal performance of the security program to manage any identified security risks to the operations throughout the life of the certification cycle.

At this time there is no other verification or certification of any security program that offers this ongoing assurance that trusted “secure traders” (e.g. C-TPAT, AEO) are consistently maintaining appropriate security.

Page 26:

Supply Chain Regulations

(Diagram: the supply chain from Production → Consolidation → Departure (Ports, Airports, Borders) → Transport (Air, Land, Maritime) → Arrivals (Ports, Airports, Borders) → Storage → Distribution → End-user / Point of Sale, with the regulations and programs that apply along it)

Transport regulations and initiatives: ICAO / IATA; EC Regs 831/2006, 2320/2002; ISPS; CSI; OSC; 24 Hour Advanced Manifest; 96 Hour notice of arriving vessel; SST – Smart and Secure Trade Lane Project

Customs and trade partnership programs: WCO Framework of Standards; AEO (EU); C-TPAT (US); PIP (Canada); StairSec (Sweden); ACP & Frontline (Australia); Secure Exports Scheme (NZ); Singapore STP

International standards: BASC (Latin America); TAPA

Page 27:

Advantages through ISO 28000

• The answer to global supply chain security rests in the hands of the majority of business operators within the global production, storage and movement of goods and products – the SME/SMB.
• SMEs/SMBs should participate as “secure traders” based on managing the security issues applicable to their sites.
• Risk-based security of businesses within any supply chain.
• SMEs/SMBs not burdened with extensive set lists of “security requirements”, whether relevant or not applicable.
• ISO 28000 certification delivered by professional auditing organisations offers a global solution to cross-border challenges.
• “Rules of Origin”, e.g. Happy Hats of Hainan?

Page 28:

Rules of Origin

Current difficulties for Customs departments confirming:

Happy Hats of Hainan
1. Legitimate company
2. Makes hats
3. Business site in Hainan

What alternative?

Page 29:

Using ISO 28000 for a Risk Based AEO Model

• WCO SAFE recommends all of WCO SFoS 5.2 to be applied: A – M (13) Conditions and Requirements for AEO.
• In 5.2 par 1: “These are the standards, practices and procedures which members of the trade business community aspiring to AEO status are expected to adopt into routine usage, based on risk assessment and AEO business model”
• Note: based on risk and business model
• Using ISO 28000 to identify the security risks, and therefore the need to apply the “security related” AEO criteria, meets and/or exceeds all existing major national programs.
• A combined WCO-AEO & ISO 28000 model should facilitate the opportunities for mutual recognition in respect of similar programs based on Section 5.2 of the WCO SAFE Framework of Standards.
• WCO SAFE 5.4 mandates the design of the validation and authorisation process.

Page 30:

Security Schemes

(Table: the WCO SAFE Framework of Standards AEO criteria A–M, the ISO 28000:2007 clauses that cover each, and how many of the 13 criteria each scheme addresses; only the column totals survive in this transcript)

WCO SFoS AEO criterion                                   | ISO 28000 clause(s)
---------------------------------------------------------|---------------------------------
Demonstrated Compliance with Customs Requirements        | 4.3.2
Satisfactory System for Management of Commercial Records | 4.4.3, 4.4.5, 4.5.4
Financial Viability                                      | 4.3.3
Consultation, Cooperation and Communication              | 4.4.1, 4.3.2, 4.4.3
Education, Training and Awareness                        | 4.4.2
Information Exchange, Access and Confidentiality         | 4.4.3, 4.4.4, 4.4.5, 4.4.6
Cargo Security                                           | 4.4.6
Conveyance Security                                      | 4.4.6
Premises Security                                        | 4.4.6
Personnel Security                                       | 4.4.6
Trading Partner Security                                 | 4.3.1, 4.3.3
Crisis Management and Incident Recovery                  | 4.4.7
Measurement, Analysis and Improvement                    | 4.5.1, 4.5.2, 4.5.3, 4.5.5, 4.6

Criteria met (of 13), in the column order of the slide: WCO SFoS AEO Criteria 13; NZ SES 9; EU AEO 10; US CBP C-TPAT 8; WBO BASC 9; Singapore STP+ 10; APEC Security 03 9; ISO 28000 13.

Where business and security risk needs exist

Page 31:

WCO requires Validation

WCO SAFE 5.4 and 5.5 – Validation process required.
• Customs departments retain ultimate authority for accrediting, suspending or revoking AEO status.
• Validation processes may be delegated to 3rd parties.
• 3rd party validation should not inhibit mutual recognition.
• Customs administrations should not burden the international trade community with different sets of requirements.

Page 32:

Validation of conformity

Self-validating – adjective: requiring no external confirmation, sanction, or validation. (Random House Dictionary, © Random House, Inc. 2010.)

• There are currently some government and industry security schemes that allow self-validation, either during initial accreditation/licence issue or during annual self-declarations of continued compliance by business.

Validate – vb; validation – n: 1. to confirm or corroborate 2. to give legal force or official confirmation to; declare legally valid. (Collins English Dictionary - Complete & Unabridged 10th Edition)

Page 33:

When is a Secure Business not a “Secure Trader”?

Is a business that is professionally validated as:
• accurately identifying, analysing and evaluating all their security risks,
• managing those risks,
• monitoring the performance of their security program,
• proactively adaptive to changes in the security environment,
• maintaining optimum security programs for business advantage, and
• consistently seeking to improve their security and business benefits

any less secure than the business that:
• adopts a list of government-specified security measures – needed or not, thereafter applying a fix & forget approach until the next licence/approval application cycle?

Page 34:

Government Benefits of 3rd Party Validation

• It is anticipated that the EU may have up to 600,000 businesses eligible for EU AEO on a three-year cycle, which equates to 200,000 visits per year, excluding performance monitoring.
• Hong Kong may have up to 200,000 businesses eligible to apply for AEO, again on a three-year cycle.
• 48 full working weeks pa = 240 days
• 200,000 ÷ 3 ≈ 66,700 per year; ÷ 240 ≈ 278 audits per day
• Alternatively, governments “licence” a number of international certification bodies and manage the auditing performance.
• Government establishes standards, appraises and maintains AEO certification service delivery, including ongoing performance reviews of licensed AEO auditing companies.

Page 35:

• The US Government is already preparing for independent (3rd party) validation of some national security programs,
• The EU and Asia are familiar with and widely utilise ISO management system standards,
• Promoting the model of “secure supply chains” globally must involve a broader business acceptance and participation,
• Conformity to WCO AEO principles, coupled with the security performance processes through verified/certified ISO 28000, offers a model that can cross borders.

Manage the global AEO / C-TPAT consistency and quality, not just conformity.

Page 36:

For more information, please contact:

Peter Boyce, Senior Business Manager, Security Management Systems
Lloyd’s Register Quality Assurance Limited
3501, China Merchants Tower, Connaught Rd, Central, Hong Kong.

T +852 2287 9307
E [email protected]
www.lrqa.com