Conformity &

Performance
ISO 28000
ISO 28000 – Security Management
System
The security of the business operations

NOT

the security operations of the business

• Unless this is the required objective.
Common terms of reference
Conformance & Performance

conformity or conformance
• compliance in actions, behaviour, etc, with certain
standards or norms
• correspondence or likeness in form or appearance;
congruity; agreement

performance
• manner or quality of functioning
• any accomplishment

Collins English Dictionary - Complete & Unabridged 10th Edition

Security Performance

Security is a performance issue

Security must be addressing the needs of the organisation:
• Proactive in addressing plausible security issues
• Alert to changes in organisational security risks
• Responsive to changing organisational security
objectives
• Security management activities must be fit for purpose,
in situ and for meeting security targets

• SECURITY PERFORMANCE MUST MEET OR EXCEED THE

SECURITY REQUIREMENTS OF THE ORGANISATION
– Not just conform to a predefined set of instruments
What is ISO 28000

• A Security Management System that defines best practice

methodologies for managing organisational security needs.

• Four overarching requirements of any security program

A. Consistent with business model and objectives
B. Legal and statutory compliance
C. Identification and understanding of security risks
D. Management of the security risks

• ISO 28000 allows any organisation, public or private, large or

small, to meet these requirements in a structured and
systematic manner – facilitating program reliability and
consistent performance.
Security Management System Know your Organization
Define scope and boundaries
for security program.
Identify critical objectives,
operation, functions,
products and services
Start
Management
Management Commitment Security Policy
Review

Continual
Checking /
Corrective Action Improvement Planning
Legal & Other Requirements
Nonconformance & Security Risks and Threats
Corrective & Preventive Action
Monitoring & Measurement Implementation Objectives & Targets
Records Structure & Responsibility Security Management Program
SMS Audits & Evaluation Training, Awareness, Competence
Operational Control
SMS Documentation
Document Control
Communication
Emergency Preparedness /
Response
 What is the business or operations?
 What do you want to protect?
 How much of the organisation? Know your Organization
Define scope and boundaries
 What are the boundaries? for security program.
 What activities and assets? Identify critical objectives,
operation, functions,
products and services
 The nature and scale of the business? General. 4.1

• Policy is a statement of “WHAT” is to Security Policy

be achieved; supported by procedures 4.2
specifying “HOW” it will be achieved.
 Businesses wants to protect
PEOPLE ASSETS INFORMATION
Employees Confidentiality, Availability &
Capital
•Recruitment
•Physical Assets Integrity
•Staff joining and leaving • Owned or in possession •Classification/ Authorisations
•Industrial relations
•Integrity •Escrow & Guarantees
•OHS
& Control
•Validation & Verification
•Bullying / Harassment •Privacy
•Workplace violence Operations
•Misuse / Access / Release
•Process capability
•Ethics / Governance
•Storage / Archiving / Disposal
•Disruption
•Discipline
•Movement & accountability
•Over-runs / Diversions
•Theft & Fraud
•Records Management
•Version control
Financial
•Governance
Visitors •Transactions
•Access
and funding
•Cash handling
•Safety
•Purchasing and receiving Information Technology (IT)
•Theft
•Working capital •Computer protocols / Encryption
•Access control
Other stakeholders •Backup / Storage

•Customers / suppliers Intangibles •Continuity & Recovery

•Business partners •Intellectual property •Hacking & Virus

•Regulators •Reputation •Physical site

•Community •Goodwill / Market Status

The foundation of the program

• Legal and other requirements,

• Security risk assessment, and
• The design of the security
program contribute to the Planning
planning phase for Legal & Other Requirements (4.3.2)
Security Risks and Threats (4.3.1)
implementing a security
management system. Objectives & Targets (4.3.3 & 4)
Security Management Program (4.3.5)
• This is the FOUNDATION
• If not correct, the security
outcomes and performance
of the entire system may
be flawed.
What Legal requirements?

• Legal and other requirements to which the organisation is bound

or subscribes to.
• Statue Law

• Traffic and parking laws Planning

Legal & Other Requirements (4.3.2)
• Firearms laws

• Privacy laws

• Security licensing laws & regulations

• Signage and safety laws/regulations

• Government schemes

i.e. PS Prep, TSA – Secure Freight, FDA – Pharma security, etc.

• International Conventions

• Industry codes/standards
Security Risk Assessments

Overall process of risk identification, risk analysis and risk evaluation

(ISO Guide 73 – Risk Management, Vocabulary)

• A procedure detailing how security risks are identified, assessed,

and evaluated, including threats to and from stakeholders.
• Risk assessments shall be conducted by qualified personnel
using recognised methodologies.
• The methodology and grading criterion shall be documented,
allowing for a consistently applied process.
• Plausible threats have been identified and risks evaluated.
• Results of security risk assessments shall be documented and
provided input to other areas of the Security Management System.
 Risk Management Model
The External Context
The Internal Context Establishing the
Assets The Risk Management Context Context
Develop Criteria and Define the Structure

Risk Assessment

Communications & Consultation

Threats What can happen, when, where, how & why Risk Identification
Vulnerabilities

Monitor and Review

Identify existing controls
Likelihood Determine likelihood
Risk Analysis
Determine Consequences
Consequence Determine level of risk

5 Essential Compare the Criteria – Set the priorities Risk Evaluation

Elements
of a NO
Security Risk Treat Risk

Assessment Identify options YES

Assess options
Prepare and implement treatment options Risk Treatment
Analyse & evaluate residual risk

(ISO 31000:2009)
Security Management Objectives,
Targets & Programs
The security risks identified through the assessment – lead to;

• What risks require attention?

Planning
• Where does it need to happen? Objectives & Targets (4.3.3 & 4)
Security Management Program (4.3.5)

• What security outcomes are sought?

• When does it need to happen?

• How will we manage the risk?

Setting objectives

Identified security risks in operational areas are prioritised

• A determination of the desired improvement for each risk.

Some options include;

• Reduce the security risk?

• Reduce the likelihood?

• Reduce the consequence?

• Accept the risk?

• Transfer the risk?

• Improve incident management?

• Improve business performance?

• Cost and resource improvement?

How to achieve this security?

• Who is accountable?
• Who has responsibilities?
• Can they do the job?
• Authorities required at different
levels?
• Competence Implementation
Structure & Responsibility (4.4.1)
• What security tools are needed? Training, Awareness, Competence (4.4.2)
Operational Control (4.4.6)
• Preparations for security emergencies?
• How is the security program captured? SMS Documentation (4.4.4)
Document Control (4.4.5)
Communication (4.4.3)
Emergency Preparedness /
Response (4.4.7)
Implementing the security program
• Policy driven, protecting the business and based on legal
requirements and identified security risks.
• Programs address security objectives and targets.
• The people are competent and authorised for the tasks.
• Utilising “fit-for-purpose" security tools to manage the
security.
• With security emergency plans. Implementation
Structure & Responsibility (4.4.1)
• Security manual and/or procedures. Training, Awareness, Competence (4.4.2)
• Communications and consultative processes.Operational Control (4.4.6)
SMS Documentation (4.4.4)
Document Control (4.4.5)
Communication (4.4.3)
Emergency Preparedness /
Response (4.4.7)
Is the security working
Checking /
• Are the security programs effective? Corrective Action
• Has security been enhanced? Nonconformance &
Corrective & Preventive Action (4.5.3)
• Is the program proactive? Monitoring & Measurement (4.5.1)
Records (4.5.4)
• Are problems being identified, managed SMS Audits (4.5.5)
and rectified? System Evaluation (4.5.2)

• Adequate resources – to do the job?

• The data needed to manage the system is
recorded and managed?
• Consistently compliant with obligations?
• Confirmation of the security program and
system performance?
Management review and Continual
Improvement
• Top management reviews the security management system
at planned intervals.
• Legal and stakeholder considerations reviewed.
• Considers security and management systems
performance and improvements
• Discussions and decisions recorded.
• The review includes the mandatory inputs specified in ISO
28000:2007 and opportunities for improvement or any need
for change.

Management
Review
The circle closes

and starts again

ISO 28000
Conformance + Performance
Conformance
• The specifications of the management system, require;
• A security policy
• Compliance with legal and regulatory requirements
• An effective and accurate Security Risk Assessment
• The development of security objectives and targets, as well as
a planning process for meeting them.
• The use of operational controls to manage the identified
security risks
• Audits and reviews
• Top management involvement and continual improvement of
the security management system and objectives.
• Documentation of the program to ensure consistent
application
ISO 28000
Conformance + Performance
Performance
• Through the security management system, organisations are;
• Applying security programs appropriate to the nature and scale of the
organisation
• Identifying and managing those security risks applicable to the site

• Selecting and utilising operational controls that are fit for purpose,
maintained and calibrated where required
• Ensuring that operational controls address the security objectives of
the organisation, these may include business processes and security
tools.
• Evaluating the performance and effectiveness of the security program

• Consistently monitoring the security program and maintaining optimum

performance or adjusting when conditions change.
• Motivating top management involvement and continual improvement
of the security program.
• Maintaining the appropriate levels of security in a consistent manner.
Certification or Validation

Certification to ISO 28000: 2007. (three year certificate)

 Two stage assessment process divided between;

 Stage 1 Assessment
 Stage 2 Assessment

 Followed by systematic ongoing surveillance to confirm

conformance and performance of the security
management system.
Certification - Stage 1
The Stage 1 will be a full assessment of the following:
• Scope, Policy and Legal
• Security Risk Assessment
– Asset identification
– Identification of threat sources
– Consequence analysis
– Vulnerability review and analysis
– Likelihood evaluation
• SRA methodology, including, criteria, risk grading and
prioritization
• Risk mitigation and planning
– Management System “Objectives, Targets and Programs”
• Planning of protective security measures [Operational Controls
(procedures, personnel and technology)] for managing the
security objectives and targets.
Certification - Stage 2

The Stage 2 visit confirms that:

• The policies, objectives, controls and procedures are
effectively in practice
• The required management of significant security processes
within the management system are effective
• Operational controls meet the stated mitigation objectives
and are fit for purpose
• The management system conforms with all the requirements
of ISO28000, and that the documented procedures
consistently ensure systematic performance and
improvement.
• The internal audits have evaluated the Security Management
System and Top Management reviews support continual
improvement.
Surveillance
Once certified, the organisation must demonstrate continuing conformance and
performance through surveillance visits, which normally take place every six
months, but not exceeding 12 months.
This surveillance process ensures that a security program if functional at all
times, and
• the organisation monitors and responds to changes in security risks and is
capable of managing security incident or changes to threats, vulnerabilities
and assets,
• the risk treatment plan is reviewed for progress with actions, and that the
security program is providing the appropriate level of protection.

• Certification surveillance visits ensure the continued optimal performance of the

security program to manage any identified security risks to the operations
throughout the life of the certification cycle.

At this time there is no other verification or certification of any security program that
offers this ongoing assurance that trusted “secure traders” (e.g. C-TPAT, AEO) are
consistently maintaining appropriate security.
Supply Chain Regulations
Production Consolidati Departure Arrivals Storage Und-user
on Ports Ports Distribution Point of
Airports Airports Sale
Boarders Boarders

Air

Transport Transport Land Transport Transport

Maritime

WCO Framework of Standards

CSI
AEO (EU)
OSC
ICOA SST C-TPAT (US)
ISPS 24 Hour
PIP (Canada)
IATA Advanced Smart and
StairSec (Sweden)
EC Regs Manifest Secure
ACP & Frontline (Australia)
831/2006 96 Hour Trade Lane
Secure Exports Scheme (NZ)
2320/2002 notice of Project
Singapore STP
arriving
International Standards
vessel
BASC (Latin America)
TAPA
Advantages through ISO 28000
• The answer to global supply chain security rests in the
hands of the majority of businesses operators within the
global production, storage and movement of goods and
products – the SME/SMB.
• SME/SMB should participate as “secure traders” based on
managing the security issues applicable to their sites.
• Risk based security of businesses within any supply chain.
• SME/SMB not burdened with extensive set – lists of “security
requirement” – both relevant or not applicable.
• ISO 28000 certification delivered by professional auditing
organisations offers a global solution to cross boarder
challenges.
• “Rules of Origin” e.g. Happy Hats of Hainan?
 Rules of Origin
Current difficulties for Customs departments confirming:

Happy Hats of Hainan

1. Legitimate company
2. Makes Hats
3. Business site in Hainan

What alternative ?
Using ISO 28000 for a Risk Based
AEO Model
• WCO SAFE recommends all of WCO SFoS 5.2 to be applied. A – M (13)
Conditions and Requirements for AEO.
• In 5.2 par 1, “These are the standards, practices and procedures which
members of the trade business community aspiring to AEO status are
expected to adopt into routine usage, based on risk assessment and AEO
business model”
• Note: based on risk and business model
• Using ISO 28000 to identify the security risks and therefore the need to
apply the “security related” AEO Criteria meets and/or exceed all existing
major National programs.
• A combined WCO-AEO & ISO 28000 model should facilitate the
opportunities for mutual recognition in respect to similar programs based
on Section 5.2 WCO SAFE Framework of Standards.
• WCO SAFE 5.4 mandates for the design of validation and authorisation
process.
 Security Schemes
NZ EU US CBP WBO Singapore APEC
WCO SFoS, AEO Criteria ISO 28000
SES AEO C-TPAT BASC STP + Security 03

Demonstrated Compliance
4.3.2
with Customs Requirements

Satisfactory System for 4.4.3,

Management of Commercial 4.4.5,
Records 4.5.4,

Financial Viability 4.3.3

4.4.1,
Consultation, Cooperation
4.3.2,
and Communication
4.4.3.

Education, Training and

4.4.2
Awareness

4.4.3,
Information Exchange, 4.4.4,
Access and Confidentiality 4.4.5,
4,4,6,

Cargo Security 4.4.6.

Conveyance Security 4.4.6.

Premises Security 4.4.6.

Personnel Security 4.4.6.

4.3.1,
Trading Partner Security
4.3.3.

Crisis Management and

4.4.7.
Incident Recovery

4.5.1,
4.5.2,
Measurement, Analysis and
4.5.3,
Improvement
4.5.5,
4.6.

Criteria met 13 9 10 8 9 10 9 13

Where business and security risk needs exist

WCO requires Validation

WCO SAFE 5.4 and 5.5 – Validation process required.

• Customs Departments retain ultimate authority for
accrediting, suspending or revoking AEO status.
• Validation processes may be delegated to 3rd Parties.
• 3rd Party validation should not inhibit mutual recognition.

• Customs administrations should not burden the

international trade community with different sets of
requirements.
Validation of conformity
Validation. - vb, validation, - n
1. to confirm or corroborate
2. to give legal force or official confirmation to; declare legally
valid
Collins English Dictionary - Complete & Unabridged 10th Edition

Self- validating. - adjective;

• requiring no external confirmation, sanction, or
validation. Random House Dictionary, © Random House, Inc. 2010.

• There are currently some government and industry

security schemes that allow self-validation, either during
initial accreditation/licence issue or during annual self-
declarations of continued compliance by business.
When is a Secure Business not a
“Secure Trader”
Is a business that is professionally validated as;
• accurately identifying, analysing and evaluating all their security
risk,
• managing those risk,
• monitoring the performance of their security program,
• proactively adaptive to changes in the security environment
• maintaining optimum security programs for business advantage,
and
• consistently seeking to improve their security and business benefits

any less secure than the business that;

• adopts a list of government specified security measures – needed or
not, thereafter applying a fix & forget approach until next
licence/approval application cycle.
Government Benefits of 3rd Party Validation

• It is anticipated that the EU may have up to 600,000 businesses

eligible for EU AEO on a three-year cycle, which equates to
200,000 visits per year, excluding performance monitoring.
• Hong Kong may have up to 200,000 businesses eligible to apply
for AEO, again on a three-year cycle.
• 48 full working weeks pa = 240 days

• 200,000 ÷ 3 = 66,000 per year, ÷ 240 = 278 audits per day

• Alternatively Governments “Licence” a number of International

Certification Bodies and manage the auditing performance.
• Government establish standards, appraise and maintain AEO
certification service delivery, including ongoing performance
reviews of Licensed AEO auditing companies.
• The US Government is already preparing for
independent (3rd Party) validation of some national
security programs,
• The EU and Asia are familiar with and widely utilise
ISO management system standards,
• Promoting the model of “secure supply chains”
globally must involve a broader business acceptance
and participation,
• Conformity to WCO AEO principles, coupled with the
security performance processes through
verified/certified ISO 28000 offers a model that can
cross boarders.

Manage the global AEO / C-TPAT

consistency and quality,
not just conformity.
For more information, please contact:

Peter Boyce
Senior Business Manager, Security Management Systems

Lloyd’s Register Quality Assurance Limited

3501, China Merchants Tower
Connaught Rd, Central, Hong Kong.

T +852 2287 9307

E peter.boyce@lrqa.com
w www.lrqa.com