ISO 28000 – Security Management System
The security of the business operations: performance, NOT conformity or conformance.

conformity or conformance
• compliance in actions, behaviour, etc., with certain standards or norms
• correspondence or likeness in form or appearance; congruity; agreement

performance
• manner or quality of functioning
• any accomplishment
The ISO 28000 cycle – Continual Improvement
Planning
• Security Risks and Threats
• Legal & Other Requirements
• Objectives & Targets
• Security Management Program
Implementation
• Structure & Responsibility
• Training, Awareness, Competence
• Operational Control
• SMS Documentation
• Document Control
• Communication
• Emergency Preparedness / Response
Checking / Corrective Action
• Nonconformance & Corrective & Preventive Action
• Monitoring & Measurement
• Records
• SMS Audits & Evaluation
Know your Organization – General (4.1)
Define the scope and boundaries of the security program; identify critical objectives, operations, functions, products and services.
• What is the business or operations?
• What do you want to protect?
• How much of the organisation?
• What are the boundaries?
• What activities and assets?
• The nature and scale of the business?
Legal and other requirements to identify, e.g.:
• Privacy laws
• Government schemes
• Industry codes/standards
Security Risk Assessments
(diagram) Risk Assessment (ISO 31000:2009) → elements of a security risk → risk acceptable? NO → Treat Risk
Security Management Objectives, Targets & Programs
The security risks identified through the assessment lead to:
Planning
• Objectives & Targets (4.3.3 & 4.3.4)
• Security Management Program (4.3.5)
Implementation – questions the program must answer
• Where does it need to happen?
• Who is accountable?
• Who has responsibilities?
• Can they do the job?
• Authorities required at different levels?
• Competence?
• What security tools are needed?
• Preparations for security emergencies?
• How is the security program captured?
Implementation clauses: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Communication (4.4.3); SMS Documentation (4.4.4); Document Control (4.4.5); Operational Control (4.4.6); Emergency Preparedness / Response (4.4.7)
Implementing the security program
• Policy driven, protecting the business and based on legal requirements and identified security risks.
• Programs address security objectives and targets.
• The people are competent and authorised for the tasks.
• Utilising "fit-for-purpose" security tools to manage the security.
• With security emergency plans.
• Security manual and/or procedures.
• Communications and consultative processes.
Implementation clauses: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Communication (4.4.3); SMS Documentation (4.4.4); Document Control (4.4.5); Operational Control (4.4.6); Emergency Preparedness / Response (4.4.7)
Is the security working?
• Are the security programs effective?
• Has security been enhanced?
• Is the program proactive?
• Are problems being identified, managed and rectified?
Checking / Corrective Action clauses: Monitoring & Measurement (4.5.1); System Evaluation (4.5.2); Nonconformance & Corrective & Preventive Action (4.5.3); Records (4.5.4); SMS Audits (4.5.5)
Management Review – the circle closes
• Selecting and utilising operational controls that are fit for purpose, maintained and calibrated where required.
• Ensuring that operational controls address the security objectives of the organisation; these may include business processes and security tools.
• Evaluating the performance and effectiveness of the security program.
At this time there is no other verification or certification of any security program that offers this ongoing assurance that trusted "secure traders" (e.g. C-TPAT, AEO) are consistently maintaining appropriate security.
Supply Chain Regulations
(diagram) Supply chain stages, by air and maritime transport: Production → Consolidation → Departure Ports / Airports / Borders → Arrival Ports / Airports / Borders → Storage and Distribution → End-user / Point of Sale
What alternative?
Using ISO 28000 for a Risk Based AEO Model
• WCO SAFE recommends that all of WCO SFoS 5.2, Conditions and Requirements for AEO, A – M (13), be applied.
• In 5.2 par 1: "These are the standards, practices and procedures which members of the trade business community aspiring to AEO status are expected to adopt into routine usage, based on risk assessment and AEO business model."
• Note: based on risk and business model.
• Using ISO 28000 to identify the security risks, and therefore the need to apply the "security related" AEO criteria, meets and/or exceeds all existing major national programs.
• A combined WCO-AEO & ISO 28000 model should facilitate the opportunities for mutual recognition in respect to similar programs based on Section 5.2 of the WCO SAFE Framework of Standards.
• WCO SAFE 5.4 mandates the design of the validation and authorisation process.
Security Schemes – WCO SFoS AEO criteria mapped to national programs and ISO 28000
Columns, in the order printed: WCO SFoS AEO Criteria | NZ SES | EU AEO | US CBP C-TPAT | WBO BASC | Singapore STP | APEC (Security 03) | ISO 28000
Criteria shown, with the ISO 28000 clauses that address each:
• Demonstrated Compliance with Customs Requirements – 4.3.2
• Consultation, Cooperation and Communication – 4.4.1, 4.3.2, 4.4.3
• Information Exchange, Access and Confidentiality – 4.4.3, 4.4.4, 4.4.5, 4.4.6
• Trading Partner Security – 4.3.1, 4.3.3
• Measurement, Analysis and Improvement – 4.5.1, 4.5.2, 4.5.3, 4.5.5, 4.6
Criteria met (of 13), per column in the order above: 13, 9, 10, 8, 9, 10, 9, 13
Peter Boyce
Senior Business Manager, Security Management Systems