Boyce Panel 3
ISO 28000 – Security Management System

The emphasis is on performance, NOT conformity or conformance.

Conformity or conformance:
• compliance in actions, behaviour, etc., with certain standards or norms
• correspondence or likeness in form or appearance; congruity; agreement

Performance:
• manner or quality of functioning
• any accomplishment
Continual Improvement cycle of the SMS (figure; only the box labels are recoverable):
• Planning: Legal & Other Requirements; Security Risks and Threats; Objectives & Targets; Security Management Program
• Implementation: Structure & Responsibility; Training, Awareness, Competence; Communication; SMS Documentation; Document Control; Operational Control; Emergency Preparedness / Response
• Checking / Corrective Action: Monitoring & Measurement; Nonconformance & Corrective & Preventive Action; Records; SMS Audits & Evaluation
Know your Organization (General, 4.1)
• What is the business or operations?
• What do you want to protect?
• How much of the organisation?
• What are the boundaries?
• What activities and assets?
• The nature and scale of the business?
Outcome: define scope and boundaries for the security program; identify critical objectives, operations, functions, products and services.
Example areas of exposure (figure; labels regrouped by column):
• Financial: Governance; Transactions and funding; Cash handling; Purchasing and receiving; Working capital
• Visitors: Access; Safety; Theft
• Information Technology (IT): Computer protocols / Encryption; Access control; Backup / Storage
• Other stakeholders
• Legal and other requirements to which the organisation is bound or subscribes, such as:
• Statute law
• Government schemes
• Industry codes/standards
Security Risk Assessments
• A procedure detailing how security risks are identified, assessed and evaluated,
including threats to and from stakeholders.
• Risk assessments shall be conducted by qualified personnel using recognised
methodologies.
• The methodology and grading criteria shall be documented, allowing for a
consistently applied process.
• Plausible threats shall be identified and the associated risks evaluated.
• Results of security risk assessments shall be documented and shall provide input to
other areas of the Security Management System.
Risk Management Model (ISO 31000:2009) (figure; only the box labels are recoverable):
• Establishing the Context: The External Context; The Internal Context; The Risk Management Context; Develop Criteria and Define the Structure
• Risk Assessment: Elements of a Security Risk (Assets, ...)
• Treat Risk
Security Management Objectives, Targets & Programs
The security risks identified through the assessment lead to:

Planning
• Where does it need to happen? – Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5)

Implementation
• Who is accountable? Who has responsibilities? Can they do the job? What authorities are required at different levels? Competence? – Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2)
• What security tools are needed? – Operational Control (4.4.6)
• Preparations for security emergencies? – Emergency Preparedness / Response (4.4.7)
• How is the security program captured? – SMS Documentation (4.4.4); Document Control (4.4.5); Communication (4.4.3)
Implementing the security program
• Policy driven, protecting the business and based on legal requirements
and identified security risks.
• Programs address security objectives and targets.
• The people are competent and authorised for the tasks.
• Utilising "fit-for-purpose" security tools to manage the security.
• With security emergency plans.
• Security manual and/or procedures.
• Communications and consultative processes.
Implementation clauses: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Operational Control (4.4.6)
Management Review – the circle closes
• Selecting and utilising operational controls that are fit for purpose, maintained
and calibrated where required
• Ensuring that operational controls address the security objectives of the
organisation, these may include business processes and security tools.
• Evaluating the performance and effectiveness of the security program
• Certification surveillance visits ensure the continued optimal performance of the security
program to manage any identified security risks to the operations throughout the life of the
certification cycle.
At this time there is no other verification or certification of any security program that offers this
ongoing assurance that trusted “secure traders” (e.g. C-TPAT, AEO) are consistently
maintaining appropriate security.
Supply Chain Regulations (figure; recovered labels only)
Flow: Production → Consolidation → Departure (Ports, Airports, Borders) → Arrivals (Ports, Airports, Borders) → Storage / Distribution → End-user / Point of Sale
Modes: Air; Maritime
What alternative?
Using ISO 28000 for a Risk Based AEO Model
• WCO SAFE recommends that all of WCO SFoS 5.2 be applied: A – M (13) Conditions
and Requirements for AEO.
• In 5.2 par 1, "These are the standards, practices and procedures which members of
the trade business community aspiring to AEO status are expected to adopt into
routine usage, based on risk assessment and AEO business model"
• Note: based on risk and business model.
• Using ISO 28000 to identify the security risks, and therefore the need to apply the
"security related" AEO criteria, meets and/or exceeds all existing major national
programs.
• A combined WCO-AEO & ISO 28000 model should facilitate the opportunities for
mutual recognition in respect to similar programs based on Section 5.2 of the WCO SAFE
Framework of Standards.
• WCO SAFE 5.4 mandates the design of the validation and authorisation process.
Security Schemes – WCO SFoS AEO criteria mapped to ISO 28000 clauses
(table; the per-scheme tick marks did not survive extraction, only the rows and totals below are recoverable)

Criterion                                          ISO 28000 clauses
Demonstrated Compliance with Customs Requirements  4.3.2
Consultation, Cooperation and Communication        4.4.1, 4.3.2, 4.4.3
Information Exchange, Access and Confidentiality   4.4.3, 4.4.4, 4.4.5, 4.4.6
Trading Partner Security                           4.3.1, 4.3.3
Measurement, Analysis and Improvement              4.5.1, 4.5.2, 4.5.3, 4.5.5, 4.6

Criteria met (of the 13 WCO SFoS AEO criteria), by scheme:
WCO SFoS AEO Criteria  13
NZ (SES)               9
EU (AEO)               10
US CBP (C-TPAT)        8
WBO (BASC)             9
Singapore (STP +)      10
APEC (Security 03)     9
ISO 28000              13
Peter Boyce
Senior Business Manager, Security Management Systems