
Conformity & Performance
ISO 28000 – Security Management System

The security of the business operations
NOT
the security operations of the business
• Unless this is the required objective.
Common terms of reference: Conformance & Performance

conformity or conformance
• compliance in actions, behaviour, etc., with certain standards or norms
• correspondence or likeness in form or appearance; congruity; agreement

performance
• manner or quality of functioning
• any accomplishment

(Collins English Dictionary – Complete & Unabridged 10th Edition)


Security Performance

Security is a performance issue.

Security must address the needs of the organisation:
• Proactive in addressing plausible security issues
• Alert to changes in organisational security risks
• Responsive to changing organisational security objectives
• Security management activities must be fit for purpose, in situ and for meeting security targets

• SECURITY PERFORMANCE MUST MEET OR EXCEED THE SECURITY REQUIREMENTS OF THE ORGANISATION
  – Not just conform to a predefined set of instruments
What is ISO 28000?

• A Security Management System standard that defines best-practice methodologies for managing organisational security needs.
• Four overarching requirements of any security program:
  A. Consistent with business model and objectives
  B. Legal and statutory compliance
  C. Identification and understanding of security risks
  D. Management of the security risks
• ISO 28000 allows any organisation, public or private, large or small, to meet these requirements in a structured and systematic manner, facilitating program reliability and consistent performance.
Security Management System (overview of the cycle)

Start → Know your Organization
• Define scope and boundaries for the security program.
• Identify critical objectives, operations, functions, products and services.

Management Commitment → Security Policy

Planning
• Legal & Other Requirements
• Security Risks and Threats
• Objectives & Targets
• Security Management Program

Implementation
• Structure & Responsibility
• Training, Awareness, Competence
• Communication
• SMS Documentation
• Document Control
• Operational Control
• Emergency Preparedness / Response

Checking / Corrective Action
• Monitoring & Measurement
• SMS Audits & Evaluation
• Nonconformance & Corrective & Preventive Action
• Records

Management Review → Continual Improvement (the cycle returns to Planning)
Know your Organization (General, 4.1)
Define scope and boundaries for the security program. Identify critical objectives, operations, functions, products and services.
• What is the business or operations?
• What do you want to protect?
• How much of the organisation?
• What are the boundaries?
• What activities and assets?
• The nature and scale of the business?

Security Policy (4.2)
• Policy is a statement of “WHAT” is to be achieved; supported by procedures specifying “HOW” it will be achieved.
Businesses want to protect

PEOPLE
• Employees: recruitment; staff joining and leaving; industrial relations; OHS; privacy; bullying / harassment; workplace violence; ethics / governance; discipline; theft & fraud
• Visitors: access; safety; theft
• Other stakeholders: customers / suppliers; business partners; regulators; community

ASSETS
• Capital: physical assets; owned or in possession; integrity & control
• Operations: process capability; movement & accountability; disruption; over-runs / diversions
• Financial: governance; transactions and funding; cash handling; purchasing and receiving; working capital
• Intangibles: intellectual property; reputation; goodwill / market status

INFORMATION
• Confidentiality, Availability & Integrity: classification / authorisations; escrow & guarantees; validation & verification; misuse / access / release; storage / archiving / disposal; records management; version control
• Information Technology (IT): computer protocols / encryption; access control; backup / storage; continuity & recovery; hacking & virus; physical site


The foundation of the program
(Planning: Legal & Other Requirements (4.3.2); Security Risks and Threats (4.3.1); Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5))

• Legal and other requirements,
• Security risk assessment, and
• The design of the security program
contribute to the planning phase for implementing a security management system.

• This is the FOUNDATION.
• If not correct, the security outcomes and performance of the entire system may be flawed.
What legal requirements?
(Planning: Legal & Other Requirements (4.3.2))

• Legal and other requirements to which the organisation is bound or subscribes.
• Statute law
  • Traffic and parking laws
  • Firearms laws
  • Privacy laws
  • Security licensing laws & regulations
  • Signage and safety laws/regulations
• Government schemes
  e.g. PS-Prep, TSA – Secure Freight, FDA – pharma security, etc.
• International conventions
• Industry codes/standards
Security Risk Assessments

Overall process of risk identification, risk analysis and risk evaluation
(ISO Guide 73 – Risk Management, Vocabulary)

• A procedure detailing how security risks are identified, assessed and evaluated, including threats to and from stakeholders.
• Risk assessments shall be conducted by qualified personnel using recognised methodologies.
• The methodology and grading criteria shall be documented, allowing for a consistently applied process.
• Plausible threats have been identified and risks evaluated.
• Results of security risk assessments shall be documented and provide input to other areas of the Security Management System.
Risk Management Model (ISO 31000:2009)

Establishing the Context
• The external context
• The internal context
• The risk management context
• Develop criteria and define the structure

Risk Assessment
• Risk Identification: what can happen, when, where, how and why
• Risk Analysis: identify existing controls; determine likelihood; determine consequences; determine level of risk
• Risk Evaluation: compare against the criteria; set the priorities
• Treat risk? NO → back to monitor and review; YES → risk treatment

Risk Treatment
• Identify options
• Assess options
• Prepare and implement treatment options
• Analyse and evaluate residual risk

Running alongside every step: Communications & Consultation; Monitor and Review.

The 5 essential elements of a Security Risk Assessment: Assets, Threats, Vulnerabilities, Likelihood, Consequence.
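The model above is a process, and the point the deck keeps returning to is that the grading criteria must be documented so the process is repeatable. The following is an added example, not material from the presentation or from ISO 28000 / ISO 31000, that walks a small register of the five essential elements (asset, threat, vulnerability, likelihood, consequence) through analysis, evaluation against criteria, the treat / don't-treat decision, and residual risk. The 5×5 ordinal scales, the tolerance bands, the treatment options and the three sample risks for a freight consolidation depot are all constructed for illustration and would be replaced by the organisation's own documented criteria.

```python
"""Risk-register walk-through of the ISO 31000 flow (added example).

Not part of the original presentation and not an ISO 28000 / ISO 31000
artefact: the scales, bands, treatment options and sample risks below are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed ordinal scales (1 = lowest). An organisation documents its own
# scales and grading criteria (clause 4.3.1) so assessments are repeatable.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed evaluation criteria: level of risk = likelihood x consequence,
# graded into bands. "extreme" and "high" take the YES branch (treat risk);
# "medium" and "low" take the NO branch (accept, then monitor and review).
BANDS = ((15, "extreme"), (10, "high"), (5, "medium"), (1, "low"))
TREAT_AT = {"extreme", "high"}


def grade(level: int) -> str:
    """Map a numeric level of risk onto the documented grading criterion."""
    for threshold, name in BANDS:
        if level >= threshold:
            return name
    raise ValueError(f"level of risk out of range: {level}")


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Risk analysis step: combine the two rated elements into one level."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


@dataclass
class Treatment:
    option: str          # the selected treatment option
    likelihood: str      # likelihood expected after the option is applied
    consequence: str     # consequence expected after the option is applied


@dataclass
class Risk:
    # The five essential elements of a security risk assessment.
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    consequence: str
    existing_controls: list[str] = field(default_factory=list)
    treatment: Optional[Treatment] = None


def evaluate(risk: Risk) -> dict:
    """Analyse and evaluate one register entry; add residual risk when a
    treatment option has been selected for a risk that must be treated."""
    level = level_of_risk(risk.likelihood, risk.consequence)
    band = grade(level)
    result = {
        "asset": risk.asset, "threat": risk.threat,
        "level": level, "band": band, "treat": band in TREAT_AT,
        "residual_level": None, "residual_band": None, "residual_accepted": None,
    }
    if result["treat"] and risk.treatment is not None:
        residual = level_of_risk(risk.treatment.likelihood, risk.treatment.consequence)
        result["residual_level"] = residual
        result["residual_band"] = grade(residual)
        # Residual risk is accepted only once it falls outside the treat bands;
        # otherwise the treatment option must be reassessed.
        result["residual_accepted"] = grade(residual) not in TREAT_AT
    return result


def prioritise(register: list[Risk]) -> list[dict]:
    """Risk evaluation step: compare against criteria, highest level first."""
    return sorted((evaluate(r) for r in register), key=lambda e: e["level"], reverse=True)


# Constructed sample register for a freight consolidation depot.
SAMPLE_REGISTER = [
    Risk("loaded trailers in yard", "cargo theft", "unlit yard, no CCTV, no patrol",
         "likely", "major", existing_controls=["chain-link fence"],
         treatment=Treatment("add lighting, CCTV and patrol", "unlikely", "major")),
    Risk("warehouse management system", "malware outbreak", "unpatched workstations",
         "possible", "moderate", existing_controls=["antivirus"]),
    Risk("visitor reception", "workplace violence", "no visitor screening",
         "rare", "major", existing_controls=["sign-in register"]),
]

if __name__ == "__main__":
    for entry in prioritise(SAMPLE_REGISTER):
        print(entry)
```

Running it ranks the cargo-theft entry first (level 16, "extreme", must be treated; residual 8, "medium", accepted), leaves the malware entry at "medium" on the NO branch with no residual calculation, and puts workplace violence last at "low". Whatever scales a site adopts, the thing the auditor will look for is that the scales, the bands and the treat threshold are written down before the register is scored, not derived from it.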
Security Management Objectives, Targets & Programs
(Planning: Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5))

The security risks identified through the assessment lead to:
• What risks require attention?
• Where does it need to happen?
• What security outcomes are sought?
• When does it need to happen?
• How will we manage the risk?

Setting objectives

Identified security risks in operational areas are prioritised.
• A determination of the desired improvement for each risk.

Some options include:
• Reduce the security risk?
• Reduce the likelihood?
• Reduce the consequence?
• Accept the risk?
• Transfer the risk?
• Improve incident management?
• Improve business performance?
• Cost and resource improvement?


How to achieve this security?
(Implementation: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Communication (4.4.3); SMS Documentation (4.4.4); Document Control (4.4.5); Operational Control (4.4.6); Emergency Preparedness / Response (4.4.7))

• Who is accountable?
• Who has responsibilities?
• Can they do the job?
• Authorities required at different levels?
• Competence
• What security tools are needed?
• Preparations for security emergencies?
• How is the security program captured?
Implementing the security program
(Implementation: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Communication (4.4.3); SMS Documentation (4.4.4); Document Control (4.4.5); Operational Control (4.4.6); Emergency Preparedness / Response (4.4.7))

• Policy driven, protecting the business and based on legal requirements and identified security risks.
• Programs address security objectives and targets.
• The people are competent and authorised for the tasks.
• Utilising “fit-for-purpose” security tools to manage the security.
• With security emergency plans.
• Security manual and/or procedures.
• Communications and consultative processes.
Is the security working?
(Checking / Corrective Action: Monitoring & Measurement (4.5.1); System Evaluation (4.5.2); Nonconformance & Corrective & Preventive Action (4.5.3); Records (4.5.4); SMS Audits (4.5.5))

• Are the security programs effective?
• Has security been enhanced?
• Is the program proactive?
• Are problems being identified, managed and rectified?
• Adequate resources to do the job?
• Is the data needed to manage the system recorded and managed?
• Consistently compliant with obligations?
• Confirmation of the security program and system performance?
Management review and Continual Improvement
(Management Review)

• Top management reviews the security management system at planned intervals.
• Legal and stakeholder considerations reviewed.
• Considers security and management system performance and improvements.
• Discussions and decisions recorded.
• The review includes the mandatory inputs specified in ISO 28000:2007 and opportunities for improvement or any need for change.

The circle closes and starts again.


ISO 28000: Conformance + Performance

Conformance
• The specifications of the management system require:
  • A security policy
  • Compliance with legal and regulatory requirements
  • An effective and accurate Security Risk Assessment
  • The development of security objectives and targets, as well as a planning process for meeting them
  • The use of operational controls to manage the identified security risks
  • Audits and reviews
  • Top management involvement and continual improvement of the security management system and objectives
  • Documentation of the program to ensure consistent application
ISO 28000: Conformance + Performance

Performance
• Through the security management system, organisations are:
  • Applying security programs appropriate to the nature and scale of the organisation
  • Identifying and managing those security risks applicable to the site
  • Selecting and utilising operational controls that are fit for purpose, maintained and calibrated where required
  • Ensuring that operational controls address the security objectives of the organisation; these may include business processes and security tools
  • Evaluating the performance and effectiveness of the security program
  • Consistently monitoring the security program and maintaining optimum performance, or adjusting when conditions change
  • Motivating top management involvement and continual improvement of the security program
  • Maintaining the appropriate levels of security in a consistent manner
Certification or Validation

Certification to ISO 28000:2007 (three-year certificate)
• Two-stage assessment process divided between:
  • Stage 1 Assessment
  • Stage 2 Assessment
• Followed by systematic ongoing surveillance to confirm conformance and performance of the security management system.
Certification - Stage 1
Stage 1 is a full assessment of the following:
• Scope, Policy and Legal
• Security Risk Assessment
  – Asset identification
  – Identification of threat sources
  – Consequence analysis
  – Vulnerability review and analysis
  – Likelihood evaluation
• SRA methodology, including criteria, risk grading and prioritisation
• Risk mitigation and planning
  – Management System “Objectives, Targets and Programs”
• Planning of protective security measures [Operational Controls (procedures, personnel and technology)] for managing the security objectives and targets.
Certification - Stage 2
The Stage 2 visit confirms that:
• The policies, objectives, controls and procedures are effectively in practice
• The required management of significant security processes within the management system is effective
• Operational controls meet the stated mitigation objectives and are fit for purpose
• The management system conforms with all the requirements of ISO 28000, and the documented procedures consistently ensure systematic performance and improvement
• The internal audits have evaluated the Security Management System and top management reviews support continual improvement
Surveillance
Once certified, the organisation must demonstrate continuing conformance and performance through surveillance visits, which normally take place every six months, but not exceeding 12 months.
This surveillance process ensures that the security program is functional at all times, and that
• the organisation monitors and responds to changes in security risks and is capable of managing security incidents or changes to threats, vulnerabilities and assets,
• the risk treatment plan is reviewed for progress with actions, and the security program is providing the appropriate level of protection.

• Certification surveillance visits ensure the continued optimal performance of the security program to manage any identified security risks to the operations throughout the life of the certification cycle.

At this time there is no other verification or certification of any security program that offers this ongoing assurance that trusted “secure traders” (e.g. C-TPAT, AEO) are consistently maintaining appropriate security.
Supply Chain Regulations

Supply chain stages: Production → Consolidation → Departure (ports, airports, borders) → Transport (air, land, maritime) → Arrivals (ports, airports, borders) → Storage / Distribution → End-user / Point of Sale

Regulations, programs and standards applying along the chain:
• WCO Framework of Standards
• CSI; ISPS; ICAO; IATA; EC Regs 2320/2002 and 831/2006
• OSC; SST; 24 Hour Advanced Manifest; 96 Hour notice of arriving vessel; Smart and Secure Trade Lane Project
• AEO (EU); C-TPAT (US); PIP (Canada); StairSec (Sweden); ACP & Frontline (Australia); Secure Exports Scheme (NZ); Singapore STP; BASC (Latin America)
• International Standards; TAPA
Advantages through ISO 28000
• The answer to global supply chain security rests in the hands of the majority of business operators within the global production, storage and movement of goods and products: the SME/SMB.
• SME/SMB should participate as “secure traders” based on managing the security issues applicable to their sites.
• Risk-based security of businesses within any supply chain.
• SME/SMB not burdened with extensive set lists of “security requirements”, whether relevant or not applicable.
• ISO 28000 certification delivered by professional auditing organisations offers a global solution to cross-border challenges.
• “Rules of Origin”, e.g. Happy Hats of Hainan?
Rules of Origin
Current difficulties for Customs departments confirming, for “Happy Hats of Hainan”, that it is:
1. A legitimate company
2. Making hats
3. Operating from a business site in Hainan

What alternative?
Using ISO 28000 for a Risk-Based AEO Model

• WCO SAFE recommends all of WCO SFoS 5.2 be applied: A – M (13) Conditions and Requirements for AEO.
• In 5.2 par. 1: “These are the standards, practices and procedures which members of the trade business community aspiring to AEO status are expected to adopt into routine usage, based on risk assessment and AEO business model”.
• Note: based on risk and business model.
• Using ISO 28000 to identify the security risks, and therefore the need to apply the “security related” AEO criteria, meets or exceeds all existing major national programs.
• A combined WCO-AEO & ISO 28000 model should facilitate the opportunities for mutual recognition in respect to similar programs based on Section 5.2 of the WCO SAFE Framework of Standards.
• WCO SAFE 5.4 mandates the design of a validation and authorisation process.
Security Schemes

Schemes compared: NZ (SES) | EU (AEO) | US CBP (C-TPAT) | WBO (BASC) | Singapore (STP +) | APEC (Security 03) | ISO 28000

WCO SFoS AEO criteria and the ISO 28000 clauses that address each:
• Demonstrated Compliance with Customs Requirements: 4.3.2
• Satisfactory System for Management of Commercial Records: 4.4.3, 4.4.5, 4.5.4
• Financial Viability: 4.3.3
• Consultation, Cooperation and Communication: 4.4.1, 4.3.2, 4.4.3
• Education, Training and Awareness: 4.4.2
• Information Exchange, Access and Confidentiality: 4.4.3, 4.4.4, 4.4.5, 4.4.6
• Cargo Security: 4.4.6
• Conveyance Security: 4.4.6
• Premises Security: 4.4.6
• Personnel Security: 4.4.6
• Trading Partner Security: 4.3.1, 4.3.3
• Crisis Management and Incident Recovery: 4.4.7
• Measurement, Analysis and Improvement: 4.5.1, 4.5.2, 4.5.3, 4.5.5, 4.6

Criteria met (of 13): WCO SFoS AEO criteria 13; NZ SES 9; EU AEO 10; US CBP C-TPAT 8; WBO BASC 9; Singapore STP + 10; APEC Security 03 9; ISO 28000 13 (where business and security risk needs exist).


WCO requires Validation

WCO SAFE 5.4 and 5.5 – validation process required.
• Customs departments retain ultimate authority for accrediting, suspending or revoking AEO status.
• Validation processes may be delegated to 3rd parties.
• 3rd party validation should not inhibit mutual recognition.
• Customs administrations should not burden the international trade community with different sets of requirements.
Validation of conformity
validate – vb; validation – n
1. to confirm or corroborate
2. to give legal force or official confirmation to; declare legally valid
(Collins English Dictionary – Complete & Unabridged 10th Edition)

self-validating – adjective
• requiring no external confirmation, sanction, or validation.
(Random House Dictionary, © Random House, Inc. 2010)

• There are currently some government and industry security schemes that allow self-validation, either during initial accreditation/licence issue or during annual self-declarations of continued compliance by business.
When is a Secure Business not a “Secure Trader”?

Is a business that is professionally validated as:
• accurately identifying, analysing and evaluating all their security risks,
• managing those risks,
• monitoring the performance of their security program,
• proactively adaptive to changes in the security environment,
• maintaining optimum security programs for business advantage, and
• consistently seeking to improve their security and business benefits

any less secure than the business that:
• adopts a list of government-specified security measures, needed or not, thereafter applying a fix-and-forget approach until the next licence/approval application cycle?
Government Benefits of 3rd Party Validation

• It is anticipated that the EU may have up to 600,000 businesses eligible for EU AEO on a three-year cycle, which equates to 200,000 visits per year, excluding performance monitoring.
• Hong Kong may have up to 200,000 businesses eligible to apply for AEO, again on a three-year cycle.
• 48 full working weeks per annum = 240 days
• 200,000 ÷ 3 ≈ 66,700 per year; ÷ 240 ≈ 278 audits per day
• Alternatively, governments “licence” a number of international certification bodies and manage the auditing performance.
• Government establishes standards, appraises and maintains AEO certification service delivery, including ongoing performance reviews of licensed AEO auditing companies.
• The US Government is already preparing for independent (3rd party) validation of some national security programs.
• The EU and Asia are familiar with and widely utilise ISO management system standards.
• Promoting the model of “secure supply chains” globally must involve broader business acceptance and participation.
• Conformity to WCO AEO principles, coupled with the security performance processes through verified/certified ISO 28000, offers a model that can cross borders.

Manage the global AEO / C-TPAT consistency and quality, not just conformity.
For more information, please contact:

Peter Boyce
Senior Business Manager, Security Management Systems

Lloyd’s Register Quality Assurance Limited


3501, China Merchants Tower
Connaught Rd, Central, Hong Kong.

T +852 2287 9307


E peter.boyce@lrqa.com
w www.lrqa.com
