Conformity & Performance
ISO 28000
ISO 28000 – Security Management System
The security of the business operations,
NOT the security operations of the business
• Unless this is the required objective.
Common terms of reference: Conformance & Performance
conformity or conformance
• compliance in actions, behaviour, etc., with certain standards or norms
• correspondence or likeness in form or appearance; congruity; agreement
performance
• manner or quality of functioning
• any accomplishment
(Collins English Dictionary - Complete & Unabridged 10th Edition)
Security Performance
Security is a performance issue.
Security must address the needs of the organisation:
• Proactive in addressing plausible security issues
• Alert to changes in organisational security risks
• Responsive to changing organisational security objectives
• Security management activities must be fit for purpose, in situ and for meeting security targets
• SECURITY PERFORMANCE MUST MEET OR EXCEED THE SECURITY REQUIREMENTS OF THE ORGANISATION
  – Not just conform to a predefined set of instruments
What is ISO 28000?
• A Security Management System that defines best-practice methodologies for managing organisational security needs.
• Four overarching requirements of any security program:
  A. Consistent with business model and objectives
  B. Legal and statutory compliance
  C. Identification and understanding of security risks
  D. Management of the security risks
• ISO 28000 allows any organisation, public or private, large or small, to meet these requirements in a structured and systematic manner – facilitating program reliability and consistent performance.
Security Management System
[Diagram: the ISO 28000 Security Management System cycle]
Start: Management Commitment
Know your Organization: Define scope and boundaries for the security program. Identify critical objectives, operations, functions, products and services.
Security Policy
Planning: Legal & Other Requirements; Security Risks and Threats; Objectives & Targets; Security Management Program
Implementation: Structure & Responsibility; Training, Awareness, Competence; Operational Control; SMS Documentation; Document Control; Communication; Emergency Preparedness / Response
Checking / Corrective Action: Nonconformance & Corrective & Preventive Action; Monitoring & Measurement; Records; SMS Audits & Evaluation
Management Review
Continual Improvement (the cycle then repeats)
Security Policy (4.1 General; 4.2 Security Policy)
What is the business or operations?
What do you want to protect? How much of the organisation? What are the boundaries? What activities and assets?
The nature and scale of the business?
• Policy is a statement of “WHAT” is to be achieved; supported by procedures specifying “HOW” it will be achieved.
Businesses want to protect:
PEOPLE
• Other stakeholders: Customers / suppliers; Business partners; Regulators; Community
• Visitors: Access; Safety; Theft
• Employees: Recruitment; Staff joining and leaving; Industrial relations; OHS; Bullying / Harassment; Workplace violence; Ethics / Governance; Discipline; Theft & Fraud
ASSETS
• Intangibles: Intellectual property; Reputation; Goodwill / Market Status
• Financial: Governance; Transactions and funding; Cash handling; Purchasing and receiving; Working capital
• Operations: Process capability; Disruption; Over-runs / Diversions
• Capital: Physical Assets – Owned or in possession; Integrity & Control
INFORMATION
• Information Technology (IT): Computer protocols / Encryption; Access control; Backup / Storage; Continuity & Recovery; Hacking & Virus; Physical site
• Confidentiality, Availability & Integrity: Classification / Authorisations; Escrow & Guarantees; Validation & Verification; Privacy; Misuse / Access / Release; Storage / Archiving / Disposal; Movement & accountability; Records Management; Version control
The foundation of the program
• Legal and other requirements,
• Security risk assessment, and
• The design of the security program
contribute to the planning phase for implementing a security management system.
• This is the FOUNDATION.
• If not correct, the security outcomes and performance of the entire system may be flawed.
Planning: Legal & Other Requirements (4.3.2); Security Risks and Threats (4.3.1); Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5)
What legal requirements?
• Legal and other requirements to which the organisation is bound or subscribes.
• Statute law
  – Traffic and parking laws
  – Firearms laws
  – Privacy laws
  – Security licensing laws & regulations
  – Signage and safety laws/regulations
• Government schemes, e.g. PS-Prep, TSA – Secure Freight, FDA – pharma security, etc.
• International conventions
• Industry codes/standards
(Planning: Legal & Other Requirements, 4.3.2)
Security Risk Assessments
Overall process of risk identification, risk analysis and risk evaluation (ISO Guide 73 – Risk Management, Vocabulary)
• A procedure detailing how security risks are identified, assessed and evaluated, including threats to and from stakeholders.
• Risk assessments shall be conducted by qualified personnel using recognised methodologies.
• The methodology and grading criteria shall be documented, allowing for a consistently applied process.
• Plausible threats have been identified and risks evaluated.
• Results of security risk assessments shall be documented and provide input to other areas of the Security Management System.
Risk Management Model
[Diagram: the risk management process of ISO 31000:2009]
Establishing the Context: The External Context; The Internal Context; The Risk Management Context; Develop Criteria and Define the Structure
Risk Assessment:
• Risk Identification – What can happen, when, where, how & why
• Risk Analysis – Identify existing controls; Determine likelihood; Determine consequences; Determine level of risk
• Risk Evaluation – Compare against the criteria; Set the priorities; Treat risk? YES / NO
Risk Treatment: Identify options; Assess options; Prepare and implement treatment options; Analyse & evaluate residual risk
Running alongside every step: Communications & Consultation; Monitor and Review
(ISO 31000:2009)

5 Essential Elements of a Security Risk Assessment
Assets; Threats; Vulnerabilities; Likelihood; Consequence
Security Management Objectives, Targets & Programs
The security risks identified through the assessment lead to:
• What risks require attention?
• Where does it need to happen?
• What security outcomes are sought?
• When does it need to happen?
• How will we manage the risk?
Planning: Objectives & Targets (4.3.3 & 4.3.4); Security Management Program (4.3.5)
Setting objectives
Identified security risks in operational areas are prioritised.
• A determination of the desired improvement for each risk. Some options include:
  – Reduce the security risk?
  – Reduce the likelihood?
  – Reduce the consequence?
  – Accept the risk?
  – Transfer the risk?
  – Improve incident management?
  – Improve business performance?
  – Cost and resource improvement?
How to achieve this security?
• Who is accountable?
• Who has responsibilities?
• Can they do the job?
• Authorities required at different levels?
• Competence
• What security tools are needed?
• Preparations for security emergencies?
• How is the security program captured?
Implementation: Structure & Responsibility (4.4.1); Training, Awareness, Competence (4.4.2); Operational Control (4.4.6); SMS Documentation (4.4.4); Document Control (4.4.5); Communication (4.4.3); Emergency Preparedness / Response (4.4.7)
Implementing the security program
• Policy driven, protecting the business and based on legal requirements and identified security risks.
• Programs address security objectives and targets.
• The people are competent and authorised for the tasks.
• Utilising “fit-for-purpose” security tools to manage the security.
• With security emergency plans.
• Security manual and/or procedures.
• Communications and consultative processes.
Is the security working?
• Are the security programs effective?
• Has security been enhanced?
• Is the program proactive?
• Are problems being identified, managed and rectified?
• Adequate resources – to do the job?
• Is the data needed to manage the system recorded and managed?
• Consistently compliant with obligations?
• Confirmation of the security program and system performance?
Checking / Corrective Action: Nonconformance & Corrective & Preventive Action (4.5.3); Monitoring & Measurement (4.5.1); Records (4.5.4); SMS Audits (4.5.5); System Evaluation (4.5.2)
Management Review and Continual Improvement
• Top management reviews the security management system at planned intervals.
• Legal and stakeholder considerations reviewed.
• Considers security and management system performance and improvements.
• Discussions and decisions recorded.
• The review includes the mandatory inputs specified in ISO 28000:2007 and opportunities for improvement or any need for change.
Management Review: the circle closes and starts again.
ISO 28000: Conformance + Performance
Conformance
• The specifications of the management system require:
  – A security policy
  – Compliance with legal and regulatory requirements
  – An effective and accurate Security Risk Assessment
  – The development of security objectives and targets, as well as a planning process for meeting them
  – The use of operational controls to manage the identified security risks
  – Audits and reviews
  – Top management involvement and continual improvement of the security management system and objectives
  – Documentation of the program to ensure consistent application
ISO 28000: Conformance + Performance
Performance
• Through the security management system, organisations are:
  – Applying security programs appropriate to the nature and scale of the organisation
  – Identifying and managing those security risks applicable to the site
  – Selecting and utilising operational controls that are fit for purpose, maintained and calibrated where required
  – Ensuring that operational controls address the security objectives of the organisation; these may include business processes and security tools
  – Evaluating the performance and effectiveness of the security program
  – Consistently monitoring the security program and maintaining optimum performance, or adjusting when conditions change
  – Motivating top management involvement and continual improvement of the security program
  – Maintaining the appropriate levels of security in a consistent manner
Certification or Validation
Certification to ISO 28000:2007 (three-year certificate).
Two-stage assessment process:
• Stage 1 Assessment
• Stage 2 Assessment
Followed by systematic ongoing surveillance to confirm conformance and performance of the security management system.
Certification - Stage 1
The Stage 1 will be a full assessment of the following:
• Scope, Policy and Legal
• Security Risk Assessment
  – Asset identification
  – Identification of threat sources
  – Consequence analysis
  – Vulnerability review and analysis
  – Likelihood evaluation
• SRA methodology, including criteria, risk grading and prioritisation
• Risk mitigation and planning
  – Management System “Objectives, Targets and Programs”
• Planning of protective security measures [Operational Controls (procedures, personnel and technology)] for managing the security objectives and targets.
Certification - Stage 2
The Stage 2 visit confirms that:
• The policies, objectives, controls and procedures are effectively in practice
• The required management of significant security processes within the management system is effective
• Operational controls meet the stated mitigation objectives and are fit for purpose
• The management system conforms with all the requirements of ISO 28000, and the documented procedures consistently ensure systematic performance and improvement
• The internal audits have evaluated the Security Management System and Top Management reviews support continual improvement
Surveillance
Once certified, the organisation must demonstrate continuing conformance and performance through surveillance visits, which normally take place every six months, but not exceeding 12 months. This surveillance process ensures that a security program is functional at all times, and that:
• the organisation monitors and responds to changes in security risks and is capable of managing security incidents or changes to threats, vulnerabilities and assets,
• the risk treatment plan is reviewed for progress with actions, and that the security program is providing the appropriate level of protection.
• Certification surveillance visits ensure the continued optimal performance of the security program to manage any identified security risks to the operations throughout the life of the certification cycle.
At this time there is no other verification or certification of any security program that offers this ongoing assurance that trusted “secure traders” (e.g. C-TPAT, AEO) are consistently maintaining appropriate security.
Supply Chain Regulations
[Diagram: supply chain stages and the security regulations and schemes that apply along them]
Stages: Production → Consolidation → Departure (Ports, Airports, Borders) → Transport (Air, Land, Maritime) → Arrivals (Ports, Airports, Borders) → Storage → Distribution → End-user / Point of Sale
Transport regulations: ICAO / IATA; EC Regs 831/2006, 2320/2002; ISPS; CSI / OSC; 24 Hour Advanced Manifest; 96 Hour notice of arriving vessel; SST – Smart and Secure Trade Lane Project
WCO Framework of Standards: AEO (EU); C-TPAT (US); PIP (Canada); StairSec (Sweden); ACP & Frontline (Australia); Secure Exports Scheme (NZ); Singapore STP
International Standards: BASC (Latin America); TAPA
Advantages through ISO 28000
• The answer to global supply chain security rests in the hands of the majority of business operators within the global production, storage and movement of goods and products – the SME/SMB.
• SME/SMB should participate as “secure traders” based on managing the security issues applicable to their sites.
• Risk-based security of businesses within any supply chain.
• SME/SMB not burdened with extensive set lists of “security requirements”, whether relevant or not applicable.
• ISO 28000 certification delivered by professional auditing organisations offers a global solution to cross-border challenges.
• “Rules of Origin”, e.g. Happy Hats of Hainan?
Rules of Origin
Current difficulties for Customs departments confirming:
Happy Hats of Hainan
1. Legitimate company
2. Makes hats
3. Business site in Hainan
What alternative?
Using ISO 28000 for a Risk-Based AEO Model
• WCO SAFE recommends all of WCO SFoS 5.2, Conditions and Requirements for AEO, A – M (13), to be applied.
• In 5.2 par. 1: “These are the standards, practices and procedures which members of the trade business community aspiring to AEO status are expected to adopt into routine usage, based on risk assessment and AEO business model”
• Note: based on risk and business model.
• Using ISO 28000 to identify the security risks and therefore the need to apply the “security related” AEO criteria meets and/or exceeds all existing major national programs.
• A combined WCO-AEO & ISO 28000 model should facilitate the opportunities for mutual recognition in respect of similar programs based on Section 5.2 WCO SAFE Framework of Standards.
• WCO SAFE 5.4 mandates the design of the validation and authorisation process.
Security Schemes
Schemes compared against the WCO SFoS AEO criteria: NZ SES; EU AEO; US CBP C-TPAT; WBO BASC; Singapore STP+; APEC Security 03; ISO 28000.

WCO SFoS AEO Criteria | ISO 28000 clause(s)
Demonstrated Compliance with Customs Requirements | 4.3.2
Satisfactory System for Management of Commercial Records | 4.4.3, 4.4.5, 4.5.4
Financial Viability | 4.3.3
Consultation, Cooperation and Communication | 4.4.1, 4.3.2, 4.4.3
Education, Training and Awareness | 4.4.2
Information Exchange, Access and Confidentiality | 4.4.3, 4.4.4, 4.4.5, 4.4.6
Cargo Security | 4.4.6
Conveyance Security | 4.4.6
Premises Security | 4.4.6
Personnel Security | 4.4.6
Trading Partner Security | 4.3.1, 4.3.3
Crisis Management and Incident Recovery | 4.4.7
Measurement, Analysis and Improvement | 4.5.1, 4.5.2, 4.5.3, 4.5.5, 4.6

Criteria met (of 13): WCO SFoS 13; NZ SES 9; EU AEO 10; US CBP C-TPAT 8; WBO BASC 9; Singapore STP+ 10; APEC Security 03 9; ISO 28000 13
Where business and security risk needs exist
WCO requires Validation
WCO SAFE 5.4 and 5.5 – Validation process required.
• Customs Departments retain ultimate authority for accrediting, suspending or revoking AEO status.
• Validation processes may be delegated to 3rd parties.
• 3rd party validation should not inhibit mutual recognition.
• Customs administrations should not burden the international trade community with different sets of requirements.
Validation of conformity
Self-validating – adjective: requiring no external confirmation, sanction, or validation. (Random House Dictionary, © Random House, Inc. 2010)
• There are currently some government and industry security schemes that allow self-validation, either during initial accreditation/licence issue or during annual self-declarations of continued compliance by business.
Validate – vb; validation – n: 1. to confirm or corroborate 2. to give legal force or official confirmation to; declare legally valid. (Collins English Dictionary - Complete & Unabridged 10th Edition)
When is a Secure Business not a “Secure Trader”?
Is a business that is professionally validated as:
• accurately identifying, analysing and evaluating all their security risks,
• managing those risks,
• monitoring the performance of their security program,
• proactively adaptive to changes in the security environment,
• maintaining optimum security programs for business advantage, and
• consistently seeking to improve their security and business benefits
any less secure than the business that:
• adopts a list of government-specified security measures – needed or not, thereafter applying a fix & forget approach until the next licence/approval application cycle?
Government Benefits of 3rd Party Validation
• It is anticipated that the EU may have up to 600,000 businesses eligible for EU AEO on a three-year cycle, which equates to 200,000 visits per year, excluding performance monitoring.
• Hong Kong may have up to 200,000 businesses eligible to apply for AEO, again on a three-year cycle.
• 48 full working weeks pa = 240 days
• 200,000 ÷ 3 = 66,000 per year, ÷ 240 = 278 audits per day
• Alternatively, Governments “Licence” a number of International Certification Bodies and manage the auditing performance.
• Government establishes standards, appraises and maintains AEO certification service delivery, including ongoing performance reviews of Licensed AEO auditing companies.
• The US Government is already preparing for independent (3rd Party) validation of some national security programs,
• The EU and Asia are familiar with and widely utilise ISO management system standards,
• Promoting the model of “secure supply chains” globally must involve broader business acceptance and participation,
• Conformity to WCO AEO principles, coupled with the security performance processes through verified/certified ISO 28000, offers a model that can cross borders.
Manage the global AEO / C-TPAT consistency and quality, not just conformity.
For more information, please contact:
Peter Boyce, Senior Business Manager, Security Management Systems
Lloyd’s Register Quality Assurance Limited, 3501 China Merchants Tower, Connaught Rd, Central, Hong Kong.
T +852 2287 9307  E [email protected]  www.lrqa.com