16/4/2014 Presentation Outline SEMINAR ON ISO 28000 Objectives of - - PDF document



slide-1
SLIDE 1

16/4/2014 1

16TH APRIL 2014 at M SUITES HOTEL, JOHOR BAHRU, JOHOR DARUL TAKZIM

SEMINAR ON ISO 28000 SUPPLY CHAIN SECURITY MANAGEMENT SYSTEM (SCSMS)

Presentation Outline

  • Objectives of the Seminar on ISO 28000
  • Overview of ISO 28000 – Supply Chain Security Management System (SCSMS)
  • Other Supply Chain Security Requirements
  • Managing the Organization's Supply Chain Security Risks through the Implementation of ISO 28000
  • Integration of SCSMS with other Management Systems

Objectives

  • To increase awareness of the need for a Supply Chain Security Management System.
  • To highlight the main points in implementing a Supply Chain Security Management System, and best practices.
  • To improve understanding of the standard's requirements when implementing a Supply Chain Security Management System to manage the organization's risks.

Supply Chain

  • A supply chain is a system of organizations, people, activities, information, and resources involved in moving a product or service from supplier to customer.
  • Supply chain activities transform natural resources, raw materials, and components into a finished product that is delivered to the end customer.
  • In sophisticated supply chain systems, used products may re-enter the supply chain at any point where residual value is recyclable.
  • Supply chains link value chains.

Supply Chain Security

  • Supply chain security refers to efforts to enhance the security of the supply chain, the transport and logistics system for the world's cargo.
  • It combines traditional practices of supply chain management with the security requirements driven by threats such as terrorism, piracy, and theft.


Supply Chain Security

  • Typical supply chain security activities include:
    • Credentialing of participants in the supply chain
    • Screening and validating the contents of cargo being shipped
    • Advance notification of the contents to the destination country
    • Ensuring the security of cargo while in transit through the use of locks and tamper-proof seals
    • Inspecting cargo on entry

Supply Chain Security

  • There are a number of supply chain security initiatives in the United States and abroad, including:
    • The Customs-Trade Partnership Against Terrorism (C-TPAT), a voluntary compliance program for companies to improve the security of their corporate supply chains.
    • The World Customs Organization (WCO) adopted the Framework of Standards to Secure and Facilitate Global Trade in 2005, which consists of supply chain security standards for Customs administrations, including Authorized Economic Operator (AEO) programs.
    • The Container Security Initiative (CSI), a program led by U.S. Customs and Border Protection in the Department of Homeland Security, focused on screening containers at foreign ports.
    • The Global Trade Exchange, a DHS data-mining program designed to collect financial information about shipments, with the objective of determining whether cargo shipments are safe.
    • Efforts by countries around the world to implement and enforce the International Ship and Port Facility Security Code (ISPS Code), an agreement of 148 countries that are members of the International Maritime Organization (IMO).
    • Pilot initiatives by companies in the private sector to track and monitor the integrity of cargo containers moving around the world using technologies such as RFID and GPS.
    • The International Organization for Standardization has released a series of standards for the establishment and management of supply chain security.
    • ISO 28000, Specification for Security Management Systems for the Supply Chain, offers public and private enterprise an international high-level management standard that enables organisations to apply a globally consistent management approach to supply chain security initiatives.

Security Risk

  • Security risk describes the application of the concept of risk within the security risk management paradigm to make a particular determination about security-orientated events.
  • Security risk is the demarcation of risk into the security silo, from the broader enterprise risk management framework, for the purposes of isolating and analysing unique events, outcomes and consequences.

Security Risk

  • Security risk is often, quantitatively, represented as any event that compromises the assets, operations and objectives of an organisation.
  • 'Event', in the security paradigm, comprises those undertaken by actors intentionally for purposes that adversely affect the organisation.
  • The role of the 'actors' and the intentionality of the 'events' differentiate security risk from other risk management silos, particularly those of safety, environment, quality, operations and finance.


Security Risk

  • Common Approaches to Analysing Security Risk
  • Some security professionals define security risk according to one of the following formulas:
    • Risk = Threat × Harm
    • Risk = Consequence × Threat × Vulnerability
    • Risk = Consequence × Likelihood
    • Risk = Consequence × Likelihood × Vulnerability

Security Risk

  • Factor Analysis of Information Risk (FAIR) analyses the different risk factors in depth and measures security risk.
  • There are a number of methodologies to analyse and manage security risk.
  • Usually, after a cost-benefit analysis, a countermeasure is put in place to decrease the likelihood or the consequence of the threat.
  • 'Security service' is the name given to a countermeasure applied while information is being transmitted.

Security Risk

  • Psychological Factors relating to Security Risk
  • Risk in Psychology
  • Given the strong influence affective states can have on the conduct of a security risk assessment, many papers have considered the roles of the affect heuristic and biases in skewing the findings of the process.

ISO 28000 - Security Management System

  • ISO 28000:2007 (Specification for security management systems for the supply chain) is an International Organization for Standardization standard on the requirements of a security management system, particularly dealing with security assurance in the supply chain.
  • ISO 28000:2007 was developed to codify security operations within the broader supply chain management system.
  • The PDCA management systems structure was adopted in developing ISO 28000:2007 to bring the elements of this standard into congruence with related standards such as ISO 9001 and ISO 14001.

ISO 28000 - Security Management System

  • Improved risk management integration
  • The development of an international standard addressing security risk management improves the broader interface with existing enterprise risk management in a common integrated platform.
  • This integrated approach to risk management is often employed to better coordinate cross-functional risk management mechanisms, improve performance measurement, ensure continual improvement and reduce misalignment of risk management objectives between silos.


ISO 28000 - Security Management System

  • Application
  • ISO 28000:2007 was developed such that organizations of varying scale could apply the standard to supply chains of various degrees of complexity. The general rationale for organizations to adopt ISO 28000:2007 pertains to:
    • developing a security management system,
    • internal compliance with the objectives of a security management policy,
    • external compliance with best practice benchmarks,
    • ISO accreditation.

ISO 28000 - Security Management System

  • Adopting ISO 28000 has broad strategic, organisational and operational benefits that are realized throughout supply chains and business practices.
  • Benefits include, but are not limited to:
    • Integrated enterprise resilience
    • Systematised management practices
    • Enhanced credibility and brand recognition
    • Aligned terminology and conceptual usage
    • Improved supply chain performance
    • Benchmarking against internationally recognisable criteria
    • Greater compliance processes

Supply Chain Security Management Systems (SCSMS)

The benefits of SCSMS Certification

  • Improves stakeholder confidence by demonstrating more robust and secure supply chain management.
  • Enhances customer satisfaction by demonstrating the ability to meet their specific requirements.
  • Makes the organization a supplier of choice by demonstrating the organization's capability to manage security issues within the supply chain.

Supply Chain Security Management Systems (SCSMS)

  • Demonstrates systematic Supply Chain Security management
  • Develops business cooperation along the supply chain.
  • Shortens customs clearance time and reduces secondary inspection.
  • Facilitates compliance with other official trade and supply chain processes, including:
    1. the European Union's Authorized Economic Operator (AEO) programme
    2. US Customs and Border Protection (CBP)'s Customs-Trade Partnership Against Terrorism (C-TPAT).

ISO 28000 - Security Management System

  • Accreditation
  • ISO 28000:2007 is a certifiable standard.

The Needs of a Security Management System – From Terrorist Attacks

  • 11 Sep 2001 (9/11) – World Trade Center in USA
    • 4 commercial passenger jet airliners hijacked
    • > 3000 deaths (attack by air)
  • 5 Dec 2003 – Explosion on a commuter train in Russia
    • > 46 deaths (attack by train)
  • 12 Oct 2002 – Bombed by small craft
    • > 17 deaths, 39 injured (attack by sea)


The Needs of a Security Management System – From Terrorist Attacks

  • 19 April 1995 – Rented truck used to blast a building
    • > 168 deaths, > 800 injured (attack by truck)
  • 20 Nov 2007 – Policeman hijacks payroll plane, Papua New Guinea
    • 2 pilots rescued, value $ 2 M found
  • 7 Dec 2007 – Aluminium plates shipment hijacked, Johor Bahru
    • 2 suspects detained with truck, value RM 200 K

The Needs of a Security Management System – To the Supply Chain

  • 20 Nov 2006 – Nation's biggest robbery: a gang (20 men) hijacked containers at a warehouse in Penang
    • 585 cartridges of microchips and computer parts
    • Value RM 50 M

Introduction to ISO 28000:2007

Background of ISO 28000:2007

  • Developed by ISO/TC 8 on Ship and Marine Technology
  • New standard to replace ISO/PAS 28000:2005
  • ISO 28000 – Specification for security management systems for the supply chain
  • ISO 28001 – Security management systems for the supply chain – Best practices for implementing supply chain security – Assessments and plans

Supply Chain Security Management Systems (SCSMS)

  • ISO 28000:2007 - Specification for security management systems for the supply chain provides a framework for a security management system aimed at improving overall security in supply chains.
  • Supply risks such as threats from terrorism, fraud and piracy have serious implications for businesses.
  • The organization shall manage the risks and assure security by identifying potential threats, assessing risks and implementing measures to prevent any risks and threats from adversely affecting the success of its business.

Introduction to ISO 28000:2007

Supply Chain Security Management Systems (SCSMS)

  • SCSMS will facilitate trade and the transport of goods across borders.
  • It will increase the ability of organizations in the supply chain to effectively implement mechanisms that address security vulnerabilities at the strategic and operational levels, as well as to establish preventive action plans.
  • SCSMS can be applied by organizations of all sizes involved in manufacturing, services, storage or transportation at any stage of the production or supply chain.


Supply Chain Security Management Systems (SCSMS)

ISO 28000 Family:

  • ISO 28000:2007 sets the framework for security for all groups or organizations involved in the supply chain. Industry sectors can assess risks to security such as terrorism and start using methods to manage those potential security threats.
  • ISO 28001:2007 assists organizations with designing and implementing security processes. It also helps these organizations assess security on their specific part of the supply chain and train employees on the new security plans.
  • ISO 28003:2007 sets guidelines for companies to obtain certification for their security management systems. It also assists auditors in judging compliance with the certification. It is designed to build customer confidence in the company and its security in the supply chain.
  • ISO 28004:2007 explains the generic and basic principles of ISO 28000. This part aims to improve the overall understanding of ISO 28000.

Introduction to ISO 28000:2007

Compatibility with other standards

The standard was developed based on the ISO format adopted by:
  • ISO 14001:2004 – risk-based approach to management systems
  • ISO 9001:2008 – process-based approach as the foundation for the security management system
  • Plan-Do-Check-Act (PDCA) methodology

PDCA Methodology

  • PLAN: establish the objectives and processes
  • DO: implement the processes
  • CHECK: monitor & measure processes; report the results
  • ACT: take actions to continually improve process performance

Supply Chain Security Management System - PDCA

The "Plan-Do-Check-Act" (PDCA) methodology can be applied to all processes and risk-based activities.

  • PLAN: establish the objectives and processes necessary to deliver results in accordance with the organization's security policy
  • DO: implement the processes
  • CHECK: monitor and measure processes against the security policy, objectives, targets, legal and other requirements, and report the results
  • ACT: take actions to continually improve the performance of the security management system

Supply Chain Security Management Systems – Process Approach & PDCA

  • The advantage of the process approach is the ongoing control that it provides over the linkage between the individual processes within the system of processes, as well as over their combination and interaction.


Integration of Security Management Systems

Integrated Management System

  • The ISO 28000 requirements are structured within the "Plan-Do-Check-Act" (PDCA) framework and aligned with other international standards such as ISO 9001, ISO 14001 and OHSAS 18001 to facilitate integration with other management systems.
  • The integration of all the management systems into a single, centrally managed system is defined as an Integrated Management System.

Supply Chain Security Management System - IMS

Integrated Management System (diagram): the IMS at the centre, surrounded by the component systems:
  • QMS – ISO 9001, ISO 13485, TS 16949
  • BCM – ISO 22301
  • EMS – ISO 14001
  • OHSMS – OHSAS 18001, MS 1722
  • ISMS – ISO 27001
  • SCSMS – ISO 28000

Supply Chain Security Management System - IMS

  • Benefits of an Integrated Management System
    • Greater focus on company objectives
    • Reduced business risk
    • Clearly defined roles and responsibilities for managing the integrated management system
    • Reduced documentation
    • Promotion of a single system
    • Reduced resources to manage the system
    • Easier to prioritize key issues
    • More concise reporting structure
    • More efficient system – removes duplication
    • Easier to manage
    • Helps with multi-skilling

Legal & Other SCS Requirements

US Customs and Border Protection
  • C-TPAT: Customs-Trade Partnership Against Terrorism, by the U.S. Customs Service
  • Launched in Nov 2001
  • Benefits of C-TPAT include:
    • Reduced Customs inspections
    • Reduced border delays
    • Certification is needed to proceed with the Importer Self Assessment program (ISA)

Legal & Other SCS Requirements

Other SCS Certification
  • C-TPAT
  • TAPA
  • SOLAS
  • Senjata api (Arms Act)
  • Akta pencegahan Jenayah (Prevention of Crime Act)
  • Criminal Procedure Code ACT 593

Legal & Other SCS Requirements

Malaysia Acts & Regulations
  • Akta Kastam (Customs Act)
  • Akta Senjata api (Arms Act)
  • Akta pencegahan Jenayah (Prevention of Crime Act)
  • Criminal Procedure Code ACT 593


Legal & Other SCS Requirements

Secure Trade Partnership - STP
  • Singapore Customs recognizes companies that adopt a Security Management System under STP
  • Companies that have adopted and implemented robust security measures will benefit from increased visibility of goods in the supply chain, reduction in pilferage and greater efficiency in their supply chain management

Other SCS Requirements

Secure Trade Partnership - STP
  • Companies certified under STP will be recognized as trusted partners of Singapore Customs, with the following benefits:
    • Cargo less likely to be inspected
    • Recognition as a low-risk company
    • Enhanced branding
    • Reduced inspection
    • Expedited clearance
    • Recognized by overseas countries.

Other SCS Requirements

TAPA - Transported Asset Protection Association
  • TAPA FSR – Warehouse and logistics companies
  • TAPA TSR – Organizations operating a trucking fleet
  • Benefits of TAPA:
    • Recognized globally as the industry standard for cargo facility and transport security

Types of Security

Common types of security:
  • Container / Trailer Security
  • Conveyance Security
  • Personnel Security
  • Procedural Security
  • Physical Security
  • Information Security

Overview of ISO 28000 Requirements

  • 4.1 General Requirements
  • 4.2 Security Management Policy
  • 4.3 Security Risk Assessment and Planning
  • 4.4 Implementation and Operation
  • 4.5 Checking and Corrective Action
  • 4.6 Management Review and Continual Improvement


Overview of ISO 28000 Requirements

4.1 General Requirements
  • Establish, document, implement, maintain and continually improve an effective security management system for:
    • Identifying security threats
    • Assessing risks
    • Controlling and mitigating their consequences
  • Define the scope of the security management system
  • Control of outsourced processes

ISO 28000 is applicable to:
  • All sizes of organizations, from small to multinational
  • Manufacturing, service, storage and transportation
  • At any stage of the production or supply chain

4.2 Security Management Policy
  • Top management shall authorize and endorse an overall security management policy
  • Framework for objectives, targets & programmes
  • Consistent and appropriate with the security threats and risks, and the nature and scale of the operation
  • Commitment to continually improve the security management process and to comply with applicable legislation, regulatory and statutory requirements
  • Documented and available to all interested parties

4.3 Security Risk Assessment and Planning

4.3.1 Security risk assessment (SRA)
  • Procedure for ongoing:
    • identification and assessment of security threats and security management related threats and risks
    • identification and implementation of necessary management control measures
  • The security threat and risk identification, assessment and control methods should be appropriate to the nature and scale of the operations.
  • Assessment of the likelihood of an event and all of its consequences, including:
    • Physical failure threats and risks (function failure, incidental damage, malicious damage, or terrorist or criminal action)
    • Operational threats and risks (control of security, human factors, other activities which affect the organizational performance, condition or safety)
    • Factors outside of the organization's control (failure in externally supplied equipment and services)
    • Stakeholder threats and risks (failure to meet regulatory requirements, damage to reputation or brand)
    • Design and installation of security equipment (replacement and maintenance)
    • Information, data management and communications
    • A threat to continuity of operations


Overview of ISO 28000 Requirements

4.3.1 Security risk assessment (SRA) (continued)
  • The results of the assessment and the effects of controls are considered for:
    • Security management objectives, targets and programmes
    • Determination of requirements for design, specification and installation
    • Identification of adequate resources at all levels, training needs and skills
    • Development of operational controls
  • The methodology for threat and risk identification and assessment shall:
    • be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive
    • include the collection of information related to security threats and risks
    • provide classification of threats and risks (to be avoided, eliminated or controlled)
    • provide for the monitoring of actions to ensure their effectiveness and the timeliness of their implementation

Benefits of ISO 28000

By implementing ISO 28000 and carrying out the Security Risk Assessment (SRA), a company will be able:
  • To gain an understanding of the critical control points for potential security risks and threats
  • To investigate threats – what or who can harm the site
  • To identify vulnerabilities – existing weaknesses
  • To analyze the consequences of security risks and threats that affect business continuity
  • To establish operational controls and an emergency response plan in order to minimize the impact of the potential security risks and threats
  • To earn the trust of current and potential customers.

4.3.2 Legal, statutory and other security regulatory requirements
  • Establish, implement and maintain a procedure:
    • To identify and have access to the applicable legal requirements and other requirements to which the organization subscribes related to its security threats and risks
    • To determine how these requirements apply to its security threats and risks
  • The organization shall keep this information up to date and communicate the relevant information on legal and other requirements to employees and third parties (contractors)

4.3.3 Security management objectives
  • Establish, implement and maintain security management objectives at relevant functions and levels within the organization
  • Objectives shall be derived from and consistent with the security management policy, considering:
    • Legal, statutory and other security regulatory requirements
    • Security threats and risks
    • Technology and other options
    • Financial, operational and business requirements
    • Views of appropriate stakeholders
  • The security management objectives shall be:
    • Consistent with the organization's commitment to continual improvement
    • Quantified (where practicable)
    • Communicated to relevant employees and third parties including contractors, with the intent that these persons are made aware of their individual obligations
    • Reviewed periodically to ensure that they remain relevant and consistent with the security management policy, and amended accordingly.
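As an added illustration of the 4.3.1 steps described above (assess likelihood and consequences per threat category, classify each threat as to be avoided, eliminated or controlled, and re-check after a countermeasure lowers likelihood or vulnerability), the following Python register applies one of the formulas quoted earlier in the deck, Risk = Consequence × Likelihood × Vulnerability. This is example code written for this page, not material from the seminar or from SIRIM QAS; the 1-5 scales, the classification thresholds and the sample threats are constructed assumptions.

```python
"""Added example: a minimal ISO 28000 4.3.1-style security risk register.
Scales, thresholds and sample threats are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

# Assumed 1-5 ordinal scale for each factor (constructed, not from ISO 28000).
SCALE = range(1, 6)


@dataclass
class Threat:
    name: str
    category: str                 # one of the 4.3.1 categories on the slides
    consequence: int
    likelihood: int
    vulnerability: int
    countermeasure: str = ""
    residual_likelihood: Optional[int] = None     # after countermeasure, if set
    residual_vulnerability: Optional[int] = None

    def __post_init__(self):
        for v in (self.consequence, self.likelihood, self.vulnerability):
            if v not in SCALE:
                raise ValueError(f"{self.name}: factor {v} outside the 1-5 scale")


def risk_score(consequence, likelihood, vulnerability):
    """Risk = Consequence x Likelihood x Vulnerability (range 1..125)."""
    return consequence * likelihood * vulnerability


def inherent_risk(t):
    return risk_score(t.consequence, t.likelihood, t.vulnerability)


def residual_risk(t):
    """Risk after the countermeasure reduces likelihood and/or vulnerability."""
    lk = t.likelihood if t.residual_likelihood is None else t.residual_likelihood
    vu = t.vulnerability if t.residual_vulnerability is None else t.residual_vulnerability
    return risk_score(t.consequence, lk, vu)


def classify(score):
    """Map a score onto the 4.3.1 classes; the cut-offs 60 and 27 are assumed."""
    if score >= 60:
        return "avoid"        # stop or redesign the activity
    if score >= 27:
        return "eliminate"    # remove the threat source or the exposure
    return "control"          # manage with operational controls


def assess(register):
    """Return one row per threat, sorted by inherent risk, highest first."""
    rows = []
    for t in register:
        inh, res = inherent_risk(t), residual_risk(t)
        rows.append({"name": t.name, "category": t.category,
                     "inherent": inh, "class": classify(inh),
                     "residual": res, "residual_class": classify(res)})
    return sorted(rows, key=lambda r: r["inherent"], reverse=True)


# Constructed sample register using the threat categories from the 4.3.1 slide.
SAMPLE_REGISTER = [
    Threat("Container hijack in transit", "physical failure",
           consequence=5, likelihood=3, vulnerability=4,
           countermeasure="GPS tracking + tamper-evident seals",
           residual_likelihood=2, residual_vulnerability=2),
    Threat("Insider tampers with manifest", "operational",
           consequence=4, likelihood=3, vulnerability=3,
           countermeasure="Segregation of duties + access logging",
           residual_vulnerability=1),
    Threat("Outsourced haulier loses certification", "external",
           consequence=3, likelihood=2, vulnerability=2),
    Threat("Missed AEO filing deadline", "stakeholder",
           consequence=2, likelihood=2, vulnerability=2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['name']:<40} {row['inherent']:>3} {row['class']:<9}"
              f" -> {row['residual']:>3} {row['residual_class']}")
```

The sorted output is the prioritised list that feeds the objectives, targets and programmes of 4.3.3 to 4.3.5; a threat whose residual class is still "avoid" or "eliminate" signals that the chosen countermeasure is insufficient.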


Overview of ISO 28000 Requirements

4.3.4 Security management targets
  • Establish, implement and maintain security management targets appropriate to the needs of the organization.
  • Targets shall be derived from and consistent with the security management objectives
  • These targets shall be:
    - to an appropriate level of detail
    - specific, measurable, achievable, relevant and time-based (where practicable)
    - communicated
    - reviewed periodically

4.3.5 Security management programmes
  • Establish, implement and maintain security management programmes for achieving its objectives and targets.
  • The programmes shall be optimized and prioritized
  • Provision for the efficient and cost-effective implementation of the programmes
  • The designated responsibility and authority for achieving security management objectives and targets
  • The system shall include the means and time-scale by which security management objectives and targets are to be achieved

4.4 Implementation and Operation
  • 4.4.1 Structure, authority and responsibility for security management
  • 4.4.2 Competence, training and awareness
  • 4.4.3 Communication
  • 4.4.4 Documentation
  • 4.4.5 Document and data control
  • 4.4.6 Operational control
  • 4.4.7 Emergency preparedness, response and security recovery

4.5 Checking and Corrective Action
  • 4.5.1 Security performance measurement and monitoring
  • 4.5.2 System evaluation
  • 4.5.3 Security-related failures, incidents, non-conformances and corrective and preventive action
  • 4.5.4 Control of records
  • 4.5.5 Audit

4.6 Management Review and Continual Improvement

Management System Certification

Thank You…

SIRIM QAS International Sdn Bhd Block 4, Persiaran Dato' Menteri P.O. Box 7035, Section 2, 40700 Shah Alam, MALAYSIA Tel: 603-55445663/5678, Fax : 603-55446787

www.sirim-qas.com.my