ISO 28000


SEMINAR ON ISO 28000

SUPPLY CHAIN SECURITY MANAGEMENT SYSTEM (SCSMS)

Implementation and Requirements of ISO 28000

2ND APRIL 2013

at

SHAH ALAM CONVENTION CENTRE
SHAH ALAM, SELANGOR DARUL EHSAN
Presentation Outline

• Objectives of the Seminar on ISO 28000
• Background of Security Management System
• ISO 28000 Applicability & Requirements
• Other SCSMS Requirements
• Integration of SCSMS with other Management Systems
Objectives

• To increase awareness of the need for a Supply Chain Security Management System.
• To highlight the main points in implementing a Supply Chain Security Management System, and best practices.
• To improve understanding of the standard's requirements when implementing a Supply Chain Security Management System.
The Need for a Security Management System

From terrorist attacks

• 9/11 – 11 Sep 2001 – World Trade Center in USA
  - 4 commercial passenger jet airliners hijacked
  - > 3000 deaths (attack by air)
• 5 Dec 2003 – Explosion on a commuter train in Russia
  - > 46 deaths (attack by train)
• 12 Oct 2002 – Bombing by small craft
  - > 17 deaths, 39 injured (attack by sea)
• 19 April 1995 – Rented truck used to blast the building
  - > 168 deaths, > 800 injured (attack by truck)
The Need for a Security Management System

To the supply chain

• 20 Nov 2007 – Policeman hijacks payroll plane, Papua New Guinea
  - 2 pilots rescued, value $2 M found
• 7 Dec 2007 – Aluminium plate shipment hijacked, Johor Bahru
  - 2 suspects detained with truck, value RM 200 K
• 20 Nov 2006 – Nation’s biggest robbery: gang (20 men) hijacked containers at a warehouse in Penang
  - 585 cartridges of microchips and computer parts
  - Value RM 50 M
Introduction to ISO 28000:2007

Background of ISO 28000:2007

• Developed by ISO/TC 8, Ships and Marine Technology
• New standard replacing ISO/PAS 28000:2005
• ISO 28000 – Specification for security management systems for the supply chain
• ISO 28001 – Security management systems for the supply chain – Best practices for implementing supply chain security – Assessments and plans
Introduction to ISO 28000:2007

Supply Chain Security Management Systems (SCSMS)

- ISO 28000:2007, Specification for security management systems for the supply chain, provides a framework for a security management system aimed at improving the overall security of supply chains.
- Supply chain risks such as threats from terrorism, fraud and piracy have serious implications for businesses.
- The organization shall manage these risks and assure security by identifying potential threats, assessing risks and implementing measures to prevent risks and threats from adversely affecting the success of its business.
- SCSMS facilitates trade and the transport of goods across borders.
- It increases the ability of organizations in the supply chain to effectively implement mechanisms that address security vulnerabilities at the strategic and operational level, as well as to establish preventive action plans.
- SCSMS can be applied by organizations of all sizes involved in manufacturing, services, storage or transportation at any stage of the production or supply chain.
Introduction to ISO 28000:2007

Supply Chain Security Management Systems (SCSMS)

ISO 28000 Family:

- ISO 28000:2007 sets the framework for security for all groups or organizations involved in the supply chain. Industry sectors can assess risks to security, such as terrorism, and start using methods to manage those potential security threats.
- ISO 28001:2007 assists organizations with designing and implementing security processes. It also helps these organizations assess security on their specific part of the supply chain and train employees on the new security plans.
- ISO 28003:2007 sets guidelines for companies to obtain certification for their security management systems. It also assists auditors in judging compliance for certification. It is designed to build customer confidence in the company and its security in the supply chain.
- ISO 28004:2007 explains the generic and basic principles of ISO 28000. This part aims to improve the overall understanding of ISO 28000.
Introduction to ISO 28000:2007

Compatibility with other standards

The standard was developed on the ISO format adopted by

• ISO 14001:2004 – risk-based approach to management systems
• ISO 9001:2008 – process-based approach as the foundation for the security management system
• Plan-Do-Check-Act (PDCA) Methodology

PDCA Methodology (cycle diagram, shown here as a list)

• PLAN – Establish the objectives and processes
• DO – Implement the processes
• CHECK – Monitor & measure processes; report the results
• ACT – Take actions to continually improve process performance
Supply Chain Security Management System - PDCA

The “Plan-Do-Check-Act” (PDCA) methodology can be applied to all processes and risk-based activities.

• PLAN : establish the objectives and processes necessary to deliver results in accordance with the organization’s security policy
• DO : implement the processes
• CHECK : monitor and measure processes against the security policy, objectives, targets, legal and other requirements, and report the results
• ACT : take actions to continually improve the performance of the security management system

Supply Chain Security Management Systems - Process Approach & PDCA

• The advantage of the process approach is the ongoing control it provides over the linkage between the individual processes within the system of processes, as well as over their combination and interaction.
Integration of Security Management Systems

Integrated Management System

• The ISO 28000 requirements are structured within the “Plan-Do-Check-Act” (PDCA) framework and aligned with other international standards such as ISO 9001, ISO 14001 and OHSAS 18001 to facilitate integration with other management systems.
• The integration of all the management systems into a single, centrally managed system is defined as an Integrated Management System.

Supply Chain Security Management System - IMS

Integrated Management System (diagram of the component management systems around a central IMS, shown here as a list)

• QMS – ISO 9001, ISO 13485, TS 16949
• EnMS – ISO 50001
• EMS – ISO 14001
• OHSMS – OHSAS 18001, MS 1722
• ISMS – ISO 27001
• SCSMS – ISO 28000
Supply Chain Security Management System - IMS

Benefits of an Integrated Management System

• Greater focus on company objectives
• Reduced business risk
• Clearly defined roles and responsibilities for managing the integrated management system
• Reduced documentation
• Promotion of a single system
• Reduced resources to manage the system
• Easier to prioritize key issues
• More concise reporting structure
• More efficient system – removes duplication
• Easier to manage
• Helps with multi-skilling
Legal & Other SCS Requirements

US Customs and Border Protection

• C-TPAT : Customs-Trade Partnership Against Terrorism, by the U.S. Customs Service
• Launched in Nov 2001
• Benefits of C-TPAT include
  - Reduced Customs inspections
  - Reduced border delays
  - Certification needed to proceed with the Importer Self-Assessment program (ISA)
Legal & Other SCS Requirements

Secure Trade Partnership - STP

• Singapore Customs recognizes companies that adopt a Security Management System under STP
• Companies that have adopted and implemented robust security measures will benefit from increased visibility of goods in the supply chain, reduction in pilferage and greater efficiency in their supply chain management
• Companies certified under STP will be recognized as trusted partners of Singapore Customs, with the following benefits
  - Cargo less likely to be inspected
  - Recognition as a low-risk company
  - Enhanced branding
  - Reduced inspection
  - Expedited clearance
  - Recognized by overseas countries
Other SCS Requirements

TAPA - Transported Asset Protection Association

• TAPA FSR – Warehouse and logistics companies
• TAPA TSR – Organizations operating a trucking fleet
• Benefits of TAPA:
  - Recognized globally as the industry standard for cargo facility and transport security
Type of Security

Common types of security

• Container / Trailer Security
• Conveyance Security
• Personnel Security
• Procedural Security
• Physical Security
• Information Security
Overview of ISO 28000 Requirements

4.1 General Requirements
4.2 Security Management Policy
4.3 Security Risk Assessment and Planning
4.4 Implementation and Operation
4.5 Checking and Corrective Action
4.6 Management Review and Continual Improvement
Overview of ISO 28000 Requirements

4.1 General Requirements

• Establish
• Document
• Implement
• Maintain
• Continually improve

an effective security management system for

• Identifying security threats
• Assessing risks
• Controlling and mitigating their consequences

• Define the scope of the security management system
• Control of outsourced processes

ISO 28000 is applicable to

• All sizes of organizations, small to multinational
• Manufacturing
• Service
• Storage
• Transportation

at any stage of the production or supply chain
Overview of ISO 28000 Requirements

4.2 Security Management Policy

• Top management shall authorize and endorse an overall security management policy
• Framework for objectives, targets & programmes
• Consistent and appropriate with the security threats and risks, and the nature and scale of the operation
• Commitment to continually improve the security management process and to comply with applicable legislation, regulatory and statutory requirements
• Documented and available to all interested parties
Overview of ISO 28000 Requirements

4.3 Security Risk Assessment and Planning

4.3.1 Security risk assessment (SRA)

Procedure for ongoing

• identification and assessment of security threats and security management related threats and risks
• identification and implementation of necessary management control measures
• Security threat and risk identification, assessment and control methods should be appropriate to the nature and scale of the operations.

Assessment of the likelihood of an event and all of its consequences, including

• Physical failure threats and risks (functional failure, incidental damage, malicious damage, or terrorist or criminal action)
• Operational threats and risks (control of security, human factors, other activities which affect the organizational performance, condition or safety)
• Factors outside of the organization’s control (failure in externally supplied equipment and services)
• Stakeholder threats and risks (failure to meet regulatory requirements, damage to reputation or brand)
• Design and installation of security equipment (replacement and maintenance)
• Information, data management and communications
• A threat to continuity of operation

Results of the assessment and the effects of controls are considered for

• Security management objectives, targets and programmes
• Determination of requirements for design, specification and installation
• Identification of adequate resources at all levels, training needs and skills
• Development of operational controls

The methodology for threat and risk identification and assessment shall

• be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive
• include the collection of information related to security threats and risks
• provide classification of threats and risks (to be avoided, eliminated or controlled)
• provide for the monitoring of actions to ensure their effectiveness and the timeliness of their implementation
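As an added example (not from the seminar slides or SIRIM’s material), the Python below sketches a Security Risk Assessment register in the shape the 4.3.1 methodology describes: each entry carries one of the threat categories listed above, a likelihood and a consequence, a classification into the avoid / eliminate / control classes, and the monitoring of control actions for timeliness. The 1–5 scales, the score thresholds used for classification, and the sample register entries are assumptions made for this example; ISO 28000 does not prescribe a scoring scale.

```python
"""Security Risk Assessment (SRA) register, in the shape of ISO 28000 4.3.1.

Added example, not from the seminar. Assumptions (not prescribed by the
standard): 1-5 likelihood and consequence scales, score thresholds for the
avoid/eliminate/control classes, and constructed sample entries.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Threat categories as listed for clause 4.3.1.
CATEGORIES = {
    "physical": "Physical failure threats and risks",
    "operational": "Operational threats and risks",
    "external": "Factors outside of the organization's control",
    "stakeholder": "Stakeholder threats and risks",
    "equipment": "Design and installation of security equipment",
    "information": "Information, data management and communications",
    "continuity": "Threat to continuity of operation",
}

# Reference date for the monitoring step (assumption for the example).
AS_OF = date(2013, 6, 1)


@dataclass
class ControlAction:
    description: str
    due: date
    completed: Optional[date] = None


@dataclass
class Risk:
    ref: str
    category: str
    threat: str
    likelihood: int      # 1 (rare) .. 5 (almost certain); assumed scale
    consequence: int     # 1 (negligible) .. 5 (severe); assumed scale
    actions: List[ControlAction] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category {self.category!r}")
        for name, value in (("likelihood", self.likelihood),
                            ("consequence", self.consequence)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.consequence


def classify(risk: Risk) -> str:
    """Map a score to the three treatment classes named in 4.3.1.
    The thresholds are an assumption for this example."""
    if risk.score >= 15:
        return "avoid"
    if risk.score >= 8:
        return "eliminate"
    return "control"


def score_and_class(likelihood: int, consequence: int) -> tuple:
    """Convenience wrapper: (score, class) for a single likelihood/consequence pair."""
    r = Risk("tmp", "operational", "scratch entry", likelihood, consequence)
    return r.score, classify(r)


def overdue_actions(risk: Risk, today: date) -> List[ControlAction]:
    """Monitoring step: control actions past their due date and not completed."""
    return [a for a in risk.actions if a.completed is None and a.due < today]


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; reference number breaks ties so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.ref))


def assessment_report(register: List[Risk], today: date) -> Dict[str, dict]:
    """Prioritized register with class and count of overdue actions per risk."""
    return {
        r.ref: {
            "category": CATEGORIES[r.category],
            "score": r.score,
            "class": classify(r),
            "overdue": len(overdue_actions(r, today)),
        }
        for r in prioritize(register)
    }


def sample_register() -> List[Risk]:
    # Constructed sample entries for illustration; not real assessment data.
    return [
        Risk("R1", "physical", "Tampering with sealed containers in the yard", 3, 5,
             [ControlAction("Seal verification at gate-out", date(2013, 5, 1))]),
        Risk("R2", "information", "Shipment manifests readable by unauthorized staff", 4, 3,
             [ControlAction("Restrict manifest access by role", date(2013, 4, 15),
                            completed=date(2013, 4, 10))]),
        Risk("R3", "external", "Contracted haulier loses GPS tracking coverage", 2, 2),
        Risk("R4", "stakeholder", "Missed C-TPAT reporting deadline", 2, 4),
    ]


def demo_report() -> Dict[str, dict]:
    return assessment_report(sample_register(), AS_OF)


if __name__ == "__main__":
    for ref, row in demo_report().items():
        print(ref, row)
```

The register returns the prioritized list rather than printing it, so the same function can feed the objectives and programmes that 4.3.1 says the assessment results are considered for; the overdue count is the hook for the "timeliness of implementation" monitoring the methodology requires.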
Benefits of ISO 28000

By implementing ISO 28000 and carrying out the Security Risk Assessment (SRA), a company will be able

• To understand the critical control points for potential security risks and threats
• To investigate threats – what or who can harm the site
• To identify vulnerabilities – existing weaknesses
• To analyze the consequences of security risks and threats that affect business continuity
• To establish operational controls and an emergency response plan in order to minimize the impact of the potential security risks and threats
• To earn the trust of current and potential customers.
Overview of ISO 28000 Requirements

4.3 Security Risk Assessment and Planning

4.3.2 Legal, statutory and other security regulatory requirements

Establish, implement and maintain a procedure

• To identify and have access to the applicable legal requirements and other requirements to which the organization subscribes related to its security threats and risks
• To determine how these requirements apply to its security threats and risks

The organization shall keep this information up-to-date and communicate the relevant information on legal and other requirements to employees and third parties (contractors)
Overview of ISO 28000 Requirements

4.3 Security Risk Assessment and Planning

4.3.3 Security management objectives

• Establish, implement and maintain security management objectives at relevant functions and levels within the organization
• Objectives shall be derived from and consistent with the security management policy, and take into account
  - Legal, statutory and other security regulatory requirements
  - Security threats and risks
  - Technology and other options
  - Financial, operational and business requirements
  - Views of appropriate stakeholders

The security management objectives shall be

• Consistent with the organization’s commitment to continual improvement
• Quantified (where practicable)
• Communicated to relevant employees and third parties, including contractors, with the intent that these persons are made aware of their individual obligations
• Reviewed periodically to ensure that they remain relevant and consistent with the security management policy, and amended accordingly.
Overview of ISO 28000 Requirements

4.3 Security Risk Assessment and Planning

4.3.4 Security management targets

• Establish, implement and maintain security management targets appropriate to the needs of the organization.
• Targets shall be derived from and consistent with the security management objectives
• These targets shall be
  - to an appropriate level of detail
  - specific, measurable, achievable, relevant and time-based (where practicable)
  - communicated
  - reviewed periodically
Overview of ISO 28000 Requirements

4.3 Security Risk Assessment and Planning

4.3.5 Security management programmes

• Establish, implement and maintain security management programmes for achieving its objectives and targets.
• The programmes shall be optimized and prioritized
• Provision for the efficient and cost-effective implementation of the programmes
• The designated responsibility and authority for achieving security management objectives and targets
• The system shall include the means and time-scale by which security management objectives and targets are to be achieved
Overview of ISO 28000 Requirements

4.4 Implementation and Operation

4.4.1 Structure, authority and responsibility for security management
4.4.2 Competence, training and awareness
4.4.3 Communication
4.4.4 Documentation
4.4.5 Document and data control
4.4.6 Operational control
4.4.7 Emergency preparedness, response and security recovery

4.5 Checking and Corrective Action

4.5.1 Security performance measurement and monitoring
4.5.2 System evaluation
4.5.3 Security-related failures, incidents, non-conformances and corrective and preventive action
4.5.4 Control of records
4.5.5 Audit

4.6 Management Review and Continual Improvement
Management System Certification

Supply Chain Security Management Systems (SCSMS)

The benefits of SCSMS Certification

- Improves stakeholder confidence by demonstrating more robust and secure supply chain management.
- Enhances customer satisfaction by demonstrating the ability to meet their specific requirements.
- Makes the organization a supplier of choice by demonstrating the organization’s capability to manage security issues within the supply chain.
- Demonstrates systematic Supply Chain Security management.
- Develops business cooperation along the supply chain.
- Shortens customs clearance time and reduces secondary inspection.
- Facilitates compliance with other official trade and supply chain processes, including
  1. the European Union’s Authorized Economic Operator (AEO)
  2. US Customs and Border Protection (CBP)’s Customs-Trade Partnership Against Terrorism (C-TPAT).
Management System Certification

Thank You…

SIRIM QAS International Sdn Bhd
Block 4, Persiaran Dato' Menteri
P.O. Box 7035, Section 2,
40700 Shah Alam, MALAYSIA
Tel: 603-55445663/5678, Fax : 603-55446787

www.sirim-qas.com.my