ISO 28000:2022 Security and resilience — Security management systems — Requirements specifies requirements for a security management system, including aspects relevant to the supply chain. The standard is applicable to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies and non-profit organizations) which intend to establish, implement, maintain and improve a security management system. It provides a holistic and common approach and is not industry or sector specific.
ISO 28000 can be used throughout the life of the organization and can be applied to any activity, internal or external, at all levels.
Table of Contents
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the security management system
4.4 Security management system
5 Leadership
5.1 Leadership and commitment
5.2 Security policy
5.3 Roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Security objectives and planning to achieve them
6.3 Planning of changes
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
8.1 Operational planning and control
8.2 Identification of processes and activities
8.3 Risk assessment and treatment
8.4 Controls
8.5 Security strategies, procedures, processes and treatments
8.6 Security plans
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
Implementation
Implementing a Security Management System (SMS) for the supply chain in conformity with ISO 28000 involves the following key steps.
Organizational Context
- Determine the internal and external issues that are relevant to the organization’s purpose and strategic objectives.
- Identify key stakeholders and other interested parties that are relevant to the SMS.
- Assess the need to interface the SMS with other management systems and the resources required for this purpose.
Leadership and Commitment
- Demonstrate leadership commitment to supply chain security within the organization.
- Establish a security policy that aligns with organizational goals.
Scope and Context
- Determine the scope of the SMS for the supply chain.
- Understand the internal and external context, including legal and regulatory requirements related to supply chain security.
Legal and Regulatory Compliance
- Identify and comply with relevant legal and regulatory requirements related to supply chain security.
- Stay informed about changes in legislation that may impact supply chain security practices.
Supply Chain Security Policy
Develop a supply chain security policy that outlines the organization’s commitment to ensuring the security of the supply chain.
Risk Assessment and Management
- Identify and assess security risks associated with the supply chain.
- Develop risk mitigation strategies and controls to manage and reduce security risks.
Physical Security Measures
- Implement physical security measures to protect supply chain assets, facilities, and transportation.
- Ensure secure handling and storage of goods throughout the supply chain.
Information Security
- Implement information security measures to protect sensitive information within the supply chain.
- Establish secure communication channels and data protection protocols.
Personnel Security
- Implement measures to ensure the security awareness and competence of personnel involved in the supply chain.
- Conduct background checks and provide security training for relevant personnel.
Access Controls
- Implement access controls to restrict unauthorized access to supply chain facilities and information.
- Monitor and control access points at key locations in the supply chain.
Emergency Response and Preparedness
- Develop and implement emergency response plans for security incidents within the supply chain.
- Conduct drills and exercises to ensure readiness in case of security threats.
Supplier and Partner Management
- Establish security requirements for suppliers and partners in the supply chain.
- Conduct assessments and audits to ensure compliance with security standards.
Technology and Systems
- Implement technology solutions and systems to enhance supply chain security.
- Use tracking and monitoring systems to trace the movement of goods and detect anomalies.
Security Training and Awareness
- Provide training to employees and partners on supply chain security policies and procedures.
- Raise awareness about the importance of security across the supply chain.
Monitoring and Measurement
- Implement systems for monitoring and measuring supply chain security performance.
- Regularly assess the organization’s compliance with security objectives and targets.
Data Analysis and Reporting
- Analyze supply chain security performance data to identify trends, areas for improvement, and opportunities.
- Prepare regular reports on security achievements and initiatives.
Incident Reporting and Investigation
- Develop processes for reporting and investigating security incidents within the supply chain.
- Establish procedures for learning from incidents and implementing corrective actions.
Continual Improvement
- Establish processes for continual improvement of supply chain security practices.
- Regularly review and update security procedures based on feedback and changing requirements.
Documentation and Record-Keeping
- Develop and maintain documentation related to supply chain security policies, procedures, and practices.
- Keep records of risk assessments, incident reports, training, and security measures.
Audit and Certification
- Conduct internal audits to assess compliance with supply chain security policies and procedures.
- Consider seeking third-party certification to demonstrate adherence to the ISO 28000 standard.
In conclusion…
By following these steps, organizations can implement an effective security management system for the supply chain in conformity with ISO 28000. Regular reviews and updates are crucial to ensuring the continued effectiveness and relevance of supply chain security practices.
ISO 28000 can be purchased through the ISO.org website.