BS ISO 28001:2007 Security management systems for the supply chain. Best practices for implementing supply chain security, assessments and plans. Requirements and guidance
BS ISO 28001 is the Standard that provides requirements and guidance for organizations in international supply chains to:
- Develop and implement supply chain security processes
- Establish and document a minimum level of security within a supply chain(s) or segment of a supply chain
- Assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.
Only a participating National Customs Agency can designate organizations as AEOs in accordance with its supply chain security programme and its attendant certification and validation requirements.
In addition, BS ISO 28001 establishes certain documentation requirements that would permit verification. Organizations can use BS ISO 28001 to:
- Define the portion of an international supply chain within which they have established security
- Conduct security assessments on that portion of the supply chain and develop adequate countermeasures
- Develop and implement a supply chain security plan
- Train security personnel in their security-related duties.
Security incidents against international supply chains are threats to international trade and the economic growth of trading nations. People, goods, infrastructure and equipment — including means of transport — need to be protected against security incidents and their potentially devastating effects. Such protection benefits the economy and society as a whole.
International supply chains are highly dynamic and consist of many entities and business partners. BS ISO 28001 recognizes this complexity. It has been developed to allow an individual organization in the supply chain to apply its requirements in conformance with the organization’s particular business model and its role and function in the international supply chain.
BS ISO 28001 provides an option for organizations to establish and document reasonable levels of security within international supply chains and their components. It will enable such organizations to make better risk-based decisions concerning the security in those international supply chains.
BS ISO 28001 is multimodal and is intended to be in concert with and to complement the World Customs Organization’s Framework of Standards to secure and facilitate global trade (Framework). It does not attempt to cover, replace or supersede individual customs agencies’ supply chain security programmes and their certification and validation requirements.
Organizations can implement BS ISO 28001 in order to establish adequate levels of security within the parts of the international supply chain that they control. It is also a basis for determining or validating the level of existing security within an organization’s supply chain by internal or external auditors, or by those government agencies that choose to use compliance with BS ISO 28001 as the baseline for acceptance into their supply chain security programmes.
Customers, business partners, government agencies and others might request organizations that claim compliance with BS ISO 28001 to undergo an audit or a validation to confirm such compliance. Government agencies might find it mutually agreeable to accept validations conducted by other governments’ agencies. If a third-party organization audit is to be conducted, then the organization needs to consider employing a third-party certification body accredited by a competent body, which is a member of the International Accreditation Forum.
BS ISO 28001 is not intended to duplicate governmental requirements and standards regarding supply chain security in compliance with the WCO SAFE Framework. Organizations that have already been certified or validated by mutually recognizing governments are compliant with BS ISO 28001.
Outputs resulting from BS ISO 28001 will be the following:
- A Statement of Coverage that defines the boundaries of the supply chain that is covered by the security plan.
- A Security Assessment that documents the vulnerabilities of the supply chain to defined security threat scenarios. It also describes the impacts that can reasonably be expected from each of the potential security threat scenarios.
- A Security Plan that describes the security measures in place to manage the security threat scenarios identified by the Security Assessment.
- A training programme setting out how security personnel will be trained to meet their assigned security-related duties.
To undertake the security assessment needed to produce the security plan, an organization using BS ISO 28001 will:
- Identify the threats posed (security threat scenarios)
- Determine how likely it is that persons could progress each of the security threat scenarios identified by the Security Assessment into a security incident.
This determination is made by reviewing the current state of security in the supply chain. Based on the findings of that review, professional judgment is used to identify how vulnerable the supply chain is to each security threat scenario.
If the supply chain is considered unacceptably vulnerable to a security threat scenario, the organization will develop additional procedures or operational changes to lower likelihood, consequence or both. These are called countermeasures. Based upon a system of priorities, countermeasures need to be incorporated into the security plan to reduce the threat to an acceptable level.
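The assessment procedure described above, and the eight-step methodology listed in the standard's contents (threat scenarios, classification of consequences and likelihood, incident scoring, countermeasures, evaluation, repetition), as an added Python model that is not part of the standard or of this page. The 1-to-4 ordinal classes, the acceptability threshold, the score as the product of consequence and likelihood, and every scenario and countermeasure are constructed assumptions for illustration, not the standard's own tables.

```python
# Illustrative model of the eight-step risk assessment loop (constructed example;
# the standard's own consequence and likelihood tables are not reproduced here).
from dataclasses import dataclass, field
ACCEPTABLE_SCORE = 4  # assumed threshold: a score at or below this needs no countermeasure

@dataclass
class Countermeasure:
    name: str
    scenario: str             # name of the scenario it addresses
    likelihood_cut: int = 0   # classes removed from likelihood
    consequence_cut: int = 0  # classes removed from consequence

@dataclass
class Scenario:
    name: str
    consequence: int  # step two: assumed ordinal class 1 (minor) .. 4 (catastrophic)
    likelihood: int   # step three: assumed ordinal class 1 (remote) .. 4 (frequent)
    applied: list = field(default_factory=list)

    def score(self, cm: Countermeasure = None) -> int:
        """Step four: incident score, optionally projected after a countermeasure
        that lowers likelihood, consequence or both (never below class 1)."""
        c = max(1, self.consequence - (cm.consequence_cut if cm else 0))
        lk = max(1, self.likelihood - (cm.likelihood_cut if cm else 0))
        return c * lk

def run_assessment(scenarios, countermeasures) -> bool:
    """Steps five to eight: treat the highest-scoring unacceptable scenario with the
    option that cuts its score most, re-evaluate, repeat until all are acceptable."""
    pending = list(countermeasures)
    while True:  # terminates: each round returns or consumes one countermeasure
        open_items = [s for s in scenarios if s.score() > ACCEPTABLE_SCORE]
        if not open_items:
            return True
        target = max(open_items, key=Scenario.score)  # priority: highest score first
        options = [cm for cm in pending if cm.scenario == target.name]
        if not options:
            return False  # residual risk with no countermeasure left: escalate
        best = min(options, key=target.score)
        target.consequence = max(1, target.consequence - best.consequence_cut)
        target.likelihood = max(1, target.likelihood - best.likelihood_cut)
        target.applied.append(best.name)
        pending.remove(best)

def assess_sample():
    """Constructed scenarios and countermeasures; returns (all_acceptable, {name: (score, applied)})."""
    scenarios = [Scenario("container tampering in transit", 4, 3),
                 Scenario("unauthorized access to loading yard", 2, 4),
                 Scenario("loss of shipping documentation", 2, 2)]
    countermeasures = [
        Countermeasure("tamper-evident seals with number check", "container tampering in transit", 2),
        Countermeasure("GPS tracking with route deviation alerts", "container tampering in transit", 1, 1),
        Countermeasure("access control and visitor badging", "unauthorized access to loading yard", 2)]
    return run_assessment(scenarios, countermeasures), {s.name: (s.score(), s.applied) for s in scenarios}
```

In the constructed data the seals option is chosen over GPS tracking because it projects the lower score, and the unused countermeasure stays available for a later round of the process.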
BS ISO 28001 contains illustrative examples of risk management based security processes for protecting people, assets and international supply chain missions. They facilitate both a macro approach for complex supply chains and more discrete approaches for particular aspects of a supply chain.
These examples are also intended to:
- Facilitate understanding, adoption and implementation of methodologies, which can be customized by organizations
- Provide guidance for baseline security management for continual improvement
- Assist organizations to manage resources to address existing and emerging security risks
- Describe possible means for assessment of risk and mitigation of security threats in the supply chain, from raw material allocation through storage, manufacturing and transportation of finished goods to the marketplace.
BS ISO 28001 also contains guidance for obtaining advice and certification for BS ISO 28001 if an organization using it chooses to exercise this option.
Contents of BS ISO 28001 include:
- Normative references
- Terms and definitions
- Field of application
  - Statement of application
  - Business partners
  - Internationally accepted certificates or approvals
  - Business partners exempt from security declaration requirement
  - Security reviews of business partners
- Supply chain security process
  - Identification of the scope of security assessment
  - Conduction of the security assessment
  - Development of the supply chain security plan
  - Execution of the supply chain security plan
  - Documentation and monitoring of the supply chain security process
  - Actions required after a security incident
  - Protection of the security information
- Supply chain security process
  - Identification of the scope of the security assessment
  - Conduction of the security assessment
  - Development of the security plan
  - Execution of the security plan
  - Documentation and monitoring of the security process
  - Continual improvement
- Methodology for security risk assessment and development of countermeasures
  - Step one – Consideration of the security threat scenarios
  - Step two – Classification of consequences
  - Step three – Classification of likelihood of security incidents
  - Step four – Security incident scoring
  - Step five – Development of countermeasures
  - Step six – Implementation of countermeasures
  - Step seven – Evaluation of countermeasures
  - Step eight – Repetition of the process
  - Continuation of the process
- Guidance for obtaining advice and certification
  - Demonstrating conformance with ISO 28001 by audit
  - Certification of ISO 28001 by third party certification bodies