Security Audit Profile

Before you start your audit, you will be asked to fill out a one page form
entitled Profile of Supply Chain Security Audit (see Part 2). First record the
name of the organization being audited, its address, the areas being audited,
the address of the audit, and a brief description of the actual scope or focus
of the audit. Also use the form to record the names of your auditors and the
audit start date. Once you’ve completed the audit, use the same form to
record when the audit was finished, who reviewed the audit and
when, and any review comments (if any).

Security Audit Methodology

Our audit tool uses questions to list the six sets of supply chain
security management requirements that make up ISO 28000.
Accordingly, it contains six separate questionnaires:

4.1 General Supply Chain Security Audit Questionnaire
4.2 Supply Chain Security Policy Audit Questionnaire
4.3 Supply Chain Security Planning Audit Questionnaire
4.4 Supply Chain Security Implementation Audit Questionnaire
4.5 Supply Chain Security Checking Audit Questionnaire
4.6 Supply Chain Security Review Audit Questionnaire

Our audit questionnaires start with Part 4.1 because the
ISO 28000 2007 requirements start in section 4.1.

For each audit question, two answers are possible: YES or NO. A YES
answer means you’re in compliance with the standard while a NO answer
means you’re not in compliance. NO answers reveal gaps that exist between
the ISO 28000 standard and your organization's activities. Please answer
each question by selecting one of these two answers. To the right of your
answers you will also find a column that you can use to record any
comments or observations you might have.

Once you’ve completed our compliance audit questionnaires, study
your NO answers and use the associated questions to formulate remedial
actions. Use the forms at the end of this audit process (Part 5) to record your
remedial actions and to create supply chain security improvement plans.

In most cases, remedial actions can be formulated by simply turning
an audit question into an action statement. For example, one of our audit
questions asks: “Have you established security management objectives?”.
If you answered NO, you would create a remedial action statement by
simply writing: Establish security management objectives. Once all
security improvement plans have been implemented and all gaps
have been filled, your SMS will comply with the ISO 28000 standard.

Security Audit Questionnaires

As previously mentioned, the ISO 28000 requirements are presented in
Parts 4.1 to 4.6. Our Audit Tool preserves this numbering system in order
to make it easy to cross-reference the original ISO 28000 standard with our
material. Accordingly, our Audit Tool starts with Part 4.1. However, at the
detailed level we have added a numbering system that you won’t find in the
original ISO 28000 standard. We have sequentially numbered all questions
within each of the 6 parts (4.1 to 4.6) that make up the core of the standard.
We have done this in order to make it easier for you to work with our
audit questionnaires.

In addition, we have used paragraph indents to distinguish between
general questions and specific questions. This approach makes it easy
to see how our questionnaires are structured. In most cases, a general
question is immediately followed by several specific questions which
usually help clarify what the general question means. If you’re not sure
what a general question is asking, just keep reading. In most cases, the
more detailed questions will clarify what the general questions are
trying to ask. But, if you’re still not sure about what a question or
word means, please check out our ISO 28000 dictionary.

Security Audit Scores

Once you’ve answered all the audit questions and prepared your
security improvement plans, you can also summarize your supply chain
audit quantitatively (see Part 3). The idea here is to measure precisely how
compliant your SMS actually is. And if you carry out regular supply chain
security audits, you can also use our approach to measure whether or
not your SMS is improving over time.

This is how it works. For each section of the audit (4.1 to 4.6), count
the number of YES answers and the number of NO answers and record
the totals for each section in the Form provided in Part 3, below. To calculate
the compliance score for each section, divide the total YES answers by the
total YES+NO answers and multiply the total by 100 to get a percentage.
To calculate the average compliance score for the entire audit, do the
same for the grand totals. Detailed instructions for doing all of this
will be found in Part 3.

4.3.1 ANALYZE SECURITY THREATS AND SELECT CONTROLS

IDENTIFY SECURITY THREATS AND ASSESS YOUR RISKS

1

Did you define a methodology to identify
your organization’s security threats and
assess its security risks?

YES

NO

2

Did you define the scope of
your threat identification and
risk assessment methodology?

YES

NO

3

Did you define the nature of
your threat identification and
risk assessment methodology?

YES

NO

4

Can your methodology be used to collect
information about security threats and risks?

YES

NO

5

Can your methodology be used
to classify threats and risks?

YES

NO

6

Can your methodology be used
to identify threats and risks that
must be avoided?

YES

NO

7

Can your methodology be used
to identify threats and risks that
must be eliminated?

YES

NO

8

Can your methodology be used
to identify threats and risks that
must be controlled?

YES

NO

9

Can your methodology be used to monitor the
effectiveness and timeliness of actions taken to
identify threats, assess risks, and select controls?

YES

NO

10

Did you define the timing of
your threat identification and
risk assessment methodology?

YES

NO

11

Is your methodology future oriented
and can it anticipate the evolution of
new and emerging security threats?

YES

NO

12

Did you establish procedures to identify
security threats and assess risks?

YES

NO

13

Do your risk assessment procedures reflect
the nature and scale of your operations?

YES

NO

14

Do your risk assessment procedures consider
the likelihood that security events will occur?

YES

NO

15

Do your risk assessment procedures consider
the consequences that could result if security
events actually occur?

YES

NO

16

Do you use your security risk assessment methods
and procedures to identify your organization's security
threats and assess your risks?

YES

NO

19

Do you consider functional failures
and the impact they could have?

YES

NO

20

Do you consider the likelihood that functional
failures will actually occur in the future?

YES

NO

22

Do you consider incidental damage
and the impact it could have?

YES

NO

23

Do you consider the likelihood that incidental
damage will actually occur in the future?

YES

NO

25

Do you consider malicious damage
and the impact it could have?

YES

NO

26

Do you consider the likelihood that malicious
damage will actually occur in the future?

YES

NO

28

Do you consider terrorist action
and the impact it could have?

YES

NO

29

Do you consider the likelihood that terrorist
action will actually occur in the future?

YES

NO

31

Do you consider criminal behavior
and the impact it could have?

YES

NO

32

Do you consider the likelihood that criminal
behavior will actually occur in the future?

YES

NO

33

Do you consider operational
security threats and risks?

YES

NO

34

Do you consider operational threats and
risks which could affect your organization’s
performance, condition, or safety?

YES

NO

35

Do you consider the failure to control
your organization’s security activities?

YES

NO

36

Do you consider the impact that
security failures could have?

YES

NO

37

Do you consider the likelihood
that security failures could occur?

YES

NO

38

Do you consider the human factors
that could threaten your organization?

YES

NO

39

Do you consider the impact that
human factors could have?

YES

NO

40

Do you consider the likelihood that
human factors could be a threat?

YES

NO

41

Do you consider natural environmental
security threats and risks?

YES

NO

42

Do you consider natural events which
could threaten the effectiveness of your
security measures and equipment?

YES

NO

43

Do you consider the impact that natural
events could have on your organization?

YES

NO

44

Do you consider the impact that
storms and floods could have?

YES

NO

45

Do you consider the likelihood that
natural events could be a threat?

YES

NO

46

Do you consider the likelihood that
storms and floods could be a threat?

YES

NO

47

Do you consider security risk factors and failures
outside of your organization’s direct control?

YES

NO

48

Do you consider externally supplied
equipment risks and failures?

YES

NO

49

Do you consider the impact that externally
supplied equipment failures could have?

YES

NO

50

Do you consider the likelihood that
externally supplied equipment could fail?

YES

NO

51

Do you consider externally supplied
service risks and failures?

YES

NO

52

Do you consider the impact that externally
supplied service failures could have?

YES

NO

53

Do you consider the likelihood that externally
supplied services could actually fail?

YES

NO

54

Do you consider stakeholder
security threats and risks?

YES

NO

55

Do you consider stakeholders’ failure
to meet regulatory requirements?

YES

NO

56

Do you consider the impact that stakeholder
regulatory failures could have?

YES

NO

57

Do you consider the likelihood that stakeholders
will actually have regulatory failures?

YES

NO

58

Do you consider how stakeholders’ could damage
your organization’s reputation or brand?

YES

NO

59

Do you consider the impact that stakeholders
could have on your reputation or brand?

YES

NO

60

Do you consider the likelihood that stakeholders
could damage your reputation or brand?

YES

NO

63

Do you consider the impact that equipment
design defects and deficiencies could have?

YES

NO

64

Do you consider the likelihood
that your security equipment
could be poorly designed?

YES

NO

65

Do you consider security equipment
installation shortcomings?

YES

NO

66

Do you consider the impact
that equipment installation
shortcomings could have?

YES

NO

67

Do you consider the likelihood
that your security equipment
could be poorly installed?

YES

NO

68

Do you consider security equipment
maintenance deficiencies?

YES

NO

69

Do you consider the impact
that equipment maintenance
deficiencies could have?

YES

NO

70

Do you consider the likelihood
that your security equipment
could be badly maintained?

YES

NO

71

Do you consider security equipment
replacement problems?

YES

NO

72

Do you consider the impact
that equipment replacement
problems could have?

YES

NO

73

Do you consider the likelihood
that your security equipment
could be difficult to replace?

YES

NO

74

Do you consider information, data management,
and communications threats, risks, and failures?

YES

NO

75

Do you consider the impact that information,
data, and communications failures could have?

YES

NO

76

Do you consider the likelihood that information,
data, or communications could fail?

YES

NO

77

Do you consider threats to the continuity
of your organization’s operations?

YES

NO

78

Do you consider the impact that
an operational failure could have?

YES

NO

79

Do you consider the likelihood that
an operational failure could occur?

YES

NO

80

Etcetera ...

YES

NO

OTHER ISO 28000 PAGES

OTHER AUDIT TOOLS AND PROGRAMS