ISO 28000 2007

PLAIN ENGLISH INTRODUCTION

ISO 28000 is a Global Supply Chain Security Management Standard

INTRODUCTION TO ISO 28000

ISO 28000 2007 is a generic security management standard. It was
first published in 2005 as a publicly available specification (PAS),
ISO/PAS 28000 2005. The current version was officially published on
September 15, 2007, and it cancels and replaces the 2005 PAS. Its
purpose is to help improve the security of supply chains.

ISO 28000 can help organizations protect people, products, and
property. It can help both small organizations and multinational
corporations to improve their security.

ISO 28000 applies to any organization that is part of a local, national,
or international supply chain. And since almost all organizations belong
to a supply chain, it applies to virtually all organizations. It doesn’t matter
what size they are or what they do. ISO 28000 applies to both exporters
and importers. It applies to airports, seaports, and terminals as well as
to organizations that move products by air, sea, rail, or road. It applies
to logistics, storage, transportation, and service companies as well
as to manufacturers, shippers, wholesalers, and distributors.

ISO 28000 defines a set of security management requirements.
If your organization is part of a supply chain, ISO 28000 expects you
to establish a security management system (SMS) that complies with
these requirements. It then expects you to use this system to protect
people, products, and property.

A SMS is a network of interrelated and interacting elements that
combine to resist, fend off, or withstand unauthorized acts that are
designed to cause intentional harm or damage to a supply chain.
These elements include a security management policy as well as the
many objectives, targets, programs, procedures, plans, practices,
processes, controls, documents, records, roles, relationships,
responsibilities, authorities, and resources that are used to
implement this policy.

WHY USE ISO 28000

If you use ISO 28000 to establish and maintain a security management
system (SMS), you can improve the overall security of your supply chain
and earn the trust of your customers. Not only can ISO 28000 help you
to preserve the integrity of your shipments and safeguard your customers’
valuable property, it can also help you to protect personnel. When properly
implemented, an ISO 28000 SMS can reduce disruptions and shorten transit
times, and it can help you to reduce theft and combat smuggling, piracy,
and terrorism.

Since ISO 28000 is a generic security management standard, it can
support and provide a foundation for all of your security initiatives.
Because it is generic, it can also help you to comply with other national
and international security programs and requirements. ISO 28000 does not
replace these programs or grant their status, but an SMS built around it
gives you one place to organize, document, and audit the controls they
call for. An ISO 28000 SMS can help you to comply with:

  • US Customs-Trade Partnership Against
    Terrorism (C-TPAT) security requirements.

  • World Customs Organization (WCO)
    SAFE Framework security requirements.

  • Safety of Life at Sea (SOLAS) security requirements.

  • International Maritime Organization (IMO) International
    Ship and Port Facility Security (ISPS) Code requirements.

  • EU Authorized Economic Operator
    (AEO) security requirements.

HOW TO USE ISO 28000

If you don’t already have a supply chain security management system
(SCSMS), you can use this ISO 28000 standard to establish one. And once
you’ve established your organization’s SCSMS, you can use it to manage
and control your security risks and to improve your security performance.

However, the size and complexity of SCSMSs vary quite a bit. How far you
go is up to you. How you meet each of the ISO 28000 requirements, and to
what extent, as well as the extent of your documentation and the resources
allocated to your system, depends on many factors, including:

  1. The size of your organization
  2. The location of your organization
  3. The nature and size of your supply chain
  4. The nature of your activities, products, and services
  5. The nature of your organization’s legal obligations
  6. The content of your organization’s security policy
  7. The nature of your organization’s security risks
  8. The scope of your organization’s SCSMS

ISO 28000 is designed to be used for certification purposes. In other
words, once you’ve established a supply chain security management
system (SCSMS) that meets both the ISO 28000 requirements and your
organization’s needs, you can ask a registrar (certification body) to audit
your system. If you pass the audit, your registrar will issue a certificate
that states that your SCSMS meets the ISO 28000 requirements.

While ISO 28000 is designed to be used for certification purposes, you
don’t have to become certified. You can be in compliance without being
formally certified by an accredited certification body. You can self-audit
your system and then announce to the world that your SCSMS complies with
the ISO 28000 2007 standard (assuming that it actually does). Of course,
your compliance claim will have more credibility if an independent
registrar has audited your SCSMS and agrees with your claim.

YOUR GENERAL APPROACH

The following material presents a brief Supply Chain Security Management
System (SCSMS) Development Plan. It summarizes the general approach
you will take to develop your own unique SCSMS. It uses a Plan-Do-Check-Act
(PDCA) approach and is taken directly from our plain English version of the
standard. If you use our Plain English ISO 28000 Standard to develop your
organization’s SCSMS, you will automatically take the following steps:

  1. Define the scope of your organization’s SCSMS.
  2. Define your organization’s security management policy.
  3. Develop a methodology to identify threats and assess risks.
  4. Establish procedures to identify threats and assess risks.
  5. Identify your organization’s threats and assess your risks.
  6. Establish procedures to identify and select security controls.
  7. Select and implement your security control measures.
  8. Respect legal, statutory, and regulatory requirements.
  9. Establish your organization’s security objectives.
  10. Establish your organization’s security targets.
  11. Establish programs to achieve objectives and targets.
  12. Establish security management roles and responsibilities.
  13. Appoint a member of top management to manage security.
  14. Ensure the competence of those who influence security.
  15. Establish security training and awareness procedures.
  16. Implement security training and awareness procedures.
  17. Establish procedures to manage security communications.
  18. Establish a security management documentation system.
  19. Control your organization’s security documents and data.
  20. Implement operational security control measures.
  21. Establish emergency SCSMS plans and procedures.
  22. Monitor and measure your security performance.
  23. Maintain a record of monitoring and measuring activities.
  24. Evaluate your SCSMS plans, procedures, and capabilities.
  25. Investigate security incidents and take remedial action.
  26. Control your organization’s security management records.
  27. Perform regular audits of your organization’s SCSMS.
  28. Review your SCSMS at planned intervals.
  29. Update and improve your SCSMS.

ISO 28000 2007 Supply Chain Security Management by Praxiom

OTHER ISO 28000 SUPPLY CHAIN SECURITY WEB PAGES

Overview of ISO 28000 Supply Chain Security Management Standard

Plain English ISO 28000 Supply Chain Security Management Definitions

ISO 28000 Supply Chain Security Standard Translated into Plain English

ISO 28000 Supply Chain Security Management Audit Tool

How to Carry out an ISO 28000 Security Gap Analysis

HOW TO ORDER OUR ISO 28000 PRODUCTS


PRAXIOM RESEARCH GROUP LIMITED
9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada
Telephone: (780)461-4514
info@praxiom.com

Updated on January 2, 2010. On the Web since May 25, 1997.

Disclaimer and Limitation of Liability
The publisher and authors have used their best efforts in designing and
developing this electronic publication. We make no representation or
warranties with respect to accuracy or completeness of the contents of this
publication and specifically disclaim any implied warranties of
merchantability or fitness for any particular purpose and shall in no event
be liable for any loss of profit or any other commercial damage, including
but not limited to special, incidental, consequential, or other damages.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our
material as often as you wish, free of charge. And as long as you keep intact
all copyright notices, you are also welcome to print or make one copy of this
page for your own personal, noncommercial, home use. But you are not
legally authorized to print or produce additional copies, or to copy and paste
any of our material onto another web site. If you would like to purchase our
material, please contact our Sales Desk. Our staff would be very pleased to
take your order or to answer any questions you might have.

Copyright © 2010 by Praxiom Research Group Limited. All Rights Reserved.
