ISO 28000 Supply Chain Security Audit Tool

ISO 28000 is an international supply chain security management standard.
It explains what organizations need to do to protect their supply chains.

Use our ISO 28000 audit tool to comply with the standard and to improve the
overall effectiveness of your supply chain security management system.
Our tool will pinpoint the security gaps that exist between ISO's security standard
and your practices and processes. Once you've filled all the gaps, you can be assured
that you've done everything possible to protect your property, products, and people.

ISO 28000 2007 SUPPLY CHAIN SECURITY AUDIT TOOL TABLE OF CONTENTS (TITLE 81)
PART	INTRODUCTION	PAGE
1	Overview of Supply Chain Security Audit	3
2	Profile of Supply Chain Security Audit	7
3	Summary of Supply Chain Security Audit	8
4	SUPPLY CHAIN SECURITY AUDIT QUESTIONNAIRES	9
4.1	General Supply Chain Security Audit Questionnaire	9
4.2	Supply Chain Security Policy Audit Questionnaire	11
4.3	Supply Chain Security Planning Audit Questionnaire	SAMPLE
4.4	Supply Chain Security Implementation Audit Questionnaire	28
4.5	Supply Chain Security Checking Audit Questionnaire	45
4.6	Supply Chain Security Review Audit Questionnaire	61
5	SUPPLY CHAIN SECURITY IMPROVEMENT PLANS	64
5.1	General Supply Chain Security Improvement Plan	64
5.2	Supply Chain Security Policy Improvement Plan	65
5.3	Supply Chain Security Planning Improvement Plan	66
5.4	Supply Chain Security Implementation Improvement Plan	67
5.5	Supply Chain Security Checking Improvement Plan	68
5.6	Supply Chain Security Review Improvement Plan	69
6	LICENSE AGREEMENT AND CONTACT INFORMATION	70
NOV 2009	COPYRIGHT © 2009 BY PRAXIOM RESEARCH GROUP LIMITED	VER 1.0

Security Audit Profile

Before you start your audit, you will be asked to fill out a one page form
entitled Profile of Supply Chain Security Audit (see Part 2). First record the
name of the organization being audited, its address, the areas being audited,
the address of the audit, and a brief description of the actual scope or focus
of the audit. Also use the form to record the names of your auditors and the
audit start date. Once you’ve completed the audit, use the same form to
record when the audit was finished, who reviewed the audit and
when, and any review comments (if any).

Security Audit Methodology

Our audit tool uses questions to list the six sets of supply chain
security management requirements that make up ISO 28000.
Accordingly, it contains six separate questionnaires:

4.1 General Supply Chain Security Audit Questionnaire
4.2 Supply Chain Security Policy Audit Questionnaire
4.3 Supply Chain Security Planning Audit Questionnaire
4.4 Supply Chain Security Implementation Audit Questionnaire
4.5 Supply Chain Security Checking Audit Questionnaire
4.6 Supply Chain Security Review Audit Questionnaire

Our audit questionnaires start with Part 4.1 because the
ISO 28000 2007 requirements start in section 4.1.

For each audit question, two answers are possible: YES or NO. A YES
answer means you’re in compliance with the standard while a NO answer
means you’re not in compliance. NO answers reveal gaps that exist between
the ISO 28000 standard and your organization's activities. Please answer
each question by selecting one of these two answers. To the right of your
answers you will also find a column that you can use to record any
comments or observations you might have.

Once you’ve completed our compliance audit questionnaires, study
your NO answers and use the associated questions to formulate remedial
actions. Use the forms at the end of this audit process (Part 5) to record your
remedial actions and to create supply chain security improvement plans.

In most cases, remedial actions can be formulated by simply turning
an audit question into an action statement. For example, one of our audit
questions asks: “Have you established security management objectives?”.
If you answered NO, you would create a remedial action statement by
simply writing: Establish security management objectives. Once all
security improvement plans have been implemented and all gaps
have been filled, your SMS will comply with the ISO 28000 standard.

Security Audit Questionnaires

As previously mentioned, the ISO 28000 requirements are presented in
Parts 4.1 to 4.6. Our Audit Tool preserves this numbering system in order
to make it easy to cross-reference the original ISO 28000 standard with our
material. Accordingly, our Audit Tool starts with Part 4.1. However, at the
detailed level we have added a numbering system that you won’t find in the
original ISO 28000 standard. We have sequentially numbered all questions
within each of the 6 parts (4.1 to 4.6) that make up the core of the standard.
We have done this in order to make it easier for you to work with our
audit questionnaires.

In addition, we have used paragraph indents to distinguish between
general questions and specific questions. This approach makes it easy
to see how our questionnaires are structured. In most cases, a general
question is immediately followed by several specific questions which
usually help clarify what the general question means. If you’re not sure
what a general question is asking, just keep reading. In most cases, the
more detailed questions will clarify what the general questions are
trying to ask. But, if you’re still not sure about what a question or
word means, please check out our ISO 28000 dictionary.

Security Audit Scores

Once you’ve answered all the audit questions and prepared your
security improvement plans, you can also summarize your supply chain
audit quantitatively (see Part 3). The idea here is to measure precisely how
compliant your SMS actually is. And if you carry out regular supply chain
security audits, you can also use our approach to measure whether or
not your SMS is improving over time.

This is how it works. For each section of the audit (4.1 to 4.6), count
the number of YES answers and the number of NO answers and record
the totals for each section in the Form provided in Part 3, below. To calculate
the compliance score for each section, divide the total YES answers by the
total YES+NO answers and multiply the total by 100 to get a percentage.
To calculate the average compliance score for the entire audit, do the
same for the grand totals. Detailed instructions for doing all of this
will be found in Part 3.

SAMPLE AUDIT QUESTIONS

ISO 28000 2007 SUPPLY CHAIN SECURITY AUDIT TOOL

PART 4.3 SUPPLY CHAIN SECURITY PLANNING AUDIT QUESTIONNAIRE

4.3.1 ANALYZE SECURITY THREATS AND SELECT CONTROLS
IDENTIFY SECURITY THREATS AND ASSESS YOUR RISKS
1	Did you define a methodology to identify your organization’s security threats and assess its security risks?					YES	NO
2		Did you define the scope of your threat identification and risk assessment methodology?				YES	NO
3		Did you define the nature of your threat identification and risk assessment methodology?				YES	NO
4			Can your methodology be used to collect information about security threats and risks?			YES	NO
5			Can your methodology be used to classify threats and risks?			YES	NO
6				Can your methodology be used to identify threats and risks that must be avoided?		YES	NO
7				Can your methodology be used to identify threats and risks that must be eliminated?		YES	NO
8				Can your methodology be used to identify threats and risks that must be controlled?		YES	NO
9			Can your methodology be used to monitor the effectiveness and timeliness of actions taken to identify threats, assess risks, and select controls?			YES	NO
10		Did you define the timing of your threat identification and risk assessment methodology?				YES	NO
11			Is your methodology future oriented and can it anticipate the evolution of new and emerging security threats?			YES	NO
12	Did you establish procedures to identify security threats and assess risks?					YES	NO
13		Do your risk assessment procedures reflect the nature and scale of your operations?				YES	NO
14		Do your risk assessment procedures consider the likelihood that security events will occur?				YES	NO
15		Do your risk assessment procedures consider the consequences that could result if security events actually occur?				YES	NO
16	Do you use your security risk assessment methods and procedures to identify your organization's security threats and assess your risks?					YES	NO
17		Do you consider physical failure threats and risks?				YES	NO
18			Do you consider functional failures?			YES	NO
19				Do you consider functional failures and the impact they could have?		YES	NO
20				Do you consider the likelihood that functional failures will actually occur in the future?		YES	NO
21			Do you consider incidental damage?			YES	NO
22				Do you consider incidental damage and the impact it could have?		YES	NO
23				Do you consider the likelihood that incidental damage will actually occur in the future?		YES	NO
24			Do you consider malicious damage?			YES	NO
25				Do you consider malicious damage and the impact it could have?		YES	NO
26				Do you consider the likelihood that malicious damage will actually occur in the future?		YES	NO
27			Do you consider terrorist action?			YES	NO
28				Do you consider terrorist action and the impact it could have?		YES	NO
29				Do you consider the likelihood that terrorist action will actually occur in the future?		YES	NO
30			Do you consider criminal behavior?			YES	NO
31				Do you consider criminal behavior and the impact it could have?		YES	NO
32				Do you consider the likelihood that criminal behavior will actually occur in the future?		YES	NO
33		Do you consider operational security threats and risks?				YES	NO
34			Do you consider operational threats and risks which could affect your organization’s performance, condition, or safety?			YES	NO
35				Do you consider the failure to control your organization’s security activities?		YES	NO
36					Do you consider the impact that security failures could have?	YES	NO
37					Do you consider the likelihood that security failures could occur?	YES	NO
38				Do you consider the human factors that could threaten your organization?		YES	NO
39					Do you consider the impact that human factors could have?	YES	NO
40					Do you consider the likelihood that human factors could be a threat?	YES	NO
41		Do you consider natural environmental security threats and risks?				YES	NO
42			Do you consider natural events which could threaten the effectiveness of your security measures and equipment?			YES	NO
43				Do you consider the impact that natural events could have on your organization?		YES	NO
44					Do you consider the impact that storms and floods could have?	YES	NO
45				Do you consider the likelihood that natural events could be a threat?		YES	NO
46					Do you consider the likelihood that storms and floods could be a threat?	YES	NO
47		Do you consider security risk factors and failures outside of your organization’s direct control?				YES	NO
48			Do you consider externally supplied equipment risks and failures?			YES	NO
49				Do you consider the impact that externally supplied equipment failures could have?		YES	NO
50				Do you consider the likelihood that externally supplied equipment could fail?		YES	NO
51			Do you consider externally supplied service risks and failures?			YES	NO
52				Do you consider the impact that externally supplied service failures could have?		YES	NO
53				Do you consider the likelihood that externally supplied services could actually fail?		YES	NO
54		Do you consider stakeholder security threats and risks?				YES	NO
55			Do you consider stakeholders’ failure to meet regulatory requirements?			YES	NO
56				Do you consider the impact that stakeholder regulatory failures could have?		YES	NO
57				Do you consider the likelihood that stakeholders will actually have regulatory failures?		YES	NO
58			Do you consider how stakeholders’ could damage your organization’s reputation or brand?			YES	NO
59				Do you consider the impact that stakeholders could have on your reputation or brand?		YES	NO
60				Do you consider the likelihood that stakeholders could damage your reputation or brand?		YES	NO
61		Do you consider security equipment risks and failures?				YES	NO
62			Do you consider security equipment design defects?			YES	NO
63				Do you consider the impact that equipment design defects and deficiencies could have?		YES	NO
64				Do you consider the likelihood that your security equipment could be poorly designed?		YES	NO
65			Do you consider security equipment installation shortcomings?			YES	NO
66				Do you consider the impact that equipment installation shortcomings could have?		YES	NO
67				Do you consider the likelihood that your security equipment could be poorly installed?		YES	NO
68			Do you consider security equipment maintenance deficiencies?			YES	NO
69				Do you consider the impact that equipment maintenance deficiencies could have?		YES	NO
70				Do you consider the likelihood that your security equipment could be badly maintained?		YES	NO
71			Do you consider security equipment replacement problems?			YES	NO
72				Do you consider the impact that equipment replacement problems could have?		YES	NO
73				Do you consider the likelihood that your security equipment could be difficult to replace?		YES	NO
74		Do you consider information, data management, and communications threats, risks, and failures?				YES	NO
75			Do you consider the impact that information, data, and communications failures could have?			YES	NO
76			Do you consider the likelihood that information, data, or communications could fail?			YES	NO
77		Do you consider threats to the continuity of your organization’s operations?				YES	NO
78			Do you consider the impact that an operational failure could have?			YES	NO
79			Do you consider the likelihood that an operational failure could occur?			YES	NO
80	Etcetera ...					YES	NO

Now that you know what our supply chain security audit tool looks like, please consider purchasing our Title 81: ISO 28000 2007 Supply Chain Security Audit Tool. If you purchase our ISO 28000 Security Audit Tool, you'll find that it's integrated, detailed, exhaustive, and easy to understand. You'll find that we've worked hard to create a high quality product We guarantee the quality of our supply chain security audit tool. Title 81 is 71 pages long and comes in pdf and doc file formats.
Place an Order	Check our Prices	See our License

Home Page	Our Libraries	A to Z Index	Customers
How to Order	Our Products	Our Prices	Guarantee
Praxiom Research Group Limited help@praxiom.com 780-461-4514
Updated on May 16, 2016. First published on November 30, 2009.
Legal Restrictions on the Use of this Page Thank you for visiting this webpage. You are welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But, you are not legally authorized to print or produce additional copies or to copy and paste any of our material onto another web site or to republish it in any way. Copyright © 2009 - 2016 by Praxiom Research Group Limited. All Rights Reserved.