ISO
          28000 Supply Chain Security Audit Tool

ISO 28000 is an international supply chain security management standard.
It explains what organizations need to do to protect their supply chains.

Use our ISO 28000 audit tool to comply with the standard and to improve the
overall effectiveness of your supply chain security management system.
Our tool will pinpoint the security gaps that exist between ISO's security standard
and your practices and processes. Once you've filled all the gaps, you can be assured
that you've done everything possible to protect your property, products, and people.

ISO 28000 2007 SUPPLY CHAIN SECURITY AUDIT TOOL

TABLE OF CONTENTS (TITLE 81)

PART

INTRODUCTION

PAGE

1

Overview of Supply Chain Security Audit

3

2

Profile of Supply Chain Security Audit

7

3

Summary of Supply Chain Security Audit

8

4

SUPPLY CHAIN SECURITY AUDIT QUESTIONNAIRES

9

4.1

General Supply Chain Security Audit Questionnaire

9

4.2

Supply Chain Security Policy Audit Questionnaire

11

4.3

Supply Chain Security Planning Audit Questionnaire

SAMPLE

4.4

Supply Chain Security Implementation Audit Questionnaire

28

4.5

Supply Chain Security Checking Audit Questionnaire

45

4.6

Supply Chain Security Review Audit Questionnaire

61

5

SUPPLY CHAIN SECURITY IMPROVEMENT PLANS

64

5.1

General Supply Chain Security Improvement Plan

64

5.2

Supply Chain Security Policy Improvement Plan

65

5.3

Supply Chain Security Planning Improvement Plan

66

5.4

Supply Chain Security Implementation Improvement Plan

67

5.5

Supply Chain Security Checking Improvement Plan

68

5.6

Supply Chain Security Review Improvement Plan

69

6

LICENSE AGREEMENT AND CONTACT INFORMATION

70

NOV 2009

COPYRIGHT © 2009 BY PRAXIOM RESEARCH GROUP LIMITED 

VER 1.0


Security Audit Profile

Before you start your audit, you will be asked to fill out a one page form
entitled Profile of Supply Chain Security Audit (see Part 2). First record the
name of the organization being audited, its address, the areas being audited,
the address of the audit, and a brief description of the actual scope or focus
of the audit. Also use the form to record the names of your auditors and the
audit start date. Once you’ve completed the audit, use the same form to
record when the audit was finished, who reviewed the audit and
when, and any review comments (if any).


Security Audit Methodology

Our audit tool uses questions to list the six sets of supply chain
security management requirements that make up ISO 28000.
Accordingly, it contains six separate questionnaires:

4.1 General Supply Chain Security Audit Questionnaire
4.2 Supply Chain Security Policy Audit Questionnaire
4.3 Supply Chain Security Planning Audit Questionnaire
4.4 Supply Chain Security Implementation Audit Questionnaire
4.5 Supply Chain Security Checking Audit Questionnaire
4.6 Supply Chain Security Review Audit Questionnaire

Our audit questionnaires start with Part 4.1 because the
ISO 28000 2007 requirements start in section 4.1.

For each audit question, two answers are possible: YES or NO. A YES
answer means you’re in compliance with the standard while a NO answer
means you’re not in compliance. NO answers reveal gaps that exist between
the ISO 28000 standard and your organization's activities. Please answer
each question by selecting one of these two answers. To the right of your
answers you will also find a column that you can use to record any
comments or observations you might have.

Once you’ve completed our compliance audit questionnaires, study
your NO answers and use the associated questions to formulate remedial
actions. Use the forms at the end of this audit process (Part 5) to record your
remedial actions and to create supply chain security improvement plans.

In most cases, remedial actions can be formulated by simply turning
an audit question into an action statement. For example, one of our audit
questions asks: “Have you established security management objectives?”.
If you answered NO, you would create a remedial action statement by
simply writing: Establish security management objectives. Once all
security improvement plans have been implemented and all gaps
have been filled, your SMS will comply with the ISO 28000 standard.


Security Audit Questionnaires

As previously mentioned, the ISO 28000 requirements are presented in
Parts 4.1 to 4.6. Our Audit Tool preserves this numbering system in order
to make it easy to cross-reference the original ISO 28000 standard with our
material. Accordingly, our Audit Tool starts with Part 4.1. However, at the
detailed level we have added a numbering system that you won’t find in the
original ISO 28000 standard. We have sequentially numbered all questions
within each of the 6 parts (4.1 to 4.6) that make up the core of the standard.
We have done this in order to make it easier for you to work with our
audit questionnaires.

In addition, we have used paragraph indents to distinguish between
general questions and specific questions. This approach makes it easy
to see how our questionnaires are structured. In most cases, a general
question is immediately followed by several specific questions which
usually help clarify what the general question means. If you’re not sure
what a general question is asking, just keep reading. In most cases, the
more detailed questions will clarify what the general questions are
trying to ask. But, if you’re still not sure about what a question or
word means, please check out our ISO 28000 dictionary.


Security Audit Scores

Once you’ve answered all the audit questions and prepared your
security improvement plans, you can also summarize your supply chain
audit quantitatively (see Part 3). The idea here is to measure precisely how
compliant your SMS actually is. And if you carry out regular supply chain
security audits, you can also use our approach to measure whether or
not your SMS is improving over time.

This is how it works. For each section of the audit (4.1 to 4.6), count
the number of YES answers and the number of NO answers and record
the totals for each section in the Form provided in Part 3, below. To calculate
the compliance score for each section, divide the total YES answers by the
total YES+NO answers and multiply the total by 100 to get a percentage.
To calculate the average compliance score for the entire audit, do the
same for the grand totals. Detailed instructions for doing all of this
will be found in Part 3.

The following example will show you what our
ISO 28000 Supply Chain Security Audit Tool looks like.

SAMPLE AUDIT QUESTIONS

ISO 28000 2007 SUPPLY CHAIN SECURITY AUDIT TOOL

PART 4.3 SUPPLY CHAIN SECURITY PLANNING AUDIT QUESTIONNAIRE

4.3.1 ANALYZE SECURITY THREATS AND SELECT CONTROLS

IDENTIFY SECURITY THREATS AND ASSESS YOUR RISKS

1

Did you define a methodology to identify
your organization’s security threats and
assess its security risks?

YES

NO

 

 

2


Did you define the scope of
your threat identification and
risk assessment methodology?

YES

NO

 

 

3


Did you define the nature of
your threat identification and
risk assessment methodology?

YES

NO

 

 

4



Can your methodology be used to collect
information about security threats and risks?

YES

NO

 

 

5



Can your methodology be used
to classify threats and risks?

YES

NO

 

 

6

 


 

Can your methodology be used
to identify threats and risks that
must be avoided?

YES

NO

 

 

7

 

   

Can your methodology be used
to identify threats and risks that
must be eliminated?

YES

NO

 

 

8

 

   

Can your methodology be used
to identify threats and risks that
must be controlled?

YES

NO

 

 

9

   

Can your methodology be used to monitor the
effectiveness and timeliness of actions taken to
identify threats, assess risks, and select controls?

YES

NO

 

 

10

 

Did you define the timing of
your threat identification and
risk assessment methodology?

YES

NO

 

 

11

 

 

Is your methodology future oriented
and can it anticipate the evolution of
new and emerging security threats?

YES

NO

 

 

12

Did you establish procedures to identify
security threats and assess risks?

YES

NO

 

 

13

 

Do your risk assessment procedures reflect
the nature and scale of your operations?

YES

NO

 

 

14

 

Do your risk assessment procedures consider
the likelihood that security events will occur?

YES

NO

 

 

15

 

Do your risk assessment procedures consider
the consequences that could result if security
events actually occur?

YES

NO

 

 

16

Do you use your security risk assessment methods
and procedures to identify your organization's security
threats and assess your risks?

YES

NO

 

 

17

 

Do you consider physical failure threats and risks?

YES

NO

 

 

18

   

Do you consider functional failures?

YES

NO

 

 

19

 

   

Do you consider functional failures
and the impact they could have?

YES

NO

 

 

20

 

   

Do you consider the likelihood that functional
failures will actually occur in the future?

YES

NO

 

 

21

   

Do you consider incidental damage?

YES

NO

 

 

22

 

   

Do you consider incidental damage
and the impact it could have?

YES

NO

 

 

23

     

Do you consider the likelihood that incidental
damage will actually occur in the future?

YES

NO

 

 

24

   

Do you consider malicious damage?

YES

NO

 

 

25

 

   

Do you consider malicious damage
and the impact it could have?

YES

NO

 

 

26

 

   

Do you consider the likelihood that malicious
damage will actually occur in the future?

YES

NO

 

 

27

   

Do you consider terrorist action?

YES

NO

 

 

28

 

   

Do you consider terrorist action
and the impact it could have?

YES

NO

 

 

29

 

   

Do you consider the likelihood that terrorist
action will actually occur in the future?

YES

NO

 

 

30

   

Do you consider criminal behavior?

YES

NO

 

 

31

 

   

Do you consider criminal behavior
and the impact it could have?

YES

NO

 

 

32

 

   

Do you consider the likelihood that criminal
behavior will actually occur in the future?

YES

NO

 

 

33

 

Do you consider operational
security threats and risks?

YES

NO

 

 

34

   

Do you consider operational threats and
risks which could affect your organization’s
performance, condition, or safety?

YES

NO

 

 

35

 

   

Do you consider the failure to control
your organization’s security activities?

YES

NO

 

 

36

       

Do you consider the impact that
security failures could have?

YES

NO

 

 

37

       

Do you consider the likelihood
that security failures could occur?

YES

NO

 

 

38

 

   

Do you consider the human factors
that could threaten your organization?

YES

NO

 

 

39

       

Do you consider the impact that
human factors could have?

YES

NO

 

 

40

       

Do you consider the likelihood that
human factors could be a threat?

YES

NO

 

 

41

 

Do you consider natural environmental
security threats and risks?

YES

NO

 

 

42

   

Do you consider natural events which
could threaten the effectiveness of your
security measures and equipment?

YES

NO

 

 

43

 

   

Do you consider the impact that natural
events could have on your organization?

YES

NO

 

 

44

       

Do you consider the impact that
storms and floods could have?

YES

NO

 

 

45

 

   

Do you consider the likelihood that
natural events could be a threat?

YES

NO

 

 

46

       

Do you consider the likelihood that
storms and floods could be a threat?

YES

NO

 

 

47

 

Do you consider security risk factors and failures
outside of your organization’s direct control?

YES

NO

 

 

48

   

Do you consider externally supplied
equipment risks and failures?

YES

NO

 

 

49

 

   

Do you consider the impact that externally
supplied equipment failures could have?

YES

NO

 

 

50

 

   

Do you consider the likelihood that
externally supplied equipment could fail?

YES

NO

 

 

51

   

Do you consider externally supplied
service risks and failures?

YES

NO

 

 

52

 

   

Do you consider the impact that externally
supplied service failures could have?

YES

NO

 

 

53

 

   

Do you consider the likelihood that externally
supplied services could actually fail?

YES

NO

 

 

54

 

Do you consider stakeholder
security threats and risks?

YES

NO

 

 

55

   

Do you consider stakeholders’ failure
to meet regulatory requirements?

YES

NO

 

 

56

 

   

Do you consider the impact that stakeholder
regulatory failures could have?

YES

NO

 

 

57

 

   

Do you consider the likelihood that stakeholders
will actually have regulatory failures?

YES

NO

 

 

58

   

Do you consider how stakeholders’ could damage
your organization’s reputation or brand?

YES

NO

 

 

59

     

Do you consider the impact that stakeholders
could have on your reputation or brand?

YES

NO



60

 

   

Do you consider the likelihood that stakeholders
could damage your reputation or brand?

YES

NO

 

 

61

 

Do you consider security equipment risks and failures?

YES

NO

 

 

62

   

Do you consider security equipment design defects?

YES

NO

 

 

63

 

   

Do you consider the impact that equipment
design defects and deficiencies could have?

YES

NO

 

 

64

 

   

Do you consider the likelihood
that your security equipment
could be poorly designed?

YES

NO

 

 

65

   

Do you consider security equipment
installation shortcomings?

YES

NO

 

 

66

 

   

Do you consider the impact
that equipment installation
shortcomings could have?

YES

NO

 

 

67

 

   

Do you consider the likelihood
that your security equipment
could be poorly installed?

YES

NO

 

 

68

   

Do you consider security equipment
maintenance deficiencies?

YES

NO

 

 

69

 

   

Do you consider the impact
that equipment maintenance
deficiencies could have?

YES

NO

 

 

70

 

   

Do you consider the likelihood
that your security equipment
could be badly maintained?

YES

NO

 

 

71

   

Do you consider security equipment
replacement problems?

YES

NO

 

 

72

 

   

Do you consider the impact
that equipment replacement
problems could have?

YES

NO

 

 

73

 

   

Do you consider the likelihood
that your security equipment
could be difficult to replace?

YES

NO

 

 

74

 

Do you consider information, data management,
and communications threats, risks, and failures?

YES

NO

 

 

75

   

Do you consider the impact that information,
data, and communications failures could have?

YES

NO

 

 

76

   

Do you consider the likelihood that information,
data, or communications could fail?

YES

NO

 

 

77

 

Do you consider threats to the continuity
of your organization’s operations?

YES

NO

 

 

78

   

Do you consider the impact that
an operational failure could have?

YES

NO

 

 

79

   

Do you consider the likelihood that
an operational failure could occur?

YES

NO

 

 

80

Etcetera ...

YES

NO

 

 


Attention

Now that you know what our supply chain security
audit  tool looks like, please consider
purchasing our
Title 81: ISO 28000 2007 Supply Chain Security Audit Tool.

If you purchase our ISO 28000 Security Audit Tool, you'll find
that it's integrated, detailed, exhaustive, and easy to understand.
You'll find that we've worked hard to create a high quality product
We
guarantee the quality of our supply chain security audit tool.
Title 81 is 71 pages long and comes in pdf and doc file formats.

Place an Order 

 Check our Prices

See our License


MORE ISO 28000 RESOURCES

Introduction to ISO 28000 Supply Chain Security

Plain English Supply Chain Security Management Definitions

ISO 28000 Supply Chain Security Translated into Plain English

Supply Chain Security Management System Development Plan

How to Audit a Supply Chain Security Audit Process

How to Carry out a Supply Chain Gap Analysis

MORE PLAIN ENGLISH AUDIT TOOLS


Home Page

Our Libraries

A to Z Index

Customers

How to Order

Our Products

Our Prices

Guarantee

Praxiom Research Group Limited         help@praxiom.com        780-461-4514

Updated on May 16, 2016. First published on November 30, 2009.

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2009 - 2016 by Praxiom Research Group Limited. All Rights Reserved.

Praxiom Research
        Group Limited