ISO 28000 is an international supply chain security management standard. Our definitions are based on ISO 28000, section 3, Terms and definitions. We have translated these terms and definitions into Plain English in order to make them easier to understand. We’ve also added a few definitions that aren’t found in the original ISO 28000 2007 standard. We’ve taken this approach whenever an important term is used in the ISO 28000 standard but not explicitly defined. Examples of useful definitions that were overlooked include terms like controls, security risk, security management system, security risk assessment, and security threat. Since such terms are central to this standard, we’ve tried to define them. In order to do so, we’ve used other ISO standards as well as definitions taken from our own publications.

Continual improvement is a recurring process that enhances an organization’s security management system and improves its overall security performance. Continual improvements must be consistent with the organization’s security policy and can be achieved by carrying out audits, performing management reviews, analyzing data, and implementing corrective and preventive actions.

A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are safeguards or countermeasures. Controls include things like practices, policies, procedures, programs, objectives, targets, techniques, technologies, guidelines, requirements, and organizational structures.

Corrective actions are steps that are taken to remove the causes of an existing security nonconformity or security incident. The corrective action process is designed to prevent the recurrence of security nonconformities and security incidents. It tries to make sure that existing nonconformities and incidents don’t happen again. It tries to prevent recurrence by eliminating causes.

The term facility refers to any item of infrastructure that has a business function or provides a business service. It includes property, buildings, plants, machinery, ships, vehicles, port facilities, and related systems (including software code that facilitates security management).

In the context of ISO 28000, the purpose of a management review is to evaluate the suitability, adequacy, and effectiveness of an organization’s supply chain security management system, and to look for improvement opportunities. Management reviews are also used to identify and assess opportunities to change an organization’s security management policy, objectives, and targets and to assess changes in security threats and risks.

A management system is a set of interrelated or interacting elements that organizations use to implement policy and achieve objectives. There are many types of management systems. Some of these include quality management systems, food safety management systems, environmental management systems, emergency management systems, occupational health and safety management systems, information security management systems, business continuity management systems, and, of course, supply chain security management systems.

A nonconformance (or a nonconformity) is a failure to comply with requirements. A requirement is an expectation or obligation. It can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include legal requirements, regulatory requirements, customer requirements, and management requirements. ISO 28000 2007 Part 4 lists many supply chain security management requirements. Whenever your organization fails to meet one of these requirements, a nonconformance (or nonconformity) occurs.

Preventive actions are steps that are taken to remove the causes of potential security nonconformances and security incidents, ones that have not yet occurred. Preventive actions address potential problems (not actual problems). While corrective actions prevent recurrence, preventive actions prevent occurrence. Both types of actions are intended to prevent nonconformities and incidents.

A procedure is a specified way of carrying out an activity or a process. Procedures may or may not be documented. A documented procedure describes and controls a logically distinct process or activity, including the associated inputs and outputs. Documented procedures can be very general or very detailed, or anywhere in between. While a general procedure could take the form of a simple flow diagram, a detailed procedure could be a one page form or it could be several pages of text.

A detailed documented procedure defines and controls the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it often explains what authority and what responsibility has been allocated, which supplies and materials should be used, and which documents and records must be used to carry out the work.

A supply chain is secure when it can resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage. Conversely, it is insecure when it cannot successfully resist or repel such acts. Therefore, security is a variable and relative state of resistance. It is variable because it can vary from very secure to very insecure. And it is relative because it depends on how threatening or dangerous specific harmful acts are. A supply chain may be secure relative to some threats but insecure relative to other threats.

Security management includes all the activities and practices that organizations use to manage security risks, threats, and impacts. According to ISO 28000, your security management activities and practices should be coordinated, systematic, and optimized.

A security management objective is a security outcome or achievement. Objectives must be specific and must support and comply with your security management policy. Security management objectives should be tied directly or indirectly to an organization’s product and service delivery activities.

Your organization’s security management policy should define its general security intentions and clarify its overall direction. It should support your organization’s general security framework and should be used to control its security activities and processes. A security management policy should also be used to generate security objectives and targets and encourage their achievement. And it should be consistent with your organization’s other policies and must comply with all regulatory requirements.

Security management programs (or programmes) are used to achieve security management objectives and targets. This definition establishes a means-end relationship between programs on the one hand and objectives and targets on the other.

A security management system (SMS) is a complex network of interrelated and interacting elements that combine to resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage to a supply chain. These elements include a security management policy as well as the many programs, objectives, targets, procedures, plans, practices, processes, controls, documents, records, roles, relationships, responsibilities, authorities, and resources that are used to implement this policy.

Objectives are achieved by meeting specific targets. A security management target is a specific level of performance that must be attained in order to be able to say that a related security management objective has actually been achieved.

Risk combines three elements: it starts with a potential threat and then combines its probability with its potential severity. In the context of ISO 28000, the concept of risk asks two future-oriented questions:

- What is the probability that a potential security threat will actually occur in the future?
- How severe would the impact be if the potential security threat became an actual security incident?

A high risk security threat would have both a high probability of occurring and a severe impact if it actually occurred.

A risk assessment considers the effectiveness of existing security controls and then evaluates the probability and the potential severity of specific security threats. On the basis of such an assessment, organizations decide what steps should be taken to manage and control their risk.

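The risk and risk assessment definitions above (threat, probability, severity, and the effectiveness of existing controls) can be turned into a small ranked risk register. The Python below is an added example written for this page; it is not part of the original text and ISO 28000 does not prescribe any particular scoring scheme. The 1-to-5 scales, the residual-risk model `inherent × (1 - control_effectiveness)`, the band thresholds, and the sample threats are all assumptions constructed for illustration.

```python
"""Toy supply chain security risk register (added example, not from ISO 28000).

Assumed scoring model:
  - likelihood and severity are each rated 1 (very low) .. 5 (very high),
    answering the two future-oriented questions in the text;
  - control_effectiveness is 0.0 (existing controls do nothing) .. 1.0
    (existing controls fully mitigate the threat);
  - inherent risk = likelihood * severity (1..25);
  - residual risk = inherent risk * (1 - control_effectiveness).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str                     # the potential intentional act being assessed
    likelihood: int               # 1..5: how probable is it that it occurs?
    severity: int                 # 1..5: how severe would the impact be?
    control_effectiveness: float  # 0.0..1.0 for the controls already in place


def validate(threat: Threat) -> None:
    """Reject ratings outside the assumed scales so bad input cannot hide a risk."""
    if not 1 <= threat.likelihood <= 5:
        raise ValueError(f"{threat.name}: likelihood must be 1..5")
    if not 1 <= threat.severity <= 5:
        raise ValueError(f"{threat.name}: severity must be 1..5")
    if not 0.0 <= threat.control_effectiveness <= 1.0:
        raise ValueError(f"{threat.name}: control_effectiveness must be 0.0..1.0")


def inherent_risk(threat: Threat) -> int:
    """Risk before crediting any existing control."""
    return threat.likelihood * threat.severity


def residual_risk(threat: Threat) -> float:
    """Risk that remains after crediting existing controls (rounded for stable comparison)."""
    return round(inherent_risk(threat) * (1.0 - threat.control_effectiveness), 2)


def risk_band(score: float) -> str:
    """Assumed bands on the 1..25 scale; 'high' needs both a high likelihood and a severe impact."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_register(threats: list[Threat]) -> list[tuple[str, int, float, str]]:
    """Return (name, inherent, residual, band) rows, highest residual risk first."""
    for threat in threats:
        validate(threat)
    rows = [
        (t.name, inherent_risk(t), residual_risk(t), risk_band(residual_risk(t)))
        for t in threats
    ]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows


# Constructed sample register; the names and ratings are illustrative only.
SAMPLE_THREATS = [
    Threat("Cargo tampering at an unattended rail siding", 4, 5, 0.25),
    Threat("Theft of a container from a secured yard", 3, 4, 0.6),
    Threat("Forged shipping documents accepted at intake", 2, 5, 0.0),
    Threat("Minor pilferage from a staffed warehouse", 5, 1, 0.5),
]

if __name__ == "__main__":
    for name, inherent, residual, band in rank_register(SAMPLE_THREATS):
        print(f"{band:6} inherent={inherent:2} residual={residual:5} {name}")
```

The ordering is the point: the forged-documents threat has a lower inherent score than the container theft, but because no control currently addresses it, its residual risk ranks higher, which is exactly the "considers the effectiveness of existing security controls" step the definition calls for.
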
A security threat is any possible intentional action or series of actions that could potentially damage stakeholders, facilities, or operations; destroy the integrity of a business or jeopardize its continuation; or disrupt a supply chain or an entire economy.

Individuals, groups, and organizations become an organization’s stakeholders when they have a vested interest in its performance or its success or are concerned about the impact of its activities. Examples include shareholders, financiers, insurers, customers, employees, suppliers, contractors, regulators, statutory bodies, labor organizations, and members of society.

A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, manufacturers, distributors, wholesalers, vendors, and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be either internal or external to an organization.

When ISO 28000 uses the term top management, it is referring to a person or group of people at the highest level within an organization. It refers to the people who coordinate, direct, and control organizations. While top management in large organizations may not be personally involved in the management of supply chain security, accountability through the chain of command must, nevertheless, be manifest.

In the context of ISO 28000, the terms upstream and downstream refer to the relative location and movement of cargo within a supply chain and to the associated cargo management activities, processes, and operations that occur.

Activities, processes, and operations that occur before cargo comes under the direct operational control of an organization are said to be upstream from it. Conversely, activities, processes, and operations that occur after cargo leaves the direct operational control of an organization are said to be downstream from it. Downstream and upstream cargo management functions can include insurance, finance, packing, storing, delivery, data processing, etcetera.