EXECUTIVE SUMMARY
ISO 28000 is a supply chain security management standard. It was first published in 2005 as a publicly available specification (PAS). The current version was officially published on September 15, 2007. It cancels and replaces ISO/PAS 28000:2005. Its purpose is to help improve the security of supply chains.
ISO 28000 can help organizations protect people, products, and property. It can help both small organizations and multinational corporations to improve their security.
ISO 28000 applies to any organization that is part of a local, national, or international supply chain. And since almost all organizations belong to a supply chain, it applies to virtually all organizations. It doesn't matter what size they are or what they do. ISO 28000 applies to both exporters and importers. It applies to airports, seaports, and terminals as well as to organizations that move products by air, sea, rail, or road. It applies to logistics, storage, transportation, and service companies as well as to manufacturers, shippers, wholesalers, and distributors.
ISO 28000 defines a set of security management requirements. If your organization is part of a supply chain, ISO 28000 expects you to establish a security management system (SMS) that complies with these requirements. It then expects you to use this system to protect people, products, and property.
An SMS is a network of interrelated and interacting elements that combine to resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage to a supply chain. These elements include a security management policy as well as the many objectives, targets, programs, procedures, plans, practices, processes, controls, documents, records, roles, relationships, responsibilities, authorities, and resources that are used to implement this policy.
WHY USE ISO 28000
If you use ISO 28000 to establish and maintain a security management system (SMS), you will improve the overall security of your supply chain and inspire the trust of your customers. Not only can ISO 28000 help you to preserve the integrity of your shipments and safeguard your customers' valuable property, it can also help you to protect personnel. When properly implemented, an ISO 28000 SMS will not only decrease disruptions and shorten transit times, it can also help you to reduce theft and combat smuggling, piracy, and terrorism.
Since ISO 28000 is a generic security management standard, it will support and provide a foundation for all of your security initiatives. Because it's a generic security standard, it will also help you to comply with all other national and international security programs and requirements. An ISO 28000 SMS will help you to comply with:
• US Customs-Trade Partnership Against Terrorism (C-TPAT) security requirements.
• World Customs Organization (WCO) SAFE Framework security requirements.
• Safety of Life at Sea (SOLAS) security requirements.
• International Maritime Organization (IMO) International Ship and Port Facility security requirements.
• EU Authorized Economic Operator (AEO) security requirements.
HOW TO USE ISO 28000
If you don't already have a supply chain security management system (SCSMS), you can use this ISO 28000 standard to establish one. And once you've established your organization's SCSMS, you can use it to manage and control your security risks and to improve your security performance.
However, the size and complexity of SCSMSs vary quite a bit. How far you go is up to you. The size and complexity of your SCSMS, the extent of your documentation, and the resources allocated to your system will depend on many things. How you meet each of the ISO 28000 requirements, and to what extent, depends on many factors, including:
- The size of your organization
- The location of your organization
- The nature and size of your supply chain
- The nature of your activities, products, and services
- The nature of your organization's legal obligations
- The content of your organization's security policy
- The nature of your organization's security risks
- The scope of your organization's SCSMS
ISO 28000 is designed to be used for certification purposes. In other words, once you've established a supply chain security management system (SCSMS) that meets both the ISO 28000 requirements and your organization's needs, you can ask a registrar (certification body) to audit your system. If you pass the audit, your registrar will issue a certificate that states that your SCSMS meets the ISO 28000 requirements.
While ISO 28000 is designed to be used for certification purposes, you don't have to become certified. You can be in compliance without being formally registered by an accredited auditor. You can self-audit your system and then announce to the world that your SCSMS complies with the ISO 28000:2007 standard (assuming that it actually does). Of course, your compliance claim may have more credibility if an independent registrar has audited your SCSMS and agrees with your claim.