BS ISO 28000:2007

BS ISO 28000:2007 Specification for security management systems for the supply chain

BS ISO 28000 is the international standard that specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that affect supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

BS ISO 28000 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:

• Establish, implement, maintain and improve a security management system
• Assure conformance with stated security management policy
• Demonstrate such conformance to others
• Seek certification/registration of its security management system by an accredited third party Certification Body
• Make a self-determination and self-declaration of conformance with this International Standard.

Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

BS ISO 28000 was developed in response industry demand for a security management standard. Its ultimate objective is to improve the security of supply chains. It is a high-level management standard that enables an organization to establish an overall supply chain security management system. It requires the organization to assess the security environment in which it operates and to determine if adequate security measures are in place and if other regulatory requirements already exist, with which the organization complies.

If security needs are identified by this process, the organization should implement mechanisms and processes to meet these needs. Since supply chains are dynamic in nature, some organizations managing multiple supply chains may look to their service providers to meet related governmental or ISO supply chain security standards as a condition of being included in that supply chain in order to simplify security management.

This standard is applicable where an organization’s supply chains need secure management. A formal approach to security management can contribute directly to the business capability and credibility of the organization.

BS ISO 28000 is based on the ISO format adopted by ISO 14001:2004 because of its risk-based approach to management systems. However, organizations that have adopted a process approach to management systems (e.g. ISO 9001:2000) may be able to use their existing management system as a foundation for a security management system.

BS ISO 28000 is based on the methodology known as Plan-Do-Check-Act (PDCA). PDCA can be described as follows.

• Plan: establish the objectives and processes necessary to deliver results in accordance with the organization’s security policy
• Do: implement the processes
• Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results.
• Act: take actions to continually improve performance of the security management system.

Contents of BS ISO 28000 include:

• Introduction
• Scope
• Normative references
• Terms and definitions
• Security management system elements
• General requirements
• Security management policy
• Security risk assessment and planning
• Implementation and operation
• Checking and corrective action
• Management review and continual improvement
• Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000
• Bibliography