OVERVIEW OF ISO 28001
ISO 28001 – Standard to reduce risks to the supply chain, meet regulatory requirements and streamline supply chain operations
BACKGROUND
ISO
28000:2007 specifies the requirements for a security management system,
including those aspects critical to security assurance of the supply chain.
Security management is linked to many other aspects of business management.
Aspects include all activities controlled or influenced by organizations that
impact on supply chain security. These other aspects should be considered
directly, where and when they have an impact on security management, including
transporting these goods along the supply chain (1).
The transportation of goods in the global economy,
driven largely by outsourcing of services, has never been more complex. Sources
of raw materials, components, component assembly, and finished products are
global in nature and therefore require a global supply chain. As this global
dependence has intensified, the value of goods shipped has also increased. The
threat of terrorism, smuggling (drugs, weapons, human trafficking),
preservation of brand integrity, product safety and other threats have mandated
the increase in regulation and cooperation between nations. Requirements of the
Customs-Trade Partnership Against Terrorism (C-TPAT), the Container Security
Initiative (CSI), the Transported Asset Protection Association (TAPA) and others
are some examples of regulation designed to address threats to the supply
chain. These are complemented by the drive for increased surveillance and
inspection.
SECURITY MANAGEMENT SYSTEM
ELEMENTS
There are five key elements that are
critical to the development of a Logistics Security Management System (LSMS):
- LSMS Management Policy
- LSMS Planning
- Implementation & Operation
- Checking & Corrective Action
- Management Review & Continual Improvement
ELEMENT 1: LSMS MANAGEMENT POLICY AND SECURITY PLANNING
A conformant logistics security
management system (LSMS) requires the organization to have an overall security management policy,
authorized by executive management. The LSMS must also have a process for
assessing the security environment in which it operates and for determining if
adequate security measures are in place. This examination of the operational
environment includes regulatory requirements as well as the physical, natural
and human hazards and specific industry requirements. ISO 28000 articulates a
strategy for assessment of risk and determining countermeasures as a core
component of providing physical security for the organization.
ELEMENT 2: IMPLEMENTATION AND OPERATION
ISO 28000 identifies requirements for
implementing and operating an LSMS, including organizational (security)
structure, authorized personnel responsible for security management, assessing
and maintaining competence of personnel and training for personnel responsible
for security.
ELEMENT 3: CHECKING AND CORRECTIVE ACTION
Corrective and preventative actions,
based on monitoring and evaluation of the LSMS, must be implemented to address
any security-related failures and address in a timely fashion any
non-conformities that are discovered.
ELEMENT 4: MANAGEMENT REVIEW AND CONTINUAL IMPROVEMENT
Oversight by the organization’s
executive management at regular intervals is required to assure that security
management policy, objectives, targets and other elements of the LSMS are
functioning as intended and consistent with continual improvement. Records
generated as part of the operation of the LSMS, results of audits and risk
assessments, legal and regulatory requirements are submitted for review along
with input from interested parties and recommendations for improvement. Output
from management review must include guidance for the organization to improve
the LSMS through changes to policy, controls and other elements of the LSMS.
ISO 28004:2007 provides the corresponding guidance for implementing ISO 28000.
APPLICATION
ISO 28000:2007 is
applicable to all sizes of organizations, from small to multinational, in
manufacturing, service, storage or transportation at any stage of the
production or supply chain that wish to:
a) establish, implement, maintain and improve a security management system;
b) assure conformance with stated security management policy;
c) demonstrate such conformance to others;
d) seek certification/registration of its security management system by an accredited third-party certification body; or
e) make a self-determination and self-declaration of conformance with ISO 28000:2007.
There are legislative
and regulatory codes that address some of the requirements in ISO 28000:2007.
It is not the intention
of ISO 28000:2007 to require duplicative demonstration of conformance.
Organizations that
choose third party certification can further demonstrate that they are
contributing significantly to supply chain security.
BENEFITS
A study by University of Virginia researchers
analyzing the cost/benefit of implementing Customs-Trade Partnership Against
Terrorism (C-TPAT) requirements identified tangible benefits to organizations that
implemented a supply chain security program (3). Among the benefits:
- Significant decrease in U.S. Customs inspections (up to 42.8%)
- Increase in new customers for transport and logistics companies (35.2%)
- Increase in sales (24.1%)
- Access to the U.S. Customs FAST (Free and Secure Trade) program
- Decreased wait time at the border (Green Lane)
- Decreased supply chain disruptions
- Increased supply chain visibility and improved lead-time predictability
An ISO 28000-conformant security management
system will meet the security requirements of C-TPAT, World Customs
Organization (WCO) SAFE Framework, Safety of Life at Sea (SOLAS) and other
international regulations while providing greater visibility and optimizing the
organization’s security spend.
THE ISO 28000 SERIES OF STANDARDS
The International Organization for Standardization (ISO) released
the ISO 28000 series in 2007 to provide
requirements and guidance to organizations seeking to enhance supply
chain security and to certification bodies providing audit and certification of
supply chain security management systems.
The series consists of:
- ISO 28000:2007 – Specification for security management systems for the supply chain
- ISO 28001:2007 – Best practices for implementing supply chain security, assessments and plans – Requirements and guidance
- ISO 28003:2007 – Requirements for bodies providing audit and certification of supply chain security management systems
- ISO 28004:2007 – Guidelines for the implementation of ISO 28000
Proper implementation and operation of a security
management system will provide improved security and deliver
tangible benefits. Specific
guidance for implementing a security management system for the supply
chain is provided in ISO 28001:2007 – Best practices for implementing supply chain security,
assessments and plans – Requirements and guidance. ISO 28001 is intended to assist organizations in
establishing reasonable levels of security and making better risk-based decisions
for protection of the supply chain. Organizations that are in compliance with
the WCO SAFE Framework of Standards (2) are also in compliance
with ISO 28001. In the absence of SAFE Framework compliance, ISO 28001 is an
auditable standard containing requirements for a supply chain security process
(General Requirements 4 – 5) and guidance for implementing a supply chain
security process (Annex A).
A core component of ISO 28000 is planning the organization’s
security program, including a formal risk assessment and selection of controls
and countermeasures. Annex B of ISO 28001 contains an eight-step methodology
for security risk assessment and development of countermeasures. This specific
methodology is not required for certification to ISO 28001 but is provided as an
informative reference for organizations seeking to implement a risk assessment
process or refine an existing methodology.
RISK MANAGEMENT
Risk management is the process of identifying
threats, vulnerabilities, impact to the organization in the event that a threat
exploits a vulnerability, likelihood of such an occurrence and identification
of countermeasures sufficient to reduce risk to levels acceptable to executive
management. In ISO 28001 Annex B, the risk management methodology is captured
as follows:
1. Identify all activities within the scope of the security management system (LSMS)
2. Identify the security controls and countermeasures in place
3. Identify security threat scenarios
4. Determine the potential impact if the threat scenario actually occurred
5. Determine the likelihood of such an event occurring, given the current controls and countermeasures in place
6. Assess whether the current controls and countermeasures are adequate
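The six steps above can be run as a small risk register, where impact and likelihood are scored, likelihood is reduced by the controls that cover a scenario, and the residual risk is compared with the tolerance set by executive management. The Python below is an added illustration and is not the text of ISO 28001 Annex B nor any tooling from it: the 1-5 scoring scales, the multiplicative control-effectiveness model, the tolerance value and the sample activities, controls and threat scenarios are all constructed assumptions for the example.

```python
"""Worked risk assessment following the six Annex B steps listed above.

Added example; scales, effectiveness model and all sample data are constructed
assumptions, not values from ISO 28001.
"""
from dataclasses import dataclass

# Step 1: activities within the scope of the LSMS (constructed sample data)
ACTIVITIES = {
    "container_loading": "Stuffing and sealing containers at the origin warehouse",
    "road_haulage": "Trucking sealed containers from warehouse to port",
    "customs_declaration": "Preparing and filing export documentation",
}


# Step 2: controls and countermeasures in place. 'effectiveness' is the assumed
# fraction by which the control reduces the likelihood of the scenarios it covers.
@dataclass
class Control:
    name: str
    covers: set          # threat scenario ids this control mitigates
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully prevents)


CONTROLS = [
    Control("high_security_seal", {"tampering_in_transit"}, 0.5),
    Control("gps_tracking", {"tampering_in_transit", "cargo_theft"}, 0.4),
    Control("background_checks", {"insider_contamination"}, 0.3),
]


# Step 3: threat scenarios, each tied to an in-scope activity, with (step 4) the
# impact if it occurred and the likelihood with no controls applied at all.
@dataclass
class ThreatScenario:
    id: str
    activity: str
    impact: int               # 1 (negligible) .. 5 (catastrophic)
    inherent_likelihood: int  # 1 (rare) .. 5 (almost certain)


SCENARIOS = [
    ThreatScenario("tampering_in_transit", "road_haulage", impact=5, inherent_likelihood=4),
    ThreatScenario("cargo_theft", "road_haulage", impact=4, inherent_likelihood=4),
    ThreatScenario("insider_contamination", "container_loading", impact=5, inherent_likelihood=2),
    ThreatScenario("document_fraud", "customs_declaration", impact=4, inherent_likelihood=3),
]

# Assumed ceiling set by executive management on impact x likelihood.
RISK_TOLERANCE = 6


def residual_likelihood(scenario, controls):
    """Step 5: likelihood given the controls in place. Each applicable control
    independently scales the remaining likelihood; the result is rounded back to
    the 1-5 scale and never drops below 1 (a control cannot make a threat vanish)."""
    remaining = float(scenario.inherent_likelihood)
    for c in controls:
        if scenario.id in c.covers:
            remaining *= (1.0 - c.effectiveness)
    return max(1, round(remaining))


def assess(scenarios=SCENARIOS, controls=CONTROLS, tolerance=RISK_TOLERANCE):
    """Step 6: compare residual risk with the tolerance and return one row per
    scenario, inadequately controlled scenarios first, highest risk at the top."""
    rows = []
    for s in scenarios:
        if s.activity not in ACTIVITIES:
            raise ValueError(f"scenario {s.id} references an activity outside the LSMS scope")
        lk = residual_likelihood(s, controls)
        risk = s.impact * lk
        rows.append({
            "scenario": s.id,
            "activity": s.activity,
            "controls": sorted(c.name for c in controls if s.id in c.covers),
            "impact": s.impact,
            "likelihood": lk,
            "risk": risk,
            "adequate": risk <= tolerance,
        })
    rows.sort(key=lambda r: (r["adequate"], -r["risk"]))
    return rows


if __name__ == "__main__":
    for r in assess():
        flag = "OK " if r["adequate"] else "GAP"
        print(f"{flag} {r['scenario']:<24} impact={r['impact']} "
              f"likelihood={r['likelihood']} risk={r['risk']:>2} controls={r['controls']}")
```

Scenarios with no covering control keep their inherent likelihood, which is why an uncontrolled scenario surfaces at the top of the output even when its impact is moderate; the rows flagged GAP are the ones for which step 6 calls for additional countermeasures before the risk is acceptable to management.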
References
(2) ISO 28000:2007 – Specification for security management systems for the supply chain.
(3) The C-TPAT Cost/Benefit Survey, prepared by the University of Virginia Center for Survey Research and the Weldon Cooper Center for Public Service for the U.S. Customs and Border Protection Service, August 2007.
-CER-