Auditing supply chain logistics -CTPAT
Published in: Business, Technology
Transcript

  • 1. Auditing Security Management Systems and the Supply Chain: ISO28000 ASIS International 3rd Asia-Pacific Conference Wednesday 4 February 2009 11.50 - 12.35 Dr. Marc Siegel ASIS International ISO/TC 8 Delegation Head © 2008
  • 2. Promoting Security in the Supply Chain Supplier – Manufacturer – Distributor – Retailer – Logistics Continuity in the supply chain is a key component of today's global marketplace
  • 3. Globalization of Supply Chains Disruption of the Supply Chain a Rising Threat • Just-in-time manufacturing • Outsourcing • Global sourcing • Specialized factories • Centralized distribution • Supply consolidation • Reduction of the supplier base • Volatility of demand • Lack of control procedures
  • 4. So What Could Happen? • Human trafficking • Contraband smuggling • Theft • Cyber-crime • Internal sabotage • Industrial sabotage • Terrorism • Counterfeiting • Insurgency • Bio-terrorism • Wholesale and retail supply loss • Organized crime • WMD in containers • Political disruptions • $$$ Damages
  • 5. What are the Consequences of an Incident? • Damage to tangibles: – Human and physical assets – property, products, infrastructure, personnel and the environment • Damage to intangibles: – Non-physical assets - reputation, market position, goodwill • The harm to the organization may include: – Injury or serious harm to persons and property – Business integrity – Reputation – Clients' property – Standing in the industry community – Regulatory issues
  • 6. ISO 28000 to the Rescue
  • 7. The 28000 Series • Developed in response to demand from industry against a background of varying international security regimes. • Generic management specification to improve security in supply chains. • Requires organizations to: – assess the security environment in which they operate – determine if adequate security measures are in place – improve performance • Designed to be a sound foundation for complying efficiently with other international, national and sector-based security requirements and schemes.
  • 8. The ISO 28000 Series Standards and codes of practice for supply chain security • The 28000 series was developed to complement the various international initiatives and to facilitate uniform implementation worldwide. • ISO 28000 - Supply chain security management – Published Sept. 2007 – Risk-based model – Plan, Do, Check, Act principles – Designed for 1st, 2nd & 3rd party auditing • Certification standard, similar to: – ISO 14001, OHSAS 18001, ISO 27001
  • 9. ISO 28000 Enables an Organization to: • Establish, implement, maintain and improve a security management system • Assure conformity with security management policy • Demonstrate such conformity • Seek certification/registration of conformity by an accredited third party organization • Make a self-determination and self-declaration of conformity
  • 10. Meet the Family
  • 11. ISO 28000 Series of Standards • ISO 28000:2007 – Specification for security management systems for the supply chain • ISO 28001:2007 – Security management systems for the supply chain -- Best practices for implementing supply chain security, assessments and plans -- Requirements and guidance • ISO 28003:2007 – Security management systems for the supply chain -- Requirements for bodies providing audit and certification of supply chain security management systems • ISO 28004:2007 – Security management systems for the supply chain -- Guidelines for the implementation of ISO 28000
  • 12. What Does ISO 28000 Address? • ISO 28000 requires the organization to consider the likelihood of an event and all of its consequences, including: – Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action – Operational threats and risks, including the control of security, human factors and other activities which affect the organization's performance, condition or safety – Natural environmental events (storms, floods, etc.), which may render security measures and equipment ineffective – Factors outside of the organization's control, such as failures in externally supplied equipment and services
  • 13. Built to Be Business Friendly • Suitable for all sizes and types of organizations that are involved in purchasing, manufacturing, service, storage, transportation and/or sales processes • Aligned with the globally accepted standards: – ISO 9001:2000 - Quality management – ISO 14001:2004 - Environmental management – ISO/IEC 27001:2005 - Information technology security • Supports consistent and integrated implementation and operation with related management standards. • One suitably designed management system can satisfy the requirements of all these standards
  • 14. The Standard Can Be Used to: • Demonstrate a robust and secure supply chain management system to regulators/authorities and other interested organizations • Demonstrate a robust and secure supply chain management system to customers/potential customers • Provide a consistent approach by all service providers within a supply chain • Serve as the basis for an independent assessment • Demonstrate the ability to meet customer requirements • Improve services
  • 15. Commercial & Competitive Advantage • Unambiguous demonstration that the organization takes security seriously – Customer confidence that their goods are protected – Increased brand equity through the clear demonstration of commitment to security – Benefit through increased market share and through customer retention • Increased organizational resilience • Brand and reputation protection
  • 16. Improved Management • Effective management of security resources, resulting in cost savings • Increased accountability at all levels • Demonstrates effective corporate governance • Improved safety and security for employees • Improved staff and customer satisfaction • Can be integrated with other internationally recognized management system standards
  • 17. Ports Worldwide Adopting ISO 28000 • September 2006 - DP World first to certify – HQ Dubai – Ports of Djibouti, Dubai, Vancouver (1st port in the Americas), Porto Caucedo (Dominican Republic - Latin American gateway to the US), Southampton, Tilbury, Le Havre, Port of Busan, Korea – All Australian terminals undergoing implementation – DP World plans to certify all its ports/terminals • March 2008 - Port of Houston Authority (PHA) Port Police became the first port authority in the world to receive ISO 28000:2007 certification • May 2008 - Singapore-based logistics and supply chain management company YCH Group became the first end-to-end Supply Chain Management (SCM) provider to receive ISO 28000:2007 certification.
  • 18. Mutual Recognition • ISO 28000 has been recognized by the EU Authorized Economic Operators (AEO) initiative as compliant with the AEO safety and security requirements • DP World's ISO certification has been recognized by US Customs and Border Protection, with the company uniquely being invited to join C-TPAT. • The US Congress has recognized the relevance of ISO 28000 to C-TPAT and has tasked its research body, the GAO, to confirm technical compatibility. – Companies that are ISO 28000 compliant may not have to qualify separately to join C-TPAT, but can enjoy its benefits upon recognition.
  • 19. ISO 28000 a New Member of the Family of ISO Management Systems Standards Identify risks, set priorities and establish dynamic programs and plans to cost effectively improve performance Generic framework for organizations of all sizes and types – private, public, faith-based or not-for-profit organizations.
  • 20. 28000 is a Management System • A management system is what the organization does to manage its processes, functions or activities. – Set of interrelated elements used to establish and achieve an organization's policy and objectives. – Includes policies, organizational structure, responsibilities, planning activities, resources, practices, procedures and processes. – Allows an organization to create and manage its processes and activities to meet its business objectives.
  • 21. PDCA or APCI Model Approach to structured problem solving Plan (Assess) - Do (Protect) - Check (Confirm) - Act (Improve)
    Plan • Define & analyze a problem and identify the root cause
    Do • Devise a solution • Develop a detailed action plan & implement it systematically
    Check • Confirm outcomes against plan • Identify deviations and issues
    Act • Standardize the solution • Review and define next issues
  • 22. Why Management Systems Work • Needs focused • Goals driven • People oriented – Leadership driven – Involves people at all levels – Promotes cultural change • Emphasizes process approach • System approach to management • Factual basis for decision making • Continual improvement Business Advantage
  • 23. Risk Management • Establishes risk management as a proactive means of protecting the organization – Pragmatic and business-centric approach to risk management – Promotes risk management as a central component of effective management – Key decision making and commitment of resources is based on a process of effective risk assessment
  • 24. What Does ISO 28000 Say? Security Management System cycle (clause numbers of ISO 28000:2007): 4.2 Security management policy – 4.3 Security risk assessment & planning – 4.4 Implementation & operation – 4.5 Checking & corrective action – 4.6 Management review Standards implementation requires an organization-wide commitment to security
  • 25. Security management system model (continual improvement cycle)
    Start: Know your Organization - Define scope and boundaries for security, preparedness and continuity management program - Identify critical objectives, operations, functions, products and services - Preliminary determination of likely risk scenarios and consequences
    Security Policy - Management Commitment - Commitment to Protection of Critical Assets - Commitment to Continuous Improvement
    Planning - Risk Assessment - Legal and Other Requirements - Security Management Objectives - Security Management Targets - Security Management Programs
    Implementation and Operation - Structure, Authority and Responsibility - Competence, Training, & Awareness - Communication - Documentation - Document and Data Control - Operational Control - Emergency Preparedness, Response and Security Recovery
    Checking & Corrective Action - Performance and Evaluation - Nonconformity, Corrective and Preventive Action - Control of Records - Audits
    Management Review - Adequacy and Effectiveness - Need for Changes - Opportunities for Improvement
  • 26. Start: Know your Organization (same model, this element highlighted) • Define scope and boundaries for security, preparedness and continuity management program • Identify critical objectives, operations, functions, products and services • Preliminary determination of likely risk scenarios and consequences
  • 27. Security Policy (same model, this element highlighted) - Management Commitment - Commitment to Protection of Critical Assets - Commitment to Continuous Improvement
  • 28. Planning (same model, this element highlighted) - Risk Assessment - Legal and Other Requirements - Security Management Objectives - Security Management Targets - Security Management Programs
  • 29. Objectives, Targets and Programs Road to Success: Policy – informed by Threats, Risks and Impacts, Legal / Other Requirements and Views of Interested Parties – leads to Objectives and Targets, delivered through the SMS Program across Technology, Finance, Operations and Critical Assets
  • 30. Implementation and Operation (same model, this element highlighted) • Structure, Authority and Responsibility • Competence, Training, and Awareness • Communication • Documentation • Document and Data Control • Operational Control • Emergency Preparedness, Response and Security Recovery
  • 31. Checking & Corrective Action (same model, this element highlighted) - Security Performance Monitoring and Measurement - System Evaluation - Nonconformity, Corrective and Preventive Action - Control of Records - Audits
  • 32. Management Review (same model, this element highlighted) - Adequacy and Effectiveness - Need for Changes - Opportunities for Improvement
  • 33. There's a Bottleneck Lead Auditors Needed Demand for implementation and certification is currently outpacing the availability of lead auditors
  • 34. Types of Audits • First Party – Internal audit of client – Self declaration • Second Party – External non-certification audit – Contractually enforced (supply chain) • Third Party – Audit by external certified auditors – Road to certification
  • 35. Accreditation and Certification (Registration) Bodies
    Accreditation Bodies: An organization (usually a national standards body associated with ISO) that checks certification bodies and, provided their certification assessment processes pass muster, accredits them, i.e. grants them the authority to issue recognized certificates. Relevant standards: ISO/IEC 17011:2004 Conformity assessment -- General requirements for accreditation bodies accrediting conformity assessment bodies; ISO/IEC 17040:2005 Conformity assessment -- General requirements for peer assessment of conformity assessment bodies and accreditation bodies
    Certification (Registration) Bodies: An independent external body that issues written assurance (the certificate) that it has audited a management system and verified that it conforms to the requirements specified in the standard. Relevant standards: ISO 28003:2007 Security management systems for the supply chain -- Requirements for bodies providing audit and certification of supply chain security management systems; ISO/IEC 17021:2006 Conformity assessment -- Requirements for bodies providing audit and certification of management systems
    Certified Lead Auditor: ISO 19011:2002 Guidelines for quality and/or environmental management systems auditing
    Organization: Implements the standard – may seek formal recognition (certification) by a specialized third party body. Relevant standard: ISO 28000:2007 Specification for security management systems for the supply chain
  • 36. Principles that Relate to Auditors • Ethical conduct: the foundation of professionalism • Fair presentation: the obligation to report truthfully and accurately • Due professional care: the application of diligence and judgement in auditing • Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions • Evidence-based approach: the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process
  • 37. Lead Auditor Certification • Knowledge of management systems • Knowledge of the standard being audited to, as well as normative documents • Principles of auditing based on ISO 19011 • Technical knowledge of the activity being audited • Understanding risk assessment and management from a business perspective • General knowledge of regulatory requirements • Understanding of security, preparedness, response and recovery management
  • 38. How Do I Become a Player? ISO 28000 is Here – and Rapidly Gaining Momentum Your Ticket to Play BECOME A CERTIFIED ISO 28000 LEAD AUDITOR
  • 39. Course Objectives • Knowledge of a systematic and practical approach to security management system auditing • Broad understanding of the scope of security management system auditor responsibilities • Competency in organizing and directing audit team members • An in-depth understanding of ISO 28000 and security risk management requirements • The ability to effectively provide management with objective advice regarding progress towards compliance and certification of security management systems • Demonstrable understanding of the intent and application of relevant Acts, Standards, Codes of Practice, and other documents relevant to regulations and legislation
  • 40. Key Session Topics • Plan, conduct, and report an actual audit and examine relevant case studies • Major elements and scope of risk management including definitions of common risk management terms • Structure and make-up of management system documentation • Roles and responsibilities for security management • Requirements and methods for ensuring continuous improvement
  • 41. Key Session Topics • Audit techniques and methodology according to: – ISO 28000:2007 Specification for Security Management Systems for the Supply Chain – ISO 31000 Risk Management – ISO 31010 Risk Assessment (Methodologies) – ASIS International Risk Assessment (Process) – ISO 19011:2002 Guidelines for Quality and/or Environmental Management Systems Auditing (under revision to add risk-based processes) • Systems Auditing – Security threat and vulnerability assessments – Asset protection and loss protection – IT and electronic security – Personnel protection – Risk to transport and infrastructure from terrorism
  • 42. Competence of Auditors Competence = ∑ Personal attributes + Generic auditing knowledge and skills + Security, Preparedness, Response and Recovery specific knowledge and skills
  • 43. Process Flow for Audit Program
  • 44. Process Flow for Audit Program: Authority to Audit • The organization's top management should grant the authority for managing the audit program. • Establish, implement, monitor, review and improve the audit program • Identify the necessary resources and ensure they are provided
  • 45. Process Flow for Audit Program: Plan • Objectives of an audit program • Extent of an audit program – Scope, objective and duration – Standards, statutory, regulatory and contractual requirements – Language, cultural and social issues • Audit program responsibilities • Audit program resources • Audit program procedures
  • 46. Process Flow for Audit Program: Competence and evaluation of auditors • Competence = ∑ (Personal attributes) + (Generic auditing knowledge and skills) + (Security knowledge and skills) • Confidentiality and clearances Do • Audit program implementation – communicating the audit program – coordinating and scheduling audits – establishing and maintaining a process for the evaluation of the auditors – selection of audit teams – providing necessary resources to the audit teams – conduct of audits according to the audit program – control of records of the audit activities – review and approval of audit reports – audit follow-up • Audit program records
  • 47. Process Flow for Audit Program: Check - Audit program monitoring and reviewing - Identify needs for corrective and preventive actions - Identify opportunities for improvement
  • 48. Process Flow for Audit Program: Act - Improve the audit program - Commitment to Continuous Improvement
  • 49. Overview of typical audit activities
    Initiating the audit - appointing the audit team leader - defining audit objectives, scope and criteria - determining the feasibility of the audit - selecting the audit team - establishing initial contact with the auditee
    Conducting document review - reviewing relevant management system documents, including records, and determining their adequacy with respect to audit criteria
    Preparing for the on-site audit activities - preparing the audit plan - assigning work to the audit team - preparing work documents
    Conducting on-site audit activities - conducting opening meeting - communication during the audit - roles and responsibilities of guides and observers - collecting and verifying information - generating audit findings - preparing audit conclusions - conducting closing meeting
    Preparing, approving and distributing the audit report - preparing the audit report - approving and distributing the audit report
    Completing the audit
    Conducting audit follow-up
  • 50. Collecting Information to Reach Audit Conclusions Source of information – (collecting and verifying information by appropriate sampling techniques) – Audit evidence – (evaluating against audit criteria) – Audit findings – (reviewing) – Audit conclusions
  • 51. What Does the Future Hold? • ISO 28002, Resilience in the Supply Chain • ISO 28005, Ships and marine technology - Computer applications - Electronic port clearance (EPC)
  • 52. Thank You Dr. Marc Siegel Security Management System Consultant ASIS International Phone: +1-858-484-9855 Email: siegel@ASIS-Standards.net siegel@ymail.com