Auditing supply chain logistics -CTPAT

Auditing Security Management Systems and the
Supply Chain: ISO28000
ASIS International 3rd Asia-Pacific Conference
Wednesday 4 February 2009 11.50 - 12.35

Dr. Marc Siegel
ASIS International
ISO/TC 8 Delegation Head

© 2008

Promoting Security in the Supply Chain
Supplier – Manufacturer – Distributor – Retailer – Logistics

Continuity in the supply chain is a key
component of today's global marketplace
© 2008

Globalization of Supply Chains
Disruption of the Supply Chain a Rising Threat

• Just-in-time manufacturing
• Outsourcing
• Global sourcing
• Specialized factories
• Centralized distribution
• Supply consolidation
• Reduction of the supplier base
• Volatility of demand
• Lack control procedures
© 2008

So What Could Happen?

• Human trafficking
• Contraband smuggling
• Theft
• Cyber-crime
• Internal sabotage
• Industrial sabotage
• Terrorism
• Counterfeiting
• Insurgency
• Bio-terrorism
• Wholesale and retail supply loss
• Organized crime
• WMD in containers
• Political disruptions
• $$$ Damages

© 2008

What are the Consequences of an Incident?

• Damage to tangibles:
– Human and physical assets – property, products,
infrastructure, personnel and the environment

• Damage to intangibles:
– Non-physical assets - reputation, market position, goodwill

• The harm to the organization may include;
– Injury or serious harm to persons and property
– Business integrity
– Reputation
– Clients property
– Standing in industry community
– Regulatory issues

© 2008

ISO 28000 to the Rescue

© 2008

The 28000 Series

• Developed in response to demand from industry
against a background of varying international security
regimes.

• Generic management specification to improve the
security in supply chains.

• Requires organizations to:
– assess the security environment in which it operates
– determine if adequate security measures are in place
– improve performance

• Designed to be a sound foundation for complying
efficiently with other international, national and sector
based security requirements and schemes.

© 2008

The ISO 28000 Series
Standards and codes of practice for supply chain security
• The 28000 series was developed to compliment the
various international initiatives to facilitate uniform
implementation worldwide.

• ISO 28000 - Supply chain security
management
– Published Sept. 2007
– Risked based model
– Plan, Do, Check, Act principles
– Designed for 1st, 2nd & 3rd party auditing

• Certification Standard, similar to:
– ISO 14001, OHSAS 18001, ISO 27001
© 2008

ISO 28000 Enables an Organization to:

• Establish, implement, maintain and improve a
security management system

• Assure conformity with security management policy

• Demonstrate such conformity

• Seek certification/registration of conformity by an
accredited third party organization

• Make a self-determination and self-declaration of
conformity

© 2008

Meet the Family

© 2008

ISO 28000 Series of Standards

• ISO 28000:2007
– Specification for security management systems for the supply
chain
• ISO 28001:2007
– Security management systems for the supply chain -- Best
practices for implementing supply chain security, assessments
and plans -- Requirements and guidance
• ISO 28003:2007
– Security management systems for the supply chain --
Requirements for bodies providing audit and certification of
supply chain security management systems
• ISO 28004:2007
– Security management systems for the supply chain --
Guidelines for the implementation of ISO 28000

© 2008

What Does the ISO 28000 Address?

• ISO 28000 requires the organization to consider the
likelihood of an event and all of its consequences
including:

– Physical failure threats and risks, such as functional failure,
incidental damage, malicious damage or terrorist or criminal
action

– Operational threats and risks, including the control of the
security, human factors and other activities which affect the
organizations performance, condition or safety

– Natural environmental events (storm, floods, etc.), which may
render security measures and equipment ineffective

– Factors outside of the organization's control, such as failures in
externally supplied equipment and services

© 2008

Built to Be Business Friendly

• Suitable for all sizes and types of organizations that
are involved in purchasing, manufacturing, service,
storage, transportation and/or sales processes

• Aligned with the globally accepted standards:
– ISO 9001:2000 - Quality management
– ISO 14001:2004 - Environmental management
– ISO/IEC 27001:2005 - Information technology security

• Supports consistent and integrated implementation
and operation with related management standards.

• One suitably designed management system can satisfy
the requirements of all these standards

© 2008

The Standard Can Be Used to:

• Demonstrate a robust and secure supply chain
management system to regulators/authorities and other
interested organizations
• Demonstrate a robust and secure supply chain
management system to their customers/potential
customers
• Provide a consistent approach by all service providers
within a supply chain
• Serve as the basis for an independent assessment
• Demonstrate the ability to meet customer requirements
• Improve services
© 2008

Commercial & Competitive Advantage

• Unambiguous demonstration the
organization takes security seriously
– Customer confidence that their goods are
protected
– Increased brand equity through the clear
demonstration of commitment to security
– Benefit through increased market share and
through customer retention
• Increased organizational resilience
• Brand and reputation protection

© 2008

Improved Management

• Effective management of security resources, resulting
in cost savings

• Increased accountability at all levels

• Demonstrates effective corporate governance

• Improved safety and security for employees

• Improved staff and customer satisfaction

• Can be integrated with other internationally recognized
management system standards
© 2008

Ports Worldwide Adopting ISO 28000

• September 2006 - DP World first to certify
– HQ Dubai
– Ports of Djibouti, Dubai, Vancouver (1st port in the Americas), Porto Caucedo
(Dominican Republic- Latin American gateway to US), Southampton, Tilbury, Le
Havre, Port of Busan, Korea
– All Australia terminals undergoing implementation
– DP World plans to certify all its ports/terminals

• March 2008 - Port of Houston Authority (PHA), Port Police has become the
first port authority in the world to receive ISO 28000:2007 certification

• May 2008 - Singapore-based
logistics and supply chain
management company YCH
Group becomes the first end-
to-end Supply Chain
Management (SCM) provider
to receive the ISO 28000:
2007 Certification.

© 2008

Mutual Recognition

• ISO 28000 has been recognized by the EU Authorized
Economic Operators (AEO) initiative as compliant to
the AEO Safety and Security requirements

• DP World’s ISO certification has been recognized by US
Customs Border Protection, with the company uniquely
being invited to join C-TPAT.

• US Congress has recognized the relevance of 28000 to
CTPAT and has tasked its research body, GAO, to
confirm technical compatibility.
– Companies that are ISO 28000 compliant may not have to
qualify to join CTPAT but can now enjoy the benefits upon
recognition.

© 2008

ISO 28000 a New Member
of the Family of ISO
Management Systems
Standards

Identify risks, set priorities
and establish dynamic
programs and plans to cost
effectively improve
performance
Generic framework for organizations of all sizes and types –
private, public, faith-based or not-for-profit organizations.
© 2008

28000 is a Management System
• A management system is what the organization
does to manage its processes, functions or
activities.
– Set of interrelated elements used to establish and
achieve an organization’s policy and objectives.
– Includes policies, organizational structure,
responsibilities, planning activities, resources, practices,
procedures and processes.
– Allows an organization to create and manage its
processes and activities to meet its business objectives.

© 2008

PDCA or APCI Model
Approach to structured problem solving

Plan (Assess) - Do (Protect) - Check (Confirm) - Act (Improve)

Plan
• Define & Analyze a
Problem and Identify the
Root Cause

Act Do
• Devise a Solution
• Standardize Solution
• Develop Detailed Action
• Review and Define
• Plan & Implement It
Next Issues
Systematically

Check
• Confirm Outcomes
Against Plan
• Identify Deviations and
Issues
© 2008

Why Management Systems Work

• Needs focused
• Goals driven
• People oriented
– Leadership driven
– Involves people at all levels
– Promotes cultural change
• Emphasizes process approach
• System approach to management
• Factual basis for decision making
• Continual improvement

Business Advantage
© 2008

Risk Management

• Establishes risk management as proactive
means of protecting the organization
– Pragmatic and business-centric approach to
risk management

– Promotes risk management as a central
component of effective management

– Key decision making and commitment of
resources is based on a process of effective
risk assessment
© 2008

What Does the ISO 28000 Say?

M Re .6
an vi
ag ew
Po

em
lic
4.2 y

en
4

t
Security
Management Se
cur
&
Checking System As it
ses y risk
tive Pla s
Correc nn ment
4.5 ing
Action 4.3
Implementation
& operation
4.4

Standards Implementation Requires A
Organization-wide Commitment to Security
© 2008

Start: Know your Organization
- Define scope and boundaries
for security, preparedness and
continuity management program
- Identify critical objectives, operation,
functions, products and services
- Preliminary determination of likely risk
scenarios and consequences

Security Policy
Management Review - Management Commitment
- Adequacy and Effectiveness - Commitment to Protection of Critical Assets
- Need for Changes - Commitment to Continuous Improvement
- Opportunities for Improvement

Continual
Planning
Improvement
Checking & Corrective Action - Risk Assessment
- Performance and Evaluation - Legal and Other Requirements
- Nonconformity, Corrective - Security Management Objectives
and Preventive Action
- Security Management Targets
- Control of Records
- Security Management Programs
- Audits

Implementation and Operation
- Structure, Authority and Responsibility
- Competence, Training, & Awareness
- Communication
- Documentation
- Document and Data Control
- Operational Control
- Emergency Preparedness, Response
and Security Recovery © 2008


Start: Know your Organization for security, preparedness and
• Define scope and boundaries for security, functions, products and services

preparedness and continuity management - Preliminary determination of likely risk

program Security Policy

• Identify critical objectives, operation,
- Need for Changes functions, products and services
- Commitment to Continuous Improvement

• Preliminary determination of likely risk

Continual
Planning
Improvement
- Audits

- Communication
- Documentation


Security Policy Security Policy
- Adequacy and Effectiveness
- Need for Changes
- Management Commitment - Commitment to Protection of Critical Assets
- Commitment to Protection of Critical Assets

Continual
Planning
Improvement
- Audits

- Communication
- Documentation


Security Policy

Continual
Improvement
Planning Planning
- Performance and Evaluation - Risk Assessment - Legal and Other Requirements
- Legal and Other Requirements - Security Management Targets
- Audits
- Security Management Objectives

- Communication
- Documentation

Objectives, Targets and Programs

Policy Road to Success
Threats,
Risks and Legal / Other Views of
Impacts Requirements Interested
Parties

Objectives SMS
And
Program
Targets

Technology Finance Operations Critical Assets
© 2008


Security Policy

• Structure, Authority and Responsibility
• Competence, Training, and Awareness
Continual
Planning
Improvement
• Communication
- Nonconformity, Corrective
• Documentation
- Audits
• Document and Data Control
• Operational Control

• Emergency Preparedness, Response

and Security Recovery
- Communication
- Documentation


Security Policy

Checking & Corrective Action
- Security Performance Improvement
Monitoring
Continual
Planning

and Measurement
- Nonconformity, Corrective
- System Evaluation
- Nonconformity, Corrective and
- Audits

Preventive Action
- Control of Records - Structure, Authority and Responsibility

- Audits - Communication
- Documentation


Management Review - Identify critical objectives, operation,

- Adequacy and Effectiveness Security Policy

- Need for Changes
- Adequacy and Effectiveness
- Need for Changes
- Commitment to Protection of Critical Assets


Continual
Planning
Improvement
- Audits

- Communication
- Documentation

There’s a Bottleneck

Lead Auditors Needed

Demand for implementation and certification is
currently outpacing the availability of lead auditors
© 2008

Types of Audits

• First Party
– Internal audit of client
– Self declaration
• Second Party
– External non-certification audit
– Contractually enforced (supply chain)
• Third Party
– Audit by external certified auditors
– Road to certification
© 2008

Accreditation and Certification Relevant Standards
(Registration) Bodies
Accreditation Bodies ISO/IEC 17011:2004
An organization (usually a national standards body Conformity assessment -- General requirements for accreditation
bodies accrediting conformity assessment bodies
associated with ISO) that checks certification bodies
ISO/IEC 17040:2005
and, provided their certification assessment processes Conformity assessment -- General requirements for peer
pass muster, accredits them i.e. grants them the assessment of conformity assessment bodies and accreditation
authority to issue recognized certificates. bodies

Certification ISO 28003:2007
Security management systems for the supply chain --
(Registration) Bodies Requirements for bodies providing audit and certification of
An independent external body that issues written supply chain security management systems
assurance (the certificate) that it has audited a ISO/IEC 17021:2006
management system and verified that it conforms to Conformity assessment -- Requirements for bodies providing
the requirements specified in the standard. audit and certification of management systems

Certified Lead Auditor
ISO 19011:2002
Guidelines for quality and/or environmental management
systems auditing

Organization
Implements standard – may seek formal recognition ISO 28000:2007
(certification) by a specialized third party body. Specification for security management systems for the supply
chain

© 2008

Principles that Relate to Auditors

• Ethical conduct: the foundation of professionalism

• Fair presentation: the obligation to report truthfully
and accurately

• Due professional care: the application of diligence
and judgement in auditing

• Independence: the basis for the impartiality of the
audit and objectivity of the audit conclusions

• Evidence-based approach: the rational method for
reaching reliable and reproducible audit conclusions in a
systematic audit process

© 2008

Lead Auditor Certification

• Knowledge of management systems
• Knowledge of the standard being audit to, as
well as normative documents
• Principles of auditing based on ISO 19011
• Technical knowledge of the activity being
audited
• Understanding risk assessment and
management from a business perspective
• General knowledge of regulatory requirements
• Understanding of security, preparedness
response and recovery management

© 2008

How Do I Become a Player?

ISO 28000 is Here – and Rapidly Gaining Momentum

Your Ticket to Play
BECOME A CERTIFIED
ISO 28000 LEAD AUDITOR
© 2008

Course Objectives
• Knowledge of a systematic and practical approach to security
management system auditing

• Broad understanding of the scope of security management
system auditor responsibilities

• Competency in organizing and directing audit team members

• An in-depth understanding of the ISO 28000 and security risk
management requirements

• The ability to effectively provide management with objective
advice regarding progress towards compliance and certification of
security management systems

• Demonstrable understanding of the intent and application of
relevant Acts, Standards, Codes of Practice, and other documents
relevant to regualtions and legislation
© 2008

Key Session Topics

• Plan, conduct, and report an actual audit and examine
relevant case studies

• Major elements and scope of risk management
including definitions of common risk management
terms

• Structure and make-up of management system
documentation

• Roles and responsibilities for security management

• Requirements and methods for ensuring continuous
improvement

© 2008

Key Session Topics

• Audit techniques and methodology according to:
– ISO 28000:2007 Specification for Security Management
Systems for the Supply Chain
– ISO 31000 Risk Management
– ISO 31010 Risk Assessment (Methodologies)
– ASIS International Risk Assessment (Process)
– ISO 19011:2003 Guidelines for Quality and/or Environmental
Management (under revision to add risk-based processes)

• Systems Auditing
– Security threat and vulnerability assessments
– Asset protection and loss protection
– IT and electronic security
– Personnel protection
– Risk to transport and infrastructure from terrorism
© 2008

Competence of Auditors

Competence =

∑ Personal attributes
+ Generic auditing knowledge and skills
+ Security, Preparedness, Response and
Recovery specific knowledge and skills

© 2008

Authority to Audit
• The organization’s top management should Process
grant the authority for managing the audit
program. Flow for
• Establish, implement, monitor, review and Audit
improve the audit program
• Identify the necessary resources and ensure Program
they are provided

© 2008

Process
Plan Flow for
•Objectives of an audit program Audit
•Extent of an audit program
Program
• Scope, objective and duration
• Standards, statutory, regulatory and
contractual requirements
• Language, cultural and social issues
•Audit program responsibilities
•Audit program resources
•Audit program procedures

© 2008

Competence and evaluation of auditors
• Process
Competence = ∑ (Personal attributes) + (Generic
auditing knowledge and skills) + (Security- knowledge
and skills) Flow for
• Confidentiality and clearances
Audit
Program
Do
•Audit program implementation
•communicating the audit coordinating and scheduling
audits
•establishing and maintaining a process for the evaluation
of the auditors
•selection of audit teams
•providing necessary resources to the audit teams
•conduct of audits according to the audit program
•control of records of the audit activities
•review and approval of audit reports,
•audit follow-up
•Audit program records © 2008

Process
Flow for
Audit
Program

Check
- Audit program monitoring and reviewing
- Identify needs for corrective and preventive
actions
- Identify opportunities for improvement © 2008

Initiating the audit
- appointing the audit team leader
- defining audit objectives, scope and criteria
- determining the feasibility of the audit
- selecting the audit team
- establishing initial contact with the auditee
Overview
Conducting document review of typical
- reviewing relevant management system documents, including records,
and determining their adequacy with respect to audit criteria audit
Preparing for the on-site audit activities
activities
- preparing the audit plan
- assigning work to the audit team
- preparing work documents

Conducting on-site audit activities
- conducting opening meeting
- communication during the audit
- roles and responsibilities of guides and observers
- collecting and verifying information
- generating audit findings
- preparing audit conclusions
- conducting closing meeting

Preparing, approving and distributing the audit report
- preparing the audit report
- approving and distributing audit report

Completing the audit

Conducting audit follow-up
© 2008

Source of Information

Collecting and verifying information by
appropriate sampling techniques Collecting
Information to
Reach Audit
Audit evidence
Conclusions

Evaluating against audit criteria

Audit findings

Reviewing

Audit conclusions
© 2008

What Does the Future Hold?

• ISO 28002,
Resilience in the
Supply Chain
• ISO 28005, Ships and
marine technology -
Computer
applications -
Electronic port
clearance (EPC)

© 2008

Thank You

Dr. Marc Siegel
Security Management System Consultant
ASIS International
Phone: +1-858-484-9855
Email: siegel@ASIS-Standards.net
siegel@ymail.com

S

© 2008

Auditing supply chain logistics -CTPAT

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Auditing supply chain logistics -CTPAT

Similar to Auditing supply chain logistics -CTPAT (20)

More from Enterprise Security Risk Management

More from Enterprise Security Risk Management (20)

Recently uploaded

Recently uploaded (20)

Auditing supply chain logistics -CTPAT