Summary of meeting discussions and achievements


ISO/PAS Best practices (ISO/SC/N987)
ISO/PAS Security Management System for the Supply Chain (ISO/TC8/WG2/N988)
Panama, July 11th - 15th
Notes by J.F.F. Becker (TNO)

This summary provides an overview of the discussions and achievements of working groups N987 and N988. This report does not have a chronological character, but is rather structured topically. It is additional to the working documents of ISO/PAS 28000, ISO/PAS and ISO/PAS; I refer to these documents regarding the content and textual changes therein.

Welcome (Steve)

A lot of P members are present. P members have the right to vote at the end. There are also some industry parties present that do not have the right to vote, but they are present to represent their interests. Individual experts also participate in the group. The goal is to produce an ISO document as guidance that adds value.

Update on WCO Framework (Simon)

The most recent WCO Framework is version 3 (June). This version is also distributed on paper to all participants. Simon summarizes the content of the Framework. The Policy Commission made relatively minor amendments (April-June 2005): small amendments on seal integrity, strengthening the language by including other technologies than solely seal technology, and also on security assessments for better housekeeping. Also appended is a letter of intent to state that a member intends to implement the framework. Council approved the framework in June; members + EU signed: 104 of 155 members. Based on the letter of intent, a method is being developed to study what the capacity needs are. This is now a self-assessment method: an overview of measures and funding. Later this will be a method for strategic directions. Next Council meeting on October 5th. Policy Commission on December 10th. In November, or at least between October and December, there will be another business consultative meeting.

A couple of appendices did not make it: a detailed appendix on security best practices, and an appendix on validation and accrediting. These appendices will not be forgotten and will be placed on the agenda in October. Benefits of AEOs are vague. A clear view on benefits and how to implement them is to be developed in a research package. These appendices need more time. The challenges the ISO will be facing: to enable industry to implement portions of the framework. A lot of measures to be taken for compliance. Several customs delegations argued against Annex 2 as being too prescriptive and too detailed. Annex 2 is now more high level. OSCE: agreed that OSCE will encourage the lagging members to sign the letter of intent. That is good news. IMO: close relations, trying to foster and encourage that. HLSE: 5 October meeting? The WCO Framework as it is, is a done deal. We now need to be on the same lanes.

Question: Can we influence WCO in the process of the appendix? A useful way forward is to point out that the appendices are available. Allison Levy (US Customs and Border Protection): Adoption of the framework is the first step. The real work is now to be done. Between February and June there was not enough time to develop the best practices in detail. Levy assures that it will be on the agenda for October. There will be an appendix on the best practices. We do not know when we will see the text. The Policy Commission can counsel, hence can only endorse. Drafted and hoped to be approved? Fully drafted out for comment. Best practices are critical for implementing the framework. US CBP will promote and strive continuously for it. They want it within 2 years.

TC104 -> Information: ISO 17712 PAS on high security mechanical seals; updated security practices for manufacture and distribution of seals (now included in the WCO Framework).

Council only meets once a year, in June -> do we need to wait until June 06? The high level group will do a lot of steering of the work. The decision on it is up to Council in June 06. That is the earliest point in time at which we can expect to have something. The goal is to be as (un)detailed as we need to be. Our product is only as good as we can make it in time, so that we can have it as input for endorsement at the meeting in October. Not to be too slow, and go forth. Adaptation to WCO best practices is always possible. There is hardly a chance of large differences between ISO and WCO.

ISO/PAS

This Publicly Available Specification (PAS) has been developed in response to demand from industry for a security management standard. Its ultimate objective is to improve the security of supply chains. ISO/PAS is a high level management standard that enables an organization to establish an overall supply chain security management system. It requires the organization to assess the security environment in which it operates and to determine if adequate security measures are in place, and which other regulations and requirements already exist with which the organization complies. If security needs are identified by this process, the organization should implement mechanisms and processes to meet these needs. Since supply chains are dynamic in nature, some organizations managing multiple supply chains may look to their service providers to meet related governmental and ISO supply chain security standards as a condition of being included in that supply chain, in order to simplify security management.

Current status

Working Group N988 finished, from Thursday July 14th to Friday July 15th, the concept text for the draft of PAS. Important issues during the two days of meeting were:

- Focus on both terrorism and criminality. The primary focus of ISO/PAS is prevention of terrorism. Criminality is however in the scope of
  These especially include acts which could result in terrorism, acts of criminal intent. Of course, it must be related to supply chains. Terrorism vs crime/theft: the management system can serve both purposes.
- Large multinationals who are implementing must be able to integrate it into their existing systems. These must be easily adopted to mitigate security risks.
- In ISO/PAS we set security management systems as an umbrella on policy, top management commitment, and developing and implementing security procedures. Specific standards, like ISO or the ISO/PAS being developed, can come under this ISO/PAS 28000, i.e. be managed via the standardized security management system of this PAS. This is also illustrated in the triangle figure which has been included in the ISO/PAS.
- ISO provides guidelines for management systems auditing. Within the framework of ISO/PAS we cannot add additional guidelines on management systems auditing. However, we can build a guideline on how to realize ISO/PAS within the framework, under the number of ISO/PAS. Auditors can also use this document for the interpretation of ISO/PAS.
- Discussion on whether the ISPS code would be equivalent to the ISO/PAS, making parties deemed compliant with the ISPS code automatically deemed compliant with ISO/PAS. However, it is stressed that ISPS hardly specifies anything on security management systems (especially not for terminals). This working group has neither the task nor the mandate to determine the equivalence. To do so, ISO follows specific procedures.
- Making the PAS fully based on ISO, and in accordance with ISO, since the draft originally was based on the 1996 versions.
- Testing the robustness (did we forget anything?) via the helpful Integrated Security Management Systems Approach developed by the U.S.-Israel Science & Technology Foundation (USISTF).

In the context of the development of ISO/PAS the following presentations were given:

- Mr. J.F.F. Becker introduces himself, TNO and the project PROTECT. PROTECT is a Dutch supply chain security project that has the objective to develop security strategies for Dutch companies involved in international supply chains in a four-year time frame. Amongst others, several case studies of actual supply chains are studied for their security level and impact on logistics performance.
- Dr. M. Siegal is program director of USISTF. This Foundation has also developed a security management standard on the basis of ISO. Case studies are being conducted in, for example, hospitals. First results demonstrate the added value of a standardized security management system.

ISO/PAS Specification

ISO/PAS is designed to establish reasonable and documented levels of security within international supply chains and their components that will enable organizations to make better risk based decisions concerning the goods in the international supply chain. After a period of public comment the International Standards Organization may elect to use this Publicly Available Specification as a basis for an ISO Standard. This ISO/PAS is relevant to three major stakeholders: industry, logistics, government. To give a maximum number of options to all these groups, we need standards that are measurable and auditable. It has the purpose to create a high level of confidence for both governments and supply chain parties.

Working Group N987 drafted a concept, from Monday July 11th to Wednesday July 13th, for PAS. Important issues during the three days of meeting were:

- Redraft of sections:
  o 2.1 on Scope of Specification
  o 3.1, 3.2 on Scope of Coverage
  o as Performance Review List
  o 4.2 on Scope of Security Assessment
  o 4.4 on Threat scenarios
  o Resp. on Significance of security incidents, Levels of Security Significance, Countermeasures
  o 6.0 Incident response
  o Further, the working group makes other textual modifications.
- Regarding 4.1: Discussion on the level of detail of the 4.1 Review List. The list has the purpose to exemplify the questions to be raised in the security assessment. We do not need a 10 page review list. And we don't need too detailed questions, since that leaves a lot of questions missing. Suggestion: "including but not limited to".
- Regarding sections 4.5 to: The working group agrees that within the ISO/PAS two methodologies are possible:
  1. Significance: we do not want to let a company add another type of risk management system for security; we need to integrate security risk management into the existing risk management system. Thus we need to be less specific and not enforce our specific risk management system.
  2. Guidelines for a risk management system for those companies that have no experience with these kinds of systems.
- Risk management: Discussion on verification, compliance with which kinds of other standards (PAS 20858). The discussion is highly focused on maritime transport. ICAO rules are not globally regulated, like ISPS by IMO. Hence, we cannot include the appropriate ICAO rules in the PAS. However, if such rules are globally regulated, then the PAS can easily be amended and changed within 3-4 weeks. This is mandatory by the convention.
- "goods" should be throughout "goods and instruments of international trade, including empty containers and empty trailers" to be secured.
- After the working group, the document will be redrafted on the usage of the terms examine, will, should, shall.

Next meeting

ISO is expected in the second week (12th) of December in Kobe, Japan.

Quoting: "I have a problem if the shipment is ok and a delay occurs, and I have a problem if it's not ok and a delay does not occur." - Francis D'Addario

ISO/PAS

Working group N988 sets out the first lines of the working document for ISO/PAS. This document has the objective to function as a guideline for users that would like to comply with ISO/PAS. The following issues are suggested:

- ISO/PAS should be in accordance with the specifications of ISO
- ISO/PAS should be in accordance with the specifications and ideas of ISO/PAS

And other issues:

- Verify compliance with the ISPS code (amplify)
- Risk assessment: give a definition of risk management (one exists in 28000)
- Significant risks and threats
- Introduce the term vulnerabilities: what one organization is talking about, and link to other communities. Differentiate between vulnerabilities and threats.
- Top level discussion of the relationship of all the standards
- Business continuity discussion
  o Discussion of recovery of the business system
  o Recovery of the security system
  o Discussion on how you get recovery of the community
  o Discussion of each of the above and how they relate and are different
- Discussion of customs business partnership programs
- Inventory of all relevant regulations: where and what document could relate to this standard
- Communication plans and suggestions on how to handle those under various situations. What are your options, requirements etc. for first responders, businesses, police, etc.? What do you do when the police, customs or others are not interested in your program?
- Evacuation plan for the facility, community evacuation plan etc., depending on relevance to your organization and how this would apply to the business.
- Training recommendations and best practices. How do you organize, record, manage and measure?
- How do you measure and monitor? What should you measure and monitor, and what do you do with that information? How do you create continual improvement?
- What does first, second and third party auditing mean and how do you do this?

Closing (Ms. Nancy Williams)

We drafted the concept for ISO/PAS. This document will be edited for a consistent format next week. Then it goes out for comment by all members. The same holds for ISO/PAS (-> other working group convened by Steve O'Malley) and ISO/PAS.