Implementation and Requirements of ISO ND APRIL 2013 SHAH ALAM CONVENTION CENTRE SHAH ALAM, SELANGOR DARUL EHSAN

Transcription

1 SEMINAR ON ISO SUPPLY CHAIN SECURITY MANAGEMENT SYSTEM (SCSMS) Implementation and Requirements of ISO ND APRIL 2013 at SHAH ALAM CONVENTION CENTRE SHAH ALAM, SELANGOR DARUL EHSAN

2 Presentation Outline Objectives of the Seminar on ISO Background of Security Management System ISO Applicability & Requirements Other SCSMS Requirements Integration of SCSMS with other Management Systems

3 Objectives To increase awareness on the needs of Supply Chain Security Management System. To highlight main points in implementing Supply Chain Security Management System and best practises. To improve understanding of standard requirements in implementing Supply Chain Security Management System.

4 The Needs of Security Management System From Terrorism Attacked Sep 2001 World Trade Center in USA 4 commercial passenger jet airlines hijacked > 3000 death (attack by air) 5 Dec Explosion of commuter train in Russia > 46 death (attack by train) 12 Oct 2002 Bombed by small craft > 17 death, 39 injured (attack by sea) 19 April 1995 Truck rented to blast the building > 168 death, > 800 injured (attack by truck)

5 The Needs of Security Management System To Supply chain 20 Nov 2007 policeman hijacks payroll plane, Papua New Guinea 2 pilots rescued, Value $ 2 M found 7 Dec 2007 Aluminium plates shipment hijacked, Johor Bahru, 2 suspect detained with truck, Value RM 200 K 20 Nov 2006 Nation s biggest robbery, gang (20 men) hijacked containers at warehouse in Penang 585 cartridges of microchips and computer parts Value RM 50 M

6 Introduction to ISO 28000:2007 Background of ISO 28000:2007 Developed by ISO/TC 8 on Ship and Marine Technology New standard to replace ISO/PAS 28000:2005 ISO Specification for security management systems for the supply chain ISO Security management systems for the supply chain Best practices for implementing supply chain security Assessments and plans

7 Introduction to ISO 28000:2007 Supply Chain Security Management Systems (SCSMS) - ISO : Specification for security management systems for the supply chain provides framework for a security management system which aimed at improving the overall security in supply chains. - Supply risks such as threats from terrorism, fraud and piracy have serious implications to businesses. - Organization shall manage the risks and assure security by identifying potential threats, assessing risks and implementing measure to prevent any risks and threats from adversely affecting the success of their business.

8 Introduction to ISO 28000:2007 Supply Chain Security Management Systems (SCSMS) - SCSMS will facilitate trade and the transport of goods across boarders. - It will increase the ability of organization in the supply chain to effectively implement mechanism that address security vulnerabilities at strategic and operational level, as well a to establish preventive action plans. - SCSMS can be applied by the organizations of all sizes involved in manufacturing, services, storage or transportation at any stages of production or supply chain.

9 Supply Chain Security Management Systems (SCSMS) ISO 2800 Family: Introduction to ISO 28000: ISO 28000:2007 sets the framework for security by all groups or organizations involved in the supply chain. Industry sectors can assess risks to security such as terrorism and start using methods to manage those potential security threats. - ISO 28001:2007 assists organizations with designing and implementing security processes. It also helps these organizations assess security on their specific part of the supply chain and trains employees on the new security plans.

10 Supply Chain Security Management Systems (SCSMS) ISO 2800 Family: Introduction to ISO 28000: ISO 28003:2007 sets guidelines for companies to obtain certification for their security management systems. It also assists auditors judging compliance with the certification. It is designed to build customer confidence in the company and its security in the supply chain. - ISO 28004:2007 explains the generic and basic principles of ISO This section aims to better the overall understanding of ISO

11 Introduction to ISO 28000:2007 Compatibility with other standards Standard developed based on ISO format adopted by ISO 14001:2004 risk based approach to management systems ISO 9001:2008 process based approach as foundation for security management system Plan-Do-Check-Act (PDCA) Methodology

12 PDCA Methodology Establish the objectives and processes PLAN Take actions to continually improve process performance A C T DO Implement the processes CHECK Monitor & measure processes Report the results

13 Supply Chain Security Management System - PDCA The Plan-Do-Check-Act (PDCA) methodology can be applied to all processes and risk based activities. PLAN : establish the objectives and processes necessary to deliver results in accordance with the organization s security policy DO : implement the processes CHECK : monitor and measure processes against security policy, objectives, targets, legal and other requirements and report results ACT : take actions to continually improve performance of the security management system

14 Supply Chain Security Management systems Process Approach & PDCA Advantage of the process approach is on going control that it provides over the linkage between the individual processes within the system of processes, as well as over their combination and interaction.

15 Integration of Security Management Systems Integrated Management System The ISO requirements are structured within the Plan-Do-Check-Act (PDCA) framework and aligned with other international standard such as ISO 9001, ISO and OHSAS to facilitate the integration with other management systems. The integration of all the management systems into a single system and centrally managed is defined as Integrated Management System.

16 Supply Chain Security Management System - IMS Integrated Management System EnMS ISO ISMS ISO QMS ISO 9001 ISO TS Integrated Management System SCSMS ISO EMS ISO OHSMS OHSAS MS 1722

17 Supply Chain Security Management System - IMS Benefits of an Integrated Management System Greater focus on company objectives Reduced business risk Clearly defined roles and responsibilities for managing the integrated management system Reduced documentation Promotion of a single system Reduced resources to manage the system Easier to prioritize on key issues More concise reporting structure More efficient system removes duplication Easier to manage Helps with multi-skilling

18 Legal & Other SCS Requirements US Customs and Boarder Protection C-TPAT : Customs-Trade Partnership Against Terrorism by U.S. Customs Service Launched in Nov 2001 Benefits of C-TPAT including - Reduced Customs inspections - Reduced boarder delays - Need certification to proceed with Importer Self Assessment program (ISA)

19 Legal & Other SCS Requirements Secure Trade Partnership - STP Singapore Customs recognized companies that adopt Security Management System STP Companies that have adopted and implemented robust security measures will benefit from increase visibility of goods in the supply chain, reduction in pilferages and greater efficiency in their supply chain management

20 Other SCS Requirements Secure Trade Partnership - STP Companies certified under STP will be recognized as trusted partners of Singapore Customs with following benefits - Cargo less likely to be inspected - Recognition as a low risk company - Enhance branding - Reduced inspection - Expedited clearance - Recognized by oversea countries.

21 Other SCS Requirements TAPA - Transported Asset Protection Association TAPA FSR Warehouse and logistics companies TAPA TSR Organization operating a trucking fleet Benefits of TAPA: - Recognized globally as the industry standard for cargo facility and transport security

22 Type of common security Type of Security Container / Trailer Security Conveyance Security Personnel Security Procedure Security Physical Security Information Security

23 Overview of ISO Requirements 4.1 General Requirements 4.2 Security Management Policy 4.3 Security Risk and Planning 4.4 Implementation and Operation 4.5 Checking and Corrective Action 4.6 Management Review and Continual Improvement

24

25 Overview of ISO Requirements 4.1 General Requirements Establish Document Implement Maintain Continually improve an effective security management system for Identifying security threats Assessing risks Controlling and mitigating their consequences

26 Overview of ISO Requirements 4.1 General Requirements Define the scope of security management system Control of outsourced process ISO applicable to All sizes of organizations, Small to multinational Manufacturing Service Storage Transportation At any stage of production or supply chain

27 Overview of ISO Requirements 4.2 Security Management Policy Top management shall authorize and endorse an overall security management policy Framework for objectives, targets & programmes Consistent and appropriate with security threat and risk, nature and scale of operation Commitment to continually improve the security management process, comply with applicable legislation, regulatory and statutory requirements Documented and available to all interested parties

28 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security risk assessment (SRA) Procedure for on going identification and assessment of security threats and security management related threats and risks identification and implementation of necessary management control measures Security threats and risk identification, assessment and control method should be appropriate to the nature and scale of the operations.

29 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security risk assessment (SRA) Assessment on likelihood of an event and all of its consequences including Physical failure threats and risks (function failure, incidental damage, malicious damage, or terrorist or criminal action) Operational threats and risks (control of security, human factors, other activities which effect the organizational performance, condition or safety) Factor outside of the organization control (failure in external supplied equipment and services)

30 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security risk assessment (SRA) Assessment on likelihood of an event and all of its consequences including Stakeholder threats and risks (failure to meet regulatory requirements, damage to reputation or brand) Design and installation of security equipment (replacement and maintenance) Information, data management and communications A threat to continuity of operation

31 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security risk assessment (SRA) Results of assessment and the effects of controls are considered for Security management objectives, targets and programmes Determination of requirement for the design, specification and installation Identification of adequate resources at all levels, training needs and skills Development of operational controls

32 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security risk assessment (SRA) The methodology for threat and risk identification and assessment shall be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive include the collection of information related to security threats and risks provide classification of threats and risks (to be avoided, eliminated or controlled) provide for the monitoring of action to ensure effectiveness and the timeliness of their implementation

33 Benefits of ISO By implementing ISO and carrying out the Security Risk Assessment (SRA), a company will be able To provide understanding of critical control points for potential security risks and threats To investigate threats what or who can harm the site To identify vulnerabilities existing weaknesses To analyze consequences of security risks and threats that affects the business continuity To establish operational control and emergency response plan in order to minimize the impact of the potential security risk and threat To earn the trust from the current and potential

34 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Legal, statutory and other security regulatory requirements Establish, implement and maintain procedure for To identify and have access to the applicable legal requirements and other requirements to which the organization subscribes related to its security threat and risk To determine how these requirements apply to its security threats and risks Shall keep this information up-to-date, communicate the relevant information on legal and other requirements to employees, third parties (contractors)

35 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security management objectives Establish, implement and maintain security management objectives at relevant functions and level within organization Objectives shall be derived from and consistent with security management policy Legal, statutory and other security regulatory requirements Security threats and risks Technology and other options Financial, operational and business requirements Views of appropriate stake holders

36 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security management objectives The security management objectives shall Consistent with the organization s commitment to continual improvement Quantified (where practicable) Communicated to relevant employees and third parties including contractors with the intent that these persons are made aware of their individual obligations Reviewed periodically to ensure that they are remain relevant and consistent with security management policy and amended accordingly.

37 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security management targets Establish, implement and maintain security management targets appropriate to the needs of the organization. Targets shall be derived from and consistent with security management objectives These targets shall be - to an appropriate level of details - specific, measurable, achievable, relevant and time-based (where practicable) - communicated - reviewed periodically

38 Overview of ISO Requirements 4.3 Security Risk Assessment and Planning Security management programmes Establish, implement and maintain security management programmes for achieving its objectives and targets. The programmes shall be optimized and prioritized Provision for the efficient and cost effective implementation of the programmes The designated responsibility and authority for achieving security management objectives and targets System shall include the means and time-scale by which security management objectives and targets are to be achieved

39 Overview of ISO Requirements 4.4 Implementation and Operation Structure, authority and responsibility for security management Competence, training and awareness Communication Documentation Document and data control Operational control Emergency preparedness, response and security recovery

40 Overview of ISO Requirements 4.5 Checking and Corrective Action Security performance measurement and monitoring System evaluation Security-related failures, incidents, nonconformances and corrective and preventive action Control of records Audit 4.6 Management Review and Continual Improvement

41 Management System Certification Supply Chain Security Management Systems (SCSMS) The benefits of SCSMS Certification - Improve stakeholder confidence by demonstrating more robust an secure supply chain management. - Enhances customer satisfaction by demonstrating ability to meet their specific requirements. - Make the organization a supplier of choice by demonstrating the organization s capability to manage security issues within supply chain.

42 Management System Certification Supply Chain Security Management Systems (SCSMS) - Demonstrate systematic Supply Chain Security management - Develops business cooperation along supply chain. - Shorten customs clearance time and reduce secondary inspection. - Facilitate compliance with other official trade and supply chain processes, including the 1. European Union s Authorized Economic Operator (AEO) 2. US Customs and Boarder Patrol (CBP) s Customs Trade Partnership Against Terrorism (C-TPAT).

43 Management System Certification Thank You SIRIM QAS International Sdn Bhd Block 4, Persiaran Dato' Menteri P.O. Box 7035, Section 2, Shah Alam, MALAYSIA Tel: /5678, Fax :