Continual improvement is a recurring process that enhances an organization's security management system and improves its overall security performance. Continual improvements must be consistent with the organization's security policy and can be achieved by carrying out audits, performing management reviews, analyzing data, and implementing corrective and preventive actions.

A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are safeguards or countermeasures. Controls include things like practices, procedures, programs, objectives, targets, techniques, technologies, guidelines, requirements, and organizational structures.

Corrective actions are steps that are taken to eliminate the causes of an existing security nonconformity or security incident. The corrective action process is designed to prevent the recurrence of security nonconformities and security incidents. It tries to make sure that existing nonconformities and incidents don't happen again, and it does so by eliminating their causes.

The term facility refers to any item of infrastructure that has a business function or provides a business service. It includes property, buildings, plants, machinery, ships, vehicles, port facilities, and related systems (including software code that facilitates security management).

In the context of ISO 28000, the purpose of a management review is to evaluate the suitability, adequacy, and effectiveness of an organization's supply chain security management system, and to look for improvement opportunities. Management reviews are also used to identify and assess opportunities to change an organization's security management policy, objectives, and targets, and to assess changes in security threats and risks.

A management system is a set of interrelated or interacting elements that organizations use to implement policy and achieve objectives. There are many types of management systems. Some of these include quality management systems, safety management systems, environmental management systems, emergency management systems, occupational health and safety management systems, information security management systems, business continuity management systems, and, of course, supply chain security management systems.

A nonconformance (or a nonconformity) is a failure to comply with requirements. A requirement is an expectation or obligation. It can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include legal requirements, regulatory requirements, customer requirements, and management requirements.

ISO 28000:2007 Part 4 lists many supply chain security requirements. Whenever your organization fails to meet one of these requirements, a nonconformance (or nonconformity) occurs.

Preventive actions are steps that are taken to remove the causes of potential security nonconformances and security incidents, ones that have not yet occurred. Preventive actions address potential problems (not actual problems). While corrective actions prevent recurrence, preventive actions prevent occurrence. Both types of actions are intended to prevent nonconformities and incidents.

A procedure is a specified way of carrying out an activity or a process. Procedures may or may not be documented. A documented procedure describes and controls a logically ordered process or activity, including the associated inputs and outputs. Documented procedures can be very general or very detailed, or anywhere in between. While a general procedure could take the form of a simple flow diagram, a detailed procedure could be a one-page form or several pages of text.

A detailed documented procedure defines and controls the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it often explains what authority and what responsibility has been allocated, which supplies and materials should be used, and which documents and records must be used to carry out the work.

A supply chain is secure when it can resist, fend off, or repel unauthorized acts that are designed to cause intentional harm or damage. Conversely, it is insecure when it cannot successfully resist or repel such acts. Therefore, security is a variable, relative state of resistance. It is variable because it can range from very secure to very insecure, and it is relative because it depends on how threatening specific harmful acts are. A supply chain may be secure relative to some threats but insecure relative to other threats.

Security management includes all the activities and practices that organizations use to manage security risks, threats, and impacts. According to ISO 28000, your security management activities and practices should be coordinated, systematic, and optimized.

A security management objective is a security outcome or achievement. Objectives must be specific and must support and comply with your security management policy. Security management objectives should be tied directly or indirectly to an organization's product and service delivery activities.

Your organization's security management policy should define its general security intentions and clarify its overall direction. It should support your organization's general security framework and should be used to control its security activities and processes. A security management policy should also be used to generate security management objectives and targets and to encourage their achievement. It should be consistent with your organization's other policies and must comply with all regulatory requirements.

Security management programs (or programmes) are used to achieve security management objectives and targets. This definition establishes a means-end relationship between programs on the one hand and objectives and targets on the other.

A security management system (SMS) is a complex network of interrelated and interacting elements that combine to resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage to a supply chain. These elements include a security management policy as well as the many programs, objectives, targets, procedures, plans, practices, processes, controls, documents, records, roles, relationships, responsibilities, authorities, and resources that are used to implement this policy.

Objectives are achieved by meeting specific targets. A security management target is a specific level of performance that must be attained in order to be able to say that a related security management objective has actually been achieved.

Risk combines three elements: it starts with a potential threat and then combines its probability with its potential impact. In the context of ISO 28000, the concept of risk asks two future-oriented questions:
What is the probability that a potential security threat will actually occur in the future?
How severe would the impact be if the security threat became an actual security incident?
A high-risk security threat would have both a high probability of occurring and a severe impact if it actually occurred.

A risk assessment considers the effectiveness of existing security controls and then evaluates the probability and the potential severity of specific security threats. On the basis of such an assessment, organizations decide what steps should be taken to manage and control their risk.

A security threat is any possible intentional action or series of actions that could potentially damage stakeholders, facilities, or operations; destroy the integrity of a business or jeopardize its continuation; or disrupt a supply chain or an entire economy.

Individuals, groups, and organizations become an organization's stakeholders when they have a vested interest in its performance or its success, or when they are concerned about the impact of its activities. Examples include shareholders, financiers, insurers, customers, employees, suppliers, contractors, regulators, statutory bodies, labor organizations, and members of society.

A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, manufacturers, distributors, wholesalers, vendors, and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be internal or external to an organization.

When ISO 28000 uses the term top management, it is referring to a person or group of people at the highest level within an organization. It refers to the people who coordinate, direct, and control organizations. While top management in large organizations may not be personally involved in the management of supply chain security, accountability through the chain of command must, nevertheless, be manifest.

In the context of ISO 28000, the terms upstream and downstream refer to the relative location and movement of cargo within a supply chain and to the associated cargo management activities, processes, and operations that occur.

Activities, processes, and operations that occur before cargo comes under the direct operational control of an organization are said to be upstream from it. Conversely, activities, processes, and operations that occur after cargo leaves the control of an organization are said to be downstream from it. Downstream and upstream cargo management functions can include insurance, finance, packing, storing, delivery, data processing, and so on.