ISO 28000 is an international supply chain security standard. Our definitions are based on ISO 28000, section 3, terms and definitions. We have translated these terms and definitions into Plain English in order to make them easier to understand. We have also added a few definitions that aren't found in the original ISO 28000:2007 standard. We've taken this approach whenever an important term is used in the ISO 28000 standard but not explicitly defined. Examples of useful definitions that were overlooked include terms like controls, security risk, security management system, security risk assessment, and security threat. Since such terms are central to this standard, we've tried to define them. In order to do so, we've used other standards as well as definitions taken from our own publications.

Continual improvement is a recurring process that enhances an organization's security management system and improves overall security performance. Continual improvements must be consistent with the organization's security policy and can be achieved by carrying out audits, performing management reviews, analyzing data, and implementing corrective and preventive actions.

A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are countermeasures. Controls include things like procedures, programs, objectives, targets, techniques, guidelines, requirements, and organizational structures.

Corrective actions are steps that are taken to remove the causes of an existing security nonconformity or security incident. The corrective action process is designed to prevent the recurrence of security nonconformities and security incidents. It tries to make sure that existing nonconformities and incidents don't occur again. It tries to prevent recurrence by eliminating their causes.

The term facility refers to any item of infrastructure that has a business function or provides a business service. It includes property, buildings, plants, machinery, ships, vehicles, facilities, and related systems (including software code that facilitates security management).

In the context of ISO 28000, the purpose of a management review is to evaluate the suitability, adequacy, and effectiveness of an organization's supply chain security management system, and to look for improvement opportunities. Management reviews are also used to identify and assess opportunities to change an organization's security management policy, objectives, and targets and to assess changes in security threats and risks.

A management system is a set of interrelated or interacting elements that organizations use to implement policy and achieve objectives. There are many types of management systems. Some of these include quality management systems, food safety management systems, environmental management systems, emergency management systems, occupational health and safety management systems, information security management systems, business continuity management systems, and, of course, supply chain security management systems.

A nonconformance (or a nonconformity) is a failure to comply with requirements. A requirement is an expectation or obligation. It can be stated or implied by an organization, its customers, or other parties. There are many types of requirements. Some of these include legal requirements, regulatory requirements, customer requirements, and management requirements. ISO 28000:2007 Part 4 lists many supply chain security management requirements. Whenever your organization fails to meet one of these requirements, a nonconformance (or nonconformity) occurs.

Preventive actions are steps that are taken to remove the causes of potential security nonconformances and security incidents, ones that have not yet occurred. Preventive actions address potential problems (not actual problems). While corrective actions prevent recurrence, preventive actions prevent occurrence. Both types of actions are intended to prevent nonconformities and incidents.

A procedure is a specified way of carrying out an activity or a process. Procedures may or may not be documented. A documented procedure describes and controls a process or activity, including the associated inputs and outputs. Documented procedures can be very general or very detailed, or anywhere in between. While a general procedure could take the form of a simple flow diagram, a detailed procedure could be a one page form or it could be several pages of text. A detailed documented procedure defines and controls the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it often explains what authority and what responsibility has been allocated, which materials should be used, and which documents and records must be used to carry out the work.

A supply chain is secure when it can resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage. Conversely, it is insecure when it cannot resist or repel such acts. Therefore, security is a variable and relative state of resistance. It is variable because it can vary from very secure to very insecure. And it is relative because it depends on how threatening or dangerous specific harmful acts are. A supply chain may be secure relative to some threats but insecure relative to other threats.

Security management includes all the activities and practices that organizations use to manage security risks and threats. According to ISO 28000, your security management practices should be coordinated and systematic.

A security management objective is a security outcome or achievement. Objectives must be specific and must comply with your security management policy. Security management objectives should be tied directly or indirectly to an organization's product and service delivery activities.

Your organization's security management policy should define its general security intentions and clarify its overall direction. It should support your organization's general security framework and be used to control its security activities and processes. A security management policy should also be used to establish objectives and targets and encourage their achievement. Finally, it should be consistent with your organization's other policies and must comply with all regulatory requirements.

Security management programs (or programmes) are used to achieve security management objectives and targets. This definition establishes a means-end relationship between programs on the one hand and objectives and targets on the other.

A security management system (SMS) is a complex network of interrelated and interacting elements that combine to resist, fend off, or withstand unauthorized acts that are designed to cause harm or damage to a supply chain. These elements include a security management policy as well as the many programs, objectives, procedures, plans, practices, processes, controls, records, roles, relationships, responsibilities, and resources that are used to implement this policy.

Objectives are achieved by meeting specific targets. A security management target is a specific level of performance that must be attained in order to be able to say that a related security management objective has actually been achieved.

Security risk combines three elements: it starts with a potential threat and then combines its probability with its potential impact. In the context of ISO 28000, the concept of risk asks two future-oriented questions: What is the probability that a potential security threat will actually occur in the future? How severe would the impact be if this security threat became an actual security incident? A high risk security threat would have both a high probability of occurring and a severe impact if it actually occurred.

A risk assessment considers the effectiveness of existing security controls and then evaluates the probability and the impact of specific security threats. On the basis of such an assessment, organizations decide what steps should be taken to manage and control their risk.

A security threat is any possible intentional action or series of actions that could potentially damage stakeholders or facilities, destroy the integrity of a business, or disrupt a supply chain or an entire economy.

Individuals, groups, and organizations become an organization's stakeholders when they have a vested interest in its performance or its success or are concerned about the impact of its activities. Stakeholders include shareholders, financiers, insurers, customers, suppliers, contractors, regulators, statutory bodies, labor organizations, and members of society.

A supply chain is a set of interconnected processes and resources that starts with the sourcing of raw materials and ends with the delivery of products and services to end users. Supply chains may include producers, suppliers, distributors, wholesalers, vendors, and logistics providers. They also include facilities, plants, offices, and warehouses. Supply chains can be both internal and external to an organization.

When ISO 28000 uses the term top management, it is referring to a person or group of people at the highest level within an organization. It refers to the people who coordinate, direct, and control the organization. While top management in large organizations may not be directly involved in the management of supply chain security, it must, nevertheless, be manifest through the chain of command.

In the context of ISO 28000, the terms upstream and downstream refer to the relative location and movement of cargo within a supply chain and to the associated cargo management activities, processes, and operations that occur. Activities, processes, and operations that occur before cargo comes under the direct operational control of an organization are said to be upstream from it. Conversely, activities, processes, and operations that occur after cargo leaves the direct operational control of an organization are said to be downstream from it. Downstream and upstream cargo management functions can include finance, packing, storing, delivery, data processing,