ISO 28000 2007

PLAIN ENGLISH DICTIONARY

Continual Improvement

Continual improvement is a recurring process that enhances
an organization’s security management system and improves its
overall security performance. Continual improvements must be
consistent with the organization’s security policy and can be
achieved by carrying out audits, performing management
reviews, analyzing data, and implementing corrective
and preventive actions.

Controls

A control is any administrative, management, technical, or legal
method that is used to manage risk. Controls are safeguards or
countermeasures. Controls include things like practices, policies,
procedures, programs, objectives, targets, techniques, technologies,
guidelines, requirements, and organizational structures.

Corrective Actions

Corrective actions are steps that are taken to remove the
causes of an existing security nonconformity or security incident.
The corrective action process is designed to prevent the recurrence
of security nonconformities and security incidents. It tries to make
sure that existing nonconformities and incidents don’t happen
again. It tries to prevent recurrence by eliminating causes.

Facility

The term facility refers to any item of infrastructure that has
a business function or provides a business service. It includes
property, buildings, plants, machinery, ships, vehicles, port
facilities, and related systems (including software code
that facilitates security management).

Management Review

In the context of ISO 28000, the purpose of a management review
is to evaluate the suitability, adequacy, and effectiveness of an
organization’s supply chain security management system, and
to look for improvement opportunities. Management reviews are
also used to identify and assess opportunities to change an
organization’s security management policy, objectives, and
targets and to assess changes in security threats and risks.

Management System

A management system is a set of interrelated or interacting
elements that organizations use to implement policy and
achieve objectives. There are many types of management
systems. Some of these include quality management systems, food
safety management systems, environmental management systems,
emergency management systems, occupational health and safety
management systems, information security management systems,
business continuity management systems, and, of course, supply
chain security management systems.

Nonconformance

A nonconformance (or a nonconformity) is a failure to comply with
requirements. A requirement is an expectation or obligation. It can be
stated or implied by an organization, its customers, or other interested
parties. There are many types of requirements. Some of these include
legal requirements, regulatory requirements, customer requirements,
and management requirements.

ISO 28000 2007 Part 4 lists many supply chain security management
requirements. Whenever your organization fails to meet one of these
requirements, a nonconformance (or nonconformity) occurs.

Preventive Actions

Preventive actions are steps that are taken to remove the causes of
potential security nonconformances and security incidents, ones that
have not yet occurred. Preventive actions address potential problems
(not actual problems). While corrective actions prevent recurrence,
preventive actions prevent occurrence. Both types of actions are
intended to prevent nonconformities and incidents.

Procedure

A procedure is a specified way of carrying out an activity
or a process. Procedures may or may not be documented. A
documented procedure describes and controls a logically distinct
process or activity, including the associated inputs and outputs.
Documented procedures can be very general or very detailed, or
anywhere in between. While a general procedure could take the
form of a simple flow diagram, a detailed procedure could be
a one page form or it could be several pages of text.

A detailed documented procedure defines and controls the work that
should be done, and explains how it should be done, who should do
it, and under what circumstances. In addition, it often explains what
authority and what responsibility has been allocated, which supplies
and materials should be used, and which documents and records
must be used to carry out the work.

Security

A supply chain is secure when it can resist, fend off, or withstand
unauthorized acts that are designed to cause intentional harm or
damage. Conversely, it is insecure when it cannot successfully
resist or repel such acts. Therefore, security is a variable and
relative state of resistance.

It is variable because it can vary from very secure to very insecure.
And it is relative because it depends on how threatening or dangerous
specific harmful acts are. A supply chain may be secure relative to
some threats but insecure relative to other threats.

Security Management

Security management includes all the activities and practices that
organizations use to manage security risks, threats, and impacts.
According to ISO 28000, your security management activities and
practices should be coordinated, systematic, and optimized.

Security Management Objective

A security management objective is a security outcome or
achievement. Objectives must be specific and must support and
comply with your security management policy. Security management
objectives should be tied directly or indirectly to an organization’s
product and service delivery activities.

Security Management Policy

Your organization’s security management policy should define its
general security intentions and clarify its overall direction. It should
support your organization’s general security framework and should
be used to control its security activities and processes. A security
management policy should also be used to generate security
objectives and targets and encourage their achievement. And
it should be consistent with your organization’s other policies
and must comply with all regulatory requirements.

Security Management Program

Security management programs (or programmes) are used
to achieve security management objectives and targets. This
definition establishes a means-end relationship between programs
on the one hand and objectives and targets on the other.

Security Management System

A security management system (SMS) is a complex network of
interrelated and interacting elements that combine to resist, fend off,
or withstand unauthorized acts that are designed to cause intentional
harm or damage to a supply chain. These elements include a security
management policy as well as the many programs, objectives, targets,
procedures, plans, practices, processes, controls, documents,
records, roles, relationships, responsibilities, authorities, and
resources that are used to implement this policy.

Security Management Target

Objectives are achieved by meeting specific targets. A security
management target is a specific level of performance that must be
attained in order to be able to say that a related security management
objective has actually been achieved.

Security Risk

Risk combines three elements: it starts with a potential threat
and then combines its probability with its potential severity.
In the context of ISO 28000, the concept of risk asks two
future oriented questions:

1. What is the probability that a potential security
   threat will actually occur in the future?

2. How severe would the impact be if the potential
   security threat became an actual security incident?

A high risk security threat would have both a high probability
of occurring and a severe impact if it actually occurred.

Security Risk Assessment

A risk assessment considers the effectiveness of existing security
controls and then evaluates the probability and the potential severity
of specific security threats. On the basis of such an assessment,
organizations decide what steps should be taken to manage
and control their risk.

Security Threat

A security threat is any possible intentional action or series of actions
that could potentially damage stakeholders, facilities, or operations;
destroy the integrity of a business or jeopardize its continuation;
or disrupt a supply chain or an entire economy.

Stakeholder

Individuals, groups, and organizations become an organization’s
stakeholders when they have a vested interest in its performance or its
success or are concerned about the impact of its activities. Examples
include shareholders, financiers, insurers, customers, employees,
suppliers, contractors, regulators, statutory bodies, labor
organizations, and members of society.

Supply Chain

A supply chain is a set of interconnected processes and
resources that starts with the sourcing of raw materials and
ends with the delivery of products and services to end users.
Supply chains may include producers, suppliers, manufacturers,
distributors, wholesalers, vendors, and logistics providers. They
include facilities, plants, offices, warehouses, and branches and
can be both internal or external to an organization.

Top Management

When ISO 28000 uses the term top management, it is referring to a
person or group of people at the highest level within an organization. It
refers to the people who coordinate, direct, and control organizations.
While top management in large organizations may not be personally
involved in the management of supply chain security, accountability
through the chain of command must, nevertheless, be manifest.

Upstream and Downstream

In the context of ISO 28000, the terms upstream and downstream
refer to the relative location and movement of cargo within a supply
chain and to the associated cargo management activities, processes,
and operations that occur.

Activities, processes, and operations that occur before cargo comes
under the direct operational control of an organization are said to be
upstream from it. Conversely, activities, processes, and operations
that occur after cargo leaves the direct operational control of an
organization are said to be downstream from it. Downstream and
upstream cargo management functions can include insurance,
finance, packing, storing, delivery, data processing, etcetera.