ISO 28001 (Annex A ) Ship in Service Training Material A-M CHAUVEL.

Date post: 27-Dec-2015

ISO 28001 (Annex A)

Ship in Service Training Material A-M CHAUVEL

ISO 28001 – Annex A: Supply Chain Security Process

A-M CHAUVEL - BUREAU VERITAS - DNS / DCO, Ships in Service Training Material

Figure (supply chain overview, captioned "To secure and facilitate global trade"), nodes from raw material to end user: Raw material supplier; Producer factory; Packing station; Land transportation; Port facility loading; Port facility freight yard; Sea transportation; Port facility unloading; Port facility freight yard; Land transportation; Storage & Distribution; Unpacking station; Customer / End user.

ISO 28001 – Annex A: A.1 General

This annex provides guidance on the development of a Supply Chain Security process that can be implemented in an organization with an existing management system.

Figure A.1 provides a graphical description of such a process.

A.1 Description of a Supply Chain Security process (Figure A.1)

Figure A.1 (flowchart of the Supply Chain Security process): Identify scope of Security Assessment → Conduct Security Assessment → Identify existing Security Measures → List applicable threat scenarios → Select a threat scenario → Determine Consequence → Determine Likelihood → Evaluate Security Measures → Adequate? (No: Develop Counter measures → Adequate?) → all scenarios Assessed? (No: select the next scenario) → Develop & Execute Security Plan → Document & Monitor Security Process, closed by a Continual Improvement loop.

A.2 Identification of the scope of the assessment


A Security Assessment is an attempt to identify the risks present in that part of the Supply Chain.

To accomplish this assessment, the boundaries of the scope of coverage (both physical and virtual) need to be established.

ISO 28001 – Annex A


Using qualified personnel, the existing arrangements at all locations have to be assessed:

- where goods are being manufactured, processed, ...

- where goods are being transported,

- where custody changes hands,

- other, ...

See the Performance review list.

A.3 Conducting the Security Assessment

A.3.1 General - The existing security arrangements at all locations have to be assessed where there are potential Security vulnerabilities, which should include but are not limited to the following locations, where:

- Goods are being manufactured, processed or handled prior to being loaded in a transport unit, palletized, or otherwise prepared for shipment.

- Goods prepared for shipment are stored or consolidated prior to transportation.

- Goods are being transported.

- Goods are loaded into or unloaded from a conveyance.

- Custody of the goods changes hands.

- Documentation or information pertaining to goods being shipped is handled, generated or accessible.

- Inland transportation routes and means of conveyance used by the various modes of transportation…

A.3.2 Performance Review List

For reviewing the existing Security arrangements of business partners who have confirmed to the organization that they:

- Are verified compliant with this Standard or the ISPS Code, or

- Are covered by internationally accepted certificates or approvals, or

- Have been designated as Authorized Economic Operator in accordance with the WCO SAFE Framework.

A.3.3 Performance review list (Table A.1)

Table A.1 columns: Factor | Yes | No | Comments. Factor groups:

- Management of Supply Chain Security
- Security Plan
- Personnel Security
- Asset Security
- Information Security
- Goods and Conveyance Security
- Closed Cargo Transport Units

Table A.1 Performance Review List: Management of Supply Chain Security (each factor is answered Yes | No | Comments)

- Does the organization have a management system that addresses Supply Chain Security?
- Does the organization have a person designated as responsible for Supply Chain Security?

Table A.1 Performance Review List: Security Plan (Yes | No | Comments)

- Does the organization have (a) current Security plan(s)?
- Does the plan address the organization’s Security expectations of upstream and downstream business partners?
- Does the organization have a crisis management, business continuity, and Security recovery plan?

Table A.1 Performance Review List: Personnel Security (Yes | No | Comments)

- Does the organization have procedures to evaluate the integrity of employees prior to employment and periodically relative to Security?
- Does the organization conduct specific, job-appropriate training to assist employees in performing their Security duties?
- Does the organization make employees aware of the procedures the company has in place to report suspicious incidents?
- Does the access control system incorporate immediate removal of a terminated employee’s company-issued identification and access to sensitive areas and information systems?

Table A.1 Performance Review List: Asset Security (Yes | No | Comments)

- Does the organization have in place measures that address:
  - the physical Security of buildings;
  - monitoring and controlling of exterior and interior perimeters;
  - application of access controls that prohibit unauthorized access to facilities, conveyances, loading docks and cargo areas, and managerial control over the issuance of identification (employee, visitor, vendor, etc.) and other access devices?

Table A.1 Performance Review List: Asset Security, continued (Yes | No | Comments)

- Are there operational Security technologies which significantly enhance asset protection, e.g. intrusion detection, recorded CCTV/DVS cameras that cover areas of importance to the Supply Chain activity, with recordings maintained long enough to be used in an incident investigation?
- Are there protocols in place to contact internal security personnel or external law enforcement in case of a Security breach?
- Are procedures in place to restrict, detect and report unauthorized access to all cargo and storage areas?
- Are persons delivering or receiving cargo identified before cargo is received or released?

Table A.1 Performance Review List: Information Security (Yes | No | Comments)

- Are procedures employed to ensure that all information used for cargo processing, both electronic and manual, is legible, timely, accurate and protected against alteration, loss or introduction of erroneous data?
- Does the organization shipping or receiving cargo reconcile the cargo with the appropriate shipping document?
- Does the organization ensure that cargo information received from business partners is reported accurately and in a timely manner?

Table A.1 Performance Review List: Information Security, continued (Yes | No | Comments)

- Is relevant data protected through use of storage systems not contingent on the operation of the primary data handling system (data backup)?
- Do all users have a unique identifier (ID) for their personal and sole use, to ensure that their activities can be traced to them?
- Is an effective password management system employed to authenticate users, and are users required to change their passwords at least annually?
- Is there protection against unauthorized access to and misuse of information?

Table A.1 Performance Review List: Goods and Conveyance Security (Yes | No | Comments)

- Are procedures in place to restrict, detect and report unauthorized access to all shipping, loading dock areas and closed cargo transport unit storage?
- Are qualified persons designated to supervise cargo operations?
- Are procedures in place for notifying appropriate law enforcement in cases where anomalies or illegal activities are detected or suspected by the organization?

Table A.1 Performance Review List: Closed Cargo Transport Units

The WCO SAFE Framework includes a “Seal Integrity Program”; personnel filling in this form should review that section. See its annex 1, which sets out procedures regarding the affixing and verification of high Security seals and/or tamper detection devices.

Table A.1 Performance Review List: Closed Cargo Transport Units (Yes | No | Comments)

- If a closed cargo transport unit is used, are there documented procedures for affixing and recording high Security mechanical seals meeting ISO/PAS 17712 and/or other tamper-detection devices by the party stuffing the cargo unit?
- If a sealed closed cargo transport unit is used, are there documented procedures in place to inspect seals for signs of tampering when the custody of conveyances changes during the course of a shipment, and to address detected discrepancies?
- If a closed cargo transport unit is used, is it inspected for contamination by the party stuffing it immediately before stuffing?

Table A.1 Performance Review List: Closed Cargo Transport Units, continued (Yes | No | Comments)

- If closed cargo transport units are used, are documented procedures in place for inspecting them immediately before stuffing by the party stuffing them, to verify their physical integrity, including the reliability of the unit locking mechanisms?

A seven-point inspection process is recommended:

- Front wall
- Left side
- Right side
- Floor
- Ceiling / Roof
- Inside / Outside closure
- Outside / Undercarriage

A.3.3 Performance Review

The performance review list shown in Table A.1 can be completed and considered when conducting a Security Assessment for an organization:

- If the factor is already implemented by the organization the “Yes” block should be checked.

- If the factor is not already implemented or is partially met the “No” block should be checked.

- If the factor is not applicable or is outside the organization’s statement of coverage, Not Applicable (NA) should be noted in the “Comments” block.

A.3.4 Security Threat Scenarios

During the Security Assessment, consider the Security Threat Scenarios listed in Table A.2. The Security Assessment should also consider other scenarios that may be determined by government authorities, the organization’s management or the Security professional(s) conducting the assessment.

Table A.2 Security Threat Scenarios:

- Intrude or take control of an asset within the Supply Chain (damage, hostage, kill people)
- Using the Supply Chain as a means of smuggling (illegal weapons, terrorists into or out of the country)
- Information tampering (disrupting operations, facilitating illegal activities)
- Cargo integrity (sabotage or theft for the purpose of terrorism)
- Unauthorized use (facilitate a terrorist incident, using the mode of transportation as a weapon)
- Others


A.4 Development of the Security Plan

A.4.1 General

The Security Plan and/or its annexes may be incorporated into operational plans or procedures and need not be stand-alone documents.

If the Security Plan is incorporated into other plans, the organization should maintain a cross-reference table to enable verification.

The plan may be separated into annexes, each describing the security in place for a particular segment of the Supply Chain, including the Security measures that business partners will maintain according to their Security declarations.


A.5 Execution of the Security Plan

The implementation of the new or revised Security Plan represents a change to operational practices.

It needs to be undertaken in accordance with the organization’s management system to ensure:

- That adequate resources are available.

- That the impact on other operations is managed.

- That the effectiveness of the plan is monitored and evaluated.


A.6 Documentation and Monitoring of the Security Process

The organization should establish and maintain procedures to monitor and measure the performance of its Security Management System to ensure its continuity, suitability, adequacy and effectiveness.

The organization should consider the associated Security threats and risks, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the Key Performance parameters.


A.7 Continual Improvement

Management in operational control of that portion of the Supply Chain should review the organization’s Security management system to assess:

- Opportunities for improvement.

- The need for changes to the Security management system.

Annex B (Informative): Methodology for Security Risk Assessment and Development of Countermeasures

B.1 General

This annex gives a methodology that may be used by organizations:

- To make an assessment of the risk that their operations may suffer from Security incidents.

- To determine the appropriate countermeasures, effective for the type and size of their Supply Chain operations.


This methodology uses the following sequence:

a) List all activities as covered in the scope.
b) Identify the Security controls presently in place.
c) Identify the Security threat scenarios.
d) Determine the consequences if the Security threat scenario was completed.
e) Determine the likelihood of this happening considering the current Security.
f) Decide whether the existing Security control measures are adequate.
g) If not, develop additional Security measures.

Figure B.1 is a graphical representation of the process.

B.2 Security Threat Scenarios

Step 1: Consideration of the Scenarios

Threat scenarios (Table A.2):

- Intrude or take control of an asset within the Supply Chain (damage, hostage, kill people)
- Using the Supply Chain as a means of smuggling (illegal weapons, terrorists into or out of the country)
- Information tampering (disrupting operations, facilitating illegal activities)
- Cargo integrity (sabotage or theft for the purpose of terrorism)
- Unauthorized use (facilitate a terrorist incident, using the mode of transportation as a weapon)
- Others

During the assessment consider:

- Access control on premises: including neighbourhood, means of transportation, information, others.
- Means of transportation: taking into account normal operation, maintenance shops, changes of means, conveyances while at rest, use of means of transportation as a weapon, ...
- Handling: loading, manufacturing, storage, transfer, unloading, deconsolidation/consolidation, ...
- Transport of goods by: air, road, rail, inland waterway, ocean shipping, ...
- Intrusion detection/prevention applied to shipments during inspections, e.g. vehicle
- Employees: level of competence, training, awareness, integrity
- Use of business partners
- Communication internal/external: information exchange, emergency situations, ...
- Handling or processing of information about cargo or transport routes: data protection, data assurance, ...
- External information: legal, orders by authorities, industry practices, accidents and incidents, response times, ...


B.3 Classification of Consequences

Step 2: The consequences of each Security incident evaluated should be classified. Rationales for the classifications of the consequences should be documented.

- Acceptability should not be confused with desirability or approval.
- Acceptability could be considered as a judgment of the amount of possible damage which the organization is willing to accept under certain conditions related to probability. An organization or government may determine that the possibility of a certain level of damage may be undesirable yet acceptable.

Assign a rating. The consequence rating could be:

- Low: normally acceptable.
- Medium: unacceptable in a high likelihood situation.
- High: unacceptable in all but low likelihood situations.

Table B.2 Consequence classification:

- Low. Death & injury: injuries but no loss of life. Economic impact: minimal damage to an asset or infrastructure and systems. Environmental impact: some environmental damage.
- Medium. Death & injury: loss of life. Economic impact: damage to an asset or infrastructure requiring repairs. Environmental impact: long-term damage to a portion of the ecosystem.
- High. Death & injury: loss of life on a certain scale. Economic impact: major damage to an asset or infrastructure preventing further operations. Environmental impact: complete destruction of multiple aspects of the ecosystem over a large area.

B.4 Classification of Likelihoods

Step 3: The likelihood of each Security incident evaluated should be classified:

High likelihood: When the Security measures in place offer little resistance to the Security incident occurring.

Medium likelihood: When the Security measures in place offer moderate resistance to the Security incident occurring.

Low likelihood: When the Security measures in place offer substantial resistance to the Security incident occurring.

B.5 Security Incident Scoring

Step 4

Identification of countermeasures is required for Security incidents that score high in both likelihood and consequences.

Other Security incidents need not include countermeasures, unless they are considered advisable by the evaluator.

The person assessing the Security should list each Security incident required to be considered for countermeasure.

Scoring matrix (rows: Consequence score; columns: Likelihood classification):

Consequence \ Likelihood | Low      | Medium         | High
High                     | Consider | Countermeasure | Countermeasure
Med.                     | Document | Consider       | Countermeasure
Low                      | Document | Document       | Consider

Countermeasure: means that mitigation strategies, such as security protective measures and/or procedures, may be developed to reduce the risk for that scenario.

The appendix to the Security Plan may contain:

- The scenario(s) evaluated.
- The results of the evaluation.
- A description of the mitigation measures evaluated.
- The reason mitigation measures were or were not chosen.

Consider: means that the scenario should be considered and mitigation strategies should be developed on a case-by-case basis.

The Security Plan may contain:

- The scenario(s) evaluated.
- The results of the evaluation.
- The reason mitigation measures were or were not chosen.

Document: means that the scenario may not need a mitigation measure at this time and therefore needs only to be documented. However, mitigation measures having little cost may still merit consideration.

The Security Plan may contain:

- The scenario evaluated and the results.

This will be beneficial in further revisions of the Security Plan, to know whether the underlying assumptions have changed since the last edition of the Security Assessment.

B.6 Development of Countermeasures

Step 5

If the development of countermeasures is required or considered advisable by the evaluator, both the consequences and/or the likelihood of the Security threat scenario should be considered for mitigation.

Examples of mitigation measures (figure): guards, patrols, CCTV, X-ray machines, doors, barriers, signs, detectors, contingency plans, training, dogs.

Countermeasures may come under the following actions:

- Treat: may be organizational and/or physical measures.

- Transfer: may be subcontracting, physical transfer to other locations, time, ...

- Terminate: it is possible that, due to the level of risk, the organization decides not to continue the activities.

B.7 Implementation of Countermeasures

Step 6

New countermeasures represent a change to operational practices and need to be enacted in accordance with the organization’s management system to ensure that:

- Adequate resources are available.

- The impact on other operations is managed.

- The change has the support of management.

B.8 Evaluation of Countermeasures

Step 7

Using the methods specified in the Standard, each countermeasure should be assessed for effectiveness in lowering the likelihood or consequences (or both) until the Security risk no longer requires that additional countermeasures be considered.

The countermeasure achieving this is considered to be effective, and should be listed in the Security assessment report.

B.9 Repetition of the Process

Step 8

After countermeasures have been developed and evaluated as effective, continue the process for the next threat scenario until the scenario list is depleted.
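A worked example of Annex B Steps 2 to 8 in Python, added here and not part of the training material or the standard: it encodes the three-level consequence and likelihood classes, the scoring matrix of Step 4, and the develop, evaluate and repeat loop of Steps 5 to 8. The scenario names, the candidate countermeasures and the number of levels each one lowers are constructed assumptions for this example.

```python
"""ISO 28001 Annex B Steps 2-8 as code. Constructed example, not the standard's own code."""
from dataclasses import dataclass, replace
from enum import IntEnum

class Level(IntEnum):  # used for both consequence (B.3) and likelihood (B.4)
    LOW = 0
    MEDIUM = 1
    HIGH = 2

# Step 4 scoring matrix: row = consequence score, column = likelihood classification.
DECISION = {
    Level.HIGH:   {Level.LOW: "consider", Level.MEDIUM: "countermeasure", Level.HIGH: "countermeasure"},
    Level.MEDIUM: {Level.LOW: "document", Level.MEDIUM: "consider",       Level.HIGH: "countermeasure"},
    Level.LOW:    {Level.LOW: "document", Level.MEDIUM: "document",       Level.HIGH: "consider"},
}

def score(consequence: Level, likelihood: Level) -> str:
    """Step 4: the action the matrix requires for one scenario."""
    return DECISION[consequence][likelihood]

@dataclass(frozen=True)
class Scenario:
    name: str
    consequence: Level
    likelihood: Level

@dataclass(frozen=True)
class Countermeasure:
    # A 'treat' action; how many levels it lowers is this example's assumption.
    name: str
    lowers_likelihood: int = 0
    lowers_consequence: int = 0

def apply(scenario: Scenario, cm: Countermeasure) -> Scenario:
    """Step 7: re-classify the scenario after a countermeasure, never below LOW."""
    return replace(
        scenario,
        likelihood=Level(max(0, scenario.likelihood - cm.lowers_likelihood)),
        consequence=Level(max(0, scenario.consequence - cm.lowers_consequence)),
    )

def assess(scenarios, candidates, advisable=frozenset()):
    """Steps 4-8: score each scenario; where the matrix says 'countermeasure' (or the
    evaluator flagged it advisable) apply candidates in order until none is required,
    then continue with the next scenario until the list is depleted (B.9)."""
    report = []
    for original in scenarios:
        current, applied = original, []
        queue = list(candidates.get(original.name, []))
        # Advisable scenarios receive every candidate the evaluator listed for them.
        while queue and (score(current.consequence, current.likelihood) == "countermeasure"
                         or original.name in advisable):
            cm = queue.pop(0)
            current = apply(current, cm)
            applied.append(cm.name)
        final = score(current.consequence, current.likelihood)
        report.append({
            "scenario": original.name,
            "initial": score(original.consequence, original.likelihood),
            "countermeasures": applied,  # listed in the assessment report (B.8)
            "effective": final != "countermeasure",
            "final": final,
            "residual": (current.consequence.name, current.likelihood.name),
        })
    return report

# Constructed sample input; scenario names follow the Table A.2 categories.
SCENARIOS = [
    Scenario("Cargo integrity (sabotage or theft)", Level.HIGH, Level.HIGH),
    Scenario("Information tampering", Level.MEDIUM, Level.LOW),
    Scenario("Unauthorized use of the conveyance", Level.MEDIUM, Level.MEDIUM),
]
CANDIDATES = {
    "Cargo integrity (sabotage or theft)": [
        Countermeasure("ISO/PAS 17712 seals checked at each custody change", lowers_likelihood=1),
        Countermeasure("Recorded CCTV covering the loading dock", lowers_likelihood=1),
    ],
    "Unauthorized use of the conveyance": [
        Countermeasure("Identify drivers before cargo is released", lowers_likelihood=1),
    ],
}

def demo():
    # 'Unauthorized use' scores only 'consider', but the evaluator deems a low-cost measure advisable.
    return assess(SCENARIOS, CANDIDATES, advisable={"Unauthorized use of the conveyance"})
```

The first scenario needs two countermeasures before its score drops from "countermeasure" to "consider"; the report rows are what the Security Plan appendix records per scenario.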


B.10 Continuation of the Process

The process of assessment is continual.

Security must be monitored continually to ensure Security measures are performing as intended and the assessment process should be performed as needed.

Annex C (Informative): Guidance for obtaining advice and certification

C.1 General

If an organization determines that it needs advice or help with carrying out Security assessments, developing security plans, or implementing the necessary requirements, it may seek external consulting services.

Organizations intending to implement ISO 28001 are not obliged to obtain the services of an outside consultant.


It is, however, the responsibility of the organization seeking advice to check and verify the competence of consultants offering advisory services, for example by seeking recommendations, following up references or by reviewing work carried out.

Consultants that provide services to the organization would be precluded from participating in third party audits of the same organization.

C.2 Demonstrating conformance by audit

ISO 28001 is a requirements specification intended to help organizations which opt to voluntarily implement the requirements establish and demonstrate an appropriate level of Security within those part(s) of the Supply Chain(s) they control.

It therefore serves as a basis for determining, validating or demonstrating the level of existing Security within organizations’ Supply Chain(s) through a first, second or third party audit process, or by any government agency that chooses to use compliance with this Standard as the basis for acceptance into its Supply Chain Security programs.

Figure (audit process): Internal audit = first party (the organisation itself); External audit = second party (client or organisation auditing its supplier) or third party (accredited organisation).


Government agencies that choose to use compliance with this Standard as the basis for acceptance into their Supply Chain Security programs may:

- Wish to certify and validate such compliance themselves, or

- To avoid duplication, choose to rely on audits by other parties.

Validation and certification by a government or government agency:


The WCO sets guidelines for Customs administrations regarding validation and certification requirements for national Customs Supply Chain Security programs in conformance with the WCO SAFE Framework, and for mutual recognition of such programs.

C.3 Certification by third party bodies

If demonstration of compliance is sought through the third party audit process, then the organization seeking certification should consider selecting a third party certification body accredited by a competent accreditation body, such as those which are members of the International Accreditation Forum Inc. (IAF) and subject to the IAF Multilateral Recognition Arrangement (MLA). Such accredited certification bodies comply with internationally recognized rules, codes of practice and audit protocols, such as ISO 17021 and ISO 19011.

Risk Assessment Scoring

• The process must be dynamic.

• If something is “obvious” it probably doesn’t need a risk assessment.

• It needs to be understood by both Shipboard and Port Facility personnel.

• Every part of the process needs to be accurate.

• The process must deal in “reality”.
