Have you heard of ISO 28002? No? You should take note of this standard, because the ISO 28000 series specifies the requirements for a security management system for the supply chain. The standards address potential security issues at all stages of the supply process, thus targeting threats such as terrorism, fraud and piracy. The most recent addition to the series is ISO 28002: Security management systems for the supply chain – Development of resilience in the supply chain, published in September 2010. ISO 28002 details how an organization can engage in a comprehensive and systematic process of prevention, protection, preparedness, mitigation, response, continuity and recovery. This post will take an inside look at ISO 28002 and highlight the essential content.
ISO 28000 series
News about ISO 28002 has been circulating on the web for some time now, and continuitycomliance.org wrote about ISO 28002 already more than a year ago. Interestingly, the ISO 28000 series is listed under “ships and marine technology” on the ISO website. Given that much of today’s global trade is carried by cargo ships circling the globe in a complex pattern, this is not surprising, and maritime security is important in ensuring timely deliveries of goods and supplies. Nonetheless, the ISO 28000 series standards are applicable to all modes of transport, air cargo included, and the recent bomb packages found on cargo planes highlight that supply chain security is not something that should be easily ignored.
The ISO 28000 series consists of
- ISO 28000,
Specification for security management systems for the supply chain
- ISO 28001,
Best practices for implementing supply chain security – Assessments and plans – Requirements and guidance
- ISO 28002,
Development of resilience in the supply chain
- ISO 28003,
Requirements for bodies providing audit and certification of supply chain security management systems
- ISO 28004,
Guidelines for the implementation of ISO 28000
- ISO 28005,
Electronic port clearance (EPC), part 1 and part 2
This post will look at ISO 28002 only.
The first thing that strikes me when I open ISO 28002 is a figure showing the framework for resilience management in the supply chain. It is the same global environment perspective that is used by the Supply Chain Council in their Supply Chain Risk Management framework based on the SCOR model. Yet it is not even referenced as being related to the SCOR framework, even though it is the exact same figure.
Terms and definitions
As with all standards, there is a list of terms and definitions, so let me just cite the most useful:
A supply chain is a linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products and services to the end user across the modes of transport.
Simple and straightforward.
Resilience is the adaptive capacity of an organization in a complex and changing environment. Resilience also describes the capability of an organization to prevent or resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period of time after being affected by an event. Resilience means the capability of a system to maintain its functions and structure in face of internal and external change and to degrade gracefully when it must.
Interesting… especially the last notion of degrading gracefully. Adaptive capacity has been covered in a previous post on this blog.
Security is the condition of being protected against hazards, threats, risks, or loss.
Interestingly, the standard does not differentiate between safety and security. More puzzling perhaps is this on the ISO website: “The ISO 28000 series of International Standards specifies the requirements for a security management system to ensure safety in the supply chain” (my emphasis on “safety”). A bit contradictory maybe, because security and safety are two very different animals in my opinion.
Resilience management process
The resilience management process follows the well-known quality principle of Plan-Do-Check-Act, as seen in the figure below (summarized here as a list):
- Understand the organization’s risk, security, preparedness, response, continuity and recovery requirements (mind you, ALL need to be covered).
- Establish risk management policies and objectives.
- Implement and operate controls to manage the risk within the objectives.
- Monitor and review the performance and effectiveness of the resilience management system.
- Improve continuously.
Resilience policy statement
Adopting the standard requires an organization to produce a resilience policy statement. The policy must
- include a commitment to employee and community life and safety as the first priority,
- include a commitment to continual improvement,
- include a commitment to enhanced organizational and supply chain sustainability and resilience,
- include a commitment to adaptive and proactive risk minimization,
- include a commitment to comply with applicable legal requirements and with other requirements to which the organization subscribes, and
- determine and document the risk tolerance or readiness to bear risk.
A couple of things are worth noting here. The first bullet point puts the employees’ well-being ahead of anything else, something Alex Fullick highlights in his book, Heads in the Sand. It is also interesting to see supply chain sustainability being part of supply chain security. And, unsurprisingly, security is best achieved through proactive mitigation, not reactive response.
Internal and external resilience
ISO 28002 emphasizes the differences between internal and external parameters, as these two perspectives require a different scope and different criteria for risk management, i.e. different risk assessment objectives, risk and recovery criteria, and risk treatment processes.
Resilience comes from within an organization, but the test for a company’s resilience is more often than not created by external forces.
There is a strong demand for standards and best practices when organizations are seeking assurance that their suppliers and the extended supply chain have planned for, and taken the necessary steps to prevent and mitigate, the threats and hazards to which they are exposed. Only this way can resilience in the supply chain be achieved. Or was it resiliency? The standard seems a bit undecided as to which word to use, as both appear throughout the publication. A standard should try to adhere to one form, in my opinion, especially since it defines resilience, but not resiliency.
That said, do we need yet another standard? Alex Fullick thinks there are too many standards already, because if a corporation does choose to follow one (set of) standard(s), it may be missing out on another perspective (subscribed to by the other standards) and have an area that is lacking the attention it deserves. Maybe, so he says, there really cannot be a standard that completely addresses every aspect, and maybe that is why there is always a new one being developed. As far as ISO 28000 goes, I think that it is a needed standard.
- iso.org: ISO/PAS 28002