ISO 28000:2007 Requirements Stage 1 - Check list


Uploaded by doantu, 19-Sep-2018


Purpose

Checklists are available corresponding to the two stages of the overall assessment process.

While this checklist applies to stage 1, Assessors should ensure that they also have a copy of the Stage 2 checklist, available as additional reference.

The first requirement is to ensure that the scope is clear and that it correctly details the nature and scale of the operations, including physical and logical boundaries. This requires particular attention when one site with clearly defined physical boundaries (fences, barriers or natural features) houses more than one activity. If a client’s corporate procedures impact on the operations of a site, the influence or requirements of corporate direction must be defined.

It is important to confirm that the Management System addresses the security for the site (supply chain operations and activities), not the management of the security department on the site. The Security Risk Assessment must give full consideration to all areas, activities, facilities, people, processes, information and other assets falling within the documented scope. Please re-familiarise yourself with the content of the guidance document Security risk assessment according to ISO 28000 before you begin the stage 1 visit.

Stage 1 process

The Stage 1 will be a full assessment of the following:

• Security risk Assessment
• Asset identification
• Identification of threat sources
• Consequence Analysis
• Vulnerability review and analysis
• Likelihood evaluation
• Site inspection / review by assessment team, confirmation of asset and vulnerability elements
• SRA methodology
• Risk grading and prioritization
• Risk mitigation and planning
• SRA outputs becoming the inputs to the Management System “Objectives and Targets”
• Planning and implementation of protective security measures [Operational Controls (procedures, personnel and technology)] for managing the objectives and targets
• Determine the readiness for stage two audit of the client’s management system, including internal audit and management review
• Review documentation for compliance with ISO 28000
• Record the findings and conclusion.

Stage 1 checklist sequence

To maximise the effectiveness of the stage 1 assessment, the sequence of activities is:

1. Briefing by the client
2. Confirm and agree the scope
3. Confirm audit outline with client
4. Briefing by the client on existing physical security, technology and manpower offering site protection
5. Site survey by assessors (confirmation of item 4 above) and identification of potential operational and security concerns (vulnerabilities)
6. Security Risk Assessment review
7. Confirmation of existing risks and prioritisation rationale
8. Confirmation of objectives and targets drawn from SRA
9. Planning of the management of the objectives and targets.

ISO 28000:2007 Requirements Stage 1 - Check list

YOUR CERTIFICATION PARTNER “The obvious choice in ISO Certification”


General

A documented, implemented and maintained security policy?

The organisation applies a security risk assessment system?

The organisation has a security management program for achieving documented objectives and targets?

The structure, authority and responsibilities for security management are defined and documented?

The organisation is compliant with legal, statutory and other security regulatory requirements?

A security training and awareness program exists in the organisation, and personnel with security responsibilities are competent to perform their duties?

Communications protocols exist for the transfer of information within, and external to, the organisation?

A security document management system exists which includes production, identification, maintenance, handling, storage and disposal of security sensitive records, including electronic format?

Where corporate policy and procedures provide direction or a foundation for the operations at a local site (with local instructions), additional care should be given to ensure the integration of the two levels of procedures are consistent and applied uniformly throughout the site/facility being audited?

Procedures and audit plans exist for internal audit and management review?

4.1 General requirements

Has the organisation established a documented security management system?

Is the documented system treated as a controlled document? (Ref #, Registered, Date, Review)

Where Standard Operating Procedures (SOP) or Security Manuals contain security sensitive information, we would be looking for classification markings at the top and bottom of the restricted / sensitive documents. The classification markings may include such titles as IN-CONFIDENCE, PROTECTED, HIGHLY PROTECTED, RESTRICTED, CONFIDENTIAL, etc. These classification markings must be defined within the Security Procedures and include requirements for production, handling, monitoring, storage and destruction, for each classification.

4.2 Security management policy

A documented, implemented and maintained security policy exists?

The policy is authorised and endorsed by senior management?

The policy is consistent with the nature and scale of the organisation?

The policy states that a senior management position (name or title) is appointed as being responsible for the security management system?

The policy clearly states the security objectives, which provide the framework for the application of the security management system?

The policy includes the application of a risk management framework?

The policy includes a commitment to comply with applicable legislative, regulatory and statutory requirements, as well as industry requirements to which the organisation is a signatory?

The policy confirms the organisation’s position on security training and awareness?

The policy includes a commitment to continuous improvement?

The policy is communicated to all staff and other stakeholders where appropriate?

The policy is comprehendible and achievable?

The organisation may choose to maintain two versions of the security policy and procedures, one for general distribution and the other having restricted sensitive information (controlled document)?

Two copies of the policy are not necessarily going to exist, as the policy should state what is to happen / be applied and is rarely specific in relation to security activities / protective measures. The procedures will usually include instructions and guidelines for employees and visitors; it is unlikely that these publicly available sections will be classified. However, when included in a total document, all pages within that document will receive the security classification of the most sensitive material within. That is, if a document has some information containing material that is classified as PROTECTED, the entire document should be classified at that level.


Potential internal threats identified? Internal threats may include employees, contractors and authorised visitors with real or perceived grievances. Activities within a facility may also present a threat to the security of the infrastructure or operations.

Potential external threats identified? Opportunist or organised criminals, pranksters, terrorists, activities adjacent to a facility.

Note: Some security risk assessment methodologies primarily consider high consequence / low likelihood threat scenarios (terrorism) and due consideration by the client must be given to a balanced assessment focus (organised or opportunistic crime, existing or past employees).

Reliability and credibility of threat intelligence established? (internal audit and reporting, police, intelligence organisations, credible industry intelligence sources)

We require evidence that the threats were gathered from reliable sources, not just a “best guess” by the facility or consultants.

Threat and risk grading system applied? (tolerate, control, eliminate) [low, medium, high] { # } (Extreme, Very High, High, Medium, Low, Minimal)

Site/Asset Vulnerability evaluated? Potential for a threat to be realised due to the existing security integrity identified? (weaknesses / vulnerabilities)

This includes physical and procedural issues that provide increased opportunities for an incident to occur. Security review processes identify and capture protective security deficiencies. This should be considered by assessors whilst participating in the site tour. NOTE OBVIOUS WEAKNESSES AND FLAWS IN SECURITY

Consequence grading established by the organisation? [low, medium, high] { # } The organisation should determine what consequences are to be acceptable at different grades / levels. The consequence titles are to be defined in writing. More information at the end of this document. Senior management establish each consequence level acceptable to the organisation. This will vary dependent upon commercial, industrial and socially acceptable norms.

Likelihood evaluation considers threat capabilities and evidence that contributes to reaching a grade / decision (past incidents, police warnings, etc.)? Motivation and capability of threat sources shall be considered during this evaluation.

Risk determination is established, prioritised and documented? Risks are identified and graded in the assessment process. Risk priorities from the SRA are used to prioritise mitigation and management strategies? Highest risk usually receives the higher priority. Where activities / areas are assessed to have the same level of risk, evidence should exist to demonstrate how these equally graded risks were prioritised.

The outcome of the Security Risk Assessment (prioritised risks) becomes the input to the management system (objectives and targets)? Security risk management strategies documented with objectives and targets?
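A worked illustration, added here and not part of the DQS checklist, of the grading, evidence, prioritisation and objective-setting the assessor is checking for in the items above: a constructed risk register is scored on an assumed 5x5 likelihood/consequence matrix, mapped onto the checklist's grade titles and tolerate/control/eliminate decisions, prioritised with the tie-break rationale recorded, and turned into objectives. The scales, bands, reliable-source list and register entries are all constructed assumptions; ISO 28000 does not prescribe them.

```python
from dataclasses import dataclass
# Scales, matrix and bands are constructed for this example; ISO 28000 does
# not prescribe them, so a real SRA must define and document its own.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
# (upper score bound, grade title from the checklist, treatment decision)
BANDS = [(2, "Minimal", "tolerate"), (5, "Low", "tolerate"),
         (9, "Medium", "control"), (14, "High", "control"),
         (19, "Very High", "eliminate"), (25, "Extreme", "eliminate")]
RELIABLE_SOURCES = {"internal audit", "incident reports", "police", "industry intelligence"}
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    consequence: str
    evidence: str        # where the likelihood rating came from
    vulnerability: int   # 1 (well protected) .. 5 (exposed), from the site survey

def score(r: Risk) -> int:
    """Constructed 5x5 matrix: likelihood rank times consequence rank, 1..25."""
    return (LIKELIHOOD.index(r.likelihood) + 1) * (CONSEQUENCE.index(r.consequence) + 1)

def grade(r: Risk) -> tuple[str, str]:
    """Map the matrix score onto a grade title and a tolerate/control/eliminate decision."""
    s = score(r)
    return next((g, t) for upper, g, t in BANDS if s <= upper)

def check_evidence(r: Risk) -> list[str]:
    """Assessor finding: a likelihood rating must rest on a reliable source, not a best guess."""
    return [] if r.evidence in RELIABLE_SOURCES else [
        f"{r.asset} / {r.threat}: likelihood evidence '{r.evidence}' is not a reliable source"]

def prioritise(register: list[Risk]) -> list[dict]:
    """Order risks highest first. Equal scores are separated by site vulnerability, then
    consequence, and that tie-break rule is written into the record so it is auditable."""
    key = lambda r: (-score(r), -r.vulnerability, -CONSEQUENCE.index(r.consequence))
    out = []
    for rank, r in enumerate(sorted(register, key=key), 1):
        g, t = grade(r)
        tied = any(p is not r and score(p) == score(r) for p in register)
        rationale = ("equal score; ranked by site vulnerability, then consequence"
                     if tied else "unique score")
        out.append({"priority": rank, "asset": r.asset, "threat": r.threat, "score": score(r),
                    "grade": g, "treatment": t, "rationale": rationale})
    return out

def objectives(prioritised: list[dict]) -> list[str]:
    """SRA output as management-system input: one objective per risk that is not tolerated."""
    return [f"{p['treatment']} {p['threat']} against {p['asset']} (priority {p['priority']}, {p['grade']})"
            for p in prioritised if p["treatment"] != "tolerate"]

# Constructed register for one distribution site.
REGISTER = [
    Risk("loading dock", "cargo theft by organised crime", "likely", "major", "police", 4),
    Risk("IT room", "unauthorised access to shipment data", "possible", "major", "internal audit", 3),
    Risk("warehouse", "sabotage by aggrieved contractor", "likely", "moderate", "best guess", 2),
    Risk("perimeter fence", "intrusion by opportunist", "likely", "minor", "incident reports", 5),
    Risk("car park", "vandalism by pranksters", "unlikely", "insignificant", "incident reports", 3),
]
```

The IT room and warehouse entries score equally, so the record for each shows the documented tie-break rather than an unexplained ordering, which is the evidence the checklist item asks for.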

Risk control and mitigation specifications from industry standards identified and applied where required? (WCO, AEO, C-TPAT, TAPA)

Management processes include requirements for design, specification and installation of new and existing structures and equipment? Has the organisation considered and conducted a security risk assessment for refurbishments, new and proposed structures, procedures, electronic security aids, etc.? Ergonomic and environmental factors require consideration in relation to risks to personnel.

Security nonconformity and incident investigation procedures documented? What are the steps and who carries out the processes? (for consideration in vulnerability evaluation)

A documented records management system exists for security documents and records that includes production, identification methodologies, maintenance, movement and handling, storage and archiving and destruction procedures? The different classifications of documents should have different procedures commensurate to the sensitivity of the information.

Monitoring of security management systems? (incident reporting, audit, reviews)

Risk review scheduling including response to major incidents? A site may choose to group and review all areas for potential risks at a scheduled time or prepare a rolling review process whereby all areas of potential risk are reviewed in a specified time frame.

Security management system, including identification of assets and SRA, subject to senior management review and continuous improvement practices?


4.3.3 Security management objectives

Does the organisation have documented security management system objectives?

Mechanism for determining objectives documented? Objectives derived from SRA identified risks?

Security management system objectives consistent with policy?

Objectives relate to all relevant functions and levels within the organisation?

Legislation and other regulatory requirements, risks, business continuity and stakeholders considered when objectives set?

Technological and other options considered?

Are all functional areas within the organisation addressed? (existing and proposed)

4.3.4 Security management targets

Targets are set to achieve the objectives within a specified and realistic timeframe?

Targets are consistent with levels of identified and prioritised security risk in each functional area or asset?

Target progress is monitored to ensure continued relevance and timeliness with changing security and management needs?

Objectives and target setting methodologies are reviewed periodically? Key Performance Indicators (KPI). These may be derived from incident types and should also reflect the outputs from the Security Risk Assessment. They may include:

• “Security incidents involving death or serious injury”
• “Security incidents involving injury”
• “Security incidents involving disruption to operations”
• “Security breaches”
• “Security equipment failure”
• “Non-conformance reports”

These are only examples and whatever KPIs are set should be clearly defined and documented. KPIs are often consistent with consequence grades / levels. Security incident titles are poor KPIs. Robbery, assault, theft, damage, etc. are types of incidents and it is rare to find them used as KPIs.

4.3.5 Security management programs

Security Management programs consider business efficiency and cost effectiveness during implementation?

Security strategies evaluated and sufficient measures to manage the risks implemented? Are the mitigation programs, strategies and plans fit for purpose, and will they achieve the desired results as specified in the objectives?

Funding and resource needs identified, including staff levels?

Security management procedures and systems are applied to new projects or major variations to existing organisational structure, production or infrastructure? Proposed additions or variations to an organisation undergo a Security Risk Assessment prior to work commencing.

4.4.1 Structure, authority and responsibilities

Security roles, responsibilities and authorities are defined, documented and communicated? (Security manuals, procedures, training packages) Who is responsible v. who does what?

A Member(s) of top management is responsible for the design, maintenance, documentation and improvement of the security management system?

Management allocate appropriate resources, including personnel, equipment, expertise and training, to the security management system?

Line manager with security responsibilities (including deputy or substitute) have their security roles and responsibilities identified and documented?


Employees and contractors involvement in a security consultative process?

Security nonconformity identification and reporting system for general use?

Security incident reporting and communications system applicable to all staff and contractors?

Security awareness program extends to the workplace? (notice boards, newsletters)

Secure communications and information exchange system for exchange with relevant authorities and business partners?

Security communications protocols exist regarding receiving and responding to security and threat related information, from internal and external sources?

Security consultative process with business partners and other key stakeholders?

4.4.4 Documentation

The organisation has fully documented all aspects of the security management system?

The security documentation is subject to records management procedures? (registered)

Security sensitive information is identified, controlled and secured to prevent unauthorised access? Refer to previous comments in 4.1.

Examined documents are legible and comprehensible?

4.4.5 Document and data control

Document register system with locations exists, for access of secure information by authorised personnel? “Need to Know” is classification based? Restricted distribution lists maintained?

A systematic document / information creation and review process is itself documented?

The document review process provides timings, or circumstances when documents shall be reviewed, and defines the “authorised person(s)”?

The review process ensures that documents, data and information are periodically reviewed, revised where necessary and approved by authorised person(s)?

The documentation system ensures that current versions of documents / information are available?

The system ensures the removal of obsolete copies of documents / information?

The system ensures that the different security status of documents / information is readily identifiable? Refer to earlier comments on classification.

Documentation / information requiring protection is suitably secured? The system for securing information / documents is clearly defined.

The system establishes procedures for archival and retention? (retention periods specified)

The system establishes procedures for document / information destruction?

Suitable storage and backup procedures exist for electronic forms of information / data?


DQS (Pty) Ltd, 2nd Floor Process House, 279 Kent Avenue, Randburg. Tel: +27 11 787 0060 | Toll free: ZA 0800 11 5901 | email: [email protected] | <http://www.facebook.com/DQSCert?sk=wall> | <https://twitter.com/#!/DQSCert>