Competency Unit: Exemplar Global SCY Security Management Systems Auditing

Transcription

1 Please visit: for your region s Principal Office contact details. info@exemplarglobal.org Competency Unit: Exemplar Global SCY Security Management Systems Auditing How to use this document The purpose of this Competency Unit is to give Training Providers detailed information on the performance criteria required of those who are seeking to become certified Exemplar Global Security Management Systems Auditors. This competency unit applies to the knowledge requirements for several Exemplar Global personnel certification schemes. A Training Provider is someone who has received the Exemplar Global Training Provider and Examiner Certification Scheme (TPECS) certification for the development and delivery of the Exemplar Global-SCY examination. A potential Exemplar Global Security Management Systems Auditor is someone who conducts security management system audits, oftentimes as a member of an audit team. To become a certified Exemplar Global Security Management Systems Auditor, an individual must show evidence that they have adequate skills in the fourteen (14) areas of Competencies shown in the tables below. These individuals show competency by meeting the performance criteria shown in the second column. Training Providers are responsible for ensuring that these individuals provide adequate evidence of the performance criteria, according to the Evidence Guide. Training Providers use an accompanying Examination Profile to document how evidence will be collected and are authorized to administer the TPECS Competency Unit examination through their TPECS certification. All TPECS examinations will measure the performance criteria shown in this competency unit as written. Document Ref: TCD59 Exemplar Global SCY Competency Unit Edition: 3 Page: 1 of 6 Issued: 21-Apr-14 Printed : 21-Apr-14

2 1. Understand requirements of management systems. 2. Understand how to determine the adequacy and effectiveness of a management system. 1.1 The documentation required for an effective management system is described. 1.2 The interrelationships between the management system manual, procedures, planning, policy, and objectives are explained within the context of a given business/industry sector. 1.3 The benefits of using the process approach to develop, implement and improve the effectiveness of a management system, customer focus and continual improvement are described, within the context of a given business/industry sector. 1.4 The importance of planning and resourcing a management system is described. 2.1 Methods to evaluate the effectiveness of an entire management system are described, within the context of a given business/industry sector. 2.2 Appropriate verification procedures to establish the currency, relevance, and effectiveness of a management system are described. 2.3 Omissions in a management system that could affect security are identified. 2.4 The adequacy of a management system in preventing, reducing, or eliminating security hazards is described. E1.1 Management system documentation requirements are defined in accordance with ISO 28000:2007 clauses 4.1 (general requirements) and (documentation). E1.2 Interrelationships between the various levels of documentation are described in accordance with ISO 28000:2007 clauses 4.1 (general), 4.2 (security management policy), and 4.3 (security risk assessment and planning). E1.3 The process approach to the development of management systems is described in accordance with ISO 28000:2007 Introduction. E1.4 Requirements for planning and resourcing a management system are described in accordance with ISO 28000:2007 clauses (security risk assessment) and (structure, authority and responsibilities for security management). E2.1 Requirements for Management Review are described in accordance with ISO 28000:2007 clause 4.6 (management review and continual improvement). E2.2 Requirements for Internal Audit are described in accordance with ISO 28000:2007 clauses (system evaluation) and 4.6 (management review and continual improvement). E2.3 Critical omissions are defined in accordance with ISO 28000:2007 clauses 4.3 (security risk assessment and planning) and (system evaluation). E2.4 System adequacy is defined in accordance with ISO 28000:2007 clauses (security performance measurement and monitoring) and (system evaluation). Document Ref: TCD59 Exemplar Global SCY Competency Unit Edition: 3 Page: 2 of 6 Issued: 21-Apr-14 Printed : 21-Apr-14

3 3. Understand requirements and methods for ensuring continuous improvement. 3.1 The impact of continuous improvement processes on management systems is described. 3.2 The role of continuous improvement in identification of preventive actions is described. E3.1 Continuous improvement processes are described in accordance with ISO 28000:2007 clause 4.6 (management review and continual improvement). E3.2 Methods for identification of preventive actions are described in accordance with ISO 28000:2007 clause 4.6 (management review and continual improvement). 4. Understand legislative requirements, industry codes and regulations that are applicable to security management. 4.1 The appropriateness and effectiveness of controls based on legislative requirements, industry codes, and other technical information relevant to security management are defined. E4.1 Methods to identify legal and other requirements applicable to security management are described in accordance with ISO 28000:2007 clause (legal, statutory and other security regulatory requirements). 5. Understand the elements of risk management as defined in ISO 31000: The main elements and principles of risk management are defined. E5.1 The elements of risk management are described in accordance with ISO 31000:2009 (Introduction and clause 3, principles) and ISO 28000:2007 clause (security risk assessment). 6. Understand the management. 6.1 Requirements for establishing the contexts of risk management processes are described. 6.2 Requirements for defining risk criteria of risk management processes are described. 6.3 The structure and interrelationships of risk management processes is defined. E6.1 The range of contexts of risk management and methods used to establish these contexts are described in accordance with ISO 31000:2009 clause 5.3 (establishing the context) and ISO 28000:2007 clause (security risk assessment). E6.2 Methods used to define risk criteria are described in accordance with ISO 31000:2009 clause (defining risk criteria) and ISO 28000:2007 clause (security risk assessment). E6.3 The structure of risk management components is described in accordance with ISO 31000:2009 clause 4.1 (general). Document Ref: TCD59 Exemplar Global SCY Competency Unit Edition: 3 Page: 3 of 6 Issued: 21-Apr-14 Printed : 21-Apr-14

4 7. Understand the identification. 7.1 Requirements to identify risks to be managed are described. E7.1 Methods used to identify risks to be managed are described in accordance with ISO 31000:20009 clause (risk identification) and ISO 28000:2007 clause (security risk assessment). 8. Understand the analysis. 8.1 Requirements used to analyse risks are described. E8.1 Methods used to analyse risks are described in accordance with ISO 31000:20009 clause (risk analysis) and ISO 28000:2007 clause (security risk assessment). 9. Understand the evaluation. 9.1 Requirements for evaluation of risks are described. E9.1 Methods used to evaluate risks are described in accordance with ISO 31000:2009 clause (risk evaluation) and ISO 28000:2007 clause (security risk assessment). 10. Understand the treatment Requirements for treatment of risks are described. E10.1 Methods used to treat risks are described in accordance with ISO 31000:2009 clause 5.5 (risk treatment) and ISO 28000:2007 clauses 4.3 (security risk assessment planning) and 4.5 (checking and corrective action). 11. Understand the processes of monitoring and reviewing risks Requirements for monitoring and reviewing risks are described. E11.1 Methods used to monitor and review risks are described in accordance with ISO 31000:2009 clause 5.6 (monitoring and review) and ISO 28000:2007 clause 4.5 (checking and corrective action). Document Ref: TCD59 Exemplar Global SCY Competency Unit Edition: 3 Page: 4 of 6 Issued: 21-Apr-14 Printed : 21-Apr-14

5 12. Understand the process of communication and consultation Requirements for communication and consultation at each step of the risk management process are described. E12.1 Methods used for communication and consultation in relation to risks are described in accordance with ISO 31000:2009 clause 5.2 (communication and consultation). 13. Understand general requirements for operational security Functional understanding of major operational security elements that will be encountered while undertaking security management system audits is demonstrated. This includes awareness of key assessment criteria and appropriate control applications associated with each element type. E13.1 Typical risks associated with the following areas are identified and assessed with appropriate security controls described: Asset protection Industrial Commercial Domestic Crisis management Loss prevention Fraud Theft IP protection IT and electronic systems Systems design and access Storage and handling of data Analysis of data Personnel protection VIP protection Employee protection General public protection Transport and logistics Maritime Aircraft Land transport Terminals Handling facilities 14. Understand roles and responsibilities for security management The roles and responsibilities of personnel responsible for security are clearly identified The inter-relationship between the security hierarchy and the corporate organizational structure is defined Barriers to the effective implementation of a security management system are identified and methods to eliminate these barriers are described. E14.1 Typical roles and responsibilities for security are described in accordance with ISO 28000:2007 clause (structure, authority and responsibilities for security management). E14.2 Appropriate organizational structures to ensure effective interrelationships between the security hierarchy and corporate organisation are described with reference to ISO 28000:2007 clause (structure, authority and responsibilities for security management). E14.3 Limitations to effective implementation of a security management system are described as detailed in ISO 28000:2007 clause (security risk assessment) Document Ref: TCD59 Exemplar Global SCY Competency Unit Edition: 3 Page: 5 of 6 Issued: 21-Apr-14 Printed : 21-Apr-14

6 Clause Name Coverage 4.1 General requirements Establish the system structure, including a process for continual improvement 4.2 Security management policy Developed and acknowledged by top management 4.3 Security risk assessment Security risk assessment Identify physical, operational, environmental threats and risks Legal, statutory and other security regulatory requirements Identify legal and other requirements related to organization Security management objectives Establish and document management objectives Security management targets Establish measurable, relevant targets and communicate these to the organization Security management programmes Establish and document programmes 4.4 Implementation and operation Structure, authority and responsibilities for security management Establish an organizational structure of roles; appoint and communicate responsibilities to the proper individuals Competence, training and awareness Establish a system to ensure qualified competent personnel Communication Establish a system to communicate information to the organization Documentation Document policy objectives, scopes, references, records, Document and data control Establish the location and access, review, currency, archival Operational control Document procedures, including procedures related to threat evaluation Emergency preparedness, response and security recovery Identify potential threats and develop plans and responses for these threats 4.5. Checking and Corrective action Security performance measurement and monitoring Establish a system that includes qualitative and quantitative monitoring objectives & targets, and a process for addressing non-conformances System evaluation Review plans, procedures, incidents reports, performance evaluations Security-related failures, incidents, non-conformances and Evaluate system failures, incidents, near misses, false alarms, etc corrective Control of and records preventative actions Describe the process for record identification, storage, protection, retrieval, retention and disposal Audit Develop an audit program 4.6 Management review and continual improvement Describe the process for management review of the system by top management. Document Ref: TCD59 Exemplar Global SCY Competency Unit Edition: 3 Page: 6 of 6 Issued: 21-Apr-14 Printed : 21-Apr-14