Re-Emphasizing Risk Management. by George Huff November 9, 2011




2 Risk Management and Supply Chain Security

ISO 28000's risk-based approach to management systems:
- ISO format adopted from ISO 14001:2004 Environmental Performance, but organizations with a process approach (e.g. ISO 9001:2000) may be able to use their existing management systems; and
- Uses the Plan-Do-Check-Act methodology.

Resiliency disciplines: Incident Management, Business Continuity, Facility & Risk Management, Social Resilience, Supply Chain, Logistics & Transportation.

Incident Management, Business Continuity / Organizational Resilience Management Systems: Understand the Organization -> Risk Assessment & BIA -> Develop the BCM Strategy -> Secure the Supply Chain.

Next steps: Steering committees are to deliver and set the SCSMS/IMS/BCMS/ORMS frameworks and policies, and meet regularly to review and update threats to the organization's critical processes and their mitigation.

3 ISO 28000:2007 Security Management Systems for the Supply Chain

What it does: Provides requirements and guidance for organizations in international supply chains to:
- Develop and implement supply chain security processes;
- Establish and document a minimum level of security within a supply chain or a segment of a supply chain;
- Assist in meeting the applicable Authorized Economic Operator (AEO) criteria (see the World Customs Organization (WCO) SAFE Framework of Standards to Secure and Facilitate Global Trade), and conformity to national supply chain security codes & programs.

Scope:
- Applies to both exporters and importers;
- Applies to airports, seaports and terminals, as well as organizations that move product by air, sea, rail or road;
- Applies to logistics, transportation and service companies, as well as manufacturers, shippers, wholesalers and distributors.

Next steps: Organizations are to assure conformance to the SM policy, demonstrate conformance to others, and either seek registration/certification by an accredited third-party CB or make a self-declaration of conformance.

4 Security Management System Lifecycle

(Diagram: SM Elements; Continual Improvement)

Next steps: Lifecycle of continual improvement of the elements of security management.

5 Supply Chain Security Management Systems

An SCSMS is used to manage & control security risks and improve security performance.

ISO 28000 is tied to other standards:
- ISO 27001: Information Security
- ISO 14001: Environmental Performance
- ISO 20000: IT Service Management
- ISO 9001: Quality Management Systems

Next steps: Correspondence of elements between ISO 28000 and related management systems.

6 ISO 28003 Requirements for Bodies Providing Audit and Certification of Supply Chain Security Management Systems

- Certification of Supply Chain Security Management Systems is a third-party conformity assessment activity.
- Requirements for CBs include annexes on auditor time, education, work & audit experience, and training duration, and criteria for auditing organizations with multiple sites.
- The ANSI-ASQ National Accreditation Board (ANAB) has received one application for ISO 28000 from a certification body.
- ANAB has received several other inquiries from certification bodies.

Next steps: Organizations that choose third-party certification can further demonstrate that they are contributing significantly to supply chain security.

7 Cross-Mapping of IM/BC/OR Standards: Understanding the Organization

NFPA 1600:          5.4 Risk Assessment (5.4.1 - 5.4.4); 5.5 Business Impact Analysis (5.5.1 - 5.5.6)
BS 25999-2 (2007):  4.4.1 BIA (4.1.1.1 - 4.1.1.2); 4.1.2 Risk Assessment (4.1.2.1 - 4.1.2.2)
BS 25999-1 (2006):  6.2 Business Impact Analysis (BIA) (6.2.1 - 6.2.3)
ASIS SPC-1:         4.3 Planning: Identify Hazards & Threats; 4.3.1 Risk Assessment & Impact Analysis

Next steps: Voluntary Private Sector Preparedness and Accreditation Standards are risk-based & designed to understand the organization.

8 Cross-Mapping of IM/BC/OR Standards: Determining the Strategy (Risk Treatment)

NFPA 1600:          5.6 Prevention (5.6.1 - 5.6.4); 5.7 Mitigation (5.7.1 - 5.7.3); 6.1 Resource Management (6.1.1 - 6.1.7)
BS 25999-2 (2007):  4.2 Determining BC Strategy
BS 25999-1 (2006):  6.4 Determining Continuity Requirements
ASIS SPC-1:         4.3.3 Planning: Identify Hazards & Threats

Next steps: Voluntary Private Sector Preparedness and Accreditation Standards are risk-based & designed to determine the strategy.

9 Determining the IM/BC/OR Strategy: Examples of Supply Chain Strategy Activities

- Inventory the extended enterprise and its points of integration with other entities, identifying:
  1. Where critical services and products originate,
  2. Single points of failure in the service/supply chain, and
  3. Where single-source suppliers are located.
- Determine how critical products are sourced and shipped from overseas locations. Many core items and critical outputs will not be available because most supply chains operate in a just-in-time model. Therefore, identify core items and critical inputs, and classify each critical input as vulnerable (i.e., potentially not available) or non-vulnerable (i.e., likely to be available).
- Where critical supplies depend upon specialist suppliers, the organization should identify the key suppliers and single sources of supply. Therefore, identify essential customers and suppliers, including prioritization of critical partner relationships and documentation of which customers should receive priority service.

Next steps: Voluntary Private Sector Preparedness and Accreditation Standards are risk-based & designed to determine the strategy.
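The strategy activities on this slide (inventory critical inputs, flag single points of failure, classify inputs as vulnerable or non-vulnerable, prioritize by exposure) can be captured as a small model. This is an added example, not material from the presentation; the supplier data, the 14-day buffer threshold and the vulnerability rule are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data for illustration; not a real supplier inventory.
@dataclass(frozen=True)
class Supplier:
    name: str
    overseas: bool        # input is sourced and shipped from an overseas location

@dataclass
class CriticalInput:
    name: str
    suppliers: tuple      # every supplier able to provide this input
    buffer_days: int      # days of on-hand stock; 0 means pure just-in-time

# Product -> the critical inputs it cannot be produced without.
INVENTORY = {
    "Controller board": (
        CriticalInput("MCU", (Supplier("ChipCo", overseas=True),), buffer_days=0),
        CriticalInput("PCB", (Supplier("BoardA", True), Supplier("BoardB", False)), 21),
    ),
    "Enclosure": (
        CriticalInput("Steel sheet", (Supplier("MillX", False), Supplier("MillY", False)), 30),
    ),
}

MIN_BUFFER_DAYS = 14  # assumed threshold below which stock cannot cover a disruption

def classify_input(inp):
    """Slide's classification: 'vulnerable' (potentially not available) or 'non-vulnerable'."""
    single_source = len(inp.suppliers) == 1
    all_overseas = all(s.overseas for s in inp.suppliers)
    thin_buffer = inp.buffer_days < MIN_BUFFER_DAYS
    # A sole source is a single point of failure regardless of stock; an input whose
    # every route crosses a border with nothing on hand is also treated as vulnerable.
    if single_source or (all_overseas and thin_buffer):
        return "vulnerable"
    return "non-vulnerable"

def single_points_of_failure(inventory):
    """(product, input, supplier) triples where losing one supplier halts the product."""
    return [(product, inp.name, inp.suppliers[0].name)
            for product, inputs in inventory.items()
            for inp in inputs if len(inp.suppliers) == 1]

def prioritize_products(inventory):
    """Products ordered by their count of vulnerable inputs, most exposed first."""
    score = {p: sum(classify_input(i) == "vulnerable" for i in inputs)
             for p, inputs in inventory.items()}
    return sorted(score, key=lambda p: (-score[p], p))
```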

10 The Assessment Cycle, Stages 1 and 2: Stage 1, Conformance with Specification

- Review of the SCSMS/IM/BC/OR documentation
- High-level evaluation of the readiness for the stage 2 assessment
- Review of the understanding of the requirements of the standard, and the proposed scope of the stage 2 assessment
- Review and confirmation of the resources needed for the stage 2 assessment
- Plan outlining the stage 2 assessment
- Confirmation that management review and audit/self-assessments are being planned and performed

Next steps: Any areas deemed not in compliance will be raised as non-conformities and must be cleared and approved by the lead auditor prior to moving to the stage 2 assessment.

11 The Assessment Cycle: Stage 2, Evaluation of Implementation

- Evaluates the implementation of the SCSMS
- Uses a process audit approach, assessing all processes within the scope and all linked processes to ensure effectiveness and consistency
- Conducts interviews with stakeholders, gathering objective evidence (procedures, reports and test results)
- Evaluates the findings against the standard
- Identifies any areas not in compliance and/or not effective, which must be cleared by the lead auditor prior to the organization being recommended for certification

12 The Assessment Cycle: 3-Year Process (Audit Cycle -v- Certification Cycle)

Audit cycle: Initial assessment, Stage 2 audit (last day) -> Surveillance 1 (10 months) -> Surveillance 2 -> Recertification
Certification cycle: Certificate decision date (cert. issued) -> 12 months -> 24 months -> Certificate expires at 36 months (1 day)

Next steps: Important benefits to private sector preparedness in the United States of America.

End of Presentation