Competency Unit: Exemplar Global SCY Security Management Systems Auditing




Please visit www.exemplarglobal.org for your region's Principal Office contact details. Email: info@exemplarglobal.org

Document Ref: TCD59 Exemplar Global SCY Competency Unit. Edition: 3. Issued: 21-Apr-14. Printed: 21-Apr-14.

How to use this document

The purpose of this Competency Unit is to give Training Providers detailed information on the performance criteria required of those who are seeking to become certified Exemplar Global Security Management Systems Auditors. This competency unit applies to the knowledge requirements for several Exemplar Global personnel certification schemes.

A Training Provider is someone who has received the Exemplar Global Training Provider and Examiner Certification Scheme (TPECS) certification for the development and delivery of the Exemplar Global-SCY examination.

A potential Exemplar Global Security Management Systems Auditor is someone who conducts security management system audits, oftentimes as a member of an audit team. To become a certified Exemplar Global Security Management Systems Auditor, an individual must show evidence that they have adequate skills in the fourteen (14) areas of Competencies shown in the tables below. These individuals show competency by meeting the performance criteria shown in the second column.

Training Providers are responsible for ensuring that these individuals provide adequate evidence of the performance criteria, according to the Evidence Guide. Training Providers use an accompanying Examination Profile to document how evidence will be collected and are authorized to administer the TPECS Competency Unit examination through their TPECS certification. All TPECS examinations will measure the performance criteria shown in this competency unit as written.

Competency 1: Understand requirements of management systems.

Performance criteria:
1.1 The documentation required for an effective management system is described.
1.2 The interrelationships between the management system manual, procedures, planning, policy, and objectives are explained within the context of a given business/industry sector.
1.3 The benefits of using the process approach to develop, implement and improve the effectiveness of a management system, customer focus and continual improvement are described, within the context of a given business/industry sector.
1.4 The importance of planning and resourcing a management system is described.

Evidence guide:
E1.1 Management system documentation requirements are defined in accordance with ISO 28000:2007 clauses 4.1 (general requirements) and 4.4.4 (documentation).
E1.2 Interrelationships between the various levels of documentation are described in accordance with ISO 28000:2007 clauses 4.1 (general), 4.2 (security management policy), and 4.3 (security risk assessment and planning).
E1.3 The process approach to the development of management systems is described in accordance with ISO 28000:2007 Introduction.
E1.4 Requirements for planning and resourcing a management system are described in accordance with ISO 28000:2007 clauses 4.3.1 (security risk assessment) and 4.4.1 (structure, authority and responsibilities for security management).

Competency 2: Understand how to determine the adequacy and effectiveness of a management system.

Performance criteria:
2.1 Methods to evaluate the effectiveness of an entire management system are described, within the context of a given business/industry sector.
2.2 Appropriate verification procedures to establish the currency, relevance, and effectiveness of a management system are described.
2.3 Omissions in a management system that could affect security are identified.
2.4 The adequacy of a management system in preventing, reducing, or eliminating security hazards is described.

Evidence guide:
E2.1 Requirements for Management Review are described in accordance with ISO 28000:2007 clause 4.6 (management review and continual improvement).
E2.2 Requirements for Internal Audit are described in accordance with ISO 28000:2007 clauses 4.5.2 (system evaluation) and 4.6 (management review and continual improvement).
E2.3 Critical omissions are defined in accordance with ISO 28000:2007 clauses 4.3 (security risk assessment and planning) and 4.5.2 (system evaluation).
E2.4 System adequacy is defined in accordance with ISO 28000:2007 clauses 4.5.1 (security performance measurement and monitoring) and 4.5.2 (system evaluation).

Competency 3: Understand requirements and methods for ensuring continuous improvement.

Performance criteria:
3.1 The impact of continuous improvement processes on management systems is described.
3.2 The role of continuous improvement in identification of preventive actions is described.

Evidence guide:
E3.1 Continuous improvement processes are described in accordance with ISO 28000:2007 clause 4.6 (management review and continual improvement).
E3.2 Methods for identification of preventive actions are described in accordance with ISO 28000:2007 clause 4.6 (management review and continual improvement).

Competency 4: Understand legislative requirements, industry codes and regulations that are applicable to security management.

Performance criteria:
4.1 The appropriateness and effectiveness of controls based on legislative requirements, industry codes, and other technical information relevant to security management are defined.

Evidence guide:
E4.1 Methods to identify legal and other requirements applicable to security management are described in accordance with ISO 28000:2007 clause 4.3.2 (legal, statutory and other security regulatory requirements).

Competency 5: Understand the elements of risk management as defined in ISO 31000:2009.

Performance criteria:
5.1 The main elements and principles of risk management are defined.

Evidence guide:
E5.1 The elements of risk management are described in accordance with ISO 31000:2009 (Introduction and clause 3, principles) and ISO 28000:2007 clause 4.3.1 (security risk assessment).

Competency 6: Understand the management.

Performance criteria:
6.1 Requirements for establishing the contexts of risk management processes are described.
6.2 Requirements for defining risk criteria of risk management processes are described.
6.3 The structure and interrelationships of risk management processes are defined.

Evidence guide:
E6.1 The range of contexts of risk management and methods used to establish these contexts are described in accordance with ISO 31000:2009 clause 5.3 (establishing the context) and ISO 28000:2007 clause 4.3.1 (security risk assessment).
E6.2 Methods used to define risk criteria are described in accordance with ISO 31000:2009 clause 5.3.5 (defining risk criteria) and ISO 28000:2007 clause 4.3.1 (security risk assessment).
E6.3 The structure of risk management components is described in accordance with ISO 31000:2009 clause 4.1 (general).

Competency 7: Understand the identification.

Performance criteria:
7.1 Requirements to identify risks to be managed are described.

Evidence guide:
E7.1 Methods used to identify risks to be managed are described in accordance with ISO 31000:2009 clause 5.4.2 (risk identification) and ISO 28000:2007 clause 4.3.1 (security risk assessment).

Competency 8: Understand the analysis.

Performance criteria:
8.1 Requirements used to analyse risks are described.

Evidence guide:
E8.1 Methods used to analyse risks are described in accordance with ISO 31000:2009 clause 5.4.3 (risk analysis) and ISO 28000:2007 clause 4.3.1 (security risk assessment).

Competency 9: Understand the evaluation.

Performance criteria:
9.1 Requirements for evaluation of risks are described.

Evidence guide:
E9.1 Methods used to evaluate risks are described in accordance with ISO 31000:2009 clause 5.4.4 (risk evaluation) and ISO 28000:2007 clause 4.3.1 (security risk assessment).

Competency 10: Understand the treatment.

Performance criteria:
10.1 Requirements for treatment of risks are described.

Evidence guide:
E10.1 Methods used to treat risks are described in accordance with ISO 31000:2009 clause 5.5 (risk treatment) and ISO 28000:2007 clauses 4.3 (security risk assessment planning) and 4.5 (checking and corrective action).

Competency 11: Understand the processes of monitoring and reviewing risks.

Performance criteria:
11.1 Requirements for monitoring and reviewing risks are described.

Evidence guide:
E11.1 Methods used to monitor and review risks are described in accordance with ISO 31000:2009 clause 5.6 (monitoring and review) and ISO 28000:2007 clause 4.5 (checking and corrective action).

Competency 12: Understand the process of communication and consultation.

Performance criteria:
12.1 Requirements for communication and consultation at each step of the risk management process are described.

Evidence guide:
E12.1 Methods used for communication and consultation in relation to risks are described in accordance with ISO 31000:2009 clause 5.2 (communication and consultation).

Competency 13: Understand general requirements for operational security.

Performance criteria:
13.1 Functional understanding of major operational security elements that will be encountered while undertaking security management system audits is demonstrated. This includes awareness of key assessment criteria and appropriate control applications associated with each element type.

Evidence guide:
E13.1 Typical risks associated with the following areas are identified and assessed, with appropriate security controls described:
  Asset protection
    Industrial
    Commercial
    Domestic
  Crisis management
  Loss prevention
    Fraud
    Theft
    IP protection
  IT and electronic systems
    Systems design and access
    Storage and handling of data
    Analysis of data
  Personnel protection
    VIP protection
    Employee protection
    General public protection
  Transport and logistics
    Maritime
    Aircraft
    Land transport
    Terminals
    Handling facilities

Competency 14: Understand roles and responsibilities for security management.

Performance criteria:
14.1 The roles and responsibilities of personnel responsible for security are clearly identified.
14.2 The inter-relationship between the security hierarchy and the corporate organizational structure is defined.
14.3 Barriers to the effective implementation of a security management system are identified and methods to eliminate these barriers are described.

Evidence guide:
E14.1 Typical roles and responsibilities for security are described in accordance with ISO 28000:2007 clause 4.4.1 (structure, authority and responsibilities for security management).
E14.2 Appropriate organizational structures to ensure effective interrelationships between the security hierarchy and corporate organisation are described with reference to ISO 28000:2007 clause 4.4.1 (structure, authority and responsibilities for security management).
E14.3 Limitations to effective implementation of a security management system are described as detailed in ISO 28000:2007 clause 4.3.1 (security risk assessment).

ISO 28000:2007 clause coverage (Clause / Name / Coverage)

4.1 General requirements: Establish the system structure, including a process for continual improvement
4.2 Security management policy: Developed and acknowledged by top management
4.3 Security risk assessment
  4.3.1 Security risk assessment: Identify physical, operational, environmental threats and risks
  4.3.2 Legal, statutory and other security regulatory requirements: Identify legal and other requirements related to the organization
  4.3.3 Security management objectives: Establish and document management objectives
  4.3.4 Security management targets: Establish measurable, relevant targets and communicate these to the organization
  4.3.5 Security management programmes: Establish and document programmes
4.4 Implementation and operation
  4.4.1 Structure, authority and responsibilities for security management: Establish an organizational structure of roles; appoint and communicate responsibilities to the proper individuals
  4.4.2 Competence, training and awareness: Establish a system to ensure qualified, competent personnel
  4.4.3 Communication: Establish a system to communicate information to the organization
  4.4.4 Documentation: Document policy objectives, scopes, references, records,
  4.4.5 Document and data control: Establish the location and access, review, currency, archival
  4.4.6 Operational control: Document procedures, including procedures related to threat evaluation
  4.4.7 Emergency preparedness, response and security recovery: Identify potential threats and develop plans and responses for these threats
4.5 Checking and corrective action
  4.5.1 Security performance measurement and monitoring: Establish a system that includes qualitative and quantitative monitoring of objectives and targets, and a process for addressing non-conformances
  4.5.2 System evaluation: Review plans, procedures, incident reports, performance evaluations
  4.5.3 Security-related failures, incidents, non-conformances and corrective and preventative actions: Evaluate system failures, incidents, near misses, false alarms, etc.
  4.5.4 Control of records: Describe the process for record identification, storage, protection, retrieval, retention and disposal
  4.5.5 Audit: Develop an audit program
4.6 Management review and continual improvement: Describe the process for management review of the system by top management