09 Jan 2023
Punyam Academy Pvt. Ltd.
This informal CPD article, ‘Creating & Controlling ISO 28000 Security Management System Documents,’ was provided by Punyam Academy, an industry leader in training of international compliance standards.
Day by day, the security environment in most parts of the world is deteriorating. Not only common citizens but also organisations across all industries and sectors are facing threats and incidents of theft, smuggling, terrorism, and other security issues. The uncertainty and volatility in their security environment impact their goals and objectives. In this global scenario, a large number of organisations across the world are looking towards a formal approach to security management that could solve their problems relating to the security of business processes and the supply chain.
In March 2022, the International Organization for Standardization (ISO) issued a new version of the ISO 28000 standard that provides a systematic approach to solving such problems by establishing, implementing, maintaining and improving a security management system. ISO 28000:2022 includes all those aspects which are critical to the security assurance of the supply chain and directly contributes to increasing the security of the organization’s processes, including the entire supply chain of goods, vehicles and transport infrastructure.
Organisations which are planning to establish and implement an ISO 28000 security management system, or those who wish to get ISO 28000 certification, will need to create accurate documents and records for the security management system, as well as control them in accordance with ISO 28000:2022 requirements.
ISO 28000:2022 Documentation Structure
As per the ISO 28000:2022 standard, the security management system must include the documented information required by this standard and that determined by the organisation as being necessary for the effectiveness of its security management system. The documents and records of an ISO management system are collectively referred to as documented information. The complete documentation for a security management system will consist of a number of items of documented information.
The standard allows flexibility to the organisation in developing security management system documentation, which may differ from organisation to organisation depending on their size and type of activities, processes, products and services, complexity of processes and their interactions, and training and competence of personnel.
ISO 28000:2022 documented information can be prepared in any language, software version, etc., and it could be in paper or digital form. Based on our rich experience of various ISO management system implementation and certification processes, we recommend that organisations create a 4-tier documentation structure, as below:
- Security manual: Although it is optional, organizations should prepare it, because it gives macro-level details of how the system is implemented for all the requirements of ISO 28000:2022.
- Security management system procedures or Procedures’ manual, Process approach, etc.: Procedures are the core of the documentation system. They describe the methods of meeting the requirements of the relevant clauses of ISO 28000. They support the operation of security management system processes to establish confidence in the system.
- SOPs, Work Instructions, Policies, Plans, Exhibits, etc.: These are practical documents and should therefore be prepared in simple language, so that users can understand them well.
- Forms, Registers and other Records: These are also called ‘Retain documented information’, which means records that must be kept and be available for a defined retention period. A record is evidence that the management system and its processes are followed. These are supporting documents to record and distribute information and to prove that the security management system is operating effectively.
This documentation structure should cover all departments and functions within the scope of ISO 28000 security management system of the organization.

Creating ISO 28000:2022 Documentation
When establishing a new security management system based on the ISO 28000 standard, an organisation will need to create the entire management system documentation structure. Depending on the type and size of the organisation and its processes, it may take anything from a week to a couple of months. Help from external experts and/or use of sample documents of an ISO 28000 security management system can save time in document preparation.
The top management of the organisation should form a team or task force for documentation of the security management system. This team should thoroughly read and understand the ISO 28000 security management system standard and identify the documented information required under different clauses of the standard. The team should also identify the documented information required by the organisation for smooth functioning of the ISO 28000 security management system.
The documentation team leader or the Security management system coordinator should ensure that the documented information of the ISO 28000 security management system is identified by means of an appropriate title, date, author, document reference number, issue number and approval authority. Once documented information is created, it should be reviewed and approved by a designated person for suitability and adequacy.
Controlling ISO 28000:2022 Documented Information
An ISO 28000:2022 security management system consists of a number of documents and records. Therefore, control of documented information is important for the security management system. Documented information control helps to ensure that documented information is suitable, legible, and available where and when it is needed, and adequately protected from loss of confidentiality, improper use, or loss of integrity.
It is important to clearly define where documented information should be kept and for how long, and who is responsible for it. The Document Controller/Authorised Person should have a list of all completed documented information applicable to the individual departmental activities. Against each listed document, the number should be shown together with the date of the latest change. This is also called a "Master Copy" and is a yardstick against which any other controlled copy can be judged. Documented information should be approved, signed (written or electronically) and dated by authorised persons. No document should be changed without authorisation, and all changes must be recorded.
The bottom line is that the documentation team of the organisation should create and control ISO 28000:2022 documented information in accordance with the requirements of the standard.
We hope this article was helpful. For more information from Punyam Academy, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.