3.6.2011

ISO 28000 – Security Management, Risk Assessment, and ISO 14001 as a Foundation

The current issue of ISO Focus (February 2011) is dedicated to a wide range of security-related issues and highlights the ISO 28000 series on security risk management.

ISO 28000 was published in 2007 and provides guidance on security management. Its framework follows the ISO 14001 framework closely. ISO 28000 is the core of the family, providing the management system specification standard. ISO 28004 provides implementation guidance in specific areas, such as 28005 (Electronic Port Clearance) and 20858 (Ships and Marine Technology). If you have an ISO 14001 management system in place, it will help if you want to pursue 28000: many of the 28000 requirements will look familiar. Particular attention is given to the security management policy and risk assessment in 28000. As with an EMS, these are two important initial pieces in a management system; they set the trajectory for objectives/targets and operational controls.

When performing your security risk assessment, I recommend that you throw the net wide and include a diversity of people within your organization to help in this process. You can augment your ability here by also familiarizing yourself with ISO 31000 on risk management. Several professional associations publish security risk assessment guidelines that can help. Counsel I give my clients in this area is to also trust the professional judgment and experience of the security team. During several 28000 engagements, I’ve heard professionals say that they don’t have a security risk assessment process. After a short dialogue, we find that they do—it just isn’t formalized or well-documented.

As with developing any management system, if you are going to develop an ISO 28000-based security management system, strive to integrate it with the other management systems (MSs) in the company, and get wide input and participation across your company in its development, implementation, and maintenance.


© Redinger EHS, Inc. (2010)
