Does the organization continually improve its effectiveness?
    Evidence/notes: See also Section 4.6.

Does the organization define the scope of its security management system?
    Evidence/notes: See also Section 4.4.4 b) and ISO 28001, ch 4.1 Statement of application.

Does the organization outsource security relevant processes? In case of outsourced processes, does the organization ensure that such processes are controlled? Are the necessary controls and responsibilities identified within the security management system?
    Evidence/notes: May require auditing of those outsourced processes and their documentation. At least, the organisation has to ensure control of outsourced processes.
4.2 Security management policy

a) Is the policy consistent with other organizational policies?
    Evidence/notes: See ISO 28004 4.2 c). Evidence documentation: see Section 4.4.4 c). Note: review policies and objectives relevant to the organisation's business as a whole.
c) Is the policy consistent with the organization's overall security threat and risk management framework?
    Evidence/notes: Are the measures described therein adequate for addressing the security risks that have been identified? Is the policy effective? This may have to be revisited once Sections 4.3 and 4.5.1-3 have provided sufficient evidence.
d) Is the policy appropriate to the threats to the organization and the nature and scale of its operations?
    Evidence/notes: Same as for c): are the measures described therein adequate for addressing the security risks that have been identified? Is the policy effective? This may have to be revisited once Sections 4.3 and 4.5.1-3 have provided sufficient evidence.
e) Does the policy clearly state the overall/broad security management objectives?
    Evidence/notes: See also Section 4.4.4 a).
f) Does the policy include a commitment to continual improvement of the security management process?
    Evidence/notes: See Sections 4.4.1 and 4.6 for evidence.
g) Does the policy include a commitment to comply with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes?
    Evidence/notes: See also Section 4.3.2 for evidence of compliance.
j) Is the policy communicated to all relevant employees and third parties including contractors and visitors?
    Evidence/notes: See also Section 4.4.3.
k) Is the policy available to stakeholders where appropriate?
    Evidence/notes: See also Section 4.4.3.
l) Does the policy provide for its review in case of the acquisition of, or merger with, other organizations, or other change to the business scope of the organization which may affect the continuity or relevance of the security management system?
    Evidence/notes: See also Section 4.4.2.
4.3.1 Security risk assessment
Does the organization have procedures for the ongoing identification and assessment of security threats and security management related threats and risks and the identification and implementation of necessary management control measures?
    Evidence/notes: See also ISO 28001, chapter 5.2 Identification of the scope of security assessment, and chapter 5.3 Conduction of the security assessment, specifically:
    - Qualified assessment personnel
    - A documented assessment process

Are the methods for security threats and risk identification, assessment and control appropriate to the nature and scale of the operations?
    Evidence/notes: See also Statement of Application, ISO 28001 ch 4.1, and Section 4.1 above.

Does the assessment consider the likelihood of an event and all of its consequences?
    Evidence/notes: Risk Assessment process, ISO 28001 Annex B. Note: different approaches to risk assessment may be acceptable if they take into account the nature of security-specific risks.
a) Physical failure threats and risks, such as functional failure, incidental damage, malicious damage or terrorist or criminal action?
b) Operational threats and risks, including the control of the security, human factors and other activities which affect the organization's performance, condition or safety?
c) Natural environmental events (storm, floods, etc.), which may render security measures?
d) Factors outside of the organization's control, such as failures in externally supplied equipment and services?
e) Stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or brand?
f) Design and installation of security equipment including replacement, maintenance, etc.?
g) Information and data management and communications?
    Evidence/notes for a) to g): ISO 28001 Annex B 2. Note: evidence is the selection of applicable and relevant scenarios for risk assessments.
Does the organization ensure that the results of these assessments and the effects of these controls are considered?
    Evidence/notes: ISO 28001 Annex B 7-10. Note: evidence may be found in system evaluation (Section 4.5.2 below) and management review & continual improvement (Section 4.6 below). Other evidence may include:
    - Contingency Plans
    - Business Continuity Plans
    - Recovery & Business Resumption Plans
    - Exercises and Exercise Evaluations
    See also ISO 28004 ch 4.3.1 for the detailed process. Outputs may be:
    - Description of risks and control measures
    - Identification of training & competency requirements

Assessment results provide input to...
a) Security management objectives and targets?
    Evidence/notes: Ensure understanding of the distinction between objectives and targets. Targets should be measurable.
b) Security management programmes?
    Evidence/notes: ISO 28004 ch 4.3.5 c) and Section 4.3.5 below. Note: security management programmes should be derived from the targets and shall mention responsibilities, means (how they are achieved) and time-scale.
c) Determination of requirements for the design, specification and installation?
    Evidence/notes: Requirements may be subject to cost-benefit analyses, ALARP determination, legal or regulatory restrictions.
e) Identification of training needs and skills?
    Evidence/notes: ISO 28004 ch 4.3.1 e). See also Section 4.4.2 below.
f) Development of operational controls?
    Evidence/notes: ISO 28004 ch 4.3.1 e). See also Section 4.4.6 below.
Does the organization document and keep the above mentioned information up to date?
    Evidence/notes: Are performance reviews carried out regularly? Are there exercises and exercise evaluations? Is there a continual improvement process which includes risk assessment?

a) Provide for a definition with respect to its scope, nature and timing to ensure it is proactive rather than reactive?
    Evidence/notes: For example, does it seek to identify emerging risks, and are results factored into response, continuity and recovery plans? Or does it rely on incident response alone? Does it focus on physical security or is it holistic?
d) Provide for the monitoring of actions to ensure effectiveness and the timeliness of their implementation?
    Evidence/notes: ISO 28001 Annex B 7 and ISO 28004 4.3.1 d) iii. See also Section 4.5.1.
4.3.2 Legal, statutory and other security regulatory requirements

b) To determine how these requirements apply to its security threats and risks?
    Evidence/notes: Risk mitigation and prevention (counter measures, response plans and detection methods) shall not only be derived from the results of risk assessment but also from legal, statutory and other security requirements. That process shall be done through identification of objectives, targets and programmes.

Does the organization keep this information up-to-date?

4.3.3 Security management objectives

a) Legal, statutory and other security regulatory requirements?
    Evidence/notes: See also section 4.3.2.
c) Communicated to all relevant employees and third parties, including contractors, with the intent that these persons are made aware of their individual obligations?
    Evidence/notes: See also section 4.4.3.
d) Reviewed periodically to ensure that they remain relevant and consistent with the security management policy? Have the security management objectives been amended accordingly where necessary?
    Evidence/notes: See also 4.6. Note: reviews may be achieved through audits, exercises, repetitive risk assessment and up-to-date identification of legal and other requirements.
4.3.4 Security management targets

Does the organization establish, implement and maintain documented security management targets appropriate to the needs of the organization?
    Evidence/notes: Targets should be the result of, and consistent with, the security policy (see sections 4.2 and 4.3.1). See ISO 28004 for security target requirements. Examples of security targets include:
    - risk reduction within a given time frame
    - introduction of new technologies within a given time frame
    - the elimination or reduction in frequency of particular undesired events.

Do the targets derive from, and are they consistent with, the security management objectives?
    Evidence/notes: See 4.3.3.
b) Specific, measurable, achievable, relevant and time-based (where practicable)?
    Evidence/notes: See above and ISO 28004 ch 4.3.4 d).
c) Communicated to all relevant employees and third parties including contractors with the intent that these persons are made aware of their individual obligations?
    Evidence/notes: See also sections 4.4.2 and 4.4.3.
d) Reviewed periodically to ensure that they remain relevant and consistent with the security management objectives? Where necessary the targets shall be amended accordingly. Have the targets been amended accordingly where necessary?
    Evidence/notes: See also section 4.3.5; this should be specified in security management programmes.

4.3.5 Security management programmes

Does the organization establish, implement and maintain security management programmes for achieving its objectives and targets?
Have these roles, responsibilities and authorities been defined, documented and communicated to the individuals responsible for implementation and maintenance?
    Evidence/notes: ISO 28004 ch 4.4.1 d). Define:
    - Top management responsibility
    - Management representative responsibility
    - Line management responsibility
    Document:
    - Security management manuals
    - Work procedures
    - Job descriptions
    - Induction/awareness training

Is the Top management able to provide evidence of its commitment to the development and implementation of the security management system (processes) and continually improving its effectiveness by:
b) appointing (a) member(s) of management with the necessary authority to ensure that the objectives and targets are implemented?
    Evidence/notes: Further to the above, one or more management personnel need to be appointed and given the authority to achieve identified objectives and targets. Within each programme further responsibilities are expected to be defined in a large organization.
c) identifying and monitoring the requirements and expectations of the organization's stakeholders and taking appropriate and timely action to manage these expectations?
    Evidence/notes: Definition of stakeholder according to ISO 28000: person or entity having a vested interest in the organization's performance, success or the impact of its activities, e.g. customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, or society.
d) ensuring the availability of adequate resources?
    Evidence/notes: ISO 28004 ch. 4.4.1 d 7): Resources can be considered adequate if they are sufficient to carry out security programmes and activities, including performance measurement and monitoring. For organisations with established security management systems, the adequacy can be at least partially evaluated by comparing the planned achievement of security objectives with actual results.
e) considering the adverse impact that the security management policy, objectives, targets, programmes, etc. may have on other aspects of the organization?
    Evidence/notes: E.g. cost-benefit analyses, business impact analyses and change management tools.
f) ensuring any security programmes generated from other parts of the organization complement the security management system?
    Evidence/notes: See Section 4.4.4 c) for evidence. Note: consider the interrelationship with AEO and ISO 20850 (ISPS-Code), C-TPAT and possibly security programmes derived from a quality management system.
h) ensuring security-related threats and risks are evaluated and included in organizational threat and risk assessments, as appropriate?
    Evidence/notes: Risk assessment process in place as per ISO 28001 Annex A.1-A.3. Are performance reviews being carried out? (Annex A.3)
i) ensuring the viability of the security management objectives, targets and programmes?
    Evidence/notes: See Section 4.6 for evidence.
4.4.2 Competence, training and awareness

Does the organization ensure that personnel responsible for the design, operation and management of security equipment and processes are suitably qualified in terms of education, training and/or experience?
    Evidence/notes: ISO 28004 ch 4.4.2: evidence may include:
    - Analysis of training needs
    - Training programmes/plans
    - Training courses
    - Training records/evaluations
    - Security awareness programme
    - Security awareness evaluation

Does the organization establish and maintain procedures to make persons working for it or on its behalf aware of:
    Evidence/notes: ISO 28004 ch 4.4.2: to include contractors, temporary workers and visitors. See also Section 4.2 j).
b) their roles and responsibilities in achieving compliance with the security management policy and procedures and with the requirements of the security management system, including emergency preparedness and response requirements?
    Evidence/notes: ISO 28004 ch 4.4.2 d). Note: this is about the specific tasks to be complied with by personnel and persons working on behalf of the organization (training, familiarization etc.).

4.4.3 Communication

Does the organization have procedures for ensuring that pertinent security management information is communicated to and from relevant employees, contractors and other stakeholders?
    Evidence/notes: See ISO 28004 ch 4.3.3; information can be communicated through:
    - management and employee consultations/councils
    - employee involvement
    - improvement schemes
    - security briefings
    - notice boards
    - email or print newsletters

Does the organization, because of the sensitive nature of certain security related information, give due consideration to the sensitivity of information prior to dissemination?
4.4.4 Documentation

Does the organization establish and maintain a security management documentation system that includes, but is not limited to, the following:

4.4.5 Document and data control

Does the organization establish and maintain procedures for controlling all documents, data and information required by Clause 4 of this Specification to ensure that:
a) these documents, data and information can be located and accessed only by authorized individuals?
    Evidence/notes: Authorised personnel: see ISO 28001 ch 5.8. Note: evidence the authorisation procedure if necessary. For example:
    - Is there an ID system tied to the authorisation procedure?
    - Does possession of a (fraudulent) ID confer authorisation?
    - Is data access logged and fraudulent ...
b) these documents, data and information are periodically reviewed, revised as necessary, and approved for adequacy by authorized personnel?
    Evidence/notes: For example regular change of passwords, exchange of ID systems etc.
d) obsolete documents, data and information are promptly removed from all points of issue and points of use, or otherwise assured against unintended use?
    Evidence/notes: Consider procedures and enforcement for deletion of data: confidential waste baskets, shredding, electronic purging.
e) archival documents, data and information retained for legal or knowledge preservation purposes or both are suitably identified?
    Evidence/notes: ISO 28004 ch 4.4.5 e): document control procedures, master lists, indexes, archival location?
f) these documents, data and information are secure, and if in electronic form are adequately backed up and can be recovered?
    Evidence/notes: See also ISO 28001, chapter 5.8 Protection of the security information.
4.4.6 Operational control

b) evaluating any threats posed from upstream supply chain activities and applying controls to mitigate these impacts to the organization and other downstream supply chain operators?
    Evidence/notes: These threats should have been evaluated within the risk assessment and the result adequately considered when developing objectives, targets, programmes and counter measures.
c) establishing and maintaining the requirements for goods or services which impact on security and communicating these to suppliers and contractors?
    Evidence/notes: See also ISO 28001, chapter 4.2, 4.5 Business partners - Security reviews of business partners.

Does the organization consider the associated security threats and risks where existing arrangements are revised or new arrangements introduced, that could impact on security management operations and activities, before their implementation?
    Evidence/notes: When existing arrangements are revised or new arrangements are introduced, this should only be done once the security impact (change of threats and risks) has been evaluated.

Does the organization periodically review the effectiveness of its emergency preparedness, response and security recovery plans and procedures, in particular after the occurrence of incidents or emergency situations caused by security breaches and threats?
    Evidence/notes: Also the adequacy, e.g. through risk assessments. See section 4.3.1. Note: effectiveness may be reviewed after drills and exercises and must be reviewed after incidents or emergency situations.

Does the organization periodically test these procedures where practicable?
    Evidence/notes: This is about drills and exercises.
4.5.1 Security performance measurement and monitoring

Does the organization establish and maintain procedures to monitor and measure the performance of its security management system?
    Evidence/notes: ISO 28004 ch. 4.5.1 d):
    - Proactive monitoring, e.g. audits, inspections, exercises, reviews.
    - Reactive monitoring, e.g. incident investigation and analysis.

Does the organization establish and maintain procedures to monitor and measure the security performance?
    Evidence/notes: ISO 28004 ch 4.5.1 d) 2), e.g.
    - Security inspections
    - Behaviour sampling
    - Benchmarking against other security practices
    - Stakeholders' feedback

Does the organization consider the associated security threats and risks, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the key performance parameters?
    Evidence/notes: This is part of the risk assessment. Deterioration mechanisms may be corrosion (fences and equipment housings), low visibility (for CCTV), wildlife (for motion detectors), power cuts (for lighting), computer malfunctions (for DVS or RFID readers).

Are significant changes in these factors reflected immediately in the procedure(s)?
    Evidence/notes: See also ISO 28000 ch 4.5.2 e). Note: evidence may be:
    - reduced non-conformities or incidents
    - better legal compliance
    - evaluation reports

Does the organization periodically evaluate compliance with relevant legislation and regulations, industry best practices, and conformance with its own policy and objectives?
    Evidence/notes: Consult sections 4.2, 4.3.2 and 4.3.3.
a) evaluating and initiating preventive actions to identify potential failures of security in order that the incident may be prevented from occurring?
    Evidence/notes: See also ISO 28001, chapter 5.7 Actions required after a security incident.
iii) non-conformances?
c) taking action to mitigate any consequences arising from such failures, incidents or non-conformances?
    Evidence/notes: See also section 4.4.7 or any other contingency planning or emergency preparedness measures.
d) the initiation and completion of corrective actions?
    Evidence/notes: See also ISO 28001, ch 5.7 a).
e) the confirmation of the effectiveness of corrective actions taken?
    Evidence/notes: See also ISO 28001, ch 5.7 b) on the assessment of security recovery measures. See also section 4.6 on management review.

Do these procedures require that all proposed corrective and preventive actions are reviewed through the security threat and risk assessment process prior to implementation, unless immediate implementation forestalls imminent exposures to life or public safety?
    Evidence/notes: Proportionality of the reaction to the security incident. Security measures should not infringe safety or civil liberties.

Are any corrective or preventive actions taken to eliminate the causes of actual and potential non-conformances appropriate to the magnitude of the problems and commensurate with the security management related threats and risks likely to be encountered?
    Evidence/notes: The focus of new measures should not be solely on preventing the incident that just happened but on the root causes identified by the investigation and corroborated by the risk assessment.

Does the organization implement and record any changes in the documented procedures resulting from corrective and preventive action, and does it include the required training where necessary?
    Evidence/notes: May be required by regulators. See also sections 4.3.2 and 4.5.4 for reference.

Is electronic and digital documentation rendered tamper proof, securely backed up and accessible only to authorized personnel?
    Evidence/notes: See also ISO 28001, chapter 5.8 Protection of the security information. Note: digitally stored data too needs physical protection.
4.5.5 Audit
Does the organization establish, implement and maintain a security management audit program?

Does the organization ensure that audits of the security management system are carried out at planned intervals, in order to:
    Evidence/notes: Planned intervals are to be understood as being annually.

4.6 Management review and continual improvement

Does the Top management review the organization's security management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness?
    Evidence/notes: Planned intervals are to be understood as being annually.
g) changing circumstances, including developments in legal and other requirements related to its security aspects?
    Evidence/notes: See also section 4.3.1 security risk assessment and 4.3.2 legal requirements.

Do the outputs from management reviews include any decisions and actions related to possible changes to security policy, objectives, targets and other elements of the security management system, consistent with the commitment to continual improvement?
    Evidence/notes: See also ISO 28004 ch 4.6 e). Outputs include:
    - meeting minutes
    - revisions of security policies and objectives; amendments of programmes
    - specific corrective actions with target dates
    - specific improvement actions with responsibilities and target dates
    - date for review of corrective actions
    - new risk appreciation