This informal CPD article, ‘Creating & Controlling ISO 28000 Security Management System Documents,’ was provided by Punyam Academy, an industry leader in training on international compliance standards.
Day by day, the security environment in most parts of the world is deteriorating. Not only ordinary citizens but also organisations across all industries and sectors are facing threats and incidents of theft, smuggling, terrorism, and other security issues. The uncertainty and volatility of their security environment affect their goals and objectives. In this global scenario, a large number of organisations across the world are looking for a formal approach to security management that could address their problems relating to the security of business processes and the supply chain.
In March 2022, the International Organization for Standardization (ISO) issued a new version of the ISO 28000 standard, which provides a systematic approach to solving such problems by establishing, implementing, maintaining and improving a security management system. ISO 28000:2022 covers all the aspects that are critical to the security assurance of the supply chain and directly contributes to increasing the security of the organisation’s processes, including the entire supply chain of goods, vehicles and transport infrastructure.
Organisations that are planning to establish and implement an ISO 28000 security management system, or that wish to obtain ISO 28000 certification, will need to create accurate documents and records for the security management system and control them in accordance with the requirements of ISO 28000:2022.
ISO 28000:2022 Documentation Structure
As per the ISO 28000:2022 standard, the security management system must include the documented information required by the standard, together with any documented information the organisation determines to be necessary for the effectiveness of its security management system. The documents and records of an ISO management system are collectively referred to as documented information. The complete documentation for a security management system will therefore consist of a number of items of documented information.
The standard gives the organisation flexibility in developing its security management system documentation, which may differ from organisation to organisation depending on size and type of activities, processes, products and services, the complexity of processes and their interactions, and the training and competence of personnel.
ISO 28000:2022 documented information can be prepared in any language, software version, etc., and may be kept in paper or digital form. Based on our extensive experience of implementing and certifying various ISO management systems, we recommend that organisations create a 4-tier documentation structure, as below:
- Security manual: Although it is optional, organisations should prepare one, because it gives macro-level details of how the system is implemented for all the requirements of ISO 28000:2022.
- Security management system procedures (procedures manual, process approach, etc.): Procedures are the core of the documentation system. They describe the methods for meeting the requirements of the relevant clauses of ISO 28000 and support the operation of security management system processes, establishing confidence in the system.
- SOPs, work instructions, policies, plans, exhibits, etc.: These are practical documents and should therefore be written in simple language so that users can understand them easily.
- Forms, registers and other records: These are also called ‘retained documented information’, meaning records that must be kept and remain available for a defined retention period. A record is evidence that the management system and its processes are being followed. These are supporting documents used to record and distribute information and to demonstrate that the security management system is operating effectively.
This documentation structure should cover all departments and functions within the scope of the organisation’s ISO 28000 security management system.