Creating & Controlling ISO 28000 Security Management System Documents

This informal CPD article, ‘Creating & Controlling ISO 28000 Security Management System Documents,’ was provided by Punyam Academy, an industry leader in training of international compliance standards.

Day-by-day, the security environment in most part of the world is deteriorating. Not only common citizens, organisations across all industries and sectors also are facing threats and incidents of theft, smuggling, terrorism, and other security issues. The uncertainty and volatility in their security environment impact on their goals and objectives. In this global scenario, large number of organisations across the world are looking towards a formal approach to security management that could solve their problems relating to the security of business processes and supply chain.

International Organization for Standardization (ISO), issued in March 2022 a new version of ISO 28000 standard that provides a systematic approach to solving such problems by establishing, implementing, maintaining and improving a security management system. ISO 28000:2022 includes all those aspects which are critical to the security assurance of the supply chain and directly contributes to increasing security of the organization’s processes, including entire supply chain of goods, vehicles and transport infrastructure.

Organisations which are planning to establish and implement ISO 28000 security management system or those who wish to get ISO 28000 certification will need to create accurate documents and records for the security management system, as well as control them in accordance with ISO 28000: 2022 requirements.

ISO 28000:2022 Documentation Structure

As per ISO 28000:2022 standard, the security management system must include documented information required by this standard and those determined by the organisation as being necessary for the effectiveness of its security management system. The documents and records of ISO management system are collectively referred to as documented information. The complete documentation for a security management system will consist of a number of documented information.

The standard allows flexibility to the organisation in developing security management system documentation, which may differ from organisation to organisation depending on their size and type of activities, processes, products and services, complexity of processes and their interactions, and training and competence of personnel.

ISO 28000:2022 documented information can be prepared in any language, software version, etc., and they could be in paper or digital form. Based on our rich experience of various ISO management system implementation and certification process, we recommend organisations to create a 4-tier documentation structure, as below:

1. Security manual: Although it is optional, organizations should prepare it, because it gives macro-level details of how the system is implemented for all the requirements of ISO 28000:2022.
2. Security management system procedures or Procedures’ manual, Process approach, etc.: Procedures are core of documentation system. They describe the methods of meeting requirements of relevant clauses of ISO 28000. They support the operation of security management system processes to establish confidence in the system
3. SOPs, Work Instructions, Policies, Plans, Exhibits, etc.: These are practical documents, and therefore, should be prepared in simple language, so that users can understand well.
4. Forms, Registers and other Records: These are also called ‘Retain documented information’, which means records that must be kept and be available for a defined retention period. Record is evidence that the management system and its processes are followed. These are supporting documents to record and distribute information and to prove that the security management system is operating effectively.

This documentation structure should cover all departments and functions within the scope of ISO 28000 security management system of the organization.

Creating ISO 28000:2022 Documentation

When establishing a new security management system based on ISO 28000 standard, an organisation will need to create the entire management system documentation structure. Depending on the type and size of organisation and its processes, it may take anything from a week to a couple of months. Help from external experts and/or use of sample documents of ISO 28000 security management system can save time in document preparation.

The top management of the organisation should form a team or task force for documentation of the security management system. This team should thoroughly read and understand the ISO 28000 security management system standard and identify the documented information required under different clauses of the standard. The team should also identify the documented information required by the organisation for smooth functioning of the ISO 28000 security management system.

The documentation team leader or the Security management system coordinator should ensure that the documented information of the ISO 28000 security management system contains its identification by means of an appropriate title, date, author, document reference number, issue number and approval authority. Once documented information is created, it should be reviewed and approved by designated person for suitability and adequacy.

Controlling ISO 28000:2022 Documented Information

ISO 28000:2022 security management system consists of a number of documents and records. Therefore, control of documented information is important for security management system. Documented information control helps to ensure that documented information is suitable, legible, and available where and when it is needed and adequately protected from loss of confidentiality, improper use, or loss of integrity.

It is important to clearly define as to where they should be kept and for how long, and who is responsible for them. The Document Controller/Authorised Person should have a list of all completed documented information, applicable to the individual departmental activities. Against each listed document the number should be shown together with the date of the latest change. It is also called a "Master Copy". It is a yardstick against which any other controlled copy can be judged. Documented information should be approved, signed (written or electronically) and dated by authorised persons. No document should be changed without authorisation and all changes must be recorded.

The bottom-line is that the documentation team of the organisation should create and control ISO 28000:2022 documented information in accordance with the requirements of the standard.

We hope this article was helpful. For more information from Punyam Academy, please visit their CPD Member Directory page. Alternatively, you can go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.