ISO 28007:2015 - Marine Technology
ISO 28007 was published in 2015 and replaces ISO/PAS 28007:2012 which was introduced due to rapid growth in the number of maritime security companies and the implications of using PCASP (legal issues, safety concerns for seafarers and varying national regulations).
ISO 28007 gives guidelines containing additional sector-specific requirements, which PMSCs wishing to comply with ISO 28000 can implement to demonstrate that they provide appropriate PCASP services on board ships. Compliance with the ISO 28007 specification is demonstrated by ISO 28000 certification.
The supply chains of commerce are increasingly complex and vulnerable – particularly at sea. Providing assurance up and down the chain helps generate competitive edge and reduces reputational risk and costs. The security of seaborne trade underpins much international trade – particularly as emerging economies seek to exploit and export their materials.
The combination of ISO 28000 and ISO 28007 provides organisations and agencies with assurance that the highest level of performance is enshrined.
Tips for implementation
Ensure senior management buy-in.
As with all standards, the development and implementation of a formal security management system must be driven from the very top of your organisation to ensure that there is the management commitment to deliver. The implementation of a management systems approach requires the buy-in of the top management team, a clear policy providing strategic direction, achievable goals, the involvement of everyone within the organisation and an understanding that this is a long-term commitment.
Ensure that there is a clear and realistic plan.
Many organisations underestimate the time required to complete the development and implementation process, and this can overload the management or team responsible. This is usually due to a lack of understanding of the scale of the development requirements, the certification process and the need to develop internal competence or put support in place. Be realistic, and take the time to get the development right and embedded within the organisation.
Ensure conformance with the two standards and compliance with legal and other requirements.
The security management system must meet the requirements of both ISO 28000 and the sector-specific requirements for PMSCs in ISO/PAS 28007. This sounds an obvious point but is not always fully understood. The certification standard is ISO 28000; therefore, you must ensure that your security management system is designed and developed to meet the requirements of this standard and the additional sector-specific requirements within ISO/PAS 28007. Whilst ISO/PAS 28007 does provide a lot of specific detail for the majority of the system requirements and processes, there are elements it does not cover, such as the procedure requirements for the security risk assessment, which are defined in section 4.3 of ISO 28000. Your organisation will need to ensure that it can demonstrate compliance with the specific legal requirements in ISO/PAS 28007, such as firearms and licensing, employment law, home and flag State requirements and all other requirements relevant to its operations, including Human Rights obligations and ICOC requirements where it is a signatory.
Ensure that the PMSC supply chain is effectively mapped and all security threats and risks from its activities and operations are understood and effectively managed.
Understanding the supply chain of your organisation, its stakeholders and their interactions is fundamental to getting the scope and coverage of the security risk assessment right. Organisations sometimes overlook elements of their supply chain, focusing in one direction (typically upstream), and can therefore miss business and security threats in the assessment process which could have an impact on them and on the wider supply chain. A simple mapping exercise to define interactions upstream and downstream at the start of the process can ensure that the coverage is correct before the detailed assessment begins. In addition, the majority of PMSCs have a clear focus on and understanding of the operational security requirements, and these are usually well represented in their assessment approach. The associated security threats in other areas, such as information security and physical security, must also be included, and their impact should be considered against all operations and business activities. These are all areas that could affect the business, so it is important to ensure that your mitigations and controls are effective and to evaluate their capability through exercises and tests. For the operational activities, the exercises should evaluate the effectiveness of the integration between the ship’s security system and the PCASP security plans.
Ensure you have appropriate expertise or support to develop your security management system to meet the requirements of the standard.
Most organisations have at least an understanding of formal management system requirements through standards such as ISO 9001. As a PMSC, you should ensure that there is appropriate competence within the organisation, or external support, to develop or revise system processes to include the security management requirements of ISO/PAS 28007. This can be delivered by assessing the competence and development needs of existing staff and training them accordingly. Whilst this is a developing area, there is information, support and training available, such as ISO 28000 & ISO/PAS 28007 Awareness training for managers and ISO/PAS 28007 or other Internal Auditor courses. This will ensure understanding, but it will also take time to complete and must be added to the plan. ISO 28001 and ISO 28004 provide information and guidance to organisations implementing security management systems. There is also useful information available, such as the Cyber Security Guidance for Business, which gives advice on protecting business systems and is available through the BIS website.
Ensure that your management system is aligned with the business operations and existing systems (a ‘One Business’ approach).
Understanding the benefits to your organisation and stakeholders is important in selling the change required and in delivering the real business benefits of effective implementation. Developing a formal security management system provides an overall structure that supports the effective management of the business, helps improve service delivery, and helps you understand the business and its security threats and assess risks. The benefits of adopting a systems approach which is aligned to operations and functions include: formal systems that support the operations and activities rather than working against them or creating barriers; clearer understanding of threats to the business; consistency of best-practice approaches across the organisation; and the capability to deliver compliance with the legal obligations and other requirements of its operations.
Where there are formal systems in place consider an integrated approach.
All organisations are different and, when it comes to management systems, one size or approach does not fit all. However, if your organisation is embarking on the development of a security management system, it should at least consider an integrated approach at the concept stage, since making the change later, after the systems have been implemented and the certification process completed, can be resource intensive. Guidance on the requirements for an integrated management system is available in PAS 99 and can be considered.
Understand the certification process, what is involved and time frames.
Your organisation should spend time researching and considering the selection of its certification body, identifying its needs and ensuring that they are delivered in the process. This could include any existing standards and the scale of the operations. Having a clear understanding of the certification process, its stages and its requirements ensures that your organisation will be suitably prepared to successfully complete the assessment process. It also ensures that the assessment time frames fit with the organisation’s resourcing and your implementation plan.
Embrace change and help your team to adapt.
Developing a management system that meets the formal requirements of ISO 28000 and ISO/PAS 28007, and that is assessed and certified by an accredited certification body, is a significant commitment. The challenges to the organisation are many but, with appropriate commitment and drive, they can be resolved. You should be prepared for the development process and for the change that usually results from the implementation of formalised approaches. Your organisation must ensure that the goals and objectives set are clearly understood, and that the potential benefits are understood, in order to secure the buy-in of all staff. Without this, your organisation may fail to fully embed the requirements and may not achieve the real business and security benefits.
Establish relevant performance improvement objectives and monitoring parameters.
This area is particularly important in ensuring that the security management system aligns with the business goals and supports the delivery of continual improvement. You should ensure that the objectives set are aligned with the business goals in the policy and are driven by the output of the security risk assessment process or other sources. The security objectives need to be clearly stated, confirmed at the highest level and cascaded into all functions of the organisation so that they are understood and relevant to the activities of each department or team. Effective monitoring of the performance of the business activities and of the security status is essential to understanding the true situation and risk level.