ISO 28000 - The Supply Chain Quiz

By Catherine Halcomb (Community Contributor) | Questions: 15
1. The standard ISO 28000 specifies the requirement for:

Explanation

ISO 28000 is a standard that outlines the requirements for a security management system for the supply chain. This means that organizations need to establish and maintain a system to manage security risks within their supply chain, ensuring the safety and integrity of goods and services throughout the entire process. This includes implementing measures to prevent theft, damage, and unauthorized access to goods, as well as ensuring compliance with relevant laws and regulations. The standard aims to enhance the security and resilience of supply chains, ultimately protecting organizations and their stakeholders from potential security threats.

About This Quiz

ISO 28000:2007 is an ISO standard published by the International Organization for Standardization which includes requirements of a security management system, particularly dealing with security assurance in the supply chain. The standard was developed by ISO/TC 8 on "Ships and maritime technology" and published in 2007.

2. According to ISO 28000, security risk assessment shall consider risks due to:

Explanation

According to ISO 28000, security risk assessment should consider risks due to physical failure threats and risks, operational threats and risks, as well as stakeholder threats and risks. This means that when conducting a security risk assessment, all these factors should be taken into account to ensure a comprehensive evaluation of potential risks and vulnerabilities.

3. To be a first-party internal auditor, a person has to be:

Explanation

The correct answer is "A competent internal auditor" because being a first-party internal auditor requires having the necessary skills, knowledge, and experience to effectively perform internal audits within an organization. This role involves assessing and evaluating the organization's internal controls, risk management processes, and compliance with policies and regulations. Being a downstream or upstream vendor is not a requirement for being a first-party internal auditor.

4. According to ISO 28000, security management objectives shall be:

Explanation

According to ISO 28000, security management objectives should be communicated, documented, and reviewed periodically. This means that the objectives should be clearly communicated to all relevant stakeholders, documented in a formal manner, and regularly reviewed to ensure their effectiveness and relevance. This ensures that the security management system remains up-to-date and aligned with the organization's goals and commitments. The other options, such as being consistent with supplier evaluation ratings, a one-time activity, or approved by a regulatory body, do not align with the requirements stated in ISO 28000.

5. "Action to eliminate the cause of a nonconformity and to prevent recurrence" is called:

Explanation

Corrective action is the appropriate term for the action taken to eliminate the cause of a nonconformity and prevent its recurrence. It involves identifying the root cause of the nonconformity, implementing measures to address it, and ensuring that the issue does not happen again in the future. This is different from correction, which refers to the action taken to rectify the nonconformity itself, without necessarily addressing the underlying cause. Preventive action, on the other hand, focuses on taking proactive measures to prevent nonconformities from occurring in the first place. Security failure is unrelated to the concept described in the question.

6. PDCA refers to:

Explanation

The correct answer is "Plan Do Check Act." PDCA refers to a four-step management method used for continuous improvement. It starts with planning, where goals and objectives are set. Then, actions are taken to implement the plan. Next, the results are checked and compared to the desired outcomes. Finally, adjustments are made to correct any issues and improve future performance.

7. The documented procedure for security risk assessment includes:

Explanation

The correct answer is "All of the above" because the documented procedure for security risk assessment includes all three components mentioned in the options. It involves identifying security threats, determining the risks associated with those threats, and indicating the level of risks and whether they are tolerable or not. This comprehensive approach ensures that all potential security risks are considered and evaluated properly.

8. ISO 28000:2007 requires that the security policy:

Explanation

ISO 28000:2007 requires that the security policy includes several elements. First, it must provide a framework that enables the specific security management objectives, targets, and programs to be produced. This means that the policy should outline the overall goals and plans for security management within the organization. Second, the security policy should be consistent with the organization's overall security threat and risk management framework. This ensures that security measures are aligned with the organization's specific risks and threats. Third, the policy should include a commitment to the continual improvement of the security management process. This means that the organization should continuously strive to enhance its security practices. Lastly, the security policy should be documented, implemented, and maintained. This ensures that the policy is properly communicated and followed throughout the organization. Therefore, all of the above elements are required in the security policy according to ISO 28000:2007.

9. Security management programmes are:

Explanation

Security management programmes are the means (methods or strategies) used to achieve a security management objective. These programmes set out the specific steps and actions that need to be taken in order to reach the desired level of security within an organization. They provide a structured approach to addressing security risks and implementing the measures necessary to protect against potential threats.

10. In accordance with ISO 28000, which of the following requires records to be retained by the organization?

Explanation

ISO 28000 requires organizations to retain records for various aspects, including training and competence records, security inspection reports, and reports of security exercises and drills. This means that the organization must keep a record of the training and competence of its personnel, maintain records of security inspections conducted, and retain reports of security exercises and drills undertaken. By retaining these records, organizations can demonstrate compliance with ISO 28000 requirements and ensure the effectiveness of their security management system.

11. As per the ISO 28000 standard, internal audits shall be conducted:

Explanation

The correct answer is "At planned intervals." According to the ISO 28000 standard, internal audits should be conducted at regular intervals that are planned in advance. This ensures that the organization's security management system is regularly assessed and evaluated for compliance and effectiveness. Conducting audits at planned intervals allows for a systematic and proactive approach to identifying areas for improvement and ensuring ongoing compliance with the standard's requirements.

12. Risk is defined as:

Explanation

The correct answer is "likelihood of a security threat materializing and the consequences." This definition of risk refers to the probability of a security threat occurring and the potential negative impact it could have. It encompasses both the chance of a threat happening and the potential consequences that could result from it.

13. ISO 28000 section 4.4.1 requires the organization to:

Explanation

ISO 28000 section 4.4.1 requires organizations to appoint a member of the top management with overall responsibility and establish and maintain a structure of roles, responsibilities, and authorities. These two points are mentioned in the given options, indicating that both of them are required by the standard. The option "Above two points" correctly summarizes the requirements stated in ISO 28000 section 4.4.1.

14. Internal audit must be conducted by:

Explanation

Internal audit must be conducted by trained auditors because they possess the necessary skills, knowledge, and expertise to effectively evaluate and assess the organization's internal controls, risk management processes, and compliance with policies and regulations. Trained auditors are familiar with auditing standards and methodologies, which enables them to conduct thorough and objective audits. Their training ensures that they can identify areas of improvement, recommend corrective actions, and provide valuable insights to management. Competent personnel may not have the specific training and expertise required for conducting internal audits, and a certification body is not responsible for conducting internal audits.

15. To address the root cause(s) of a nonconformity, the company will implement:

Explanation

To address the root cause(s) of a nonconformity, the company will implement one or several corrective actions. This means that the company will take specific actions to correct the issue at hand and prevent it from happening again in the future. These actions may include making changes to processes, procedures, or systems, providing additional training or resources, or implementing new controls or measures. By taking corrective actions, the company aims to eliminate the root cause of the nonconformity and prevent its recurrence.


Quiz Review Timeline (Updated): Mar 21, 2023
  • Mar 21, 2023: quiz edited by ProProfs Editorial Team (current version)
  • May 04, 2021: quiz created by Catherine Halcomb