International Journal of Mechanical Engineering and Technology (IJMET) Volume 9, Issue 9, September 2018, pp. 421–427, Article ID: IJMET_09_09_046 Available online at http://iaeme.com/Home/issue/IJMET?Volume=9&Issue=9 ISSN Print: 0976-6340 and ISSN Online: 0976-6359

© IAEME Publication Scopus Indexed

ATTRACTIONS OF ISO28000 FOR SECURITY OF SUPPLY CHAINS

Constantin Gehling ESB Business School, Reutlingen University, Germany

Shahryar Sorooshian Faculty of Industrial Management & Centre for Earth Resources Research and Management, Universiti Malaysia Pahang, Malaysia

ABSTRACT

This research investigates the benefits that encourage implementation of ISO28000 security management systems for supply chains. To this end, a list of benefits is presented, developed from a literature review of published journals. Journal articles and books that investigated ISO standards were used due to the lack of literature on ISO28000. Since no list of benefits of implementing security management systems can be found in the literature, the proposed list fills this gap. The findings of the study can be used in future research to explore ways to lift the supply chains by encouraging the implementation of ISO28000.

Key words: Benefits, Supply chain, ISO28000 Implementation, Security.

Cite this Article: Constantin Gehling and Shahryar Sorooshian, Attractions of ISO28000 for Security of Supply Chains, International Journal of Mechanical Engineering and Technology 9(9), 2018, pp. 421–427. http://iaeme.com/Home/issue/IJMET?Volume=9&Issue=9

1. INTRODUCTION

ISO28000 was first introduced in 2005 as ISO/PAS 28000:2005, but has since been revised by the International Organization for Standardization (ISO). The aim of this standard is to provide the requirements for an organization to implement, improve, maintain and establish a security management system [1,2]. Compared to all of the aforementioned standards and measures, ISO provides the most complete list of requirements. ISO has tried to incorporate a holistic view towards implementing a security management policy within the supply chain [3]. ISO28000 covers more aspects than any other security management standard: financing, manufacturing and information management, along with the normal logistics processes such as warehousing and transportation, are all covered by this standard [1]. Kern, Eßig & Ständer [4] suggest a multi-layered concept of . In their findings, the only standard that was capable of achieving parts of the highest security level was ISO28000.


The general format of ISO28000 is based on the ISO14000:2004 format due to its risk-based management system approach [5]. The standard is based on the Plan-Do-Check-Act (PDCA) cycle, as it focuses on continuous improvement: the supply chain is not a rigid concept and it evolves constantly [5]. The standard is applicable to companies of all sizes as well as to all stages of the supply chain, from the raw material to the final product delivery to the end consumer. It is applicable to companies that wish to implement or improve a SCS management system but also to companies that wish to show compliance with this standard to third parties. In accordance with the PDCA cycle, the International Organization for Standardization [5] has divided the standard into five main clauses [6]: security management procedure; security risk assessment and preparation; operation and implementation; checking and corrective action; and management review and continual improvement.

The security management policy of an organization looking to get ISO28000 certified has to be consistent with other organizational structures, and the top management of the organization has to visibly support and endorse the implementation [5]. The overall security management objectives and measures have to be clearly stated and available to stakeholders where needed or appropriate. Furthermore, the objectives have to reflect the nature and scale of each organization as well as include a commitment to continuous improvement [6].

Security risk assessment and planning in ISO28000 should provide a holistic view of all possible security threats to an organization. The likelihood of an event has to be considered as well as its subsequent consequences. Physical failures of company assets or resources, either through incidental or malicious damage, have to be considered, as well as failures that lie outside of the control of the organization, such as natural events (floods, storms, etc.) and failure of third party equipment or services [5]. This again shows clearly that ISO28000 takes a holistic view of all supply chain processes. Furthermore, an organization has to have an established procedure to determine and have access to the proper legal and other security regulatory requirements. Lastly, security management programs, objectives and targets have to be well documented, specific, measurable, relevant and achievable at the appropriate levels. These objectives and targets also have to be communicated throughout the entire supply chain to ensure maximum security [6].

Within implementation and operation, the structure, responsibilities and authorities of the workers have to be present, and adequate resources have to be available. Individuals in charge of overseeing or implementing the security management system have to be properly trained in their roles. Communication management of sensitive data to relevant individuals or stakeholders has to be present. Adequate documentation as well as document and data control must be present. Here it is important that only authorized individuals can access relevant documents and that documents are reviewed regularly and, if necessary, revised [5,6].

In the clause on checking and corrective action, organizations have to establish procedures to monitor the performance of the security management system. These monitoring tools should be both quantitative and qualitative and be tailored to the individual needs of the organization. The degree to which the targets and objectives set by the organization in the previous clauses are met has to be monitored as well. The entire security management system of the organization should be periodically evaluated regarding its compliance with possible new legislation and regulation. Records of the conformity to the standards have to be kept in order to guarantee transparency. A security management audit program has to be established and carried out at intervals in order to ensure that the security management system still complies with the planned objectives, is properly maintained and is still aligned with the overall company strategy [5,6].

Lastly, the top management of the organization has to periodically review the security management system. For these reviews, all documentation and actions taken in the four previous clauses are taken into account. The aim of this review is to decide on possible policy changes to the security management system, in order to achieve continuous improvement [5].

Although, as can be seen above, ISO28000 is the most holistic of the security standards addressed in this paper, it is not widely accepted or used in the industry. The International Organization for Standardization [7] published its yearly certification numbers. ISO9001 tops this list with over 1.1 million companies worldwide using this standard. The next biggest standard is ISO14001, with almost 350,000 companies accredited. ISO28000 is the standard with the fewest companies in that list. From its initial release until the end of 2016, only 356 companies worldwide received the ISO28000 accreditation. Furthermore, 277 of these 356 companies are situated in only four countries, with Hungary having 149 ISO28000-certified companies.

2. LITERATURE REVIEW ON BENEFITS

Although there is a gap in research on the implementation of ISO28000, potential benefits of this standard are itemized based on a benchmark with other ISO standards (e.g. ISO 14001 and ISO 9000).

It is evident from the literature that “enhanced brand image” is the most mentioned benefit of the implementation of standards. According to Santos et al [8], one of the benefits of ISO14001 is the enhancement of the brand or company’s image for Portuguese companies. Sambasivan et al [9] discovered in their study that one of the perceived benefits of ISO14001 implementation for Malaysian organizations is the enhanced brand image and reputation. Similarly, Mariotti et al [10] and Prajogo et al [11] found that one of the benefits of implementing ISO14001 is the enhancement of the company image in the public eye in both Saudi Arabia and Australia. Badar & Aba [12] recognize that the implementation of ISO14001 can lead to an enhanced public image and increased market share. Luthra et al [13] and Musa & Chinniah [12] mention enhanced corporate image as one of the benefits of an adoption of green supply chain management in India and Malaysia respectively.

Musa & Chinniah [12] mention the optimization of process flows in their paper on benefits of Malaysian companies implementing ISO14001. These findings have already been confirmed by Sambasivan & Fei [9], stating that the implementation of ISO14001 in Malaysian companies has led to more efficient processes. Prajogo et al [11] confirm that improvements of efficiency in operations are a benefit of ISO14001 not only in Malaysia, but also in Australia. Similarly, Mariotti et al [10] confirm that ISO14001 leads to positive effects on the organization’s efficiency in Saudi Arabia. Gould et al [14] confirm that improved efficiency is generally one of the benefits when investing in supply chain security.
Peleg-Gillai et al [1] identified that 50% of companies investing in supply chain security were able to reduce steps in their supply chain, making it more efficient.

Regarding the economic benefits, a better financial performance as well as an increased annual gross profit margin has been observed in Malaysia when implementing either green supply chain management or ISO14001 [12, 15]. Luthra et al [13] have observed an improved financial situation in Indian companies implementing green supply chain management through the increased support of customers. Gavronski et al [16] have identified a perceived financial benefit as one of the drivers for Brazilian companies implementing ISO14001.

Through the implementation of ISO14001, Malaysian SMEs have experienced a growth in customer satisfaction [12]. Similarly, Mariotti et al [10] have observed an increase in customer satisfaction as a result of the implementation of ISO14001 in Saudi Arabia. Perceived benefits in customer relationships were also a reason for Brazilian companies implementing ISO14001, according to Gavronski et al [16]. In general, Peleg-Gillai et al [1] have identified better customer satisfaction as being one of the benefits of investing in supply chain security, resulting in “26% reduction in customer attrition” as well as a customer growth of 20% in the interviewed companies.

Sambasivan & Fei [9] have identified cost reduction as a reason for Malaysian companies to seek the ISO14001 certification. Similarly, Brazilian as well as Saudi Arabian companies have reported that cost reduction is one of the benefits of and reasons for implementing ISO14001 [10, 16]. Peleg-Gillai et al [1] have reported that 38% of interviewed companies that had invested in supply chain security observed a cost reduction.

Musa & Chinniah [12] have identified meeting legal requirements or assured legal compliance as one of the benefits for Malaysian companies implementing ISO14001. One of the reasons Saudi Arabian companies implement ISO14001 is the adherence to the environmental regulation requirements [10]. In Australia, according to Prajogo et al [11], one of the reasons companies implement ISO14001 is the assurance of conformity with regulatory requirements. Santos et al [8] report that ensuring compliance with regulations is one of the major impact benefits for companies implementing ISO14001 in Portugal.

Increased competitiveness, both internationally and domestically, is another benefit for companies implementing ISO14001 in Malaysia [12]. From an Indian perspective, companies have realized that implementing ISO14001 or other sustainable initiatives is one of the ways of increasing the competitiveness of the overall company through improving the performance of the entire supply chain [13].

According to Tan [15], the implementation of ISO14001 in Malaysian companies has led to fewer injuries as well as environmental accidents. Similarly, Sambasivan & Fei [9] have acknowledged that the implementation of ISO14001 in Malaysia led to a decreased risk of environmental accidents.

Musa & Chinniah [12] have discovered that one of the internal benefits of the implementation of ISO14001 in Malaysia is an increased employee morale as well as a better platform for dialogue between the workers and the upper level management. If the staff have been involved in the implementation process of ISO14001 from the beginning, the employee morale as well as their commitment to the changes is boosted considerably in Malaysia [9].

According to Nee [13], one of the benefits of the implementation of ISO14001 in Malaysia is the encouragement through the standard to seek out continuous improvement, especially regarding environmental performance. Continuous improvement is the ability to generate new ideas, products or processes, and has as such been recognized as a benefit for Brazilian companies implementing ISO14001 [16].

Badar & Aba [12] as well as Huarng [17] acknowledge that the implementation of ISO14001 and ISO9001 has the benefit of leading to a reduced defect rate and reducing the amount of first time failures of products or processes.

De Oliveira Matias & Coelho [18] realize that due to the similarity between the ISO standards 9001 and 14001, the implementation of the second standard becomes easier once the first standard has already been implemented. The survey regarding the implementation of ISO9001 and ISO14001 conducted by Zeng et al [19] shows clearly that companies see benefits in implementing both standards. Over 40% of the companies asked see the implementation of both processes as avoiding the duplication of procedures, therefore making the implementation of the second standard easier.

The remaining benefits found in the literature were each found in only one paper and are therefore all covered in this paragraph. Peleg-Gillai et al [1] suggest that the implementation of supply chain safety measures increases the visibility of the supply chain. Furthermore, 30% of the interviewed companies saw higher supply chain resilience, due to a reduction in problem identification times as well as response times, as a benefit. Additionally, a reduction in inventory as well as reduced cycle times and shipping times is another benefit of investing in supply chain security [1]. Gould et al [14] identify the improvement of security as one of the main benefits. Poksinska et al [20] identify an improved employee performance, which shows through an increased productivity in the organizations, for companies that implemented ISO14001 in Sweden. Zailani et al [21] state that initial investments in supply chain security are needed and therefore the investment into one initiative will make it easier to support other supply chain security initiatives. Aba & Badar [12] argue that one of the benefits of the implementation of ISO9001 is a reduction of costs resulting from customer claims through better quality, and therefore also fewer customer audits and inspections. Gotzamani & Tsiotras [22] claim that one of the reasons companies adopt ISO9001 is that it is a part of their overall quality strategy and therefore also part of their overall business goals. An increased respect from competitors was another benefit of the implementation of ISO9001 [23]. Prajogo et al [11] argue that the implementation of ISO14001, and therefore a greater green orientation, in Australian companies has led to an increase of confidence by stakeholders in the organization.

Table 1 presents the benefits of ISO28000 implementation derived from the literature review. The validity of the benefits was confirmed by presenting the list to a panel of experts in the field and discussing it with them.

Table 1 Benefits of implementing ISO28000 Security Standard

| Benefits | Source |
|---|---|
| Enhanced brand image | [8-13], [24], [25] |
| More efficient supply chain processes | [1], [9-12], [14] |
| Economic Benefits | [12], [13], [15], [16] |
| Increased customer growth and satisfaction | [1], [12], [10], [16], [25] |
| Cost reduction | [1], [12], [9], [10], [24] |
| Meet regulation requirements | [8], [10], [11], [12] |
| Increased competitiveness | [12], [13], [15] |
| Less injuries / environmental accidents | [9], [15], [24] |
| Increased employee morale | [12], [9] |
| Continuous improvement | [13], [16] |
| Reduced failure rate | [12], [17] |
| Able to integrate with other standards | [18], [19] |
| Improved security | [16] |
| Improve supply chain resilience | [1] |
| Improved inventory management | [1] |
| Reduced cycle time and shipping time | [1] |
| Increased employee performance | [20] |
| Strengthened stakeholder confidence | [11] |
| Help to support/manage all type of security programs | [21] |
| Fewer customer compliance audits and inspections | [12] |
| Achieve organization’s objectives and business goals | [22] |
| Gained respect from competitor | [23] |
| Higher supply chain visibility | [1] |


3. CONCLUSIONS

This research can be used as the basis for future studies on this topic. For practitioners as well as regulators, this study can be used as proof of the benefits that the implementation of security standards and security management systems has for all stakeholders involved in the industry. Government regulators can use the benefits within this study to develop and adjust regulations in order to improve the security of the supply chains and the surrounding communities. Companies can use the benefits highlighted in this research to justify the implementation of ISO28000 security standards.

ACKNOWLEDGMENT

This study thanks University Malaysia Pahang for flagship grant RDU172205.

REFERENCES

[1] B. Peleg-Gillai, G. Bhat, and L. Sept, “Innovators in Supply Chain Security,” Manuf. Innov. Ser., no. July, pp. 1–38, 2006.
[2] V. D. Majstorović and V. Marinković, “The development of business standardization and integrated management systems,” J. Med. Biochem., vol. 30, no. 4, pp. 334–345, 2011.
[3] J. Hintsa, “A comprehensive framework for analysis and design of supply chain security standards,” J. Transp. Secur., vol. 3, no. 2, pp. 105–125, 2010.
[4] E. Kern, M. Eßig, and B. Ständer, “Management von Sicherheit in Supply Chains,” Ind. Manag., vol. 23, no. 5, pp. 63–66, 2007.
[5] International Organization for Standardization, Specification for security management systems for the supply chain (ISO 28000: 2007). 2007.
[6] E. Lapachelle, M. Bislimi, and B. Ajvazi, “ISO 28000 Supply Chain Security Management Systems,” 2015.
[7] International Organization for Standardization, “The ISO Survey of Management System Standard Certifications 2016,” 2017.
[8] G. Santos, M. Rebelo, N. Lopes, M. R. Alves, and R. Silva, “Implementing and certifying ISO 14001 in Portugal: motives, difficulties and benefits after ISO 9001 certification,” Total Qual. Manag. Bus. Excell., vol. 27, no. 11–12, pp. 1211–1223, 2016.
[9] M. Sambasivan and N. Y. Fei, “Evaluation of critical success factors of implementation of ISO 14001 using analytic hierarchy process (AHP): a case study from Malaysia,” J. Clean. Prod., vol. 16, no. 13, pp. 1424–1433, 2008.
[10] F. Mariotti, N. Kadasah, and N. Abdulghaffar, “Motivations and barriers affecting the implementation of ISO 14001 in Saudi Arabia: an empirical investigation,” Total Qual. Manag. Bus. Excell., vol. 25, no. 11–12, pp. 1352–1364, 2014.
[11] D. Prajogo, A. K. Y. Tang, and K. H. Lai, “Do firms get what they want from ISO 14001 adoption?: An Australian perspective,” J. Clean. Prod., vol. 33, pp. 117–126, 2012.
[12] E. K. Aba and M. A. Badar, “A Review of the Impact of ISO 9000 and ISO 14000 Certifications,” J. Technol. Stud., vol. 39, no. 1, pp. 42–50, 2013.
[13] S. Luthra, D. Garg, and A. Haleem, “An analysis of interactions among critical success factors to implement green supply chain management towards sustainability: An Indian perspective,” Resour. Policy, vol. 46, pp. 37–50, 2015.
[14] J. E. Gould, C. Macharis, and H.-D. Haasis, “Emergence of security in supply chain management literature,” J. Transp. Secur., vol. 3, no. 4, pp. 287–302, 2010.
[15] L. P. Tan, “Implementing ISO 14001: Is it beneficial for firms in newly industrialized Malaysia?,” J. Clean. Prod., vol. 13, no. 4, pp. 397–404, 2005.
[16] I. Gavronski, G. Ferrer, and E. L. Paiva, “ISO 14001 certification in Brazil: motivations and benefits,” J. Clean. Prod., vol. 16, no. 1, pp. 87–94, 2008.
[17] F. Huarng, “Integrating ISO 9000 with TQM spirits: a survey,” Ind. Manag. Data Syst., vol. 9(9), no. 8, pp. 373–379, 199(9).
[18] J. C. De Oliveira Matias and D. A. Coelho, “The integration of the standards systems of quality management, environmental management and occupational health and safety management,” Int. J. Prod. Res., vol. 40, no. 15, pp. 3857–3866, 2002.
[19] S. X. Zeng, P. Tian, and J. J. Shi, “Implementing integration of ISO 9001 and ISO 14001 for construction,” Manag. Audit. J., vol. 20, no. 4, pp. 394–407, 2005.
[20] B. Poksinska, J. Jörn Dahlgaard, and J. A. E. Eklund, Implementing ISO 14000 in Sweden: motives, benefits and comparisons with ISO 9000, vol. 20, no. 5. 2003.
[21] S. H. Zailani, K. Seva Subaramaniam, M. Iranmanesh, and M. R. Shaharudin, “The impact of supply chain security practices on security operational performance among logistics service providers in an emerging economy: Security culture as moderator,” Int. J. Phys. Distrib. Logist. Manag., 2015.
[22] K. D. Gotzamani and G. D. Tsiotras, “The true motives behind ISO 9000 certification,” Int. J. Qual. Reliab. Manag., vol. 19, no. 2, pp. 151–169, 2002.
[23] M. Casadesús and G. Giménez, “The benefits of the implementation of the ISO 9000 standard: empirical research in 288 Spanish companies,” TQM Mag., vol. 12, no. 6, pp. 432–441, 2000.
[24] S. Sorooshian, Lim Cai Qi, and Lee Li Fei, “Characterization of ISO 14001 implementation,” Environmental Quality Management, vol. 27, no. 3, pp. 97–105, 2018. https://doi.org/10.1002/tqem.21532
[25] S. Sorooshian and Khaw Chin Ting, “Reasons for implementing ISO14001 in Malaysia,” Environmental Quality Management, 2018. https://doi.org/10.1002/tqem.21561
