Attractions of ISO28000 for Security of Supply Chains

International Journal of Mechanical Engineering and Technology (IJMET)
Volume 9, Issue 9, September 2018, pp. 421–427, Article ID: IJMET_09_09_046
Available online at http://iaeme.com/Home/issue/IJMET?Volume=9&Issue=9
ISSN Print: 0976-6340 and ISSN Online: 0976-6359
© IAEME Publication, Scopus Indexed

ATTRACTIONS OF ISO28000 FOR SECURITY OF SUPPLY CHAINS

Constantin Gehling
ESB Business School, Reutlingen University, Germany

Shahryar Sorooshian
Faculty of Industrial Management & Centre for Earth Resources Research and Management, Universiti Malaysia Pahang, Malaysia

ABSTRACT

This research investigates the benefits that encourage implementation of ISO28000 security management systems for supply chains. Hence, a list of benefits is presented from exploring published journals as a literature review. Journal articles and books that investigated ISO standards were used due to the lack of literature on ISO28000. A list of benefits was developed. Since there is no list of benefits of implementing security management systems to be found in the literature, the proposed list fills the gap in the literature. The findings of the study can be used in future research to explore ways to lift supply chains by encouraging the implementation of ISO28000.

Key words: Benefits, Supply chain, ISO28000 Implementation, Security.

Cite this Article: Constantin Gehling and Shahryar Sorooshian, Attractions of ISO28000 for Security of Supply Chains, International Journal of Mechanical Engineering and Technology 9(9), 2018, pp. 421–427. http://iaeme.com/Home/issue/IJMET?Volume=9&Issue=9

1. INTRODUCTION

ISO28000 was first introduced in 2005 as ISO/PAS 28000:2005, but has since been revised by the International Organization for Standardization (ISO). The aim of this standard is to provide the requirements for an organization to implement, improve, maintain and establish a security management system [1,2].

Compared to all of the aforementioned standards and measures, ISO provides the most complete list of requirements. ISO has tried to incorporate a holistic view towards implementing a security management policy within the supply chain [3]. ISO28000 covers more aspects than any other security management standard, as financing, manufacturing and information management, along with the normal logistics processes such as warehousing and transportation, are all covered by this standard [1]. Kern, Eßig & Ständer [4] suggest a multi-layered concept of supply chain management. In their findings, the only standard that was capable of achieving parts of the highest security level was ISO28000.

The general format of ISO28000 is based on the ISO14000:2004 format due to its risk-based management system approach [5]. The standard is based on the Plan-Do-Check-Act (PDCA) cycle, as it focuses on continuous improvement because the supply chain is not a rigid concept and evolves constantly [5]. The standard is applicable to companies of all sizes and to all stages of the supply chain, from the raw material to the final product delivery to the end consumer. It is applicable to companies that wish to implement or improve a SCS management system, but also to companies that wish to show compliance with this standard to third parties. In accordance with the PDCA cycle, the International Organization for Standardization [5] has divided the standard into five main clauses [6]: Security management procedure; Security risk assessment and preparation; Operation and implementation; Checking and corrective action; and Management review and continual improvement.

The security management policy of an organization looking to get ISO28000 certified has to be consistent with other organizational structures, and the top management of the organization has to visibly support and endorse the implementation [5]. The overall security management objectives and measures have to be clearly stated and available to stakeholders where needed or appropriate. Furthermore, the objectives have to reflect the nature and scale of each organization as well as include a commitment to continuous improvement [6].

Security risk assessment and planning in ISO28000 should provide a holistic view of all possible security threats to an organization. The likelihood of the event has to be considered as well as the subsequent consequences. Physical failures of company assets or resources, either through incidental or malicious damage, have to be considered, as well as failures which lie outside of the control of the organization, such as natural events (floods, storms, etc.) and failure of third-party equipment or services [5]. This again shows clearly that ISO28000 has a holistic view of all supply chain processes. Furthermore, an organization has to have an established procedure to determine and have access to the proper legal and other security regulatory requirements. Lastly, security management programs, objectives and targets have to be well documented, specific, measurable, relevant and achievable at the appropriate levels. These objectives and targets also have to be communicated throughout the entire supply chain to ensure maximum security [6].

Within implementation and operation, the structure, responsibilities and authorities of the workers have to be defined and adequate resources have to be available. Individuals in charge of overseeing or implementing the security management system have to be properly trained in their roles. Communication management of sensitive data to relevant individuals or stakeholders has to be present. Adequate documentation as well as document and data control must be present. Here it is important that only authorized individuals can access relevant documents and that documents are reviewed and, if necessary, revised regularly [5,6].

In the clause checking and corrective action, organizations have to establish procedures to monitor the performance of the security management system. These monitoring tools should be both quantitative and qualitative and be tailored to the individual needs of the organization. The degree to which the targets and objectives set by the organization in the previous clauses are met has to be monitored as well. The entire security management system of the organization should be periodically evaluated regarding compliance with possible new legislation and regulation. Records of the conformity to the standards have to be kept in order to guarantee transparency. A security management audit program has to be established and carried out at intervals in order to ensure that the security management system still complies with the planned objectives, is properly maintained and is still aligned with the overall company strategy [5,6].

Lastly, the top management of the organization has to periodically review the security management system. For these reviews, all documentation and actions taken in the four previous clauses are taken into account. The aim of this review is to decide on possible policy changes of the security management system, in order to achieve continuous improvement [5].

Although, as can be seen above, ISO28000 is the most holistic of the security standards addressed in this paper, it is not widely accepted or used in the industry. The International Organization for Standardization [7] published its yearly certification numbers. ISO9001 tops this list with over 1.1 million companies worldwide using this standard. The next biggest standard is the ISO14001 standard with almost 350,000 companies accredited. ISO28000 is the standard with the smallest number of companies in that list. From its initial release until the end of 2016, only 356 companies worldwide received the ISO28000 accreditation. Furthermore, 277 of these 356 companies are situated in only four countries, with Hungary having 149 ISO28000 certified companies.

2. LITERATURE REVIEW ON BENEFITS

Although there is a gap in research on implementation of ISO28000, potential benefits for this standard are itemized based on a benchmark with other ISO standards (e.g. ISO 14001 and ISO 9000).

It is evident from the literature that “enhanced brand image” is the most mentioned benefit of the implementation of standards. According to Santos et al [8], one of the benefits of ISO14001 is the enhancement of the brand or company's image for Portuguese companies. Sambasivan et al [9] discovered in their study that one of the perceived benefits of ISO14001 implementation for Malaysian organizations is the enhanced brand image and reputation. Similarly, Mariotti et al [10] and Prajogo et al [11] found that one of the benefits of implementing ISO14001 is the enhancement of the company image in the public eye in both Saudi Arabia and Australia. Badar & Aba [12] recognize that the implementation of ISO14001 can lead to an enhanced public image and increased market share. Luthra et al [13] and Musa & Chinniah [12] mention enhanced corporate image as one of the benefits of an adoption of green supply chain management in India and Malaysia respectively.

Musa & Chinniah [12] mention the optimization of process flows in their paper on benefits of Malaysian companies implementing ISO14001. These findings have already been confirmed by Sambasivan & Fei [9], stating that the implementation of ISO14001 in Malaysian companies has led to more efficient processes. Prajogo et al [11] confirms that
