Please comment on this draft book section on ISO 22000 Food Safety Management and Cybersecurity. As a food safety manager, what is your role? Do you have a role? Are you compliant with ISO 22000 and related laws, regulations, standards, and certifications?
If you would like to read the draft chapter section or to add your comments, please click the link below to access the shared Google Document. Your comments and edits will be considered for use in the final version of this section, chapter, and new book:
The call to action from the chapter section summary is:
- Conclusion for a Food Safety Manager based on NIST, ISO 27000, and ISO 27032:
- You are NOT accountable or responsible for conducting IT/ cybersecurity assessments or selecting/ implementing/ managing those systems.
- You ARE accountable for sharing your expert, functional-area insight on critical infrastructure protection (e.g., what processes are the most vulnerable and why) and ensuring your systems are covered.
- You ARE accountable for making sure you are meeting the FSMA and GFSI requirements for considering all hazards, including cybersecurity and e-commerce.
Cybersecurity is a hot topic, and it has a direct application in a food safety management system. Before you act, it is best to review the topic and assess what you should do. Start your information-gathering by reviewing the attached document.
Test your food safety-related cybersecurity knowledge in this self-assessment:
- Did you know that your food safety plan DOES have cybersecurity compliance requirements?
- Did you know that cybersecurity is mentioned in ISO 22000 Food Safety Management?
- Do you know about the NIST cybersecurity requirements?
- Do you know about CMMC? If yes, what do the letters stand for?
- When was CMMC updated? Are you still compliant?
Notes on the self-assessment:
- CMMC is the Cybersecurity Maturity Model Certification. It is a requirement for US Department of Defense contracts, and it is a benchmark for all cybersecurity systems.
- CMMC was “enhanced” on November 4, 2021, to “version 2.0.” The new system is more streamlined and has a more specific starting point. The intent is for CMMC not to be a separate standard and to utilize the NIST activity, including the NIST update process.
- CMMC 2.0 will have a roll-out period, so it is not required yet. A “final rule” goes through a review process: development of the proposed rule, publication in the US Federal Register, an open comment period, a period in which the agency reviews the comments, and a published response, before the final rule is published with a period until adoption is required.
- Just as food safety is based on ISO 22000 and GFSI, cybersecurity standards and requirements are based on the US National Institute of Standards and Technology (NIST).
- NIST created a cybersecurity framework.
- NIST has a wide range of supporting documents that are often updated. An example is Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, published on November 12, 2021.
FDA Public Meeting on Food E-Commerce (Part 4): Video Lecture on Cybersecurity and the Food Safety Manager
By John W. Spink, PhD / October 5, 2021
If FDA is asking questions about food e-commerce, then what is your role? As a food safety manager, you have a role in cybersecurity – including e-commerce – but to do what? This post includes a recent video lecture on the topic that provides for a simple call to action.
This is the fourth blog post in our multi-post series that focuses on the FDA “New Era of Smarter Food Safety” (SFS) blueprint. Other posts include a review of the FDA public meeting, an e-commerce and food fraud overview, a review of ISO cybersecurity definitions, a country-level vulnerability assessment, an explanation of supply chain mapping and the use of criminology hot spot analysis, and possibly others.
Over the last six months, we’ve intensified our focus on food fraud in the online marketplace. This post provides two resource links: (1) a video lecture on Cybersecurity and the Food Safety Manager, and (2) for your comments, a draft of the Cybersecurity and ISO 22000 section from my new book.
Our cybersecurity research started with consideration of the food fraud risks from e-commerce and online direct-to-consumer sales. Our recent activity in this area includes presentations at the 2016 IUOFST conference in Beijing and the 2017 INTERPOL/ Europol Operation Opson meeting. [1,2] In 2018, the ISO 22000 Food Safety Management scope clarified that it included “cybersecurity and food fraud.” Then, last month FDA announced their food e-commerce public meeting. Together, these were the motivation for creating this video lecture and finishing the section draft.
To support the need for training and education, we presented and recorded the topic in the PJR Registrars food safety webinar series.
- Reference: PJR Registrars, Webinar Series, Cybersecurity and the Role of the Food Safety Manager, Presented by John W Spink, September 17, 2021, URL (64 minutes): https://www.youtube.com/watch?v=AfR2iXnK9y4
The subjects included are:
- The Requirements in the Food Law and Food Safety Management Systems
  - ISO 22000 Food Safety Management (the foundation for GFSI and the food safety standards)
  - Food Safety Modernization Act (FSMA)
  - Global Food Safety Initiative (GFSI)
- General Cybersecurity standards:
  - US National Institute of Standards and Technology (NIST)
  - ISO 27000 Information Security
  - ISO 27034 Cybersecurity
- The role of the food safety manager in cybersecurity
FOR REVIEW AND COMMENT: Section Draft
This video presentation is founded on our previous research, including this draft book section. Please review and comment in the shared Google Document:
The key statements on managing cybersecurity, as presented in the video lecture and the book section, are:
- Conclusion for a Food Safety Manager based on NIST, ISO 27000, and ISO 27032:
- You are NOT accountable or responsible for conducting IT/ cybersecurity assessments or selecting/ implementing/ managing those systems.
- You ARE accountable for sharing your expert, functional-area insight on critical infrastructure protection (what processes are the most vulnerable, and why) AND assuring your systems are covered.
- You ARE accountable for making sure you are meeting the FSMA and GFSI requirements for considering all hazards, including cybersecurity and e-commerce.
This post continues to provide a foundation for the FDA food e-commerce public meeting and provides insight for your food fraud prevention strategies.
[1] Spink, John W (2016). Food Fraud and E-Commerce, Session: Food Safety and Supervision in E-Commerce, International Forum on Food Safety (IFFS), International Union of Food Science and Technology (IUOFST), April 4, 2016, Beijing.
[2] Spink, John W (2017). Food Fraud Prevention Challenges in E-Commerce [FSAI] – e-commerce and country-level assessment: a presentation at the Food Safety Authority of Ireland meeting for the EU Food Integrity Project. This covers a Food Fraud Vulnerability Assessment (initial screen or pre-filter) for an entire country for a specific product problem. This is an example of an FFVA for an entire country (18 minutes): https://www.youtube.com/watch?v=uhrkoUuOhEk