BS ISO 28004-1-2007 Security management systems for the supply chain - Guidelines for the implementation of ISO 28000《供应链安全管理系统 ISO 28000的实施指南》.pdf

1、BRITISH STANDARD BS ISO Security management systems for the supply chain Guidelines for the implementation of ISO 28000 ICS 03.100.10; 47.020.99nullnull nullnullnullnullnullnullnull nullnullnullnullnullnullnull nullnullnull nullnullnullnullnullnullnullnullnullnull nullnullnullnullnullnull nullnull n

2、ullnullnullnullnullnullnullnullnull nullnull nullnullnullnullnullnullnullnullnull nullnullnull28004-1:2007Incorporating corrigendum August 2012National forewordThis British Standard is the UK implementation of ISO 28004-1:2007, incorporating corrigendum August 2012. It supersedes DD ISO/PAS 28004:20

3、06 which is withdrawn.The UK participation in its preparation was entrusted to Technical Committee SME/32, Ships and marine technology - Steering committee.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include a

4、ll the necessary provisions of a contract. Users are responsible for its correct application.Compliance with a British Standard cannot confer immunity from legal obligations.BS ISO 28004-1:2007This British Standard waspublished under the authorityof the Standards Policy andStrategy Committeeon 31 De

5、cember 2007Amendments/corrigenda issued since publicationDate Comments 30 April 2014 Implementation of ISO corrigendum August 2012: identifier updated throughout document from ISO 28004:2007 to ISO 28004-1:2007ISBN 978 0 580 81154 8 The British Standards Institution 2014. Published by BSI Standards

6、Limited 2014Reference numberINTERNATIONAL STANDARDISOFirst edition2007-10-15Security managementsystems for the supply chain Guidelines for the implementation of ISO 28000 Systmes de management de la sret pour la chane dapprovisionnement Lignes directrices pour la mise en applicationde lISO 28000 ISO

7、 28004-1:2007(E)28004-1BS ISO 28004-1:2007ii iiiContents PageForeword ivIntroduction v1Scope . 12Normative references. 23Terms and definitions. 24Security management system elements 44.1 General requirements. 44.2 Security management policy. 54.3 Security risk assessment and planning. 84.4 Implement

8、ation and operation 204.5 Checking and corrective action 344.6 Management review and continual improvement . 49Annex A (informative) Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000 53Bibliography. 56BS ISO 28004-1:2007 ISO 28004-1:2007 (E)iv Foreword ISO (the International Or

9、ganization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member bodyinterested in a subject for which a technical committee has beenestablis

10、hed has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closel ywith the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization

11、. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.The main task of technical committees is to prepare International Standards. Draft International Standardsadopted by the technical committees are circulated to the member bodies for voting. Pub

12、lication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent

13、 rights. with other relevant technical committees responsible for specific nodes of the supply chain. This first edition of ISO 28004-1 cancels and replaces ISO/PAS 28004:2006, which has been technically revised.ISO 28004-1 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, i

14、n collaborationBS ISO 28004-1:2007 ISO 28004-1:2007 (E)vIntroduction ISO 28000:2007, Specification for security management systems for the supply chain, and this International Standard have been developed in response to the need for a recognizable supply chain management systemstandard against which

15、 their security management systems can be assessed and certified and for guidance on the implementation of such a standard. ISO 28000 is compatible with the ISO9001:2000 (Quality) and ISO 14001:2004 (Envir onmental) management systems standards. They facilitate the integration of quality, environmen

16、tal and supply chain managementsystems by organizations, should they wish to do so. This International Standard includes a box at the beginning of each clause/subclause, which gives thecomplete requirements from ISO 28000; this is followed by relevant guidance. The clause numbering of thisInternatio

17、nal Standard is aligned with that of ISO 28000. This International Standard will be reviewed or amended when considered appropriate. Reviewswill beconducted when ISO 28000 is revised.This International Standard does not purport to include all necessary provisions of a contract between supplychain op

18、erators, suppliers and stakeholders. Users are responsible for its correct application. Compliance with this International Standard does not of itself confer immunity from legal obligations. BS ISO 28004-1:2007 ISO 28004-1:2007 (E)blank1Securitymanagement systems for the supply chain Guidelines for

19、the implementation of ISO 280001 Scope This International Standard provides generic advice on the applicationof ISO28000:2007, Specification forsecurity management systems for the supply chain. It explains the underlyingprinciples of ISO28000 and describes theintent, typical inputs, processes and ty

20、picaloutputs, foreach requirement of ISO 28000. This is to aid the understanding and implementation of ISO 28000.This InternationalSt andard does not create additional requirements to those specified in ISO 28000, nor does itprescribemandatory approaches to the implementation ofISO 28000. ISO 28000

21、1 Scope This International Standard specifies the requirements for a security management s ystem, including thoseaspects critical to security assurance of the supply chain. These aspects include, but are not limited to,financing, manufacturing, information management and the facilities for packing,

22、storing and transferringgoods between modes of transport and locations. Security management is linked to many other aspects of business management. These other aspects should be considered directly, w here and when they have an impact on security management, including transporting these goods along

23、the supply chain. This International Standardis applicable to all sizes of organizations, from small to multinational, inmanufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to: a) establish, implement, maintain and improve a security managemen

24、t system; b) assure compliance with stated security management policy;c) demonstrate such compliance to others;d) seek certification/registration of its security management system by an Accredited third partyCertification Body; ore) make a self-determination and self-declaration of compliance with t

25、his International Standard. There are legislative and regulatory codes that address some of the requirements in this InternationalStandard. It is not the intention of thisInternational Standard to require duplicative demonstration of compliance. Organizations that choose third party certification ca

26、n further demonstrate that theyare contributing significantly to supply chain security. BS ISO 28004-1:2007 ISO 28004-1:2007 (E)2 2 NormativereferencesNo normative references are cited. This clause is included in order to retain clause numbering similar toISO 28000. 3 Terms and definitions ISO 28000

27、 3 Terms and definitions 3.1 facilityplant, machinery, property, buildings, veh icles, ships, port facilities and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service NOTE This definition includes any software code that is crit

28、ical to the delivery of security and the application ofsecurity management. 3.2 securityresistance to intentional, unauthorized act(s) designed to cause harm or damage to or by , the supply chain 3.3 security managementsystematic and coordinated activities and practices through which an or ganizatio

29、n optimally manages itsrisks and the associated potential threats and impacts there from3.4 security management objective specific outcome or achievement required of security in order to meet the security management policyNOTE It is essential that such outcomes are linked either directly or indirect

30、ly to providing the products, supply orservices delivered by the total business to its customers or end users.3.5 security management policyoverall intentions and direction of an organization, related to the secur ityand the framework for the control ofsecurity-related processes and activities that

31、are derived from and consistentwith the organizations policy and regulatory requirements3.6 security management programmes means bywhich a security management objective is achieved 3.7 security management targetspecific level of performance required to achieve a security management objective3.8 stak

32、eholder person or entity having a vested interest in the organizationsperformance, success or the impact of itsactivitiesNOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees,contractors, suppliers, labour organizations or society.BS ISO 28004-1

33、:2007 ISO 28004-1:2007 (E)33.9 supply chain linked set of resources and processes that begins with the sourcing of raw material and extends through the deliveryof products or services to the end user across the modes of transport NOTE The supply chain may include vendors, manufacturing facilities, l

34、ogistics providers, internaldistributioncentres, distributors, wholesalers and other entities that lead to the end user. 3.9.1 downstreamrefers to the actions, processes and movements of the cargo in the supply chain thatoccur after the cargoleaves the direct operational control of the organization,

35、 including but not limited to insurance, finance, datamanagement and the packing, storing and transferring of cargo 3.9.2 upstreamrefers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo comes under the direct operational control of the organization

36、. Including but not limited to insurance, finance, data management and the packing, storing and transferring of cargo 3.10 top management person or group of people who directs and controls an organization at the highest level NOTE Top management, especially in a large multinational organization, may

37、 not be personally involved as describedin this International Standard; however top management accountability through the chain of command shall be manifest. 3.11 continual improvement recurring process of enhancing the security management system in order to achieve improvements in overallsecurity p

38、erformance consistent with the organizations security policyFor the purposes of this document, the terms and definitions given in ISO 28000 and the following apply.3.1 risk likelihood of a security threat materializing and the consequences3.2 security clearedprocess of verifying the trustworthiness

39、of people whowill have access to security sensitive material 3.3 threatanypossible intentional action or seriesof actions with a damaging potential to anyof the stakeholders, the facilities, operations, the supply chain, society,economy or business continuity and integrityBS ISO 28004-1:2007 ISO 280

40、04-1:2007 (E)4 4 Security management system elementsFigure 1 Elements of successful security management4.1 General requirementsa) ISO 28000 requirementThe organization shall establish, document, implement, maintain and continuallyimprove an effectivesecurity management system for identifying securit

41、y threats, assessing risks and controlling and mitigating their consequences. The organization shall continually improve its effectiveness in accordance with the requirements set out in the whole of Clause 4.The organization shall define the scope of its security management system. Where an organiza

42、tion choosesto outsource any process that affects conformity with these requirements, the organization shall ensure thatsuch processes are controlled. The necessary controls and responsibilities of such outsourced processesshall be identified within the security management system.b) Intent The organ

43、ization should establish and maintain a management system that conforms to all of the requirements of ISO 28000. This may assist the organization in meeting security regulations, requirements and laws. The level of detail and complexity of the security management system, the extent of documentation

44、and the resources devoted to it are dependent on the size and complexity of an organization and the nature of its activities. Securicuritt yy managementpolii cc yySecuricuritt y p l anni ngRisk assessmentRegulatory requirementsSecurity objectives and targets Security management programmeCONTINUALIMP

45、ROVEMENT Implementatt ii on ann d operaa tioo nnResponsibilities and competence,CommunicationDocumentation Operational controlEmergency preparedness CC hh eckk ii nn gg ann d cc oo r r ective a cc tionnMeasurement andmonitoring System evaluationNon-conformance and correctiveand preventive actionReco

46、rds AuditManagement re vv ii ee ww andc ontinuu aa l improvement BS ISO 28004-1:2007 ISO 28004-1:2007 (E)5An organization has the freedom and flexibility to define its boundaries and may choose to implement ISO 28000 with respect to the entire organization or to specific operating units or activitie

47、s of the organization.Caution should be taken when defining the boundaries and scope of the management system. Organizationsshould not attempt to limit their scope so as to exclude from assessment, an operation or activity required forthe overall operation of the organization or th ose thatcan impac

48、t on the security of its em ployees and otherinterested parties. If ISO 28000 is implemented for a specific operating unit or activity, the security policies and proceduresdeveloped by other parts of the organization may be able to be used by the specific operating unit or activity to assist in meet

49、ing the requirements of ISO 28000. This may require that these security policies or proceduresare subject to minor revision or amendment, to ensure that they are applicable tothe specific operating unit oractivity. c) Typical input All input requirements are specified in ISO 28000.d) Typical output A typical output is an effectively implemented and maintained security management system that assists theorganization in continuallyseeking for improvements.4.2 Security management policyFigure 2 Security management policyBS ISO 28004-1:2007 ISO 28004-1:2007 (E)6 a) ISO 28000 re