1、 Collection of SANS standards in electronic format (PDF) 1. Copyright This standard is available to staff members of companies that have subscribed to the complete collection of SANS standards in accordance with a formal copyright agreement. This document may reside on a CENTRAL FILE SERVER or INTRA
2、NET SYSTEM only. Unless specific permission has been granted, this document MAY NOT be sent or given to staff members from other companies or organizations. Doing so would constitute a VIOLATION of SABS copyright rules. 2. Indemnity The South African Bureau of Standards accepts no liability for any
3、damage whatsoever than may result from the use of this material or the information contain therein, irrespective of the cause and quantum thereof. ISBN 978-0-626-22062-4 SANS 28003:2008 Edition 1 ISO 28003:2007 Edition 1SOUTH AFRICAN NATIONAL STANDARD Security management systems for the supply chain
4、 Requirements for bodies providing audit and certification of supply chain security management systems This national standard is the identical implementation of ISO 28003:2007 and is adopted with the permission of the International Organization for Standardization. Published by SABS Standards Divisi
5、on 1 Dr Lategan Road Groenkloof Private Bag X191 Pretoria 0001 Tel: +27 12 428 7911 Fax: +27 12 344 1568 www.sabs.co.za SABS This standard may only be used and printed by approved subscription and freemailing clients of the SABS.SANS 28003:2008 Edition 1 ISO 28003:2007 Edition 1 Table of changes Cha
6、nge No. Date Scope National foreword This South African standard was approved by National Committee SABS TC 180, Conformity assessment (CASCO), in accordance with procedures of the SABS Standards Division, in compliance with annex 3 of the WTO/TBT agreement. This SANS document was published in Novem
7、ber 2008. This standard may only be used and printed by approved subscription and freemailing clients of the SABS. Reference number ISO 28003:2007(E) ISO 2007INTERNATIONAL STANDARD ISO 28003 First edition 2007-08-01 Security management systems for the supply chain Requirements for bodies providing a
8、udit and certification of supply chain security management systems Systmes de management de la sret pour la chane dapprovisionnement Exigences pour les organismes effectuant laudit et la certification des systmes de management de la sret pour la chane dapprovisionnement SANS 28003:2008This standard
9、may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 28003:2007(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which a
10、re embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorp
11、orated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that
12、 a problem relating to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2007 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical
13、, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org
14、Published in Switzerland ii ISO 2007 All rights reservedSANS 28003:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 28003:2007(E) ISO 2007 All rights reserved iii Contents Page Foreword . iv Introduction . v 1 Scope . 1 2 Normative refer
15、ences . 1 3 Terms and definitions 2 4 Principles for certification bodies . 2 4.1 General . 2 4.2 Impartiality 3 4.3 Competence 4 4.4 Responsibility . 4 4.5 Openness . 4 4.6 Confidentiality . 4 4.7 Resolution of complaints . 4 5 General requirements 4 5.1 Legal and contractual matters . 4 5.2 Manage
16、ment of impartiality . 5 5.3 Liability and financing 6 6 Structural requirements . 6 6.1 Organizational structure and top management . 6 6.2 Committee for safeguarding impartiality . 7 7 Resource requirements . 8 7.1 Competence of management and personnel . 8 7.2 Personnel involved in the certificat
17、ion activities 8 7.3 Use of external auditors and external technical experts 10 7.4 Personnel records 11 7.5 Outsourcing . 12 8 Information requirements 13 8.1 Publicly accessible information 13 8.2 Certification documents . 13 8.3 Directory of certified clients 14 8.4 Reference to certification and
18、 use of marks 14 8.5 Confidentiality . 14 8.6 Information exchange between a certification body and its clients 15 9 Process requirements 16 9.1 General requirements applicable to any audit . 16 9.2 Initial audit and certification 18 9.3 Surveillance activities 23 9.4 Recertification . 25 9.5 Specia
19、l audits 27 9.6 Suspending, withdrawing or reducing scope of certification 27 9.7 Appeals 28 9.8 Complaints 28 9.9 Records on applicants and clients . 29 10 Management system requirements for certification bodies 30 10.1 Option 1 Management system requirements in accordance with ISO 9001 30 10.2 Opt
20、ion 2 General management system requirements . 30 Annex A (informative) Guide for process to determine auditor time . 34 Annex B (normative) Criteria for auditing organizations with multiple sites 36 Annex C (normative) Auditor education, work and audit experience and training durations 40 Annex D (
21、normative) Auditor competence requirements . 41 Bibliography . 43 SANS 28003:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 28003:2007(E) iv ISO 2007 All rights reservedForeword ISO (the International Organization for Standardization)
22、is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for whom a technical committee has been established has the right to be represe
23、nted on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. In the field of conformity as
24、sessment, the ISO Committee on conformity assessment (CASCO) is responsible for the development of International Standards and Guides. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare Interna
25、tional Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the
26、elements of this document may be the subject of patent rights. ISO 28003 was prepared jointly by the ISO Committee on conformity assessment (ISO/CASCO) and ISO/TC 8, Ships and marine technology. This first edition cancels and replaces ISO/PAS 28003:2006, which has been technically revised. ISO 28003
27、 encompasses the requirements from ISO/IEC 17021, Conformity assessment Requirements for bodies providing audit and certification of management systems. When assessing security supply chain security management systems, a number of requirements need to be met which go beyond what is required for the
28、assessment and certification of supply chain security management systems covering other operational aspects of organizations. To formulate these additional requirements, ISO/IEC 17021 has been amended or modified where needed. SANS 28003:2008This standard may only be used and printed by approved sub
29、scription and freemailing clients of the SABS.ISO 28003:2007(E) ISO 2007 All rights reserved v Introduction This International Standard is intended for use by bodies that carry out audit and certification of supply chain security management systems. Certification of supply chain security management
30、systems is a third party conformity assessment activity (see clause 5.5 of ISO/IEC 17000:2004). Bodies performing this activity are therefore third party conformity assessment bodies, named certification body/bodies in this International Standard. This wording should not be an obstacle to the use of
31、 this International Standard by bodies with other designations that undertake activities covered by the scope of this International Standard. Indeed, this International Standard will be usable by any body involved in the assessment of supply chain security management systems. Certification of supply
32、 chain security management systems of an organization is one means of providing assurance that the organization has implemented a system for supply chain security management in line with its policy. Certification of supply chain security management systems will be delivered by certification bodies a
33、ccredited by a recognized body, such as IAF members. This International Standard specifies requirements for certification bodies. Observance of these requirements is intended to ensure that certification bodies operate supply chain security management systems certification in a competent, consistent
34、 and reliable manner, thereby facilitating the recognition of such bodies and the acceptance of their certifications on a national and international basis. This International Standard will serve as a foundation for facilitating the recognition of supply chain security management systems certificatio
35、n in the interests of international trade. Certification of a supply chain security management system provides independent verification that the supply chain security management system of the organization a) conforms to specified requirements; b) is capable of consistently achieving its stated polic
36、y and objectives; c) is effectively implemented. Certification of a supply chain security management system thereby provides value to the organization, its customers and interested parties. This International Standard aims at being the basis for recognition of the competence of certification bodies
37、in their provision of supply chain security management system certification. This International Standard can be used as the basis for recognition of the competence of certification bodies in their provision of supply chain security management system certification (such recognition may be in the form
38、 of notification, peer assessment, or direct recognition by regulatory authorities or industry consortia). Observance of the requirements in this International Standard is intended to ensure that certification bodies operate supply chain security management system certification in a competent, consi
39、stent and reliable manner, thereby facilitating the recognition of such bodies and the acceptance of their certifications on a national and international basis. This International Standard will serve as a foundation for facilitating the recognition of supply chain security management system certific
40、ation in the interests of international trade. Certification activities involve the audit of an organizations supply chain security management system. The form of attestation of conformity of an organizations supply chain security management system to a specific standard (for example ISO 28000) or o
41、ther specified requirements is normally a certification document or a certificate. SANS 28003:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.ISO 28003:2007(E) vi ISO 2007 All rights reservedIt is for the organization being certified to dev
42、elop its own supply chain security management systems (including ISO 28000 supply chain security management system, other sets of specified supply chain security management system requirements, quality systems, environmental supply chain security management systems or occupational health and safety
43、supply chain security management systems) and, other than where relevant legislative requirements specify to the contrary, it is for the organization to decide how the various components of these are to be arranged. The degree of integration between the various supply chain security management syste
44、m components will vary from organization to organization. It is therefore appropriate for certification bodies that operate in accordance with this International Standard to take into account the culture and practices of their clients in respect of the integration of their supply chain security mana
45、gement system within the wider organization. SANS 28003:2008This standard may only be used and printed by approved subscription and freemailing clients of the SABS.INTERNATIONAL STANDARD ISO 28003:2007(E) ISO 2007 All rights reserved 1 Security management systems for the supply chain Requirements fo
46、r bodies providing audit and certification of supply chain security management systems 1 Scope This International Standard contains principles and requirements for bodies providing the audit and certification of supply chain security management systems according to management system specifications a
47、nd standards such as ISO 28000. It defines the minimum requirements of a certification body and its associated auditors, recognizing the unique need for confidentiality when auditing and certifying/registering a client organization. Requirements for supply chain security management systems can origi
48、nate from a number of sources, and this International Standard has been developed to assist in the certification of supply chain security management systems that fulfil the requirements of ISO 28000, Specification for security management systems for the supply chain, and other supply chain security
49、management system International Standards. The contents of this International Standard may also be used to support certification of supply chain security management systems that are based on other specified supply chain security management system requirements. This International Standard provides harmonized guidance for the accreditation of certification bodies applying for ISO 28000 (or other specified supply chain security management system requirements) certification/registration; defines the rules applicable for the aud
