1、BSI Standards Publication Societal security Business continuity management systems Guidelines for supply chain continuity PD ISO/TS 22318:2015National foreword This Published Document is the UK implementation of ISO/TS 22318:2015. It supersedes PD 25222:2011 which is withdrawn. The UK participation
2、in its preparation was entrusted to Technical Committee CAR/1, Continuity and Resilience. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible
3、for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 86362 2 ICS 03.100.01 Compliance with a British Standard cannot confer immunity from legal obligations. This Published Document was published under the authority of the Standar
4、ds Policy and Strategy Committee on 31 October 2015. Amendments/corrigenda issued since publication Date Text affected PUBLISHED DOCUMENT PD ISO/TS 22318:2015 ISO 2015 Societal security Business continuity management systems Guidelines for supply chain continuity Scurit socitale Systmes de managemen
5、t de la continuit en affaires Lignes directrices pour la continuit de la chane dapprovisionnement TECHNICAL SPECIFICATION ISO/TS 22318 Reference number ISO/TS 22318:2015(E) First edition 2015-0 9-01 PD ISO/TS 22318:2015 ISO/TS 22318:2015(E)ii ISO 2015 All rights reserved COPYRIGHT PROTECTED DOCUMENT
6、 ISO 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written per
7、mission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org PD ISO/TS 22318:
8、2015 ISO/TS 22318:2015(E)Foreword v Introduction vi 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 3.1 Terms included in ISO 22300 . 1 3.2 Terms included in ISO 22301 . 3 3.3 Terms and definitions applicable to this Technical Specification . 5 4 Why supply chain continuity is impo
9、rtant 6 4.1 General . 6 4.2 Describing the supply chain 6 4.3 Dynamics of supply chains . 8 4.3.1 General 8 4.3.2 Supplier and contract lifecycle . 8 4.3.3 Who owns the risk? . 9 4.4 The essentials for SCCM 9 4.5 Benefits of effective SCCM 10 4.6 Challenges to effective SCCM .10 4.7 Key points of Cl
10、ause 4: Why supply chain continuity is important 11 5 Analysis of the supply chain .11 5.1 General 11 5.2 Considerations for analysing the supply chain 11 5.3 Define the approach 12 5.4 Structure of the analysis 12 5.5 Conducting the analysis .13 5.6 Output of analysis 14 5.7 Key points of Clause 5:
11、 Analysis of the supply chain .14 6 SCCM strategies .15 6.1 General 15 6.2 Continuity strategy options 15 6.2.1 Option 1 Accept status quo .15 6.2.2 Option 2 Reduce dependency .15 6.2.3 Option 3 Increase resilience 15 6.2.4 Option 4 Work with the supplier .16 6.2.5 Option 5 Ending the relationship 1
12、6 6.3 Including SCCM capability into a supply contract .16 6.4 Ownership of SCCM 17 6.5 Key points of Clause 6: Considering options: developing strategies .17 7 Managing a disruption in the supply chain 17 7.1 General 17 7.2 Before an incident happens 18 7.3 Incident detection and notification 18 7.
13、4 During an incident 18 7.5 Return to business as usual 19 7.6 Key points of Clause 7: Managing a disruption in the supply chain .19 8 Performance evaluation 19 8.1 General 19 8.2 Engaging with suppliers 20 8.3 Implementing an SCCM performance evaluation programme .20 8.4 Maintaining the analysis 20
14、 8.5 Outcomes of performance evaluation 21 ISO 2015 All rights reserved iii Contents Page PD ISO/TS 22318:2015 ISO/TS 22318:2015(E)8.6 Key points of Clause 8: Performance management 21 Bibliography .22 iv ISO 2015 All rights reserved PD ISO/TS 22318:2015 ISO/TS 22318:2015(E) Foreword ISO (the Intern
15、ational Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has b
16、een established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical sta
17、ndardization. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accor
18、dance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Detail
19、s of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an end
20、orsement. For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information The committee res
21、ponsible for this document is ISO/TC 292, Security and resilience. ISO 2015 All rights reserved v PD ISO/TS 22318:2015 ISO/TS 22318:2015(E) Introduction This Technical Specification expands the business continuity guidance on establishing appropriate levels of continuity management within an organiz
22、ations supply chain given in ISO 22301 and ISO 22313. It assumes that the organization seeking to establish supply chain continuity management (SCCM) is aware of the principles of business continuity management and has established, or intends to implement, a business continuity management system (BC
23、MS) broadly aligned to the established standards. It also considers the implications to the organization of suppliers of products or services that do not have adequate continuity arrangements in place. This Technical Specification will be useful to those who buy, manage or are responsible for a prod
24、uct or service that is necessary for the organization to produce its own products or services and will assist them to apply good BCM practice in line with established standards. Organizations rely on suppliers to deliver products or services on time and to agreed quality or standards. It is importan
25、t for an organization, as part of its wider approach to business continuity management, to recognize the potential impact to its activities of disruption within its supply chain. Failure by a supplier to deliver on time to an agreed quality and cost, a product or service may trigger a business disru
26、ption event. Conflicting objectives must be managed between reducing supply chain cost, for example, by reducing cycle times and buffer stock, and managing the supply chain continuity risk arising from single source and just-in-time supply approaches. This Technical Specification is relevant to both
27、 the supply of products and services from external suppliers and internal relationships within divisions of the same organization, under any type of continuing supplier relationship. It also has applicability to single one time sourcing arrangements where failure to deliver could impact the future o
28、f the organization. Suppliers are classified according to their criticality considering the impact on the organization of a disruption to the supplied products or services and the “supplier tier”, which defines that suppliers relationship with the organization. A Tier 1 supplier has a direct contrac
29、tual relationship with the organization, while a Tier 2 supplier provides products and services to a Tier 1 supplier. The same supply chain continuity considerations apply to relationships between tiers. Tier 1 suppliers would be responsible for assuring their own supply chain relationships, recogni
30、zing that the customer may need visibility of these relationships both to ensure there is adequate resilience in the supply chain beyond Tier 1 and to take account of factors such as corporate social responsibility which may require visibility of further tiers. The guidance given in this Technical S
31、pecification also has relevance to the supplier both so that it can prepare to meet the business continuity expectations of its customers and also to consider vulnerabilities which might arise from dependence on a single customer. This Technical Specification recognizes that suppliers may also compl
32、y with the requirements of the ISO 28000 series of standards for security management within the supply chain. Conformance with these standards will give organizations further confidence in the resilience of their supply chain and potentially reduces the risk of disruption when buying goods or servic
33、es. The text is aligned with the elements of business continuity management (see Figure 1).vi ISO 2015 All rights reserved PD ISO/TS 22318:2015 ISO/TS 22318:2015(E) Figure 1 Elements of business continuity management (BCM) (Source: ISO 22313:2012, Figure 5) Table 1 Elements of business continuity ma
34、nagement and relevant Clause in this Technical S p e c i f ic at ion BCMS element ISO/TS 22318 Clause Operational planning and control Clause 4 Business impact analysis and risk assessment Clause 5 Business continuity strategy Clause 6 Establish and implement business continuity procedures Clause 7
35、Exercising and testing Clause 8 ISO 2015 All rights reserved vii PD ISO/TS 22318:2015 Societal security Business continuity management systems Guidelines for supply chain continuity 1 Scope This Technical Specification gives guidance on methods for understanding and extending the principles of BCM e
36、mbodied in ISO 22301 and ISO 22313 to the management of supplier relationships. This Technical Specification is generic and applicable to all organizations (or parts thereof), regardless of type, size and nature of business. It is applicable to the supply of products and services, both internally an
37、d externally. The extent of application of this Technical Specification depends on the organizations operating environment and complexity. Supply chain management considers the full range of activities concerned with the provision of supplies or services to an organization as a part of business-as-u
38、sual. The scope of this Technical Specification is less broad in that it specifically considers the issues faced by an organization which needs continuity of supply of products and services to protect its business activities or processes, and the continuity strategies for current suppliers within su
39、pply chains, which can be used to mitigate the impact of disruption; this is SCCM. Guidance on developing a business continuity plan or business continuity management system is set out in ISO 22301 and ISO 22313. 2 Normative references The following documents, in whole or in part, are normatively re
40、ferenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO 22300, Societal security Terminology ISO 22301, Societal security B
41、usiness continuity management systems Requirements 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301, and the following apply. NOTE All terms and definitions contained in ISO 22300 are available on the ISO Online Browsing Platform:
42、www.iso.org/obp. 3.1 Terms included in ISO 22300 3.1.1 business continuity capability of the organization to continue delivery of products or services at acceptable predefined levels following disruptive incident SOURCE: ISO 22300:2012, 2.1.10 3.1.2 business impact analysis process of analysing acti
43、vities and the effect that the business disruption might have upon them SOURCE: ISO 22300:2012, 2.2.6 TECHNICAL SPECIFICATION ISO/TS 22318:2015(E) ISO 2015 All rights reserved 1 PD ISO/TS 22318:2015 ISO/TS 22318:2015(E) 3.1.3 event occurrence or change of a particular set of circumstances Note 1 to
44、entry: An event can be one or more occurrences and can have several causes. Note 2 to entry: An event can consist of something not happening. Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”. Note 4 to entry: An event without consequences can also be referred to
45、as a “near miss”, “incident”, “near hit” or “close call”. SOURCE: ISO 22300:2012, 2.1.8 3.1.4 exercise process to train for, assess, practice, and improve performance in an organization Note 1 to entry: Exercises can be used for validating policies, plans, procedures, training, equipment, and intero
46、rganizational agreements, clarifying and training personnel in roles and responsibilities, improving interorganizational coordination and communications, identifying gaps in resources, improving individual performance and identifying opportunities for improvement, and a controlled opportunity to pra
47、ctice improvisation. Note 2 to entry: A test is a unique and particular type of exercise, which incorporates an expectation of a pass or fail element within the goal or objectives of the exercise being planned. SOURCE: ISO 22300:2012, 2.4.8 3.1.5 incident situation that might be, or could lead to, a
48、 disruption, loss, emergency or crisis SOURCE: ISO 22300:2012, 2.1.15 3.1.6 mutual aid agreement pre-arranged understanding between two or more entities to render assistance to each other SOURCE: ISO 22300:2012, 2.2.13 3.1.7 prioritized activities activities to which priority must be given following
49、 an incident in order to mitigate impacts Note 1 to entry: Terms in common used to describe activities within this group include critical, essential, vital, urgent and key. SOURCE: ISO 22300:2012, 2.3.5 3.1.8 risk effect of uncertainty on objectives Note 1 to entry: An effect is a deviation from the expected: positive and/or negative. Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as