BS ISO 14298-2013 Graphic technology Management of security printing processes.pdf

Uploaded by: orderah291  Document ID: 584392  Uploaded: 2018-12-15  Format: PDF  Pages: 32  Size: 1.02MB

raising standards worldwide

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

BSI Standards Publication

BS ISO 14298:2013

Graphic technology Management of security printing processes

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO 14298:2013.

The UK participation in its preparation was entrusted to Technical Committee PAI/43, Graphic technology.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2013. Published by BSI Standards Limited 2013

ISBN 978 0 580 72689 7

ICS 37.100.01

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 April 2013.

Amendments issued since publication
Date    Text affected

INTERNATIONAL STANDARD ISO 14298

First edition 2013-04-15

Graphic technology Management of security printing processes
Technologie graphique Management des procédés d'impression de sécurité

Reference number ISO 14298:2013(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2013

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56 CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the security printing management system
4.4 Security printing management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organization roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.2 Security objectives and planning to achieve them
6.3 Security printing management system planning
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
8 Operation
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity, security breaches and corrective actions
10.2 Preventive actions
10.3 Continual improvement
Annex A (normative) Determination of security requirements related to the security printing management system
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received. www.iso.org/patents

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

The committee responsible for this document is ISO/TC 130, Graphic technology.

Introduction

General

This International Standard specifies requirements for a security printing management system for security printers.

Current security printing management practices lack sufficient guarantees that effective security controls are maintained to protect the interest of the customer as well as the general public. Using this International Standard the organization establishes, documents, implements and maintains a security printing management system. This security printing management system is regularly reviewed to continually improve its effectiveness. It is recognized that customer requirements sometimes exceed the requirements of this International Standard so the security printing management system also addresses customer requirements that are beyond the scope of this International Standard.

The adoption of a security printing management system is a strategic decision of an organization. The design and implementation of an organization's security printing management system is influenced by varying needs, particular objectives, products provided, processes employed, security environment, cultural issues, legal limitations, risk assessment and by size and structure of the organization.

To achieve the objectives of this security printing management system standard measures are taken to mitigate all of the security threats determined by an organizational risk assessment. Such controls focus upon reducing, eliminating and preventing acts that compromise the security printing management system of the organization.

It is not the intent of this International Standard to obtain uniformity in the structure of the security printing management system or uniformity of documented information. The security printing management system complies with laws and regulations in force. The requirements specified in this International Standard are supplementary to requirements for products and processes of an organization and allow for additional specific requirements from the customer.

This International Standard is intended to apply to security printers. It contains requirements that when implemented by a security printer may be objectively audited for certification/registration purposes.

Process approach

This International Standard promotes the adoption of a process approach when developing, implementing and improving the effectiveness of a security printing management system.

The application of a system of processes within an organization, together with the identification and interaction of these processes, and their management, is referred to as a “process approach”. An advantage of a “process approach” is the ongoing control that it provides over the interaction between individual processes within the system of processes, as well as over their combination.

Basic principles

When implemented, the security printing management system:

a) achieves the security of products, processes, means of production, premises, information, raw material supplies;
b) is used to continue to meet demonstrably the requirements, and naturally, the needs of customers;
c) affords management the confidence that the targeted degree of security is actually achieved and remains effective;
d) affords the customers the confidence that the agreed nature and degree of security is or will be attained.

This International Standard prescribes which elements a security printing management system contains and not how a specific organization implements these elements.

Graphic technology Management of security printing processes

1 Scope

This International Standard specifies requirements for a security printing management system for security printers.

This International Standard specifies a minimum set of security printing management system requirements. Organizations ensure that customer security requirements are met as appropriate provided these do not conflict with the requirements of this International Standard.

2 Normative references

No normative references are cited.

3 Terms and definitions

For the purposes of this document the following terms and definitions apply.

NOTE Italic type in a definition indicates a cross-reference to another term defined in this clause; the number reference for the term is given in parentheses.

3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.8)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

3.2
interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive themselves to be affected by a decision or activity

3.3
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives (3.8), and processes (3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning, operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
Note 4 to entry: A management system contains documented information to direct and control the organization.

3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization then top management refers to those who direct and control that part of the organization.

3.6
effectiveness
extent to which planned activities are realized and planned results achieved

3.7
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)

3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels such as strategic, organization-wide, project, product and process (3.12).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a security objective (3.32) or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of security printing management systems security objectives (3.32) are set by the organization, consistent with the security policy, to achieve specific results.

3.9
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected, positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences (ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (ISO Guide 73:2009, 3.6.1.1) of occurrence.

3.10
competence
ability to apply knowledge and skills to achieve intended results

3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to the management system (3.4), including related processes (3.12); information created in order for the organization to operate (documentation); and evidence of results achieved (records).

3.12
process
set of interrelated or interacting activities which transforms inputs into outputs

3.13
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including services), systems or organizations (3.1).

3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization's function or process (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the outsourced function or process is within the scope.

3.15
monitoring
determining the status of a system, a process (3.12) or an activity
Note 1 to entry: To determine the status there may be a need to check, measure, supervise or critically observe.

3.16
measurement
process (3.12) to determine a value

3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are de
