1、BRITISH STANDARDBS ISO 28000:2007Specification for security management systems for the supply chainICS 03.100.10; 47.020.99g49g50g3g38g50g51g60g44g49g42g3g58g44g55g43g50g56g55g3g37g54g44g3g51g40g53g48g44g54g54g44g50g49g3g40g59g38g40g51g55g3g36g54g3g51g40g53g48g44g55g55g40g39g3g37g60g3g38g50g51g60g53
2、g44g42g43g55g3g47g36g58BS ISO 28000:2007This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2007 BSI 2007ISBN 978 0 580 57619 5National forewordThis British Standard is the UK implementation of ISO 28000:2007. It supersedes DD ISO/PAS
3、 28000:2005 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee SME/32, Ships and marine technology Steering committee.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to i
4、nclude all the necessary provisions of a contract. Users are responsible for its correct application.Compliance with a British Standard cannot confer immunity from legal obligations.Amendments issued since publicationAmd. No. Date CommentsReference numberISO 28000:2007(E)INTERNATIONAL STANDARD ISO28
5、000First edition2007-09-15Specification for security management systems for the supply chain Spcifications pour les systmes de management de la sret pour la chane dapprovisionnement BS ISO 28000:2007ii iiiContents Page Foreword iv Introduction v 1 Scope . 1 2 Normative references . 1 3 Terms and def
6、initions. 1 4 Security management system elements 3 4.1 General requirements. 3 4.2 Security management policy . 4 4.3 Security risk assessment and planning . 4 4.4 Implementation and operation 7 4.5 Checking and corrective action 10 4.6 Management review and continual improvement . 12 Annex A (info
7、rmative) Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000 13 Bibliography . 16 BS ISO 28000:2007iv Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International
8、Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, al
9、so take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committ
10、ees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the poss
11、ibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 28000 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration with other relevant technical
12、 committees responsible for specific nodes of the supply chain. This first edition of ISO 28000 cancels and replaces ISO/PAS 28000:2005, which has been technically revised BS ISO 28000:2007vIntroduction This International Standard has been developed in response to demand from industry for a security
13、 management standard. Its ultimate objective is to improve the security of supply chains. It is a high-level management standard that enables an organization to establish an overall supply chain security management system. It requires the organization to assess the security environment in which it o
14、perates and to determine if adequate security measures are in place and if other regulatory requirements already exist with which the organization complies. If security needs are identified by this process, the organization should implement mechanisms and processes to meet these needs. Since supply
15、chains are dynamic in nature, some organizations managing multiple supply chains may look to their service providers to meet related governmental or ISO supply chain security standards as a condition of being included in that supply chain in order to simplify security management as illustrated in Fi
16、gure 1. ISO 28000:Securitymanagement systemsfor the supply chainISO20858:MaritimePortFacilitySecurityAssessmentsandSecurityPlanISO28001:BestPracticesCustodyinSupplyChainSecurityOtherspecificexistingstandardsorthosetobedeveloped.Figure 1 Relationship between ISO 28000 and other relevant standards BS
17、ISO 28000:2007vi This International Standard is intended to apply in cases where an organizations supply chains are required to be managed in a secure manner. A formal approach to security management can contribute directly to the business capability and credibility of the organization. Compliance w
18、ith an International Standard does not in itself confer immunity from legal obligations. For organizations that so wish, compliance of the security management system with this International Standard may be verified by an external or internal auditing process. This International Standard is based on
19、the ISO format adopted by ISO 14001:2004 because of its risk based approach to management systems. However, organizations that have adopted a process approach to management systems (e.g. ISO 9001:2000) may be able to use their existing management system as a foundation for a security management syst
20、em as prescribed in this International Standard. It is not the intention of this International Standard to duplicate governmental requirements and standards regarding supply chain security management to which the organization has already been certified or verified compliant. Verification may be by a
21、n acceptable first, second, or third party organization. NOTE This International Standard is based on the methodology known as Plan-Do-Check-Act (PDCA). PDCA can be described as follows. Plan: establish the objectives and processes necessary to deliver results in accordance with the organizations se
22、curity policy. Do: implement the processes. Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results. Act: take actions to continually improve performance of the security management system. BS ISO 28000:20071Specification for
23、 security management systems for the supply chain 1 Scope This International Standard specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. A
24、spects include all activities controlled or influenced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain. This International St
25、andard is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to: a) establish, implement, maintain and improve a security management system; b) assure conformance with
26、stated security management policy; c) demonstrate such conformance to others; d) seek certification/registration of its security management system by an Accredited third party Certification Body; or e) make a self-determination and self-declaration of conformance with this International Standard. Th
27、ere are legislative and regulatory codes that address some of the requirements in this International Standard. It is not the intention of this International Standard to require duplicative demonstration of conformance. Organizations that choose third party certification can further demonstrate that
28、they are contributing significantly to supply chain security. 2 Normative references No normative references are cited. This clause is included in order to retain clause numbering similar to other management system standards. 3 Terms and definitions For the purposes of this document, the following t
29、erms and definitions apply. 3.1 facility plant, machinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service NOTE This definition includes any software code that is c
30、ritical to the delivery of security and the application of security management. BS ISO 28000:20072 3.2 security resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain 3.3 security management systematic and coordinated activities and practices thro
31、ugh which an organization optimally manages its risks, and the associated potential threats and impacts therefrom 3.4 security management objective specific outcome or achievement required of security in order to meet the security management policy NOTE It is essential that such outcomes are linked
32、either directly or indirectly to providing the products, supply or services delivered by the total business to its customers or end users. 3.5 security management policy overall intentions and direction of an organization, related to the security and the framework for the control of security-related
33、 processes and activities that are derived from and consistent with the organizations policy and regulatory requirements 3.6 security management programmes means by which a security management objective is achieved 3.7 security management target specific level of performance required to achieve a se
34、curity management objective 3.8 stakeholder person or entity having a vested interest in the organizations performance, success or the impact of its activities NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour
35、 organizations, or society. 3.9 supply chain linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport NOTE The supply chain may include vendors, manufacturing facilities,
36、 logistics providers, internal distribution centers, distributors, wholesalers and other entities that lead to the end user. 3.9.1 downstream refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo leaves the direct operational control of the organi
37、zation, including but not limited to insurance, finance, data management, and the packing, storing and transferring of cargo 3.9.2 upstream refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo comes under the direct operational control of the or
38、ganization, including but not limited to insurance, finance, data management, and the packing, storing and transferring of cargo BS ISO 28000:200733.10 top management person or group of people who directs and controls an organization at the highest level NOTE Top management, especially in a large mu
39、ltinational organization, may not be personally involved as described in this International Standard; however top management accountability through the chain of command shall be manifest. 3.11 continual improvement recurring process of enhancing the security management system in order to achieve imp
40、rovements in overall security performance consistent with the organizations security policy 4 Security management system elements Figure 2 Security management system elements 4.1 General requirements The organization shall establish, document, implement, maintain and continually improve an effective
41、 security management system for identifying security threats, assessing risks and controlling and mitigating their consequences. The organization shall continually improve its effectiveness in accordance with the requirements set out in the whole of Clause 4. The organization shall define the scope
42、of its security management system. Where an organization chooses to outsource any process that affects conformity with these requirements, the organization shall ensure that such processes are controlled. The necessary controls and responsibilities of such outsourced processes shall be identified wi
43、thin the security management system. Security management policy Security planningRisk assessment Regulatory requirements Security objectives and targets Security management programme CONTINUALIMPROVEMENT Implementation and operation Responsibilities and competence, Communication Documentation Operat
44、ional control Emergency preparedness Checking and corrective actionMeasurement and monitoring System evaluation Non-conformance and corrective and preventive action Records Audit Management review and continual improvement BS ISO 28000:20074 4.2 Security management policy The organizations top manag
45、ement shall authorize an overall security management policy. The policy shall: a) be consistent with other organizational policies; b) provide the framework which, enables the specific security management objectives, targets and programmes to be produced; c) be consistent with the organizations over
46、all security threat and risk management framework; d) be appropriate to the threats to the organization and the nature and scale of its operations; e) clearly state the overall/broad security management objectives; f) include a commitment to continual improvement of the security management process;
47、g) include a commitment to comply with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes; h) be visibly endorsed by top management; i) be documented, implemented and maintained; j) be communicated to all relevant em
48、ployees and third parties including contractors and visitors with the intent that these persons are made aware of their individual security management-related obligations; k) be available to stakeholders where appropriate; l) provide for its review in case of the acquisition of, or merger with other
49、 organizations, or other change to the business scope of the organization which may affect the continuity or relevance of the security management system. NOTE Organizations may choose to have a detailed security management policy for internal use which would provide sufficient information and direction to drive the security management system (parts of which may be confidential) and have a summarized (non-confidential) version containing the broad objectives for dissemination to its stakeholders and other interested parties. 4.3 Security risk assessment and planning
