BRITISH STANDARD
BS ISO 28001:2007

Security management systems for the supply chain - Best practices for implementing supply chain security - Requirements and guidance

ICS 03.100.10; 47.020.99

NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAW

National foreword

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2007. © BSI 2007. ISBN 978 0 580 58319 3.

This British Standard is the UK implementation of ISO 28001:2007. It supersedes DD ISO/PAS 28001:2006, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee SME/32, Ships and marine technology - Steering committee.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

Amendments issued since publication: Amd. No. / Date / Comments

Reference number ISO 28001:2007(E)

INTERNATIONAL STANDARD ISO 28001
First edition 2007-10-15

Security management systems for the supply chain - Best practices for implementing supply chain security, assessments and plans - Requirements and guidance

(French title: Systèmes de management de la sûreté pour la chaîne d'approvisionnement - Meilleures pratiques pour la mise en application de la sûreté de la chaîne d'approvisionnement, évaluations et plans - Exigences et guidage)

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Field of application
4.1 Statement of application
4.2 Business partners
4.3 Internationally accepted certificates or approvals
4.4 Business partners exempt from security declaration requirement
4.5 Security reviews of business partners
5 Supply chain security process
5.1 General
5.2 Identification of the scope of security assessment
5.3 Conduction of the security assessment
5.4 Development of the supply chain security plan
5.5 Execution of the supply chain security plan
5.6 Documentation and monitoring of the supply chain security process
5.7 Actions required after a security incident
5.8 Protection of the security information
Annex A (informative) Supply chain security process
A.1 General
A.2 Identification of the scope of the security assessment
A.3 Conduction of the security assessment
A.4 Development of the security plan
A.5 Execution of the security plan
A.6 Documentation and monitoring of the security process
A.7 Continual improvement
Annex B (informative) Methodology for security risk assessment and development of countermeasures
B.1 General
B.2 Step one - Consideration of the security threat scenarios
B.3 Step two - Classification of consequences
B.4 Step three - Classification of likelihood of security incidents
B.5 Step four - Security incident scoring
B.6 Step five - Development of countermeasures
B.7 Step six - Implementation of countermeasures
B.8 Step seven - Evaluation of countermeasures
B.9 Step eight - Repetition of the process
B.10 Continuation of the process
Annex C (informative) Guidance for obtaining advice and certification
C.1 General
C.2 Demonstrating conformance with ISO 28001 by audit
C.3 Certification of ISO 28001 by third party certification bodies
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 28001 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration with other relevant technical committees responsible for specific nodes of the supply chain.

This first edition of ISO 28001 cancels and replaces ISO/PAS 28001:2006, which has been technically revised.

Introduction

Security incidents against international supply chains are threats to international trade and the economic growth of trading nations. People, goods, infrastructure and equipment, including means of transport, need to be protected against security incidents and their potentially devastating effects. Such protection benefits the economy and society as a whole.

International supply chains are highly dynamic and consist of many entities and business partners. This International Standard recognizes this complexity. It has been developed to allow an individual organization in the supply chain to apply its requirements in conformance with the organization's particular business model and its role and function in the international supply chain.

This International Standard provides an option for organizations to establish and document reasonable levels of security within international supply chains and their components. It will enable such organizations to make better risk-based decisions concerning the security in those international supply chains.

This International Standard is multimodal and is intended to be in concert with and to complement the World Customs Organization's Framework of Standards to secure and facilitate global trade (Framework). It does not attempt to cover, replace or supersede individual customs agencies' supply chain security programmes and their certification and validation requirements.

The use of this International Standard will help an organization to establish adequate levels of security within those part(s) of an international supply chain which it controls. It is also a basis for determining or validating the level of existing security within such organizations' supply chain(s) by internal or external auditors or by those government agencies that choose to use compliance with this International Standard as the baseline for acceptance into their supply chain security programmes.

Customers, business partners, government agencies and others might request organizations which claim compliance with this International Standard to undergo an audit or a validation to confirm such compliance. Government agencies might find it mutually agreeable to accept validations conducted by other governments' agencies. If a third-party organization audit is to be conducted, then the organization needs to consider employing a third-party certification body accredited by a competent body, which is a member of the International Accreditation Forum (see Annex C).

It is not the intention of this International Standard to duplicate governmental requirements and standards regarding supply chain security in compliance with the WCO SAFE Framework. Organizations that have already been certified or validated by mutually recognizing governments are compliant with this International Standard.

Outputs resulting from this International Standard will be the following.

 A Statement of Coverage that defines the boundaries of the supply chain that is covered by the security plan.
 A Security Assessment that documents the vulnerabilities of the supply chain to defined security threat scenarios. It also describes the impacts that can reasonably be expected from each of the potential security threat scenarios.
 A Security Plan that describes security measures in place to manage the security threat scenarios identified by the Security Assessment.
 A training programme setting out how security personnel will be trained to meet their assigned security related duties.

To undertake the security assessment needed to produce the security plan, an organization using this International Standard will

 identify the threats posed (security threat scenarios);
 determine how likely persons could progress each of the security threat scenarios identified by the Security Assessment into a security incident. This determination is made by reviewing the current state of security in the supply chain. Based on the findings of that review, professional judgment is used to identify how vulnerable the supply chain is to each security threat scenario. If the supply chain is considered unacceptably vulnerable to a security threat scenario, the organization will develop additional procedures or operational changes to lower likelihood, consequence or both. These are called countermeasures. Based upon a system of priorities, countermeasures need to be incorporated into the security plan to reduce the threat to an acceptable level.

Annexes A and B are illustrative examples of risk management based security processes for protecting people, assets and international supply chain missions. They facilitate both a macro approach for complex supply chains and/or more discrete approaches for portions thereof. These annexes are also intended to

 facilitate understanding, adoption and implementation of methodologies, which can be customized by organizations;
 provide guidance for baseline security management for continual improvement;
 assist organizations to manage resources to address existing and emerging security risks;
 describe possible means for assessment of risk and mitigation of security threats in the supply chain from raw materiel allocation through storage, manufacturing and transportation of finished goods to the market place.

Annex C provides guidance for obtaining advice and certification for this International Standard if an organization using it chooses to exercise this option.

Security management systems for the supply chain - Best practices for implementing supply chain security, assessments and plans - Requirements and guidance

1 Scope

This International Standard provides requirements and guidance for organizations in international supply chains to

 develop and implement supply chain security processes;
 establish and document a minimum level of security within a supply chain(s) or segment of a supply chain;
 assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.

NOTE Only a participating National Customs Agency can designate organizations as AEOs in accordance with its supply chain security programme and its attendant certification and validation requirements.

In addition, this International Standard establishes certain documentation requirements that would permit verification.

Users of this International Standard will

 define the portion of an international supply chain within which they have established security (see 4.1);
 conduct security assessments on that portion of the supply chain and develop adequate countermeasures;
 develop and implement a supply chain security plan;
 train security personnel in their security related duties.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 20858 1), Ships and marine technology - Maritime port facility security assessments and security plan development

International Convention for the Safety of Life at Sea (SOLAS), 1974, as amended, International Maritime Organization

1) To be published. Revision of ISO/PAS 20858:2004.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 appropriate law enforcement and other government officials
those government and law enforcement personnel that have specific legal jurisdiction over the international supply chain or portions of it

3.2 asset(s)
plant, machinery, property, buildings, vehicles, ships, aircraft, conveyances and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service

NOTE This definition includes any information system that is integral to the delivery of security and the application of security management.

3.3 authorized economic operator
party involved in the international movement of goods in whatever function that has been approved by or on behalf of a national customs administration as complying with WCO or equivalent supply chain security standards

NOTE 1 Authorized economic operator is a term defined in the World Customs Organization Framework of Standards.

NOTE 2 Authorized economic operators include inter alia manufacturers, importers, exporters, brokers, carriers, consolidators, intermediaries, ports, airports, terminal operators, integrated operators, warehouses and distributors.

3.4 business partner
those contractors, suppliers or service providers that an organization contracts with to assist the organization in its function as an organization in the supply chain (3.15)

3.5 cargo transport unit
road freight vehicle, railway freight wagon, freight container, road tank vehicle, railway tank wagon or portable tank

3.6 consequence
loss of life, damage to property or economic disruption, including disruption to transport systems, that can reasonably be expected as a result of an attack on an organization in the supply chain or by the use of the supply chain as a weapon

3.7 conveyance
physical instrument of international trade that transports goods from one location to another

EXAMPLES Box, pallet, cargo transport unit, cargo handling equipment, truck, ship, aircraft and railcar.

3.8 countermeasures
actions taken to lower the likelihood of a security threat scenario succeeding in its objectives, or to reduce the likely consequences of a security threat scenario

3.9 custody
period of time where an organization in the supply chain is directly controlling the manuf