1、raising standards worldwideNO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBSI Standards PublicationBS ISO 28002:2011Security managementsystems for the supplychain Development ofresilience in the supply chain Requirements with guidancefor useBS ISO 28002:2011 BRITISH STANDARDNa
2、tional forewordThis British Standard is the UK implementation of ISO 28002:2011.The UK participation in its preparation was entrusted to TechnicalCommittee SME/32, Ships and marine technology - Steeringcommittee.A list of organizations represented on this committee can beobtained on request to its s
3、ecretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. BSI 2011ISBN 978 0 580 70768 1ICS 03.100.10; 47.020.99Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standa
4、rd was published under the authority of theStandards Policy and Strategy Committee on 31 August 2011.Amendments issued since publicationDate Text affectedBS ISO 28002:2011Reference numberISO 28002:2011(E)ISO 2011INTERNATIONAL STANDARD ISO28002First edition2011-08-01Security management systems for th
5、e supply chain Development of resilience in the supply chain Requirements with guidance for use Systmes de management de la scurit pour la chane dapprovisionnement Dveloppement de la rsilience dans la chane dapprovisionnement Exigences avec mode demploi BS ISO 28002:2011ISO 28002:2011(E) COPYRIGHT P
6、ROTECTED DOCUMENT ISO 2011 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO
7、s member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2011 All rights reservedBS ISO 28002:2011ISO 28002:2011(E) ISO 2011 All rights re
8、served iiiContents Page Foreword iv Introduction.v 0.1 General .v 0.2 Supply Chain Environment.v 0.3 Process Approachvi 0.4 “Plan-Do-Check-Act” (PDCA) model viii 1 Scope1 2 Normative references2 3 Terms and definitions .2 4 Requirements of Management System containing Resilience Policy .12 4.1 Gener
9、al .12 4.2 Understanding the Organization and its Context 13 4.3 Scope of Resilience Management Policy14 4.4 Provision of Resources for the Resilience Management Policy 14 4.5 Resilience Management Policy 14 4.6 Resilience Policy Statement.14 Annex A (informative) Informative guidance on the incorpo
10、ration of this International Standard into a management standard .16 Annex B (informative) Informative Guidance on the Use of this International Standard 30 Annex C (informative) Terminology Conventions .53 Annex D (informative) Qualifiers to Application 54 Bibliography55 BS ISO 28002:2011ISO 28002:
11、2011(E) iv ISO 2011 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member bod
12、y interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrote
13、chnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by
14、 the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rig
15、hts. ISO shall not be held responsible for identifying any or all such patent rights. ISO 28002 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration with other relevant technical committees responsible for specific nodes of the supply chain. This first edition
16、cancels and replaces ISO/PAS 28002:2010. BS ISO 28002:2011ISO 28002:2011(E) ISO 2011 All rights reserved vIntroduction 0.1 General Organizations across the globe are rapidly developing risk management and resilience programs to address uncertainty in achieving their objectives. There is a strong dem
17、and for standards and best practices, as organizations are seeking assurance that their suppliers and the extended supply chain have planned for, and taken steps to prevent and mitigate the threats and hazards to which they are exposed. To assure resilience in the supply chain, organizations must en
18、gage in a comprehensive and systematic process of prevention, protection, preparedness, mitigation, response, continuity and recovery. The survivability of organizations within a supply chain depends largely on the resilience of their suppliers and customers. As a result, incorporating resilience, a
19、nd improving the resilience of an organization within the supply chain, must be focused both within the organization and externally on its suppliers and customers. During a supply chain disruption it must be emphasized that the exact nature of the disruption will probably not be fully understood at
20、first and may only become fully understood over time. As a result resilience plans and policies developed should stress adaptation and continual evaluation of new information to ensure actions being taken are appropriate. Supply chain disruptions of sufficient magnitude will most likely attract the
21、news media. Failure to properly manage news media relations can negatively impact resiliency response operations, resulting in a loss of stakeholder confidence. This loss of confidence can result in loss of customers, increased demand for information by government or financial organizations, and res
22、trictions imposed by external organizations. This International Standard has applicability in the private, not-for-profit, non-governmental, and public sector environments. It is a management framework for action planning and decision making needed to anticipate, prevent if possible, and prepare for
23、 and respond to a disruptive incident (emergency, crisis, or disaster). When implemented within a management system it enhances an organizations capacity to manage and survive the event, and take all appropriate actions to help ensure the organizations continued viability. Regardless of the organiza
24、tion, its leadership has a duty to stakeholders to plan for its survival. The body of this International Standard provides generic auditable criteria to establish, check, maintain, and improve resilience policy when implemented in a management system to enhance prevention, preparedness (readiness),
25、mitigation, response, continuity, and recovery from disruptive incidents. This International Standard is designed to be integral to ISO 28000. It also might possibly be integrated into other management systems within an organization that follow the Plan-Do-Check-Act model. If third-party independent
26、 certification is chosen, the certification will be applied to the overall management system standard that incorporates this International Standard. The integrated adaptive, proactive, and reactive resilience approach can leverage the perspectives, knowledge, and capabilities of divisions and indivi
27、duals within an organization. Because of the relatively low probability and yet potentially high consequence nature of many natural, intentional, or unintentional threats and hazards that an organization may face, an integrated approach allows an organization to establish priorities that address its
28、 individual needs for risk management within an economically sound context. 0.2 Supply Chain Environment Managing risks in the supply chain requires an understanding of the organizations environment as well as the context of the global environment of the entire supply chain. Each node of the organiz
29、ations supply chain involves a set of risks and management processes of plan, source, make, deliver and return. All of these management processes should be included in an organizations overall resilience policy. With this understanding, an organization will define to which level or tier in their sup
30、ply chain to include their resilience program. BS ISO 28002:2011ISO 28002:2011(E) vi ISO 2011 All rights reservedCustomersSuppliersSuppliersEnvironmentCustomersEnvironmentOrganizations Environment Global Environment(and outsourcemanufacturing)OrganizationCustomer FacingSupplier FacingInternal Facing
31、Figure 1 Resilience Management Policy in the Supply Chain (Source: Supply Chain Council 2007) 0.3 Process Approach The management systems approach encourages organizations to analyse organizational and stakeholder requirements and define processes that contribute to success. A management system can
32、provide the framework for continual improvement to increase the likelihood of enhancing security, preparedness, response, continuity, and resilience. It provides confidence to the organization and its customers that the organization is able to provide a safe and secure environment which fulfils orga
33、nizational and stakeholder requirements. This International Standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organizations resiliency to supply chain disruptions. An organization needs to identify and manage many activ
34、ities in order to function effectively. Any activity using resources and managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often the output from one process directly forms the input to the next process. The application of a system of processes wi
35、thin an organization, together with the identification and interactions of these processes and their management, can be referred to as a “process approach”. Figure 2 depicts the process approach for resilience management in the supply chain presented in this International Standard which encourages i
36、ts users to emphasize the importance of a) understanding an organizations risk, security, preparedness, response, continuity, and recovery requirements, b) establishing a policy and objectives to manage risks, c) implementing and operating controls to manage an organizations risks within the context
37、 of the organizations objectives, BS ISO 28002:2011ISO 28002:2011(E) ISO 2011 All rights reserved viid) monitoring and reviewing the performance and effectiveness of the resilience management policy, and e) continual improvement based on objective measurement. Establish Program and Apply ResourcesDe
38、fine the Supply Chain and Objectives Identify Supply Chain RisksQuantify and Prioritize Risks - GoalsExecute Risk Treatment ProgramsMonitor Supply Chain Environment for RisksContinuous risk monitoringReassessment of management actionsReassessment of risk exposureReassessment of risk sourcesReassessm
39、ent of supply chainReassessment of risk programFigure 2 Process Approach for Resilience Management in the Supply Chain 0.3.1 Establish a Supply Chain Resilience Program and Apply Resources Recognize supply chain risk management as a priority Secure top management support for the program and Secure r
40、esources necessary to execute the program 0.3.2 Define the Supply Chain and Resilience Objectives Define the supply chain scope and map the supply chain Define the objectives of managing risk in the subject supply chain 0.3.3 Identify Supply Chain Risks Comprehensively review the supply chain to ide
41、ntify risks Document identified risks to the extent possible 0.3.4 Quantify and Prioritize Risks Quantify each risk in terms of likelihood of occurrence and potential impact Use the quantification of the risks to prioritize the risks according to defined objectives BS ISO 28002:2011ISO 28002:2011(E)
42、 viii ISO 2011 All rights reserved0.3.5 Execute Risk Treatment Programs Develop risk management actions consistent with each risks priority Define each actions value in terms of reducing the likelihood and impact of the risk Develop and execute an implementation plan for the identified actions 0.3.6
43、 Monitor Supply Chain Environment for Risks Continuously monitor the supply chain environment for risk events or precursors When thresholds are triggered, execute applicable mitigation actions Document results for after action review and program improvement 0.4 “Plan-Do-Check-Act” (PDCA) model This
44、International Standard is designed to be incorporated into a management system that uses the “Plan-Do-Check-Act” (PDCA) model, which in turn will guide the implementation and execution of the resilience management policy processes. Figure 3 illustrates how a management system can incorporate a resil
45、ience management policy that captures the requirements and expectations of the interested parties and through the necessary actions and processes, produce risk management outcomes that meet those requirements and expectations. Figure 3 also illustrates the links in the processes presented in Clause
46、4 of this International Standard. Stakeholders and InterestedPartiesStakeholders and InterestedPartiesResilience and risk managementsystems requirementsand expectationsManaged riskDoDevise a SolutionPlan the nature and scale of its activities, products, and services; and the location where, and the
47、conditions in which, the organization functions. This International Standard provides generic requirements as a framework, applicable to all types of organizations (or parts thereof) regardless of size and function in the supply chain. This International Standard provides guidance for organizations
48、to develop their own specific performance criteria, enabling the BS ISO 28002:2011ISO 28002:2011(E) 2 ISO 2011 All rights reservedorganization to tailor and implement a resilience management policy appropriate to its needs and those of its stakeholders. This International Standard emphasizes resilie
49、nce, the adaptive capacity of an organization in a complex and changing environment, as well as protection of critical supply chain assets and processes. Applying this International Standard positions an organization to more readily prevent, if possible, prepare for, and respond to all manner of intentional, unintentional, and/or naturally-caused disruptive events, which, if unmanaged, could escalate into an emergency, crisis, or disaster. This International Standard covers all phase
