1、BRITISH STANDARDBS ISO 28003:2007Security management systems for the supply chain Requirements for bodies providing audit and certification of supply chain security management systems ICS 03.100.10; 47.020.99g49g50g3g38g50g51g60g44g49g42g3g58g44g55g43g50g56g55g3g37g54g44g3g51g40g53g48g44g54g54g44g50
2、g49g3g40g59g38g40g51g55g3g36g54g3g51g40g53g48g44g55g55g40g39g3g37g60g3g38g50g51g60g53g44g42g43g55g3g47g36g58BS ISO 28003:2007This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2007 BSI 2007ISBN 978 0 580 58090 1National forewordThis
3、British Standard is the UK implementation of ISO 28003:2007. It supersedes DD ISO/PAS 28003:2006 which is withdrawn.The UK participation in its preparation was entrusted to Technical Committee SME/32, Ships and marine technology Steering committee.A list of organizations represented on this committe
4、e can be obtained on request to its secretary.A list of organizations represented on this committee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.Compliance with a
5、 British Standard cannot confer immunity from legal obligations.Amendments issued since publicationAmd. No. Date CommentsReference numberISO 28003:2007(E)INTERNATIONAL STANDARD ISO28003First edition2007-08-01Security management systems for the supply chain Requirements for bodies providing audit and
6、 certification of supply chain security management systems Systmes de management de la sret pour la chane dapprovisionnement Exigences pour les organismes effectuant laudit et la certification des systmes de management de la sret pour la chane dapprovisionnement BS ISO 28003:2007ii iiiContents Page
7、Foreword . iv Introduction . v 1 Scope . 1 2 Normative references . 1 3 Terms and definitions 2 4 Principles for certification bodies . 2 4.1 General . 2 4.2 Impartiality 3 4.3 Competence 4 4.4 Responsibility . 4 4.5 Openness . 4 4.6 Confidentiality . 4 4.7 Resolution of complaints . 4 5 General req
8、uirements 4 5.1 Legal and contractual matters . 4 5.2 Management of impartiality . 5 5.3 Liability and financing 6 6 Structural requirements . 6 6.1 Organizational structure and top management . 6 6.2 Committee for safeguarding impartiality . 7 7 Resource requirements . 8 7.1 Competence of managemen
9、t and personnel . 8 7.2 Personnel involved in the certification activities 8 7.3 Use of external auditors and external technical experts 10 7.4 Personnel records 11 7.5 Outsourcing . 12 8 Information requirements 13 8.1 Publicly accessible information 13 8.2 Certification documents . 13 8.3 Director
10、y of certified clients 14 8.4 Reference to certification and use of marks 14 8.5 Confidentiality . 14 8.6 Information exchange between a certification body and its clients 15 9 Process requirements 16 9.1 General requirements applicable to any audit . 16 9.2 Initial audit and certification 18 9.3 Su
11、rveillance activities 23 9.4 Recertification . 25 9.5 Special audits 27 9.6 Suspending, withdrawing or reducing scope of certification 27 9.7 Appeals 28 9.8 Complaints 28 9.9 Records on applicants and clients . 29 10 Management system requirements for certification bodies 30 10.1 Option 1 Management
12、 system requirements in accordance with ISO 9001 30 10.2 Option 2 General management system requirements . 30 Annex A (informative) Guide for process to determine auditor time . 34 Annex B (normative) Criteria for auditing organizations with multiple sites 36 Annex C (normative) Auditor education, w
13、ork and audit experience and training durations 40 Annex D (normative) Auditor competence requirements . 41 Bibliography . 43 BS ISO 28003:2007iv Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of
14、preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for whom a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental,
15、in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. In the field of conformity assessment, the ISO Committee on conformity assessment (CASCO) is responsible for the deve
16、lopment of International Standards and Guides. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are
17、circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO 28003 was prepared jo
18、intly by the ISO Committee on conformity assessment (ISO/CASCO) and ISO/TC 8, Ships and marine technology. This first edition cancels and replaces ISO/PAS 28003:2006, which has been technically revised. ISO 28003 encompasses the requirements from ISO/IEC 17021, Conformity assessment Requirements for
19、 bodies providing audit and certification of management systems. When assessing security supply chain security management systems, a number of requirements need to be met which go beyond what is required for the assessment and certification of supply chain security management systems covering other
20、operational aspects of organizations. To formulate these additional requirements, ISO/IEC 17021 has been amended or modified where needed. BS ISO 28003:2007vIntroduction This International Standard is intended for use by bodies that carry out audit and certification of supply chain security manageme
21、nt systems. Certification of supply chain security management systems is a third party conformity assessment activity (see clause 5.5 of ISO/IEC 17000:2004). Bodies performing this activity are therefore third party conformity assessment bodies, named certification body/bodies in this International
22、Standard. This wording should not be an obstacle to the use of this International Standard by bodies with other designations that undertake activities covered by the scope of this International Standard. Indeed, this International Standard will be usable by any body involved in the assessment of sup
23、ply chain security management systems. Certification of supply chain security management systems of an organization is one means of providing assurance that the organization has implemented a system for supply chain security management in line with its policy. Certification of supply chain security
24、management systems will be delivered by certification bodies accredited by a recognized body, such as IAF members. This International Standard specifies requirements for certification bodies. Observance of these requirements is intended to ensure that certification bodies operate supply chain securi
25、ty management systems certification in a competent, consistent and reliable manner, thereby facilitating the recognition of such bodies and the acceptance of their certifications on a national and international basis. This International Standard will serve as a foundation for facilitating the recogn
26、ition of supply chain security management systems certification in the interests of international trade. Certification of a supply chain security management system provides independent verification that the supply chain security management system of the organization a) conforms to specified requirem
27、ents; b) is capable of consistently achieving its stated policy and objectives; c) is effectively implemented. Certification of a supply chain security management system thereby provides value to the organization, its customers and interested parties. This International Standard aims at being the ba
28、sis for recognition of the competence of certification bodies in their provision of supply chain security management system certification. This International Standard can be used as the basis for recognition of the competence of certification bodies in their provision of supply chain security manage
29、ment system certification (such recognition may be in the form of notification, peer assessment, or direct recognition by regulatory authorities or industry consortia). Observance of the requirements in this International Standard is intended to ensure that certification bodies operate supply chain
30、security management system certification in a competent, consistent and reliable manner, thereby facilitating the recognition of such bodies and the acceptance of their certifications on a national and international basis. This International Standard will serve as a foundation for facilitating the r
31、ecognition of supply chain security management system certification in the interests of international trade. Certification activities involve the audit of an organizations supply chain security management system. The form of attestation of conformity of an organizations supply chain security managem
32、ent system to a specific standard (for example ISO 28000) or other specified requirements is normally a certification document or a certificate. BS ISO 28003:2007vi It is for the organization being certified to develop its own supply chain security management systems (including ISO 28000 supply chai
33、n security management system, other sets of specified supply chain security management system requirements, quality systems, environmental supply chain security management systems or occupational health and safety supply chain security management systems) and, other than where relevant legislative r
34、equirements specify to the contrary, it is for the organization to decide how the various components of these are to be arranged. The degree of integration between the various supply chain security management system components will vary from organization to organization. It is therefore appropriate
35、for certification bodies that operate in accordance with this International Standard to take into account the culture and practices of their clients in respect of the integration of their supply chain security management system within the wider organization. BS ISO 28003:20071Security management sys
36、tems for the supply chain Requirements for bodies providing audit and certification of supply chain security management systems 1 Scope This International Standard contains principles and requirements for bodies providing the audit and certification of supply chain security management systems accord
37、ing to management system specifications and standards such as ISO 28000. It defines the minimum requirements of a certification body and its associated auditors, recognizing the unique need for confidentiality when auditing and certifying/registering a client organization. Requirements for supply ch
38、ain security management systems can originate from a number of sources, and this International Standard has been developed to assist in the certification of supply chain security management systems that fulfil the requirements of ISO 28000, Specification for security management systems for the suppl
39、y chain, and other supply chain security management system International Standards. The contents of this International Standard may also be used to support certification of supply chain security management systems that are based on other specified supply chain security management system requirements
40、. This International Standard provides harmonized guidance for the accreditation of certification bodies applying for ISO 28000 (or other specified supply chain security management system requirements) certification/registration; defines the rules applicable for the audit and certification of a supp
41、ly chain security management system complying with the supply chain security management system standards requirements (or other sets of specified supply chain security management system requirements); provides the customers with the necessary information and confidence about the way certification of
42、 their suppliers has been granted. NOTE 1 Certification of a supply chain security management system is sometimes also called registration, and certification bodies are sometimes called registrars. NOTE 2 A certification body can be nongovernmental or governmental (with or without regulatory authori
43、ty). NOTE 3 This International Standard can be used as a criteria document for accreditation or peer assessment or other audit processes. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited app
44、lies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC 17000:2004, Conformity assessment Vocabulary and general principles ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing BS ISO 28003:20072 ISO 2
45、8000:1), Specification for security management systems for the supply chain 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 17000 and the following apply. 3.1 certified client organization whose supply chain security management system has been ce
46、rtified/registered by a qualified third party 3.2 impartiality actual and perceived presence of objectivity NOTE 1 Objectivity means that conflicts of interest do not exist or are resolved so as not to adversely influence subsequent activities of the certification body. NOTE 2 Other terms that are u
47、seful in conveying the element of impartiality are objectivity, independence, freedom from conflict of interests, freedom from bias, lack of prejudice, neutrality, fairness, open-mindedness, even-handedness, detachment and balance. 3.3 management system consultancy and/or associated risk assessments
48、 participation in designing, implementing or maintaining a supply chain security management system and in conducting risk assessments EXAMPLES a) preparing or producing manuals or procedures; b) giving specific advice, instructions or solutions towards the development and implementation of a supply
49、chain security management system; c) conducting internal audits; d) conducting risk assessment and analysis. NOTE Arranging training and participating as a trainer is not considered consultancy, provided that where the course relates to supply chain security management systems or auditing, the course is confined to the provision of generic information that is freely available in the public domain, i.e. the trainer does not provide company-specific solutions. 4 Principles for certification bodies 4.1 General 4.1.1 The principles
