BS ISO 28004-2:2014
BSI Standards Publication

Security management systems for the supply chain. Guidelines for the implementation of ISO 28000
Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations

National foreword

This British Standard is the UK implementation of ISO 28004-2:2014. It supersedes PD ISO/PAS 28004-2:2012, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee SME/32, Ships and marine technology - Steering committee.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2014. Published by BSI Standards Limited 2014
ISBN 978 0 580 77200 9
ICS 47.020.99

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 28 February 2014.

INTERNATIONAL STANDARD ISO 28004-2
First edition 2014-02-01
Reference number ISO 28004-2:2014(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2014. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Overview
2.1 Objective
2.2 Background
2.3 ISO 28000, 4.3.1 requirements for security risk assessment
2.4 Risk assessment requirements
3 Supply chain seaport risk areas
3.1 General
3.2 Accidents - Port operations
3.3 Criminal activity risks
3.4 Fire risks
3.5 Stakeholder financial risks
3.6 Labour related risks
3.7 Mechanical/equipment breakdown risks
3.8 Political and governmental risks
3.9 Terrorist risks
3.10 Weather related risks
4 Seaport security plan evaluation criteria and rating process
4.1 General
4.2 Security plan evaluation process and procedures
4.3 Evaluation criteria for assessing conformance
4.4 Use of ISO 20858 security evaluation and assessment procedures
4.5 Security plan assessment rating system
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 8, Ships and marine technology.

This first edition of ISO 28004-2 cancels and replaces ISO/PAS 28004-2:2012. It also incorporates the Amendment ISO 28004-1:2007/DAmd1.

ISO 28004 consists of the following parts, under the general title Security management systems for the supply chain - Guidelines for the implementation of ISO 28000:
- Part 1: General principles
- Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations
- Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses (other than marine ports)
- Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objective

Introduction

This part of ISO 28004 is designed to provide guidance and amplifying information for medium and small seaports desiring to adopt ISO 28000. The amplifying information is designed to enhance, but not alter, the general guidance currently specified in ISO 28004. No alterations to ISO 28004, other than the addition of supplements, will be undertaken.

Relationship with ISO relevant technical standards

There are several established and pending related ISO technical standards that, when coupled with this part of ISO 28004, provide additional guidance and instructions for seaport operators for establishing their security management plans and evaluating the capability of those plans to protect the integrity of the supply chain cargo while under their direct control. These International Standards (ISO 20858, ISO 28001, ISO 28002 and ISO 28003, together with the ISO 28004 series) are referenced in this part of ISO 28004 in order to provide specific guidance steps to operators. The relevance of these International Standards to ISO 28000 is presented in Table 1.

Table 1 - Relevant ISO technical standards

ISO technical standard | Technical description
ISO 28004-1 | Provides guidance to certifying bodies on assessing conformance of an organization with the requirements of ISO 28000
ISO 20858 | Provides a professional interpretation of the IMO ISPS for port facility security and guidance for evaluating the port security management plans and installed operational procedures.
ISO 28001 | Provides security requirements that address the core security requirements of the World Customs Organization (WCO) Authorized Economic Operator Program
ISO 28002 | Provides guidance on establishing a policy to enhance the resilience of an organization's supply chain
ISO 28003 | Provides guidance to certifying bodies on assessing conformance of an organization with the requirements of ISO 28000

1 Scope

This part of ISO 28004 identifies supply chain risk and threat scenarios, procedures for conducting risk/threat assessments, and evaluation criteria for measuring conformance and effectiveness of the documented security plans in accordance with ISO 28000 and the ISO 28004 series implementation guidelines. An output of this effort will be a level of confidence rating system based on the quality of the security management plans and procedures implemented by the seaport to safeguard the security and ensure continuity of operations of the supply chain cargo being processed by the seaport. The rating system will be used as a means of identifying a measurable level of confidence (on a scale of 1 to 5) that the seaport security operations are in conformance with ISO 28000 for protecting the integrity of the supply chain.

2 Overview

2.1 Objective

The objective of this part of ISO 28004 is to provide guidance to medium and small ports that wish to adopt ISO 28000. This guidance provides self-evaluation criteria that could be used by these ports as they implement ISO 28000. While the self-certification criteria will not result in third-party certification, they can be used to determine the capability of the seaport stakeholders' security management plans for safeguarding the integrity of the supply chain in accordance with the security provisions and guidelines specified in ISO 28000 and the ISO 28004 series. The goal is to develop a risk assessment evaluation rating scale metric that can be used to evaluate the capability of the port security management plans to provide uninterrupted security protection and continuous operations for the supply chain cargo being received, stored, and transferred by the seaport. The use of these self-evaluation criteria will enable the user to determine if the seaport has addressed each requirement of ISO 28000 in adequate detail.

2.2 Background

The International Ship and Port Facility Security (ISPS) Code requires that each maritime port facility develop a comprehensive port facility security plan that includes the cargo under their direct control. The port security plan should address those applications, security systems and operations measures designed to protect the personnel, port facilities, ships at berth, cargo, and cargo transport units, including rail and ground within the port facility physical boundaries, from the risks of a security incident (ISO 20858 provides clear guidance on meeting these requirements).

ISO 28000 and the ISO 28004 series have established guidelines for protecting the global supply chain at a very high level, but do not provide enough specific detail to allow a consistent level of implementation covering all of the security provisions and applications for large, medium and smaller seaports that are integral parts of the global supply chain security infrastructure. To ensure long-term and consistent security of the supply chain, each of the stakeholders in this integrated global network needs to be measured and held accountable for contributing to the safety and uninterrupted delivery of goods.

Medium and small seaports are an integral part of the supply chain delivery infrastructure, especially considering that these ports are typically the first entry points for a majority of the goods being shipped and distributed to local and international destinations. These smaller ports are the feeder ports for goods being shipped to the larger mega ports, which consolidate cargo for distribution by long-haul shipment to other mega ports and global destinations. Therefore, it is critical that these medium and small sized seaports implement and maintain proven security provisions that can ensure the protection and continued safe passage of goods being shipped through their port facilities.

While ISO 28000 and the ISO 28004 series provide general overviews of the expected requirements to secure the supply chain, there are limited instructions, measurable requirements and acceptance criteria that would allow an entity to create and implement a security management plan ensuring that the established standards in ISO 28000 were met. Therefore, this part of ISO 28004 is designed to provide the methods, procedures, guidelines and acceptance criteria that will be used for measuring the level of conformance with ISO 28004 security provisions.

2.3 ISO 28000, 4.3.1 requirements for security risk assessment

ISO 28000, 4.3.3 states: "When establishing and reviewing its objectives, an organization shall take into account: a) legal, statutory and other security regulatory requirements". The ISPS Code as adopted by each member state establishes such security risk assessment requirements. Clause 4.3.1 of ISO 28000 therefore requires that the seaport stakeholders and governing organization establish and maintain procedures for the ongoing identification and assessment of security threats, security management-related threats and risks, and the identification and implementation of the necessary management control measures to safeguard the supply chain. The security threat and risk identification, assessment and control methods should, as a minimum, be appropriate to the nature and scale of the seaport operations. This assessment shall consider the likelihood of an event and all of its consequences to the seaport stakeholders, threats to continuity of operations, supply chain security, and disaster recovery. Specifically, the risk assessment should address, at a minimum, the following:

a) Operational threats and risks, including the control of the security, human factors and other activities, which affect the organization's performance, condition or safety.
b) Natural environmental events (storms, floods, high winds, etc.), which may render security measures and equipment ineffective.
c) Factors outside of the organization's control, such as failures in externally supplied equipment and services, changes in local and international security policies and regulations, and political changes affecting seaport ownership and operations.
d) Stakeholder threats and risks such as failure to meet regulatory requirements, financial constraints, or ownership changes that affect port operations and supply chain security.
e) Design, installation, validation and maintenance of security equipment, including installation of new systems and training of staff to operate, repair and maintain them.
f) Failure of critical information, data management and communication systems used to manage and safeguard the supply chain.

The seaport stakeholder organizations responsible for providing security protection for supply chain goods shall ensure that the results of these assessments and the appropriate security controls are in place to safeguard the integri