1、BSI Standards PublicationBS ISO 28004-3:2014Security managementsystems for the supplychain Guidelines for theimplementation of ISO 28000Part 3: Additional specific guidance foradopting ISO 28000 for use by medium andsmall businesses (other than marine ports)BS ISO 28004-3:2014 BRITISH STANDARDNation
2、al forewordThis British Standard is the UK implementation of ISO 28004-3:2014.The UK participation in its preparation was entrusted to TechnicalCommittee SME/32, Ships and marine technology - Steeringcommittee.A list of organizations represented on this committee can beobtained on request to its sec
3、retary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 77201 6ICS 47.020.99Compliance with a British Standard cannot
4、confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 28 February 2014.Amendments issued since publicationDate Text affectedBS ISO 28004-3:2014 ISO 2014Security management systems for the supply chain Guidelines
5、 for the implementation of ISO 28000 Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses (other than marine ports)Systmes de management de la sret pour la chane dapprovisionnement Lignes directrices pour la mise en application de lISO 28000 Partie 3: Li
6、gnes directrices spcifiques supplmentaires concernant la mise en oeuvre de lISO 28000 pour lutilisation dans les petites et moyennes affaires (autres que les ports marins)INTERNATIONAL STANDARDISO28004-3First edition2014-02-01Reference numberISO 28004-3:2014(E)BS ISO 28004-3:2014ISO 28004-3:2014(E)i
7、i ISO 2014 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intr
8、anet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished
9、 in SwitzerlandBS ISO 28004-3:2014ISO 28004-3:2014(E) ISO 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 Additional guidance 14 Documentation 135 Guidance for small and medium-sized businesses obtaining advice and certification .135.1 General 1
10、35.2 Demonstrating conformance with ISO 28000 by audit 135.3 Certification of ISO 28000 by third party certification bodies .14Bibliography .15BS ISO 28004-3:2014ISO 28004-3:2014(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
11、 (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations,
12、governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those intended for its further mai
13、ntenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Att
14、ention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introducti
15、on and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conform
16、ity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/TC 8, Ships and marine technology.This first edition of ISO 28004-3
17、 cancels and replaces ISO/PAS 28004-3:2012.ISO 28004 consists of the following parts, under the general title Security management systems for the supply chain Guidelines for the implementation of ISO 28000: Part 1: General principles Part 2: Guidelines for adopting ISO 28000 for use in medium and sm
18、all seaport operations Part 3: Additional specific guidanceforadopting ISO 28000 for use by medium and small business (other than marine ports) Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objectiveiv ISO 2014 All rights reservedBS ISO 2
19、8004-3:2014ISO 28004-3:2014(E)IntroductionISO 28000:2007 and the guidance contained in ISO 28004, have been developed in response to the need for a recognizable supply chain management system evaluation criteria (validation process) against which their security management systems can be assessed and
20、 certified for determining conformance with ISO 28000 and ISO 28004. The guidance currently contained in ISO 28004 is designed to assist organizations adopting ISO 28000. Because the types of organizations that can use ISO 28000 are vast, the guidance provided in ISO 28004 is general in nature. As a
21、 result, some smaller organizations have had difficulty in defining the scope of measures needed to address each of the requirements established in ISO 28000. Therefore, the purpose of this part of ISO 28004 is to provide guidance and amplifying information that can be used by medium and small busin
22、esses (other than marine ports) to assist them in defining the scope of validation and verification measures needed to comply with the security provisions specified in ISO 28000 and ISO 28004.ISO 28000 requires that stakeholder organizations evaluate the capabilities of their security protection man
23、agement plans and procedures through periodic reviews, testing, post-incident reports, and training exercises to measure the effectiveness of their installed security protection systems and methods. It is critical to the overall continued end-to-end safety of the supply chain that stakeholder organi
24、zations ensure the transportation industry that they have sufficient safeguards in place to protect the integrity of the supply chain while those goods are under their direct control. The failure by one of the stakeholder organizations to protect the supply chain from any one of the global threats a
25、nd operational risks can severely impact the integrity of the system and erode the confidence of those who depend on the secure transportation of their valuable goods.Medium and small businesses stakeholder organizations are an integral part of the supply transportation system and will be required t
26、o conduct these performance capabilities reviews and verify to the transportation industry that they are in conformance with relevant legislation and regulations, industry best practices and conformance with its own security policy and objectives based on the identified threats and risks to their op
27、erations. The information contained in this part of ISO 28004 provides guidance and criteria for evaluating the quality of medium and small businesses (other than marine ports) security management plans developed in accordance with ISO 28000 to protect the integrity of the supply chain. The amplifyi
28、ng information is designed to enhance, but not alter, the general guidance currently specified in ISO 28004. No alterations to ISO 28004, other than the addition of supplements, are made. ISO 2014 All rights reserved vBS ISO 28004-3:2014BS ISO 28004-3:2014Security management systems for the supply c
29、hain Guidelines for the implementation of ISO 28000 Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses (other than marine ports)1 ScopeThis part of ISO 28004 has been developed to supplement ISO 28004-1 by providing additional guidance to medium and sm
30、all businesses (other than marine ports) that wish to adopt ISO 28000. The additional guidance in this part of ISO 28004, while amplifying the general guidance provided in the main body of ISO 28004-1, does not conflict with the general guidance, nor does it amend ISO 28000.2 Normative referencesThe
31、 following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO 28000:2
32、007, Specification for security management systems for the supply chainISO 28004-1:2007, Security management systems for the supply chain Guidelines for the implementation of ISO 28000 Part 1: General principles3 Additional guidanceISO 28000 is designed to be adopted by any size organization interes
33、ted in better securing their supply chain or services they provide to supply chain operators. The main body of ISO 28004 is designed to provide guidance to organizations of any size that wish to adopt ISO 28000. Because ISO 28004 is designed to provide guidance to a wide size range of organizations
34、it may appear more complex than is needed by a smaller sized organization. The purpose of this part of ISO 28004 is to simplify the guidance for use by smaller sized organization. Entities using this part of ISO 28004 for guidance should refer to the main body of ISO 28004 when more information on s
35、pecific issues is needed than is provided in this part of ISO 28004. The guidance provided in this part of ISO 28004 does not amend ISO 28000 or the main body of ISO 28004. Where specific methodologies are discussed in this part of ISO 28004 they are provided for illustrative purposes (to explain wh
36、at needs to be accomplished) and other methodologies could be substituted.Organizations adopting ISO 28000 will need to: specify what their objectives are in regard to providing supply chain security; assess the current state of supply chain security; develop plans that will include existing supply
37、chain processes and procedures, and any additional processes/procedures or systems that have been identified as necessary to meet the stated supply chain security objectives; train personnel as to their duties and responsibilities as defined in the supply chain security plan;INTERNATIONAL STANDARD I
38、SO 28004-3:2014(E) ISO 2014 All rights reserved 1BS ISO 28004-3:2014ISO 28004-3:2014(E) install/maintain any systems or equipment specified in the supply chain security plan; begin execution of the supply chain security plan; monitor performance of the supply chain security plan execution; periodica
39、lly reassess the state of supply chain security to detect changes in conditions including new threats; periodically test the organizations plans (exercises) and investigate any supply chain security incidents; update objectives, plans, and personnel training based on input from performance monitorin
40、g, reassessments, exercises, or investigations.Users of ISO 28004 that have not previously worked with management standards will note the use of the words intent, input, and output that are used in regard to each requirement discussed in this part of ISO 28004. Intent is used as the title of the cla
41、use that explains what the organization needs to accomplish. Input is used as the title of the clause that explains what needs to be analysed or considered. Output is used as the title of the clause that explains what the organizations objectives are or what actions will be taken in regard to that s
42、pecific requirement.Step 1 - Preparatory workPrior to beginning the process of adopting ISO 28000 an organization may wish to consider whether they wish to include all or specific parts of their organization within the supply chain security management system (within the scope of application). The or
43、ganization is not limited in what it should consider in making this decision, however, it may wish to consider some of the following in making this decision: Its corporate objectives. Customer needs or expectations. Government interests, if the management system is being adopted to address a governm
44、ent policy or program. Its familiarity or lack of familiarity with ISO management systems.Within the planned scope of application, the security management system should be extended to all areas and functions related to the supply chain. To help identify what areas and functions may be involved the o
45、rganization may consider but not be limited to the following. Where goods are being manufactured, processed or handled prior to being loaded in a transport unit, palletized, or otherwise prepared for shipment. Where goods prepared for shipment are stored or consolidated prior to transportation. Wher
46、e goods are being transported. Where goods are loaded into or unloaded from a conveyance. Where custody of the goods changes hands. Where documentation or information pertaining to goods being shipped is handled, generated or accessible. Transportation routes and means of conveyance used by the vari
47、ous modes of transportation. Other.Step 2 - Setting Security Management Policy (Clause 4.2 in ISO 28000 and ISO 28004-1)2 ISO 2014 All rights reservedBS ISO 28004-3:2014ISO 28004-3:2014(E)After the scope of applicability has been preliminarily determined the next step will be establish the Security
48、Management Policy. Security Management Policy is very important since the entire supply chain security management system will be built upon it and if certification is sought, the policy will become the criteria upon which all objectives, activities and plans will be evaluated.While it may appear tha
49、t Security Management Policy would be established first and then an assessment of existing conditions would be conducted policy, there is synergy between them as actual initial conditions become known and resource needs are identified.The security management policy should be contained in a statement that has been endorsed by senior management. The policy must be meaningful and clearly state the overall/broad security management objectives of the organization. To be meaningful they should reflect known