1、BSI Standards PublicationBS ISO 28004-4:2014Security managementsystems for the supplychain Guidelines for theimplementation of ISO 28000Part 4: Additional specific guidance onimplementing ISO 28000 if compliance withISO 28001 is a management objectiveBS ISO 28004-4:2014 BRITISH STANDARDNational fore
2、wordThis British Standard is the UK implementation of ISO 28004-4:2014.It supersedes PD ISO/PAS 28004-4:2013 which is withdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee SME/32, Ships and marine technology - Steeringcommittee.A list of organizations represented on t
3、his committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 77202 3ICS 4
4、7.020.99Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 28 February 2014.Amendments issued since publicationDate Text affectedBS ISO 28004-4:2014 ISO 2014Security
5、management systems for the supply chain Guidelines for the implementation of ISO 28000 Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objectiveSystmes de management de la sret pour la chane dapprovisionnement Lignes directrices pour la mis
6、e en application de lISO 28000 Partie 4: Lignes directrices spcifiques supplmentaires concernant la mise en oeuvre de lISO 28000 si la conformit lISO 28001 est un objectif de managementINTERNATIONAL STANDARDISO28004-4First edition2014-02-01Reference numberISO 28004-4:2014(E)BS ISO 28004-4:2014ISO 28
7、004-4:2014(E)ii ISO 2014 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2014All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the inter
8、net or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.is
9、o.orgPublished in SwitzerlandBS ISO 28004-4:2014ISO 28004-4:2014(E) ISO 2014 All rights reserved iiiContents PageForeword ivIntroduction v1 Scope . 12 Normative references 13 General information . 24 Organization of this part of ISO 28004 25 Synergy between the World Customs Organization SAFE Framew
10、ork Authorized Economic Operator requirements . 36 Practical guidance as to where the various requirements of ISO 28001 would plug into ISO 28000 as inputs, processes or outputs . 57 Notes on terminology 6BS ISO 28004-4:2014ISO 28004-4:2014(E)ForewordISO (the International Organization for Standardi
11、zation) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to b
12、e represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used t
13、o develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of t
14、he ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified du
15、ring the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the me
16、aning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/TC 8,
17、 Ships and marine technology.This first edition cancels and replaces ISO/PAS 28004-4:2012. It also incorporates the Amendment ISO 28004-1:2007/DAmd3.ISO 28004 consists of the following parts, under the general title Security management systems for the supply chain Guidelines for the implementation o
18、f ISO 28000: Part 1: General principles Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses (other than marine ports) Part 4: Additional specific guidance on implem
19、enting ISO 28000 if compliance with ISO 28001 is a management objectiveiv ISO 2014 All rights reservedBS ISO 28004-4:2014ISO 28004-4:2014(E)IntroductionThis part of ISO 28004 has been developed to supplement ISO 28004-1. The additional guidance in this part of ISO 28004, while amplifying the general
20、 guidance provided in the main body of ISO 28004-1, does not conflict with the general guidance. While ISO 28000 is less specific than ISO 28001 on certain technical security requirements, they do not conflict. This part of ISO 28004 helps to meet the Authorized Economic Operator security criteria.
21、ISO 2014 All rights reserved vBS ISO 28004-4:2014BS ISO 28004-4:2014Security management systems for the supply chain Guidelines for the implementation of ISO 28000 Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objective1 ScopeThis part of
22、 ISO 28004 provides additional guidance for organizations adopting ISO 28000 that also wish to incorporate the Best Practices identified in ISO 28001 as a management objective on their international supply chains. The Best Practices in ISO 28001 both help organizations establish and document levels
23、of security within an international supply chain and facilitate validation in national Authorized Economic Operator (AEO) programmes that are designed in accordance with the World Customs Organization (WCO) Framework of Standards.This part of ISO 28004 is not designed as a standalone document. The m
24、ain body of ISO 28004-1 provides significant guidance pertaining to required inputs, processes, outputs and other elements required by ISO 28000. This part of ISO 28004 provides additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objective.Some require
25、ments specified in the WCO AEO programme are government functions and are not addressed in the ISO international standards. These include: Demonstrated Compliance with Customs Requirements. Customs are to take into account the demonstrated compliance history of a prospective AEO when considering the
26、 request for AEO status. Satisfactory System for Management of Commercial Records. The AEO is to maintain timely, accurate, complete and verifiable records relating to import and export. Maintenance of verifiable commercial records is an essential element in the security of the international trade s
27、upply chain. Financial Viability. Financial viability of the AEO is an important indicator of an ability to maintain and improve upon measures to secure the supply chain. Consultation, Co-operation and Communication. Customs, other competent authorities and the AEO at all levels international, natio
28、nal and local should consult regularly on matters of mutual interest, including supply chain security and facilitation measures, in a manner which will not jeopardize enforcement activities. The results of this consultation should contribute to Customs development and maintenance of its risk managem
29、ent strategy.2 Normative referencesThe following referenced documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced docume
30、nt (including any amendments) applies.ISO 20858, Ships and marine technology Maritime port facility security assessments and security plan developmentISO 28000, Specification for security management systems for the supply chainINTERNATIONAL STANDARD ISO 28004-4:2014(E) ISO 2014 All rights reserved 1
31、BS ISO 28004-4:2014ISO 28004-4:2014(E)ISO 28001, Security management systems for the supply chain Best practices for implementing supply chain security, assessments and plans Requirements and guidanceISO 28004-1, Security management systems for the supply chain Guidelines for the implementation of I
32、SO 28000 Part 1: General principles3 General informationThe diagram in Figure 1 provides an illustration of how compliance and possible certification to ISO 28000 incorporating the best practices of ISO 28001 complements the requirements of national, regional or economic Authorized Economic Operator
33、 programs and as well as those of certain industry programs and facilitates the validations of such programs. Organizations may also choose to adopt ISO 28000 and ISO 28001 to improve and document supply chain security management without the goal of achieving AEO certification.Figure 1 Complementary
34、 security standards to secure supply chain4 Organization of this part of ISO 28004Clause 5 provides a series of charts showing the synergy between the World Customs Organization SAFE Framework Authorized Economic Operator requirements and the clauses in ISO 28000 and ISO 28001 that address the AEO r
35、equirements.Clause 6 provides practical guidance as to where the various requirements of ISO 28001 would plug into ISO 28000 as inputs, processes or outputs.Clause 7 provides notes, to clarify slight differences in terminology used in ISO 28000 and ISO 28001.2 ISO 2014 All rights reservedBS ISO 2800
36、4-4:2014ISO 28004-4:2014(E)5 Synergy between the World Customs Organization SAFE Framework Author-ized Economic Operator requirementsIn Tables 1 to 9 that follow, the AEO requirement sections are listed first in Bold type. This is followed by a brief summary of that requirement. In the boxes below e
37、ach summary are the clauses of ISO 28000 and ISO 28001 that address those requirements. The majority of the WCO AEO requirements are addressed in Tables 1 to 9 and those defined as government functions in the introduction section of this part of ISO 28004. Please note that National AEO programs may
38、have additional requirements such as specific minimum criteria that may not be fully addressed in ISO 28000 or ISO 28001.Table 1A. Education, Training and AwarenessCustoms and AEOs shall develop mechanisms for the education and training of personnel regarding secu-rity policies, recognition of devia
39、tions from those policies and understanding what actions must be taken in response to security lapsesISO 28000, 4.4.2 (Competence, training and awareness)ISO 28001, 5.3.1 (Assessment personnel)Table 2B. Information Exchange, Access and ConfidentialityCustoms and AEOs, as part of an overall comprehen
40、sive strategy to secure sensitive information, shall develop or enhance the means by which entrusted information is protected against misuse and unauthorized altera-tion.ISO 28000, 4.2 (Security management policy), 4.4.5 (Document and data control), 4.5.4 (Controls of Records)ISO 28001, 5.8 (Protect
41、ion of the security information)Table 3C. Cargo SecurityCustoms and AEOs shall establish and/or bolster measures to ensure that the integrity of cargo is maintained and that access controls are at the highest appropriate level, as well as establishing routine procedures that contribute to the securi
42、ty of cargo.ISO 28000, 4.4.6 (Operational control)ISO 28001, 5.4 (Development of the supply chain security plan)Table 4D. Conveyance SecurityCustoms and AEOs shall jointly work toward the establishment of effective control regimes, where not already provided for by other national or international re
43、gulatory mandate, to ensure that transport conveyances are capable of being effectively secured and maintainedISO 28000, 4.4.6 (Operational control)ISO 28001, 5.4 (Development of the supply chain security plan) ISO 2014 All rights reserved 3BS ISO 28004-4:2014ISO 28004-4:2014(E)Table 5E. Premises Se
44、curityCustoms, after taking into account the views of AEOs and their necessary compliance with mandatory interna-tional standards, shall establish the requirements for the implementation of meaningful Customs-specific secu-rity enhancement protocols that secure buildings, as well as ensure the monit
45、oring and controlling of exterior and interior perimeters.ISO 28000, 4.4.6 (Operational control)ISO 28001, 5.4 (Development of the supply chain security plan)Table 6F. Personnel SecurityCustoms and AEOs shall, based on their authorities and competencies, screen the background of prospective employee
46、s to the extent legally possible. In addition, they shall prohibit unauthorized access to facilities, trans-port conveyances, loading docks and cargo areas that may reasonably affect the security of those areas in the supply chain under their responsibilityISO 28000, 4.4.6 (Operational control)ISO 2
47、8001, 5.4 (Development of the supply chain security plan)Table 7G. Trading Partner SecurityCustoms shall establish AEO requirements and mechanisms whereby the security of the global supply chain can be bolstered through the commitment of trading partners to voluntarily increase their security measur
48、es.ISO 28000, 4.4.6 (Operational control)ISO 28001, 4.1 (Statement of application), 4.2 (Business partners), 4.3 (Internationally accepted certificates or approvals), 4.4 (Business partners exempt from security declaration requirement), 4.5 (Field of Application)Table 8H. Crisis Management and Incid
49、ent RecoveryIn order to minimize the impact of a disaster or terrorist incident, crisis management and recovery procedures should include advance planning and establishment of processes to operate in such extraordinary circum-stances.ISO 28000, 4.5.3 (Security-related failures, incidents, non-conformances and corrective and preventive action), 4.4.6 (Operational control), 4.4.7 (Emergency preparedness, response and security recovery)ISO 28001, 5.7 (Actions required after a security incident)Table 9I. Measurement,
