1、August 2015 Translation by DIN-Sprachendienst.English price group 12No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS
2、 03.100.10; 47.020.05!%ED“2342933www.din.deDDIN ISO 28000Specification for security management systems for the supply chain(ISO 28000:2007),English translation of DIN ISO 28000:2015-08Spezifikation fr Sicherheitsmanagementsysteme fr die Lieferkette (ISO 28000:2007),Englische bersetzung von DIN ISO 2
3、8000:2015-08Spcifications pour les systmes de management de la sret pour la chanedapprovisionnement (ISO 28000:2007),Traduction anglaise de DIN ISO 28000:2015-08www.beuth.deDocument comprises 21 pagesIn case of doubt, the German-language original shall be considered authoritative.08.15 A comma is us
4、ed as the decimal marker. Contents Page National foreword. 3 Introduction 4 1 Scope . 6 2 Normative references . 6 3 Terms and definitions. 6 4 Security management system elements 8 4.1 General requirements. 8 4.2 Security management policy . 9 4.3 Security risk assessment and planning . 9 4.4 Imple
5、mentation and operation 12 4.5 Checking and corrective action 15 4.6 Management review and continual improvement . 17 Annex A (informative) Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000 18 Bibliography . 21 DIN ISO 28000:2015-08 2 National foreword This document (ISO 28000:
6、2007) has been prepared by Technical Committee ISO/TC 8 Ships and marine technology“ (Secretariat: SAC, China and DIN, Germany) and has been adopted, unchanged, as DIN ISO 28000:2015-08. The responsible German body involved in its preparation was the DIN-Normenstelle Schiffs- und Meerestechnik (DIN
7、Standards Committee Shipbuilding and Marine Technology), Working Committee NA 132 BR-01 SO Internationale Normung (Sp ISO/TC 8). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. DIN and/or DKE shall not be held responsible for iden
8、tifying any or all such patent rights. Users of the German version of this standard should note the following: Compliance with this standard does not confer to an organization immunity from its legal obligations, even if such compliance has been verified by internal or external audit. In the German
9、translation of this standard, “security” has been translated as Sicherheit (which can also mean “safety”). DIN ISO 28000:2015-08 3 Introduction This International Standard has been developed in response to demand from industry for a security management standard. Its ultimate objective is to improve
10、the security of supply chains. It is a high-level management standard that enables an organization to establish an overall supply chain security management system. It requires the organization to assess the security environment in which it operates and to determine if adequate security measures are
11、in place and if other regulatory requirements already exist with which the organization complies. If security needs are identified by this process, the organization should implement mechanisms and processes to meet these needs. Since supply chains are dynamic in nature, some organizations managing m
12、ultiple supply chains may look to their service providers to meet related governmental or ISO supply chain security standards as a condition of being included in that supply chain in order to simplify security management as illustrated in Figure 1. ISO 28000:Securitymanagement systemsfor the supply
13、chainISO20858:MaritimePortFacilitySecurityAssessmentsandSecurityPlanISO28001:BestPracticesCustodyinSupplyChainSecurityOtherspecificexistingstandardsorthosetobedeveloped.Figure 1 Relationship between ISO 28000 and other relevant standards Specification for security management systems for the supply c
14、hain DIN ISO 28000:2015-08 4 This International Standard is intended to apply in cases where an organizations supply chains are required to be managed in a secure manner. A formal approach to security management can contribute directly to the business capability and credibility of the organization.
15、Compliance with an International Standard does not in itself confer immunity from legal obligations. For organizations that so wish, compliance of the security management system with this International Standard may be verified by an external or internal auditing process. This International Standard
16、is based on the ISO format adopted by ISO 14001:2004 because of its risk based approach to management systems. However, organizations that have adopted a process approach to management systems (e.g. ISO 9001:2000) may be able to use their existing management system as a foundation for a security man
17、agement system as prescribed in this International Standard. It is not the intention of this International Standard to duplicate governmental requirements and standards regarding supply chain security management to which the organization has already been certified or verified compliant. Verification
18、 may be by an acceptable first, second, or third party organization. NOTE This International Standard is based on the methodology known as Plan-Do-Check-Act (PDCA). PDCA can be described as follows. Plan: establish the objectives and processes necessary to deliver results in accordance with the orga
19、nizations security policy. Do: implement the processes. Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results. Act: take actions to continually improve performance of the security management system. DIN ISO 28000:2015-08 5
20、 1 Scope This International Standard specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influ
21、enced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain. This International Standard is applicable to all sizes of organization
22、s, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to: a) establish, implement, maintain and improve a security management system; b) assure conformance with stated security management policy; c) demonstrate
23、 such conformance to others; d) seek certification/registration of its security management system by an Accredited third party Certification Body; or e) make a self-determination and self-declaration of conformance with this International Standard. There are legislative and regulatory codes that add
24、ress some of the requirements in this International Standard. It is not the intention of this International Standard to require duplicative demonstration of conformance. Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply cha
25、in security. 2 Normative references No normative references are cited. This clause is included in order to retain clause numbering similar to other management system standards. 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 facility plant, m
26、achinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service NOTE This definition includes any software code that is critical to the delivery of security and the appli
27、cation of security management. DIN ISO 28000:2015-08 6 3.2 security resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain 3.3 security management systematic and coordinated activities and practices through which an organization optimally manages
28、its risks, and the associated potential threats and impacts therefrom 3.4 security management objective specific outcome or achievement required of security in order to meet the security management policy NOTE It is essential that such outcomes are linked either directly or indirectly to providing t
29、he products, supply or services delivered by the total business to its customers or end users. 3.5 security management policy overall intentions and direction of an organization, related to the security and the framework for the control of security-related processes and activities that are derived f
30、rom and consistent with the organizations policy and regulatory requirements 3.6 security management programmes means by which a security management objective is achieved 3.7 security management target specific level of performance required to achieve a security management objective 3.8 stakeholder
31、person or entity having a vested interest in the organizations performance, success or the impact of its activities NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, or society. 3.9 supply chain
32、 linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport NOTE The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution
33、centers, distributors, wholesalers and other entities that lead to the end user. 3.9.1 downstream refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo leaves the direct operational control of the organization, including but not limited to insuran
34、ce, finance, data management, and the packing, storing and transferring of cargo 3.9.2 upstream refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo comes under the direct operational control of the organization, including but not limited to ins
35、urance, finance, data management, and the packing, storing and transferring of cargo DIN ISO 28000:2015-08 7 3.10 top management person or group of people who directs and controls an organization at the highest level NOTE Top management, especially in a large multinational organization, may not be p
36、ersonally involved as described in this International Standard; however top management accountability through the chain of command shall be manifest. 3.11 continual improvement recurring process of enhancing the security management system in order to achieve improvements in overall security performa
37、nce consistent with the organizations security policy 4 Security management system elements Figure 2 Security management system elements 4.1 General requirements The organization shall establish, document, implement, maintain and continually improve an effective security management system for identi
38、fying security threats, assessing risks and controlling and mitigating their consequences. The organization shall continually improve its effectiveness in accordance with the requirements set out in the whole of Clause 4. The organization shall define the scope of its security management system. Whe
39、re an organization chooses to outsource any process that affects conformity with these requirements, the organization shall ensure that such processes are controlled. The necessary controls and responsibilities of such outsourced processes shall be identified within the security management system. S
40、ecurity management policy Security planningRisk assessment Regulatory requirements Security objectives and targets Security management programme CONTINUALIMPROVEMENT Implementation and operation Responsibilities and competence, Communication Documentation Operational control Emergency preparedness C
41、hecking and corrective actionMeasurement and monitoring System evaluation Non-conformance and corrective and preventive action Records Audit Management review and continual improvement DIN ISO 28000:2015-08 8 4.2 Security management policy The organizations top management shall authorize an overall
42、security management policy. The policy shall: a) be consistent with other organizational policies; b) provide the framework which, enables the specific security management objectives, targets and programmes to be produced; c) be consistent with the organizations overall security threat and risk mana
43、gement framework; d) be appropriate to the threats to the organization and the nature and scale of its operations; e) clearly state the overall/broad security management objectives; f) include a commitment to continual improvement of the security management process; g) include a commitment to comply
44、 with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes; h) be visibly endorsed by top management; i) be documented, implemented and maintained; j) be communicated to all relevant employees and third parties includi
45、ng contractors and visitors with the intent that these persons are made aware of their individual security management-related obligations; k) be available to stakeholders where appropriate; l) provide for its review in case of the acquisition of, or merger with other organizations, or other change t
46、o the business scope of the organization which may affect the continuity or relevance of the security management system. NOTE Organizations may choose to have a detailed security management policy for internal use which would provide sufficient information and direction to drive the security management system (parts of which may be confidential) and have a summarized (non-confidential) version containing the broad objectives for dissemination to its stakeholders and other interested parties. 4.3 Security risk assessment and planning 4.3.1 Security risk assessment The organization shall
