BRITISH STANDARD BS ISO 28004:2007

Security management systems for the supply chain - Guidelines for the implementation of ISO 28000

ICS 03.100.10; 47.020.99

Licensed Copy: London South Bank University, London South Bank University, Wed Jan 02 01:59:53 GMT+00:00 2008, Uncontrolled Copy, (c) BSI

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 December 2007. (c) BSI 2007. ISBN 978 0 580 57669 0

National foreword

This British Standard is the UK implementation of ISO 28004:2007. It supersedes DD ISO/PAS 28004:2006, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee SME/32, Ships and marine technology Steering committee. A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a British Standard cannot confer immunity from legal obligations.

Amendments issued since publication (Amd. No. / Date / Comments): none listed.

Reference number ISO 28004:2007(E)

INTERNATIONAL STANDARD ISO 28004, First edition, 2007-10-15

Security management systems for the supply chain - Guidelines for the implementation of ISO 28000

(French title: Systèmes de management de la sûreté pour la chaîne d'approvisionnement - Lignes directrices pour la mise en application de l'ISO 28000)

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Security management system elements
4.1 General requirements
4.2 Security management policy
4.3 Security risk assessment and planning
4.4 Implementation and operation
4.5 Checking and corrective action
4.6 Management review and continual improvement
Annex A (informative) Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000
Bibliography
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 28004 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration with other relevant technical committees responsible for specific nodes of the supply chain.

This first edition of ISO 28004 cancels and replaces ISO/PAS 28004:2006, which has been technically revised.
Introduction

ISO 28000:2007, Specification for security management systems for the supply chain, and this International Standard have been developed in response to the need for a recognizable supply chain management system standard against which organizations' security management systems can be assessed and certified, and for guidance on the implementation of such a standard.

ISO 28000 is compatible with the ISO 9001:2000 (Quality) and ISO 14001:2004 (Environmental) management systems standards. They facilitate the integration of quality, environmental and supply chain management systems by organizations, should they wish to do so.

This International Standard includes a box at the beginning of each clause/subclause, which gives the complete requirements from ISO 28000; this is followed by relevant guidance. The clause numbering of this International Standard is aligned with that of ISO 28000.

This International Standard will be reviewed or amended when considered appropriate. Reviews will be conducted when ISO 28000 is revised.

This International Standard does not purport to include all necessary provisions of a contract between supply chain operators, suppliers and stakeholders. Users are responsible for its correct application. Compliance with this International Standard does not of itself confer immunity from legal obligations.
Security management systems for the supply chain - Guidelines for the implementation of ISO 28000

1 Scope

This International Standard provides generic advice on the application of ISO 28000:2007, Specification for security management systems for the supply chain. It explains the underlying principles of ISO 28000 and describes the intent, typical inputs, processes and typical outputs for each requirement of ISO 28000. This is to aid the understanding and implementation of ISO 28000.

This International Standard does not create additional requirements to those specified in ISO 28000, nor does it prescribe mandatory approaches to the implementation of ISO 28000.

ISO 28000, Clause 1, Scope (boxed text reproduced from ISO 28000):

This International Standard specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. These aspects include, but are not limited to, financing, manufacturing, information management and the facilities for packing, storing and transferring goods between modes of transport and locations. Security management is linked to many other aspects of business management. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

This International Standard is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:

a) establish, implement, maintain and improve a security management system;
b) assure compliance with stated security management policy;
c) demonstrate such compliance to others;
d) seek certification/registration of its security management system by an Accredited third party Certification Body; or
e) make a self-determination and self-declaration of compliance with this International Standard.

There are legislative and regulatory codes that address some of the requirements in this International Standard. It is not the intention of this International Standard to require duplicative demonstration of compliance. Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

2 Normative references

No normative references are cited. This clause is included in order to retain clause numbering similar to ISO 28000.

3 Terms and definitions

ISO 28000, Clause 3, Terms and definitions (boxed text reproduced from ISO 28000):

3.1 facility
plant, machinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service
NOTE This definition includes any software code that is critical to the delivery of security and the application of security management.

3.2 security
resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain

3.3 security management
systematic and coordinated activities and practices through which an organization optimally manages its risks and the associated potential threats and impacts therefrom

3.4 security management objective
specific outcome or achievement required of security in order to meet the security management policy
NOTE It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or services delivered by the total business to its customers or end users.

3.5 security management policy
overall intentions and direction of an organization, related to the security and the framework for the control of security-related processes and activities that are derived from and consistent with the organization's policy and regulatory requirements

3.6 security management programmes
means by which a security management objective is achieved

3.7 security management target
specific level of performance required to achieve a security management objective

3.8 stakeholder
person or entity having a vested interest in the organization's performance, success or the impact of its activities
NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations or society.

3.9 supply chain
linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport
NOTE The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution centres, distributors, wholesalers and other entities that lead to the end user.

3.9.1 downstream
refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo leaves the direct operational control of the organization, including but not limited to insurance, finance, data management and the packing, storing and transferring of cargo

3.9.2 upstream
refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo comes under the direct operational control of the organization, including but not limited to insurance, finance, data management and the packing, storing and transferring of cargo

3.10 top management
person or group of people who directs and controls an organization at the highest level
NOTE Top management, especially in a large multinational organization, may not be personally involved as described in this International Standard; however, top management accountability through the chain of command shall be manifest.

3.11 continual improvement
recurring process of enhancing the security management system in order to achieve improvements in overall security performance consistent with the organization's security policy

For the purposes of this document, the terms and definitions given in ISO 28000 (reproduced above) and the following apply.

3.1 risk
likelihood of a security threat materializing and the consequences

3.2 security cleared
process of verifying the trustworthiness of people who will have access to security sensitive material

3.3 threat
any possible intentional action or series of actions with a damaging potential to any of the stakeholders, the facilities, operations, the supply chain, society, economy or business continuity and integrity
4 Security management system elements

Figure 1 - Elements of successful security management (figure not reproduced; the elements it shows are: security management policy; security planning, comprising risk assessment, regulatory requirements, security objectives and targets, and the security management programme; implementation and operation, comprising responsibilities and competence, communication, documentation, operational control and emergency preparedness; checking and corrective action, comprising measurement and monitoring, system evaluation, non-conformance and corrective and preventive action, records and audit; and management review and continual improvement, linked under the heading CONTINUAL IMPROVEMENT)

4.1 General requirements

a) ISO 28000 requirement

The organization shall establish, document, implement, maintain and continually improve an effective security management system for identifying security threats, assessing risks and controlling and mitigating their consequences.

The organization shall continually improve its effectiveness in accordance with the requirements set out in the whole of Clause 4.

The organization shall define the scope of its security management system.

Where an organization chooses to outsource any process that affects conformity with these requirements, the organization shall ensure that such processes are controlled. The necessary controls and responsibilities of such outsourced processes shall be identified within the security management system.

b) Intent

The organization should establish and maintain a management system that conforms to all of the requirements of ISO 28000. This may assist the organization in meeting security regulations, requirements and laws. The level of detail and complexity of the security management system, the extent of documentation and the resources devoted to it are dependent on the size and complexity of an organization and the nature of its activities.

An organization has the freedom and flexibility to define its boundaries and may choose to implement ISO 28000
49、ionChecking and corrective action Measurement and monitoring System evaluation Non-conformance and corrective and preventive action Records Audit Management review and continual improvement Management review and continual improvement BS ISO 28004:2007 Licensed Copy: London South Bank University, London South Bank University, Wed Jan 02 01:59:53 GMT+00:00 2008, Uncontrolled Copy, (c) BSI 5 An organization has the freedom and flexibility to define its boundaries and may choose to implement ISO 28000