
DRAFT FOR DEVELOPMENT
DD ISO/PAS 28000:2005

Specification for security management systems for the supply chain

ICS 47.020.99

Licensed Copy: London South Bank University, Tue Dec 12 05:18:03 GMT+00:00 2006, Uncontrolled Copy, (c) BSI

This Draft for Development was published under the authority of the Standards Policy and Strategy Committee on 30 January 2006.

(c) BSI 30 January 2006
ISBN 0 580 47391 0

National foreword

This Draft for Development reproduces verbatim ISO/PAS 28000:2005.

This publication is not to be regarded as a British Standard. It is being issued in the Draft for Development series of publications and is of a provisional nature because it is still under development and, with insufficient data as yet to relate it to experience in the field, it may be subject to significant change. It should be applied on this provisional basis, so that information and experience of its practical application may be obtained.

A PAS is a Technical Specification not fulfilling the requirements for a standard, but made available to the public and established in an organization operating under a given procedure.

Comments arising from the use of this Draft for Development are requested so that UK experience can be reported to the international organization responsible for the Technical Specification. A review of this publication will be initiated not later than 3 years after its publication by the international organization so that a decision can be taken on its status at the end of its 3-year life. Notification of the start of the review period will be made in an announcement in the appropriate issue of Update Standards. According to the replies received by the end of the review period, the responsible BSI Committee will decide whether to support the conversion into an international standard, to extend the life of the Technical Specification for another 3 years or to withdraw it. Comments should be sent in writing to the Secretary of BSI Technical Committee SME/32, Ships and marine technology, at British Standards House, 389 Chiswick High Road, London W4 4AL, giving the document reference and clause number and proposing, where possible, an appropriate revision of the text.

A list of organizations represented on this committee can be obtained on request to its secretary.

Cross-references

The British Standards which implement international publications referred to in this document may be found in the BSI Catalogue under the section entitled “International Standards Correspondence Index”, or by using the “Search” facility of the BSI Electronic Catalogue or of British Standards Online.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a Draft for Development does not of itself confer immunity from legal obligations.

Summary of pages

This document comprises a front cover, an inside front cover, the ISO/PAS title page, pages ii to vi, pages 1 to 16, an inside back cover and a back cover.

The BSI copyright date displayed in this document indicates when the document was last issued.

Amendments issued since publication

Amd. No.    Date    Comments

Reference number ISO/PAS 28000:2005(E)

PUBLICLY AVAILABLE SPECIFICATION ISO/PAS 28000
First edition 2005-11-15

Specification for security management systems for the supply chain

Spécifications pour les systèmes de management de la sûreté pour la chaîne d'approvisionnement

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Security management system elements
4.1 General requirements
4.2 Security management policy
4.3 Security risk assessment and planning
4.4 Implementation and operation
4.5 Checking and corrective action
4.6 Management review and continual improvement
Annex A (informative) Correspondence between ISO/PAS 28000:2005, ISO 14001:2004 and ISO 9001:2000
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

In other circumstances, particularly when there is an urgent market requirement for such documents, a technical committee may decide to publish other types of normative document:

- an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an ISO working group and is accepted for publication if it is approved by more than 50 % of the members of the parent committee casting a vote;
- an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting a vote.

An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an International Standard or be withdrawn.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO/PAS 28000 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration with other relevant technical committees responsible for specific nodes of the supply chain.

Introduction

This Publicly Available Specification has been developed in response to demand from industry for a security management standard. Its ultimate objective is to improve the security of supply chains.

This Publicly Available Specification is a high level management standard that enables an organization to establish an overall supply chain security management system. It requires the organization to assess the security environment in which it operates and to determine if adequate security measures are in place and if other regulatory requirements already exist with which the organization complies. If security needs are identified by this process, the organization should implement mechanisms and processes to meet these needs.

Since supply chains are dynamic in nature, some organizations managing multiple supply chains may look to their service providers to meet related governmental or ISO supply chain security standards as a condition of being included in that supply chain in order to simplify security management, as illustrated in Figure 1.

Figure 1: Relationship between ISO/PAS 28000 and other relevant standards
[Figure not reproduced. Boxes shown: "ISO/PAS 28000: Specification for security management systems for the supply chain"; "Other specific existing standards or those to be developed"; "ISO/PAS 20858: Maritime port facility security assessments and security plan development"; "ISO/PAS 28001: Custody best practices to enhance supply chain security".]

This Publicly Available Specification is intended to apply in cases where an organization's supply chains are required to be managed in a secure manner. A formal approach to security management can contribute directly to the business capability and credibility of the organization.

Compliance with a Publicly Available Specification does not in itself confer immunity from legal obligations.

For organizations that so wish, compliance of the security management system to this Publicly Available Specification may be verified by an external or internal auditing process.

This Publicly Available Specification is based on the ISO format adopted by ISO 14001:2004 because of its risk based approach to management systems. However, organizations that have adopted a process approach to management systems (e.g. ISO 9001:2000) may be able to use their existing management system as a foundation for a security management system as prescribed in this Publicly Available Specification.

It is not the intention of this Publicly Available Specification to duplicate governmental requirements and standards regarding supply chain security management to which the organization has already been certified or verified compliant. Verification may be by an acceptable first, second, or third party organization.

NOTE This Publicly Available Specification is based on the methodology known as Plan-Do-Check-Act (PDCA). PDCA can be described as follows.
Plan: establish the objectives and processes necessary to deliver results in accordance with the organization's security policy.
Do: implement the processes.
Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and report results.
Act: take actions to continually improve performance of the security management system.

Specification for security management systems for the supply chain

1 Scope

This Publicly Available Specification specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. These aspects include, but are not limited to, financing, manufacturing, information management and the facilities for packing, storing and transferring goods between modes of transport and locations. Security management is linked to many other aspects of business management. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

This Publicly Available Specification is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:

a) establish, implement, maintain and improve a security management system;
b) assure compliance with stated security management policy;
c) demonstrate such compliance to others;
d) seek certification/registration of its security management system by an Accredited third party Certification Body; or
e) make a self-determination and self-declaration of compliance with this Publicly Available Specification.

There are legislative and regulatory codes that address some of the requirements in this Publicly Available Specification. It is not the intention of this Publicly Available Specification to require duplicative demonstration of compliance.

Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

2 Normative references

No normative references are cited. This clause is included in order to retain clause numbering similar to other management system standards.

3 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

3.1 facility
plant, machinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant and related systems that have a distinct and quantifiable business function or service
NOTE This definition includes any software code that is critical to the delivery of security and the application of security management.

3.2 security
resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain

3.3 security management
systematic and coordinated activities and practices through which an organization optimally manages its risks, and the associated potential threats and impacts therefrom

3.4 security management objective
specific outcome or achievement required of security in order to meet the security management policy
NOTE It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or services delivered by the total business to its customers or end users.

3.5 security management policy
overall intentions and direction of an organization, related to the security and the framework for the control of security-related processes and activities that are derived from and consistent with the organization's policy and regulatory requirements

3.6 security management programmes
means by which a security management objective is achieved

3.7 security management target
specific level of performance required to achieve a security management objective

3.8 stakeholder
person or entity having a vested interest in the organization's performance, success or the impact of its activities
NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees, contractors, suppliers, labour organizations, or society.

3.9 supply chain
linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end
