Security management systems for the supply chain—Best practices for implementing supply chain security,assessments and plans—Requirements and guidance
Other information
Drafters: Qin Tingxin, Wang Jingjing, Ye Yaohua, Pan Ying, Bai Yuanlong, Sun Shijun, Song Yuewei, Sun Hongzhi, Zhang Chao, Zeng Yao, Wei Jun, Chen Wei, Zhang Jian, Wang Yong, Wu Wanguang
Drafting units: China National Institute of Standardization, Beijing Urban System Engineering Research Center, Yaotai Logistics Co., Ltd., Fujian Nita Gongchuang Network Technology Co., Ltd., China Quality Certification Center, Jiangsu Huiyuan Supply Chain Managemen
Technical committee: National Public Security Basic Standardization Technical Committee (SAC/TC 351)
Proposing unit: National Public Security Basic Standardization Technical Committee (SAC/TC 351)
Publishing department: State Administration for Market Regulation; Standardization Administration of China
Competent authority: National Public Security Basic Standardization Technical Committee (SAC/TC 351)
Excerpt of the standard:
ICS 03.100.01
National Standard of the People's Republic of China
GB/T 38702-2020/ISO 28001:2007
Security management systems for the supply chain
Best practices for implementing supply chain security, assessments and plans
Requirements and guidance
(ISO 28001:2007, IDT)
Published on March 31, 2020
Effective from September 1, 2020
State Administration for Market Regulation
Standardization Administration of China
Contents
1 Scope
2 Normative references
3 Terms and definitions
4 Application
5 Supply chain security process
Annex A (informative) Supply chain security process
Annex B (informative) Guidelines for the development of security risk assessment methods and countermeasures
Annex C (informative) Obtaining consulting advice and certification
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard is identical to ISO 28001:2007, Security management systems for the supply chain - Best practices for implementing supply chain security, assessments and plans - Requirements and guidance, adopted by the translation method.
This standard was proposed by and is under the jurisdiction of the National Technical Committee for Standardization of Public Security Basics (SAC/TC 351).
Drafting units of this standard: China National Institute of Standardization, Beijing Urban System Engineering Research Center, Yaotai Logistics Co., Ltd., Fujian Youta Gongchuang Network Technology Co., Ltd., China Quality Certification Center, Jiangsu Huiyuan Supply Chain Management Co., Ltd., State Grid Shandong Electric Power Company, Fangyuan Mark Certification Group Co., Ltd., China Network Security Review Technology and Certification Center.
Main drafters of this standard: Qin Tingxin, Wang Jingjing, Ye Yaohua, Pan Ying, Bai Yuanlong, Sun Shijun, Song Yuewei, Sun Hongzhi, Zhang Chao, Zeng Yao, Wei Jun, Chen Wei, Zhang Jian, Wang Yong, Wu Wanguang.
Introduction
Security incidents affecting the international supply chain have threatened international trade and the economies of all trading nations. People, goods, infrastructure and equipment, including means of transport, need to be protected against security incidents and their potentially devastating effects. Such protection benefits the economy and society as a whole.
The international supply chain is highly dynamic and consists of many entities and business partners. This standard recognizes that complexity: organizations can apply its requirements according to their particular business model and their role and function within the international supply chain.
This standard provides organizations with an option for determining and documenting reasonable levels of security within international supply chains and their components, enabling better risk-based decisions about security in those supply chains. It is multimodal and is intended to complement and coordinate with the World Customs Organization (WCO) Framework of Standards to Secure and Facilitate Global Trade (SAFE Framework). It is not intended to cover, replace or supersede the supply chain security programs, certification or verification requirements of any customs administration.
This standard is intended to help organizations establish an appropriate level of security for the portions of the international supply chain they control. It also provides a basis for internal or external auditors, or for government agencies that use international standards as acceptance criteria for supply chain security programs, to confirm or verify an organization's current level of supply chain security. Customers, business partners, government agencies and others may require organizations that claim conformity with this standard to demonstrate it by undergoing an audit or verification.
Government agencies may mutually recognize verifications performed by other government agencies. Where a third party is required to conduct the audit, the organization should consider engaging a certification body accredited by a member of the International Accreditation Forum (IAF) (see Annex C).
This standard is not intended to duplicate governmental requirements and standards regarding supply chain security that are consistent with the WCO SAFE Framework. Organizations that have been certified or verified under such a mutually recognized government program are considered to be in conformity with this standard.
Applying this standard produces the following outputs:
- Statement of coverage: defines the boundaries of the supply chain covered by the security plan;
- Security assessment: documents the vulnerabilities of the supply chain in order to define security threat scenarios, and describes the reasonably expected impact of each potential security threat scenario;
- Security plan: describes the security measures intended to manage the security threat scenarios identified by the security assessment;
- Training program: states how security personnel will be trained to meet the security requirements related to their duties.
To carry out the security assessment needed to develop the security plan, the organization using this standard will:
- identify the threats (security threat scenarios);
- determine how persons could turn each identified security threat scenario into a security incident.
These determinations are made by reviewing the current security status of the supply chain. Based on the findings of that review, professional judgment is used to identify the degree to which the supply chain is exposed to each security threat scenario.
Where the supply chain is judged to be exposed to an unacceptable degree for a given security threat scenario, the organization develops additional procedures or makes operational adjustments to reduce the likelihood of occurrence, the impact, or both. These are called countermeasures. Countermeasures are prioritized and included in the security plan so as to reduce the threat to an acceptable level.
Annexes A and B provide illustrative examples of risk management based on security processes that address personnel, property and the operations of the international supply chain. They can help organizations adopt a macro approach for complex supply chains and/or a more discrete approach for parts of the supply chain. These annexes are also intended to:
- promote the understanding, adoption and implementation of such approaches, which organizations may adapt to their needs;
- provide guidance for continual improvement of basic security management;
- help organizations manage resources to address existing and emerging security risks;
- describe possible methods for performing risk assessment and mitigating security threats in the supply chain (from raw material sourcing through manufacturing and storage to the transport of finished goods to market).
Annex C provides guidance on obtaining advice and certification for organizations that adopt and implement this standard.
1 Scope
This standard provides requirements and guidance for organizations in international supply chains to:
- develop and implement supply chain security processes;
- establish and document the minimum level of security within a supply chain or portion of a supply chain;
- assist in meeting the applicable authorized economic operator (AEO) criteria set out in the World Customs Organization Framework of Standards and in complying with national supply chain security programs.
Note: Only a national customs administration participating in the Framework can designate an organization as an authorized economic operator (AEO), in accordance with its supply chain security program and the related certification and verification requirements.
In addition, this standard identifies certain documentation requirements that would permit verification.
Users of this standard will:
- identify the portion of the international supply chain within which they have established security (see 4.1);
- conduct security assessments on that portion of the supply chain and develop appropriate countermeasures;
- develop and implement a supply chain security plan;
- train security personnel in their security-related duties.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/PAS 20858, Ships and marine technology - Maritime port facility security assessments and security plan development
International Maritime Organization, International Convention for the Safety of Life at Sea (SOLAS), 1974, as amended
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1 appropriate law enforcement and other government officials
Personnel of governments and law enforcement agencies that have specific legal jurisdiction over the international supply chain or portions of it.
3.2 asset(s)
Plant, machinery, property, buildings, vehicles, ships, aircraft, means of transport and other infrastructure, or plant and related systems that have a distinct and quantifiable business function or service.
Note: This definition includes all information systems and security management applications necessary for secure delivery.
3.3 authorized economic operator (AEO)
A party involved in the international movement of goods, in any function, that has been recognized by a national customs administration as complying with the World Customs Organization or equivalent supply chain security standards.
Note 1: "Authorized economic operator" is a term defined in the World Customs Organization Framework of Standards to Secure and Facilitate Global Trade (WCO SAFE Framework).
Note 2: Authorized economic operators include, among others, manufacturers, importers, exporters, customs brokers, carriers, consolidators, intermediaries, ports, airports, terminal operators, integrated operators, warehouse operators and distributors.
3.4 business partner
Contractor, supplier or service provider with which an organization in the supply chain (3.15) contracts to assist it in its function as an organization in the supply chain.
3.5 cargo transport unit
Road freight vehicle, railway freight wagon, freight container, road tank vehicle, railway tank wagon or portable tank.
3.6 consequence
Loss of life, damage to property or economic disruption, including disruption to transport systems, that could reasonably be expected to result from an attack on an organization in the supply chain or from the use of the supply chain as a weapon.
3.7 conveyance
The physical means by which goods are moved from one location to another in international trade.
Examples: crates, pallets, containers, cargo handling equipment, trucks, ships, aircraft and rail cars.
3.8 countermeasure
Action taken to reduce the likelihood that a security threat scenario achieves its objective, or to reduce the possible consequences (3.6) of a security threat scenario.
3.9 custody
The period during which an organization in the supply chain exercises direct control over the manufacturing, processing, handling and transportation of goods within the supply chain, and over the associated shipping information.
3.10 downstream
Handling, processing and movement of goods in the supply chain after they have left the custody of the organization.
3.11 goods
Items or materials that, once a purchase order has been placed, are manufactured, processed, handled or transported within the supply chain for use or consumption by the purchaser.
3.12 international supply chain
Supply chain that at some point crosses an international or economic border.
Note 1: All stages of the supply chain, from the placing of the order until the goods are released from customs control in the country or economy of destination, are considered international.
Note 2: Where a convention or regional agreement exempts goods from customs clearance in a particular country or economy, the international supply chain ends at the port of entry of the importing country or economy. Where no such provision applies, the goods must be declared at the port of entry.
3.13 likelihood
The ease with which a security threat scenario could develop into a security incident.
Note: Likelihood is based on an evaluation of how resistant the existing security process is to the security incident occurring, including examination of the security threat scenario, and may be described qualitatively or quantitatively.
3.14 management system
The structure by which an organization manages its processes or activities so as to transform input resources into products or services that achieve the organization's objectives.
Note: This standard does not specify a particular management system and does not require that a separate security management system be created. ISO 9001 (quality management systems), ISO 14001 (environmental management systems), ISO 28000 (security management systems for the supply chain) and the International Maritime Organization's International Safety Management (ISM) Code are all examples of management systems.
3.15 organization in the supply chain
An entity that performs any of the following activities:
- manufacturing, handling, processing, loading, consolidating, unloading or receiving goods against a purchase order, where those goods at some point cross an international or economic border;
- transporting goods in any manner within an international supply chain, whether or not that particular segment of the supply chain crosses a national or economic border; or
- providing, managing or carrying out the generation, distribution or flow of shipping information used by customs authorities or business administration.
3.16 risk management
The process of making management decisions based on an analysis of potential threats, their consequences and the probability or likelihood of their occurrence.
Note: The risk management process is usually initiated with the goal of optimizing the allocation of the resources the organization needs in order to operate in a particular environment.
3.17 scope of service
One or more functions performed by an organization in the supply chain, wherever they are performed.
3.18 security declaration
Documented commitment by a business partner specifying the security measures it implements, including at least how goods and the physical instruments of international trade and related information are protected, and how the security measures are to be verified and validated.
Note: Organizations in the supply chain use this statement to evaluate the adequacy of the security measures related to the security of goods.
3.19 security plan
Planned arrangements for ensuring that security is adequately managed.
Note 1: A security plan is designed to ensure that measures are in place to protect the organization from security incidents.
Note 2: A security plan may be incorporated into other operational plans.
3.20 security
Resistance to intentional acts designed to cause harm or damage to or through the supply chain.
3.21 security incident
Any action or circumstance that results in a consequence (3.6).
3.22 security personnel
Persons who have relevant security responsibilities within an organization in the supply chain.
Note: These persons may or may not be employees of the organization.
3.23 security sensitive information; security sensitive materials
Information or data generated by or contained in the supply chain security process, including information and data relating to security processes, shipments or government directions, that is not suitable for public release or that could be used by certain persons to create security incidents.
3.24 supply chain
Linked set of resources and processes that, upon placement of a purchase order, begins with the sourcing of raw materials and extends through the manufacturing, processing, handling and delivery of goods and related services to the purchaser.
Note: The supply chain may include vendors, manufacturers, logistics service providers, internal distribution centers, distributors, wholesalers and other entities involved in the manufacturing, processing, handling and delivery of goods and related services.
3.25 target
Persons, means of transport, goods, tangible assets, manufacturing processes, and handling, control or documentation systems within an organization in the supply chain.
3.26 security threat scenario
Circumstance in which a potential security incident may occur.
3.27 upstream
Handling, processing and movement of goods before an organization in the supply chain takes custody of them.
3.28 World Customs Organization (WCO)
Independent intergovernmental body whose mission is to enhance the effectiveness and efficiency of customs administrations.
Note: The WCO is the only global intergovernmental organization dealing with customs matters.
4 Application
4.1 Statement of application
An organization in the supply chain shall describe, in a statement of application, the portion of the international supply chain for which it claims conformity with this standard. The statement of application shall contain at least the following information:
- organization details;
- scope of service;
- names and contact details of all business partners within the defined scope of service;
- date of completion of the security assessment and its period of validity;
- signature of a person authorized to sign on behalf of the organization.
The organization in the supply chain may include other portions of the supply chain, such as the final destination, in its statement of application.
4.2 Business partners
Where the statement of application indicates that the organization in the supply chain works with business partners, the organization shall require those business partners to provide a security declaration, subject to 4.3 and 4.4. The organization shall consider these security declarations when conducting its security assessment and may require specific countermeasures.
4.3 Internationally recognized certificates or approvals
Transport companies and facilities that hold internationally recognized certificates or approvals issued under mandatory international conventions governing security in the various transport sectors have security regulations, plans and processes that meet the applicable requirements of this standard and need not be audited to confirm conformity. For shipping companies, ships and port facilities, the certificate or approval should be issued in accordance with regulation XI-2/4 or XI-2/10 of the International Convention for the Safety of Life at Sea (SOLAS), as applicable.
Even where the conditions of the first paragraph are met, national customs authorities may require such transport companies and facilities to implement additional security measures and specifications, beyond holding an internationally recognized security certificate or approval, as a condition of designation as an authorized economic operator (AEO).
4.4 Business partners exempt from security declaration requirements
A business partner that confirms to the organization that it:
a) has been verified as complying with this standard or ISO/PAS 20858;
b) meets the requirements of 4.3; or
c) has been designated as an authorized economic operator (AEO) under a national customs administration's supply chain security program established in accordance with the World Customs Organization Framework of Standards to Secure and Facilitate Global Trade (WCO SAFE Framework),
shall be listed as such in the statement of application. The organization need not conduct additional security assessments of such business partners or require security declarations from them.
4.5 Security reviews of business partners
Unless a business partner meets the requirements of 4.3 or 4.4, the organization in the supply chain should review the business partner's processes and facilities to confirm the validity of its security declaration. The scope and frequency of such reviews shall be determined by an analysis of the relevant risks. The organization shall retain the results of the reviews.
Note: For ease of reading, the organization claiming conformity, including the supply chain links operated by its business partners, whether or not those partners themselves conform to this standard, is referred to as "the organization" in the following clauses unless otherwise explicitly stated.
5 Supply chain security process
5.1 General
Organizations in the international supply chain that adopt this standard need to manage the security of their portion of the supply chain and establish a management system to support that goal. This standard requires the establishment and implementation of security practices and/or processes that reduce the risk to the international supply chain from activities that could lead to security incidents.
An organization in the supply chain claiming conformity with this standard shall develop a security plan. The security plan shall be based on the outputs of the security assessment, including documentation of existing security measures and procedures, and shall incorporate the countermeasures applicable to the links of the international supply chain covered by its statement of application.
5.2 Identification of the scope of the security assessment
The scope of the security assessment shall include all activities performed by the organization, as described in its statement of application (see 4.1). Assessments shall be conducted regularly and the security plan revised as appropriate. The results of each assessment shall be recorded and retained. The security assessment shall cover the information systems, documents and networks relating to the handling and movement of goods while they are in the organization's custody. The organization shall assess the existing security arrangements (see 4.3 and 4.4) at all of its sites and shall assess business partners with potential security vulnerabilities.
5.3 Conduct of the security assessment
5.3.1 Assessors
The person or team conducting the security assessment shall possess skills and knowledge including, but not limited to, the following:
- assessment techniques applicable to all aspects of the international supply chain, from the time the organization takes custody of the goods until the goods leave its custody or