• BS ISO 28001:2007

    Status: Current

    Security management systems for the supply chain. Best practices for implementing supply chain security, assessments and plans. Requirements and guidance

    Published date:  31-12-2007

    Publisher:  British Standards Institution

    Table of Contents

    Foreword
    Introduction
    1 Scope
    2 Normative references
    3 Terms and definitions
    4 Field of application
      4.1 Statement of application
      4.2 Business partners
      4.3 Internationally accepted certificates or
          approvals
      4.4 Business partners exempt from security
          declaration requirement
      4.5 Security reviews of business partners
    5 Supply chain security process
      5.1 General
      5.2 Identification of the scope of security
          assessment
      5.3 Conduction of the security assessment
      5.4 Development of the supply chain security plan
      5.5 Execution of the supply chain security plan
      5.6 Documentation and monitoring of the supply
          chain security process
      5.7 Actions required after a security incident
      5.8 Protection of the security information
    Annex A (informative) - Supply chain security process
            A.1 General
            A.2 Identification of the scope of the
                 security assessment
            A.3 Conduction of the security assessment
            A.4 Development of the security plan
            A.5 Execution of the security plan
            A.6 Documentation and monitoring of the
                 security process
            A.7 Continual improvement
    Annex B (informative) - Methodology for security risk
                            assessment and development of
                            countermeasures
            B.1 General
            B.2 Step one - Consideration of the security
                 threat scenarios
            B.3 Step two - Classification of consequences
            B.4 Step three - Classification of likelihood
                 of security incidents
            B.5 Step four - Security incident scoring
            B.6 Step five - Development of countermeasures
            B.7 Step six - Implementation of countermeasures
            B.8 Step seven - Evaluation of countermeasures
            B.9 Step eight - Repetition of the process
            B.10 Continuation of the process
    Annex C (informative) - Guidance for obtaining advice
                            and certification
            C.1 General
            C.2 Demonstrating conformance with
                 ISO 28001 by audit
            C.3 Certification of ISO 28001 by third
                 party certification bodies
    Bibliography

    Abstract

    Describes requirements and guidance for organizations in international supply chains to:

    • develop and implement supply chain security processes;

    • establish and document a minimum level of security within a supply chain(s) or segment of a supply chain;

    • assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.

    Scope

    This International Standard provides requirements and guidance for organizations in international supply chains to

    • develop and implement supply chain security processes;

    • establish and document a minimum level of security within a supply chain(s) or segment of a supply chain;

    • assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.

    NOTE Only a participating National Customs Agency can designate organizations as AEOs in accordance with its supply chain security programme and its attendant certification and validation requirements.

    In addition, this International Standard establishes certain documentation requirements that would permit verification.

    Users of this International Standard will

    • define the portion of an international supply chain within which they have established security (see 4.1);

    • conduct security assessments on that portion of the supply chain and develop adequate countermeasures;

    • develop and implement a supply chain security plan;

    • train security personnel in their security related duties.

    General Product Information

    Committee: GW/3
    Development Note: Supersedes DD ISO/PAS 28001. (12/2007) Supersedes 07/30161531 DC. (01/2008)
    Document Type: Standard
    Publisher: British Standards Institution
    Status: Current

    Standards Referencing This Book

    ISO/PAS 17712:2006 Freight containers - Mechanical seals
    ISO 19011:2011 Guidelines for auditing management systems
    ISO/IEC 17021:2011 Conformity assessment - Requirements for bodies providing audit and certification of management systems
    ISO 28003:2007 Security management systems for the supply chain - Requirements for bodies providing audit and certification of supply chain security management systems
    ISO/PAS 20858:2004 Ships and marine technology - Maritime port facility security assessments and security plan development
    ISO 14001:2015 Environmental management systems — Requirements with guidance for use
    ISO 9001:2015 Quality management systems — Requirements
    ISO 28000:2007 Specification for security management systems for the supply chain
    ISO 20858:2007 Ships and marine technology — Maritime port facility security assessments and security plan development