ISO/PAS 28003:2006

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Principles for certification bodies
   4.1 General
   4.2 Impartiality
   4.3 Competence
   4.4 Responsibility
   4.5 Openness
   4.6 Confidentiality
   4.7 Resolution of complaints
5 General requirements
   5.1 Legal and contractual matters
   5.2 Management of impartiality
   5.3 Liability and financing
6 Structural requirements
   6.1 Organizational structure and top management
   6.2 Committee for safeguarding impartiality
7 Resource requirements
   7.1 Competence of management and personnel
   7.2 Personnel involved in the certification
        activities
   7.3 Use of external auditors and external technical
        experts
   7.4 Personnel records
   7.5 Outsourcing
   7.6 Auditor Training
   7.7 Examinations
8 Information requirements
   8.1 Publicly accessible information
   8.2 Certification documents
   8.3 Directory of certified clients
   8.4 Reference to certification and use of marks
   8.5 Confidentiality
   8.6 Information exchange between a certification body
        and its clients
9 Process requirements
   9.1 General requirements applicable to any audit
   9.2 Initial audit and certification
   9.3 Surveillance activities
   9.4 Recertification
   9.5 Special audits
   9.6 Suspending, withdrawing or reducing scope of
        certification
   9.7 Appeals
   9.8 Complaints
   9.9 Records on applicants and clients
10 Management system requirements for certification bodies
   10.1 Option 1 - Management system requirements in
                   accordance with ISO 9001
   10.2 Option 2 - General management system requirements
Annex A (informative) Guide for process to determine auditor
                      time
Annex B (normative) Criteria for auditing organizations with
                    multiple sites
Annex C (informative) Auditor Training
Annex D (informative) Auditor training requirements
Bibliography

ISO/PAS 28003:2006 contains principles and requirements for bodies providing the audit and certification of supply chain security management systems according to management system specifications and standards such as ISO/PAS 28000.

It defines the minimum requirements of a certification body and its associated auditors recognizing the unique need for confidentiality when auditing and certifying/registering a client organization.

Requirements for supply chain security management systems can originate from a number of sources, and ISO/PAS 28003:2006 has been developed to assist in the certification of supply chain security management systems that fulfill the requirements of ISO/PAS 28000, Specification for security supply chain security management systems for the supply chain. The contents of ISO/PAS 28003:2006 may also be used to support certification of supply chain security management systems that are based on other sets of specified supply chain security management systems requirements.

ISO/PAS 28003:2006

• provides harmonized guidance for the accreditation of certification bodies applying for ISO/PAS 28000 (or other sets of specified supply chain security management systems requirements) certification/registration;
• defines the rules applicable for the audit and certification of a supply chain security management systems complying with the ISO/PAS 28000 requirements (or other sets of specified supply chain security management systems requirements);
• provides customers with the necessary information and confidence about the way certification of their suppliers has been granted.