ISO 28001:2007 pdf download – Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans — Requirements and guidance.
4.4 Business partners exempt from security declaration requirement Those business partners that confirm to the organization that they a) are verified compliant with this International Standard or ISO 20858, b) are covered by 4.3, or c) have been designated as AEOs in accordance with a national customs agency’s supply chain security programme which has been determined to be in accordance with the WCO SAFE Framework, shall be listed on the Statement of Application. However, the organization does not need to conduct additional security assessments for such business partners or require them to provide security declarations. 4.5 Security reviews of business partners Except for business partners covered by 4.3 or 4.4, the organization in the supply chain shall conduct reviews of their business partners’ processes and facilities to ascertain the validity of their declarations of security. The extent and the frequency of these reviews shall be determined through an analysis of the risks involved. The organization shall maintain results of these reviews. NOTE To provide for ease of reading the organization claiming compliance, including those parts of its supply chain operated by business partners, whether compliant with this International Standard or not, is in the ensuing paragraphs referred to as the “organization” unless clarity demands otherwise.
5 Supply chain security process 5.1 General Organizations in international supply chains that have adopted this International Standard are required both to manage security throughout their portion of the supply chain and to have a management system in place in support of that objective. This International Standard requires security practices and/or processes to be established and implemented in order to reduce the risk to the international supply chain from activities that could lead to a security incident. Organizations in the supply chain claiming compliance with this International Standard shall have a security plan based on the output from the security assessment that documents existing security measures and procedures and incorporates countermeasures as applicable for the portion of the international supply chain that they have included in their Statement of Application. 5.2 Identification of the scope of the security assessment The scope of the security assessment shall include all activities performed by the organization as described in its Statement of Application (see 4.1). The assessment shall be periodically performed and the security plan shall be revised as appropriate. The results of the assessment shall be documented and retained. The security assessment shall also cover information systems, documents and networks pertaining to the handling and movement of the goods while in the custody of the organization. Existing security arrangements shall, subject to 4.3 and 4.4, be assessed at all locations and for business partners where there are potential security vulnerabilities.