ISO/TS 22318:2015
Societal security - Business continuity management systems - Guidelines for supply chain continuity
ISO/TS 22318:2015 gives guidance on methods for understanding and extending the principles of BCM embodied in ISO 22301 and ISO 22313 to the management of supplier relationships. This Technical Specification is generic and applicable to all organizations (or parts thereof), regardless of type, size and nature of business. It is applicable to the supply of products and services, both internally and externally. The extent of application of this Technical Specification depends on the organization's operating environment and complexity. Supply chain management considers the full range of activities concerned with the provision of supplies or services to an organization as a part of business-as-usual. The scope of this Technical Specification is less broad in that it specifically considers the issues faced by an organization which needs continuity of supply of products and services to protect its business activities or processes, and the continuity strategies for current suppliers within supply chains, which can be used to mitigate the impact of disruption; this is SCCM. Guidance on developing a business continuity plan or business continuity management system is set out in ISO 22301 and ISO 22313.
Sécurité sociétale — Systèmes de management de la continuité en affaires — Lignes directrices pour la continuité de la chaîne d'approvisionnement
Frequently Asked Questions
ISO/TS 22318:2015 is a technical specification published by the International Organization for Standardization (ISO). Its full title is "Societal security - Business continuity management systems - Guidelines for supply chain continuity". Its scope is set out in the abstract above: guidance on extending the BCM principles of ISO 22301 and ISO 22313 to the management of supplier relationships, that is, supply chain continuity management (SCCM).
ISO/TS 22318:2015 is classified under the following ICS (International Classification for Standards) categories: 03.100.01 - Company organization and management in general; 03.100.70 - Management systems. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/TS 22318:2015 has the following relationships with other standards: it has inter-standard links to ISO/TS 22318:2021. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/TS 22318:2015 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
TECHNICAL SPECIFICATION ISO/TS 22318
First edition
2015-09-01
Societal security — Business continuity management systems — Guidelines for supply chain continuity
Sécurité sociétale — Systèmes de management de la continuité en affaires — Lignes directrices pour la continuité de la chaîne d’approvisionnement
© ISO 2015
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO 2015 – All rights reserved
Contents (page)
Foreword ... v
Introduction ... vi
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
3.1 Terms included in ISO 22300 ... 1
3.2 Terms included in ISO 22301 ... 3
3.3 Terms and definitions applicable to this Technical Specification ... 5
4 Why supply chain continuity is important ... 6
4.1 General ... 6
4.2 Describing the supply chain ... 6
4.3 Dynamics of supply chains ... 8
4.3.1 General ... 8
4.3.2 Supplier and contract lifecycle ... 8
4.3.3 Who owns the risk? ... 9
4.4 The essentials for SCCM ... 9
4.5 Benefits of effective SCCM ... 10
4.6 Challenges to effective SCCM ... 10
4.7 Key points of Clause 4: Why supply chain continuity is important ... 11
5 Analysis of the supply chain ... 11
5.1 General ... 11
5.2 Considerations for analysing the supply chain ... 11
5.3 Define the approach ... 12
5.4 Structure of the analysis ... 12
5.5 Conducting the analysis ... 13
5.6 Output of analysis ... 14
5.7 Key points of Clause 5: Analysis of the supply chain ... 14
6 SCCM strategies ... 15
6.1 General ... 15
6.2 Continuity strategy options ... 15
6.2.1 Option 1 — Accept status quo ... 15
6.2.2 Option 2 — Reduce dependency ... 15
6.2.3 Option 3 — Increase resilience ... 15
6.2.4 Option 4 — Work with the supplier ... 16
6.2.5 Option 5 — Ending the relationship ... 16
6.3 Including SCCM capability into a supply contract ... 16
6.4 Ownership of SCCM ... 17
6.5 Key points of Clause 6: Considering options: developing strategies ... 17
7 Managing a disruption in the supply chain ... 17
7.1 General ... 17
7.2 Before an incident happens ... 18
7.3 Incident detection and notification ... 18
7.4 During an incident ... 18
7.5 Return to business as usual ... 19
7.6 Key points of Clause 7: Managing a disruption in the supply chain ... 19
8 Performance evaluation ... 19
8.1 General ... 19
8.2 Engaging with suppliers ... 20
8.3 Implementing an SCCM performance evaluation programme ... 20
8.4 Maintaining the analysis ... 20
8.5 Outcomes of performance evaluation ... 21
8.6 Key points of Clause 8: Performance management ... 21
Bibliography ... 22
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/TC 292, Security and resilience.
Introduction
This Technical Specification expands the business continuity guidance on establishing appropriate
levels of continuity management within an organization’s supply chain given in ISO 22301 and
ISO 22313. It assumes that the organization seeking to establish supply chain continuity management
(SCCM) is aware of the principles of business continuity management and has established, or intends
to implement, a business continuity management system (BCMS) broadly aligned to the established
standards. It also considers the implications to the organization of suppliers of products or services
that do not have adequate continuity arrangements in place.
This Technical Specification will be useful to those who buy, manage or are responsible for a product
or service that is necessary for the organization to produce its own products or services and will assist
them to apply good BCM practice in line with established standards.
Organizations rely on suppliers to deliver products or services on time and to agreed quality or
standards. It is important for an organization, as part of its wider approach to business continuity
management, to recognize the potential impact to its activities of disruption within its supply chain.
Failure by a supplier to deliver a product or service on time and to an agreed quality and cost may trigger
a business disruption event. Conflicting objectives must be managed between reducing supply chain
cost, for example, by reducing cycle times and buffer stock, and managing the supply chain continuity
risk arising from single-source and just-in-time supply approaches.
This Technical Specification is relevant to both the supply of products and services from external
suppliers and internal relationships within divisions of the same organization, under any type of
continuing supplier relationship. It also has applicability to single one-time sourcing arrangements
where failure to deliver could impact the future of the organization.
Suppliers are classified according to their criticality considering the impact on the organization of a
disruption to the supplied products or services and the “supplier tier”, which defines that supplier’s
relationship with the organization. A Tier 1 supplier has a direct contractual relationship with the
organization, while a Tier 2 supplier provides products and services to a Tier 1 supplier. The same
supply chain continuity considerations apply to relationships between tiers. Tier 1 suppliers would be
responsible for assuring their own supply chain relationships, recognizing that the customer may need
visibility of these relationships both to ensure there is adequate resilience in the supply chain beyond
Tier 1 and to take account of factors such as corporate social responsibility which may require visibility
of further tiers.
The guidance given in this Technical Specification also has relevance to the supplier both so that it
can prepare to meet the business continuity expectations of its customers and also to consider
vulnerabilities which might arise from dependence on a single customer.
This Technical Specification recognizes that suppliers may also comply with the requirements of the
ISO 28000 series of standards for security management within the supply chain. Conformance with
these standards will give organizations further confidence in the resilience of their supply chain and
potentially reduces the risk of disruption when buying goods or services.
The text is aligned with the elements of business continuity management (see Figure 1).
Figure 1 — Elements of business continuity management (BCM) (Source: ISO 22313:2012,
Figure 5)
Table 1 — Elements of business continuity management and relevant Clause in this Technical Specification

BCMS element                                              | ISO/TS 22318 Clause
Operational planning and control                          | Clause 4
Business impact analysis and risk assessment              | Clause 5
Business continuity strategy                              | Clause 6
Establish and implement business continuity procedures    | Clause 7
Exercising and testing                                    | Clause 8
TECHNICAL SPECIFICATION ISO/TS 22318:2015(E)
Societal security — Business continuity management
systems — Guidelines for supply chain continuity
1 Scope
This Technical Specification gives guidance on methods for understanding and extending the principles
of BCM embodied in ISO 22301 and ISO 22313 to the management of supplier relationships. This
Technical Specification is generic and applicable to all organizations (or parts thereof), regardless of
type, size and nature of business. It is applicable to the supply of products and services, both internally
and externally. The extent of application of this Technical Specification depends on the organization’s
operating environment and complexity.
Supply chain management considers the full range of activities concerned with the provision of supplies
or services to an organization as a part of business-as-usual. The scope of this Technical Specification
is less broad in that it specifically considers the issues faced by an organization which needs continuity
of supply of products and services to protect its business activities or processes, and the continuity
strategies for current suppliers within supply chains, which can be used to mitigate the impact of
disruption; this is SCCM.
Guidance on developing a business continuity plan or business continuity management system is set
out in ISO 22301 and ISO 22313.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Societal security — Terminology
ISO 22301, Societal security — Business continuity management systems — Requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301, and the
following apply.
NOTE All terms and definitions contained in ISO 22300 are available on the ISO Online Browsing Platform:
www.iso.org/obp.
3.1 Terms included in ISO 22300
3.1.1
business continuity
capability of the organization to continue delivery of products or services at acceptable predefined
levels following disruptive incident
[SOURCE: ISO 22300:2012, 2.1.10]
3.1.2
business impact analysis
process of analysing activities and the effect that the business disruption might have upon them
[SOURCE: ISO 22300:2012, 2.2.6]
3.1.3
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
Note 4 to entry: An event without consequences can also be referred to as a “near miss”, “incident”, “near hit” or
“close call”.
[SOURCE: ISO 22300:2012, 2.1.8]
3.1.4
exercise
process to train for, assess, practice, and improve performance in an organization
Note 1 to entry: Exercises can be used for validating policies, plans, procedures, training, equipment, and
interorganizational agreements, clarifying and training personnel in roles and responsibilities, improving
interorganizational coordination and communications, identifying gaps in resources, improving individual
performance and identifying opportunities for improvement, and a controlled opportunity to practice
improvisation.
Note 2 to entry: A test is a unique and particular type of exercise, which incorporates an expectation of a pass or
fail element within the goal or objectives of the exercise being planned.
[SOURCE: ISO 22300:2012, 2.4.8]
3.1.5
incident
situation that might be, or could lead to, a disruption, loss, emergency or crisis
[SOURCE: ISO 22300:2012, 2.1.15]
3.1.6
mutual aid agreement
pre-arranged understanding between two or more entities to render assistance to each other
[SOURCE: ISO 22300:2012, 2.2.13]
3.1.7
prioritized activities
activities to which priority must be given following an incident in order to mitigate impacts
Note 1 to entry: Terms in common use to describe activities within this group include critical, essential, vital,
urgent and key.
[SOURCE: ISO 22300:2012, 2.3.5]
3.1.8
risk
effect of uncertainty on objectives
Note 1 to entry: An effect is a deviation from the expected: positive and/or negative.
Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental
goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3 to entry: Risk is often characterized by reference to potential events and consequences, or a
combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood of occurrence.
Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
[SOURCE: ISO 22300:2012, 2.1.5]
3.1.9
top management
person or group of people that directs and controls an organization at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: An organization can, for this purpose, be identified by reference to the scope of the implementation
of a management system.
[SOURCE: ISO 22300:2012, 2.2.4]
3.2 Terms included in ISO 22301
3.2.1
activity
process or set of processes undertaken by an organization (or on its behalf) that produces or supports
one or more products and services
EXAMPLE Such processes include accounts, call centre, IT, manufacture, distribution.
[SOURCE: ISO 22301:2012, 3.1]
3.2.2
business continuity management
holistic management process that identifies potential threats to an organization and the impacts to
business operations those threats, if realized, might cause, and which provides a framework for building
organizational resilience with the capability of an effective response that safeguards the interests of its
key stakeholders, reputation, brand and value-creating activities
[SOURCE: ISO 22301:2012, 3.4]
3.2.3
business continuity management system
BCMS
part of the overall management system that establishes, implements, operates, monitors, reviews,
maintains and improves business continuity
Note 1 to entry: The management system includes organizational structure, policies, planning activities,
responsibilities, procedures, processes and resources.
[SOURCE: ISO 22301:2012, 3.5]
3.2.4
business continuity plan
documented procedures that guide organizations to respond, recover, resume, and restore to a pre-
defined level of operation following disruption
Note 1 to entry: Typically, this covers resources, services and activities required to ensure the continuity of
critical business functions.
[SOURCE: ISO 22301:2012, 3.6]
3.2.5
business continuity programme
ongoing management and governance process supported by top management and appropriately
resourced to implement and maintain business continuity management
[SOURCE: ISO 22301:2012, 3.7]
3.2.6
interested party
stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
Note 1 to entry: This can be an individual or group that has an interest in any decision or activity of an
organization.
[SOURCE: ISO 22301:2012, 3.21]
3.2.7
minimum business continuity objective
MBCO
minimum level of services and/or products that is acceptable to the organization to achieve its business
objectives during a disruption
[SOURCE: ISO 22301:2012, 3.28]
3.2.8
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: For organizations with more than one operating unit, a single operating unit can be defined as an
organization.
[SOURCE: ISO 22301:2012, 3.33]
3.2.9
outsource
make an arrangement where an external organization performs part of an organization’s function or
process
Note 1 to entry: An external organization is outside the scope of the management system, although the outsourced
function or process is within the scope.
[SOURCE: ISO 22301:2012, 3.34]
3.2.10
products and services
beneficial outcomes provided by an organization to its customers, recipients and interested parties, e.g.
manufactured items, car insurance and community nursing
[SOURCE: ISO 22301:2012, 3.41]
3.2.11
recovery time objective
RTO
period of time following an incident within which
— product or service must be resumed,
— activity must be resumed, or
— resources must be recovered
Note 1 to entry: For products, services and activities, the recovery time objective must be less than the time it
would take for the adverse impacts that would arise as a result of not providing a product/service or performing
an activity to become unacceptable.
[SOURCE: ISO 22301:2012, 3.45]
3.2.12
resources
all assets, people, skills, information, technology (including plant and equipment), premises, and
supplies and information (whether electronic or not) that an organization has to have available to use,
when needed, in order to operate and meet its objective
[SOURCE: ISO 22301:2012, 3.47]
3.3 Terms and definitions applicable to this Technical Specification
3.3.1
critical customer
individual or entity, the loss of whose business would threaten the survival of the organization
3.3.2
critical supplier
provider of critical products or services
Note 1 to entry: This includes an “internal supplier”, who is part of the same organization as its customer.
3.3.3
critical products or services
resources obtained from a supplier which, if unavailable, would disrupt the organization’s critical
activities and threaten the survival of the organization
Note 1 to entry: Critical products or services are essential resources to support an organization’s high priority
activities and processes identified in its BIA.
3.3.4
disruption
event, whether anticipated (e.g. a labour strike or hurricane) or unanticipated (e.g. a blackout or
earthquake), which causes an unplanned, negative deviation from the expected delivery of products or
services according to the organization’s objectives
3.3.5
supply chain
network of organizations that are involved, through upstream and downstream linkages, in the
processes and activities that produce value in the form of products and services in the hands of the
ultimate consumer
3.3.6
supply chain continuity management
SCCM
application of business continuity management to a supply chain
Note 1 to entry: BCM should be applied to all the tiers of an organization’s supply chain.
Note 2 to entry: In practice, an organization usually would only apply it to the first tier of their suppliers and
influence critical suppliers to apply SCCM to their suppliers.
3.3.7
Tier 1 supplier
directly supplies products or services to the organization usually through a contractual arrangement
3.3.8
Tier 2 supplier
provides products or services to an organization indirectly and through a Tier 1 supplier
4 Why supply chain continuity is important
4.1 General
This Clause considers the factors which provide the structure within which SCCM is conducted. Supply
chains are becoming increasingly complex, extended (often extending internationally) and frequently
changing, exposing the organization to additional risk of supply chain interruption. As a supply chain is
always subject to potential disruption, SCCM is required.
Usually, the customer-supplier relationship will be governed by contractual agreements, including
service level agreements (SLA) for external outsource arrangements and operational level agreements
(OLA) governing internal service arrangements between the organization and the supplier, but SCCM may
also be applicable to one-time purchases.
4.2 Describing the supply chain
A broad view of a supply chain includes both the manufacturing and distribution of products and
services, outsourcing and off-shoring. It is applicable to organizations of all types and sizes. Figure 2
illustrates a simple supply chain model.
Figure 2 — Supply chain model
[Figure: diagram showing, from left to right, Tier 2 and beyond suppliers (Suppliers B, C and D), Tier 1 suppliers (external Supplier A and an internal relationship), the Organization, and the Customer, linked by inbound and outbound logistics.]
NOTE 1 Real supply chains will be more complex.
NOTE 2 External Supplier A could provide products or be an outsourced service.
NOTE 3 Internal suppliers include any relationship where the organization buys services or facilities from
within its wider business group.
A supply chain exists where product or service delivery depends on inputs that are not under the direct
management or control of the operating unit (the organization). It includes both internal and external
supply relationships. The relationships with the various suppliers vary with the degree of flexibility
and the ability of the organization to control the relationship (see Figure 3).
Figure 3 — Supply chain – Flexibility, influence and control
[Figure: a scale running from increasing flexibility to decreasing ability to influence or control, with examples ranging from information, consumables and mobile assets (people, vehicles), through single sources of supply, long term contracts, complex components, raw materials and fixed asset dependencies, to national/international transport and distribution networks, infrastructure and regulation.]
The range of potential customer relationship types includes the following:
— business-to-business (including distributors, wholesalers, etc.);
— business-to-consumer;
— third-party served (customers are served or supplied directly by subcontractors or agents).
The range of potential supplier relationship types includes the following:
— recurring product or service suppliers of components, raw materials, financing, property rental,
essential fixed asset maintenance, etc.;
— one time or infrequent product or service suppliers (providing, for example, new capital equipment);
— outsourced or contracted service or business process suppliers (payroll bureau, IT services, contact
centres, logistics or distribution);
— strategic partners/alliances (franchises, distributors and joint ventures);
— co-operative relationships or interdependencies between suppliers.
Other interested parties, in addition to customers and suppliers, might be involved and impacted by
supply chain interruptions. Interested parties may include local communities such as the community
from which the work force is drawn, informal community network members, trade bodies, contracted
consortium partners, and partial competitors.
The factors upon which supply chain relationships may be based include the following:
— people and personal relationships;
— formal agreements such as contracts, work orders, service level agreements, and operating
level agreements;
— information provided electronically or on paper such as purchase orders and design specifications;
— processes describing workflow, product/service creation and delivery;
— infrastructure such as transportation systems, Internet;
— cultural factors such as business networks, trading relationships;
— environment: political, economic, regulatory, etc.
NOTE This list provides examples only and is not intended to be complete.
4.3 Dynamics of supply chains
4.3.1 General
The supply chain is important to organizations of all types and sizes, particularly as they seek to
reduce costs and enhance efficiency. Through reducing inventory, time and other inefficiencies, goods,
services, information and money can move more efficiently, which in turn means that the impact of an
interruption to the supply chain will be felt more acutely, sooner and more often. An increasing and
significant proportion of costs lie within the supply chain, presenting both a risk and an opportunity.
Poor supply chain management can destroy value and jeopardize brand and reputation.
Supply chains have extended beyond the organization’s direct control, both in terms of geography and
the number and type of suppliers. The drivers for this include the following:
— the global access at relatively low cost provided by the Internet;
— the reduction of international trade barriers and the free movement of capital;
— the availability of educated and relatively low-cost skilled workers;
— the focus by the management of organizations on core, value-adding activities and a trend to
outsource peripheral business processes, such as logistics, distribution, payroll, catering, cleaning,
security and IT, makes organizations more interdependent;
— any global excess of demand over supply resulting in resource constraints where certain supplies,
including some natural resources, are only available in some parts of the world.
As organizations become increasingly interconnected and interdependent and supply chains become
more global in their reach, new vulnerabilities are created, exposure is increased and horizon scanning
to identify changing risk profiles (see Clause 7) becomes more challenging. As supply chains become
more integrated and lean, any event affecting one link may affect other links in the chain. The BIA
should uncover interdependence across a supply chain but may not extend into the supply chain past
Tier 1 (direct) suppliers with whom the organization has contractual relations to those in Tier 2, the
direct suppliers to Tier 1 suppliers, and beyond.
4.3.2 Supplier and contract lifecycle
Suppliers and contracts exist within a lifecycle of supply and service acquisition, operation and
discontinuation (see Figure 4). Entry into a new contract or renewing an existing contract presents
an opportunity for the organization to influence future supplier behaviour through contract and/or
service level changes. Conversely, long term contractual commitments and high supplier switching
costs can shift the balance of power between the organization and its supplier, creating resistance
to changing future supplier behaviour (see Figure 3). Implementing SCCM has to be achieved within
this environment. The analysis of the supply chain (see Clause 5) will help to identify the high priority
relationships and the requirements and opportunities for implementing SCCM.
8 © ISO 2015 – All rights reserved
Figure 4 — Integrating SCCM into the supply chain lifecycle
4.3.3 Who owns the risk?
The organization retains the risk that it might be unable to deliver its products or services to its customers
as a consequence of a disruption in its supply chain, and it is responsible for mitigating this risk by being
prepared to respond to supply chain disruption. Customers hold the organization and not its suppliers
responsible for failure to deliver products or services so an organization’s brand is at risk of damage if
there is a problem within its supply chain.
In extreme cases, a supply chain disruption could adversely affect an industry, market sector or the
wider economy, government and public stakeholders.
4.4 The essentials for SCCM
The following are the essential requirements for effective SCCM:
— top management support for an integrated BCM and SCCM programme;
— to set the priorities and standards required;
— to allocate resources for conduct of the analysis;
— to evaluate the impact of supply chain or individual supplier failure on the organization’s high
priority activities or processes;
— analysis to understand the organization’s supply chain and the risk to the organization arising from
its disruption;
— application of appropriate continuity strategies to each supplier;
— procedures for confirming that suppliers have appropriate continuity measures in place;
— a programme for supplier relationship management;
— a long-term strategy to build a more resilient supply chain.
4.5 Benefits of effective SCCM
Potential benefits of effective SCCM include the following:
— better understanding of the supply chain and potential threats;
— improved supplier relationship management to reduce the impact of supply chain disruption;
— improved response to supply chain disruptions resulting from effective collaboration with suppliers
and customers;
— identification and mitigation of supply chain risks before they happen or before the organization is
impacted;
— improved planning, due diligence, assurance and working relationships with suppliers;
— competitive advantage over competitors who do not have effective SCCM arrangements.
4.6 Challenges to effective SCCM
SCCM presents a number of challenges, including the following:
— scale and complexity, especially in large organizations with thousands of suppliers;
— distance and visibility of suppliers in the supply chain (geographic separation and number of tiers
along the chain);
— persuading suppliers to participate openly and transparently because SCCM adds value to the
relationship;
— inflexible contractual relationships that leave the service open to alteration only infrequently;
— no structured approach describing where to start, how to proceed and how to overcome apathy or
inertia;
— failure to develop the business case and to secure top management commitment and the necessary
resources, including trained people;
— defining and embedding responsibility for SCCM across interested party functions within the
organization and across organizations in the supply chain;
— balancing the expense of supply chain risk reduction and the long term payback with the short-term
financial rewards of lower supply chain capital and operating costs;
— differences in risk tolerance/appetites between individuals, organizations and cultures;
— shortage of organization and supplier resources to implement preferred strategies;
— single and sole source suppliers;
— cultural differences including consideration of diversity issues;
— different regulatory requirements for the organization and the supplier;
— imbalance of power in the supply chain where a small organization is dealing with a larger supplier
with multiple customers;
— obtaining confidence in product or service supply continuity arrangements from suppliers (might a
supplier divert supplies to another customer in times of shortage?);
— difficulty in identifying indirect impacts such as when the loss of one supplier makes another
supplier critical;
— difficulty understanding the full cost of disruption.
4.7 Key points of Clause 4: Why supply chain continuity is important
a) A supply chain exists wherever an organization’s product or service delivery depends on inputs
that are not under its direct management or control.
b) Supply chain continuity is important in an increasingly global, interconnected and fast-moving
world, in which most organizations spend a significant proportion of their total costs via their
supply chains, which are increasingly exposed to new and elevated risks.
c) Disruption to the supply chain can severely impact the ability of an organization to deliver its
priority business processes.
d) Supply chains are frequently composed of a large number of suppliers organized in series (like a
chain) or networks (like a web). These interrelationships and the transactions between them are
dynamic.
e) There are many supply chain stakeholders or interested parties, both within and between
organizations, which need to collaborate effectively during supply chain disruption.
f) The responsibility is on organizations (and not their suppliers) to mitigate their supply chain risk
and respond to supply chain disruptions.
g) An organization shall manage the conflicting objectives of reducing supply chain cost and reducing
supply chain risk.
h) A supplier needs to demonstrate continuity capability following a disruption, to reinstate, within
an acceptable timeframe, the supply of product or service to an organization.
5 Analysis of the supply chain
5.1 General
Consistent analysis of all suppliers allows an organization to understand and assess the risk and
potential impacts of a disruption in the supply chain. The supplier’s criticality to the organization’s
activities and the level of risk to which they are exposed will determine the depth of analysis. Suppliers
are responsible for extending the analysis process to their own supply chains and communicating the
outcomes back to the organization.
5.2 Considerations for analysing the supply chain
The following are to be considered when conducting the analysis:
— the depth of analysis required to provide assurance that dependencies, risks and impacts have been
identified and understood;
— use of a consistent, auditable approach that can be maintained over time;
— the cost/benefit;
— defining the organization’s continuity framework and requirement for sourcing and ongoing
supplier relationship management;
— integration of identified supply chain risks into the organization’s risk management process;
— identification of the legal or regulatory constraints on the suppliers;
— results of the BIA.
5.3 Define the approach
The organization should identify its operational and environmental needs and consider them when
conducting the analysis to ensure consistency across the organization and to create an approach that is
sustainable over time. These should include the following:
— assessing supplier criticality, using a ranked approach. As an example, suppliers may be divided into
two ranks as follows:
— “critical”: suppliers are those whose failure to deliver products or services on time or to quality
or cost would significantly impact the ability of the organization to continue its high priority
activities or processes and whose loss could jeopardize the survival of the organization;
— “non-critical”: suppliers, the loss of whose products or services could be tolerated for a limited
period without adversely impacting the core activities of the organization;
— c
...