ISO/PAS 28004:2006

PUBLICLY ISO/PAS
AVAILABLE 28004
SPECIFICATION
First edition
2006-09-01

Security management systems for
the supply chain — Guidelines for
the implementation of ISO/PAS 28000
Systèmes de management de la sûreté pour la chaîne
d'approvisionnement — Lignes directrices pour la mise en application
de l'ISO/PAS 28000




Reference number
ISO/PAS 28004:2006(E)
©
ISO 2006

---------------------- Page: 1 ----------------------
ISO/PAS 28004:2006(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


©  ISO 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2006 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/PAS 28004:2006(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 2
3 Terms and definitions. 2
4 Security management system elements . 4
4.1 General requirements. 4
4.2 Security management policy . 5
4.3 Security risk assessment and planning . 9
4.4 Implementation and operation . 21
4.5 Checking and corrective action . 35
4.6 Management review and continual improvement . 50
Annex A (informative) Correspondence between ISO/PAS 28000:2005, ISO 14001:2004 and
ISO 9001:2000. 53
Bibliography . 56

© ISO 2006 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/PAS 28004:2006(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of normative document:
— an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in
an ISO working group and is accepted for publication if it is approved by more than 50 % of the members
of the parent committee casting a vote;
— an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical
committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting
a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a
further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is
confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an
International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/PAS 28004 was prepared by Technical Committee ISO/TC 8, Ships and marine technology.

iv © ISO 2006 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/PAS 28004:2006(E)
Introduction
ISO/PAS 28000:2005, Specification for security management systems for the supply chain and this Publicly
Available Specification have been developed in response to the need for a recognizable supply chain
management system standard against which their security management systems can be assessed and
certified and for guidance on the implementation of such a standard.
ISO/PAS 28000 is compatible with the ISO 9001:2000 (Quality) and ISO 14001:2004 (Environmental)
management systems standards. They facilitate the integration of quality, environmental and supply chain
management systems by organizations, should they wish to do so.
This Publicly Available Specification includes a box at the beginning of each clause/subclause, which gives
the complete requirements from ISO/PAS 28000; this is followed by relevant guidance. The clause numbering
of this Publicly Available Specification is aligned with that of ISO/PAS 28000.
This Publicly Available Specification will be reviewed or amended when considered appropriate. Reviews will
be conducted when ISO/PAS 28000 is revised.
This Publicly Available Specification does not purport to include all necessary provisions of a contract between
supply chain operators, suppliers and stakeholders. Users are responsible for its correct application.
Compliance with this Publicly Available Specification does not of itself confer immunity from legal obligations.

© ISO 2006 – All rights reserved v

---------------------- Page: 5 ----------------------
PUBLICLY AVAILABLE SPECIFICATION ISO/PAS 28004:2006(E)

Security management systems for the supply chain —
Guidelines for the implementation of ISO/PAS 28000
1 Scope
This Publicly Available Specification provides generic advice on the application of ISO/PAS 28000:2005,
Specification for security management systems for the supply chain.
It explains the underlying principles of ISO/PAS 28000 and describes the intent, typical inputs, processes and
typical outputs, for each requirement of ISO/PAS 28000. This is to aid the understanding and implementation of
ISO/PAS 28000.
This Publicly Available Specification does not create additional requirements to those specified in
ISO/PAS 28000, nor does it prescribe mandatory approaches to the implementation of ISO/PAS 28000.
ISO/PAS 28000
1 Scope
This Publicly Available Specification specifies the requirements for a security management system, including
those aspects critical to security assurance of the supply chain. These aspects include, but are not limited to,
financing, manufacturing, information management and the facilities for packing, storing and transferring
goods between modes of transport and locations. Security management is linked to many other aspects of
business management. These other aspects should be considered directly, where and when they have an
impact on security management, including transporting these goods along the supply chain.
This Publicly Available Specification is applicable to all sizes of organizations, from small to multinational, in
manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
a) establish, implement, maintain and improve a security management system;
b) assure compliance with stated security management policy;
c) demonstrate such compliance to others;
d) seek certification/registration of its security management system by an Accredited third party
Certification Body; or
e) make a self-determination and self-declaration of compliance with this Publicly Available Specification.
There are legislative and regulatory codes that address some of the requirements in this Publicly Available
Specification. It is not the intention of this Publicly Available Specification to require duplicative demonstration
of compliance.
Organizations that choose third party certification can further demonstrate that they are contributing
significantly to supply chain security.
© ISO 2006 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/PAS 28004:2006(E)
2 Normative references
No normative references are cited. This clause is included in order to retain clause numbering similar to
ISO/PAS 28000.
3 Terms and definitions
ISO/PAS 28000
3 Terms and definitions
3.1
facility
plant, machinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant
and related systems that have a distinct and quantifiable business function or service
NOTE This definition includes any software code that is critical to the delivery of security and the application of
security management.
3.2
security
resistance to intentional, unauthorized act(s) designed to cause harm or damage to or by, the supply chain
3.3
security management
systematic and coordinated activities and practices through which an organization optimally manages its
risks and the associated potential threats and impacts there from
3.4
security management objective
specific outcome or achievement required of security in order to meet the security management policy
NOTE It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or
services delivered by the total business to its customers or end users.
3.5
security management policy
overall intentions and direction of an organization, related to the security and the framework for the control of
security-related processes and activities that are derived from and consistent with the organization’s policy
and regulatory requirements
3.6
security management programmes
the means by which a security management objective is achieved
3.7
security management target
specific level of performance required to achieve a security management objective
3.8
stakeholder
person or entity having a vested interest in the organization’s performance, success or the impact of its
activities
NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees,
contractors, suppliers, labour organizations or society.

2 © ISO 2006 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/PAS 28004:2006(E)
3.9
supply chain
linked set of resources and processes that begins with the sourcing of raw material and extends through the
delivery of products or services to the end user across the modes of transport
NOTE The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution
centres, distributors, wholesalers and other entities that lead to the end user.
3.9.1
downstream
refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo
leaves the direct operational control of the organization, including but not limited to insurance, finance, data
management and the packing, storing and transferring of cargo
3.9.2
upstream
refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo
comes under the direct operational control of the organization. Including but not limited to insurance, finance,
data management and the packing, storing and transferring of cargo
3.10
top management
person or group of people who directs and controls an organization at the highest level
NOTE Top management, especially in a large multinational organization, may not be personally involved as described
in the Specification; however top management accountability through the chain of command shall be manifest.
3.11
continual improvement
recurring process of enhancing the security management system in order to achieve improvements in over
security performance consistent with the organization’s security policy
For the purposes of this document, the terms and definitions given in ISO/PAS 28000 and the following apply.
3.1
risk
likelihood of a security threat materializing and the consequences
3.2
security cleared
process of verifying the trustworthiness of people who will have access to security sensitive material
3.3
threat
any possible intentional action or series of actions with a damaging potential to any of the stakeholders, the
facilities, operations, the supply chain, society, economy or business continuity and integrity
© ISO 2006 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/PAS 28004:2006(E)
4 Security management system elements
ReReReReRevivivivivieeeeewwwww
Management
PolicyPolicyPolicyPolicyPolicyPolicy
& Strategy& Strategy& Strategy
Review
4.64.64.64.64.6
4.24.24.24.24.24.2
4.6
SecuritSecuritSecurityyy
ManagementManagementManagement
Security risk
CCCCCheckheckheckheckheckiiiiingngngngng & & & & &
Checking & SySySysssttteeemmm AAASecSecMMM Info, ri Info, ri Info, riuurirityty ris risskskskkk
assessment &
corcorcorcorcorrrrrreeeeectivctivctivctivctive ae ae ae ae accccctititititiononononon
aaaaassssssesesesesessssssssssmmmmmeeeeennnnnttttt
Corrective Ac4.54.54.54.54.5tion
planning
& plan& plan& plan& plan& planninninninninninggggg
4.34.34.34.34.3
4.5 4.3
ImplImplImplemeemeemennntattattatiiiononon
& operat& operat& operationionion
4.44.44.4

Figure 1 — Elements of successful security management
4.1 General requirements
a) ISO/PAS 28000 requirement
The organization shall establish, document, implement, maintain and continually improve an effective
security management system for identifying security risks and controlling and mitigating their consequences.
The organization shall continually improve its effectiveness in accordance with the requirements set out in
the whole of Clause 4.
The organization shall define the scope of its security management system. Where an organization chooses
to outsource any process that affects conformity with these requirements, the organization shall ensure that
such processes are controlled. The necessary controls and responsibilities of such outsourced processes
shall be identified within the security management system.
b) Intent
The organization should establish and maintain a management system that conforms to all of the requirements
of ISO/PAS 28000. This may assist the organization in meeting security regulations, requirements and laws.
The level of detail and complexity of the security management system, the extent of documentation and the
resources devoted to it are dependent on the size and complexity of an organization and the nature of its
activities.
An organization has the freedom and flexibility to define its boundaries and may choose to implement
ISO/PAS 28000 with respect to the entire organization or to specific operating units or activities of the
organization.
4 © ISO 2006 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/PAS 28004:2006(E)
Caution should be taken when defining the boundaries and scope of the management system. Organizations
should not attempt to limit their scope so as to exclude from assessment, an operation or activity required for
the overall operation of the organization or those that can impact on the security of its employees and other
interested parties.
If ISO/PAS 28000 is implemented for a specific operating unit or activity, the security policies and procedures
developed by other parts of the organization may be able to be used by the specific operating unit or activity to
assist in meeting the requirements of ISO/PAS 28000. This may require that these security policies or
procedures are subject to minor revision or amendment, to ensure that they are applicable to the specific
operating unit or activity.
c) Typical input
All input requirements are specified in ISO/PAS 28000.
d) Typical output
A typical output is an effectively implemented and maintained security management system that assists the
organization in continually seeking for improvements.
4.2 Security management policy

Figure 2 — Security management policy
© ISO 2006 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/PAS 28004:2006(E)
a) ISO/PAS 28000 requirement
The organization’s top management shall authorize an overall security management policy.
The policy shall:
a) be consistent with other organizational policies;
b) provide the framework which, enables the specific security management objectives, targets and
programmes to be produced;
c) be consistent with the organization’s overall security threat and risk management framework;
d) be appropriate to the threats to the organization and the nature and scale of its operations;
e) clearly state the overall/broad security management objectives;
f) include a commitment to continual improvement of the security management process;
g) include a commitment to comply with current applicable legislation, regulatory and statutory
requirements and with other requirements to which the organization subscribes;
h) be visibly endorsed by top management;
i) be documented, implemented and maintained;
j) be communicated to all relevant employees and third parties including contractors and visitors with the
intent that these persons are made aware of their individual security management-related obligations;
k) be available to stakeholders where appropriate;
l) provide for its review in case of the acquisition of or merger with other organizations or other change to
the business scope of the organization which may affect the continuity or relevance of the security
management system.
NOTE Organizations may choose to have a detailed security management policy for internal use which would
provide sufficient information and direction to drive the security management system (parts of which may be confidential)
and have a summarized (non-confidential) version containing the broad objectives for dissemination to its stakeholders
and other interested parties.
b) Intent
A security policy is a concise statement of top management’s commitment to security. A security policy
establishes an overall sense of direction and sets the principles of action for an organization. It sets security
objectives for security responsibility and performance required throughout the organization.
A documented security policy should be produced and authorized by the organization's top management.
c) Typical inputs
In establishing the security policy, management should consider the following items, especially in relation to its
supply chain:
• policy and objectives relevant to the organization's business as a whole;
• historical and current security performance by the organization;
6 © ISO 2006 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/PAS 28004:2006(E)
• needs of stakeholders;
• opportunities and needs for continual improvement;
• resources needed;
• contributions of employees;
• contributions of contractors, stakeholders and other external personnel.
d) Process
When establishing and authorizing a security policy, top management should take into account the points
listed below.
An effectively formulated and communicated security policy should:
1) be appropriate to the nature and scale of the organization’s security risks;
Threat identification, risk assessment and risk management are at the heart of a successful security
management system and should be reflected in the organization’s security policy.
The security policy should be consistent with a vision of the organization’s future. It should be realistic
and should neither overstate the nature of the risks the organization faces, nor trivialize them.
2) include a commitment to continual improvement;
Global security threats increase the pressure on organizations to reduce the risk of incidents in the supply
chain. In addition to meeting legal, national and regulatory responsibilities, and other regulations and
guidance prepared by organizations such as the World Customs Organization (WCO), the organization
should aim to improve its security performance and its security management system, effectively and
efficiently, to meet the needs of changing global trade, business and regulatory needs.
Planned performance improvement should be expressed in the security objectives (see 4.3.2) and
managed through the security management programme (see 4.3.5) although the security policy
statement may include broad areas for action.
3) include a commitment to at least conform to current applicable security regulations and with other
requirements to which the organization subscribes;
Organizations are required to conform to applicable security regulatory requirements. The security policy
commitment is a public acknowledgement by the organization that it has a duty to conform to, if not
exceed, any legislation, or other requirements, either legally mandated or adopted voluntarily subscribed
to, such as the WCO Framework of Standards.
NOTE “Other requirements” can mean, for example, corporate or group policies, the organization's own internal
standards or specifications or codes of practice to which the organization subscribes.
4) be documented, implemented and maintained;
Planning and preparation are the key to successful implementation. Often, security policy statements and
security objectives are unrealistic because there are inadequate or inappropriate resources available to
deliver them. Before making any public declarations the organization should ensure that any necessary
finance, skills and resources are available and that all security objectives are realistically achievable
within this framework.
In order for the security policy to be effective, it should be documented and be periodically reviewed for
continuing adequacy and amended or revised if needed.
© ISO 2006 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/PAS 28004:2006(E)
5) be communicated to all employees with the intent that employees are made aware of their individual
security obligations;
The involvement and commitment of employees is vital for successful security.
Employees need to be made aware of the effects of security management on the quality of their own work
environment and should be encouraged to contribute actively to security management.
Employees (at all levels, including management levels) are unlikely to be able to make an effective
contribution to security management unless they understand the organization’s policy and their
responsibilities and are competent to perform their required tasks.
This requires the organization to communicate its security policies and security objectives to its
employees clearly, to enable them to have a framework against which they can measure their own
individual security performance.
6) be available to stakeholders;
Any individual or group (either internal or external) concerned with or affected by the security
performance of the organization would be particularly interested in the security policy statement.
Therefore, a process should exist to communicate the security policy to them. The process should ensure
that stakeholders receive the security policy where appropriate.
7) be reviewed periodically to ensure that it remains relevant and appropriate to the organization.
Change is inevitable, regulations and legislation evolve and stakeholders’ expectations increase.
Consequently, the organization’s security policy and management system needs to be reviewed regularly
to ensure their continuing suitability and effectiveness.
If changes are introduced, these should be communicated as soon as practicable.
e) Typical output
A typical output is a comprehensive, concise, understandable, security policy that is communicated throughout
the organization and to stakeholders as necessary.
8 © ISO 2006 – All rights reserved

---------------------- Page: 13 ----------------------
ISO/PAS 28004:2006(E)
4.3 Security risk assessment and planning

Figure 3 — Planning
4.3.1 Security risk assessment
a) ISO/PAS 28000 requirement
The organization shall establish and maintain procedures for the ongoing identification and assessment of
security threats and security management-related threats and risks and the identification and implementation
of necessary management control measures. Security threats and risk identification, assessment and control
methods should, as a minimum, be appropriate to the nature and scale of the operations. This assessment
shall consider the likelihood of an event and all of its consequences which shall include:
a) physical failure threats and risks, such as functional failure, incidental damage, malicious damage or
terrorist or criminal action;
b) operational threats and risks, including the control of the security, human factors and other activities
which affect the organizations performance, condition or safety;
c) natural environmental events (storm, floods, etc.), which may render security measures and equipment
ineffective;
d) factors outside of the organization’s control, such as failures in externally supplied equipment and
services;
e) stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or
brand;
f) design and installation of security equipment including replacement, maintenance, etc.
g) information and data management and communications.
h) a threat to continuity of operations.
© ISO 2006 – All rights reserved 9

---------------------- Page: 14 ----------------------
ISO/PAS 28004:2006(E)
The organization shall ensure that the results of these assessments and the effects of these controls are
considered and where appropriate, provide input into:
a) security management objectives and targets;
b) security management programmes;
c) the determination of requirements for the design, specification and installation;
d) identification of adequate resources including staffing levels;
e) identification of training needs and skills (see 4.4.2);
f) development of operational controls (see 4.4.6);
g) the organization’s overall threat and risk management framework.
The organization shall document and keep the above information up to date.
The organization’s methodology for threat and risk identification and assessment shall:
a) be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive;
b) include the collection of information related to security threats and risks;
c) provide for the classification of threats and risks and identification of those that are to be avoided,
eliminated or controlled;
d) provide for the monitoring of actions to ensure effectiveness and the timeliness of their implementation
(see 4.5.1).
b) Intent
The organization should have a total appreciation of significant security risk, threats and vulnerabilities in its
domain, after using the processes of security threat identification, risk assessment and risk management.
The security threat identification, risk assessment and risk management processes and their outputs should
be the basis of the whole sec
...