Security Management System for suppliers to secure printing industry

This CWA specifies requirements for a security management system according to which an organisation or company:
a)   Needs to demonstrate its ability to consistently provide products that meet security requirements set by law and regulations, requirements from the Secure Printing Industry and customers, and provisions of the risk inventory.
b)   Aims to enhance customer satisfaction through the effective application of the security management system, including processes for continual improvement of the system and the conformity to security requirements set by law and regulations, requirements from and customers, and results of the risk inventory.

Security management system for suppliers to the secure printing industry

This CWA specifies requirements for a security management system under which an organisation or company should:
- demonstrate its ability to consistently provide products that meet the security requirements set by law and regulations, the requirements of the secure printing industry and of customers, and the provisions of the risk inventory.
- seek to increase customer satisfaction through the effective use of the security management system, including processes for continual improvement of the system and conformity with the security requirements set by law and regulations, customer requirements and the results of the risk inventory.

General Information

Status: Withdrawn
Publication Date: 16-Mar-2016
Withdrawal Date: 09-Feb-2017
Technical Committee:
Current Stage: 9900 - Withdrawal (Adopted Project)
Start Date: 10-Feb-2017
Due Date: 05-Mar-2017
Completion Date: 10-Feb-2017

Standardization document
CWA 15374:2016
English language
18 pages
Standards Content (Sample)

SLOVENIAN STANDARD
SIST CWA 15374:2016
01-April-2016
Security Management System for suppliers to secure printing industry
This Slovenian standard is identical to: CWA 15374:2005
ICS: 37.100.01 Graphic technology in general
SIST CWA 15374:2016 en
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

CEN WORKSHOP AGREEMENT
CWA 15374
August 2005
ICS 37.100.01
English version
Security Management System for suppliers to secure printing industry
This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of
which is indicated in the foreword of this Workshop Agreement.
The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National
Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical
content of this CEN Workshop Agreement or possible conflicts with standards or legislation.
This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members.
This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2005 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No.:CWA 15374:2005 E

CWA 15374:2005 (E)
Contents


Foreword
0 Introduction
0.1 General
0.2 Process approach
0.3 Basic principles
1 Scope
1.1 General
1.2 Application
2 Normative Reference
3 Terms and definitions
4 Security management system
4.1 General Requirements
4.2 Documentation requirements
5 Management responsibility
5.1 Management commitment
5.2 Customer focus
5.3 Security policy
5.4 Planning
5.5 Responsibility, authority and communication
5.6 Management review
6 Resource management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7 Product Realization Requirements
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development inputs
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and measuring devices
8 Measurement, analysis and improvement requirements
8.1 General
8.2 Monitoring and measurement
8.3 Control of non-conforming product
8.4 Analysis of data
8.5 Improvement

Foreword
The formal process followed by the Workshop in the development of the CEN Workshop Agreement
has been endorsed by the National Members of CEN but neither the National Members of CEN nor
the CEN Management Centre can be held accountable for the technical content of the CEN Workshop
Agreement or possible conflict with standards or legislation. This CEN Workshop Agreement can in no
way be held as being an official standard developed by CEN and its members.

The date of acceptance for this document was 14 June 2005.

This CEN Workshop Agreement is publicly available as a reference document from the National
Members of CEN: AENOR, AFNOR, BSI, CSNI, CYS, DIN, DS, ELOT, EVS, IBN, IPQ, IST,
LVS, LST, MSA, MSZT, NEN, NSAI, ON, PKN, SEE, SIS, SIST, SFS, SN, SNV, SUTN and
UNI.

Comments or suggestions from the users of the CEN Workshop Agreement are welcome and should
be addressed to the CEN Management Centre.

0 Introduction
0.1 General
The quality of products and services is one of the leading criteria for assessing the extent to which the
transactions and operation of a certain (corporate) organisation or company correspond to the desired
goals. For producers of secured materials, special machinery or special services for security printers
however, the quality requirements for the processes and products are not sufficient: the processes
and products/services must be produced, managed and delivered under safe conditions in all stages
of production (from the initial contact with the possible customer to the aftercare that may be required
after the delivery) in order to meet the requirements of the customers. Technical requirements alone
no longer provide sufficient guarantees that the requirements set by the customers will be
continuously observed. Due to the lack of technical specification, but also to possible deficiencies
within an organisation or company, discrepancies with the requirements set by the customer may
occur.

The adoption of a security management system should be a strategic decision of an organisation or
company. The design and implementation of an organisation or company’s security management
system is influenced by varying needs, particular objectives, products provided, processes employed
and by the size and the structure of the organisation or company.

It is not the intent of this CWA to imply uniformity in the structure of the security management system
or uniformity of documentation.

To achieve the product and process security objectives for an organisation or company, the technical,
administrative and human factors that have an influence on the aforementioned security must be
effectively controlled. Such control must be geared to reducing, eliminating and above all preventing
discrepancies.

The CWA is intended to apply to all sorts of suppliers to graphical companies, irrespective of their
scope. The CWA contains requirements that can be objectively audited for certification / registration
purposes.

Certification is only possible, if the organisation or company has established a security management
system that complies with the provisions described in the risk inventory. Furthermore the security
management system has to comply with laws and regulations in force and with additional specific
requirements from the customer.

The security management system requirements specified in this CWA are complementary to
requirements for products. Information marked “Remark” is for guidance in understanding or clarifying
the associated requirement.

Conformity to this CWA also requires compliance with two restricted documents:
• Risk Inventory
• Guideline for implementation.
For security and confidentiality reasons these restricted documents will only be supplied to appropriate
parties upon justification of their quality supported by client and bank references, legal status and
financial status. For certification organisations a specific procedure to follow has been established.
The restricted documents are owned by Intergraf, International Confederation for Printing and Allied
Industries a.i.s.b.l., Brussels. More information about the procedures can be found on the website of
Intergraf or by contacting the Intergraf offices in Brussels.
0.2 Process approach
This CWA promotes the adoption of a process approach when developing, implementing, and
improving the effectiveness of a security management system, to enhance customer satisfaction by
meeting security requirements of the customer.

To function effectively an organisation or company has to identify and manage numerous linked
activities. An activity using resources, and managed in order to enable the transformation of inputs into
outputs, can be considered as a process. Often the output from one process directly forms the input to
the next.

The application of a system of processes within an organisation or company, together with the
identification and interaction of these processes, and their management, can be referred to as a
“process approach”.

An advantage of a “process approach” is the ongoing control that it provides over the linkage between
individual processes within the system of processes, as well as over their combination and interaction.

When used within a security management system, such an approach emphasizes the importance of:

a) understanding and meeting security requirements;
b) the need to consider processes in terms of added value;
c) obtaining results of security performance and effectiveness; and
d) continual improvement of the security based on objective measurement.
0.3 Basic principles
The organisation or company must endeavour to attain the following security objectives:

• The organisation or company must attain the security of products, processes, premises,
information, etc. and use it to continue to meet demonstrably the requirements, and naturally, the
needs of customers.
• The organisation or company must give its own management the confidence that the targeted
degree of security is actually achieved and remains up to par.
• The organisation or company must give the customers the confidence that the agreed nature and
degree of security is or will be attained. If contractually required, this can entail that requirements
are agreed on demonstrating justification for this confidence.

The 'Security Management System' is based on the quality standard ISO 9001:2000 on the following
grounds:
• The systematic methods of the ISO 9001:2000 (according to the Plan, Do, Check and Act –
Deming circle) are adopted, which entails, inter alia, that the management is demonstrably prepared
and capable of learning from experience so as to be able to manage, guarantee and improve
security;
• The CWA prescribes which elements a security management system contains and not how a
specific organisation or company implements these elements. The specific situation within
companies always varies;
• All aspects of operational management which are needed in order to be able to control, guarantee,
and in so far as possible improve security (organisation or company, responsibilities, procedures,
supplies, etc.) are represented in the CWA;
• The security management system has the same chapters (in the same order) as the ISO
9001:2000, whereby the security criteria can be added, per chapter, to the quality criteria.
Companies, which already have a quality system that meets the ISO 9001:2000 can thereby,
integrate the two assurance systems relatively easily.

Each element of every requirement of the security varies in importance in relation to the type of activity
and product. An assurance system must therefore be developed and implemented in such a way that
it meets the objectives set in the security policy of an organisation or company.

To facilitate the integration of this CWA with the quality system pursuant to ISO 9001:2000, the same
numbers of the various chapters have been retained where possible.
1 Scope
1.1 General
This CWA specifies requirements for a security management system according to which an
organisation or company:

a) Needs to demonstrate its ability to consistently provide products that meet security
requirements set by law and regulations, requirements from the Secure Printing Industry and
customers, and provisions of the risk inventory.

b) Aims to enhance customer satisfaction through the effective application of the security
management system, including processes for continual improvement of the system and the
conformity to security requirements set by law and regulations, requirements from and customers,
and results of the risk inventory.

1.2 Application
The CWA is intended to apply to all sorts of suppliers to the Secure Printing Industry, irrespective of
their scope. The CWA contains requirements that can be objectively audited for certification /
registration purposes.

Certification is only possible, if the organisation or company has established a security management
system that is in accordance with the specifications of the risk inventory. The risk inventory is a special
document owned by Intergraf. Furthermore the security management system has to comply with laws
and regulations in force and specific requirements from the customer.

If any requirement of this CWA cannot be applied due to the nature of an organisation or company and
its product, it shall be considered as excluded from the certification.

Where exclusions are made, claims of conformity to this CWA are not acceptable unless these
exclusions are limited to requirements within Clause 7 hereafter, and such exclusions do not affect the
organisation or company’s ability, or responsibility to meet security and applicable regulatory
requirements.
2 Normative Reference
There are no normative references at this time.
3 Terms and definitions
Secured companies
In this CWA Secured Companies are companies producing raw materials, semi-finished and finished
products and/or providing services to the Secure Printing Industry and having a security management
system conforming to this CWA and the requirements of the Risk Inventory for suppliers to the Secure
Printing Industry.

Securing
Taking measures intended to protect products, production processes and means of production against
violence, threats, danger or damage, theft and embezzlement or other illegal activities.

Security Management System
The system with which all security measures in the organisation or company can be controlled.

Security policy
General objectives and direction of an organisation or company in regard to security, as formally made
known by the management. The objectives of an organisation or company in regard to security, as
well as the means that lead to the attainment of these objectives, as formally set out in a management
statement.

Security objectives
What is intended or striven for in regard to security.

Remark 1:
Security objectives are in general based on the security policy of the organisation or company.

Remark 2:
Security objectives are in general specified for relevant functions and levels in the organisation or
company.

Security management
The coordinated activities to direct and control an organisation or company in regard to security.

Remark:
Direct and control in regard to the security in general entails the establishment of the security policy
and security objectives, security planning, security control, security assurance and security
improvement.

Security planning
The aspect of security management aimed at the establishment of the security objectives and the
specification of the necessary operational processes and the coherent resources to satisfy the
security objectives.

Security plan
The document that specifies the security procedures and resources to produce the products.

Security control
The aspect of security management aimed at the satisfaction of security requirements.

Security assurance
The aspect of the total management function that is decisive for charting and implementing the
security policy.

Security guarantee
All planned and systematic actions needed to give a sufficient degree of confidence that a product or
process meets the security requirements.

Security improvement
The aspect of security management aimed at the improvement of the ability to satisfy the security
requirements.

Verification
Verification is the systematic method with which the quantities from substrate (base) raw material to a
finished security product are monitored and checked. The way and level of verification correspond to
the classification of the product.

0-document
The security requirements a company has to meet if it wants to be audited on all the requirements
mentioned in the Risk Inventory. This depends on the risk analysis of the company, the company’s
policy and the requirements of the customer.

A-document
The security requirements the company has to meet and can guarantee to its clients. These are the
mandatory requirements mentioned in the Risk Inventory for secured suppliers to the secure printing
industry.

B-document
The specific security arrangements between the company and the customer set out either per
customer, or per order.

4 Security management system
4.1 General Requirements
The organisation or company needs to establish, document, implement and maintain a security
management system and continually improve its effectiveness in accordance with the requirements of
this CWA.

The organisation or company needs to:

a) identify the processes needed for implementation and maintenance of the security
management system;
b) determine the interaction and sequence of these processes;
c) determine criteria and methods to ensure that the operation and control of these processes
are effective;
d) ensure the availability of resources and information necessary to support the security of these
processes;
e) monitor, measure and analyse the processes of an organisation or company regarding
security of the products or service;
f) implement actions necessary to achieve continual improvement of the security of products,
production process or services.

These processes shall be managed by the organisation or company in accordance with the
requirements of this CWA.

Where an organisation or company chooses to outsource any process that affects the security
requirements of the product(s) and service(s), the organisation or company shall ensure control over
these processes. This control needs to be identified within the security management system.
4.2 Documentation requirements
4.2.1 General
The security management system documentation shall include:

a) documented statements of the security policy and security objectives;
b) a security manual;
c) documented procedures required by this CWA;
d) plans and operations needed to describe how security is attained;
e) the risk inventory; and
f) records required by this CWA.

Remark 1
The quantity, detail, and form of the documentation can differ from one organisation or company to
another depending on size, type of activities and complexity of processes.

Remark 2
The documentation can be in any form or type of medium.


Remark 3
In this CWA the term “documented procedure” means that the procedure is established, documented,
implemented and maintained.
4.2.2 Security manual
The security manual describes:
a) the extent of the security management system, including details and justification for exclusions
of certain sections of the CWA that do not pertain to the organisation or company;
b) the documented procedures established for the security management system or references to
these procedures;
c) a description of the interaction between processes making up the security management
system.

4.2.3 Control of documents
Documents required by the security management system shall be controlled.
A documented procedure shall be established to ensure that all documents in the security
management system are legible, identified, reviewed, authorized, up-to-date, issued, distributed,
periodically updated and kept in a restricted area.

Obsolete documents have to be identified and protected from unintended use.

Documents that come from outside the organisation or company have to be identified and controlled.

Remark:
In addition to manuals, system documents can also include non-order related protocols and a list of
employees with specific competencies.
Order-related documents can, for example, include: confidentiality declarations geared to an order, a
list of employees involved in an order, and order-related instructions.
4.2.4 Control of records
Records need to be kept to demonstrate how the security management system is operating. These
records must be legible, and easy to identify and retrieve.

A documented procedure must describe how they are identified, stored, protected and retrieved, and
has to define their retention and disposal times.

It shall also be stipulated who has access to these data.
5 Management responsibility
5.1 Management commitment
The top management shall provide evidence of its commitment to the development and
implementation of the security management system and continually improving its effectiveness.

Therefore the top management has the following responsibilities:

a) communicating to the organisation or company the importance of meeting security
requirements, including customer, legal, and regulatory requirements;
b) overseeing the creation of the security management system;
c) establishing the security policy;
d) ensuring the security objectives;
e) providing adequate resources for the operation of the security management system;
f) reviewing the operation of the security management system; and
g) setting the specific security criteria that the company wishes to meet in the “A Document”.

Remark
The management must, among other things, indicate what its security policy contains; this policy must
be consistent with other policies within the organisation or company and made known and understood
at each level of the organisation or company. Furthermore the management must make a selection
from the “O-document” drawn up for the risk inventory of the specific security requirements which the
company wishes to be able to meet and set them out in the so-called “A-document”.
5.2 Customer focus
The top management must ensure that customer security requirements are understood and met.
5.3 Security policy
The security policy identifies the main goals of the security management system. The security policy
must:
a) be appropriate to the organisation or company’s purposes;
b) include a commitment to meet customer, legal and regulatory requirements and requirements
of the results of the risk inventory;
c) create a background for establishing and reviewing security objectives;
d) be communicated and understood throughout the organisation or company; and
e) be reviewed for ongoing suitability to the security needs of the organisation or company and its
customers.
5.4 Planning
5.4.1 Security objectives
The management has to establish measurable security objectives that support the security policy and
communicate them throughout the organisation or company.
5.4.2 Security management system planning
The management has to ensure that:
a) the planning of the security management system is carried out in order to meet the security
objectives and requirements, and
b) the integrity of the security management system is maintained when it is changed to
implement improvements.
5.5 Responsibility, authority and communication
5.5.1 Responsibility and authority
Effective work depends on a clear understanding of each person’s tasks, responsibility and authority.
Therefore tasks, responsibility and authority must be defined and communicated within the
organisation or company.
5.5.2 Management Representative
The top management must appoint a manager or another employee who, irrespective of other
responsibilities, has the responsibility for the security management system. The Management
Representative has the responsibility and authority that includes:

a) ensuring that the security management system according to the requirements of this CWA is
set up, implemented, and maintained;
b) reporting on the performance of the security management system and any improvements
needed;
c) promoting awareness of security requirements throughout the organisation or company.
5.5.3 Internal communication
Top management needs to set up an effective system of communication to ensure effective operation
of the security management system.

5.6 Management review
5.6.1 General
The top management is required to regularly review certain aspects of the security management
system to make sure that the goals are being achieved and to look for ways to improve the security
management system. This review must cover suitability, adequacy, and effectiveness of the security
management system. The review also includes assessing opportunities for improvement and required
changes to the security management syst
...
