CWA 15374:2005
Security Management System for suppliers to secure printing industry
This CWA specifies requirements for a security management system according to which an organisation or company:
a) Needs to demonstrate its ability to consistently provide products that meet security requirements set by law and regulations, requirements from the Secure Printing Industry and customers, and provisions of the risk inventory.
b) Aims to enhance customer satisfaction through the effective application of the security management system, including processes for continual improvement of the system and the conformity to security requirements set by law and regulations, requirements from and customers, and results of the risk inventory.
Security management system for suppliers to the secure printing industry
This CWA specifies requirements for a security management system according to which an organisation or company should:
- demonstrate its ability to consistently provide products that meet the security requirements set by law and regulations, the requirements of the secure printing industry and customers, and the provisions of the risk inventory.
- seek to increase customer satisfaction through the effective application of the security management system, including processes for continual improvement of the system and conformity to the security requirements set by law and regulations, the requirements of customers, and the results of the risk inventory.
General Information
- Status: Withdrawn
- Publication Date: 16-Aug-2005
- Withdrawal Date: 08-Feb-2026
- Technical Committee: CEN/WS 023 - Security Management System for Suppliers to Secure Printers
- Drafting Committee: CEN/WS 023 - Security Management System for Suppliers to Secure Printers
- Current Stage: 9960 - Withdrawal effective - Withdrawal
- Start Date: 16-Jun-2016
- Completion Date: 11-Feb-2026
Frequently Asked Questions
CWA 15374:2005 is a standardization document published by the European Committee for Standardization (CEN). Its full title is "Security Management System for suppliers to secure printing industry". This standard covers: This CWA specifies requirements for a security management system according to which an organisation or company: a) Needs to demonstrate its ability to consistently provide products that meet security requirements set by law and regulations, requirements from the Secure Printing Industry and customers, and provisions of the risk inventory. b) Aims to enhance customer satisfaction through the effective application of the security management system, including processes for continual improvement of the system and the conformity to security requirements set by law and regulations, requirements from and customers, and results of the risk inventory.
CWA 15374:2005 is classified under the following ICS (International Classification for Standards) categories: 37.100.01 - Graphic technology in general. The ICS classification helps identify the subject area and facilitates finding related standards.
CWA 15374:2005 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
SLOVENIAN STANDARD
01-April-2016
Security Management System for suppliers to secure printing industry
This Slovenian standard is identical to: CWA 15374:2005
ICS:
37.100.01 Graphic technology in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
CEN WORKSHOP AGREEMENT
CWA 15374
August 2005
ICS 37.100.01
English version
Security Management System for suppliers to secure printing industry
This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of
which is indicated in the foreword of this Workshop Agreement.
The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National
Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical
content of this CEN Workshop Agreement or possible conflicts with standards or legislation.
This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members.
This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies.
CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia,
Slovenia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36 B-1050 Brussels
© 2005 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No.: CWA 15374:2005 E
Contents
Foreword
0 Introduction
0.1 General
0.2 Process approach
0.3 Basic principles
1 Scope
1.1 General
1.2 Application
2 Normative Reference
3 Terms and definitions
4 Security management system
4.1 General Requirements
4.2 Documentation requirements
5 Management responsibility
5.1 Management commitment
5.2 Customer focus
5.3 Security policy
5.4 Planning
5.5 Responsibility, authority and communication
5.6 Management review
6 Resource management
6.1 Provision of resources
6.2 Human resources
6.3 Infrastructure
6.4 Work environment
7 Product Realization Requirements
7.1 Planning of product realization
7.2 Customer-related processes
7.3 Design and development inputs
7.4 Purchasing
7.5 Production and service provision
7.6 Control of monitoring and measuring devices
8 Measurement, analysis and improvement requirements
8.1 General
8.2 Monitoring and measurement
8.3 Control of non-conforming product
8.4 Analysis of data
8.5 Improvement
Foreword
The formal process followed by the Workshop in the development of the CEN Workshop Agreement
has been endorsed by the National Members of CEN but neither the National Members of CEN nor
the CEN Management Centre can be held accountable for the technical content of the CEN Workshop
Agreement or possible conflict with standards or legislation. This CEN Workshop Agreement can in no
way be held as being an official standard developed by CEN and its members.
The date of acceptance for this document was 14 June 2005.
This CEN Workshop Agreement is publicly available as a reference document from the National
Members of CEN: AENOR, AFNOR, BSI, CSNI, CYS, DIN, DS, ELOT, EVS, IBN, IPQ, IST,
LVS, LST, MSA, MSZT, NEN, NSAI, ON, PKN, SEE, SIS, SIST, SFS, SN, SNV, SUTN and
UNI.
Comments or suggestions from the users of the CEN Workshop Agreement are welcome and should
be addressed to the CEN Management Centre.
0 Introduction
0.1 General
The quality of products and services is one of the leading criteria for assessing the extent to which the
transactions and operation of a certain (corporate) organisation or company correspond to the desired
goals. For producers of secured materials, special machinery or special services for security printers
however, the quality requirements for the processes and products are not sufficient: the processes
and products/services must be produced, managed and delivered under safe conditions in all stages
of production (from the initial contact with the possible customer to the aftercare that may be required
after the delivery) in order to meet the requirements of the customers. Technical requirements alone
no longer provide sufficient guarantees that the requirements set by the customers will be
continuously observed. Due to the lack of technical specification, but also to possible deficiencies
within an organisation or company, discrepancies with the requirements set by the customer may
occur.
The adoption of a security management system should be a strategic decision of an organisation or
company. The design and implementation of an organisation or company’s security management
system is influenced by varying needs, particular objectives, products provided, processes employed
and by the size and the structure of the organisation or company.
It is not the intent of this CWA to imply uniformity in the structure of the security management system
or uniformity of documentation.
To achieve the product and process security objectives for an organisation or company, the technical,
administrative and human factors that have an influence on the aforementioned security must be
effectively controlled. Such control must be geared to reducing, eliminating and above all preventing
discrepancies.
The CWA is intended to apply to all sorts of suppliers to graphical companies, irrespective of their
scope. The CWA contains requirements that can be objectively audited for certification / registration
purposes.
Certification is only possible if the organisation or company has established a security management
system that complies with the provisions described in the risk inventory. Furthermore the security
management system has to comply with laws and regulations in force and with additional specific
requirements from the customer.
The security management system requirements specified in this CWA are complementary to
requirements for products. Information marked “Remark” is for guidance in understanding or clarifying
the associated requirement.
Conformity to this CWA also requires compliance with two restricted documents:
• Risk Inventory
• Guideline for implementation.
For security and confidentiality reasons these restricted documents will only be supplied to appropriate
parties upon justification of their quality supported by client and bank references, legal status and
financial status. For certification organisations a specific procedure to follow has been established.
The restricted documents are owned by Intergraf, International Confederation for Printing and Allied
Industries a.i.s.b.l., Brussels. More information about the procedures can be found on the website of
Intergraf or by contacting the Intergraf offices in Brussels.
0.2 Process approach
This CWA promotes the adoption of a process approach when developing, implementing, and
improving the effectiveness of a security management system, to enhance customer satisfaction by
meeting security requirements of the customer.
To function effectively an organisation or company has to identify and manage numerous linked
activities. An activity using resources, and managed in order to enable the transformation of inputs into
outputs, can be considered as a process. Often the output from one process directly forms the input to
the next.
The application of a system of processes within an organisation or company, together with the
identification and interaction of these processes, and their management, can be referred to as a
“process approach”.
An advantage of a “process approach” is the ongoing control that it provides over the linkage between
individual processes within the system of processes, as well as over their combination and interaction.
When used within a security management system, such an approach emphasizes the importance of:
a) understanding and meeting security requirements;
b) the need to consider processes in terms of added value;
c) obtaining results of security performance and effectiveness; and
d) continual improvement of the security based on objective measurement.
0.3 Basic principles
The organisation or company must endeavour to attain the following security objectives:
• The organisation or company must attain the security of products, processes, premises,
information, etc. and use it to continue to meet demonstrably the requirements, and naturally, the
needs of customers.
• The organisation or company must give its own management the confidence that the targeted
degree of security is actually achieved and remains up to par.
• The organisation or company must give the customers the confidence that the agreed nature and
degree of security is or will be attained. If contractually required, this can entail that requirements
are agreed on demonstrating justification for this confidence.
The 'Security Management System' is based on the quality standard ISO 9001:2000 on the following
grounds:
• The systematic method of ISO 9001:2000 (according to the Plan, Do, Check and Act –
Deming circle) is adopted, which entails, inter alia, that the management is demonstrably prepared
and capable of learning from experience so as to be able to manage, guarantee and improve
security;
• The CWA prescribes which elements a security management system contains and not how a
specific organisation or company implements these elements. The specific situation within
companies always varies;
• All aspects of operational management which are needed in order to be able to control, guarantee,
and in so far as possible improve security (organisation or company, responsibilities, procedures,
supplies, etc.) are represented in the CWA;
• The security management system has the same chapters (in the same order) as the ISO
9001:2000, whereby the security criteria can be added, per chapter, to the quality criteria.
Companies which already have a quality system that meets ISO 9001:2000 can thereby
integrate the two assurance systems relatively easily.
Each element of every requirement of the security varies in importance in relation to the type of activity
and product. An assurance system must therefore be developed and implemented in such a way that
it meets the objectives set in the security policy of an organisation or company.
To facilitate the integration of this CWA with the quality system pursuant to ISO 9001:2000, the same
numbers of the various chapters have been retained where possible.
1 Scope
1.1 General
This CWA specifies requirements for a security management system according to which an
organisation or company:
a) Needs to demonstrate its ability to consistently provide products that meet security
requirements set by law and regulations, requirements from the Secure Printing Industry and
customers, and provisions of the risk inventory.
b) Aims to enhance customer satisfaction through the effective application of the security
management system, including processes for continual improvement of the system and the
conformity to security requirements set by law and regulations, requirements from and customers,
and results of the risk inventory.
1.2 Application
The CWA is intended to apply to all sorts of suppliers to the Secure Printing Industry, irrespective of
their scope. The CWA contains requirements that can be objectively audited for certification /
registration purposes.
Certification is only possible if the organisation or company has established a security management
system that is in accordance with the specifications of the risk inventory. The risk inventory is a special
document owned by Intergraf. Furthermore the security management system has to comply with laws
and regulations in force and specific requirements from the customer.
If any requirement of this CWA cannot be applied due to the nature of an organisation or company and
its product, it shall be considered as excluded from the certification.
Where exclusions are made, claims of conformity to this CWA are not acceptable unless these
exclusions are limited to requirements within Clause 7 hereafter, and such exclusions do not affect the
organisation or company’s ability, or responsibility to meet security and applicable regulatory
requirements.
2 Normative Reference
There are no normative references at this time.
3 Terms and definitions
Secured companies
In this CWA Secured Companies are companies producing raw materials, semi-finished and finished
products and/or providing services to the Secure Printing Industry and having a security management
system conforming to this CWA and the requirements of the Risk Inventory for suppliers to the Secure
Printing Industry.
Securing
Taking measures intended to protect products, production processes and means of production against
violence, threats, danger or damage, theft and embezzlement or other illegal activities.
Security Management System
The system with which all security measures in the organisation or company can be controlled.
Security policy
General objectives and direction of an organisation or company in regard to security, as formally made
known by the management. The objectives of an organisation or company in regard to security, as
well as the means that lead to the attainment of these objectives, as formally set out in a management
statement.
Security objectives
What is intended or what is strived for in regard to security.
Remark 1:
Security objectives are in general based on the security policy of the organisation or company.
Remark 2:
Security objectives are in general specified for relevant functions and levels in the organisation or
company.
Security management
The coordinated activities to direct and control an organisation or company in regard to security.
Remark:
Direct and control in regard to the security in general entails the establishment of the security policy
and security objectives, security planning, security control, security assurance and security
improvement.
Security planning
The aspect of security management aimed at the establishment of the security objectives and the
specification of the necessary operational processes and the coherent resources to satisfy the
security objectives.
Security plan
The document that specifies the security procedures and resources to produce the products.
Security control
The aspect of security management aimed at the satisfaction of security requirements.
Security assurance
The aspect of the total management function that is decisive for charting and implementing the
security policy.
Security guarantee
All planned and systematic actions needed to give a sufficient degree of confidence that a product or
process meets the security requirements.
Security improvement
The aspect of security management aimed at the improvement of the ability to satisfy the security
requirements.
Verification
Verification is the systematic method with which the quantities from substrate (base) raw material to a
finished security product are monitored and checked. The way and level of verification correspond to
the classification of the product.
0-document
The security requirements a company has to meet if it wants to be audited on all the requirements
mentioned in the Risk Inventory. This depends on the risk analysis of the company, the company’s
policy and the requirements of the customer.
A-document
The security requirements the company has to meet and can guarantee to its clients. These are the
mandatory requirements mentioned in the Risk Inventory for secured suppliers to the secure printing
industry.
B-document
The specific security arrangements between the company and the customer set out either per
customer, or per order.
4 Security management system
4.1 General Requirements
The organisation or company needs to establish, document, implement and maintain a security
management system and continually improve its effectiveness in accordance with the requirements of
this CWA.
The organisation or company needs to:
a) identify the processes needed for implementation and maintenance of the security
management system;
b) determine the interaction and sequence of these processes;
c) determine criteria and methods to ensure that the operation and control of these processes
are effective;
d) ensure the availability of resources and information necessary to support the security of these
processes;
e) monitor, measure and analyse the processes of an organisation or company regarding
security of the products or service;
f) implement actions necessary to achieve continual improvement of the security of products,
production process or services.
These processes shall be managed by the organisation or company in accordance with the
requirements of this CWA.
Where an organisation or company chooses to outsource any process that affects the security
requirements of the product(s) and service(s), the organisation or company shall ensure control over
these processes. This control needs to be identified within the security management system.
4.2 Documentation requirements
4.2.1 General
The security management system documentation shall include:
a) documented statements of the security policy and security objectives;
b) a security manual;
c) documented procedures required by this CWA;
d) plans and operations needed to describe how security is attained;
e) the risk inventory; and
f) records required by this CWA.
Remark 1
The quantity, detail, and form of the documentation can differ from one organisation or company to
another depending on size, type of activities and complexity of processes.
Remark 2
The documentation can be in any form or type of medium.
Remark 3
In this CWA the term “documented procedure” means that the procedure is established, documented,
implemented and maintained.
4.2.2 Security manual
The security manual describes:
a) the extent of the security management system, including details and justification for exclusions
of certain sections of the CWA that do not pertain to the organisation or company;
b) the documented procedures established for the security management system or references to
these procedures;
c) a description of the interaction between processes making up the security management
system.
4.2.3 Control of documents
Documents required by the security management system shall be controlled.
A documented procedure shall be established to ensure that all documents in the security
management system are legible, identified, reviewed, authorized, up-to-date, issued, distributed,
periodically updated and kept in a restricted area.
Obsolete documents have to be identified and protected from unintended use.
Documents that come from outside the organisation or company have to be identified and controlled.
Remark:
In addition to manuals, system documents can also include non-order related protocols and a list of
employees with specific competencies.
Order-related documents can, for example, include: confidentiality declarations geared to an order, a
list of employees involved in an order, and order-related instructions.
4.2.4 Control of records
Records need to be kept to demonstrate how the security management system is operating. These
records must be legible, and easy to identify and retrieve.
A documented procedure must describe how
...



