ISO 14298:2013
Graphic technology — Management of security printing processes
ISO 14298:2013 specifies requirements for a security printing management system for security printers. ISO 14298:2013 specifies a minimum set of security printing management system requirements. Organizations ensure that customer security requirements are met as appropriate provided these do not conflict with the requirements of ISO 14298:2013.
Standards Content (Sample)
SLOVENIAN STANDARD
SIST ISO 14298:2020
1 April 2020
Graphic technology - Management of security printing processes
This Slovenian standard is identical to: ISO 14298:2013
ICS: 37.100.01 Graphic technology in general
SIST ISO 14298:2020 en,fr
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
INTERNATIONAL STANDARD ISO 14298
First edition
2013-04-15
Graphic technology — Management of security printing processes
Reference number
ISO 14298:2013(E)
© ISO 2013
COPYRIGHT PROTECTED DOCUMENT
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2013 – All rights reserved
Contents
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Context of the organization  5
4.1 Understanding the organization and its context  5
4.2 Understanding the needs and expectations of interested parties  5
4.3 Determining the scope of the security printing management system  6
4.4 Security printing management system  6
5 Leadership  7
5.1 Leadership and commitment  7
5.2 Policy  8
5.3 Organization roles, responsibilities and authorities  8
6 Planning  9
6.1 Actions to address risks and opportunities  9
6.2 Security objectives and planning to achieve them  9
6.3 Security printing management system planning  10
7 Support  10
7.1 Resources  10
7.2 Competence  10
7.3 Awareness  11
7.4 Communication  11
7.5 Documented information  11
8 Operation  13
9 Performance evaluation  13
9.1 Monitoring, measurement, analysis and evaluation  13
9.2 Internal audit  14
9.3 Management review  14
10 Improvement  15
10.1 Nonconformity, security breaches and corrective actions  15
10.2 Preventive actions  15
10.3 Continual improvement  16
Annex A (normative) Determination of security requirements related to the security printing management system  17
Bibliography  20
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
The committee responsible for this document is ISO/TC 130, Graphic technology.
Introduction
General
This International Standard specifies requirements for a security printing management system for
security printers.
Current security printing management practices lack sufficient guarantees that effective security
controls are maintained to protect the interest of the customer as well as the general public. Using this
International Standard the organization establishes, documents, implements and maintains a security
printing management system. This security printing management system is regularly reviewed to
continually improve its effectiveness. It is recognized that customer requirements sometimes exceed
the requirements of this International Standard so the security printing management system also
addresses customer requirements that are beyond the scope of this International Standard.
The adoption of a security printing management system is a strategic decision of an organization. The
design and implementation of an organization’s security printing management system is influenced by
varying needs, particular objectives, products provided, processes employed, security environment,
cultural issues, legal limitations, risk assessment and by size and structure of the organization.
To achieve the objectives of this security printing management system standard, measures are taken to
mitigate all of the security threats determined by an organizational risk assessment. Such controls focus
on reducing, eliminating and preventing acts that compromise the security printing management
system of the organization.
It is not the intent of this International Standard to obtain uniformity in the structure of the security
printing management system or uniformity of documented information. The security printing
management system complies with laws and regulations in force. The requirements specified in this
International Standard are supplementary to requirements for products and processes of an organization
and allow for additional specific requirements from the customer.
This International Standard is intended to apply to security printers. It contains requirements that when
implemented by a security printer may be objectively audited for certification/registration purposes.
Process approach
This International Standard promotes the adoption of a process approach when developing, implementing
and improving the effectiveness of a security printing management system.
The application of a system of processes within an organization, together with the identification
and interaction of these processes, and their management, is referred to as a “process approach”. An
advantage of a “process approach” is the ongoing control that it provides over the interaction between
individual processes within the system of processes, as well as over their combination.
Basic principles
When implemented, the security printing management system:
a) achieves the security of products, processes, means of production, premises, information, raw
material supplies;
b) is used to continue to meet demonstrably the requirements, and naturally, the needs of customers;
c) affords management the confidence that the targeted degree of security is actually achieved and
remains effective;
d) affords the customers the confidence that the agreed nature and degree of security is or will be attained.
This International Standard prescribes which elements a security printing management system contains
and not how a specific organization implements these elements.
INTERNATIONAL STANDARD ISO 14298:2013(E)
Graphic technology — Management of security printing processes
1 Scope
This International Standard specifies requirements for a security printing management system for
security printers.
This International Standard specifies a minimum set of security printing management system
requirements. Organizations ensure that customer security requirements are met as appropriate
provided these do not conflict with the requirements of this International Standard.
2 Normative references
No normative references are cited.
3 Terms and definitions
For the purposes of this document the following terms and definitions apply.
NOTE Italic type in a definition indicates a cross-reference to another term defined in this clause; the number
reference for the term is given in parentheses.
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.8)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.2
interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested
parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives
(3.8), and processes (3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning,
operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
Note 4 to entry: A management system contains documented information to direct and control the organization.
3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization then top
management refers to those who direct and control that part of the organization.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental
goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.12)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational
criterion, as a security objective (3.32) or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of security printing management systems security objectives (3.32) are set by the
organization, consistent with the security policy, to achieve specific results.
3.9
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences
(ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73:2009, 3.6.1.1) of occurrence.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which
it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to the management system (3.4), including related processes
(3.12); information created in order for the organization to operate (documentation); and evidence of results
achieved (records).
3.12
process
set of interrelated or interacting activities which transforms inputs into outputs
3.13
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including
services), systems or organizations (3.1).
3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization’s function
or process (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the
outsourced function or process is within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity
Note 1 to entry: To determine the status there may be a need to check, measure, supervise or critically observe.
3.16
measurement
process (3.12) to determine a value
3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
3.20
correction
action to eliminate a detected nonconformity (3.19)
3.21
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence
3.22
continual improvement
recurring activity to enhance performance (3.13)
3.23
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[ISO Guide 73:2009, 3.4.1]
3.24
security printer
producer of printed documents or products of value or entitlement, ID documents or security foils (3.26)
which are physically protected against forgery, counterfeiting and alteration by security features (3.27)
3.25
security printing
set of processes (3.12) which transform raw materials into documents or products of value or entitlement,
ID documents or security foils (3.26) physically protected by security features (3.27)
3.26
security foil
thin film material that contains an optically variable element or similar security feature (3.27), which is applied
onto documents or products to physically protect them against forgery, counterfeiting and alteration
3.27
security feature
component integrated in the product to protect against forgery, counterfeiting and alteration
3.28
security
protection of products, processes, information, means of production, security features and the supply chain
3.29
threat
action or potential occurrence, whether or not malicious, to breach the security (3.28) of the system
3.30
security breach
infraction or violation of security
3.31
documented procedure
established way of working, documented, implemented and maintained
3.32
security objective
result to be achieved with regard to security (3.28)
Note 1 to entry: Security objectives are in general based on the security policy of the organization.
Note 2 to entry: Security objectives are in general specified for relevant functions and levels in the organization.
3.33
security management
coordinated activities to direct and control an organization with regard to security (3.28)
Note 1 to entry: “Direct and control” in general entails the establishment of the policy, objectives, planning,
control, security assurance and improvements with regards to security (3.28). Security assurance represents all
planned and systematic actions needed to give a sufficient degree of confidence that a product or process (3.12)
meets the security requirements.
3.34
security plan
documented information that specifies the procedures and resources to satisfy the security requirements
of the organization
3.35
security control
aspect of security management (3.33) aimed at the fulfilment of the security requirements
3.36
preventive action
action to prevent the cause of a nonconformity (3.19)
3.37
traceability
ability to trace the history, application or location of that which is under consideration
Note 1 to entry: When considering product, traceability can relate to the origin of materials and parts, the
processing history and the distribution and location of the product after delivery.
(ISO 9000:2005, 3.5.4, modified)
3.38
resource
personnel, information, premises, process equipment (software and hardware) and tools
3.39
supply chain
set of interconnected processes (3.12) and resources (3.38) that starts with the sourcing of raw materials
and ends with the delivery of products and services to the customer
Note 1 to entry: Supply chains include producers, suppliers, manufacturers, distributors, wholesalers, vendors,
and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal
and external to an organization.
Note 2 to entry: Supply chain management as related to this International Standard includes the vetting of suppliers
and customers from the point of initial security value, which is the point at which security is added to the product.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its security printing management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
— the interested parties that are relevant to the security printing management system, and
— the requirements of these interested parties.
Certification is only possible if the organization has followed the regulations of the certification
procedure and if it has established a security printing management system in accordance with the
specifications of this procedure. Furthermore, the security printing management system has to comply
with laws and regulations in force.
4.3 Determining the scope of the security printing management system
The organization shall determine the boundaries and applicability of the security printing management
system to establish its scope.
When determining this scope, the organization shall consider:
— the external and internal issues referred to in 4.1, and
— the requirements referred to in 4.2.
The scope shall be available as documented information.
4.4 Security printing management system
The organization shall establish, implement, maintain and continually improve a security printing
management system in accordance with the requirements of this International Standard including the
processes needed as outlined in normative Annex A and their interactions.
It is recognized that customer requirements may exceed the requirements of this International Standard
so the security printing management system also addresses customer requirements that are beyond the
scope of this International Standard.
The organization shall conduct a risk assessment on at least the following:
a) Customer-related risk
EXAMPLE Unauthorized purchase, distribution or illegal use of a product by a customer.
b) Information-related risk
EXAMPLE Unwanted, unintended, prompted or unprompted disclosure of information.
c) Security material, product and waste-related risk
EXAMPLE Theft, damage, sabotage or loss of security materials.
d) Supply chain-related risk
EXAMPLE Any subversion or compromise of the security of the organization’s security products and
related services at any point in the supply chain.
e) Physical intrusion and access-related risk
EXAMPLE Intrusion into sensitive physical areas.
f) Personnel-related risk
EXAMPLE Personnel fraud or unauthorized actions.
g) Disaster-related risk
EXAMPLE Security breakdowns that result from either man-made or natural disasters.
h) Security failure-related risk
EXAMPLE Occurrence of security breaches.
i) Security management-related risk
EXAMPLE Lack of security management competences.
j) Use of machinery-related risk
EXAMPLE Unauthorized use of the means of production.
k) Sales of equipment-related risk
EXAMPLE Sale, distribution of any equipment or component for illegal use.
l) Transportation-related risk
EXAMPLE Theft, modification, damage or destruction of products, security raw materials and security
features during loading, unloading, storage and transportation.
m) Any additional security-related risks unique to the organization
This risk assessment shall be the basis for the establishment of a security plan (see 6.3).
NOTE ISO 31000 contains guidance for risk assessment.
5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the security printing
management system by:
a) ensuring that the security policy and security objectives are established and are compatible with
the strategic direction of the organization;
b) ensuring the integration of the security printing management system requirements into the
organization’s business processes;
c) ensuring that the resources needed for the security printing management system are available;
d) communicating the importance of effective security printing management and of conforming to
the security printing management system requirements, including customer, legal, and regulatory
requirements;
e) ensuring that the security printing management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the security printing
management system;
g)
...
INTERNATIONAL ISO
STANDARD 14298
First edition
2013-04-15
Graphic technology — Management of
security printing processes
Technologie graphique — Management des procédés d’impression de
sécurité
Reference number
ISO 14298:2013(E)
©
ISO 2013
---------------------- Page: 1 ----------------------
ISO 14298:2013(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2013 – All rights reserved
---------------------- Page: 2 ----------------------
ISO 14298:2013(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 5
4.1 Understanding the organization and its context . 5
4.2 Understanding the needs and expectations of interested parties . 5
4.3 Determining the scope of the security printing management system . 6
4.4 Security printing management system . 6
5 Leadership . 7
5.1 Leadership and commitment . 7
5.2 Policy . 8
5.3 Organization roles, responsibilities and authorities . 8
6 Planning . 9
6.1 Actions to address risks and opportunities . 9
6.2 Security objectives and planning to achieve them . 9
6.3 Security printing management system planning .10
7 Support .10
7.1 Resources .10
7.2 Competence .10
7.3 Awareness .11
7.4 Communication .11
7.5 Documented information .11
8 Operation .13
9 Performance evaluation .13
9.1 Monitoring, measurement, analysis and evaluation .13
9.2 Internal audit .14
9.3 Management review .14
10 Improvement .15
10.1 Nonconformity, security breaches and corrective actions .15
10.2 Preventive actions .15
10.3 Continual improvement .16
Annex A (normative) Determination of security requirements related to the security printing
management system .17
Bibliography .20
© ISO 2013 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO 14298:2013(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
The committee responsible for this document is ISO/TC 130, Graphic technology.
iv © ISO 2013 – All rights reserved
---------------------- Page: 4 ----------------------
ISO 14298:2013(E)
Introduction
General
This International Standard specifies requirements for a security printing management system for
security printers.
Current security printing management practices lack sufficient guarantees that effective security
controls are maintained to protect the interest of the customer as well as the general public. Using this
International Standard the organization establishes, documents, implements and maintains a security
printing management system. This security printing management system is regularly reviewed to
continually improve its effectiveness. It is recognized that customer requirements sometimes exceed
the requirements of this International Standard so the security printing management system also
addresses customer requirements that are beyond the scope of this International Standard.
The adoption of a security printing management system is a strategic decision of an organization. The
design and implementation of an organization’s security printing management system is influenced by
varying needs, particular objectives, products provided, processes employed, security environment,
cultural issues, legal limitations, risk assessment and by size and structure of the organization.
To achieve the objectives of this security printing management system standard measures are taken to
mitigate all of the security threats determined by an organizational risk assessment. Such controls focus
upon reducing, eliminating and preventing acts that compromise the security printing management
system of the organization.
It is not the intent of this International Standard to obtain uniformity in the structure of the security
printing management system or uniformity of documented information. The security printing
management system complies with laws and regulations in force. The requirements specified in this
International Standard are supplementary to requirements for products and processes of an organization
and allow for additional specific requirements from the customer.
This International Standard is intended to apply to security printers. It contains requirements that when
implemented by a security printer may be objectively audited for certification/registration purposes.
Process approach
This International Standard promotes the adoption of a process approach when developing, implementing
and improving the effectiveness of a security printing management system.
The application of a system of processes within an organization, together with the identification
and interaction of these processes, and their management, is referred to as a “process approach”. An
advantage of a “process approach” is the ongoing control that it provides over the interaction between
individual processes within the system of processes, as well as over their combination.
Basic principles
When implemented, the security printing management system:
a) achieves the security of products, processes, means of production, premises, information, raw
material supplies;
b) is used to continue to demonstrably meet the requirements and, naturally, the needs of customers;
c) affords management the confidence that the targeted degree of security is actually achieved and
remains effective;
d) affords the customers the confidence that the agreed nature and degree of security is or will be attained.
This International Standard prescribes which elements a security printing management system contains
and not how a specific organization implements these elements.
INTERNATIONAL STANDARD ISO 14298:2013(E)
Graphic technology — Management of security printing
processes
1 Scope
This International Standard specifies requirements for a security printing management system for
security printers.
This International Standard specifies a minimum set of security printing management system
requirements. Organizations ensure that customer security requirements are met as appropriate
provided these do not conflict with the requirements of this International Standard.
2 Normative references
No normative references are cited.
3 Terms and definitions
For the purposes of this document the following terms and definitions apply.
NOTE Italic type in a definition indicates a cross-reference to another term defined in this clause; the number
reference for the term is given in parentheses.
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.8)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.2
interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested
parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives
(3.8), and processes (3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning,
operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
Note 4 to entry: A management system contains documented information to direct and control the organization.
3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization then top
management refers to those who direct and control that part of the organization.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental
goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.12)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational
criterion, as a security objective (3.32) or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of security printing management systems security objectives (3.32) are set by the
organization, consistent with the security policy, to achieve specific results.
3.9
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences
(ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73:2009, 3.6.1.1) of occurrence.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which
it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to the management system (3.4), including related processes
(3.12); information created in order for the organization to operate (documentation); and evidence of results
achieved (records).
3.12
process
set of interrelated or interacting activities which transforms inputs into outputs
3.13
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including
services), systems or organizations (3.1).
3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization’s function
or process (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the
outsourced function or process is within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity
Note 1 to entry: To determine the status there may be a need to check, measure, supervise or critically observe.
3.16
measurement
process (3.12) to determine a value
3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
3.20
correction
action to eliminate a detected nonconformity (3.19)
3.21
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence
3.22
continual improvement
recurring activity to enhance performance (3.13)
3.23
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[ISO Guide 73:2009, 3.4.1]
3.24
security printer
producer of printed documents or products of value or entitlement, ID documents or security foils (3.26)
which are physically protected against forgery, counterfeiting and alteration by security features (3.27)
3.25
security printing
set of processes (3.12) which transform raw materials into documents or products of value or entitlement,
ID documents or security foils (3.26) physically protected by security features (3.27)
3.26
security foil
thin film material that contains an optically variable element or similar security feature (3.27), which is applied
onto documents or products to physically protect them against forgery, counterfeiting and alteration
3.27
security feature
component integrated in the product to protect against forgery, counterfeiting and alteration
3.28
security
protection of products, processes, information, means of production, security features and the supply chain
3.29
threat
action or potential occurrence, whether or not malicious, to breach the security (3.28) of the system
3.30
security breach
infraction or violation of security (3.28)
3.31
documented procedure
established way of working, documented, implemented and maintained
3.32
security objective
result to be achieved with regard to security (3.28)
Note 1 to entry: Security objectives are in general based on the security policy of the organization.
Note 2 to entry: Security objectives are in general specified for relevant functions and levels in the organization.
3.33
security management
coordinated activities to direct and control an organization with regard to security (3.28)
Note 1 to entry: “Direct and control” in general entails the establishment of the policy, objectives, planning,
control, security assurance and improvements with regards to security (3.28). Security assurance represents all
planned and systematic actions needed to give a sufficient degree of confidence that a product or process (3.12)
meets the security requirements.
3.34
security plan
documented information that specifies the procedures and resources to satisfy the security requirements
of the organization
3.35
security control
aspect of security management (3.33) aimed at the fulfilment of the security requirements
3.36
preventive action
action to prevent the cause of a nonconformity (3.19)
3.37
traceability
ability to trace the history, application or location of that which is under consideration
Note 1 to entry: When considering product, traceability can relate to the origin of materials and parts, the
processing history and the distribution and location of the product after delivery.
[ISO 9000:2005, 3.5.4, modified]
3.38
resource
personnel, information, premises, process equipment (software and hardware) and tools
3.39
supply chain
set of interconnected processes (3.12) and resources (3.38) that starts with the sourcing of raw materials
and ends with the delivery of products and services to the customer
Note 1 to entry: Supply chains include producers, suppliers, manufacturers, distributors, wholesalers, vendors,
and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal
and external to an organization.
Note 2 to entry: Supply chain management as related to this International Standard includes the vetting of suppliers
and customers from the point of initial security value, which is the point at which security is added to the product.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its security printing management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
— the interested parties that are relevant to the security printing management system, and
— the requirements of these interested parties.
Certification is only possible if the organization has followed the regulations of the certification
procedure and if it has established a security printing management system in accordance with the
specifications of this procedure. Furthermore, the security printing management system has to comply
with laws and regulations in force.
4.3 Determining the scope of the security printing management system
The organization shall determine the boundaries and applicability of the security printing management
system to establish its scope.
When determining this scope, the organization shall consider:
— the external and internal issues referred to in 4.1, and
— the requirements referred to in 4.2.
The scope shall be available as documented information.
4.4 Security printing management system
The organization shall establish, implement, maintain and continually improve a security printing
management system in accordance with the requirements of this International Standard including the
processes needed as outlined in normative Annex A and their interactions.
It is recognized that customer requirements may exceed the requirements of this International Standard
so the security printing management system also addresses customer requirements that are beyond the
scope of this International Standard.
The organization shall conduct a risk assessment on at least the following:
a) Customer-related risk
EXAMPLE Unauthorized purchase, distribution or illegal use of a product by a customer.
b) Information-related risk
EXAMPLE Unwanted, unintended, prompted or unprompted disclosure of information.
c) Security material, product and waste-related risk
EXAMPLE Theft, damage, sabotage or loss of security materials.
d) Supply chain-related risk
EXAMPLE Any subversion or compromise of the security of the organization’s security products and
related services at any point in the supply chain.
e) Physical intrusion and access-related risk
EXAMPLE Intrusion into sensitive physical areas.
f) Personnel-related risk
EXAMPLE Personnel fraud or unauthorized actions.
g) Disaster-related risk
EXAMPLE Security breakdowns that result from either man-made or natural disasters.
h) Security failure-related risk
EXAMPLE Occurrence of security breaches.
i) Security management-related risk
EXAMPLE Lack of security management competences.
j) Use of machinery-related risk
EXAMPLE Unauthorized use of the means of production.
k) Sales of equipment-related risk
EXAMPLE Sale, distribution of any equipment or component for illegal use.
l) Transportation-related risk
EXAMPLE Theft, modification, damage or destruction of products, security raw materials and security
features during loading, unloading, storage and transportation.
m) Any additional security-related risks unique to the organization
This risk assessment shall be the basis for the establishment of a security plan (see 6.3).
NOTE ISO 31000 contains guidance for risk assessment.
5 Leadership
5.1 Leadership and commitment
Top management shall demonstrate leadership and commitment with respect to the security printing
management system by:
a) ensuring that the security policy and security objectives are established and are compatible with
the strategic direction of the organization;
b) ensuring the integration of the security printing management system requirements into the
organization’s business processes;
c) ensuring that the resources needed for the security printing management system are available;
d) communicating the importance of effective security printing management and of conforming to
the security printing management system requirements, including customer, legal, and regulatory
requirements;
e) ensuring that the security printing management system achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the security printing
management system;
g) promoting continual improvement;
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility;
i) developing and implementing the security printing management system and continually improving
its effectiveness;
j) ensuring that a risk assessment is conducted on a continuous basis to ascertain any needed changes
in the security printing management system;
k) ensuring that security requirements are understood and met;
l) reviewing the operation of the security printing management system;
m) assuring conformance to the requirements of this International Standard.
NOTE Reference to “business” in this International Standard should be interpreted broadly to mean those
activities that are core to the purposes of the organization’s existence.
5.2 Policy
Top management shall establish a sec
...
INTERNATIONAL STANDARD ISO 14298
First edition
2013-04-15
Graphic technology — Management of security printing processes
(French-language edition: Technologie graphique — Management des procédés d'impression de sécurité)
Reference number
ISO 14298:2013(F)
© ISO 2013
COPYRIGHT PROTECTED DOCUMENT
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any
form or by any means, electronic or mechanical, including photocopying and posting on the internet or an intranet,
without prior written permission. Permission can be requested from either ISO at the address below or ISO's
member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents Page
Foreword iv
Introduction v
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Context of the organization 6
4.1 Understanding the organization and its context 6
4.2 Understanding the needs and expectations of interested parties 6
4.3 Determining the scope of the security printing management system 6
4.4 Security printing management system 6
5 Leadership 7
5.1 Leadership and commitment 7
5.2 Policy 8
5.3 Organizational roles, responsibilities and authorities 8
6 Planning 9
6.1 Actions to address risks and opportunities 9
6.2 Security objectives and planning to achieve them 9
6.3 Security printing management system planning 10
7 Support 10
7.1 Resources 10
7.2 Competence 11
7.3 Awareness 11
7.4 Communication 11
7.5 Documented information 12
8 Operation 13
9 Performance evaluation 14
9.1 Monitoring, measurement, analysis and evaluation 14
9.2 Internal audit 14
9.3 Management review 15
10 Improvement 16
10.1 Nonconformity, security breaches and corrective action 16
10.2 Preventive action 16
10.3 Continual improvement 16
Annex A (normative) Determination of security requirements related to the security printing
management system 18
Bibliography 22
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights or similar rights. ISO shall not be held responsible for identifying any or all such rights.
Details of any patent rights or similar rights identified during the development of the document will be
in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement or a recommendation.
The committee responsible for this document is ISO/TC 130, Graphic technology.
Introduction
General
This International Standard specifies requirements for a security printing management system for
security printers.
Current security printing management practices do not provide sufficient assurance that effective
security controls are maintained to protect the interests of the customer and of the general public. Using
this International Standard, the organization establishes, documents, implements and maintains a
security printing management system. This security printing management system is continually
reviewed to improve its effectiveness. It is recognized that customer requirements may exceed the
requirements of this International Standard; consequently, the security printing management system
also addresses customer requirements that are beyond the scope of this International Standard.
The adoption of a security printing management system is a strategic decision of an organization. The
design and implementation of an organization's security printing management system is influenced by
varying needs, particular objectives, products provided, processes employed, security environment,
cultural issues, legal limitations, risk assessment and by the size and structure of the organization.
To achieve the objectives of the security printing management system, standard measures are taken to
mitigate all of the security threats identified by an organizational risk assessment. Such controls focus
on reducing, eliminating and preventing acts that compromise the security printing management
system of the organization.
It is not the intent of this International Standard to obtain uniformity in the structure of the security
printing management system or uniformity of documented information. The security printing
management system complies with laws and regulations in force. The requirements specified in this
International Standard are supplementary to requirements for products and processes of an organization
and allow for additional specific requirements from the customer.
This International Standard is intended to apply to security printers. It contains requirements that, when
implemented by a security printer, may be objectively audited for certification/registration purposes.
Process approach
This International Standard promotes the adoption of a "process approach" when developing, implementing
and improving the effectiveness of a security printing management system.
The "process approach" refers to the application of a system of processes within an organization, together
with the identification, interaction and management of these processes. An advantage of the "process
approach" is the ongoing control that it provides over the interaction and combination of individual
processes within the system of processes.
Basic principles
When implemented, the security printing management system:
a) achieves the security of products, processes, means of production, premises, information and raw
material supplies;
b) is used to continue to demonstrably meet the requirements and, naturally, the needs of customers;
c) affords management the confidence that the targeted degree of security is actually achieved and
remains effective;
d) affords the customers the confidence that the agreed nature and degree of security is or will be attained.
This International Standard prescribes which elements a security printing management system contains
and not how a specific organization implements these elements.
INTERNATIONAL STANDARD ISO 14298:2013(F)
Graphic technology — Management of security printing
processes
1 Scope
This International Standard specifies requirements for a security printing management system for
security printers.
This International Standard specifies a minimum set of security printing management system
requirements. Organizations ensure that customer security requirements are met as appropriate
provided these do not conflict with the requirements of this International Standard.
2 Normative references
No normative references are cited.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Italic type in a definition indicates a cross-reference to another term defined in this clause; the number
reference for the term is given in parentheses.
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.8)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.2
interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: "Generally implied" means that it is custom or common practice for the organization and interested
parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and objectives
(3.8), and processes (3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning,
operation, etc.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
Note 4 to entry: A management system contains documented information to direct and control the organization.
3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental
goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.12)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational
criterion, as a security objective (3.32) or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of security printing management systems, security objectives (3.32) are set by the
organization, consistent with the security policy, to achieve specific results.
3.9
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (ISO Guide 73, 3.5.1.3) and consequences
(ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated likelihood (ISO Guide 73:2009, 3.6.1.1) of occurrence.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format, on any medium, and from any source.
Note 2 to entry: Documented information can refer to the management system (3.4), including related processes (3.12), to information created in order for the organization to operate (documentation), and to evidence of results achieved (records).
3.12
process
set of interrelated or interacting activities which transforms inputs into outputs
3.13
performance
measurable result
Note 1 to entry: Performance can relate to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including services), systems or organizations (3.1).
3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization's functions or processes (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the outsourced functions or processes are within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity
Note 1 to entry: To determine the status, there may be a need to check, measure, supervise or critically observe.
3.16
measurement
process (3.12) to determine a value
3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be internal (first party audit) or external (second or third party audit), and it can also be a combined audit (combining two or more disciplines).
Note 2 to entry: The terms "audit evidence" and "audit criteria" are defined in ISO 19011.
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
3.20
correction
action to eliminate a detected nonconformity (3.19)
3.21
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent its recurrence
3.22
continual improvement
recurring activity to enhance performance (3.13)
3.23
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.24
security printer
producer of printed documents, products of value or entitlement, identification documents or security foils (3.26) that are physically protected against forgery, counterfeiting and alteration by means of security features (3.27)
3.25
security printing
set of processes (3.12) by which raw materials are transformed into documents or products of value or entitlement, identification documents or security foils (3.26) that are physically protected by security features (3.27)
3.26
security foil
thin film of material containing an optically variable or other similar security feature (3.27), applied to documents or products in order to physically protect them against forgery, counterfeiting and alteration
3.27
security feature
component integrated into the product in order to protect it against forgery, counterfeiting and alteration
3.28
security
protection of products, processes, information, means of production, security features and the supply chain
3.29
threat
potential action or occurrence, malicious or not, aimed at compromising the security (3.28) of the system
3.30
security breach
infringement or violation of security
3.31
documented procedure
established, documented, implemented and maintained method of work
3.32
security objective
result to be achieved with regard to security (3.28)
Note 1 to entry: Security objectives are generally based on the organization's security policy.
Note 2 to entry: Security objectives are generally specified for relevant functions and levels within the organization.
3.33
security management
coordinated activities to direct and control an organization with regard to security (3.28)
Note 1 to entry: "Direct and control" generally involves establishing the security policy, security objectives, security planning, security control, security assurance and security improvement (3.28). Security assurance is the set of planned and systematic actions necessary to provide adequate confidence that a product or process (3.12) conforms to the required security requirements.
3.34
security plan
documented information specifying the procedures and resources for meeting the organization's security requirements
3.35
security control
part of security management (3.33) aimed at fulfilling the required security requirements
3.36
preventive action
action to eliminate the cause of a nonconformity (3.19)
3.37
traceability
ability to trace the history, application or location of that which is under consideration
Note 1 to entry: When considering a product, traceability can relate to the origin of materials and parts, the processing history, and the distribution and location of the product after delivery.
(ISO 9000:2005, 3.5.4, modified)
3.38
resource
personnel, information, premises, operational equipment (software and hardware) and tools
3.39
supply chain
set of interconnected processes (3.12) and resources (3.38) that begins with the identification of the origin of the source of raw materials and ends with the delivery of products and services to the customer
Note 1 to entry: Supply chains include producers, suppliers, manufacturers, distributors, wholesalers, vendors and logistics service providers. They include facilities, plants, offices, warehouses and branches, and can be both internal and external to an organization.
Note 2 to entry: For the purposes of this International Standard, supply chain management includes the control of suppliers and customers from the point at which the product acquires a certain value and is therefore assigned a certain level of security.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its security printing management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
— the interested parties that are relevant to the security printing management system, and
— the requirements of these interested parties.
Certification is only possible if the organization has followed the regulations of the certification procedure and has established a security printing management system that conforms to the specifications of that procedure. In addition, the security printing management system shall comply with applicable laws and regulations.
4.3 Determining the scope of the security printing management system
The organization shall determine the boundaries and applicability of the security printing management system in order to establish its scope.
When determining this scope, the organization shall consider:
— the internal and external issues referred to in 4.1, and
— the requirements referred to in 4.2.
The scope shall be available as documented information.
4.4 Security printing management system
The organization shall establish, implement, maintain and continually improve a security printing management system in accordance with the requirements of this International Standard, including the processes needed as set out in Annex A (normative) and their interactions.
It is recognized that customer requirements can exceed those of this International Standard; consequently, the security printing management system also addresses customer requirements that go beyond the scope of this International Standard.
The organization shall conduct a risk assessment covering, at a minimum, the following aspects:
a) Customer-related risks.
EXAMPLE Unauthorized purchase, distribution or illegal use of a product by a customer.
b) Information-related risks.
EXAMPLE Unintentional or accidental disclosure of information, whether induced or not.
c) Risks related to documentation and products
...