Security management systems for the supply chain - Requirements for bodies providing audit and certification of supply chain security management systems

ISO/PAS 28003:2006 contains principles and requirements for bodies providing the audit and certification of supply chain security management systems according to management system specifications and standards such as ISO/PAS 28000. It defines the minimum requirements of a certification body and its associated auditors, recognizing the unique need for confidentiality when auditing and certifying/registering a client organization.

Requirements for supply chain security management systems can originate from a number of sources, and ISO/PAS 28003:2006 has been developed to assist in the certification of supply chain security management systems that fulfil the requirements of ISO/PAS 28000, Specification for security management systems for the supply chain. The contents of ISO/PAS 28003:2006 may also be used to support certification of supply chain security management systems that are based on other sets of specified supply chain security management system requirements.

ISO/PAS 28003:2006
• provides harmonized guidance for the accreditation of certification bodies applying for ISO/PAS 28000 (or other sets of specified supply chain security management system requirements) certification/registration;
• defines the rules applicable for the audit and certification of a supply chain security management system complying with the ISO/PAS 28000 requirements (or other sets of specified supply chain security management system requirements);
• provides customers with the necessary information and confidence about the way certification of their suppliers has been granted.

French title: Security management systems for the supply chain — Requirements for bodies providing audit and certification of supply chain security management systems

General Information

Status: Withdrawn
Publication Date: 04-Oct-2006
Withdrawal Date: 04-Oct-2006
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 02-Aug-2007
Buy Standard

Technical specification
ISO/PAS 28003:2006 - Security management systems for the supply chain - Requirements for bodies providing audit and certification of supply chain security management systems
English language
45 pages

Standards Content (Sample)

ISO/PAS 28003
PUBLICLY AVAILABLE SPECIFICATION
First edition
2006-10-01

Security management systems for the supply chain — Requirements for bodies providing audit and certification of supply chain security management systems

Reference number
ISO/PAS 28003:2006(E)
© ISO 2006

---------------------- Page: 1 ----------------------
ISO/PAS 28003:2006(E)

©  ISO 2006
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2006 – All rights reserved

Contents
Foreword . v
Introduction . vi
1 Scope .1
2 Normative references .1
3 Terms and definitions .2
4 Principles for certification bodies .2
4.1 General .2
4.2 Impartiality .3
4.3 Competence .3
4.4 Responsibility .3
4.5 Openness .4
4.6 Confidentiality .4
4.7 Resolution of complaints .4
5 General requirements .4
5.1 Legal and contractual matters .4
5.2 Management of impartiality .4
5.3 Liability and financing .6
6 Structural requirements .6
6.1 Organizational structure and top management .6
6.2 Committee for safeguarding impartiality .7
7 Resource requirements .7
7.1 Competence of management and personnel .7
7.2 Personnel involved in the certification activities .7
7.3 Use of external auditors and external technical experts .9
7.4 Personnel records .10
7.5 Outsourcing .11
7.6 Auditor Training .12
7.7 Examinations .12
8 Information requirements .13
8.1 Publicly accessible information .13
8.2 Certification documents .13
8.3 Directory of certified clients .14
8.4 Reference to certification and use of marks .14
8.5 Confidentiality .14
8.6 Information exchange between a certification body and its clients .15
9 Process requirements .16
9.1 General requirements applicable to any audit .16
9.2 Initial audit and certification .17
9.3 Surveillance activities .22
9.4 Recertification .24
9.5 Special audits .26
9.6 Suspending, withdrawing or reducing scope of certification .26
9.7 Appeals .27
9.8 Complaints .27
9.9 Records on applicants and clients .28
10 Management system requirements for certification bodies .29
10.1 Option 1 — Management system requirements in accordance with ISO 9001 .29
10.2 Option 2 — General management system requirements .29
Annex A (informative) Guide for process to determine auditor time . 33
Annex B (normative) Criteria for auditing organizations with multiple sites . 35
Annex C (informative) Auditor Training . 40
Annex D (informative) Auditor training requirements . 42
Bibliography . 45

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. In the field
of conformity assessment, the ISO Committee on conformity assessment (CASCO) is responsible for the
development of International Standards and Guides.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of normative document:
— an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in
an ISO working group and is accepted for publication if it is approved by more than 50 % of the members
of the parent committee casting a vote;
— an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical
committee and is accepted for publication if it is approved by 2/3 of the members of the committee
casting a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a
further three years, revised to become an ISO/PAS, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is
reviewed again after a further three years, at which time it must either be transformed into an ISO/PAS or be
withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/PAS 28003 was prepared jointly by the ISO Committee on conformity assessment (ISO/CASCO) and
ISO/TC 8, Ships and marine technology.
ISO/PAS 28003 encompasses the requirements from ISO/IEC 17021, Conformity assessment —
Requirements for bodies providing audit and certification of management systems. When assessing supply
chain security management systems, a number of requirements need to be met which go beyond what is
required for the assessment and certification of management systems covering other operational aspects of
organizations. To formulate these additional requirements, ISO/IEC 17021 has been amended or modified
where needed.

Introduction
This Publicly Available Specification is intended for use by bodies that carry out audit and certification of
supply chain security management systems. Certification of supply chain security management systems is a
third party conformity assessment activity (see clause 5.5 of ISO/IEC 17000:2004). Bodies performing this
activity are therefore third party conformity assessment bodies, named 'certification body/bodies' in this
Publicly Available Specification. This wording should not be an obstacle to the use of this Publicly Available
Specification by bodies with other designations that undertake activities covered by the scope of this Publicly
Available Specification. Indeed, this Publicly Available Specification will be usable by any body involved in the
assessment of supply chain security management systems.

Certification of supply chain security management systems of an organization is one means of providing
assurance that the organization has implemented a system for supply chain security management in line with
its policy.

Certification of supply chain security management systems will be delivered by certification bodies accredited
by a recognized body, such as IAF members.

This Publicly Available Specification specifies requirements for certification bodies. Observance of these
requirements is intended to ensure that certification bodies operate supply chain security management
systems certification in a competent, consistent and reliable manner, thereby facilitating the recognition of
such bodies and the acceptance of their certifications on a national and international basis. This Publicly
Available Specification will serve as a foundation for facilitating the recognition of supply chain security
management systems certification in the interests of international trade.
Certification of a supply chain security management system provides independent verification that the supply
chain security management system of the organization
a) conforms to specified requirements;
b) is capable of consistently achieving its stated policy and objectives;
c) is effectively implemented.
Certification of a supply chain security management system thereby provides value to the organization, its
customers and interested parties.
This Publicly Available Specification aims to be the basis for recognition of the competence of certification
bodies in their provision of supply chain security management system certification; such recognition may be
in the form of notification, peer assessment, or direct recognition by regulatory authorities or industry
consortia.

Certification activities involve the audit of an organization's supply chain security management system. The
form of attestation of conformity of an organization's supply chain security management system to a specific
standard (for example ISO/PAS 28000) or other specified requirements is normally a certification document or
a certificate.

It is for the organization being certified to develop its own management systems (including an ISO/PAS 28000
supply chain security management system, systems based on other sets of specified supply chain security
management system requirements, quality management systems, environmental management systems or
occupational health and safety management systems) and, other than where relevant legislative requirements
specify to the contrary, it is for the organization to decide how the various components of these are to be
arranged. The degree of integration between the various management system components will vary from
organization to organization. It is therefore appropriate for certification bodies that operate in accordance with
this Publicly Available Specification to take into account the culture and practices of their clients in respect of
the integration of their supply chain security management system within the wider organization.


Security management systems for the supply chain —
Requirements for bodies providing audit and certification
of supply chain security management systems
1 Scope
This Publicly Available Specification contains principles and requirements for bodies providing the audit and
certification of supply chain security management systems according to management system specifications
and standards such as ISO/PAS 28000.
It defines the minimum requirements of a certification body and its associated auditors, recognizing the unique
need for confidentiality when auditing and certifying/registering a client organization.

Requirements for supply chain security management systems can originate from a number of sources, and
this Publicly Available Specification has been developed to assist in the certification of supply chain security
management systems that fulfil the requirements of ISO/PAS 28000, Specification for security management
systems for the supply chain. The contents of this Publicly Available Specification may also be used to support
certification of supply chain security management systems that are based on other sets of specified supply
chain security management system requirements.

This Publicly Available Specification

• provides harmonized guidance for the accreditation of certification bodies applying for ISO/PAS 28000 (or
other sets of specified supply chain security management system requirements) certification/registration;
• defines the rules applicable for the audit and certification of a supply chain security management system
complying with the ISO/PAS 28000 requirements (or other sets of specified supply chain security
management system requirements);
• provides customers with the necessary information and confidence about the way certification of their
suppliers has been granted.

NOTE 1 Certification of a supply chain security management system is sometimes also called registration, and certification
bodies are sometimes called registrars.
NOTE 2 A certification body can be nongovernmental or governmental (with or without regulatory authority).
NOTE 3 This Publicly Available Specification can be used as a criteria document for accreditation or peer assessment or
other audit processes.


2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 17000:2004, Conformity assessment — Vocabulary and general principles
ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
ISO/PAS 28000:2005, Specification for security management systems for the supply chain
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17000 and the following apply.
3.1
certified client
organization whose supply chain security management system has been certified/registered by a qualified
third party
3.2
impartiality
actual and perceived presence of objectivity
NOTE 1 Objectivity means that conflicts of interest do not exist or are resolved so as not to adversely influence
subsequent activities of the certification body.
NOTE 2 Other terms that are useful in conveying the element of impartiality are objectivity, independence, freedom from
conflict of interests, freedom from bias, lack of prejudice, neutrality, fairness, open-mindedness, even-handedness,
detachment and balance.
3.3
management system consultancy and/or associated risk assessments
participation in designing, implementing or maintaining a supply chain security management system and in
conducting risk assessments
EXAMPLES
a) preparing or producing manuals or procedures;
b) giving specific advice, instructions or solutions towards the development and implementation of a supply chain
security management system;
c) conducting internal audits;
d) conducting risk assessment and analysis.
NOTE Arranging training and participating as a trainer is not considered consultancy, provided that where the course
relates to supply chain security management systems or auditing, the course is confined to the provision of generic
information that is freely available in the public domain, i.e. the trainer does not provide company-specific solutions.


4 Principles for certification bodies
4.1 General
4.1.1 The principles are the basis for the subsequent specific performance and descriptive requirements in this
Publicly Available Specification. This Publicly Available Specification does not give specific requirements for all
situations that can occur. These principles should be applied as guidance for the decisions that may need to be
made for unanticipated situations. Principles are not requirements.
4.1.2 The overall aim of certification is to give confidence to all parties that a supply chain security management
system, process or product (including services) fulfils specified requirements. The value of certification is the degree
of public confidence and trust that is established in a management system, process or product (including services)
after it has been impartially and competently assessed by a third-party. Parties that have an interest in certification
include, but are not limited to:
a) the clients of the certification bodies;
b) the customers of the organizations whose management systems are certified;
c) governmental authorities;
d) nongovernmental organizations;
e) consumers and other members of the public.
4.1.3 Principles for inspiring confidence include:
a) impartiality;
b) competence;
c) responsibility;
d) openness;
e) confidentiality;
f) responsiveness to complaints.
4.2 Impartiality
4.2.1 Being impartial, and being perceived to be impartial, is necessary for a certification body to deliver certification
that provides confidence.
4.2.2 It is recognized that the source of revenue for a certification body is its client paying for certification, and that
this is a potential threat to impartiality.
4.2.3 To obtain and maintain confidence, a certification body has to be able to demonstrate that its decisions are
based on objective evidence of conformity (or nonconformity) obtained by the certification body, and that its
decisions are not influenced by other interests or by other parties.
4.2.4 Threats to impartiality include:
a) Self-interest threats — threats that arise from a person or body acting in their own interest. A concern related to
certification, as a threat to impartiality, is financial self-interest.
b) Self-review threats — threats that arise from a person or body reviewing the work done by themselves.
Auditing the supply chain security management systems of a client to whom the certification body provided
supply chain security management systems consultancy would be a self-review threat and therefore is not
acceptable.
c) Familiarity (or trust) threats — threats that arise from a person or body being too familiar with, or too trusting
of, another person, and relying on that trust instead of seeking audit evidence.
d) Intimidation threats — threats that arise from a person or body having a perception of being coerced openly or
secretively, such as a threat to be replaced or reported to a supervisor.
4.3 Competence
Competence of the personnel supported by the organizational infrastructure is necessary for the certification body to
deliver certification that provides confidence. Competence is the demonstrated ability to apply appropriate
knowledge and skills effectively.
4.4 Responsibility
4.4.1 The client organization, not the certification body, has the responsibility for conformity with the requirements
for certification.
4.4.2 The certification body has the responsibility to assess sufficient objective evidence upon which to base a
recommendation for certification. Based on audit recommendations it makes a decision to grant certification if there
is sufficient evidence of conformity, or not to grant certification if there is not sufficient evidence of conformity.
NOTE Audit evidence shall be verifiable. It is based on samples of the information available, since an audit is conducted during a
finite period of time and with finite resources. The appropriate use of sampling is closely related to the confidence that can be
placed in the audit conclusions.
4.5 Openness
4.5.1 A certification body needs to provide public access to, or disclosure of, appropriate and timely information
about the audit process and certification process, and about the certification status (i.e. the granting, suspending,
reducing the scope of, or withdrawing of certification) of any organization, in order to gain confidence in the integrity
and credibility of certification. Openness is access to or disclosure of information.
4.5.2 To gain or maintain confidence in certification, a certification body needs to provide appropriate access to, or
disclosure of, non-confidential information about the conclusions of specific audits (e.g. audits in response to
complaints) to specific interested parties.
4.6 Confidentiality
To gain the privileged access to information that is needed for the certification body to assess conformity to
requirements for certification adequately, a certification body needs to keep confidential any sensitive, proprietary,
and/or vulnerability-related information about an organization's supply chain security management system.
4.7 Resolution of complaints
Parties that rely on certification expect to have complaints investigated and, if these are found to be valid, should
have confidence that the complaints will be appropriately addressed and a reasonable effort will be made to resolve
the complaints.
NOTE An appropriate balance between the principles of openness and confidentiality, including resolution of complaints, is
necessary in order to demonstrate integrity and credibility to all users of certification.


5 General requirements
5.1 Legal and contractual matters
5.1.1 Legal responsibility
The certification body shall be a legal entity, or a defined part of a legal entity, such that it can be held legally
responsible for all its certification activities. A governmental certification body is deemed to be a legal entity on the
basis of its governmental status.
5.1.2 Certification agreement
The certification body shall have a legally enforceable agreement for the provision of certification activities to its
client organizations. In addition, where there are multiple offices of certification bodies or multiple sites of a certified
client, the certification body shall ensure there is a legally enforceable agreement between the certification body
granting certification and issuing
...
