Graphic technology - Management of security printing processes

This document specifies requirements for a security printing management system for security printers. This document specifies a minimum set of security printing management system requirements. Organizations ensure that customer security requirements are met as appropriate, provided these do not conflict with the requirements of this document.

Technologie graphique — Management des procédés d'impression de sécurité

Grafična tehnologija - Upravljanje procesov v varnostnem tisku

This document specifies requirements for security printing management systems for security printers.
This document specifies a minimum set of requirements for security printing management systems. Organizations ensure that customer security requirements are met as appropriate, provided these do not conflict with the requirements of this document.

General Information

Status: Published
Publication Date: 01-Aug-2021
Current Stage: 6060 - International Standard published
Start Date: 02-Aug-2021
Due Date: 28-Nov-2022
Completion Date: 02-Aug-2021

Overview

ISO 14298:2021 - Graphic technology - Management of security printing processes - specifies requirements for a security printing management system applicable to security printers. The standard defines a minimum set of requirements that organisations can establish, document, implement and maintain to ensure consistent protection of security products, processes and assets. It promotes a process approach, requires regular review and continual improvement, and is written so its requirements can be objectively audited for certification/registration purposes.

Key topics and technical requirements

ISO 14298:2021 is structured around classic management-system clauses and focuses on practical security controls. Key topics include:

  • Context of the organization: understanding internal/external issues and interested parties that affect security printing.
  • Leadership and policy: top management commitment, a documented security policy, and defined roles and responsibilities.
  • Planning: risk assessment, actions to address risks and opportunities, and the setting of security objectives.
  • Support: resource allocation, competence, awareness, communication and documented information control.
  • Operation: implementation and control of security printing processes to meet customer and regulatory requirements.
  • Performance evaluation: monitoring, measurement, internal audit and management review.
  • Improvement: handling nonconformities, security breaches, corrective/preventive actions and continual improvement.
  • Annex A (normative): guidance on determination of security requirements related to the security printing management system.

The standard emphasizes protecting products, production means, premises, information and raw material supplies, and ensuring customer security requirements are met provided they do not conflict with the document.

Practical applications and users

ISO 14298:2021 is intended for organisations involved in secure printing and graphic technology, such as:

  • Security printers producing banknotes, security documents, certificates, stamps, ID cards and other anti-fraud printed items
  • Print service providers with dedicated secure print operations
  • Organisations seeking third‑party certification of their security printing controls

Practical benefits include strengthened risk management, demonstrable controls against counterfeiting or diversion, improved customer confidence and a framework for audits and certification.

Related standards

  • ISO 14298 series (other parts) - see ISO catalogue for the series listing
  • General management-system standards (commonly implemented alongside ISO 14298), such as ISO 9001 for quality management
  • ISO/IEC Directives referenced for standard development and terminology

Keywords: ISO 14298:2021, security printing management system, security printing processes, security printers, security controls, risk assessment, graphic technology, secure printing.

Standard
ISO 14298:2022
English language
26 pages
Standard
ISO 14298:2021 - Graphic technology — Management of security printing processes (Released: 8/2/2021)
English language
21 pages

Frequently Asked Questions

ISO 14298:2021 is a standard published by the International Organization for Standardization (ISO). Its full title is "Graphic technology - Management of security printing processes". This standard covers: This document specifies requirements for a security printing management system for security printers. This document specifies a minimum set of security printing management system requirements. Organizations ensure that customer security requirements are met as appropriate, provided these do not conflict with the requirements of this document.

ISO 14298:2021 is classified under the following ICS (International Classification for Standards) categories: 37.100.01 - Graphic technology in general. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 14298:2021 has the following relationships with other standards: it is linked to ISO 14298:2021/Amd 1:2024 and ISO 14298:2013. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

Standards Content (Sample)


SLOVENIAN STANDARD
01-May-2022
Supersedes:
SIST ISO 14298:2020
Grafična tehnologija - Upravljanje procesov v varnostnem tisku
Graphic technology - Management of security printing processes
Technologie graphique - Management des procédés d'impression de sécurité
This Slovenian standard is identical to: ISO 14298:2021
ICS:
37.100.01 Graphic technology in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

INTERNATIONAL STANDARD ISO 14298
Second edition
2021-08
Graphic technology — Management of security printing processes
Technologie graphique — Management des procédés d'impression de sécurité
Reference number
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the security printing management system
4.4 Security printing management system
5 Leadership
5.1 Leadership and commitment
5.2 Policy
5.3 Organization roles, responsibilities and authorities
6 Planning
6.1 Actions to address risk and opportunities
6.2 Security objectives and planning to achieve them
6.3 Security printing management system planning
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating
7.5.3 Control of documented information
8 Operation
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.3 Management review
10 Improvement
10.1 Nonconformity, security breaches and corrective actions
10.2 Preventive actions
10.3 Continual improvement
Annex A (normative) Determination of security requirements related to the security printing management system
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 130, Graphic technology.
This second edition cancels and replaces the first edition (ISO 14298:2013), which has been technically
revised.
The main changes compared to the previous edition are as follows:
— definitions have been updated according to the latest version of ISO/IEC Directives, Part 1,
Consolidated ISO Supplement;
— editorial changes have been applied;
— the lay-out has been updated.
A list of all parts in the ISO 14298 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
0.1 General
This document specifies requirements for a security printing management system for security printers.
Current security printing management practices lack sufficient guarantees that effective security
controls are maintained to protect the interest of the customer as well as the general public. Using this
document, the organization establishes, documents, implements and maintains a security printing
management system. This security printing management system is regularly reviewed to continually
improve its effectiveness. It is recognized that customer requirements sometimes exceed the
requirements of this document, so the security printing management system also addresses customer
requirements that are beyond the scope of this document.
The adoption of a security printing management system is a strategic decision of an organization. The
design and implementation of an organization’s security printing management system is influenced by
varying needs, particular objectives, products provided, processes employed, security environment,
cultural issues, legal limitations, risk assessment and by size and structure of the organization.
To achieve the objectives of this security printing management system standard, measures are taken to
mitigate all of the security threats determined by an organizational risk assessment. Such controls focus
upon reducing, eliminating and preventing acts that compromise the security printing management
system of the organization.
It is not the intent of this document to obtain uniformity in the structure of the security printing
management system or uniformity of documented information. The security printing management
system complies with laws and regulations in force. The requirements specified in this document are
supplementary to requirements for products and processes of an organization and allow for additional
specific requirements from the customer.
This document is intended to apply to security printers. It contains requirements that when
implemented by a security printer may be objectively audited for certification/registration purposes.
0.2 Process approach
This document promotes the adoption of a process approach when developing, implementing and
improving the effectiveness of a security printing management system.
The application of a system of processes within an organization, together with the identification
and interaction of these processes, and their management, is referred to as a “process approach”. An
advantage of a “process approach” is the ongoing control that it provides over the interaction between
individual processes within the system of processes, as well as over their combination.
0.3 Basic principles
When implemented, the security printing management system:
a) achieves the security of products, processes, means of production, premises, information, raw
material supplies;
b) is used to continue to meet demonstrably the requirements, and naturally, the needs of customers;
c) affords management the confidence that the targeted degree of security is actually achieved and
remains effective;
d) affords the customers the confidence that the agreed nature and degree of security is or will be
attained.
This document prescribes which elements a security printing management system contains and not
how a specific organization implements these elements.
INTERNATIONAL STANDARD ISO 14298:2021(E)
Graphic technology — Management of security printing
processes
1 Scope
This document specifies requirements for a security printing management system for security printers.
This document specifies a minimum set of security printing management system requirements.
Organizations ensure that customer security requirements are met as appropriate, provided these do
not conflict with the requirements of this document.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.8)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.2
interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and
objectives (3.8), and processes (3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization then top
management refers to those who direct and control that part of the organization.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and
process (3.12)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as a security objective (3.32) or by the use of other words with similar meaning (e.g. aim,
goal, or target).
Note 4 to entry: In the context of security printing management systems security objectives (3.32) are set by the
organization, consistent with the security policy, to achieve specific results.
3.9
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (see ISO Guide 73:2009, 3.5.1.3) and
“consequences” (see ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (see ISO Guide 73:2009, 3.6.1.1) of occurrence.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to the management system (3.4), including related processes
(3.12); information created in order for the organization to operate (documentation); and evidence of results
achieved (records).
3.12
process
set of interrelated or interacting activities which transforms inputs into outputs
3.13
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including
services), systems or organizations (3.1).
3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization’s function
or process (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the
outsourced function or process is within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity
Note 1 to entry: To determine the status there may be a need to check, measure, supervise or critically observe.
3.16
measurement
process (3.12) to determine a value
3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
or it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” (see ISO 19011).
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
3.20
correction
action to eliminate a detected nonconformity (3.19)
3.21
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence
3.22
continual improvement
recurring activity to enhance performance (3.13)
3.23
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.24
security printer
producer of printed documents or products of value or entitlement, ID documents or security foils (3.26)
which are physically protected against forgery, counterfeiting and alteration by security features (3.27)
3.25
security printing
set of processes (3.12) which transform raw materials into documents or products of value or
entitlement, ID documents or security foils (3.26) physically protected by security features (3.27)
3.26
security foil
thin film material that contains an optical variable element or similar security feature (3.27), which
is applied onto documents or products to physically protect them against forgery, counterfeiting and
alteration
3.27
security feature
component integrated in the product to protect against forgery, counterfeiting and alteration
3.28
security
protection of products, processes, information, means of production, security features and the supply
chain
3.29
threat
action or potential occurrence, whether or not malicious, to breach the security (3.28) of the system
3.30
security breach
infraction or violation of security
3.31
documented procedure
established way of working, documented, implemented and maintained
3.32
security objective
result to be achieved with regard to security (3.28)
Note 1 to entry: Security objectives are in general based on the security policy of the organization.
Note 2 to entry: Security objectives are in general specified for relevant functions and levels in the organization.
3.33
security management
coordinated activities to direct and control an organization with regard to security (3.28)
Note 1 to entry: “Direct and control” in general entails the establishment of the policy, objectives, planning,
control, security assurance and improvements with regards to security (3.28). Security assurance represents all
planned and systematic actions needed to give a sufficient degree of confidence that a product or process (3.12)
meets the security requirements.
3.34
security plan
documented information that specifies the procedures and resources to satisfy the security
requirements of the organization
3.35
security control
aspect of security management (3.33) aimed at the fulfilment of the security requirements
3.36
preventive action
action to prevent the cause of a nonconformity (3.19)
3.37
traceability
ability to trace the history, application or location of an object
Note 1 to entry: When considering a product or a service, traceability can relate to the origin of materials and
parts, the processing history and the distribution and location of the product or service after delivery.
[SOURCE: ISO 9000:2015, 3.6.13, modified — Note 2 to entry has been omitted.]
3.38
resource
personnel, information, premises, process equipment (software and hardware) and tools
3.39
supply chain
set of interconnected processes (3.12) and resources (3.38) that starts with the sourcing of raw materials
and ends with the delivery of products and services to the customer
Note 1 to entry: Supply chains include producers, suppliers, manufacturers, distributors, wholesalers, vendors,
and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal
and external to an organization.
Note 2 to entry: Supply chain management as related to this document includes the vetting of suppliers and
customers from the point of initial security value, which is the point at which security is added to the product.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its security printing management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
— the interested parties that are relevant to the security printing management system;
— the relevant requirements of these interested parties.
Certification is only possible if the organization has followed the regulations of the certification
procedure and if it has established a security printing management system in accordance with the
specifications of this procedure.
4.3 Determining the scope of the security printing management system
The organization shall determine the boundaries and applicability of the security printing management
system to establish its scope.
When determining this scope, the organization shall consider:
— the external and internal issues referred to in 4.1;
— the requirements referred to in 4.2.
The scope shall be available as documented information.
4.4 Security printing management system
The organization shall establish, implement, maintain and continually improve a security printing
management system including the processes needed and their interactions in accordance with the
requirements of this document and including the processes needed as outlined in Annex A and their
interactions.
It is recognized that customer requirements may exceed the requirements of this document, so the
security printing management system also addresses customer requirements that are beyond the
scope of this document.
The organization shall conduct a risk assessment on at least the following:
a) Customer-related risk
EXAMPLE 1 Unauthorized purchase, distribution or illegal use of a product by a customer.
b) Information-related risk
EXAMPLE 2 Unwanted, unintended, prompted or unprompted disclosure of information.
c) Security material, product and waste-related risk
EXAMPLE 3 Theft, damage, sabotage or loss of security materials.
d) Supply chain-related risk
EXAMPLE 4 Any subversion or compromise of the security
...


INTERNATIONAL ISO
STANDARD 14298
Second edition
2021-08
Graphic technology — Management of
security printing processes
Technologie graphique — Management des procédés d'impression de
sécurité
Reference number
©
ISO 2021
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 5
4.1 Understanding the organization and its context . 5
4.2 Understanding the needs and expectations of interested parties . 5
4.3 Determining the scope of the security printing management system . 6
4.4 Security printing management system . 6
5 Leadership . 7
5.1 Leadership and commitment . 7
5.2 Policy . 8
5.3 Organization roles, responsibilities and authorities . 8
6 Planning . 8
6.1 Actions to address risk and opportunities . 8
6.2 Security objectives and planning to achieve them . 9
6.3 Security printing management system planning . 9
7 Support .10
7.1 Resources .10
7.2 Competence .10
7.3 Awareness .10
7.4 Communication .11
7.5 Documented information .11
7.5.1 General.11
7.5.2 Creating and updating .12
7.5.3 Control of documented information .12
8 Operation .13
9 Performance evaluation .13
9.1 Monitoring, measurement, analysis and evaluation .13
9.2 Internal audit .14
9.3 Management review .14
10 Improvement .15
10.1 Nonconformity, security breaches and corrective actions .15
10.2 Preventive actions .15
10.3 Continual improvement .16
Annex A (normative) Determination of security requirements related to the security
printing management system .17
Bibliography .21
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/
iso/ foreword .html.
This document was prepared by Technical Committee ISO/TC130, Graphic technology.
This second edition cancels and replaces the first edition (ISO 14298:2013), which has been technically
revised.
The main changes compared to the previous edition are as follows:
— definitions have been updated according to the latest version of ISO/IEC Directives, Part 1,
Consolidated ISO Supplement;
— editorial changes have been applied;
— the lay-out has been updated.
A list of all parts in the ISO 14298 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
0.1 General
This document specifies requirements for a security printing management system for security printers.
Current security printing management practices lack sufficient guarantees that effective security
controls are maintained to protect the interest of the customer as well as the general public. Using this
document, the organization establishes, documents, implements and maintains a security printing
management system. This security printing management system is regularly reviewed to continually
improve its effectiveness. It is recognized that customer requirements sometimes exceed the
requirements of this document, so the security printing management system also addresses customer
requirements that are beyond the scope of this document.
The adoption of a security printing management system is a strategic decision of an organization. The
design and implementation of an organization’s security printing management system is influenced by
varying needs, particular objectives, products provided, processes employed, security environment,
cultural issues, legal limitations, risk assessment and by size and structure of the organization.
To achieve the objectives of this security printing management system standard, measures are taken to
mitigate all of the security threats determined by an organizational risk assessment. Such controls focus
upon reducing, eliminating and preventing acts that compromise the security printing management
system of the organization.
It is not the intent of this document to obtain uniformity in the structure of the security printing
management system or uniformity of documented information. The security printing management
system complies with laws and regulations in force. The requirements specified in this document are
supplementary to requirements for products and processes of an organization and allow for additional
specific requirements from the customer.
This document is intended to apply to security printers. It contains requirements that when
implemented by a security printer may be objectively audited for certification/registration purposes.
0.2 Process approach
This document promotes the adoption of a process approach when developing, implementing and
improving the effectiveness of a security printing management system.
The application of a system of processes within an organization, together with the identification
and interaction of these processes, and their management, is referred to as a “process approach”. An
advantage of a “process approach” is the ongoing control that it provides over the interaction between
individual processes within the system of processes, as well as over their combination.
0.3 Basic principles
When implemented, the security printing management system:
a) achieves the security of products, processes, means of production, premises, information, raw
material supplies;
b) is used to continue to meet demonstrably the requirements, and naturally, the needs of customers;
c) affords management the confidence that the targeted degree of security is actually achieved and
remains effective;
d) affords the customers the confidence that the agreed nature and degree of security is or will be
attained.
This document prescribes which elements a security printing management system contains and not
how a specific organization implements these elements.
INTERNATIONAL STANDARD ISO 14298:2021(E)
Graphic technology — Management of security printing
processes
1 Scope
This document specifies requirements for a security printing management system for security printers.
This document specifies a minimum set of security printing management system requirements.
Organizations ensure that customer security requirements are met as appropriate, provided these do
not conflict with the requirements of this document.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.8)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
3.2
interested party
stakeholder
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.3
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.7) and
objectives (3.8), and processes (3.12) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
3.5
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization then top
management refers to those who direct and control that part of the organization.
3.6
effectiveness
extent to which planned activities are realized and planned results achieved
3.7
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.5)
3.8
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and
process (3.12)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as a security objective (3.32) or by the use of other words with similar meaning (e.g. aim,
goal, or target).
Note 4 to entry: In the context of security printing management systems security objectives (3.32) are set by the
organization, consistent with the security policy, to achieve specific results.
3.9
risk
effect of uncertainty
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (see ISO Guide 73:2009, 3.5.1.3) and
“consequences” (see ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including
changes in circumstances) and the associated “likelihood” (see ISO Guide 73:2009, 3.6.1.1) of occurrence.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to the management system (3.4), including related processes
(3.12); information created in order for the organization to operate (documentation); and evidence of results
achieved (records).
3.12
process
set of interrelated or interacting activities which transforms inputs into outputs
3.13
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (3.12), products (including
services), systems or organizations (3.1).
3.14
outsource (verb)
make an arrangement where an external organization (3.1) performs part of an organization’s function
or process (3.12)
Note 1 to entry: An external organization is outside the scope of the management system (3.4), although the
outsourced function or process is within the scope.
3.15
monitoring
determining the status of a system, a process (3.12) or an activity
Note 1 to entry: To determine the status there may be a need to check, measure, supervise or critically observe.
3.16
measurement
process (3.12) to determine a value
3.17
audit
systematic, independent and documented process (3.12) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
or it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” (see ISO 19011).
3.18
conformity
fulfilment of a requirement (3.3)
3.19
nonconformity
non-fulfilment of a requirement (3.3)
3.20
correction
action to eliminate a detected nonconformity (3.19)
3.21
corrective action
action to eliminate the cause of a nonconformity (3.19) and to prevent recurrence
3.22
continual improvement
recurring activity to enhance performance (3.13)
3.23
risk assessment
overall process of risk identification, risk analysis and risk evaluation
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.24
security printer
producer of printed documents or products of value or entitlement, ID documents or security foils (3.26)
which are physically protected against forgery, counterfeiting and alteration by security features (3.27)
3.25
security printing
set of processes (3.12) which transform raw materials into documents or products of value or
entitlement, ID documents or security foils (3.26) physically protected by security features (3.27)
3.26
security foil
thin film material that contains an optical variable element or similar security feature (3.27), which
is applied onto documents or products to physically protect them against forgery, counterfeiting and
alteration
3.27
security feature
component integrated in the product to protect against forgery, counterfeiting and alteration
3.28
security
protection of products, processes, information, means of production, security features and the supply
chain
3.29
threat
action or potential occurrence, whether or not malicious, to breach the security (3.28) of the system
3.30
security breach
infraction or violation of security
3.31
documented procedure
established way of working, documented, implemented and maintained
3.32
security objective
result to be achieved with regard to security (3.28)
Note 1 to entry: Security objectives are in general based on the security policy of the organization.
Note 2 to entry: Security objectives are in general specified for relevant functions and levels in the organization.
3.33
security management
coordinated activities to direct and control an organization with regard to security (3.28)
Note 1 to entry: “Direct and control” in general entails the establishment of the policy, objectives, planning,
control, security assurance and improvements with regards to security (3.28). Security assurance represents all
planned and systematic actions needed to give a sufficient degree of confidence that a product or process (3.12)
meets the security requirements.
3.34
security plan
documented information that specifies the procedures and resources to satisfy the security
requirements of the organization
3.35
security control
aspect of security management (3.33) aimed at the fulfilment of the security requirements
3.36
preventive action
action to prevent the cause of a nonconformity (3.19)
3.37
traceability
ability to trace the history, application or location of an object
Note 1 to entry: When considering a product or a service, traceability can relate to the origin of materials and
parts, the processing history and the distribution and location of the product or service after delivery.
[SOURCE: ISO 9000:2015, 3.6.13, modified — Note 2 to entry has been omitted.]
3.38
resource
personnel, information, premises, process equipment (software and hardware) and tools
3.39
supply chain
set of interconnected processes (3.12) and resources (3.38) that starts with the sourcing of raw materials
and ends with the delivery of products and services to the customer
Note 1 to entry: Supply chains include producers, suppliers, manufacturers, distributors, wholesalers, vendors,
and logistics providers. They include facilities, plants, offices, warehouses, and branches and can be both internal
and external to an organization.
Note 2 to entry: Supply chain management as related to this document includes the vetting of suppliers and
customers from the point of initial security value, which is the point at which security is added to the product.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and that
affect its ability to achieve the intended outcome(s) of its security printing management system.
4.2 Understanding the needs and expectations of interested parties
The organization shall determine:
— the interested parties that are relevant to the security printing management system;
— the relevant requirements of these interested parties.
Certification is only possible if the organization has followed the regulations of the certification
procedure and if it has established a security printing management system in accordance with the
specifications of this procedure.
4.3 Determining the scope of the security printing management system
The organization shall determine the boundaries and applicability of the security printing management
system to establish its scope.
When determining this scope, the organization shall consider:
— the external and internal issues referred to in 4.1;
— the requirements referred to in 4.2.
The scope shall be available as documented information.
4.4 Security printing management system
The organization shall establish, implement, maintain and continually improve a security printing
management system including the processes needed and their interactions in accordance with the
requirements of this document and including the processes needed as outlined in Annex A and their
interactions.
It is recognized that customer requirements may exceed the requirements of this document, so the
security printing management system also addresses customer requirements that are beyond the
scope of this document.
The organization shall conduct a risk assessment on at least the following:
a) Customer-related risk
EXAMPLE 1 Unauthorized purchase, distribution or illegal use of a product by a customer.
b) Information-related risk
EXAMPLE 2 Unwanted, unintended, prompted or unprompted disclosure of information.
c) Security material, product and waste-related risk
EXAMPLE 3 Theft, damage, sabotage or loss of security materials.
d) Supply chain-related risk
EXAMPLE 4 Any subversion or compromise of the security of the organization's security products and
related services at any point in the supply chain.
e) Physical intrusion and access-related risk
EXAMPLE 5 Intrusion into sensitive physical areas.
f) Personnel-related risk
EXAMPLE 6 Personnel fraud or unauthorized actions.
g) Disaster-related risk
EXAMPLE 7 Security breakdowns that result from either man-made or natural disasters.
h) Security failure-related risk
EXAM
...

ISO 14298:2021, titled "Graphic technology - Management of security printing processes," is a pivotal standard that specifies the essential requirements for establishing a comprehensive security printing management system tailored for security printers. The scope of this document is particularly relevant as it outlines a minimum set of security printing management system requirements, ensuring that organizations can effectively meet the diverse security needs of their customers while adhering to these standardized protocols. One of the notable strengths of ISO 14298:2021 is its ability to guide security printers in maintaining a robust framework that addresses security threats and vulnerabilities inherent to the printing process. The standard emphasizes the importance of a systematic approach, which aids organizations in developing a security printing management system that is not only efficient but also compliant with international standards. This emphasis on a structured management system is crucial for enhancing operational reliability and client trust in security printing services. Another strength lies in the document's provision for organizations to adapt the security requirements to their specific circumstances, provided they do not contradict the established guidelines of the standard. This flexibility ensures that different security printers, regardless of size or specialization, can implement the requirements in a manner that best suits their operational needs while ensuring customer security needs are adequately addressed. Moreover, the relevance of ISO 14298:2021 cannot be overstated in an increasingly digital age where the risk of counterfeiting and security breaches in printed materials is ever-present. By advocating for standardized processes in security printing, the standard acts as a vital tool for organizations seeking to protect sensitive information and enhance the integrity of their printed products. 
In summary, ISO 14298:2021 serves as an essential framework for the management of security printing processes, reinforcing the significance of a standardized approach in ensuring that security printers can effectively safeguard customer interests while navigating the complexities of modern printing technologies. Its comprehensive coverage of security management requirements makes it an indispensable resource for practitioners in the field of security printing.

ISO 14298:2021 is an important standard in the field of graphic technology that deals with the management of security printing processes. The standard sets out requirements for a security printing management system designed specifically for security printers. Defining a minimum set of requirements enables companies to set up an effective management system that ensures customer security requirements are met to an appropriate extent. A key strength of the document lies in its clear structure and precise specifications, which enable organizations to implement necessary security measures without neglecting the intergovernmental or internal requirements of the printing house. In addition, ISO 14298:2021 is highly relevant because it not only provides for the security of print requests but also strengthens customers' trust in the security printing industry. The standard is thus a fundamental instrument for security printers that want to optimize their processes by implementing these specifications while ensuring that their customers' specific security requirements are met efficiently. By applying the requirements of ISO 14298:2021, organizations can strengthen their reputation for security and quality in printing, which in turn leads to an increase in market share and customer satisfaction.

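ISO 14298:2021 is a standard for the management of security printing processes in the field of graphic technology, and it clearly defines the requirements for a security printing management system. The standard specifies a minimum set of security printing management system requirements and ensures that security printers appropriately meet their customers' security requirements. This gives organizations a foundation for effectively managing the various risks that can arise in the security printing process. One of the strengths of the standard is that its clearly defined requirements provide consistency and reliability when building a security printing management system. ISO 14298:2021 provides a common framework for the various stakeholders in the security printing field and contributes to improving interoperability between different organizations. It also includes requirements updated in step with advances in the latest security printing technology, helping organizations respond quickly to a changing risk environment. ISO 14298:2021 is highly relevant and is becoming an essential requirement in industries where security printing is important. By adopting a systematic approach to protecting sensitive information and assets, the standard can play an important role in building customer trust. It can therefore be regarded as a standard that must be considered for the effective operation of a security printing management system.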

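ISO 14298:2021 clearly specifies the requirements for a security printing management system for security printers. The scope of the standard is to define the minimum requirements needed to manage security printing processes, with the aim of strengthening security in the printing industry. The strength of the standard is that it provides clear guidelines for security printing management systems and shows how organizations can appropriately meet their customers' security requirements. ISO 14298:2021 is especially useful in sectors such as finance and government, where security printing processes play an important role. The standard also helps strengthen security by providing a framework for organizations to assess the risks that can arise when introducing and operating a security printing system and to take countermeasures. For that reason, ISO 14298:2021 can be called an indispensable document at the forefront of security management in the printing industry. Furthermore, because ISO 14298:2021 is an international standard, it makes it possible to ensure consistent quality and security standards in a global business environment. This gives companies the credibility to serve international customers as well, which in turn improves their competitiveness. In this way, ISO 14298:2021 is an important standard that provides a foundation for managing security printing effectively, and its importance across the industry continues to grow.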

ISO 14298:2021 precisely defines the requirements for a security printing management system intended for security printers. This document establishes a minimum set of criteria that a security printing management system must meet, allowing organizations to ensure that customer security requirements are met appropriately while maintaining conformity with the requirements of the standard. One of the standard's strengths lies in its scope, which covers various essential aspects of managing security printing processes. By providing a clear framework, ISO 14298:2021 helps security printers structure their approach effectively, which strengthens not only the security of printed products but also customer trust. The relevance of this standard is undeniable in a global context where threats related to counterfeiting and fraud are constantly increasing. By complying with the requirements described in the document, organizations can not only protect their products but also ensure compliance with the regulations in force, which adds significant value to their offering. In short, ISO 14298:2021 is a major asset for security printers, providing them with a normative framework that not only standardizes processes but also strengthens security and stakeholder trust in the printing sector.

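Article title: ISO 14298:2021 - Graphic technology - Management of security printing processes Article content: This document specifies requirements for a security printing management system for security printing companies. This document specifies minimum security printing management system requirements. Organizations ensure that customer security requirements are met appropriately, as long as they do not conflict with the requirements of this document.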

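Article title: ISO 14298:2021 - Graphic technology - Management of security printing processes Article content: This document describes the requirements for a security printing management system for security printers. This document specifies the minimum security printing management system requirements. Organizations ensure that customer security requirements are met appropriately, as long as they do not conflict with the requirements of this document.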

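This article describes ISO 14298:2021. It sets out requirements for managing security printing processes in the field of graphic technology. The requirements for a security printing management system for security printers are stated. The standard sets out the minimum necessary requirements so that the security of the printing process is ensured. However, as long as there is no conflict with customer security requirements, organizations must give priority to meeting customer security requirements.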

The article discusses ISO 14298:2021, which is a standard for managing security printing processes in the field of graphic technology. It sets out the requirements for a security printing management system for security printers. The standard outlines a minimum set of requirements that must be met to ensure the security of the printing processes. It emphasizes that organizations must prioritize meeting customer security requirements, as long as they do not conflict with the stipulations outlined in the document.

ISO 14298:2021 is a standard that outlines the requirements for a management system in security printing. It sets a minimum set of requirements for security printers to ensure customer security requirements are met, as long as they do not conflict with the standard.

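This document specifies the requirements for a security printing management system for security printers. This document specifies the minimum security printing management system requirements. Organizations ensure that customers' security requirements are met appropriately, as long as they do not conflict with the requirements of this document.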

ISO 14298:2021 is a standard that outlines the requirements for managing security printing processes in security printers. It sets the minimum requirements for the management system used in security printing. It emphasizes the need for organizations to meet customer security requirements while also complying with the guidelines specified in the standard.

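Article title: ISO 14298:2021 - Graphic technology - Management of security printing processes Article content: This document defines the requirements for a management system for security printing processes at security printing companies. This document sets out the minimum requirements for a security printing management system. Organizations ensure that customers' security requirements are met appropriately, as long as they do not conflict with the requirements of this document.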

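Article title: ISO 14298:2021 - Graphic technology - Management of security printing processes Article content: This document specifies the security printing management system requirements for security printing companies. This document defines the minimum security printing management system requirements. Organizations appropriately meet customers' security requirements, as long as they do not conflict with the requirements of this document.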