Security management systems for the supply chain — Development of resilience in the supply chain — Requirements with guidance for use

ISO 28002:2011 specifies requirements for a resilience management system in the supply chain to enable an organization to develop and implement policies, objectives, and programs, taking into account legal, regulatory and other requirements to which the organization subscribes; information about significant risks, hazards and threats that may have consequences to the organization, its stakeholders, and on its supply chain; protection of its assets and processes; and management of disruptive incidents.

Systèmes de management de la sécurité pour la chaîne d'approvisionnement — Développement de la résilience dans la chaîne d'approvisionnement — Exigences avec mode d'emploi

General Information

Status: Withdrawn
Publication Date: 20-Jul-2011
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 19-Jun-2024
Completion Date: 19-Apr-2025
Relations

Standard: ISO 28002:2011 - Security management systems for the supply chain -- Development of resilience in the supply chain -- Requirements with guidance for use
English language, 55 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO 28002
First edition
2011-08-01
Security management systems for the supply chain — Development of resilience in the supply chain — Requirements with guidance for use
Systèmes de management de la sécurité pour la chaîne d'approvisionnement — Développement de la résilience dans la chaîne d'approvisionnement — Exigences avec mode d'emploi

© ISO 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2011 – All rights reserved

Contents — Page
Foreword ... iv
Introduction ... v
0.1 General ... v
0.2 Supply Chain Environment ... v
0.3 Process Approach ... vi
0.4 “Plan-Do-Check-Act” (PDCA) model ... viii
1 Scope ... 1
2 Normative references ... 2
3 Terms and definitions ... 2
4 Requirements of Management System containing Resilience Policy ... 12
4.1 General ... 12
4.2 Understanding the Organization and its Context ... 13
4.3 Scope of Resilience Management Policy ... 14
4.4 Provision of Resources for the Resilience Management Policy ... 14
4.5 Resilience Management Policy ... 14
4.6 Resilience Policy Statement ... 14
Annex A (informative) Informative guidance on the incorporation of this International Standard into a management standard ... 16
Annex B (informative) Informative Guidance on the Use of this International Standard ... 30
Annex C (informative) Terminology Conventions ... 53
Annex D (informative) Qualifiers to Application ... 54
Bibliography ... 55

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 28002 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration
with other relevant technical committees responsible for specific nodes of the supply chain.
This first edition cancels and replaces ISO/PAS 28002:2010.


Introduction
0.1 General
Organizations across the globe are rapidly developing risk management and resilience programs to address
uncertainty in achieving their objectives. There is a strong demand for standards and best practices, as
organizations are seeking assurance that their suppliers and the extended supply chain have planned for, and
taken steps to prevent and mitigate the threats and hazards to which they are exposed. To assure resilience
in the supply chain, organizations must engage in a comprehensive and systematic process of prevention,
protection, preparedness, mitigation, response, continuity and recovery.
The survivability of organizations within a supply chain depends largely on the resilience of their suppliers and
customers. As a result, incorporating resilience, and improving the resilience of an organization within the
supply chain, must be focused both within the organization and externally on its suppliers and customers.
It must be emphasized that, during a supply chain disruption, the exact nature of the disruption will probably not
be fully understood at first and may only become clear over time. As a result, resilience plans and
policies should stress adaptation and continual evaluation of new information to ensure that the actions
being taken remain appropriate. Supply chain disruptions of sufficient magnitude will most likely attract the news
media. Failure to properly manage news media relations can negatively impact resiliency response operations,
resulting in a loss of stakeholder confidence. This loss of confidence can result in loss of customers, increased
demand for information by government or financial organizations, and restrictions imposed by external
organizations. This International Standard has applicability in the private, not-for-profit, non-governmental, and
public sector environments. It is a management framework for action planning and decision making needed to
anticipate, prevent if possible, and prepare for and respond to a disruptive incident (emergency, crisis, or
disaster). When implemented within a management system it enhances an organization's capacity to manage
and survive the event, and take all appropriate actions to help ensure the organization's continued viability.
Regardless of the organization, its leadership has a duty to stakeholders to plan for its survival. The body of
this International Standard provides generic auditable criteria to establish, check, maintain, and improve
resilience policy when implemented in a management system to enhance prevention, preparedness
(readiness), mitigation, response, continuity, and recovery from disruptive incidents.
This International Standard is designed to be integral to ISO 28000. It may also be integrated into
other management systems within an organization that follow the Plan-Do-Check-Act model. If third-party
independent certification is chosen, the certification will be applied to the overall management system
standard that incorporates this International Standard.
The integrated adaptive, proactive, and reactive resilience approach can leverage the perspectives,
knowledge, and capabilities of divisions and individuals within an organization. Because of the relatively low
probability and yet potentially high consequence nature of many natural, intentional, or unintentional threats
and hazards that an organization may face, an integrated approach allows an organization to establish
priorities that address its individual needs for risk management within an economically sound context.
0.2 Supply Chain Environment
Managing risks in the supply chain requires an understanding of the organization's environment as well as the
context of the global environment of the entire supply chain. Each node of the organization's supply chain
involves a set of risks and management processes of plan, source, make, deliver and return. All of these
management processes should be included in an organization's overall resilience policy. With this
understanding, an organization will define to which level or tier of its supply chain its resilience
program extends.
[Figure 1 — Resilience Management Policy in the Supply Chain (Source: Supply Chain Council 2007). Nested layers: Global Environment; Organizations’ Environment; Suppliers’ Environment and Customers’ Environment; within them, Suppliers (and outsource manufacturing) on the Supplier-Facing side, the Organization (Internal Facing) in the centre, and Customers on the Customer-Facing side.]
0.3 Process Approach
The management systems approach encourages organizations to analyse organizational and stakeholder
requirements and define processes that contribute to success. A management system can provide the
framework for continual improvement to increase the likelihood of enhancing security, preparedness,
response, continuity, and resilience. It provides confidence to the organization and its customers that the
organization is able to provide a safe and secure environment which fulfils organizational and stakeholder
requirements.
This International Standard adopts a process approach for establishing, implementing, operating, monitoring,
reviewing, maintaining, and improving an organization's resiliency to supply chain disruptions. An organization
needs to identify and manage many activities in order to function effectively. Any activity using resources and
managed in order to enable the transformation of inputs into outputs can be considered to be a process. Often
the output from one process directly forms the input to the next process.
The application of a system of processes within an organization, together with the identification and
interactions of these processes and their management, can be referred to as a “process approach”.
Figure 2 depicts the process approach for resilience management in the supply chain presented in this
International Standard which encourages its users to emphasize the importance of
a) understanding an organization's risk, security, preparedness, response, continuity, and recovery
requirements,
b) establishing a policy and objectives to manage risks,
c) implementing and operating controls to manage an organization's risks within the context of the
organization's objectives,

d) monitoring and reviewing the performance and effectiveness of the resilience management policy, and
e) continual improvement based on objective measurement.
[Figure 2 — Process Approach for Resilience Management in the Supply Chain. A cycle of six stages: Establish Program and Apply Resources; Define the Supply Chain and Objectives; Identify Supply Chain Risks; Quantify and Prioritize Risks - Goals; Execute Risk Treatment Programs; Monitor Supply Chain Environment for Risks. Feedback loops labelled Reassessment of risk program, Reassessment of supply chain, Reassessment of risk sources, Reassessment of risk exposure, Reassessment of management actions, and Continuous risk monitoring return from later stages to earlier ones.]
0.3.1 Establish a Supply Chain Resilience Program and Apply Resources
⎯ Recognize supply chain risk management as a priority
⎯ Secure top management support for the program and
⎯ Secure resources necessary to execute the program
0.3.2 Define the Supply Chain and Resilience Objectives
⎯ Define the supply chain scope and map the supply chain
⎯ Define the objectives of managing risk in the subject supply chain
0.3.3 Identify Supply Chain Risks
⎯ Comprehensively review the supply chain to identify risks
⎯ Document identified risks to the extent possible
0.3.4 Quantify and Prioritize Risks
⎯ Quantify each risk in terms of likelihood of occurrence and potential impact
⎯ Use the quantification of the risks to prioritize the risks according to defined objectives
0.3.5 Execute Risk Treatment Programs
⎯ Develop risk management actions consistent with each risk's priority
⎯ Define each action's value in terms of reducing the likelihood and impact of the risk
⎯ Develop and execute an implementation plan for the identified actions
0.3.6 Monitor Supply Chain Environment for Risks
⎯ Continuously monitor the supply chain environment for risk events or precursors
⎯ When thresholds are triggered, execute applicable mitigation actions
⎯ Document results for after action review and program improvement
0.4 “Plan-Do-Check-Act” (PDCA) model
This International Standard is designed to be incorporated into a management system that uses the “Plan-Do-
Check-Act” (PDCA) model, which in turn will guide the implementation and execution of the resilience
management policy processes. Figure 3 illustrates how a management system can incorporate a
...
