Foreword

Introduction

1Scope

2Normative references

3Terms and definitions

4Field of application

4.1Statement of application

4.2Business partners

4.3Internationally accepted certificates or approvals

4.4Business partners exempt from security declaration requirement

4.5Security reviews of business partners

5Supply chain security process

5.1General

5.2Identification of the scope of the security assessment

5.3Conduction of the security assessment

5.3.1Assessment personnel

5.3.2Assessment process

5.4Development of the supply chain security plan

5.5Execution of the supply chain security plan

5.6Documentation and monitoring of the supply chain security process

5.6.1General

5.6.2Continual improvement

5.7Actions required after a security incident

5.8Protection of the security information

Annex ASupply chain security process (informative)

A.1General

A.2Identification of the scope of the security assessment

A.3Conduction of the security assessment

A.3.1General

A.3.2Performance review list

A.3.3Performance review

A.3.4Security threat scenarios

A.4Development of the security plan

A.4.1General

A.4.2Documentation

A.4.3Communication

A.5Execution of the security plan

A.6Documentation and monitoring of the security process

A.7Continual improvement

Annex BMethodology for security risk assessment and development of countermeasures (informative)

B.1General

B.2Step one – Consideration of the security threat scenarios

B.3Step two – Classification of consequences

B.4Step three – Classification of likelihood of security incidents

B.5Step four – Security incident scoring

B.6Step five – Development of countermeasures

B.7Step six – Implementation of countermeasures

B.8Step seven – Evaluation of countermeasures

B.9Step eight – Repetition of the process

B.10Continuation of the process

Annex CGuidance for obtaining advice and certification (informative)

C.1General

C.2Demonstrating conformance with by audit

C.3Certification of by third party certification bodies

Bibliography