CEFACT/2003/IT016

RESTRICTED

1 September 2003

United Nations

Centre for Trade Facilitation and Electronic Business

(UN/CEFACT)

International Trade Procedures Working Group (ITPWG) – TBG 15

The International Shippers and Freight Forwarders Security Code – DRAFT Rev.4

(Security-management Systems for the supply chain)

SOURCE: DNV

STATUS: Draft Rev.4

ACTION: For discussion at the 29-30 September 2003, ITPWG agenda, item 3

Contents

1.Scope

1.1.General

1.2.Application

1.3.Exclusion

2.Normative Reference

3.Terms and definitions

4.Security-management system

4.1.General system requirements

4.2.Documentation requirements

4.2.1.General

4.2.2.Security Manual

4.2.3.Control of documents

4.2.4.Control of Records

4.3.Management responsibility

4.3.1.Management commitment

4.3.2.Security levels

4.3.3.Security Policy

4.3.4.Security Assessment

4.4.Organization and communication

4.4.1.Responsibility and authority

4.4.2.Company Security Officer

4.4.2.1.Internal communication

4.4.2.2.External Communication

5.Security-management

5.1.General requirements

5.1.1.Procedural security

5.1.2.Human Resources

5.1.3.Physical Security

5.1.4.Information Security

5.2.Specific Requirements to Stuffers and Packers

5.2.1.Procedural security

5.2.1.4.Emergency response measures are defined

5.2.2.Physical security

5.2.3.Access Controls

5.3.Specific Requirements to Warehouses, Storage Areas and Terminals

5.3.1.Procedural security

5.3.2.Physical security

5.3.3.Access Controls

5.4.Specific Requirements to Forwarders and Transporters

5.4.1.Procedural security

5.4.2.Physical security

5.5.Specific Requirements to Information Processors

5.5.1.Procedural security

5.5.2.Access Controls

6.Measurement, analyses and improvement

6.1.General

6.2.Internal Audits

6.3.Measuring and Monitoring

6.4.Corrective and preventive action

6.4.1.Corrective action

6.4.2.Preventive action

6.5.Security Records

6.6.Management Reviews

6.6.1.General

6.6.2.Review of the Security-management System

6.7.Continual improvement

Introduction

0.1 Overview

As concern grows that combating security threats is becoming more and more important to countries, the logistic world is gaining an increasing awareness that:

  • elements of the logistic chain can be used by terrorists to cause direct harm to life, property or the environment;
  • direct terrorist intervention in the international supply chain could create serious delays in the supply chain and hence cause considerable economic damage;
  • increased security in the supply chain will also reduce other losses like theft and damage.

Whereas a number of unilateral or sectoral initiatives have been implemented or are under development to improve the security of (parts of) the supply chain, this Code intends to provide a more holistic approach to supply chain security whilst maintaining the efficiency of world trade and the achievements in trade facilitation.

This Code defines auditable requirements to security-management and the security of an organisation’s premises, and is applicable to each step of the supply chain. The Code covers on a generic basis current national regulations and guidelines like C-TPAT, StairSec® etc.

Port facilities and ships, as defined in the International Ships and Port Facilities Code (ISPS-Code), part A and B, together with the revised and amended Chapter XI of the SOLAS 74 convention, are excluded since security requirements for these steps of the supply chain are already well defined therein.

Achieving sound security performance requires organisational commitment to a systematic approach and to the continuous improvement of the Security-management System.

The general purpose of this Code is to provide assistance to organizations implementing or improving a Security-management System. In addition this Code is a document, open for public distribution, which contains requirements to which an organization may be audited for certification/authorization purposes or for self assessment purposes.

In addition, Annex A of this Code contains examples, descriptions, options and checklists that aid in the assessment of an SMS. Annex A is a document that is to be treated as confidential at all times and shall not be distributed outside the organisation of customs, other national authorities charged with supply chain security or other recognised independent 3rd party certification bodies.

A Security-management System provides order and consistency for organizations to address security concerns through the allocation of resources, assignment of responsibilities, ongoing evaluation of practices, procedures and processes, and active utilisation of inputs from security authorities and other stakeholders in the supply chain. Therefore the development and maintenance of a Security-management System is an ongoing and interactive process.

Security-management is an integral part of an organisation’s overall management system. The structure, responsibilities, practices, procedures, processes, practical measures and resources for implementing security policies, objectives and targets can be coordinated with existing efforts in other areas (e.g. operations, finance, quality, occupational health and safety, environmental care).

Key principles for managers implementing or enhancing a Security-management System include, but are not limited to, the following.

  • Recognise that security-management is among the highest corporate priorities.
  • Establish and maintain communication with internal and external interested parties.
  • Determine and meet the legislative requirements towards security further down the supply chain.
  • Develop management and employee commitment to security, with clear assignments of accountability and responsibility.
  • Provide appropriate and sufficient resources, including training, to achieve the required security levels.
  • Establish a management process to audit and review the Security-management System and to identify opportunities for improvement of the system.
  • Encourage contractors and suppliers to establish their own Security-management System.

Organizations can consider the following different uses of this Code.

  • To obtain authorization, through certification by its national customs organisation, to supervise its own security activities as part of their trusted trader agreement, upon which cargo processed by such organisation is considered cargo with a reduced risk by customs.
  • To obtain authorization, through certification by an independent third party which has been duly authorised by its customs organisation or other authority designated with security enforcement, to supervise its own security activities as part of their trusted trader agreement, through which cargo processed by such organisation is considered cargo with a reduced risk by customs.
  • To use this Code in contractual agreements with partners, contractors or suppliers to achieve a secure supply chain from door to door.
  • To initiate or improve its Security-management System.

This Code can be used by organizations of any size and dealing with any part of the supply chain.

Where it is recognised that there are significant differences between the different actors in the supply chain, this Code is defining generic requirements to the handling and transportation of closed Cargo Transportation Units (CTU’s) only and is explicitly excluding port facilities and vessels, which are covered already by the ISPS-Code.

The Code defines:

  i. General requirements, applicable to all companies.

In addition it defines:

  ii. Specific requirements to Stuffers and Packers, applicable to companies which are engaged in the stuffing, stowing or packing of CTU’s or the (re)consolidation of LCL-cargo into one CTU.
  iii. Specific requirements to Warehouses, Storage Areas and Terminals, applicable to companies which are engaged in the storage of cargo or CTU’s in warehouses, stores, depots, terminals etc.
  iv. Specific requirements to Forwarders and Transporters, applicable to companies which are engaged in the transportation of CTU’s by road, rail or inland waterway.
  v. Specific requirements to Information Processors, applicable to companies which are engaged in generating, processing, forwarding and storage of documents and data about cargo moving along the supply chain.

It is possible that specialised companies, due to their type of operation, only need to meet one specific set of requirements. However, most companies need to meet two or more of these specific sets of requirements, depending on the type of their operation.

  • Manufacturers would typically need to comply with specific requirements under i., ii. and iv. above.
  • Integrated operators would typically need to comply with i., ii., iii. and iv. above.
  • Agents and brokers, for example, would only need to comply with the requirements under iv. above.

0.2 Compatibility with other management systems

This Code has been aligned as nearly as possible with ISO 9001:2000 and ISO 14001:1996 in order to enhance the compatibility of the Code with these two standards for the benefit of the user community.

This Code is also aligned with the requirements from the ISPS-Code to create a seamless interface between the different steps in the supply chain.

This Code does not include requirements specific to other management systems, such as those particular to quality management, environmental management, occupational health and safety management, financial management or risk management. However, this International Standard enables an organization to harmonize or integrate its own quality management system with related management system requirements. It is possible for an organization to adapt its existing management system(s) in order to establish a Security-management System that complies with the requirements of this Code.

0.3 Appendixes to this Code

To this International Shippers and Freight Forwarders Security Code (ISFFS-Code) the following appendixes are attached:

Appendix A: ISFFS-Code: Guidelines and Checklists (confidential). To be developed.

Appendix B: General requirements for bodies operating assessment and certification of Security-management Systems which comply with the ISFFS-Code.

Appendix C: Requirements to ISFFS-Code auditors.

1.Scope

1.1.General

This Code specifies requirements for the development and implementation of security-management systems, where an organization, being an integrated part of the supply chain, possibly in coordination with other management systems:

  • wishes to demonstrate through certification to its clients, its supply chain partners or to the authorities, responsible for supply chain security, its ability to keep the supply chain free from security breach
  • wishes to obtain authorization from its customs organization, or other authorities, responsible for supply chain security, where needed through certification by an authorized independent third party, to perform verifications, checks and other measures which ensure that its cargo is free and remains free from security breach, as part of a trusted trader partnership
  • wishes to use the requirements from the Code as a voluntary, internal management tool to develop, implement or improve its Security-management System.

1.2.Application

This Code contains requirements to the security of cargo, be it general cargo, dry or wet bulk, which is entered into and transported along the supply chain in closed Cargo Transportation Units (CTU’s) such as containers and closed road- or rail vehicles, which are transported by road, rail or inland waterways 1).

Security of cargo includes the security of data about that cargo.

The first part of chapter 5 of this Code defines requirements which are generic and are intended to be applicable to all organizations, regardless of type, size and services provided.

The second part of chapter 5 of this Code contains specific requirements for the security of each of the four fundamental process steps of the supply chain i.e.:

  1. Stuffers and Packers.
  2. Warehouses, Storage Areas and Terminals.
  3. Forwarders and Transporters.
  4. Information Processors.

1.3.Exclusion

Although this Code describes requirements to security management of all steps in the supply chain, from original shipper to final addressee, the Code does not apply to storage and handling of CTU’s in the perimeter of port facilities and on board passenger vessels, cargo vessels > 500 gross ton, high speed craft and mobile offshore rigs, since the security-management of these parts of the supply chain is adequately covered through the compulsory implementation of the International Ships and Port Facilities Code (ISPS-Code), part A and B, together with a revision and amendment of Chapter XI of the SOLAS 74 convention.

1) Transportation of closed CTU’s by inland waterways may also cover (short-) sea transport of closed CTU’s by vessels not covered by Chapter XI of the SOLAS 74 convention and the ISPS-Code.

2.Normative Reference

Although this Code addresses supply chain security as a separate issue, it is based on the same management system fundamentals as described in ISO 9000:2000 and on which ISO 9001:2000 and ISO 14001:1996 are based.

The Code complies with the principles set out in the “High level guidelines for co-operative arrangements between WCO Members and the private sector” to increase supply chain security, as adopted by the WCO council in its general assembly in June 2003 and serves to define more detailed requirements to specific business levels.

National standards and guidelines on supply chain security, like C-TPAT and StairSec®, are incorporated in full in this Code.

The requirements of this Code are formulated such that port facilities which comply with the ISPS Code can be confident that cargo entering their perimeter from a supply chain which is officially confirmed to comply with this Code is free from security breach.

3.Terms and definitions

The following terms and definitions are applicable to this Code:

3.1.Re. the Security-management System

3.1.1.Security-management System

Set of interrelated or interacting elements to establish a security policy, objectives and measures to achieve those objectives

3.1.2.Top management

A person or a group of persons who directs and controls an organization at the highest level

3.1.3.Organization

Group of people, premises and facilities with an arrangement of responsibilities, authorities and relationships

3.1.4.Supplier

Organization or person that provides a product or service, including sub-contractors

3.1.5.Process

Set of interrelated or interacting activities which transforms inputs into outputs

3.1.6.Procedure

Specified way to carry out an activity or a process

3.1.7.Requirement

Need or expectation that is stated, generally implied or obligatory

3.1.8.Nonconformity

Non-fulfilment of a requirement

3.1.9.Corrective action

Action to eliminate the cause of a detected nonconformity or other undesirable situation

3.1.10.Preventive action

Action to eliminate the cause of a potential nonconformity or other undesirable situation

3.1.11.Security manual

Document specifying the quality management system of an organization

3.1.12.Record

Document stating results achieved or providing evidence of activities performed

3.1.13.Verification

Confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

3.1.14.Audit

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled

3.1.15.Audit criteria

Set of policies, procedures or requirements used as a reference

3.1.16.Audit evidence

Records, statements of fact or other information which are relevant to the audit criteria and verifiable

3.1.17.Corrective action

Action to eliminate the cause of a detected nonconformity or other undesirable situation

3.1.18.Certification

A system leading to a written document issued by a party which is duly authorised to do so, confirming that assessments which comply to defined procedures, have revealed that a system is, or has remained, in conformance with a defined standard.

3.1.19.Authorised certification body

An independent third party organisation which has obtained authorization from a designated authority to verify and confirm, through certification, that an organisation complies with the requirements of this Code. Such authorization will only be issued upon verification and confirmation of compliance with appendix B to this Code.

3.2.Re. the Supply Chain

3.2.1.Supply chain

the entirety of processes, process steps, organizations and suppliers to get a product moved across international borders from the manufacturer to the point of delivery, as defined by the purchaser

3.2.2.Closed Cargo Transportation Unit (CTU)

any container or closed means of conveyance intended for transport of cargo via road, rail or inland waterways, used in international traffic, of which the interior cannot be accessed other than by visibly damaging its bottom, sides, fronts, top, door or locks, or by breaking its seals.

3.2.3.Premises

Something that is built, installed, or established to serve as an area or location for the processing, storage or handling of cargo and/or CTU’s

3.2.4.Restricted area

An area which after a risk assessment of an organization’s processes and facilities is considered to contain a high risk to physical or information security

3.2.5.Prolonged stop

A period of time during which the means of conveyance is left unattended long enough for unauthorised persons to intrude the CTU.

3.2.6.Inland waterways

Waterways trafficked by barges or inland cargo vessels.

3.2.7.Inland Cargo Vessels

All cargo vessels, excluded by IMO’s International Ships and Port Facilities Code (ISPS-Code), part A and B, together with a revision and amendment of Chapter XI of the SOLAS 74 convention

3.3.Re. Security

3.3.1.Physical Security

absence of danger that the characteristics of cargo in a secure area or a CTU are illegally changed, including measures taken to guard against sabotage, escape, attack, or other crime. This danger includes i.a.:

  • infiltration with weapons or any other dangerous substances and devices intended to harm people, property or the environment and which are not authorized,
  • infiltration with other unauthorised cargo or passengers, or
  • theft of or damage to cargo.

3.3.2.Information Security

absence of danger that information in a document (paper or electronic) is accessed, distributed or changed without proper authorization including measures taken to guard against espionage, sabotage or other crime.

3.3.3.Tamper

any act, object, or practice that interferes with another's rights or interests by being offensive, annoying, dangerous, obstructive, or unhealthful

3.3.4.Security level 1

the level for which minimum appropriate protective security measures shall be maintained at all times.

3.3.5.Security level 2

the level for which appropriate protective security measures, additional to those required for security level 1, shall be maintained for a period of time as a result of heightened risk of a security incident.

3.3.6.Security level 3

the level for which further specific protective security measures shall be maintained, additional to those required for security level 1 and 2, for a limited period of time when a security incident is probable or imminent, although it may not be possible to identify the specific target.

3.3.7.Company security officer

the person designated by the organisation for ensuring that a security assessment is carried out; that a Security-management System is developed, where appropriate submitted for approval, and thereafter implemented and maintained and who liaises with the designated authorities.