ISO/PAS 28004-4:2012

PUBLICLY ISO/PAS
AVAILABLE 28004-4
SPECIFICATION
First edition
2012-07-10

Security management systems for the
supply chain — Guidelines for the
implementation of ISO 28000 —
Part 4:
Additional specific guidance on
implementing ISO 28000 if compliance
with ISO 28001 is a management
objective
Systèmes de management de la sûreté pour la chaîne
d'approvisionnement — Lignes directrices pour la mise en application
de l'ISO 28000 —
Partie 4: Lignes directrices spécifiques supplémentaires concernant la
mise en oeuvre de l'ISO 28000 si la conformité à l'ISO 28001 est un
objectif de management




Reference number
ISO/PAS 28004-4:2012(E)
©
ISO 2012

---------------------- Page: 1 ----------------------
ISO/PAS 28004-4:2012(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2012 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/PAS 28004-4:2012(E)
Contents Page
Foreword . iv
Introduction . v
1 Scope . 1
2 Normative references . 2
3 General information . 2
4 Organization of this document . 3
5 Synergy between the World Customs Organization SAFE Framework Authorized
Economic Operator requirements . 3
6 Practical guidance as to where the various requirements of ISO 28001 would plug into
ISO 28000 as inputs, processes or outputs . 5
7 Notes on terminology . 6

© ISO 2012 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/PAS 28004-4:2012(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In other circumstances, particularly when there is an urgent market requirement for such documents, a
technical committee may decide to publish other types of document:
 an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in
an ISO working group and is accepted for publication if it is approved by more than 50 % of the members
of the parent committee casting a vote;
 an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical
committee and is accepted for publication if it is approved by 2/3 of the members of the committee casting
a vote.
An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a
further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is
confirmed, it is reviewed again after a further three years, at which time it must either be transformed into an
International Standard or be withdrawn.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/PAS 28004-4 was prepared by Technical Committee ISO/TC 8, Ships and marine technology.
ISO/PAS 28004 consists of the following parts, under the general title Security management systems for the
supply chain ― Guidelines for the implementation of ISO 28000:
 Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations
 Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses
(other than marine ports)
 Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a
management objective
iv © ISO 2012 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/PAS 28004-4:2012(E)
Introduction
This part of ISO/PAS 28004 has been developed to supplement ISO 28004-1. The additional guidance in this
part of ISO/PAS 28004, while amplifying the general guidance provided in the main body of ISO 28004-1,
does not conflict with the general guidance. While ISO 28000 is less specific than ISO 28001 on certain
technical security requirements, they do not conflict. This part of ISO/PAS 28004 helps to meet the Authorized
Economic Operator security criteria.

© ISO 2012 – All rights reserved v

---------------------- Page: 5 ----------------------
PUBLICLY AVAILABLE SPECIFICATION ISO/PAS 28004-4:2012(E)

Security management systems for the supply chain —
Guidelines for the implementation of ISO 28000 —
Part 4:
Additional specific guidance on implementing ISO 28000 if
compliance with ISO 28001 is a management objective
1 Scope
This part of ISO/PAS 28004 provides additional guidance for organizations adopting ISO 28000 that also wish
to incorporate the Best Practices identified in ISO 28001 as a management objective on their international
supply chains. The Best Practices in ISO 28001 both help organizations establish and document levels of
security within an international supply chain and facilitate validation in national Authorized Economic Operator
(AEO) programmes that are designed in accordance with the World Customs Organization (WCO) Framework
of Standards.
This part of ISO/PAS 28004 is not designed as a standalone document. The main body of ISO 28004-1
provides significant guidance pertaining to required inputs, processes, outputs and other elements required by
ISO 28000. This part of ISO/PAS 28004 provides additional specific guidance on implementing ISO 28000 if
compliance with ISO 28001 is a management objective.
Some requirements specified in the WCO AEO programme are government functions and are not addressed
in the ISO standards. These include:
 Demonstrated Compliance with Customs Requirements
Customs are to take into account the demonstrated compliance history of a prospective AEO when
considering the request for AEO status.
 Satisfactory System for Management of Commercial Records
The AEO is to maintain timely, accurate, complete and verifiable records relating to import and export.
Maintenance of verifiable commercial records is an essential element in the security of the international
trade supply chain.
 Financial Viability
Financial viability of the AEO is an important indicator of an ability to maintain and improve upon
measures to secure the supply chain.
 Consultation, Co-operation and Communication
Customs, other competent authorities and the AEO at all levels ― international, national and local ―
should consult regularly on matters of mutual interest, including supply chain security and facilitation
measures, in a manner which will not jeopardize enforcement activities. The results of this consultation
should contribute to Customs development and maintenance of its risk management strategy.
© ISO 2012 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/PAS 28004-4:2012(E)
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO 20858, Ships and marine technology ― Maritime port facility security assessments and security plan
development
ISO 28000, Specification for security management systems for the supply chain
ISO 28001, Security management systems for the supply chain ― Best practices for implementing supply
chain security, assessments and plans ― Requirements and guidance
ISO 28004-1, Security management systems for the supply chain ― Guidelines for the implementation of
ISO 28000
3 General information
The diagram in Figure 1 provides an illustration of how compliance and possible certification to ISO 28000
incorporating the best practices of ISO 28001 complements the requirements of national, regional or
economic Authorized Economic Operator programs and as well as those of certain industry programs and
facilitates the validations of such programs. Organizations may also choose to adopt ISO 28000/28001 to
improve and document supply chain security management without the goal of achieving AEO certification.


Figure 1 — Complementary Security Standards to Secure Supply Chain
2 © ISO 2012 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/PAS 28004-4:2012(E)
4 Organization of this document
a) A series of charts showing the synergy between the World Customs Organization SAFE Framework
Authorized Economic Operator requirements and the clauses in ISO 28000 and ISO 28001 that address
the AEO requirements.
b) Practical guidance as to where the various requirements of ISO 28001 would plug into ISO 28000 as
inputs, processes or outputs.
c) Notes, to clarify slight differences in terminology used in ISO 28000 and ISO 28001.
5 Synergy between the World Customs Organization SAFE Framework Authorized
Economic Operator requirements
In the charts A-I that follow the AEO requirement section are listed first in Bold type. This is followed by a brief
summary of that requirement. In the boxes below each summary are the clauses of ISO 28000 and ISO 28001
that address those requirements. Majority of the WCO AEO requirements are addressed
...