ISO/TS 22318:2021 pdf – Security and resilience — Business continuity management systems — Guidelines for supply chain continuity management.
1 Scope

This document gives guidance on methods for understanding and extending the principles of business continuity embodied in ISO 22301 and ISO 22313 to the management of supplier relationships. It enables an organization to develop and document the strategy to be better prepared to manage supply chain continuity.

This document is generic and applicable to all organizations. It is applicable to suppliers of products, services and resources, both upstream and downstream.

Supply chain continuity management (SCCM) specifically considers the issues faced by an organization which relies on the continuity of supply of resources as well as the ability to continue delivery of its products and services. The objective of SCCM is to protect the organization’s business activities from supply chain disruption.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Security and resilience — Vocabulary
ISO 22301, Security and resilience — Business continuity management systems — Requirements
ISO 22313, Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300, ISO 22301 and ISO 22313 apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
Supply chains extend beyond the organization’s direct control, with many factors determining the degree of control including relative size and leverage, geography and the number and type of suppliers.

Besides direct disruptions in the supply chain, the organization should also consider impacts on supply and demand based on global or local events as well as market dynamics which can result in:
— excessive demand over supply which can cause resource constraints;
— widespread excess of supply which can cause a collapse in demand for the products and services that the organization provides.

Supply chains have extended due to:
— global access at relatively low cost provided by evolving technology;
— cost-effective international transport;
— changing international trade barriers and the free movement of capital;
— availability of educated and relatively low-cost skilled workers across the world.

Organizations have become more interdependent due to the focus on core value-adding activities and the trend is to outsource activities, such as logistics, distribution, payroll, catering, cleaning, security and IT.

4.1.2 Supply chain model

A broad view of a supply chain includes the provision of resources by suppliers to the organization (upstream), and the delivery of products and services of the organization to its customers (downstream). It applies to organizations of all types and sizes.

Figure 1 illustrates a simple supply chain model and also shows the relationships and direct influence of the organization, which is within the scope of this document.
It is possible that the end user is not the immediate customer of the products and services. In some circumstances, the organization needs to consider that post-delivery use and consequences of the provision of their products and services, beyond the immediate customer, can impact brand and reputation. The organization can consider contracts to control subsequent use or implement end-user agreements to limit further downstream transfer.

A supply chain exists where the provision of resources depends on other organizations that are not under the direct management or control of the organization. There are different types of relationships that an organization can have:
— upstream relationships:
    — long term for recurring resources such as raw material, workspace, professional services;
    — one time for infrequent resource acquisition such as special projects;
    — professional association such as franchises, supplier associations;
— downstream relationships:
    — business-to-business (wholesalers and retailers);
    — business-to-customer.

The basis for all these relationships is commitments to meet interested parties’ expectations. These commitments can either be explicit (e.g. contract or purchase order) or implicit (e.g. what can be reasonably expected).

Organizations in the supply chain should take into account that the degree of flexibility and the related control on essential services and heavily regulated suppliers can be constrained, e.g. national electric companies, telecommunications, internet providers.

NOTE The above relationship types provide examples only and are not intended to be complete.