
RINA

ASSESSMENT AND CERTIFICATION OF SECURITY MANAGEMENT SYSTEMS

IS-CRT-SEC-00

Rev.1

Page 1/34

1 SCOPE AND FIELD OF APPLICATION

This instruction describes the methods for performing the activities established in the RINA document entitled “Rules for the certification of Security Management Systems”.

2 DEFINITIONS AND/OR ABBREVIATIONS

AC: Corrective action
AOI: International Operative Area
AON: National Operative Area
Audit: a systematic, independent and documented process for obtaining evidence and objectively establishing to what extent the audit criteria (set of policies, procedures or requirements) are satisfied
Auditor: SMS auditor, a technician possessing all the requirements indicated on the Auditor qualification sheet (IS-DCI-AUD-01)
CA: Area Manager
Certificate of Conformity: document certifying the conformity of the Organisation’s supply chain security management system with the reference standard (ISO 28000)
CERTIFICATION TRANSFER: an existing and valid ISO 28000 certificate issued by an accredited certification body which has been recognised by RINA with a view to issuing its own certificate (Annex 3)
COD: Planning and operative control
CRT: Technical coordination and control
CTSec: Security Technical Committee
CU: Office Manager
DO: Organisational Structure Document
EXTERNAL WORK: activities performed by individuals or small groups belonging to an Organisation at a customer's premises or any other sites indicated by a customer, or when engaged in an activity that requires them to move around
GVI: Auditing Team
IPR: Production Engineering Unit
Lead Auditor: audit team leader, an auditor possessing all the requirements indicated on the Lead Auditor qualification sheet (IS-DCI-AUD-01)
MULTI-SITE ORGANISATION: Organisation with a well-defined central function (hereinafter called head office) where certain activities are planned, controlled or managed, and a network of local offices or branches (sites) where such activities are entirely or partially carried out
NC: Non-Conformity
PERMANENT SITES: decentralised sites permanently manned by the organisation's employees for performing functions pertinent to the activities of the organisation
PVI: Audit plan, all the activities required to plan and organise audits (number and type) on the Organisation’s supply chain security management system and to provide the resources for performing them effectively and efficiently within the established deadlines
PVP: Three-year audit programme, general planning document, prepared by RPC in collaboration with the Team Leader, indicating the audits to perform during the validity of the certificate
QI: Informative questionnaire, document completed by the Customer containing all the elements required to allow RINA to prepare an offer
SMS: Security management system
RINA RULES: Rules for the certification of Security Management Systems
RPC: File Manager, a technician possessing all the requirements of a Lead Auditor, with technical/managerial responsibility for the certification files he/she is given and responsibility for implementing the PVP for these certification files (appointed by CU)
RVI: Audit report
SCC: Certification and accreditation section
SCHEME MANAGER: person responsible for managing the specific scheme
SEG: AOC technical secretarial office
SGT: CRT and SCC technical secretarial office


TEMPORARY SITES: Decentralised sites manned by an organisation for a specific project, e.g.:

• complex or long-term building/installation sites,

• long-term complex service activities (e.g.: management of canteens or management of health, social or welfare services awarded on the basis of competitive bidding)

TEC: Expert technician possessing all the requirements indicated on the TEC qualification sheet (IS-DCI-AUD-01)
TL: Team Leader, a technician possessing all the requirements indicated on the Lead Auditor qualification sheet (IS-DCI-AUD-01), who has been given responsibility for the audit

3 MAIN REFERENCE DOCUMENTS AND REFERENCES TO OTHER DOCUMENTS

- ISO 28000 series - Security management systems for the supply chain

- ISO 9001:2008 – Quality management systems – Requirements

- ISO 9000:2005 – Quality management systems – Fundamentals and vocabulary

- ISO 9004:2000 – Quality management systems – Guidelines for improving performance

- ISO 17021 – “Conformity assessment – Requirements for bodies providing audit and certification of management systems”

- ISO 19011:2003 “Guidelines for auditing quality and/or environmental management systems”

- Annex 3 to Guide 62:1996

- Regulations/Technical documents of Accreditation Bodies

- RINA Regulations/Guides for the certification of Management Systems

- Rules for the certification of Security Management Systems

- Accreditation certificates issued by Accreditation bodies or RINA accreditations table

- ISTAT – Classification of Economic activities – Methods and Standards series C – n° 11

- DCI organisational provisions

- DCI Quality Manual

- DCI procedures

- IS-SCC-CER-01 – Issuing, suspending, reinstating and withdrawing certificates and attestations of conformity

- IS-SCC-FCT-01 – Technical committee operating methods

- IS-DCI-AUD-01 – Auditor qualification and relative maintenance and specific quality annex

- Report by “NEW AGE”

- RINA price list

4 DESCRIPTION OF THE MAIN PROCESS PHASES

The main phases of the SMS certification process are the ones closely connected with implementing the service, the ones focussing on achieving the final result. They take place sequentially or depend on the outcome of a previous phase or a customer request and are schematically represented in the two functional flow charts shown below.


4.1 REPRESENTATION OF THE CERTIFICATION, SURVEILLANCE AND RECERTIFICATION PROCESSES

The two flow charts graphically represent the entire SMS certification process and its maintenance. Flow chart n° 1 shows the phases focussed on SMS certification and recertification. Flow chart n° 2 shows the phases focussed on SMS certification maintenance by means of surveillance audits. The phases shown in flow chart n° 2 are generally repeated in the same way every year, except for some special phases (marked on the flow chart) which are generally performed every 3 years (complete review). For recognition by RINA of SMS Certificates issued by other accredited bodies, with a view to issuing its own certificate, please refer to Annex 3.

4.2 THREE-YEAR AUDIT PROGRAMME

The Three-year audit programme, drawn up by the relative RPC, comprises the phases/activities indicated in the following table and described in the 2 flow charts. RPC may allocate certain activities in the audit programme to other qualified technicians within or outside the Structure (stage 1 or part of it, stage 2), making the information available to them by adding their names in the computer programme ASCESI.

Initial certification (flow chart n° 1)

Opening of process

Preparation of initial certification audit:
- Appointment and communication of GVI for stages 1 and 2

Stage 1 audit (generally at the client’s premises):
- Examination of documents (manual, procedures, management review, internal audits, ...)
- Evaluate the applicant organisation's location and site-specific conditions, and undertake discussions with the client organisation's personnel to determine preparedness for the stage 2 audit
- Review the client organisation’s status and understanding regarding the requirements of the standard, in particular with respect to the identification of key performance or significant aspects, processes, objectives and operation of the supply chain security management system
- Collect and review the necessary information regarding the scope of the supply chain security management system, the risk assessment performed, the processes and location(s) of the client organisation, and related statutory and regulatory aspects and compliance (e.g. legal aspects of the applicant organisation's operation, identified risks, etc.)
- Review the allocation of resources for stage 2 and agree with the client organisation on the details of the stage 2 audit
- Provide a focus for planning the stage 2 audit by gaining a sufficient understanding of the organisation's supply chain security management system and site operations in the context of possible significant aspects
- Evaluate whether the internal audits and management review are being planned and performed, and whether the level of implementation of the supply chain security management system substantiates that the client organisation is ready for the stage 2 audit

Stage 2 audit (on site):
- Opening meeting
- Check implementation of effective actions related to the outcome of stage 1
- Collection of evidence
- Internal closing meeting
- Classification of findings
- Preparation of the audit report
- Closing meeting

Action subsequent to the audit:
- Deliver copy of stage 2 audit report to the Organisation
- Control and confirmation of the audit report
- Acceptance of corrective action proposals
- Preparation of the three-yearly audit plan
- Certification proposal
- Printing and despatch of certificate and three-yearly audit plan
- Check that documentation is complete, closure of process

Surveillance (flow chart n° 2)

Opening of process

Appointment of GVI for the audit

Preparation of surveillance audit:
- Despatch surveillance audit programme to the Organisation

Surveillance audit:
- Opening meeting
- Check implementation of corrective actions related to previous audit, complaints
- Collection of evidence
- Internal closing meeting
- Classification of findings
- Preparation of the audit report
- Closing meeting

Actions following the audit:
- Deliver copy of audit report to the Organisation
- Control and confirmation of the audit report
- Acceptance of corrective action proposals
- Any changes to the three-yearly audit plan and despatch to the Organisation
- Send confirmation of certificate validity to the Organisation

Check documentation complete, close process

Recertification (flow chart n° 1)

Opening of process

Appointment and communication of GVI for the audit

Preparation of recertification audit:
- Despatch recertification audit programme to the Organisation

Recertification audit:
- Opening meeting
- Document review
- Check implementation of corrective actions related to previous audit, complaints
- Collection of evidence
- Internal closing meeting
- Classification of findings
- Preparation of the audit report
- Closing meeting

Actions following the audit:
- Deliver copy of audit report to the Organisation
- Control and confirmation of the audit report
- Acceptance of corrective action proposals
- Preparation of the three-yearly audit plan
- Recertification proposal
- Print and send the certificate and three-yearly audit plan

Check documentation complete, close process


4.3 KEY TO FLOW CHARTS

The column headings indicate the operative responsibilities of the phases shown in each column. Each phase is placed in the right column depending on the relative responsibility. Each phase or decision shown on the two flow charts is numbered in order to relate them to the following tables giving a detailed description of each single phase, showing inputs, outputs, critical factors and the relative electronic and/or hard copy records. Flow charts 1 and 2 refer to Tables 1 and 2 respectively.

Key to symbols:

- PHASES: sequential phases
- ADDITIONAL PHASES: additional phases (performed on request of the customer) that are not an integral part of auditing activities
- Arrows: moving from one phase to another
- Rhombuses: decisions. The rhombus divides the original flow into 2: the main one focuses on achieving the final result, while the secondary one comprises one or more phases that must be completed before returning to the main flow.


WARNING: for the differences during RECERTIFICATION, see notes at page 17


FLOW CHART N° 2 - MAIN CERTIFICATION PROCESS PHASES: SURVEILLANCE

Columns (operative responsibility): OFFICE MANAGER (CU); SECRETARY (SEG); CTQ / DCI MANAGER; AUDITING TEAM (GVI); JOB MANAGER (RPC); CUSTOMER / ORGANISATION.

Phases:
1 Opening of upcoming surveillance audit process
2 PVP review
3 Appointment of GVI and communication of audit data
4 On-site audit (surveillance)
5 Control and confirmation of RVI
6 Acceptance of CA proposals and communication of positive outcome
7 Planning and performing supplementary audits
8 Suspension proposal / approval of proposal
9 Checking documents for completeness / termination of process

Decisions (YES/NO rhombuses): “SMS compliant?” after phase 5; “SMS compliant?” after the supplementary audits of phase 7; “Current contract?” before the suspension proposal of phase 8.


4.4 DESCRIPTION OF THE MAIN CERTIFICATION, SURVEILLANCE AND RECERTIFICATION PROCESSES

Table 1 – DESCRIPTION OF THE MAIN CERTIFICATION AND RECERTIFICATION PROCESS PHASES

Each phase is described by: Input (1), Description of activity, Output/Objective (2), Critical factors (3), Electronic records, Hard-copy records.

(1) Input: initial event of a phase. (2) Output/Objective: result of the phase, reason why the phase was performed. (3) Critical factors: particularly critical aspects to consider.

1 DEFINITION OF OFFER

Input: QI completed by customer

Description of activity: CU, or his/her delegate, performs the following activities:
- makes sure the resources needed to carry out the audit process within the deadlines are available;
- defines whether to carry out stage 1 audits in the office and/or at the organisation;
- defines the audit times for stage 1 and stage 2 audits;
- calculates the cost of certification and relative maintenance on the basis of the price list, bearing in mind the effective time required to perform the service in man-days (see Annex 1);
- checks that all activities are included in certification;
- for multi-site organisations, prepares the sampling plan (see Annex 2);
- records the data required to prepare the offer in the form SGS CONTRACT REVIEW;
- records all the non-documented information from the client (for example information acquired over the phone) in the informative questionnaire.

Output/Objective:
- Definition of the data to include in the offer
- Definition of the sampling plan for permanent sites

Critical factors:
- Check carefully who provided the consultancy service so as to manage the risk of conflict of interest and independence (see PR-DCI-RIS-01).
- No exclusion is permitted.

Records:
- QUAINFS completed by customer
- SMS CONTRACT REVIEW filled in by RINA

2 PREPARATION OF OFFER

Input: form SGS CONTRACT REVIEW filled in

Description of activity: SEG prepares the offer, inclusive of the sampling plan (if required for multi-site organisations) and man-days. Basic company information means the official name of the Organisation subject to certification (registered name and address) and the operative units (sites) where the activities subject to certification are performed (temporary sites are also included).

Output/Objective: offer prepared (inclusive of the sampling plan if necessary and the man-days)

Critical factors:
- Production site (if different from company headquarters)
- Type of accreditation

Electronic records:
- Registration of potential customer's data on ANACLI, CAI-C
- Registration of the name of the person who drew up the offer

Hard-copy records: offer printed by CAI-C

3 CONTROL/SIGNING OF OFFER

Input: completed offer

Description of activity: CU checks and signs the offer. SEG despatches it.

Output/Objective: offer signed by CU and sent to the Organisation

Critical factors: none indicated

Electronic records: none indicated

Hard-copy records: offer printed by CAI-C and signed by CU


4 CONTROL OF ORDER / APPOINTMENT OF RPC

Input:
- Customer order, or
- Certification application on RINA form

Description of activity: CU A) examines the Application/Order to ensure it is complete and consistent with the offer; B) allocates job responsibility to an RPC and informs SEG accordingly.

Output/Objective:
- Application/Order complete and consistent with the offer
- Allocation of job responsibility to an RPC

Critical factors:
- Workload of RPC
- Competence of RPC

Electronic records: none indicated

Hard-copy records:
- Customer order, or
- Application for certification (RICCER) filled in and signed by the customer and initialled by CU

5 OPENING OF JOB / SIGNING OF CONTRACT

Input:
- Application/Order complete and consistent with the offer
- Job responsibility allocated to RPC

Description of activity: SEG registers acceptance of the offer on CAI-C, enters the name of the RPC and prints the “Confirmation of acceptance”, which is automatically generated by CAI-C. CU checks and signs the “Confirmation of acceptance”. SEG sends the “Confirmation of acceptance” to the customer.

Output/Objective:
- Contract between RINA and customer stipulated
- SMS documents requested for review

Critical factors: “Field of application of SMS” entered in CAI-C in Italian and English by SEG

Electronic records:
- Opening of contract on CAI-C
- Allocation of job to an RPC

Hard-copy records:
- “Confirmation of acceptance” form printed by CAI-C and signed by CU
- Customer documents file

6 PLANNING/PERFORMING PREAUDIT (ON REQUEST)

Input: preaudit application by Customer

Description of activity: RPC defines, with suitable advance (generally at least 3 days before the date of the visit): A) the audit times, to be agreed with the Organisation; B) the members of the GVI (see the New Age REPORT for auditor qualifications). The preaudit must be performed by a GVI whose members are qualified as Auditor, LEAD AUDITOR or TEC; at least one member must be a LEAD AUDITOR acting as Team Leader. During the preaudit, the GVI checks that the SMS of the Organisation complies with the requirements of the reference standard and the RINA Rules for the specific activity applied for on the QI and on the application for certification.

Output/Objective: preaudit RVI (identified with the job number followed by /P) making observations on the conformity of the system and any other considerations

Critical factors: the preliminary audit results must not be considered for certification purposes

Electronic records: completion of steps on ASCESI:
- Fax “Communication of preaudit date”
- RVI

Hard-copy records:
- Print from ASCESI of the “Communication of preaudit date” fax signed by RPC
- Print from ASCESI of the RVI signed by TL and countersigned by the customer (the original is kept by RINA while the photocopy is kept by the customer) (4)

(4) In the event of a malfunction in ASCESI, the report may be completed using the forms in the Forms database on Lotus; subsequently, either RPC or members of the GVI are responsible for adding in the Notes field in ASCESI that “the report has been filled in on paper and filed”, including also the date and author.


7 APPOINTMENT OF GVI

Input: contract between RINA and customer

Description of activity: RPC defines the members of the GVI and the Team Leader. RPC must define suitable GVIs for the audit (stages 1 + 2; see the New Age REPORT for auditor qualifications) (5). The names of the GVI members must be communicated to the Organisation (the Organisation may reject any of these members if it so desires). The following conditions must be satisfied for the (stage 1 + stage 2) audits:
- the stage 1 audit shall be performed at the customer’s premises; in exceptional cases stage 1 may be carried out without a visit;
- stage 2 must be undertaken at the customer’s premises;
- the members of the GVI must be qualified as Security Auditors, LEAD AUDITOR or TEC (6), and one member must be qualified as LEAD AUDITOR acting as Team Leader;
- the person who performs stage 1 should also participate in stage 2.
The RPC informs the Scheme responsible about the planning of the audit at least 2 weeks in advance.

Output/Objective:
- Appointment of GVI to perform the stage 1 audit
- Appointment of GVI to perform stage 2
- Email to scheme responsible

Critical factors: the appointment of the GVI and Team Leader must consider the specific competence and personal characteristics required for the type of Organisation. Moreover, check carefully that the members of the GVI were not involved in providing the consultancy service for the Organisation’s SMS. Check the admissibility of any audit time reduction. In the document “Communication of stage 1 audit data”, remember to eliminate the non-applicable part depending on whether stage 1 was performed in the office or at the Organisation’s premises.

Electronic records:
- Names of GVI members in ASCESI
- Compilation of step in ASCESI (“Receipt stage 1 documents for document review” – “Communication of stage 1 audit data”)

Hard-copy records: print from ASCESI of the fax “Communication of stage 1 audit data” signed by RPC/TL and sent to the Organisation

(5) To ensure the audit is performed on an independent basis, each qualified auditor/technician must inform RPC of any relationship existing, or that has existed in the last three years, with an organisation under audit, before accepting an appointment.


8 STAGE 1 AUDIT

Input:
- SMS documents sent by customer:
  - Security Management Documentation, including the list of security procedures and instructions
  - Chamber of Commerce registration / equivalent document
  - Management System organisation chart
  - Site(s) map
  - Last Management Review
  - Internal audit planning
  - List of laws and/or rules applicable to the product/service supplied
  - List of sites under way with description of activities performed externally
- Name of GVI responsible for the stage 1 audit

Description of activity: the appointed GVI checks that the documentation complies with the requirements of the standard and the RINA rules for the specific activity requested in the QI and the certification application, fills in the stage 1 audit report and sends a copy of the report to the Organisation. From an examination of the documents requested, the customer's status and understanding of the requirements of the standard must be evident, with particular reference to the identification of key performance or significant SMS aspects, processes, objectives and functioning. In particular, from the “Management Review” the following are checked:
- whether the internal audits have been performed;
- whether suitable measurable indicators have been identified for each relevant process;
- whether SMS improvement objectives have been identified.
Examination of the site plan and of the SMS documentation enables an assessment to be made of the location in order to correctly plan stage 2. From a review of the documentation, information is collected concerning the organisational structure of roles, responsibilities and authorities, consistent with the achievement of the security management policy, targets, objectives and programmes.

Output/Objective: stage 1 audit report (identified by the file number followed by /STG1 ON or /STG1 OFF depending on whether the audit was performed on or off site)

Critical factors: structural organisation for security management not adequate

Electronic records: completion of step “stage 1 audit” in ASCESI

Hard-copy records: print of the stage 1 audit report from ASCESI

(6) For the purpose of calculating man-days, TEC is not taken into account. For the “Health and social services” sector, in cases where an increase of the audit times specified by Table 1 (Annex 1) is foreseen, the said increase can also include the man-days of TEC.


9 PREPARATION AND DESPATCH OF STAGE 2 AUDIT

Input: stage 1 audit report

Description of activity: RPC performs the following activities (at least 3 days before the audit date): A) checks the audit times according to Annex 1; B) agrees on the audit date with the customer; C) defines the sites according to Annex 2; D) prepares the stage 2 audit plan (PVI) in collaboration with TL and sends it to the Customer. Any mobile activities and/or activities at customers' facilities included in the field of application of the certified SMS must also be checked (e.g. cleaning contractors, security guards, waste collection, goods transport, building sites, management of canteens, management of health, social or welfare services).

Output/Objective: “Audit plan – PVI” and “Despatch of stage 2 audit plan” sent to the customer

Critical factors:
- The SMS must have been operative for at least 3 months when the audit is performed (see “RINA Rules”).
- Production / service provision processes are audited by the GVI member who is qualified in the relevant EA sector.
- An audit day consists of at least 8 hours, excluding travelling time.
- Audit times of less than half a day are unacceptable.

Electronic records: completion of steps in ASCESI:
- “Audit plan – PVI”
- “Despatch of stage 2 audit plan”

Hard-copy records: print of the following documents from ASCESI:
- “Audit plan – PVI”
- “Despatch of stage 2 audit plan”

10 ON-SITE AUDIT (CERTIFICATION)

Input:
- Audit plan – PVI
- Stage 1 audit report
- Customer’s SMS documents

Description of activity: the GVI checks that the Customer's SMS complies with the requirements of the standard and the RINA Rules for the specific activity applied for on the QI and on the application for certification. Checklists may be used during on-site audits, and the forms for recording observations must be filled in (QUASQA08V).

As regards legally binding requirements, the GVI must limit the audit to the legally binding requirements applicable to the products and services covered by the field of application of the certificate. If it is found that requirements not directly connected with the products and services are not observed (e.g. staff safety requirements), the Team Leader must report such breaches to the audited Organisation and officially inform RINA.

In the space “strong points of the system”, an opinion is to be given on the compliance of the SMS with the requirements of the reference standard, with particular attention to personnel competency and the suitability of the procedures.

Output/Objective: stage 2 audit report (identified by the file number) countersigned by the customer

Critical factors: during the initial meeting, the Organisation is to confirm the number of personnel.

Electronic records: completion of step “Stage 2 audit” in ASCESI for the RVI

Hard-copy records:
- Print from ASCESI of the RVI signed by the Team Leader and countersigned by the customer (the original is kept by RINA while the photocopy is kept by the customer) (7)
- Checklist, which may be completed by the GVI (ISO 28000 specific checklists available in FORMS)
- Observation Forms completed by the GVI (Form QUASQA08V available on FORMS)

(7) In the event of a malfunction of ASCESI, the report may be completed using the forms in the Forms database in Lotus; subsequently, either RPC or members of the GVI are responsible for adding in the Notes field in ASCESI that “the report has been filled in on paper and filed”, including also the date and author.

11 CONTROL AND CONFIRMATION OF RVI

Input:
"Stage 2 audit" report countersigned by customer

Description of activity:
After three working days have elapsed from the date the audit finished, the Customer may consider the contents of the RVI as confirmed. If RPC decides to make variations to the RVI issued by Team Leader to the Organisation, such as a change in the classification of a finding or the need for an audit before the planned date, the Organisation must be informed accordingly. The lead auditor or the RPC will then inform the Scheme Responsible of the results of the audit.

Output/Objective:
"Stage 2 audit" report countersigned by customer and signed by the auditor qualified for the scheme

Critical factors:
If RPC is not a member of the GVI, it is advisable that he/she checks the content of the RVI.

Electronic records:
Completion of any steps in ASCESI confirming the contents of the RVI

Hard-copy records:
- RVI initialled
- Possible print out from ASCESI of Confirmation of the contents of the RVI signed by RPC

12 ACCEPTANCE OF CA PROPOSALS

Input:
Treatment, analysis of causes, CA proposals and implementation times

Description of activity:
RPC or Team Leader checks that the corrective action and implementation times proposed by the Customer are sufficient. If the outcome of the control is positive, RPC confirms this acceptance in writing. This activity may also be done through the software programme ASCESI.

Output/Objective:
Treatment, analysis of causes, CA proposals and implementation times accepted

Electronic records:
- Stage 2 report in ASCESI

Hard-copy records:
Non-conformity forms initialled by Team Leader or RPC

13 CERTIFICATION PROPOSAL

Input:
- RVI (SMS COMPLIANT)
- CA proposals and accepted implementation deadlines

Description of activity:
RPC, assisted by SEG, prepares the documentation to send to CTSec and signs the certification proposal. He/she draws up the PVP in collaboration with Team Leader.

The date of the first surveillance audit following the initial audit corresponds to the date proposed by the GVI on the last page of the certification RVI. This will be subsequently accepted by CTSec and must not be fixed more than 12 months after the end of stage 2 of the initial audit.

In all cases, the PVP must involve at least one audit every 12 months, on the basis of a programme which ensures that all the points of the reference standard and every process are audited at least once during the three years of validity of the Certificate.

Output/Objective:
- Certification/extension proposal
- PVP

Critical factors:
- Completeness of documents
- A 10-22-33 months audit programme is recommended in order to observe the compulsory expiry dates; for contracts that foresee six-monthly audits, schedule audits at 6-12-18-24-30-33 months

Electronic records:
- Completion of step in ASCESI "Three-yearly audit programme-PVP"
- Completion of "Procedure/proposal" icon in ASCESI

Hard-copy records:
Print from ASCESI of documents signed by RPC:
- PVP
- "Certification procedure and certification/extension proposal" document

14 PLANNING AND PERFORMING SUPPLEMENTARY AUDITS

Input:
- RVI (SMS NON-CONFORMING)
- CA proposals and accepted implementation deadlines

Description of activity:
RPC defines (at least 1 week before the date of the visit): A) the audit date B) members of the GVI. The GVI must include at least one member who performed the previous on-site audit (stages 1 and 2), chosen depending on the type of findings that made the supplementary audit necessary, and who is qualified as a LEAD AUDITOR.

The extent of the supplementary audit is assessed by RPC, together with Team Leader, on a case by case basis, depending on the number and type of major NCs found.

a) If there is a small number of findings (type A) and these are precise, the audit is limited to checking that suitable CA has been implemented (within 3 months of the audit that caused the supplementary audit to be performed)

b) If there is a large number of findings (type A) (>5), or in overall terms the System seems insufficient, an audit will be made on all the requirements/processes of the standard (within 3 months of the audit which necessitated a supplementary audit). For alternative a), the audit may be limited to a documents review.

Output/Objective:
RVI countersigned by Customer (identified by the job number followed by /S)[8]

Critical factors:
Membership of GVI according to NC and previous GVI audit

Electronic records:
Completion of steps in ASCESI:
- "Communication of need for supplementary audit" fax
- RVI

Hard-copy records:
- Print from ASCESI of the RVI signed by Team Leader and countersigned by the customer (the original is kept by RINA while the photocopy is kept by the customer)[9]
- Findings forms of the previous RVI with evidence that NCs have been eliminated

[8] If further SMS A-type NCs are found during the supplementary audit, a complete on-site audit must be performed.
[9] In the event of a malfunction of ASCESI, the report may be completed using the forms in the Forms database in Lotus; subsequently, either RPC or members of the GVI will be responsible for adding in the Notes field in ASCESI that "the report has been filled in on paper and filed", including also the date and author.

15a APPROVAL OF PROPOSAL BY CTSec

Input:
- SGS CONTRACT REVIEW form
- RVI stages 1 and 2 (+ supplementary audit report, where applicable)
- Certification procedure and certification/extension proposal
- Organisation's list of security processes, field of application of the SMS and justification of any exclusions
- CC records (or equivalent document) not more than six months old
- Informative questionnaire
- Observation sheets (QUASQA08V) filled in by the members of the GVI
- PVP

Description of activity:
CTSec checks and approves (see IS-SCC-CER-01) the certification proposal and allocates the certificate number to the Organisation in question. As regards the members of CTSec, in addition to the contents of document IS-SCC-FCT-01, CTs generally consist of experts qualified as auditing team leaders or auditors, either RINA employees or external staff, who have specific experience in the security sectors, in compliance with the qualification requirements for auditors established in instruction IS-DCI-AUD-01. If CTSec decides to make variations to the RVI issued by Team Leader to the Organisation, such as a change in the classification of a finding or the need for an audit before the planned date, the Organisation must be informed accordingly, using the letter formats available in ASCESI. SEG prints from ASCESI the "certification/validation communication" and sends it to the customer.

Output/Objective:
- Certified customer (certificate number assigned at the date of the CTSec approval)
- Communication to customer that certification has been issued (SEG)

Critical factors:
The competence of the person reviewing the job (see above) and the independence between the persons participating in the audit process (RPC, who did the document review, and GVI) and the person checking the certification proposal must always be ensured.

Electronic records:
- Generation of certificate number by ASCESI (CERTIFY)
- Outcome of the control of the files registered in the checklists available in ASCESI
- "Certification/validation communication" in ASCESI

Hard-copy records:
- "Certification procedures and certification/extension proposal" document stamped and signed for approval by CTSec chairman
- Communication to customer of certification (print from ASCESI of "Communication of certification" document)
- Technical quality committee report

15b APPROVAL OF PROPOSAL BY CA/CU

Input:
- SGS CONTRACT REVIEW form
- RVI stages 1 and 2 (+ supplementary audit report, where applicable)
- Certification procedure and certification/extension proposal
- the Organisation's list of security procedures, field of application of the SMS and justification of any exclusions
- CC records (or equivalent document) not more than six months old
- Informative questionnaire
- Observation sheets (QUASQA08V) filled in by the members of the GVI
- PVP

Description of activity:
The review is performed using the same criteria adopted by members of CTSec, with the help of a special checklist prepared by particularly well-trained auditors appointed by CTSec itself (see document "Delegation of checking activities regarding certification/extension/recertification files and of certificate number assignment", available in Instructions to technicians). On the basis of the controls made, CA/CU signs the proposal for approval and, if necessary, adds a short note about the decision taken and allocates the certificate number to the Organisation in question. If the auditor who did the review decides to make variations to the RVI issued by Team Leader to the Organisation, such as a change in the classification of a finding or the need for an audit before the planned date, the Organisation must be informed (using the letter formats available in ASCESI). SEG prints from ASCESI the "certification/validation communication" and sends it to the customer.

Output/Objective:
- Certified customer (certificate number assigned at the date of CA/CU approval)
- Communication to customer that certification has been issued (SEG)

Critical factors:
The competence of the person reviewing the job (see above) and the independence between the persons participating in the audit process (RPC, who did the document review, and GVI) and the person checking the certification proposal must always be ensured.

Electronic records:
- Generation of certificate number by ASCESI (CERTIFY)
- Outcome of the control of the files registered in the checklists available in ASCESI
- "Certification/validation communication" in ASCESI

Hard-copy records:
- "Certification procedures and certification/extension proposal" document signed for approval by CA/CU
- Communication to customer of certification (print from ASCESI of "Communication of certification" document)
- Technical security committee report

16 SIGNING THE CERTIFICATE

Input:
Printed certificate with expiry date at 36 months from the proposal approval date

Description of activity:
The Scheme Manager checks the text of the certificate. Following the successful outcome of this control, the DCI manager electronically signs the certificate.

Output/Objective:
Certificate signed by DCI Manager

Critical factors:
- Typing errors
- English translation
- Presence of operative work-sites
- Possible logo of accreditation bodies[10]

Electronic records:
- Print from ASCESI (PRINT from CERTIFY PROCESS)
- Electronic signature via ASCESI (SIGNATURE)

17 PUBLICATION OF CERTIFICATE

Input:
Signed certificate

Description of activity:
If the payment conditions have been met, ASCESI makes the customer's certificate automatically available in the "Member Area" and a copy on the RINA internet site for the public. SEG prints from ASCESI the "certificate/validation and PVP publication in the Member Area communication" and sends it to the customer. Process closed.

Output/Objective:
- The certificate of conformity and the PVP are made available to the customer via the "Member Area" reserved for him/her on the RINA portal.
- A copy of the certificate is available to the public on the RINA site.

Electronic records:
- "Certificate/validation and PVP publication in the Member Area communication" from ASCESI

Hard-copy records:
- Copy of Certificates

18 CHECKING DOCUMENTS FOR COMPLETENESS

Input:
Job documents

Description of activity:
Documentation checked for completeness and completed if necessary (according to QUASQA2). Check made that all the Steps in ASCESI have been completed (Completed). Process closed.

Output/Objective:
Process closed

Electronic records:
- Check that all the Steps in ASCESI have been completed (Completed). Process closed.

Hard-copy records:
Registration in QUASQA2

[10] It is not possible to issue certificates without an ACCREDIA logotype for an EA sector for which RINA is accredited by ACCREDIA, unless the logotype of another accreditation body is used (e.g. INMETRO).

RECERTIFICATION NOTES:

The phases in table 1 also apply to the recertification process, taking into account the following differences:

PHASE 1: in the case of contracts without expiry date, the Office Manager, upon receiving the IQ during the recertification activity, checks for the existence of any changes that may entail a contract change; if the contract must be modified, a new offer must be prepared, otherwise the current contract remains valid

PHASES 2, 3, 4, 5: applicable only if, during PHASE 1, the Office Manager, while checking the IQ, deems it necessary to revise the current contract

PHASE 8: it is not mandatory to split the audit into stage 1 + stage 2; it may be necessary in the case of significant changes

PHASE 9: the reference document in ASCESI is DESPATCH RECERTIFICATION AUDIT PLAN

PHASE 10: among the input documents, include the audit reports for the previous three years; the relevant step in ASCESI is RECERTIFICATION AUDIT

PHASE 13: the contents of the CRITICAL FACTORS field cannot be applied to RECERTIFICATION: after the first recertification audit, the three-year programme must foresee 12 - 24 - 36 months from the recertification audit

PHASES 15a and 15b: the entire recertification process, including any additional audits, must be completed prior to the expiry date of the certificate.

Table 2 – DESCRIPTION OF THE MAIN SURVEILLANCE PROCESS PHASES

Columns: PHASES | INPUT[11] | DESCRIPTION OF ACTIVITY | OUTPUT/OBJECTIVE[12] | CRITICAL FACTORS[13] | ELECTRONIC RECORDS | HARD-COPY RECORDS

1 OPENING OF UPCOMING SURVEILLANCE AUDIT PROCESS

Input:
PVP

Description of activity:
RPC opens the upcoming surveillance audit process in ASCESI. Audits must be performed by the date indicated on the PVP; on receipt of a justified (lack of orders, staff layoffs, large-scale organisational changes, other) written request by the organisation, RPC may postpone surveillance audits by no more than three months, taking into account, however, that in any case one surveillance audit per calendar year is to be performed. The first surveillance audit after the initial audit is in any case to be performed not more than 12 months after the end of stage 2 of the initial audit.

Output/Objective:
Process opened

Critical factors:
A postponed surveillance audit does not affect the dates of the subsequent visits.

Electronic records:
Open process operation in ASCESI

Hard-copy records:
-

2 PVP REVIEW

Input:
- PVP
- Previous audit documents

Description of activity:
When preparing a surveillance audit, RPC, together with TEAM LEADER, decides whether or not to update the PVP as a result of any problems that may have emerged during previous audits.

Output/Objective:
PVP checked by RPC/TEAM LEADER

Critical factors / Electronic records / Hard-copy records:
-

3 APPOINTMENT OF GVI AND COMMUNICATION OF AUDIT DATA

Input:
Customer contacts RPC or vice versa

Description of activity:
RPC performs the following activities:
A) checks audit times on PVP
B) defines members of the GVI and LEAD AUDITOR. RPC must define suitable GVIs for the audit (see New Age REPORT for auditor qualifications)[14]. The following conditions must be satisfied for the audit:
- the members of the GVI must be qualified as Security Auditor, LEAD AUDITOR or TEC[15], and one member must be qualified as LEAD AUDITOR to act as TEAM LEADER
- in overall terms, the GVI must be composed of Security qualified auditors
C) fixes the date of the audit with the customer
D) checks the sites to be verified based on the PVP
E) prepares and sends to the Client, together with the TEAM LEADER, the communication "Despatch surveillance audit plan" (the Organisation may reject any of these members if it so desires)
F) informs the scheme responsible about the audit plan.

Output/Objective:
Assignment of GVI for audit and preparation of audit plan – PVI

Critical factors:
SEE PHASE 7 Table 1

Electronic records:
- Audit plan – PVI
- Despatch surveillance audit plan

Hard-copy records:
Print from ASCESI the document "Despatch surveillance audit plan", signed by RPC/TEAM LEADER, and send it to the Organisation

4 SURVEILLANCE AUDIT

Input:
- Communication "Despatch surveillance audit plan"
- PVP
- RVI of previous audit

Description of activity:
GVI checks that the Customer's SMS complies with the requirements of the reference standard and the RINA Rules for the specific certified activity.

The audit is performed on the items established in the PVP and may be extended to other areas if necessary (for example, a specific complaint by an interested party, extensions to activities, etc.).

The following must always be audited:
- internal audits and management review
- any changes to the SMS documents
- progress of planned activities aimed at continual improvement
- continuing operational control
- any complaints dealt with
- effectiveness of the management system and progress of activities aimed at continuous improvement
- the CA taken as a result of the NCs discovered during the previous audit
- the preventive action taken as a result of the NCs discovered during the last audit
- use of the RINA logotype
- publication of the SMS and the products/services supplied by the Organisation, also by checking any Internet sites.

Output/Objective:
RVI "surveillance audit"

Critical factors:
SEE PHASE 10 Table 1

Electronic records:
Completion of step "Surveillance audit" in ASCESI

Hard-copy records:
SEE PHASE 10 Table 1
Confirmation that the CA has been taken is indicated on the findings forms of the previous RVI, complete with the CA proposal, indicating for each finding a brief description of the evidence found, the outcome of the audit and the date of the audit

5 CONTROL AND CONFIRMATION OF RVI

Input:
"Surveillance audit" report countersigned by the customer

Description of activity:
SEE PHASE 11 Table 1

Output/Objective:
"Surveillance audit" report countersigned by the customer and signed by auditor qualified for the scheme

Critical factors:
SEE PHASE 11 Table 1

Electronic records:
SEE PHASE 11 Table 1

Hard-copy records:
SEE PHASE 11 Table 1

[14] To ensure the audit is performed on an independent basis, each auditor, qualified as TEC/AUDITOR/LEAD AUDITOR, must inform RPC of any relationship existing, or that has existed in the last three years, with the Organization under audit, before accepting an appointment.
[15] For the purpose of calculating the number of man/days, TEC is not taken into account. For the "Health and Social Services" sector, in cases where an increase of the audit times specified by Table 1 (Annex 1) is foreseen, the said increase can also include the man/days of TEC.

6 APPROVAL OF CA (if any NCs have been found) OR COMMUNICATION OF POSITIVE OUTCOME

Input:
Treatment, analysis of causes, CA proposals and implementation times

Description of activity:
RPC or TEAM LEADER checks that the corrective action and implementation times proposed by the Customer are sufficient. If the outcome of the control is positive, RPC confirms this acceptance in writing. This activity may also be done through the software programme ASCESI. If no NCs have been found, the Communication of positive audit outcome may be sent immediately. If necessary, a new PVP is also sent together with acceptance of the CA proposals.

Output/Objective:
- Treatment, analysis of causes, CA proposals and accepted implementation times

Critical factors:
If the Organisation does not send its CA proposals within the agreed date, after 10 days have elapsed from that date, the RPC will send a written reminder to the organisation informing it that if the proposals are not sent within a further 5 working days, the RPC will prepare a suspension proposal (IS-SCC-CER-01).

Electronic records:
Completion of steps in ASCESI:
- "CA approval" or
- "Communication of positive audit outcome" (if no NCs have been found)

Hard-copy records:
- Non-conformity forms signed by TEAM LEADER or RPC
- Print from ASCESI of documents signed by RPC

7 PLANNING AND PERFORMING SUPPLEMENTARY AUDITS

Input / Description of activity / Output / Critical factors / Electronic records / Hard-copy records:
SEE PHASE 14 Table 1[16]

8 SUSPENSION PROPOSAL/APPROVAL OF PROPOSAL

Input:
- Supplementary RVI (NON-CONFORMING SMS)

Description of activity:
RPC prepares the suspension proposal and sends it to CTSec, specifying the reason. CTSec defines a deadline for the suspension period (see IS-SCC-CER-01).

Output/Objective:
Certificate suspended

Electronic records:
- Suspension of certificate from ASCESI and relative communication

Hard-copy records:
Suspension proposal signed by RPC and the CTSec chairman

9 CHECKING DOCUMENTS FOR COMPLETENESS/CLOSURE OF PROCESS

Input:
Job documents

Description of activity:
Documentation checked for completeness and completed if necessary (according to QUASQA2). Check made that all the Steps in ASCESI have been completed (Completed). Process closed.

Output/Objective:
Process closed

Electronic records:
- Check that all the Steps in ASCESI have been completed (Completed). Process closed.

Hard-copy records:
Registration in QUASQA2

[16] If a supplementary audit on a certified Customer is unsuccessful, the certificate must be suspended.

5 INVOICING

Depending on the contract, invoices are issued at various phases of the certification process by the Administrative secretary of the office, using the CAI-C software application.

6 AMENDMENTS TO CERTIFICATION

A client who asks for a change to be made to the certificate (for example, modify the scope of the certificate, extension to another site, change in the operational unit, etc.) is to send RINA the informative questionnaire, duly filled in, and the File Manager (RPC) will assess the situation on a case by case basis.

RPC may consider the request as though it were an application for a new certificate, or he/she may have the modification checked during a check extra or during the surveillance audit.

CASE A

If the requested modification involves a change in the number of man days required for the audit, the situation must be handled as though it were an application for a new certificate (new offer, documents review, on-site audit, proposal to extend certification), assessing, during contract review, the possibility of performing also stage 1 (i.e. in the case of an extension to another site or sites).

CASE B

If the requested modification does NOT involve a change in the number of man days required for the audit, the modification to the certificate may simply be checked during a check extra or during the surveillance audit. In this case, as well as the points already indicated in the periodic audit plan, other points or departments of the Organisation involved in the modifications due to the variations in the system are also examined.

Please refer to Annex 1 for audit times.

In both cases, a new certificate will be issued.

In case B, in order to keep trace of the modification, RPC, assisted by SEG, makes all the necessary variations in ASCESI, adds a note in ASCESI describing the author of the modification, the type of modification made, the date and the reasons[17], and sends an e-mail to QMA and SEC asking to have the DCI manager sign the new version of the document, explaining the relative reasons.

7 PROCESS MEASUREMENT

The SMS certification process is controlled from the economic, operative and technical point of view by the various operative units, as indicated in the organisational structure documents.

The management and technical aspects of processes are monitored by the IPR Manager who defines performance indicators for pertinent levels and functions, in collaboration with the Scheme Manager (e.g.: a performance indicator for RPCs is the respect of the deadlines defined in the audit programme).

The economic aspects of processes are measured by the COD manager who checks turnover, costs, the services rendered by the Operative Network and budget variations.

8 PRESERVATION OF RECORDS

The hard-copy and electronic records relative to certified Organisations are kept by ROC as follows:
- audit files with relative records must be kept for the current three year period as well as for the previous three year period
- the list of security procedures/instructions must be kept for the time required for its review until the certificate is issued
- copies of issued certificates must be kept indefinitely.
CTSec meeting minutes are kept for at least 10 years.

[17] If this modification involves more than one organisation, the note in ASCESI must be added to the files of all the organisations involved.


9 ANNEXES

Annex 1 – Definition of audit times
Annex 2 – Sampling plans for sites
Annex 3 – Transfer of certification


ANNEX 1 – DEFINITION OF AUDIT TIMES

1 DEFINITION OF AUDIT TIMES

The overall time, in man days, taken to audit an Organisation includes the time taken to plan the audit, review the documents, perform the stage 1 and stage 2 audits, write the report and manage the general aspects of the job.

RPC must suitably calculate the time to spend on each audit, depending on the complexity and size of the organisation in question. Particular attention must be paid when calculating the man days for the on-site audit as this is the most critical phase in the entire certification process. The use of fewer man days than necessary for the on-site audit, in fact, may make the audit results totally unreliable.

The following "Table of certification audit times" defines the average, minimum and typical time in man days[18] required for the certification audit of organisations of medium, low and high complexity, depending on the number of employees. At least 80% of the times indicated in the table are to be used for the on-site audit.

Audit times may be increased or reduced depending on the complexity and size of the organisation.

The following paragraphs illustrate the criteria for defining:

• the number of employees indicated in the table

• the conditions for increasing or reducing the times indicated in the “Table of certification audit times”.

Any reduction or increase in on-site audit times with respect to those indicated in the table must be suitably justified by RPC in the "Certification procedure and certification/extension proposal" document.

The time required for the annual surveillance and recertification audits is 1/3 and 2/3 respectively of the time required for the certification audit, bearing in mind the complexity and size of the organisation in question.

TABLE OF CERTIFICATION AUDIT TIMES

Columns: N° employees | Average man/days (medium complexity and/or risk) | Minimum man/days (low complexity and/or risk) | Typical man/days (high complexity and/or risk) | Reduction if organisation is certified to another management system (MS) standard or security code which is integrated with the security MS

   1 |  1 |  1 |  1 | 0
  10 |  3 |  3 |  3 | 0
  30 |  6 |  4 |  8 | <20%
 100 |  8 |  5 | 11 | <20%
 500 | 12 |  9 | 15 | <20%
2000 | 15 | 10 | 20 | <20%

Details about the calculation are defined in the offer calculation form.

NOTE 1 The number of employees is calculated according to paragraph 2 below.
NOTE 2 The total audit time indicated in the table may be reduced according to column 5 of the table.
NOTE 3 The time required for the on-site audit activities (including possible on-site document review) is to be at least 90% of the total audit time indicated in the table.

[18] A work day is understood to contain 8 hours, excluding travelling time. No more than 8 hours must be considered when calculating work days. The minimum audit time is 1 man/day.


NOTE 4 The time required for the annual surveillance and recertification audits is 1/3 and 2/3 respectively of the time required for the certification audit, bearing in mind the complexity and size of the organisation in question.
NOTE 5 When calculating the audit time, it is necessary to round up to the next half day (i.e. 1,1→1,5; 1,6→2).
NOTE 6 One man/day is to be understood as 8 hours, excluding travelling time; daily time spent in excess of 8 hours is not to be considered in terms of calculating man/days; the minimum audit time is 1 man/day; audit times of less than half a day are unacceptable.
NOTE 8 Time to be spent on stage 1:
- if performed in the office: 0,5 man/days, to be added to the on-site audit time
- if performed at the Organisation's premises: 1-30 staff: 0,5 man/days (included in the on-site audit time); from 31 staff: 1 man/day; > 100 staff: min 1 man/day, max 33% of the audit time

2 CALCULATING THE EFFECTIVE NUMBER OF EMPLOYEES

The number of staff in the organisation to use when consulting the “Table of total time required for certification audit” is calculated by considering the number of employees (also including seasonal, part-time and temporary workers) and subcontractors whose work has the potential to affect security in the organization being audited. For staff who are not employed full-time (considered as 40 hours a week) and work on a non-continuous basis, an estimate of the time they actually dedicate to the Organisation must be made (e.g. total employees 100, of whom 50 working 20 hours a week and 50 working 40 hours a week: the actual number of employees is (100-50) + 50/2 = 75).

When deciding which employees to count, the season, month and day/date of the audit may be taken into account, as appropriate.

2.1 WORK SHIFTS

For activities based on shifts for the same type of work, no reductions are applicable.

3 CONDITIONS FOR INCREASING AND REDUCING AUDIT TIMES COMPARED WITH THOSE INDICATED IN THE TABLE

The time spent on each on-site audit activity can be reduced or increased compared with that shown in the “Table of total time required for certification audit”, depending on the nature and characteristics of the Organisation in question. In all cases where adjustments are made to the time provided in the previous table, sufficient evidence and records shall be maintained to justify the variation.

Generally speaking, this kind of modification to audit times may not exceed 30% of the man days indicated in the table for that category of staff.

Examples of factors that may reduce the number of man days are:

- process with very low security risks

- previous knowledge of the organisation’s system (e.g. already certified for another standard by the same body)

- very simple supply chain

- premises very small for the number of employees (e.g. only one office complex)

- the fact that the client is prepared for certification (e.g. already certified or recognised in another third party scheme)

- the processes concern only one general activity (e.g. only one service)

- maturity of the management system


- high percentage of employees performing the same simple tasks

- same activities performed during all shifts, with adequate evidence of same performance during all shifts based on previous audits (internal audits and audits by the certification body)

Examples of factors which could lead to an increase in the number of man days are:

- complicated logistics involving more than one building or location where work is carried out, e.g. a separate design centre must be audited

- staff speaking more than one language (requiring interpreter(s) or preventing individual auditors from working independently). In this case, if the audit team requires the help of translators to understand written material, the time should be increased by 10%, and by a further 10% if verbal translators are required.

- very large site for number of employees (e.g. a timberland)

- highly regulated sector (food, aerospace, nuclear energy, …)

- the system concerns highly complex processes or a high number of single activities (not repeated)

- the processes concern a combination of hardware, software, processes and services

- activities that require visiting temporary sites to confirm the activities of the permanent site(s) whose management system is subject to certification (see Note 1).

4 ORGANISATIONS WITH MANAGEMENT SYSTEM ALREADY CERTIFIED BY ANOTHER CERTIFICATION BODY

For Organisations with SMS already certified by another Certification Body accredited by an organisation associated with MLA IAF, EA, the contents of Annex 3 apply.

5 GROUPS OF ORGANISATIONS

If audits are performed on Organisations belonging to the same owner, consortia or associations supplying the same product or service, featuring similar organisational structures, and adopting the same SMS, the times indicated in the table may be reduced, for each Organisation, by 30% (maximum reduction possible).

6 MULTI-SITE ORGANISATIONS

See Annex 2.

7 INTEGRATED SYSTEMS

In the event that audits are performed simultaneously on more than one Management System in an organisation (Integrated Systems), the times calculated by adding up the values shown for audits of the single Systems in the above table can be reduced, considering the organisation and the level of system integration on a case-by-case basis, as indicated in Annex 1, § 1.

8 EXTENSION OF CERTIFICATION TO ANOTHER MANAGEMENT SYSTEM

In the event that certification is extended to another Management System, times are established by the RPC on a case-by-case basis, considering the Organisation and the level of integration of the systems. Generally speaking, a 20% reduction in the values indicated in the table for the system for which certification extension is required may be considered.

9 EXTENSION OF A SITE OR AN ACTIVITY

If an Organisation makes a request to modify certification that affects the SMS, for example, extension of activity, change in address or extension to another site, audit times can range from those indicated for an annual surveillance audit to those indicated for a complete review, depending on the impact of the requested modification. If the modification requires a new job to be opened, the times used are those of a complete review; if the modification can be checked during the planned surveillance audit or during a specially planned extra audit, the times used are those of an annual surveillance audit.


ANNEX 2 – SAMPLING PLANS FOR SITES

1 FIELD OF APPLICATION

As regards the possibility of sampling, applicability is based on the conditions indicated below. If these conditions are not satisfied, each individual site must be audited applying the usual RINA procedures and be issued with individual certificates.

Generally, security threats are unique to each operational site, so all operational sites included in the organization’s scope of certification shall be subject to audit. The organization shall have carried out a threat and risk assessment for each site and shall implement operational controls accordingly. Similarly, security threats applicable to non-operational sites, such as those providing administrative services, are also unique, but by the nature of the activities undertaken they may present a lower risk to supply chain security.

If the supply chain services provided by all the sites are substantially of the same type and obtained using substantially the same methods and procedures, then the man days may be reduced; however, for all sites the specific threats shall have been identified and subjected to a risk assessment by the organization, and audited by RINA during an on-site audit.

The Organisation’s supply chain security management must be centrally managed and operated according to a centrally controlled process for carrying out security assessments and developing security plans. The following activities must be managed by the head office of the Organisation (or the head office must at least show it is able to collect and examine the data concerning the activities from all the sites and that it has the authority and capacity to introduce changes to the organisation if necessary):

− contract review (local acceptance of standard orders is permitted)

− supplier qualification

− assessment of training requirements

− control and modification of documents

− management review

− assessment of the effectiveness of corrective and preventive actions

− improvement objectives, targets and management programmes

− evaluation of complaints and incidents

− planning/execution of internal audits and assessment of results

− before the initial audit, the Organisation must perform an internal audit on each site and, following the completion of any corrective actions, assess its conformity with the reference standard

− slight variations in operative instructions are permitted from site to site due to differences in equipment and site dimensions

− as a general rule, not more than 100 employees should be assigned to each site.

Holdings come under this case provided they are registered in the register of companies and that the companies which belong to them have a legal or contractual connection with them.

Any deviations applied by RINA shall be documented and justified, applying a procedure that follows a risk management approach, based on:

• scope sectors or activities;

• type and size of sites eligible for multisite assessment;

• variation in the local implementation of the supply chain security management system, such as the need to consider local regulations, behavioural characteristics, threats from terrorism and crime statistics, and the use of supply chain security plans within the supply chain security management system to address different activities or different contractual or regulatory systems;

• use of temporary sites which operate under the supply chain security management system of the organization.

2 CONTRACT REVIEW

The complexity, type and location of the activities covered by the SMS and the differences between sites must be verified on the basis of the QI and the preliminary contacts with the organisation in order to determine the sampling level.

In all cases, the extent to which the sites produce and provide substantially the same type of supply chain services using the same procedures and methods must be verified.

The organisation must also inform RINA beforehand which sites are not ready at the moment of the initial assessment and therefore not subject to certification.

The methods for applying the sampling plan for permanent sites must form part of the documentation provided to the Organisation as the latter must be aware of the assessment and surveillance criteria used by RINA for the initial and surveillance audits.

Audit visits to temporary sites must be indicated in the offer.

3 AUDIT METHODS

3.1 AUDIT TIMES

The man/days to be used to audit the headquarters and any other site involved in the audit are shown below in relation to the sampling plan used.

For the headquarters, the time spent on the on-site audit can be calculated from the “Table of total time required for certification audit”, considering the number of staff working in the headquarters, fully using the corresponding man/days.

For the other sites, the time spent can be calculated from the “Table of total time required for certification audit”, considering the number of staff working in the site and reducing by up to 50% the corresponding man/days. The total number of man/days thus obtained for the headquarters and for the sampled sites is not to be less than the number of man/days corresponding to the staff of the whole organisation concentrated as if they were working in a single site.

Example:

Organisation with headquarters = 20 employees and 9 operational sites with 100 employees per site, for a total of 920 employees.

Applying the sampling plan and the above-mentioned rule, for 1st certification audit one obtains:

Headquarters (20 employees) = 3 man/days

Operational sites (100 employees for each sampled site) = 3,5 man/days (50% reduction for each site) x 3 sites = 10,5 man/days.

The total number of man/days for the 1st certification audit of the whole multi-site Organisation is 13,5, higher than the 13 man/days foreseen if the 920 employees were considered as being in the same site.

The above considerations apply also to the surveillance and complete review audits (1/3 and 2/3 respectively of the man/days used in the 1st certification audit).

3.2 PRELIMINARY ACTIVITIES

Before carrying out on-site audits, the GVI assesses the supply chain services activities carried out by the head office, paying particular attention to assessing the results of internal audits and the risk assessment performed, ensuring that all the sites and documentation relative to the activities performed on these sites have been covered and are compliant.

3.3 PERMANENT SITES

If the permanent sites, the resources at their disposal (number of employees) and the activities carried out are similar, the same SMS is applied and the requirements indicated in the previous points are satisfied, the above-mentioned sampling plan can be applied in order to reduce the number of sites to be audited and subject to evaluation. Otherwise, each site will be subject to audit (see Annex 2, §1). The choice of sites to audit both during the certification audit and surveillance audits must be based on the following criteria:

• variability of the size of the site,

• type of supply chain services provided,

• precedence given to auditing sites featuring greater management complexity,

• 25% of the sample sites, chosen as indicated in point 5, must be chosen at random, while the remainder must be selected so that as many different sites as possible are visited during the validity of the certificate. Six-monthly audits instead of annual ones can be agreed with the Organisation, if necessary.

Any sampling plans containing relevant differences from those shown in this document must be submitted by ROC to Scheme Manager for assessment and, in the case of substantial variations, an opinion may be requested from the Accreditation Body.

3.4 TEMPORARY SITES AND EXTERNAL WORK

3.4.1 GENERAL

As regards sampling the sites in which activities are performed outside the permanent sites of the Organisation, the criteria shown in the following points are applied, bearing in mind that such sites must in all cases be subject to assessment if the purpose of certification also includes external activities (e.g. maintenance activities, civil and industrial cleaning, supervision of construction, etc.).

If no external sites are operative when the initial assessment is performed, certification relative to external activities may not be issued to the Organisation.

In some cases, for certain activities indicated in the field of application of the organization, it may be acceptable for the Organisation to demonstrate its competence in the external activity by producing documentation relative to the work performed in these sectors in a sufficiently recent period. In this case, the document review performed at the Organisation's headquarters in order to evaluate whether the activities have been successfully executed may be acceptable.

In all cases, the Auditing team must indicate the audited sites, the type of activity performed and any activities audited on the basis of documents in the Report.

3.4.2 METHOD OF VERIFICATION

Regardless of the document assessments performed at the head office, an audit must be performed at the sites that were operative at the moment of the assessment as per the following criteria:

• Initial audit

At least one operative site must be visited for each type of activity carried out by the Organisation.

If the activities for which certification is requested refer to more than one activity, the document assessment may be accepted, for one activity, in lieu of the audit; this assessment must be made at the head office of the Organisation and must demonstrate that the activities were performed correctly, as long as such activities were not terminated more than three years before.

• Surveillance/recertification audits

In the period between the initial and recertification audits (first surveillance audit + second surveillance audit + recertification) all the activities mentioned on the certificate are to be audited on site. At least one operative site must be checked during each audit (surveillance or recertification).


3.5 PERMANENT AND TEMPORARY SITES

If the Organisation has both permanent and temporary sites (for example, a Sea Carriers company with several branches in Italy or abroad and several operative work-sites), the contents of either of the previous points are applied, as the case may be.

3.6 SHIPPING COMPANIES

In the particular case of shipping companies, during the certification and recertification audits, at least one audit is made for each type of ship, identified on the basis of the Ship Classification Rules, for every lot or part lot of 10 ships; (for example, in the case of an organisation that manages 7 RO-ROs, 11 OBOs, 1 chemical carrier, 2 tankers and 21 freighters, at least 8 ships must be audited).

As regards surveillance audits, during a period of 3 years, at least one ship per typology managed by the Organisation must be audited, with a minimum of one ship for each surveillance audit.

4 NON-CONFORMITY MANAGEMENT

If a non-conformity is found at the head office or on an operative site, corrective action must be applied to all certified sites. The result of corrective actions may also be audited by the Auditing team on a different site from the one where the non-conformity was found, subject to the audit of the documentation presented by the Organisation. RINA shall receive evidence of these actions and increase its sampling frequency until it is satisfied that control is re-established.

If marginal non-conformities are found on a regular basis, the GVI may require the Organisation to appropriately increase the frequency of its audits (at first, just internal audits and later, if non-conformities persist, RINA audits, too).

5 SAMPLING PLAN

The minimum number of sample sites on which initial and surveillance audits must be carried out is based on the following criteria:

a) Initial audit: the sample is given by the square root of the total number of sites, $Y = \sqrt{X}$, rounded up to the whole number.

b) Surveillance audits: the sample of sites to subject to annual audits is given by the square root of the total number of sites multiplied by a coefficient of 0.6, $Y = 0.6\sqrt{X}$, rounded up to the whole number.

c) Recertification: the sample of sites to be audited for recertification should generally be equal to the number examined during the initial audit; however, if the Management System has proved to be efficient during the last three years, the sample of sites to audit may be reduced by 20%, $Y = 0.8\sqrt{X}$, rounded up to the whole number.

The head office, as defined in point 4, is not considered in the above criteria as it must always be audited.

If the organisation intends to add a further series of sites to the previously certified sites, the new series must be considered regardless of the previously certified ones. The formula $Y = \sqrt{X}$, therefore, applies to these. The total number of sites is considered for subsequent surveillance audits.
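The calculation rules above (effective employees in § 2 of Annex 1, the half-day rounding of NOTE 5, the surveillance/recertification fractions of NOTE 4, the multi-site man/day check of § 3.1 and the sampling formulas of § 5) carried through in code. This is an added example, not part of the RINA instruction; the man/day lookup is constructed only from the page's own worked example (20 → 3, 100 → 7, 920 → 13), since the full audit-time table is needed for any other head count.

```python
"""Worked calculations for the audit-time and site-sampling rules.
Added example code, not part of the RINA document; the man/day figures
in EXAMPLE_MAN_DAYS come from the page's worked example, not the table."""
import math
from typing import Callable, Dict, List

FULL_TIME_HOURS = 40.0  # section 2: full-time is taken as 40 hours a week


def effective_employees(weekly_hours: List[float]) -> float:
    """Section 2: count every worker (part-time, seasonal, temporary staff
    and relevant subcontractors included) in proportion to a 40-hour week.
    Example from the page: 50 x 20 h + 50 x 40 h -> 75."""
    return sum(h / FULL_TIME_HOURS for h in weekly_hours)


def ceil_whole(value: float) -> int:
    """Round up to a whole number, first discarding float noise so that a
    product such as 0.6 * 5 (= 3.0) is not pushed up to 4."""
    return math.ceil(round(value, 6))


def round_up_half_day(days: float) -> float:
    """NOTE 5: round up to the next half day (1.1 -> 1.5, 1.6 -> 2.0)."""
    return ceil_whole(days * 2) / 2


def follow_up_audit_times(certification_days: float) -> Dict[str, float]:
    """NOTE 4: surveillance = 1/3 and recertification = 2/3 of the
    certification audit time, each rounded up to the next half day."""
    return {
        "surveillance": round_up_half_day(certification_days / 3),
        "recertification": round_up_half_day(certification_days * 2 / 3),
    }


def sample_sizes(total_sites: int) -> Dict[str, int]:
    """Annex 2 section 5: number of sites to sample (head office excluded).
    Initial: ceil(sqrt X); surveillance: ceil(0.6 sqrt X);
    recertification: as initial, or ceil(0.8 sqrt X) with the 20% reduction."""
    root = math.sqrt(total_sites)
    return {
        "initial": ceil_whole(root),
        "surveillance": ceil_whole(0.6 * root),
        "recertification": ceil_whole(root),
        "recertification_reduced": ceil_whole(0.8 * root),
    }


# Constructed lookup: man/days per head count, taken only from the page's
# example. A real calculation reads the full "Table of total time required
# for certification audit" instead.
EXAMPLE_MAN_DAYS: Dict[int, float] = {20: 3.0, 100: 7.0, 920: 13.0}


def example_lookup(staff: int) -> float:
    return EXAMPLE_MAN_DAYS[staff]  # KeyError for head counts not in the example


def multisite_man_days(hq_staff: int, site_staff: int, total_sites: int,
                       lookup: Callable[[int], float],
                       site_reduction: float = 0.5) -> Dict[str, float]:
    """Annex 2 section 3.1: head office at full man/days, each sampled site
    reduced by up to 50%, and the sum may not fall below the man/days for
    the whole organisation treated as a single site."""
    sampled = sample_sizes(total_sites)["initial"]
    per_site = round_up_half_day(lookup(site_staff) * (1 - site_reduction))
    planned = lookup(hq_staff) + per_site * sampled
    floor = lookup(hq_staff + site_staff * total_sites)
    return {"sites_sampled": sampled, "per_site": per_site,
            "planned": planned, "single_site_floor": floor,
            "certification": max(planned, floor)}


if __name__ == "__main__":
    print(effective_employees([20] * 50 + [40] * 50))        # 75.0
    print(multisite_man_days(20, 100, 9, example_lookup))   # certification 13.5
    print(follow_up_audit_times(13.5))                       # 4.5 and 9.0
```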


Annex 3 – TRANSFER OF CERTIFICATION

1 CONDITIONS

RINA may recognise the certification of an Organisation’s supply chain security management system, issued by another body by following the procedure shown below only if the following conditions are satisfied:

- organisations interested in obtaining certification recognition by RINA must send the relative application according to the normal RINA procedures

- the certificate of the Organisation was issued by a Body accredited by an Accreditation Body that is a signatory of the Mutual Recognition Agreements (MLA EA and IAF Agreements)19

- the certificate must still be valid

- the certificate must not be suspended

- the Body must not be suspended

- the certified activities belong to the sectors that RINA has been accredited for.

Organisations with certificates that are not covered by these accreditations must be treated like new customers.

2 TRANSFER PROCEDURE

A qualified technician in the sector reviews the following documents:

- application for certification;

- informative questionnaire;

- controlled copy of its Quality Manual and list of Security Operative Procedures and risk assessment analysis;

- copy of the valid certificate issued to the Organisation;

- preliminary audit report and periodic audit reports relative to all the subsequent surveillance operations;

- evidence of the corrective action taken to eliminate any non-conformities found during the previous audits or evidence that another Body has audited their elimination;

- complaints received and action taken;

- PVP.

If the document review is unsuccessful, the technician decides whether, in order to assess conformity of the SMS, it is necessary to request additional documentation and/or perform an on-site audit of the Organisation (times and costs are normally those indicated for an extra check).

The review is successful if the documentation examined proves the suitability and level of reliability of the Organisation’s supply chain security management system.

For this activity a document review report showing the results of the review must be prepared: the field of application of the Organization to certify must be identical to that defined by the other Body.

If only the documents are assessed, the date of the next surveillance audit must be identical (or brought forward) to that planned by the other Body.

3 CERTIFICATION

After the document audit and in order to continue the certification process, RPC prepares the following documentation which must be sent to CTSec for approval:

- certification procedure and certification/extension proposal;

- document review report and/or on-site audit report;

- copy of the certificate issued by the other Body and related PVP.

19 The list of Accreditation Bodies participating in the above agreement can be viewed at www.ACCREDIA.it

If the certification process continues with an on-site audit of the Organisation, a complete audit will be carried out, applying the recertification times, in view of the fact that the Organisation’s supply chain security management system had already been certified and a new PVP will be issued.

4 POSTPONEMENTS

RPC may grant, for justified reasons and following a written request from the Organisation (lack of orders, staff layoffs, large-scale organisational changes, etc.), a postponement not exceeding three months from the date of the surveillance audit, taking into account, however, that in any case one surveillance audit per calendar year is to be performed.

The first surveillance audit after the initial audit is in any case to be performed not more than 12 months after the end of stage 2 of the initial audit made by the other Body.

The entire recertification process, including any additional audits, must be completed prior to the expiry date of the certificate.