BS EN 17483-1-2021 私人保安服務(wù) 關(guān)鍵基礎(chǔ)設(shè)施的保護 第1部分：一般要求

ofcriticalinfrastructure requesttoitscommiThispublicationhasbeenrepresentation,warranty,assuranceorundertaking(expressoracceptedbyBSIinrelationtreasonablenessofthispublication.Allandanysuchresporecipient'sownrisk.respecttoitsuseofthispublication.responsibleforitscorrecThisBritishStandardwaspublisheAmendments/corrigendaissuedsincepublicationDateprotectiondesinfrastructurescritiquesPrivateSicherheitsSchutzkritischerInfrastrukturen-ThisEuropeanStandardwaCENmembersareboundtocomplywithththisEuropeanStandardthestatusofanationalstreferencesconcerningsuchThisEuropeanStandardexistsintmadebytranslationundertheresponsibilityofaCENmemberintoitsownlanguageandnotManagementCentrehasthesamestatusastheoCENmembersarethenationalstandardsbodiesofAustria,Belgium,Bulgaria,Croatia,Cyprus,CzechRepublic,Denmark,Estonia,Finland,France,Germany,Greece,Hungary,Iceland,Ireland,Italy,Latvia,Lithuania,LuxemNetherlands,Norway,Poland,Portugal,RepublicofNorthMacedonia,Romania,Serbia,Slovakia,Slovenia,Spain,Sweden,EUROP?ISCHESKOMITEEFURNORMUNG2Contents 5 5 6 7 7 84.2.1Management 84.2.2Humanresourcesmanagem 9 4.6Businesscontinuitymanag 4.8Corporategoverna 5.5Customerrespo 5.7Cooperationwithotherrel 5.9Leasedworkers/agency 6.1.4Identificationofstaff 6.2.2Criteriat 7.4Operationalplanandros 7.6Contractterminationandcessationofservices 21 EuropeanforewordThisdocument(EN17483-1:2021)hasbeenpreparedbysecurityservices",tThisEuropeanStandardshallbegiventhestatusofanationalstandard,eitherbidenticaltextorbyendorsement,apossibilitythatsomeoftheelementsoffAccordingtotheCEN-CENELECInternalRegulations,thenationalstandardsorgfollowingcountriesareboundtoimplemeCroatia,Cyprus,CzechRepublic,Denmark,Estonia,Finland,France,Germany,Greece,Hungary,IcelIreland,Italy,Latvia,Lithuania,Luxembourg,Malta,Netherlands,Norway,Poland,PorofNorthMacedonia,Romania,Serbia,Slovakia,Slovenia,Spain,Sweden,Switzerland,Turkeyandthe5ThisdocumentincludesthemainoverarchingrequirementsfortheprovisionoNOTE1Thisdocumentisthefirstpartofaseriesofstanrequirementsforrelatedsbalancebetweenqualityandprice.ThisdocumentsetsouttheminimumrequiItspecifiesservicerequirementsforqualityintheorganization,profasecurityserviceproviderand/oritsindependentbranchesandestablishmentsundThisdocumentissuitablefortheselection,attribution,aproviderofsecurityservices.Thefollowingdocumentsarereferredconstitutesrequirementsofthisdocument.Fordatedreferences,onlytheeditioncitedapplundatedreferences,thelatesteditionofthereferenceddocument(includEN15602,Securityserviceproviders-Termi6Forthepurposesofthisdocument—IECElectropedia:availableat/—ISOOnlinebrowsingplatform:availableathttps://wasset,system,orapartthereof,whichisessentialforthemaintenanceofvitalsocietalfunctisafety,security,economicorsocialwell-beingofpeople,wherethedisruptionordestructionofwhichthreatposedbyunauthorisedaccess,useordisclosureofprivilegedinformation,techniqtechnology,assetsorpremisesbyanindividualwithlegitimsystematicprocessfortheidentification,analysisandevaluationofthreatstodeterminetheimpactoftheconsequencesofhazardsandthreatsrelativetotheprobabilityofthetotalofdefinedorganizational,personnel,technicalandstructuralsecuritymeasuresfortheprevenand/oravertingofdangersthroughwrittenanalysisofpossibleattackanddamagescenarioswiththeaimofachievingadefinedlevelofprotec—analysisofthreats/damagescenarios/dangers;7staffperformancemanagementpolicysystematicprocessbywhichthinimprovingorganisationaleffectiveallotindividualaccountabilitytowardsthatgoalandtrackingoftheprogressintheachievementofthegoalsassignedandevaluatingtheirindividualperformance.Thestaffperformtheindividualperformanceortheaccomplishmentofanemployee,whichevaluatesandkeepstrackofallthesetofinterrelatedorinteractingelementsofanorganisationtoestablishpoliciesandobjectprocessestoachievetresponsibilities,planning,operation,policies,practices,rules,beliefs,objectivesandNote3toentry:Thescopeofamanaidentifiedfunctionsoftheorganization,specificandidentifieNote4toentry:Thisconstitutesoneofthecommontermbusinessstatisticswhichmeasureanorganisation'sperformancemonitoringactivitieswhich(ifnotproperlyperformed)wouldlikelycausedegradationoftheperformanceofforcriticalinfrastructureifthoseaaccordancewiththenationallegalframeworks.Aprovidershallonlyprovidethoseprivatesecurityservicproviderhasobtainedthenecessaryauthorizationfromthecompetentauthorit8e.g.notbeenconvictedforanyofthefollowingcrc)fraudand/ormoneylaunf)intentionalcrimesagainh)cyberandinformationsTheyneedtoholdtherequiredlicencefortheirfunctionwherelegallyofoperation;havecodeofconductdocumentsonethics,drresponsibilityandaboutoperationalprocedures6)operateunderconfidentialityproceduresforthemanagement8)haveanoperationalpresencewithprovidedforthedurationofthecontract,oratleastforthedurationoftheprovisionoftheservices;9)disclosethestructureofitsownmanagementfortheprovis10)discloseanyunspentcriminalconvictionsanlegislationregardingtheprotectionofenvironment;13)haveamanagement9Theprovidershallhavepoliciesinplace,whichshallincludetha)maintainingaccurateinformation/dataonstaffstrb)recruitmentincludingjc)retentionofstaff;h)disciplinaryandgrievance;k)staffsatisfactionmeasurement;n)abidebylawandregulationsTheprovidershallhaveapolicyformot-methodologies—motivationmeasuringsystem;—responsibilityonthejob;—self-management(shiftwork,measuresagainstboredom);TheprovidershallinforStaffperformancemanTheprovidershallimplementaclearlydefinedstaffperformancemanagement4.3HealthandSafeWorkshallbeplannedinamannerthatitcaTheprovidershallinvestigaand/orstaffifpresent,continuouslyassessrisksandtakeallprecautionsnecessTheprovidershalldocumenttheworkingconditionsandmeasuresworkingconditions.IncaseofahealthandsafetyincidenttheprovidersTheprovidershallinstallandmaintainTheprovidershalldemonstratethatithasthenecessarycapacityiprocedurestoguaranteethefullimplementationofalltermsandclausesTheprovidershalldiscloseinfdedicatedresponsiblemanagementifapplicable,theranTheprovidershalldisclosethefollowinginformationtothepotentialc-balancesheetsandprofiscompulsoryunderthelegislationorpracticeinthecountryiwhererelevant.Attherequestofthepotentialclient,theprovidershalfinancialplan,wheretherequestedsecurityservicesthelastclosedbusinessyearoftheprovider.Theprovidershallestablishadocumentedbusinesscontinuitypoliproceduresandthetechnologiesusedforthispurpose,e.g.onthebasisofENISO9001[4].Inparticular,thecriticalprocessesshallbeidentifiedandsuitablemeasuresfTheproviderisexpectedtocomplywithinternationaland/ornatagreementsregardinginsuranTheprovider'sinsuranceshallincludeco-loss,damageorinjurytothecustomerorthirdparti(aslongastheyhavebeencausedwhilstperformingthecontractualduties).TheprovidershallprovidetotheclientitsinsurancepolicyandsuppTheprovidershallensurTheprovidershalldemonstrateastructuredprovideevidenceofits:—internalandexternalcontrolproceduresand4.9IT-SecurityManagemeTheprovidershallestablishadocumentedIT-securAwrittencontractbetwshallstatetherightsandobligationsoftheprovideofsub-contractorsaswelTheclientshallproIftheclientisnotabletoprovideasecurityanalysis,thassessmenttogetherwperformanceofthecontractualdutie-assesstheprobabilityofasecuritybreachand/orthreatandtheconsequ-clarifythattheproposedcontractmeetstheriskassessment.Thesecurityanalysis/assessmeshouldincorporatetheoptimizationoftherequiredseworkforce.ThesecurityplanthedeploymentofmanagersonIfthecustomerneedsadditionalriTheprovider'sliabilityfordamagesarisinginthecourseoftheprovisionofservices,andforwhichhallbeagreedbetweentheprovifTheamountofliabilityrequestedbytheclientshallbelimited,atleastinthecaseofsassessmentandthecontTheprovidershallappointanominatedcoorganizationandoperationofthecontract.Thispersonshallhavetmanagershallbeappointed(e.g5.5CustomerTheclientshallensuretshallagreeuponthefrequencyandeactualandforthcomingofthesecurityrisksrelevanttotheprovisionofthecontrAllnecessaryequipment,systemsandvehiclesfortheprovisionofthecTheownerofequipment,systemsanthefullmaintenanceandproperoperationaluseofit.Internaaswellasmanufacturer'sbytheownertoanotherpInternational,nationalor5.7CooperationwithotherTheprovidershallcooperatewithotherrelevantparties(eauthorities,otherproviders)whenrequired.lnotsubcontractanyofitscontractedobligationswithoutthepriorwrittenconsentftheclient.Intheeventofsuchsubcontracting,theprovidershallremainfuloftheirobligationsundercoFurthersubcontractingofservicesbythesubcontractoroftheprovideractingdirectlyonbehalfoftheTheprovidershallinformtheclientinwritingaboutthepersonnel(specificallythenamesandIDsoftheinvolvedsecuritypersonnel)assignedbythesubcontractortotheassignmentpriortunderthecontractwitsubcontractor'sstaffreceivethesamepayment,insurancetheprovider'sownstaffrespectivesubcontractorfulfilstheservicescommissioneTheprovidershallnotuseanyleasedoftheclient.Iftheproviderisusingleasedworkersoragencyworkers,itistheprovider'sresponsibilitytoguaranteethatboththeworkagencyandtheirworkersmeetalltherequiremenTheprovidershallensurethattheworkagencyguaranteesreceivethesamepayment,insurance,socialsecurityandworkingconprovider'sownstaff.Theprovidershalldemonstratethatscreened,certifiedandtrainedstafftTheproviderandtheclientshouldagreeontheimplememanagementforthestaffing.Theprojectmanagementshouldincludetheidentificationofprojectrelatedrisksinstaffingandqualificationofthofthefollowingaslongasthesetermsarenotalreadystipula)identitiesofthepartiestothb)jobtitleandbriefspecificationordescriptionofthework;d)probationaryperiod,ifapplicable;f)trainingentitlementpg)hoursanddaysofwork;h)amountofpaidleavetowhichtheworkerisentitledor,i)pensionsandj)disciplinaryandgrievanceprk)termsofterminationofemployment;m)collectivelabouragreementsgoverningtheworkerAdditionallytheprovidershallincorporatetheirownprocessfortheapplicants.Thisprocessshouldincludethecheckingofthehistoryandbackground(e.gTheprocessofsecurityscreeningincludes,butisnotnecessarilylimitedto,establishingthattheindividualpossessesanddemonstratesanappropriatelevelofintegrityandisninfluenceorcoercion.IntegrityisdefinedasposTheprovidershallhaveaninsiderthreatpolicyinpl6.1.4IdentificationofstaffTheprovidershallensurethatallshallissueanidentificationvisibleway,wherenat一identificationdetailsof一identificationdetaTheproviderisexpectedtoensurethatalltheirstaffcomplywitlegislationrelatedtoidentificationofstaff.Theprovidershallhavestrictproceduresfkeepingrecords,anddisposingofbadgesandforkeepinTheproviderisexpectedtocomplywithnationalregulatiregardinguniforms.Whenonduty,securityoffishallincludeallvisibleitemsofclothing,includingpersonalprotectiveequipment(PPSecurityofficers'/securityguards'uniformsshallcshallbereadilydistinguishablefromthoseofthecivilemergencyservicTheprovidershallensureanappProvisionsofthisparagraphwillnotbeappliedtonon-unifTheprovidershallhavedocumeofpersonnel.Theprovidershalldevelopajobdescrbytheclient,theprovidershallinformoftheirpolicyforidentifyingpotentialcandidatesecPossiblerecruitmentandtrainingcriteriashallbeadapted—righttoworkinthecountry,ifrequired;-securityvetting,seeEN15602:2008,2.2.7;-securityscree-medicaldeclarationrequiredwhererelevanttothejobdescription;-necessaryinterpersonalskillsrelevanttotheactivitytobeundertak-languageskillsinthecontractualrelevantworkinglanguagTheprovidershallrequireeachcandidatesecurityodocumentcontaining—employmentandpersonalreferences;-detailsofworkandresidencepermits,ifapplicable;-statementofcriminalrecords,ifapplicable;-drivinglicensedetails,ifapplicable;一generalinformationonphysicaland/ormedicalco—possibilitiesofgeographicalmobilityshallbeconductedbyacompetentrecTheprovidershalldocumenttheresultsof-applicationformverification;-understandingofthejobanditsrequirements;-socialattitudes(e.g.equalrights,security,colleagues,superiors,customers—integrity;—informcandidateofwage,jcompany'scodeofconduct),companydetailsandapplicablenationThefileshallcontainalldocuments,e.g..2Psychometricandpsycho-technicaltestsPeer-reviewedpsychometricandpselectiontoolwhereappTrainingpolicyandmethodologyrequia)Trainingpolicy,planning,contentsandperformanceoftrainingareexpectedtob)Theprovidershallentraining)shallbereflc)Alltrainingsessionsshallbeplannedandjobassignment.thetraineehasperformedtothelevelde)Trainingshallbeperformtomeettheexpectedresultsandrequirementsofthecorrespondinglegislation(whenappliconsiblefortheassessmf—criticalinfrastructurespenvironmentmanagement,ifapplicable;Thestartupofthecontractshallbemutuallyagreeduponbytheclientandtheprincorporatesthedefinitionofaspecifiedtimeframe,responsibilitiesofbothpartiesandpointsofcontactofallprocessrelevantpersonnel.ThetimefAllrelevantdocumentation,maTheprocessshouldbedocumentedbybothparties.Theprovisionofthecontractedservicesisbaseduponthertimes,qualitiesandquantities.TheclientandtheprovidershallagreeinwritingonaconFurthermore,awrittenagreemethemaximummonthlydeploymenthobesignedoffbythecliTheprovidershallensure,bymeansofawrittendefinitionofresponsibilitiesatindividualmalevels,thatrecordsarekept,collected,checked,distributedifnecessary,transmittedtoRecordsshallprovethattherequirementsofthetaskshavebeenqualitativelyandquantitativelyfulfilled,thatprescribedtests/evaluationshavebeencarriedout,thatinitiatedmeasuresRegularcommunicationsbetween—provisionofdailyoperationalinformation;—provisionofenhancedreportsonincid-regularcommunicationonactualthreats,specialsituationsandnecess—regularcontractualandfinancialre7.4OperationalTheprovidershalldefineanob)standardoperatingproceduresincludingqualitymanagement;g)emergencypreparebemeasurablee.g.mutuallexpectationsaswellIfSLA'sareused,theprovidershallmaintain,documentandprovidethemeasurementsystemtoregularlyandperandtoimplementcorrectivemeasures,ifandwhennTheproceduresfortheterminationofthecontractshallbeorporatesthedefinitionofaspecifiedtimeframe,responsibilitiesofbothpartiesafAllrelevantdocumentation,bytheoutgoingprovider.Theprocessshouldbedocumentedbybothparties.Examplesofcriticalinf—centralnetworknodesandcontr—defenceindustrialresearch,p一powerstations(incl.hydro一pipelines,externalcompressorandpumpingstations.—foodstorage,logistic—foodchemicalandgeneticengineeri一governmentandpublicadministration(e.g.datacentres);一parliament;一courtsandprisons.—pharmaceuticalsandvaccinesresearch,production,stor—nuclearresearch,training,production,storageanddistribut—maritimeportsandterminals,maritimetraffi—inlandwaterwaysandterminals,locks—railandundergroundsystems,s