STANDARD

INTERNATIONAL OF
BASC SECURITY

6.0.2
COMPANIES WITH INDIRECT RELATIONSHIP TO THE
LOAD, THE LOAD UNITS AND THE
Freight Transport Units

Version 6 - 2022
Approval date: March 2, 2022

All rights reserved. Unless otherwise specified, no part of

this publication can be reproduced, modified or used in any form or by
any means, electronic or mechanical, without the written permission of World BASC
Organization, Business Alliance for Secure Commerce, BASC.
 TABLE OF CONTENTS

0. INTRODUCTION 3

1. BUSINESS PARTNER REQUIREMENTS 4

1.1 Business Partner Management 4
1.2 Prevention of Money Laundering and Terrorism Financing 4

2. SECURITY IN THE INFORMATION HANDLING PROCESSES OF THE LOAD

AND OTHER PROCESSES DEFINED IN THE SCOPE OF THE SGCS 5

2.1 Parameters and Criteria 5

2.2 Information and Document Processing of the Cargo 5
2.3 News about the Load 5
2.4 Communication of Suspicious Activities or Critical Events 6
2.5 Controls in Operational Processes Not Related to Cargo 6

3. SECURITY IN PROCESSES RELATED TO PERSONNEL 6

3.1 Procedure for Personnel Management 6
3.2 Training, Capacity Building and Awareness Program 8

4. ACCESS CONTROL AND PHYSICAL SECURITY 8

4.1 Access Control and Presence in the Facilities 8
4.2 Physical Security 9

5. INFORMATION SECURITY 10
5.1 Generalities 10
5.2 Cybersecurity and Information Technologies 11
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
3 of 12

0 INTRODUCTION

The International Security Standard BASC contains the control measures.

operational for the main elements related to supply chain security
of supply and complementary with the International BASC Standard. Its objective is
contribute to the companies so that their activities are developed through a culture
integral security and trust generation, in order to protect the parties
interested parties, facilities, and loading, among others.

Three documents were issued with the intention of consolidating the requirements.
corresponding to the interaction with the load defined in the scope of the SGCS. The
International Safety Standard BASC 6.0.1 applies to companies that have
direct relationship with the load, with the load units or the transport units of
load.

The International Security Standard BASC 6.0.2 applies to companies that have
an indirect relationship with the load, with the loading units or the transport units
of charge.

The International Security Standard BASC 6.0.3 is applicable to all types of companies.
that wish to manage the risks and minimum operational controls that allow them a
secure operation of products and provision of services, that do not apply to the Standard
International 6.0.1 and 6.0.2.

This document is the result of the management of:

WBO Board of Directors 2021-23: Emilio Aguiar (BASC Ecuador), President; Ricardo
Sanabria (BASC Colombia), Vice President; Patricia Siles (BASC Peru), Secretary;
Armando Rivas (BASC Dominican Republic), Treasurer; Álvaro Alpízar (BASC Costa
Rich), Vocal.

WBO Technical Committee 2021-23: Fermín Cuza, WBO International President; Directors
Executives: Giomar González, BASC Panama; Luis Bernardo Benjumea, BASC Colombia;
Omar Castellanos, BASC Dominican Republic; Fabricio Muñoz, BASC Guayaquil; César
Venegas, BASC Peru; Jorge Wellmann, BASC Guatemala; María Andrea Caldas,
WBO Certifications Coordinator and Luis Renella, WBO Operations Director.
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
4 out of 12

1 BUSINESS PARTNER REQUIREMENTS

1.1 Business Partner Management

1.1.1 The company must establish a documented procedure for selection,

evaluation, hiring, and awareness of business associates regarding the
SGCS BASC, based on risk management, due diligence, and legislation
in force. It must include:

a) The level of criticality based on risk management.

b) Evidence of compliance with the legal requirements of its business associates.
c) Evidence of BASC certification (authenticity of the certificate). In case of not
count on this, maintain evidence of other certifications or initiatives of
security measures in effect and internationally recognized by a customs authority
(CTPAT, Authorized Economic Operator) and other entities that constitute evidence
compliance with acceptable security criteria. In case of not having
for these security certifications or initiatives, the company must enter into agreements.
of security.
d) Compliance with security agreements through verification, at least one
once a year.
e) Updated list of business associates.
f) Training guidelines that include crime prevention practices in the
international trade and corruption and bribery.
g) Evidence of data of the final beneficiaries, in accordance with current legislation.

1.2 Prevention of money laundering and terrorist financing

1.2.1 The company must establish a procedure, in accordance with current legislation,
to prevent money laundering, financing of terrorism, and other crimes
related to international trade. The company must appoint a
responsible for complying with these procedures. This procedure must
include:

a) Knowledge of its business associates, which includes: identity and legality of the
company, partners, and representatives.
b) Legal, criminal, and financial background taking into account national lists
and international.
c) Timely report to the competent authorities when identified
suspicious operations (see 2.4).
d) Verification of membership in recognized guilds or associations.

1.2.2 The documented procedure for the selection of business associates (see
1.1) must, based on risk management, consider at least the following
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
5 out of 12

factors (warning signs) for the identification of suspicious activities:

a) Origin and destination of the trade operation.

b) Frequency of operations.
c) Value and type of goods.
d) Mode of transportation operation.
e) Payment method of the transaction.
f) Inconsistencies in the information provided by business partners.
g) Requirements that arise from what is established.

2 SECURITY IN THE INFORMATION MANAGEMENT PROCESSES OF THE

LOAD AND OTHER PROCESSES DEFINED IN THE SCOPE OF THE SGCS

2.1 Parameters and criteria

The company must have documented procedures that include the

parameters and safety criteria applied in information management processes
of the load and other identified processes, according to the scope established in the
SGCS BASC, risk management, and its role in the supply chain.

2.2 Processing of information and documents of the cargo

2.2.1 A documented procedure for the management and control of must be established.
loading documentation.

2.2.2 The company must:

a) Verify the consistency of the information transmitted to the authorities, according to

with that recorded in the cargo operation documents.
b) Ensure that the documented information related to load management is
legible, complete, accurate and protected against modifications, loss or introduction
of erroneous data.
c) Timely inform the relevant stakeholders about the handling of the load
during their custody.
d) Maintain records that demonstrate the traceability of the load according to its
responsibility in the chain of custody.

2.3 News with the load

You must establish a documented procedure to manage all cases

related to discrepancies related to the load, the packaging material,
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
6 of 12

packaging, waste, debris, and leftovers that affect the safety of operations
the company.

2.4 Communication of suspicious activities or critical events

You must establish a documented procedure to timely communicate to the

competent authorities and stakeholders involved when activities occur
suspicious or critical events that may affect the integrity of operations
defined within the scope of the BASC SGCS, ensuring compliance with legislation
in force. The company must:

a) Document the information related to the actions taken.

b) Carry out an evaluation and subsequent analysis in order to generate actions
relevant for your treatment.
c) To continuously train and empower personnel to identify or recognize
suspicious activities related to their functions.

2.5 Controls in operational processes not related to the loading

You must establish a documented procedure for all operational processes.

identified in the scope of the BASC SGCS. These must include:

a) Appropriate criteria to mitigate risks and their impact on those processes.

b) All the necessary evidence for traceability in processes, in order to be able to
Identify the potential deviations in case they arise.

3 SECURITY IN PROCESSES RELATED TO PERSONNEL

3.1 Procedure for personnel management

The company must establish a documented procedure based on management of the

risk and the current legislation, which regulates the following activities:

3.1.1 Staff Selection

The company must verify and analyze in the selection process:

a) Information provided by the candidate.

b) Work and personal references.
c) Background of the candidates who will occupy critical positions.
d) The competencies required for the position as determined by the company.
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
7 out of 12

e) The results of:

i. Reliability testing.
ii. Tests to detect the consumption of alcohol and illegal drugs.
iii. Home visits.

3.1.2 Hiring of Personnel

The company must:

a) Maintain an updated photographic file of the staff and include a record of

fingerprints and signature.
b) Issue and control the delivery and use of identification cards with access areas
specific and uniform with the company's insignia, if applicable.
c) Document the delivery of the security resources provided by the company,
associated with job performance.
d) Register the delivery of the code of ethics, conduct, and social commitment policy
from the company to the collaborator.
e) Include the commitment to the BASC SGCS in the induction process.
f) Define security requirements associated with the job profile for all positions.
critics determined by the company and when changes occur.

3.1.3 Personnel Management

The company must:

a) Update staff data at least once a year.

b) Verify the background of personnel holding critical positions, at least one.
once a year.
c) Apply tests to detect the consumption of alcohol and drugs to the staff who occupy
critical positions, at least every two years or when suspicions arise.
d) Conduct a home visit to personnel holding critical positions, based on the
risk management and local regulations, at least every two years.
e) Issue and update the photographic identification card, in accordance with the
company procedures.
f) Highlight the proper use of the security resources available to the company,
associated with job performance.
g) Evidence the compliance with the code of ethics, conduct, and commitment policy
company social.

3.1.4 Termination of employment relationship

The company must:

 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
8 out of 12

a) Remove access to the company's facilities and information technologies.

b) Retrieve the identification card, uniforms, and other security resources with
based on the records generated in the delivery of these.
c) Inform the relevant stakeholders about the collaborator's termination,
based on risk management.

3.2 Training, Capacity Building and Awareness Program

3.2.1 The company must document and annually evaluate the effectiveness of programs
related to:

a) Prevention of crimes related to international trade.

b) Prevention of addictions that include visible notices and/or reading material.
c) Corporate social responsibility.
d) Prevention of the risk of corruption and bribery.

3.2.2 It must establish and maintain a documented annual training program for
raise awareness among staff about their responsibility to recognize vulnerabilities in
the companies related to the SGCS BASC, which should include at least:

a) Policies related to the BASC SGCS.

b) Compliance with social commitment.
c) Risk management, operational controls, preparedness and response to events.
d) Compliance with the legal requirements related to the company.
e) Evaluation of management indicators related to the processes of the
company.
f) Access controls and physical security of the facilities (see 4).
g) Prevention of crimes related to cybercrime. (See 5).

4 ACCESS CONTROL AND PHYSICAL SECURITY

4.1 Access control and presence in the facilities

The company must establish a documented procedure for access controls.

of collaborators, visitors, and third parties, which includes the following activities:

4.1.1 Access for collaborators:

a) Positive identification.
b) Control their access to the facilities.
c) Restrict access to the critical areas determined by the company.
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
9 out of 12

4.1.2 Access for visitors, contractors, and third parties:

a) Request authorization for entry.
b) Present a valid official identification with a photograph.
c) Keep a record of the entry and exit of people.
d) Register, based on risk management, the elements that enter into the
installations.
e) Deliver and control a temporary identification.
f) Ensure that they are accompanied or monitored by company personnel.
g) Limit access to authorized areas for your visit.

4.1.3 Inspect the mail and packages received before distributing them, maintaining a
a record that includes the identification of who receives it and to whom it is intended.

4.1.4 Inspect the vehicles entering and exiting your facility, maintaining
the corresponding records.

4.1.5 Access to authorities and emergency response vehicles according to the plan
and event response preparation or when necessary.

4.1.6 Maintain operational control in the facilities, which includes:

a) Display the ID card or temporary identification in a visible place, under the rules of
applicable industrial safety. Applies to employees, visitors, contractors and
third parties.
b) Control the locker areas of the collaborators and these should
to be separated from the loading and storage handling area.
c) Identify and remove unauthorized persons.
d) Ensure that the security personnel are monitoring the entry doors
and exit from the facilities.

4.2 Physical security

4.2.1 Generalities

The company, based on risk management and its role in the supply chain, must
establish documented procedures related to physical security that
include:

a) Structures and perimeter barriers that prevent unauthorized access.

b) Locks on doors and windows.
c) Lighting that allows for the control of installations in:
1. Inputs and outputs.
2. Storage and cargo or information handling areas.
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
10 out of 12

3. Perimeter fences.
4. Parking areas.
5. Other defined critical areas.
Having competent security service in accordance with the requirements
legal and that guarantees a timely response action, preferably
BASC certificate.
e) Parking areas for employees, visitors, and vehicles that deliver or
They collect cargo.
f) Operational and maintenance inspections with their respective records.
g) Use of security technologies:
Alarm operating system that identifies unauthorized access.
2. Video surveillance system that covers the identified critical areas and
monitored by qualified personnel.
3. Backup system for images and video (recording) with the capability of
sufficient storage to respond to possible events.
4. Others that the company considers for the BASC SGCS.

4.2.2 The company must establish, document, and keep updated:

a) Plans with the location of the critical areas of the facilities.

b) Control of keys, devices, and access codes.

4.2.3 The company must carry out inspections to assess the implementation,
operation and maintenance of physical security controls, preserving
record of findings.

5 INFORMATION SECURITY

5.1 Generalities

The company must establish a documented procedure based on management of

risk and its role in the supply chain, for:

a) Manage and protect the handling of information and IT resources of the

company, including the measures to be applied in case of non-compliance.
b) Safeguard the information and its confidentiality, integrity, and availability, in
its different forms and states.
c) Protect the infrastructure of information technologies.
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
11 out of 12

5.2 Cybersecurity and information technologies

The company must:

a) Establish, document, and maintain security criteria that allow for identification and
protect information technology systems and recover it
promptly if necessary.
b) Identify stakeholders and their level of criticality in the IT infrastructure
(hardware and software) of the company.
c) Timely communicate information about cybersecurity threats
identified the relevant stakeholders.
d) Classify the information according to current legislation, systems, and access
according to the level of criticality and establish access policies for it.
e) Use assigned accounts for each user accessing the system, with their
own access credentials through passwords or other means of
authentication that generates secure access. These must be updated.
periodically, when there are indications or reasonable suspicions that they are
committed.
f) Limit access and permissions for users according to their roles and tasks
assigned, reviewing them periodically.
g) Remove access to information for all collaborators, third parties, and users
externals upon completing their contract or agreement.
h) Prevent the installation of unauthorized software.
i) Use and maintain licensed and updated hardware and software to protect the
IT infrastructure against computer threats such as viruses, programs
spies, worms, trojans, malware, ransomware, among others.
j) Make backups of sensitive information, keeping a
backup outside the facilities (physical or virtual) with security measures
necessary to prevent third parties from accessing the information.
k) Maintain an updated record of users, their level of criticality, and access.
assigned.
l) Close/block the session on unattended devices.
m) Evaluate at least once a year the security of the IT infrastructure (hardware and
software), implementing relevant actions when detected
vulnerabilities.
n) Establish procedures and controls to identify and review unauthorized access.
authorized to information systems, websites, or the breach of the
policies and procedures (including the handling or alteration of data
commercials by collaborators or contractors.
o) Review the cybersecurity policies and procedures at least once a
year and update them when changes occur in the internal or external context,
or when a risk materializes.
 Version: 06
Approved:
World BASC Organization 02-MAR-2022
Business Alliance for Secure Commerce
International Safety Standard
6.0.2 Page:
12 out of 12

p) Use secure technologies, such as virtual private networks (VPN) or authentication

multifactor for secure access of employees and external users to the
company IT systems, including access for remote work or
telecommuting.
Establish procedures to prevent remote access by unauthorized users.
from personal devices or others.
r) Control through the execution of periodic inventories, the means or others
equipment that is part of the company's IT infrastructure.
The disposal or disposal of the same will be done according to current legislation.
s) Restrict the connection of personal devices and peripheral elements not
authorized for any device that is part of the infrastructure
company's IT.
Monitor the compliance with cybersecurity and security policies.
information established in the use of platforms and digital content, tools
of videoconferencing, e-commerce, among others.
u) Carry out practical exercises and/or drills related to security of the
information technologies that allow determining the effectiveness of actions
established (see Standard 6.1 e).
v) Establish controls for super users that allow for continuity of
credentials of active teams, if applicable.