
PAS 1085:2018

Manufacturing – Establishing and implementing a security-minded approach – Specification

Publishing and copyright information
The BSI copyright notice displayed in this document indicates when the document
was last issued.
© The British Standards Institution 2018. Published by BSI Standards Limited 2018.
ISBN 978 0 580 52421 9
ICS 03.100.50, 25.040.40, 35.030
No copying without BSI permission except as permitted by copyright law.

Publication history
First published May 2018

Contents
Foreword...................................................................................................... ii

0 Introduction .............................................................................................. iv

1 Scope.......................................................................................................... 1

2 Normative references............................................................................... 1

3 Terms, definitions and abbreviations...................................................... 2

4 Manufacturing organization’s environment........................................... 8

5 Security governance................................................................................. 13

6 Assessing and managing security risks................................................... 17

7 Implementing the organization’s security strategy............................... 22

8 Assessing security of the supply chain.................................................... 26

9 Working with suppliers and customers.................................................. 29

10 Security of a manufactured item........................................................... 32

11 Data and information management...................................................... 33

12 Security-minded approach in relation to compliance with legislation and other standards.................................................................................... 46

Bibliography ................................................................................................ 49

List of figures
Figure 1 – The manufacturing organization and its digital ecosystem.... iv
Figure 2 – Illustrative manufacturing organization with a supply chain.. v
Figure 3 – The manufacturing value chain................................................. vi
Figure 4 – Overview of security-minded manufacturing........................... vii
Figure 5 – Holistic approach to security...................................................... 9
Figure 6 – Establishing the organization’s context.................................... 14
Figure 7 – Security concepts and relationships........................................... 17
Figure 8 – Risk management approach...................................................... 20
Figure 9 – Supplier security triage process................................................. 27
Figure 10 – Generic data and information lifecycle................................... 34
Figure 11 – Security goals for the organization’s data and information.. 39
Figure 12 – Data and information security triage process......................... 41
Figure 13 – Personally identifiable information test................................. 42

© The British Standards Institution 2018 i



Foreword
This PAS (Publicly Available Specification) was sponsored by Innovate UK. Its development was facilitated by BSI Standards Limited and it was published under licence from The British Standards Institution. It came into effect on 31 May 2018.

Acknowledgement is given to Hugh Boyes of Bodvoc Ltd., as the technical author and the following organizations that were involved in the development of this PAS as members of the steering group:
• Arup
• B.H. Development
• Bodvoc Ltd
• BuroHappold Engineering
• Centre for Process Innovation (CPI)
• Co-opted member
• Costain Group plc
• Cranfield University
• Digital Catapult
• High Value Manufacturing Catapult (HVMC)
• Innovate UK
• The Manufacturing Technologies Association (MTA)
• National Cyber Security Centre (NCSC)
• Rockwell Automation
• Warwick Manufacturing Group (WMG)

Acknowledgement is also given to the members of a wider review panel who were consulted in the development of this PAS.

The British Standards Institution retains ownership and copyright of this PAS. BSI Standards Limited as the publisher of the PAS reserves the right to withdraw or amend this PAS on receipt of authoritative advice that it is appropriate to do so. This PAS will be reviewed at intervals not exceeding two years, and any amendments arising from the review will be published as an amended PAS and publicized in Update Standards.

This PAS is not to be regarded as a British Standard. It will be withdrawn upon publication of its content in, or as, a British Standard.

The PAS process enables a specification to be rapidly developed in order to fulfil an immediate need in industry. A PAS can be considered for further development as a British Standard, or constitute part of the UK input into the development of a European or International Standard.

Use of this document

It has been assumed in the preparation of this PAS that the execution of its provisions will be entrusted to appropriately qualified and experienced people, for whose use it has been produced.

Presentational conventions

The provisions of this PAS are presented in roman (i.e. upright) type. Its requirements are expressed in sentences in which the principal auxiliary verb is “shall”.

Commentary, explanation and general informative material is presented in italic type, and does not constitute a normative element.

Where words have alternative spellings, the preferred spelling of the Shorter Oxford English Dictionary is used (e.g. “organization” rather than “organisation”).

Requirements in this PAS are drafted in accordance with Rules for the structure and drafting of UK standards, subclause G.1.1, which states, “Requirements should be expressed using wording such as: ‘When tested as described in Annex A, the product shall ...’”. This means that only those products that are capable of passing the specified test will be deemed to conform to this PAS.


Contractual and legal considerations


This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

Compliance with a PAS cannot confer immunity from legal obligations.

Particular attention is drawn to the following specific regulations:
• Data Protection Act 1998 [1]
• Regulation (EU) 2016/679 of the European Parliament
and of the Council on the protection of natural
persons with regard to the processing of personal
data and on the free movement of such data, and
repealing Directive 95/46/EC (General Data Protection
Regulation) [2]
• Trade Union and Labour Relations (Consolidation) Act
1992 [3]
• Environmental Information Regulations 2004 [4]
• Freedom of Information Act 2000 [5]
• Freedom of Information (Scotland) Act 2002 [6]
• Computer Misuse Act 1990 [7]
• Control of Major Accident Hazards Regulations 2015 [8]
• Official Secrets Act 1989 [9]
• Re-use of Public Sector Information Regulations 2005 [10]


0 Introduction
An increasing use of digital technologies in the design,
manufacture, delivery, operation and disposal of
products, systems, assets and services has led to the
use of the terms digital manufacturing and industrial
digitalization. As a consequence, manufacturing
organizations typically exist within a complex digital
ecosystem as illustrated in Figure 1.

Figure 1 – The manufacturing organization and its digital ecosystem

The manufacturing organization exchanges information, much of it in digital form, with a diverse range of organizations in addition to handling physical items. Such exchanges can occur using a variety of technologies including email, electronic data interchange (EDI), collaboration portals, digital object libraries and direct connectivity between systems. Many of these exchanges are achieved using information and communications technologies (ICT), which can be referred to as the Internet or the Internet of Things (IoT). It is also important to consider the interactions between these ICT and operational technologies (OT), including the Industrial Internet of Things (IIoT). This increasing digital interaction introduces a number of threats and opportunities to both an organization and its stakeholders, including suppliers, customers and its personnel.

For the purposes of this PAS the term digital also encompasses processing of data and/or information using machine learning, artificial intelligence techniques and the adoption of technology that enables smarter and more autonomous manufacturing processes.


All organizations are dependent to some degree on a supply chain and unless they sell directly to their customers or end users are part of a wider supply chain as illustrated in Figure 2. For manufacturing organizations, their supply chain is likely to include organizations that provide:
• supplies or consumables, raw materials and any equipment or systems and software used in the manufacturing process;
• professional services, e.g. technical, financial and legal services; and
• resourcing services, e.g. recruitment of personnel or provision of temporary labour, sourcing of supplies, raw materials, etc.

The manufacturing organization therefore needs to be aware of and manage security risks relating to it and those that might arise through its supply chain.

Within a manufacturing organization there is a value chain, which is based on a process view of the organization’s operations and comprises a set of activities that are performed to deliver its manufactured outputs. Whilst an organization might engage in hundreds of activities in the process of converting inputs and resources into the manufactured outputs, these activities can be classified generally as either primary or support. Figure 3 illustrates a generic value chain that comprises:
• primary activities, i.e. inbound logistics, manufacturing operations, outbound logistics and any product related service delivered to the organization’s customers; and
• supporting activities, i.e. enterprise ICT equipment and systems, OT, sales and marketing, resource management and procurement, financial and legal activities.

Figure 2 – Illustrative manufacturing organization with a supply chain


Figure 3 – The manufacturing value chain

NOTE 1 The organization’s supply chain forms part of the organization’s overall value chain, e.g. through supplies delivered via its inbound logistics processes and the wider digital ecosystem.

NOTE 2 Organizations should consider the impact of risks both downstream and upstream of their operations and the potential need for additional testing and/or verification of automated updates to systems, software data and/or information.

The security issues that might affect a manufacturing organization include:
• loss or theft of intellectual property (IP) and/or commercially sensitive information;
• criminal acts, for example computer misuse, fraud, sabotage, theft and vandalism;
• counterfeit supplies, including the potential effects of counterfeiting when the organization’s products are deployed or operated;
• cyber security incidents affecting all aspects of the organization’s operations;
• accidental or deliberate alteration or corruption of manufacturing information and/or software; and
• loss of sensitive customer or personal information.

In the past, many of these issues would have required physical access to the manufacturing process or its inputs and outputs, but with the increasing digital connectivity of both manufacturers and their systems, the threats now emanate from both local sources, and those around the globe.

The principles upon which drafting of this PAS was undertaken were that:
a) the manufacturing organization’s security is owned, governed and promoted at board-level;
b) security risks to the manufacturing organization, its assets, manufacturing processes and outputs are assessed and managed appropriately and proportionately, including those specific to its supply chain;
c) the manufacturing organization appreciates the value of data and/or information it processes, whether owned by itself or a third-party, and takes steps to protect it across its lifetime;
d) where a manufactured item embodies digital technology or information the manufacturer ensures that the item is secure-by-design and provides aftercare and incident response to ensure that the item remains secure over its lifetime; and
NOTE It is the responsibility of the manufacturer to provide information and communicate to the customer and/or end user the lifetime support of the products and/or systems, and any associated services.
e) the manufacturing organization works with its supply chain to implement an appropriate and proportionate level of security in the delivery of the digitally manufactured items and any related services and/or information.
NOTE In determining what is appropriate and proportionate, the organization’s board-level management should ensure that consideration is given to the nature, likelihood and severity of security threats and the potential impact(s) on the organization and its stakeholders in the event that the risk(s) occur.

An overview of the PAS’s security-minded approach to manufacturing is provided in Figure 4, cross-referenced to the relevant clauses.

Figure 4 – Overview of security-minded manufacturing


1 Scope

This PAS specifies requirements for the security-minded management of manufacturing organizations and the associated value chain utilizing information, digital technologies and associated control systems for the design, production, operation, maintenance and disposal of products and systems. These requirements aim to protect organizational reputation and liability, intellectual property, safety and security of manufacturing assets, and the integrity and value of the manufactured items.

It covers how to identify security threats throughout the manufacturing value chain and product lifecycle: design; manufacture (including processing and mixing); commissioning and handover; operation and maintenance; performance management; change of use/modification; and disposal. It also addresses security issues within the digital ecosystem that the organization and its supporting supply chain operate.

This PAS covers the following elements of security: people, physical, process and technological.

It explains the need for, and application of, trustworthiness and security controls throughout a manufacturing value chain to deliver a holistic approach encompassing: safety; authenticity; availability (including reliability); confidentiality; integrity; possession; resilience; and utility.

This PAS addresses the steps required to create and cultivate an appropriate security mind-set and culture within a manufacturing organization and across its supply chain, including the need to monitor, audit and evaluate effectiveness.

The approach outlined in this PAS is applicable to any manufacturing organization and its ecosystem where manufacturing information is processed and used in digital form.
NOTE This PAS also aligns with the approach advocated by the Centre for the Protection of National Infrastructure (CPNI) for raising security-mindedness across sectors.1)

The PAS is for use by senior executive managers, operational managers, engineers, and operatives in manufacturers of products and systems and their associated supply chains and its ecosystem. It might also be of use to insurers and trainers.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

Standards publications

BS ISO 55000:2014, Asset management – Overview, principles and terminology

PAS 1192-5:2015, Specification for security-minded building information modelling, digital built environments and smart asset management

Other publications

[NR1] NATIONAL CYBER SECURITY CENTRE (NCSC). Digital service security – Guidance. October 2016. Available from: www.ncsc.gov.uk/guidance/digital-service-security [viewed April 2018]

[NR2] CABINET OFFICE. Government Security Classifications. Available from: www.gov.uk/government/publications/government-security-classifications [viewed April 2018]

1) Further information is available from CPNI’s website: https://www.cpni.gov.uk.


3 Terms, definitions and abbreviations

3.1 Terms and definitions

For the purposes of this PAS, the following terms and definitions apply.

3.1.1 asset
item, thing or entity that has potential or actual value to an organization
NOTE 1 An asset can be fixed, mobile or movable. It can be an individual item, plant, a system of connected equipment, a space within a structure, a piece of land, an entire piece of infrastructure, an entire building, or a portfolio of assets.
NOTE 2 An asset might also comprise data, information in digital or in printed form, as well as an organization’s internal processes.
NOTE 3 Digital information can be localized (i.e. based on a single data source) or distributed (i.e. derived from multiple data sources and/or locations).
NOTE 4 The value of an asset might vary throughout its life and an asset might still have value at the end of its life. Value can be tangible, intangible, financial and non-financial.
[SOURCE: BS ISO 55000:2014, 3.2.1]

3.1.2 asset data
data relating to the specification, design, construction or acquisition, operation and maintenance, and disposal or decommissioning of an item, thing or entity that has potential or actual value to an organization
[SOURCE: PAS 1192-5:2015, 3.1.2, modified]

3.1.3 asset information
information relating to the specification, design, construction or acquisition, operation and maintenance, and disposal or decommissioning of an item, thing or entity that has potential or actual value to an organization
NOTE Asset information can include design information and models, documents, images, software, spatial information and task or activity-related information.
[SOURCE: PAS 1192-5:2015, 3.1.2, modified]

3.1.4 context
circumstances that form the setting for an asset, event, data and/or information, which allow its significance and/or meaning to be better understood

3.1.5 cyber hygiene
conditions and practices that serve to promote or preserve cyber safety and security by individual system users
NOTE Good cyber safety and security practices are not dissimilar to good health practices related to infection and disease control, i.e. taking appropriate steps to prevent infection (e.g. malware), seeking advice in the case of a suspected infection, and when infection occurs, isolating it or taking steps to prevent further spread.

3.1.6 data
series of marks, digital or analogue signals or encoded characters stored or transmitted electronically
NOTE 1 Marks can include writing, printed characters or graphics.
NOTE 2 There are alternative definitions of data; this specific definition builds on that contained in PAS 183:2017 and is being used in the context of security-mindedness.
NOTE 3 Analogue data varies continuously and relates to natural phenomena such as sounds, natural light, river levels, waves and time. It can also include images such as sketches, drawings and text which have been produced by hand rather than using digital technologies.
NOTE 4 Digital data is represented as binary digits (bits) that have only two states, 0 and 1. These data can be a digital representation of analogue data, captured through a quantization process, or data that was created in digital form, for example as a result of a computer process or by entry using a human interface device (keyboard, touchscreen, stylus, etc.).
NOTE 5 The distinction between data and information is that data does not need to have any meaning attached to it; data becomes information via context.

3.1.7 data controller
person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed
NOTE 1 The wording of the definition given in the Data Protection Act 1998 [1] (DPA) is due to be amended by the General Data Protection Regulation (GDPR) [2] Article 4(7).


NOTE 2 Whilst few manufacturers may fall within the scope of the Security of Network and Information Systems Directive (also known as the NIS Directive) [11], data controllers should be aware of its objective regarding managing security risks, protecting against cyber attacks, detecting cyber security events and minimizing the impact of cyber security incidents.
{SOURCE: Data Protection Act 1998 [1], Section 1(1)}

3.1.8 data sharing
provision of data from one or more organizations to a third-party organization or organizations, the reciprocal exchange of data between organizations, or the sharing of data between different parts and/or systems of the same organization
NOTE 1 There are two main types of data sharing:
a) systematic, routine data sharing where the same data sets are shared between the same organizations, or parts of an organization, for an established purpose; and
b) exceptional, one-off decisions to share data, for example, in unexpected or emergency situations, the provision of medical or social care data to emergency service first responders when they are responding to an incident.
NOTE 2 Data sharing might take place implicitly as well as explicitly with outsourced services via the use of cloud services where appropriate security measures are not in place.
{SOURCE: ICO’s Data Sharing Code of Practice [12], May 2011, modified}

3.1.9 data and information sharing agreement (DISA)
set of rules to be adopted by the various organizations involved in a data and/or information sharing operation

3.1.10 disclosure
action of making sensitive, classified or private data and/or information known

3.1.11 hostile reconnaissance
activity of acquiring information about a target with the view to planning to attack, compromise, disrupt or destroy that target
NOTE 1 The target might be an individual, organization, enterprise or built asset, in whole or in part.
NOTE 2 The planned hostile action might be physical or cyber in nature.
NOTE 3 Reputational damage might result from such physical or cyber hostile actions.
[SOURCE: PAS 1192-5:2015, 3.1.15]

3.1.12 information
one or more data items that have a context and therefore convey a message or meaning
NOTE 1 A string of characters might be referred to generally as data; but if these characters are understood by a person or a computer program (for example, as someone’s name), then the characters convey information. Information always involves the presence of data in some format, on some medium, which could be, for example, a physical document, a document image on a screen, or the contents of an electronic file.
NOTE 2 There are alternative definitions of information, but from a security-mindedness perspective the information’s context can increase the sensitivity of the information.

3.1.13 information management
policies, processes, procedures and tasks applied to the data and/or information across its lifecycle to ensure its accuracy, authenticity, confidentiality, integrity and utility
NOTE See also Figure 9 which illustrates the generic data and information lifecycle.
[SOURCE: PAS 1192-5:2015, 3.1.17, modified]

3.1.14 information sharing
provision of information from one or more organizations to a third-party organization or organizations, the reciprocal exchange of information between organizations, or the sharing of information between different parts and/or systems of the same organization
NOTE 1 There are two main types of information sharing:
a) systematic, routine information sharing where the same information sets are shared between the same organizations, or parts of an organization, for an established purpose; and
b) exceptional, one-off decisions to share information, for example, in unexpected or emergency situations, the provision of medical or social care data to emergency service first responders when they are responding to an incident.
NOTE 2 Information sharing might take place implicitly as well as explicitly with outsourced services via the use of cloud services where appropriate security measures are not in place.
{SOURCE: ICO’s Data Sharing Code of Practice [12], May 2011, modified}


3.1.15 near-miss
incident in which a security incident is narrowly avoided, either by chance or through deliberate action

3.1.16 need-to-know
grant of access to data and/or information relating to assets for an individual or organization where such access is necessary in order for them to perform their role satisfactorily and safely
[SOURCE: PAS 1192-5:2015, 3.1.18, modified]

3.1.17 operational technology (OT)
hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the organization

3.1.18 organization
person or group of persons that has its own function with responsibilities, authorities and relationships to achieve its objectives
[SOURCE: BS ISO 55000:2014, 3.1.13]

3.1.19 pattern-of-life
identification of habits, routines and preferences of individual(s) or group(s) that enable prediction of future actions and/or behaviour
[SOURCE: PAS 185:2017, 3.1.31, modified]

3.1.20 pattern-of-use
identification of routine actions in the handling, operation and management of assets
NOTE The pattern-of-use of assets could facilitate malicious pattern-of-life analysis by increasing the number of data and information sources that can be combined.
[SOURCE: PAS 185:2017, 3.1.32]

3.1.21 personal data
data which relates to a living individual who can be identified:
a) from those data; or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
NOTE Under GDPR [2], Article 4(1), personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. This definition comes into force from 25 May 2018.
{SOURCE: Data Protection Act 1998 [1], Section 1(1)}

3.1.22 personally identifiable information
also known as personal data

3.1.23 personnel
individual(s) employed by an organization, including contractors or temporary staff used to fulfil roles that are undertaken by that organization
[SOURCE: PAS 1192-5:2015, 3.1.22]

3.1.24 personnel security
system of policies, processes and procedures that seek to mitigate the risk of workers (inside an organization) exploiting their legitimate access to that organization’s assets for unauthorized purposes
NOTE These measures might be applied to all personnel that have access to, or use, the asset over its lifecycle, including personnel employed within the supply chain used to design, create, operate, decommission or dispose of the asset.

3.1.25 physical security
multi-layering of different physical measures designed to deter, detect or delay an attack


3.1.26 processing
obtaining, recording or holding information or data or carrying out any operation or set of operations on the information or data, including:
a) organization, adaptation or alteration of the information or data;
b) retrieval, consultation or use of the information or data;
c) disclosure of the information or data by transmission, dissemination or otherwise making available; or
d) alignment, combination, blocking, erasure or destruction of the information or data
NOTE Under GDPR [2], Article 4(2), processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. This definition comes into force from 25 May 2018.
{SOURCE: Data Protection Act 1998 [1], Section 1(1)}

3.1.27 referential master data
set of permissible values to be used by other data fields in shared data and/or shared information sets
NOTE Shared data is data that is subject to formal or informal data sharing (see 3.1.8). Shared information is information that is subject to formal or informal information sharing (see 3.1.14).

3.1.28 related services
services provided in support of the specification, procurement, configuration, installation, operation and maintenance of a manufactured product and/or system
NOTE The services could be digital, physical or hybrid in nature, for example:
a) physical service – the physical installation and maintenance of the product or system;
b) digital – digital artefacts such as manuals or websites providing information about the product(s) and/or system(s) and/or service(s); or
c) hybrid – remote condition monitoring and fault diagnostics for the product(s) and/or system(s).

3.1.29 risk appetite
amount of risk that an organization is willing to seek or accept in the pursuit of its long-term objectives
NOTE 1 Risk appetite might be set in relation to the organization as a whole, for different groups of risks, or at an individual risk level.
NOTE 2 In the manufacturing context, when determining the risk appetite, the needs and perspectives of all of the organizations involved should be taken into account.
{SOURCE: Chartered Institute of Internal Auditors [13]}

3.1.30 risk capacity
resource(s), including financial, intangible and human, which an organization is able to deploy in managing risk
NOTE The organization’s risk capacity is generally wider in scope than the risk appetite of the organization as it represents the limits beyond which the organization could not cope in the event that the risk(s) occur(s). For example, when seeking insurance cover, the organization assesses what residual risk it is prepared to accept, i.e. its risk appetite, which might be reflected in the excess payable if an insured event occurs, whilst the level of cover purchased reflects the risk capacity in respect of the insured risk(s). In assessing its risk appetite and risk capacity an organization considers both the gross risk and residual risk exposures, its reliance on controls and other mitigations, and the cost of implementing them in comparison to the consequences of the risk materializing.
{SOURCE: Chartered Institute of Internal Auditors [13]}

3.1.31 risk universe
full range of risks which could impact, either positively or negatively, on the ability of the organization to achieve its long-term aims
{SOURCE: Chartered Institute of Internal Auditors [13]}

3.1.32 sabotage
deliberate, malicious action carried out with the aim of weakening, obstructing, disrupting, damaging or destroying an asset, activity, service, organization or other entity
NOTE Sabotage might also be conducted with the aim of enabling the targeting of a secondary event that occurs as a result of the original action, for example, the evacuation of a building arising from the sabotage of a fire alarm.

© The British Standards Institution 2018 5


PAS 1085:2018

3.1.33 security
state of relative freedom from threat or harm caused by deliberate, unwanted, hostile or malicious acts, including sabotage

{SOURCE: Engineering Council, 2016 [14]}

3.1.34 security incident
event or events during which the security of an asset, organization or person is, or might be, compromised, either accidentally or deliberately
NOTE 1 Security incidents can take a number of forms including:
a) unauthorized harmful modification to, damage to or destruction of a physical asset;
b) supply of counterfeit raw materials, ingredients, physical and/or digital components, assemblies or sub-systems;
c) loss or theft of documents, storage media, IT equipment, attractive or valuable items;
d) loss, theft or unauthorized access to information or data;
e) loss, compromise, unauthorized manipulation or change of project or asset information;
f) unauthorized access to the built asset, or a restricted access area within the built asset;
g) loss of keys, access control tokens, passes, etc.;
h) planting of bugs or other surveillance devices; and
i) unauthorized access to, misuse of, or fraudulent use of ICT equipment or systems.
NOTE 2 A near-miss is an event in which a security incident is narrowly avoided either accidentally or through deliberate action.

3.1.35 security-minded
understanding and routine application of appropriate and proportionate security measures in any business situation so as to deter and/or disrupt hostile, malicious, fraudulent and criminal behaviours or activities and reduce the risk of security incidents

[SOURCE: PAS 1192-5:2015, 3.1.26, modified]

3.1.36 sensitive data
data, the loss, misuse or modification of which, or unauthorized access to, could adversely affect the privacy, welfare or safety of an individual or individuals; compromise intellectual property or trade secrets of an organization; cause commercial or economic harm to an organization or country; and/or jeopardize the security, internal and foreign affairs of a nation, depending on the level of sensitivity and nature of the data

[SOURCE: PAS 1192-5:2015, 3.1.28, modified]

3.1.37 sensitive information
information, the loss, misuse or modification of which, or unauthorized access to, could adversely affect the privacy, welfare or safety of an individual or individuals; compromise intellectual property or trade secrets of an organization; cause commercial or economic harm to an organization or country; and/or jeopardize the security, internal and foreign affairs of a nation, depending on the level of sensitivity and nature of the information

[SOURCE: PAS 1192-5:2015, 3.1.28, modified]

3.1.38 sensitive personal data
personal data consisting of information as to:
a) racial or ethnic origin of the data subject;
b) his political opinions;
c) his religious beliefs or other beliefs of a similar nature;
d) whether he is a member of a trade union;
NOTE Within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992 [3].
e) his physical or mental health or condition;
f) his sexual life;
g) the commission or alleged commission by him of any offence; or
h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings
NOTE Sensitive personal data under the DPA [1] will be defined as special categories of personal data under GDPR [2] and this will extend the range of personal data within this category. Under Article 9, the definition encompasses data which reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”. This definition comes into force from 25 May 2018.

{SOURCE: Data Protection Act 1998 [1], Section 2}

3.1.39 service
work done to meet some administrative, general, or user or customer need
NOTE Within the manufacturing context, a system supplying a user or customer need includes logistics, communications, utilities and product or system support.

3.1.40 stakeholder
third parties such as persons, personnel, or organizations that have a legitimate interest in the organization’s manufacturing activities, and/or the products, systems and any related services it delivers
NOTE The reference to persons encompasses people affected by the manufacturing operations, customers of the manufacturer, and any users or people affected by use of the manufacturer’s products, systems and any related services.

3.1.41 suitably qualified and experienced person
person who can demonstrate that they have:
a) sufficient evidence, from education, training and/or experience, to demonstrate:
1) knowledge and understanding of the security threats and vulnerabilities affecting the organization, its products and/or services, and any related services;
2) a detailed understanding of appropriate and proportionate security controls and countermeasures; and
3) practical experience of specifying and managing the implementation of security controls and countermeasures;
b) sound knowledge of security risk identification, analysis, evaluation and treatment; and
c) the ability to advise management on the implementation of security requirements and security practices for assets that might be subject to significant and enduring security threats, opportunities and vulnerabilities
NOTE The organization should undertake appropriate due diligence to verify the qualifications, training and/or experience of individuals to ascertain their suitability for the role, for example, looking for evidence that the individual has relevant experience. Membership of a relevant professional body, supported by evidence of up-to-date risk and security-related continuing professional development might be appropriate indications of relevant qualifications and experience.

3.1.42 supply chain
network of organizations, directly or indirectly interlinked and interdependent, resources, activities and technology involved in the creation and sale of products and/or systems, and any related services, from the delivery of source material(s) from the supplier(s) to the manufacturing organization, through to eventual delivery to the end user

3.1.43 system
group of interacting, interrelated, or interdependent elements forming a complex whole
NOTE A system can include physical, digital, process and human elements.

3.1.44 threat
potential cause of an incident which might result in harm to an asset(s), individual(s), and/or organization(s)

3.1.45 threat actor
person or organization that can adversely act on assets

3.1.46 vulnerability
weakness that can be exploited by one or more threats

3.2 Abbreviations
For the purposes of this PAS the following abbreviations apply.
DISA data and information sharing agreement
EDI electronic data interchange
GDPR General Data Protection Regulation
ICO Information Commissioner’s Office
ICT information and communications technology
OT operational technology/technologies
SaaS software as a service
SCSMP supply chain security management plan
SIMP security incident management plan
SMP security management plan
SyOpPs security operating procedures

4 Manufacturing organization’s environment

4.1 Understanding the need for security in manufacturing
The organization’s board-level management shall research, document and demonstrate an understanding of the range of potential security issues that are applicable to its business, assets, personnel and the environments and ecosystems in which its manufactured products, systems and/or related services are or might be used.
NOTE 1 Security operates on a number of levels ranging from national security issues (e.g. the protection against terrorism, tackling organized crime and detecting hostile acts by nation states), to preserving the value, longevity and ongoing use of an enterprise’s assets, whether tangible (e.g. a factory or physical stock), or intangible (e.g. preventing the loss or disclosure of intellectual property and nationally or commercially sensitive information). It also includes the handling of privacy issues (e.g. the protection of personally identifiable information).
NOTE 2 Good security can offer competitive advantage to the manufacturing organization by protecting their key assets and engendering trust by their stakeholders and owners or users in the products, systems and related services that are provided. For those involved in the design and delivery of new or modified products or services or the systems that use them, it can also provide competitive global positioning in an international market.
NOTE 3 Good security requires holistic risk assessment and applying the principles of proportionality to achieve an appropriate balance of the costs and constraints associated with protecting an asset versus the impact that its loss, compromise or failure can have on the organization and the organization’s stakeholders.
NOTE 4 It is important to recognize that once data and information has been published on the internet, or otherwise made publicly available, it is virtually impossible to delete, destroy, remove or secure all copies of the released data and information. In addition, the release of aggregated, apparently innocuous data and information can result in exposing sensitive or security information. Therefore, appropriate checks should be made before any data and/or information is made widely available.

4.2 Holistic approach to digital manufacturing security
4.2.1 The organization’s board-level management shall appreciate that effective security requires a holistic approach, as illustrated in Figure 5, that addresses security in respect of the following aspects as a minimum:
a) people, i.e. the personnel that have access to the organization’s assets;
b) physical, i.e. the physical environment in which the organization’s assets are designed, created, used, stored, and transported;
c) processes, i.e. the business processes used to:
1) acquire, transport, store, manage, maintain, and dispose of the organization’s assets;
2) design the product(s) and/or system(s) and any related service(s);
3) manage the classification and sharing of data and information, both within the organization and with its supply chain, professional advisers, customers and potential customers; and
d) technology, i.e. the design, operation, maintenance or support, decommissioning and disposal of electronic storage media, ICT equipment and systems, and the OT used by the organization.
NOTE Effective security reduces security risks to the lowest reasonably practicable level having due regard for the severity and likelihood of risks both individually and in combination and their impact on both the organization and its stakeholders. When assessing and treating risks, organizations should focus on developing and adopting appropriate and proportionate controls or countermeasures rather than focusing primarily on adopting specific physical or technological measures.

Figure 5 – Holistic approach to security

NOTE The eight security goals (confidentiality, availability, safety, resilience, possession, authenticity, utility and integrity) are applicable across the four security domains (people, physical, process and technical). For example, the physical composition of a digital processing system can affect the integrity of the data and/or information it processes, which can result in a loss of availability of a safety critical process leading to potential harm to the vehicle’s user or to a pedestrian.

4.2.2 The organization’s board-level management shall be aware of the cyber-physical security risks that arise where digital assets and processes have an impact on the physical characteristics of a manufactured asset associated with a product or service.

4.3 Digital manufacturing security issues

4.3.1 Loss or disclosure of intellectual property
The organization’s board-level management shall research, document and demonstrate an understanding of the need to protect its own and others’ intellectual property, which it holds, or which might be developed, and shall assess and record the potential consequences of the loss of, unauthorized access to, or improper use or re-use of that information.
NOTE 1 Intellectual property encompasses a range of material, including trade secrets, proprietary processes, technical specifications and detailed calculations or methodologies. Organizations often invest heavily in the development of intellectual property and through its use, licensing and sale can deliver significant commercial and economic benefits. The piracy, theft or unauthorized use of intellectual property can be damaging to the organization and a country’s economy as a whole.

NOTE 2 Some intellectual property is sensitive information that can be used to manifest a physical result in a manufactured object, in which case it irretrievably crosses the cyber-physical boundary. This behaviour has some, but not all, of the characteristics of disclosure, and should be taken into account when considering the protection of intellectual property. The sensitive data and/or information might include or reflect:
a) the composition or treatment of materials used in its manufacture;
b) proprietary aspects of the manufacturing process; and
c) where the object contains digital elements, the design and operation of those elements.
NOTE 3 Consideration should be given to the protection of intellectual property from loss, unauthorized access, or improper use or re-use. Scenarios to be considered might include:
a) development and use of intellectual property within the organization;
b) collaboration with third-parties, including universities and research institutes, through the lifecycle of the intellectual property;
c) disclosure of intellectual property to third-parties, including professional advisers and the organization’s supply chain;
d) publication or presentation of data and/or information relating to the intellectual property, for example in white papers, conference or trade publications; and
e) disclosure of intellectual property due to accessible characteristics of a product, system or service itself.

4.3.2 Criminal and malicious acts
The organization’s board-level management shall research, document and demonstrate an understanding of the need to protect from criminal acts its own personnel and others’:
a) assets; and
NOTE 1 Potential threats to the organization’s assets include theft, damage and sabotage. The physical security of the assets should be considered throughout their lifecycle.
NOTE 2 Where the assets are digital (for example, electronic files, designs, databases, etc.) or where the assets are systems that depend on ICT equipment and systems and/or the OT, there are increased business risks arising from malicious acts caused by a range of external and insider threats, such as damage caused by malware, hackers or disaffected personnel.
b) operations.
NOTE 1 The increasing use of email, EDI, collaborative platforms, websites and supplier portals to share information, place and track orders and/or deliveries, submit invoices, manage enquiries, and to monitor, manage and/or maintain deployed products or systems can provide opportunities for malicious use of these channels to commit fraud, gain unauthorized access to information and/or allow the spread of malware. There is increased business risk arising from loss, misuse or incorrect allocation of user credentials (for example through failure to verify the identity of a new user).
NOTE 2 Widespread use of digital and information technologies and the outsourcing of business operations creates increased business risks which could manifest themselves as loss of availability, functionality or performance, or the loss or corruption of digital artefacts, and the physical products that directly depend on them, including those manufactured using them.

4.3.3 Counterfeit and contaminated supplies
The organization’s board-level management shall research, document and demonstrate an understanding of the need to apply due diligence to reduce the risk of obtaining counterfeit, maliciously or fraudulently sub-standard, or contaminated items when purchasing assets, including raw materials, ingredients or manufactured items that are used in its own manufactured products or systems and any related services.
NOTE 1 The provenance of raw materials, ingredients, manufactured supplies and assets, and the integrity of the supply chain and logistics services used to handle them are both important if an organization is to reduce the risk of inferior, counterfeit or contaminated items entering their supply chain or facility. This might be as a result of the actions or inaction of a supplier or as a result of substitution in the sales and supply chain, for example where supplies are purchased as grey imports, i.e. outside of the authorized supply and distribution channels used by the original manufacturer or material supplier.
NOTE 2 Counterfeit and contaminated supplies are those which are deliberately and fraudulently mislabelled or described with respect to their identity, composition and/or source. Counterfeiting can apply to both branded and generic materials or products and the counterfeit might include elements:
• with the correct or incorrect ingredients/components;
• with or without insufficient key ingredients/components; or
• with fake packaging.

4.3.4 Loss or disclosure of commercially sensitive information
The organization’s board-level management shall research, document and demonstrate an understanding of the need to protect pricing, price sensitive or market sensitive data and/or information, especially during a tender, procurement or merger and acquisition processes, and shall understand the potential consequences of the loss of, or unauthorized access to, that information.
NOTE 1 In competitive markets, there is a need to address the risks of commercial espionage, including measures to prevent the loss of, or unauthorized access to, pricing or price sensitive data. Failure to provide adequate protection of sensitive information during tendering processes can damage both purchasers and suppliers.
NOTE 2 During preliminary discussions, negotiations and due diligence phases of a merger or acquisition, the organization might be required to disclose sensitive information relating to its business and manufacturing operations and its intellectual property. The organization’s board-level management should be aware of the risk of this information being compromised or issued, particularly in the event that the merger or acquisition does not proceed to completion.
NOTE 3 In situations where professional advisers (for example lenders, financial advisers, accountants, legal advisers, patent agents, etc.) are involved in a transaction, for example supporting the negotiation of a major sale or acquisition, appropriate and proportionate protection of any sensitive information held or accessed by the advisers should be addressed in the advisers’ contracts, including remedies available in the event of loss or compromise of the information whilst in the possession or control of the advisers.

4.3.5 Release of personally identifiable information
The organization’s board-level management shall research, document and demonstrate an understanding of the need to safeguard personally identifiable information, in particular when responding to requests for information under Environmental Information Regulations [4] or where applicable the Freedom of Information Act [5 and 6].
NOTE 1 At a minimum, all manufacturing organizations are likely to hold personally identifiable information about their current, former and potential new personnel. Depending on the nature of the products or systems manufactured by the organization, it might also hold personally identifiable information about stakeholders, for example information about:
• suppliers, professional advisers;
• customers or end users of directly purchased items; and
• customer/user data and/or information relating to warranty or support enquiries.
NOTE 2 Unauthorized access to personally identifiable information can enable more targeted social engineering and phishing attacks.
NOTE 3 Increasingly manufactured products, systems and related services handle personal data and/or information, so should be designed with the privacy requirements and responsibilities of their users/owners and operators in mind.
NOTE 4 The objectives of the Security of Network and Information Systems Directive (also known as the NIS Directive) [11] and its supporting principles are relevant when considering the protection of data and information, and/or seeking to reduce the risk and impact of cyber-attacks.

4.3.6 Pattern-of-use information
The organization’s board-level management shall research, document and demonstrate the need to safeguard pattern-of-use information, which might be used as a source of intelligence regarding the:
a) use of its manufacturing equipment;
NOTE The move towards servitization of assets, e.g. power-by-the-hour rental of generators, and the use of remote monitoring to support predictive maintenance, remote diagnostics and reactive support contracts might result in significant volumes of sensitive pattern-of-use data being collected, processed and stored by third-parties.
b) operation of its supply chain; and
NOTE Analysis of delivery patterns, volumes, etc. can reveal commercially sensitive information about the operation of a plant, or the preparations for launch of a new product, etc.
c) location and use of manufactured artefacts once deployed and in operation.
NOTE The presence or absence of telemetry data from industrial systems, plant and machinery can provide market sensitive information about the state of a plant or site and its readiness for production.
NOTE Pattern-of-use information can assist a hostile or malicious party when they are performing hostile reconnaissance by revealing data and information about how a process, system or manufactured artefact operates, frequency and duration of use, and in some cases the location at which it is being used.

4.3.7 Aggregation of data and/or information


For sensitive or potentially sensitive assets, the
organization’s board-level management shall require
that advice is sought to gain an understanding of
the increased risks and sensitivity that occur through
aggregation of data and/or information.
NOTE 1 Sources of advice can include suitably qualified
and experienced persons within the organization and/
or specialist security advisers outside the organization.
NOTE 2 Aggregation can occur through manual
or automated processes and refers to where data
is collected and collated, and possibly analysed
to allow meaningful and useful interpretation of
initially isolated or independent facts or data. It has
the potential to increase the business impact of any
compromise, whether accidental or intentional. The
data aggregation risks can arise from:
a) aggregation by accumulation, where the volume
of data and/or information stored together
increases the level of impact that would occur if
it was compromised;
b) aggregation by association, where the association
of different types of data and/or information,
which in themselves have little or no impact when
compromised, when associated together, have a
higher level of impact;
c) a combination of accumulation and association; or
d) disclosure of too much data and/or information,
e.g. in response to a public access request or media
enquiry, allowing a third-party to draw inferences
from the disclosed material or create unplanned
associations.
NOTE 3 Individual facts, data or information items
might not create a harmful situation, but through
aggregation could allow a hostile party to develop a
better understanding and more comprehensive picture
regarding the operation of the organization, its supply
chain, customer, professional advisers and the use of
items it manufactures.
NOTE 4 The increased connectivity and servitization of products and systems contribute to the potential security issues arising from aggregation of data and/or information regarding the use, location, deployment, etc. of products and systems. Particular care is required with complex products and/or systems where there might be multiple feeds of data and/or information to both the organization and some of its suppliers.

5 Security governance

5.1 Establishing context
5.1.1 The organization’s board-level management shall own, manage and govern security within the organization and in relation to its supply chain, by adopting a security-minded approach that is documented in a security strategy. It shall apply to its business and manufacturing operations, including manufacturing systems-related assets, and to the products, systems and/or related services that it delivers.
5.1.2 To fulfil the requirements set out in 5.1.1, the organization’s board-level management shall establish the organization’s context, as illustrated in Figure 6, by:
a) identifying, assessing and documenting security requirements arising from legislation, regulations and standards applicable to its operations and the products and/or systems that it manufactures, and any related services provided;
NOTE 1 Some security requirements can arise from the organization’s role within a supply chain, for example where an organization is regularly shipping substantial volumes of air cargo it can apply to become a regulated agent, providing its operations meet specific security criteria. This eliminates the need for further searching or screening on receipt of the cargo at the airport, thus facilitating the smooth passage of cargo to its destination.
NOTE 2 If the organization operates in, and/or its manufactured products are used in, multiple jurisdictions, there might be a complex portfolio of requirements that need to be satisfied.
b) researching and documenting the:
1) operating and business environments within which its business, supply chain, manufacturing facilities operate, and in which its products, systems and related services are and might be used in future;
NOTE This should consider the political, economic (both financial and competitive), social, technological, legal (including jurisdiction, legislation and regulatory) and environmental factors that affect or could affect the organization, but specifically focus on security-related aspects.
2) threat landscape, based on the organization’s scope as determined in accordance with 5.2 and taking into account known and potential security risks, vulnerabilities and threat actors;
NOTE Depending on the scope of the organization’s activities the above factors might need to be addressed at international, national, regional and/or local levels.
c) identifying, assessing and documenting the needs and expectations of its stakeholders regarding the security of the organization and its manufactured items;
d) identifying, assessing and documenting the organization’s plans and objectives, the key drivers and trends having impact on them, and the potential security implications;
e) establishing, documenting and maintaining a record of the organization’s:
1) scope (see 5.2);
NOTE The organization’s scope encompasses the nature and scale of its past, present and planned or foreseeable business and manufacturing activities. The scope also determines its current and future security liabilities. Past business activities are relevant as they might result in latent liabilities, for example:
i) security liabilities arising from known or emergent vulnerabilities;
ii) product liabilities arising from defects in the manufacturing process, including any associated digital artefacts;
iii) service liabilities arising from failures, including non-availability of any manufacturing related services; and
iv) professional indemnity liabilities arising from negligent or defective delivery of design or advisory services.
2) governance approach (see 5.3);
3) security context; and
NOTE The security context is determined by:
i) external factors such as legislation, regulation and standards, the organization’s operating and business environments, the threat landscape, and stakeholder needs;
ii) internal factors such as the organization’s plans and objectives, its scope of operations; and
iii) the nature and use to which its manufactured items are put, the security threats to which it and similar organizations are exposed, and the nature of vulnerabilities in the products or systems it manufactures.
4) risk appetite (see 5.4).
NOTE Where an organization has existing products, systems or services in use the security context relates to historic, current and emergent security issues. For example, where a legacy product is still in use and a security vulnerability emerges, which if exploited would have serious safety or security consequences, the organization might have a legal responsibility to mitigate the vulnerability.

5.1.3 The organization’s security strategy shall:
a) be aligned with the organization’s broader mission and objectives;
b) be consistent with and supportive of the organization’s context as determined in 5.1.2;
c) establish the security goals in respect of:
1) the business architecture and its through-life management of the organization, its data, information, products, systems, services, processes and structures;
2) capability development through security awareness initiatives, training and development so that personnel can acquire and maintain awareness and competence to fulfil their roles in a security-minded fashion and contribute to an effective security culture; and
3) management of security risks across the organization, its supply chain, customers and the users or operators of its products, systems and/or related services;

Figure 6 – Establishing the organization’s context

NOTE The concept of a holistic security-minded approach is described in 4.2.

d) establish the need for and scope of a reporting system used to inform the organization’s board-level management of the effectiveness of security measures, including handling of security incidents and any subsequent mitigation activities or improvement initiatives;
e) set out the process that is to be regularly used to review and maintain the organization’s security to reflect changes in the security context through:
1) implementation of new or amended legislation, regulation and standards;
2) developments in:
i) the organization’s structure, processes, business plans and objectives;
ii) its data, information, products, systems, services;
iii) the operating environment for the business and its products and/or systems, and any related services; and
iv) stakeholder needs;
3) changes to the security threat landscape, for example emerging threat actors, threats, opportunities and vulnerabilities;
f) be reviewed at least annually or earlier if there are:
1) significant changes to any of the items listed in 5.1.3e); or
2) following a security incident, or a near miss (i.e. a narrow avoidance of a security incident).

5.1.4 The organization’s board-level management shall ensure that its business plans and strategies are aligned to the organization’s security strategy.
NOTE For example, if the organization’s human resource strategy involves employment of contractors to fill certain roles or give flexibility to meet varying demand, then the security strategy should address the need to have appropriate policies, processes and procedures in place to manage security vetting of contractors employed in sensitive roles.

5.2 Determining the organization’s scope

5.2.1 The organization’s board-level management shall establish, document and maintain a record of the organization’s scope, which as a minimum shall comprise an overview of the:
a) organization’s assets, both physical and digital;
b) organization’s current operations, to include:
1) the locations at which it operates;
2) the organization’s ICT equipment and systems, including any outsourced or externally hosted components;
3) the organization’s OT;
NOTE The organization’s OT, at a minimum, comprises the organization’s manufacturing systems and might also include systems used to secure and control the manufacturing and/or storage environments.
c) type of items manufactured, encompassing:
1) items likely to still be in use, but no longer manufactured;
2) currently manufactured items and services associated with them;
3) planned new manufactured items and services associated with them; and
4) any services offered in support of 5.2.1c) 1) and 2).
NOTE The purpose of this activity is for the business to make decisions about what markets it wishes to operate in. Depending on the nature of the manufacturer’s products, systems and any related services, moving into different markets or territories may change the security threats that the organization is exposed to.
d) organization’s supply chain, to include suppliers of:
1) raw materials or ingredients;
2) physical products (e.g. components, sub-assemblies, systems and equipment) which are:
i) incorporated in the manufactured items;
ii) used during the manufacture, storage, shipping and maintenance of the manufactured items; and
NOTE An appropriate and proportionate approach is required; for example, the arrangements for storage or shipping may not be an issue unless they involve specific handling conditions and packaging to: protect very fragile items; prevent contamination; deter, prevent and/or detect any interference with the shipped items.
iii) used to manage the manufacturing processes;
3) digital products/artefacts that are used by or to manufacture, shipped with or incorporated in the items listed in 5.2.1d) 2).
NOTE See 8.2 regarding understanding the organization’s supply chain.
5.3 Security governance and management

5.3.1 The organization’s board-level management shall establish a structure to manage the organization’s security-related requirements, which is commensurate with the documentation specified in 5.1.2b).

5.3.2 The security management responsibilities within the organization’s board-level management shall:
a) set out the personal accountability of board-level managers for the ownership and management of security risks;
b) where applicable, set out the arrangements for delegation within the organization of responsibility, but not accountability, for security of specific processes, assets, products, systems and services; and
c) establish the arrangements for the periodic review and, where necessary, updating of security management responsibilities to reflect changes to the organization, its business processes, operations and assets.
NOTE The organization’s board-level management might consider that an annual or biennial review is appropriate and proportionate, but with the option to conduct ad hoc reviews in the event of serious security incidents and/or prior to any significant changes to the organization, its operations, products and/or services, and any related services.

5.3.3 Where the organization’s board-level management agrees to delegate specific security responsibilities, this shall be documented; however, accountability shall remain with the board-level managers.

5.4 Determining the risk appetite

The organization’s board-level management shall establish, document and maintain a record of the organization’s risk appetite in a statement that:
a) establishes direct links to the organization’s plans and objectives;
b) recognizes the organization has a portfolio of objectives, manufactured items, services and projects;
c) establishes a risk management strategy through allocation of resources, including people, the use of processes and the architecture and operation of the organization’s physical and technical infrastructure;
d) provides clarity and precision to enable communication of its risk appetite throughout the organization;
e) sets acceptable tolerances and parameters for risk;
f) specifies the frequency of regular reviews and updates to the statement to address changes in the risk universe and the organization’s risk capacity; and
g) establishes the monitoring and assurance policies, processes and procedures required to ensure effective and consistent application of the risk management strategy.
6 Assessing and managing security risks

NOTE When identifying security risks, it is appropriate to consider them from a number of perspectives, including:
• operational, i.e. the potential impact on the business through disruption of business and/or manufacturing activities, reputational damage;
• confidentiality and privacy, i.e. the loss of or unauthorized access to sensitive information and/or personally identifiable information;
• safety, i.e. the potential harm to individuals, assets or the environment arising from the failure, in whole or in part, or misuse of manufacturing-related systems or the manufactured products and/or systems and any related services;
• financial, i.e. the costs associated with managing and responding to a security incident, any subsequent legal costs, fines, etc., and the potential loss of income or profit as a result of diverting resources during a security incident response;
• legal, arising from non-compliance with legislation or regulations, e.g. data protection; and
• third-parties, arising from harm caused to one or more third-parties, for example spreading malware to third-party products or systems, provision of inaccurate or misleading data and/or information leading to corruption of databases, etc.

6.1 Security risk management approach

6.1.1 The organization’s board-level management shall establish, document and operate an appropriate and proportionate approach to security risk management.

6.1.2 The organization’s risk management processes shall encompass identification, categorization, prioritization and treatment of security risks.

6.1.3 The organization shall acquire knowledge of the concepts and relationships illustrated in Figure 7 as they relate to the organization’s assets, particularly its manufacturing-related assets, and the manufactured products and/or systems, and any related services.

Figure 7 – Security concepts and relationships
6.1.4 The security risks to be considered shall include those to the organization’s:
a) business operations, critical assets and functions;
b) manufacturing assets;
c) manufactured products and/or systems and any related services;
d) supply chain, considering both the suppliers and the materials or services they supply; and
e) to others arising from a failure to implement appropriate and proportionate security measures in respect of 6.1.4a) to d).
NOTE 1 There is a complex relationship between safety (hazards) and security (threats) in all cyber-physical products and systems. Both can result in adversity. Products and/or systems, and any related services, are unlikely to be safe if not appropriately secured. The organization should aim to reduce the risk of a threat actor exploiting a vulnerability that could result in damage to the manufactured products and/or systems, other assets or the environment, or result in serious injury or death as a consequence of the failure or misuse of the manufactured items or manufacturing-related assets.
NOTE 2 In December 2014, the German government released an annual report, in which they noted that a threat actor had infiltrated a steel manufacturing facility by using a spear phishing email to gain access to the corporate network and then moved into the plant network. According to the report, the threat actor was able to cause multiple components of the system to fail. This security incident specifically caused critical process components to become unregulated, which resulted in massive physical damage to the asset.2)

6.2 Asset-based risk register

6.2.1 The organization’s board-level management shall develop, document and maintain an asset-based risk register, which encompasses the known security risks to an organization’s assets as defined in 6.1.4, and where the scope of the risk assessment for the assets is consistent with:
a) the security context of the organization; and
b) the security strategy that has been approved by the organization’s board-level management.
NOTE In considering known risks this should be interpreted as encompassing the security risks which it could reasonably be judged to affect the items listed in 6.1.4. For example, if the organization is delivering a web-based customer support service, it would be reasonable to expect that the website has addressed known technical vulnerabilities including, for example, the OWASP 3) top 10 web application vulnerabilities.

6.2.2 The asset-based risk register shall be developed using the approach outlined in Figure 8, where the key steps are:
a) to identify and decompose the organization’s assets to an appropriate level;
NOTE 1 In a similar manner to techniques such as Failure Mode Effects Analysis (FMEA) there is likely to be a need to decompose complex or hybrid assets into their constituent parts. For example, in a cyber-physical system there is a need to consider the risks associated with the physical elements, the cyber (digital) elements and their combination. The decomposition might therefore consider the risk of vandalism or malicious damage to key physical components as well as the threats arising from hackers or malware that affect the digital control systems.
NOTE 2 When considering what is an appropriate level to decompose the assets to, the objective is to identify the lowest level at which risk is going to be managed. For example, when considering an office computer, the minimum decomposition might be applications, operating system, processing hardware and any networking or communications connectivity. Depending on the nature of its use and the sensitivity of any data and/or information processed on it, additional decomposition might be required to cover data storage and any access control mechanisms.
b) to assess and identify for each asset:
1) its criticality and the impact of:
i) its loss, corruption or compromise;
ii) its failure, either partially or as a whole;
iii) its misuse or abuse (whether unintentional or malicious); and
iv) its incorrect operation on the manufactured item;
2) its vulnerabilities;
3) its hazards; and
4) potential threats and opportunities;
c) to assess and determine the attractiveness of each asset to specific threat actors by considering their motivation and capability;
d) to use the information gathered in 6.2.2a) to c), to synthesize and prioritize the potential risks to the organization, its manufacturing processes, its manufactured products and/or systems, and any related services;
e) to consider the security risks that arise through the composition, integration and/or interaction of components, sub-systems and systems, and where appropriate their interaction as systems-of-systems;
NOTE The composition, integration and/or interaction risks arise from the selection of elements and how they are integrated. Complementary weaknesses in two or more products that are being integrated can significantly increase the risks of exposure of the combined vulnerability and subsequent exploitation.

2) For further information on this incident see: https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf [15].
3) See: www.owasp.org [16].
f) to consider risks arising from data and/or information aggregation:
1) within the organization; and
2) through the data and/or information generated and/or processed by its products and/or systems, and any related services;
NOTE See 4.3.7 for further information on aggregation of data and/or information, and 11.2 regarding aggregation of public/published data and/or information.
g) to take each of the risks in turn, as part of an iterative process considering the acceptability of the risk, taking into account:
1) the available risk capacity of the organization;
NOTE The organization’s risk appetite is determined when considering the organization’s context.
2) the combinational effects of risks; and
NOTE Combinational effects occur where there is a linear path of negative events. In the context of a cyber incident, this is often called an “attack path”. For example, in the security incident involving loss of customer card data from Target stores,4) the supplier’s use of a home anti-virus product failed to detect password logging malware attached to an email, which allowed capture of the login credentials for Target’s supplier portal, and the poor configuration, use of default passwords and failure to apply security patches allowed the criminals to install malware on the company’s point of sale systems, thus harvesting information on some 40 million consumer credit and debit cards. This combination of risks created the environment that made the attack possible.
3) the cascading effects of risks;
NOTE 1 Cascading effects occur where there is a non-linear path of events occurring, including amplification and subsidiary negative events or outcomes. The cascade effect is particularly likely to occur in complex systems, i.e. systems of systems, where there is not a simple linear relationship between systems or sub-systems. In these cases, rather than the effect of the risk spreading in a simple longitudinal fashion, instead the effect spreads like a ripple affecting multiple assets that might not be directly connected to each other.
NOTE 2 It is important that risks are not considered in isolation. In a complex manufacturing process or environment there might be considerable interaction between risks. For example, a manufacturing system might include a digital component that has a known vulnerability. A risk assessment concludes this to be of low risk as the system is behind the enterprise’s firewall. However, the risk of the known vulnerability being exploited is likely also to be contingent on the protection of any remote diagnostic capability within the factory, the policies regarding the use of removable media, bring your own devices and the handling of email attachments.
h) where a risk is considered to be acceptable, review and update the organization’s risk capacity to reflect the risk being carried;
i) where a risk is considered unacceptable:
1) identify and assess potential mitigation measures;
2) select and apply as appropriate;
3) record the risk treatment; and
4) return the residual risk to the identification and analysis stage;
j) to consider for the portfolio of risks:
1) the nature of the threat environment(s);
2) an appropriate and proportionate frequency for the scheduling of risk reviews to re-evaluate the risk portfolio; and
NOTE The organization’s board-level management might consider that annual or biennial reviews are sufficient; however, the frequency should be determined by how dynamic the threat environment is.
3) the triggers that would prompt an ad hoc review of some or all of the risk portfolio;
NOTE Triggers can include: the emergence of a new threat actor; changes in the security context; identification of new/emerging vulnerabilities; and identification or publication of new exploits enabling easier access to vulnerabilities or increasing their impact.
k) to maintain situational awareness by monitoring:
1) risks and opportunities;
2) emerging threats and vulnerabilities; and
3) the organization’s scope and security context.

4) US Senate Report on the incident. Available from: www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf [17].
Figure 8 – Risk management approach

6.2.3 The asset-based risk register shall contain:
a) a list of the organization’s:
1) business assets; and
2) manufacturing-related assets;
NOTE The use of the term asset in Clause 6 includes asset data and asset information and inventory or stock items that are available but not yet in use.
b) appropriate and proportionate decomposition of the assets listed in 6.2.2a) to the level at which they are supplied to, purchased, licensed or created by the organization;
c) the risks related to:
1) the organization;
2) its supply chain;
3) its manufacturing-related assets; and
4) its manufactured products and/or systems, and any related services;
d) allow separation and analysis of the risks by:
1) the categories listed in 6.2.2a), taking into account the decomposition required in 6.2.2b);
2) individual suppliers in its supply chain;
3) where known, the products, systems or services in which the manufactured items, and any related services, are used or installed; and
4) customers, where the organization is not selling its products, systems or services to the end consumer.
NOTE Where the organization is selling its products, systems or services to a systems integrator, manufacturer or assembler, it is the identity of this third-party that should be recorded so that they can be notified of any future security issues.

6.2.4 For each risk in the asset-based risk register, the following shall be recorded:
a) a unique risk identifier;
b) a name or title for the risk;
c) the asset(s) affected by the risk;
d) the scope of the risk, including details of the possible risk event(s) and their size, type and number;
NOTE The scope of the risk determines the boundaries of the impact, for example whether the risk affects multiple items as it arises from a component within them, for example a defect in an integrated circuit, circuit board or piece of software.
e) the stakeholders, both internal and external, and their expectations in the event that a risk event occurs;
f) the risk evaluation, including the likelihood of an event occurring and its magnitude, and potential impact or consequence should the risk materialize at the assessed level;
g) any loss experienced, for example information from previous incidents and any prior experience of loss events related to this risk;
h) risk tolerance or limit for the risk, i.e. the acceptable loss potential or financial impact in the event that a risk event occurs, and any targets for controlling the risk or limiting performance impact;
i) the risk response, treatment and controls, i.e. the mechanisms to be used to manage the risk and control its impact and the mechanisms to be used to monitor and review their performance;
j) the potential optimizing of risk management across the portfolio of risks, i.e. the potential for cost-effective risk reduction or modification, timescales and responsibility for implementation; and
k) the ownership of the risk, i.e. who is responsible for monitoring compliance with any controls and the risk management strategy.
NOTE Unless explicitly delegated as part of the security strategy, the risk owner should be a board-level manager.
NOTE The consequences or impact of a risk materializing can be negative (i.e. hazard risks), positive (i.e. opportunity risks) or might result in further uncertainty.

6.2.5 The information contained in the asset-based risk register, either in whole or in part, is sensitive information and access to it shall be managed on a need-to-know basis, with security measures implemented that are appropriate to the level of risk, with regard to its creation, storage, distribution and use.
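The register structure required by 6.2.3 and 6.2.4, together with the decomposition of 6.2.2a), the prioritization of 6.2.2d) and the separation by category and supplier of 6.2.3d), as an added Python example. This is not code from BSI or from PAS 1085. The asset hierarchy, the fictitious suppliers, the 1 to 5 likelihood and magnitude scale, and the resulting scores are constructed assumptions; the PAS itself does not prescribe a scoring scale.

```python
"""Asset-based risk register modelled on PAS 1085:2018, 6.2.2 to 6.2.4. Added
illustration, not code from BSI or PAS 1085: the asset names, suppliers and the
1-5 likelihood/magnitude scale are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Asset:
    asset_id: str
    name: str
    category: str                   # 6.2.3a): "business" or "manufacturing"
    supplier: Optional[str] = None  # 6.2.3d) 2): supplier of this asset, if any
    parent: Optional[str] = None    # 6.2.2a): composite asset this was decomposed from

@dataclass
class Risk:
    # One register entry; the fields map onto 6.2.4a) to k).
    risk_id: str             # a) unique identifier
    title: str               # b)
    assets: List[str]        # c) ids of the affected assets
    scope: str               # d) possible events, their size, type and number
    stakeholders: List[str]  # e)
    likelihood: int          # f) 1 (rare) .. 5 (almost certain), constructed scale
    magnitude: int           # f) 1 (negligible) .. 5 (severe), constructed scale
    loss_history: str        # g)
    tolerance: str           # h)
    treatment: str           # i) response, treatment and controls
    optimisation: str        # j) portfolio-level options
    owner: str               # k) a board-level manager unless delegated

    def score(self) -> int:  # likelihood x magnitude, ranks risks for attention (6.2.2d))
        return self.likelihood * self.magnitude

@dataclass
class RiskRegister:
    assets: Dict[str, Asset] = field(default_factory=dict)
    risks: Dict[str, Risk] = field(default_factory=dict)

    def add_asset(self, asset: Asset) -> None:
        if asset.category not in ("business", "manufacturing"):
            raise ValueError(f"{asset.asset_id}: unknown category {asset.category!r}")
        if asset.parent is not None and asset.parent not in self.assets:
            raise ValueError(f"{asset.asset_id}: parent {asset.parent!r} not registered")
        self.assets[asset.asset_id] = asset

    def add_risk(self, risk: Risk) -> None:
        """Reject entries that fall short of the minimum record required by 6.2.4."""
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk identifier {risk.risk_id!r}")
        if not risk.assets or any(a not in self.assets for a in risk.assets):
            raise ValueError(f"{risk.risk_id}: affected assets missing or unknown")
        for name in ("title", "scope", "loss_history", "tolerance",
                     "treatment", "optimisation", "owner"):
            if not getattr(risk, name).strip():
                raise ValueError(f"{risk.risk_id}: field {name!r} is empty")
        if not (1 <= risk.likelihood <= 5 and 1 <= risk.magnitude <= 5):
            raise ValueError(f"{risk.risk_id}: likelihood/magnitude outside 1..5")
        self.risks[risk.risk_id] = risk

    def lineage(self, asset_id: str) -> List[str]:
        """The asset and each composite it belongs to, innermost first."""
        chain, cur = [], asset_id
        while cur is not None:
            chain.append(cur)
            cur = self.assets[cur].parent
        return chain

    def by_category(self, category: str) -> List[Risk]:
        """6.2.3d) 1): risks touching at least one asset in the category."""
        return [r for r in self.risks.values()
                if any(self.assets[a].category == category for a in r.assets)]

    def by_supplier(self, supplier: str) -> List[Risk]:
        """6.2.3d) 2): risks to an asset, or to a sub-asset of one, from a supplier."""
        return [r for r in self.risks.values()
                if any(self.assets[aid].supplier == supplier
                       for a in r.assets for aid in self.lineage(a))]

    def prioritised(self) -> List[Risk]:
        """Highest score first; ties broken by identifier for a stable order."""
        return sorted(self.risks.values(), key=lambda r: (-r.score(), r.risk_id))

def build_sample_register() -> RiskRegister:
    """Constructed sample for a fictitious press line; none of it is real data."""
    reg = RiskRegister()
    for a in (Asset("A1", "Press line 1", "manufacturing"),
              Asset("A1.1", "Line PLC", "manufacturing", "Example PLC Co", "A1"),
              Asset("A1.1.1", "PLC firmware", "manufacturing", None, "A1.1"),
              Asset("A1.2", "Remote diagnostics gateway", "manufacturing", "Example Remote Ltd", "A1"),
              Asset("B1", "Customer support web portal", "business")):
        reg.add_asset(a)
    reg.add_risk(Risk("R-001", "Unpatched vulnerability in PLC firmware", ["A1.1.1"],
                      "every line fitted with this PLC model", ["operations", "Example PLC Co"], 3, 5,
                      "none recorded", "no unplanned stoppage over 4 h",
                      "vendor patch programme; segmented control network", "share cadence with R-002", "COO"))
    reg.add_risk(Risk("R-002", "Diagnostics gateway on default credentials", ["A1.2"],
                      "one gateway with remote access to line 1", ["operations"], 4, 4,
                      "near miss noted at last audit", "no unauthenticated remote sessions",
                      "change credentials; MFA; declared support windows only", "review with R-001", "COO"))
    reg.add_risk(Risk("R-003", "Injection flaw in support portal", ["B1"],
                      "one externally facing web application", ["customers", "IT"], 2, 3,
                      "none recorded", "no customer data exposure",
                      "OWASP Top 10 review; parameterised queries", "bundle with annual pen test", "CIO"))
    return reg
```

The supplier view walks the decomposition upwards, so a risk recorded against the PLC firmware is reported under the PLC's supplier even though the firmware entry itself names none; that is the 6.2.3b) decomposition being honoured by the 6.2.3d) 2) separation. The `add_risk` checks are what turn the 6.2.4 list into something enforceable rather than a template.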

7 Implementing the organization’s security strategy

7.1 General

To give effect to the organization’s security strategy (see 5.1), the organization’s board-level management shall develop, document, implement and maintain a security management plan that addresses the specific security objectives in the organization’s security strategy and the controls required to treat the risks identified in the organization’s asset-based risk register.

7.2 Security management plan (SMP)

7.2.1 The SMP shall apply across all of the organization’s activities, in particular in respect of:
a) management and sharing of data and information (see Clause 11);
b) the development and delivery of new manufacturing assets or processes;
c) the operation of existing business and manufacturing assets and processes in the organization’s digital ecosystem;
d) the organization’s manufactured products, systems and/or related services; and
e) the decommissioning, and transfer or disposal of manufacturing-related assets when no longer required by the organization.

7.2.2 The SMP shall cover the people, processes, physical and technological aspects of the organization’s operations by addressing the following elements:
a) policies which set out the security-related business rules derived from the security strategy;
b) processes which:
1) are derived from the security policies;
2) provide or enable the controls required in the asset-based risk register; and
3) provide guidance on their consistent implementation throughout the lifecycle of the asset;
c) procedures that comprise the detailed work instructions relating to repeatable and consistent mechanisms for the implementation and operational delivery of the processes and controls;
d) the monitoring and auditing requirements that are to be used to measure effectiveness of the plan and compliance with policy, processes and procedures;
e) the mechanisms for reviewing and updating the SMP and related documents;
f) a security incident management plan (see 7.3); and
g) a supply chain security management plan (see 7.4).
NOTE Depending on the size and/or nature of the organization the SMP might be a single document containing all of the elements listed above or it might be an overarching document that references a suite of documents covering the elements.

7.3 Security Incident Management Plan (SIMP)

7.3.1 The SIMP is intended to enable an effective and coordinated response to incidents and shall include:
a) a summary of the risk assessment of potential risks in the event of a security incident;
NOTE The risks should be recorded in the asset-based risk register, and only a brief summary provided in this plan.
b) the policy, processes and procedures to be followed in the event of an actual or suspected security incident, which shall include:
1) the forensic readiness measures required to enable, when required, the capture of forensic information about an incident for use by law enforcement, and/or detailed analysis of the root causes of the incidents;
2) the process to be followed on the discovery or suspicion of an incident;
3) the process to be followed on identification of a near-miss;
4) business continuity measures required in the event of failure, impairment or non-availability of:
i) the manufacturing-related assets; and
ii) any systems providing or supporting services associated with the manufactured products and/or systems;
5) any manufactured products and/or systems outside of the organization’s premises that are affected by a security incident;
NOTE The extent to which the manufacturer might be required to provide this depends on the nature of the manufactured items, the warranty and contractual provisions and might also be determined by legislation or regulation applicable in the jurisdiction in which the manufactured items are located and/or used.
6) notification by a third-party of a security incident concerning the organization’s manufactured products and/or systems, or related services;
NOTE Examples of potential third-parties include: a supplier to the organization; or a customer of the organization (where the manufactured items or related services are not supplied directly to an end user); or the end user(s) of the organization’s manufactured products and/or systems, or related services.
7) the disaster/incident recovery actions required in the event of serious failure scenarios affecting or likely to affect:
i) the manufacturing-related assets; and
ii) any systems providing or supporting services associated with the manufactured products and/or systems;
8) steps to be taken to contain and recover from the event.
c) the arrangements where applicable to access data and logs on affected or potentially affected manufacturing-related systems used by the organization, including:
1) what can be accessed and why;
2) how the data and/or logs are to be used;
3) under what circumstances they can be accessed;
4) who is authorized to access the data and/or logs;
5) how the data and/or logs are to be protected; and
6) the arrangements for the secure deletion of the data and/or logs when no longer required.
d) where, in accordance with 7.3.1b) 4), the organization is required to assist the owner and/or user of a manufactured product and/or system, and any related service, the arrangements where applicable to access data and logs as specified in 7.3.1c); and
e) the review process to be followed after a security incident, or near miss, including:
1) the process for assessing the ongoing risk;
2) the process for evaluating the incident and the response;
3) a review of any hosting or cloud service provider’s, or other outsourced service provider’s incident management plan where applicable;
4) the need for changes to the contractual provisions to handle security incidents caused by a professional advisor, contractor or supplier; and
5) the mechanisms for reviewing and updating the SIMP.

7.3.2 Access to any part of the SIMP which details sensitive information (for example, risks to the organization, its function, processes, manufacturing-related assets, personnel and third-parties) shall be managed on a strict need-to-know basis, with the information contained within it subject to security measures with regard to its creation, storage, distribution and use.

7.3.3 For those elements of the SIMP which address policies, processes and procedures relating to incidents the initial business continuity actions shall be:
a) written so that, as far as is practicable, they do not contain sensitive information;
b) made available to all relevant personnel; and
c) periodically rehearsed, to maintain awareness and to test their effectiveness.

7.4 Supply Chain Security Management Plan (SCSMP)

7.4.1 The organization’s board-level management shall develop, document, implement and maintain a SCSMP that defines the contractual and operational measures required for the adoption of an appropriate and proportionate security-minded approach throughout the organization’s supply chain.
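The six arrangements that 7.3.1c) requires for access to data and logs on manufacturing-related systems, with the strict need-to-know handling of 7.3.2, as an added Python example. This is not code from BSI or from PAS 1085: it records one arrangement per system and checks an access request against it, so that every refusal names which of the six points was not met. The system name, log sources, roles, purposes, incident identifiers and the 90-day retention period are constructed assumptions.

```python
"""Check a request to access data or logs on a manufacturing-related system against
the arrangements PAS 1085:2018 7.3.1c) says the SIMP must record (what, why, under
what circumstances, who, protection, secure deletion). Added illustration, not code
from BSI or PAS 1085; system names, roles, purposes, incident ids and the retention
period are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class LogAccessArrangement:
    system: str
    sources: Set[str]            # 1) what can be accessed
    purposes: Set[str]           # 2) how the data and/or logs are to be used
    incident_only: bool          # 3) circumstances: only against a declared incident
    authorised_roles: Set[str]   # 4) who is authorised to access them
    protection: str              # 5) handling required for any copy taken
    retention_days: int          # 6) secure deletion this long after incident closure


@dataclass(frozen=True)
class AccessRequest:
    system: str
    source: str
    purpose: str
    role: str
    incident_id: Optional[str] = None


def check_request(req: AccessRequest, arrangements: Dict[str, LogAccessArrangement],
                  open_incidents: Set[str]) -> List[str]:
    """Return the reasons the request fails the arrangement; an empty list means allowed."""
    arr = arrangements.get(req.system)
    if arr is None:
        return [f"no arrangement recorded for system {req.system!r}"]
    reasons = []
    if req.source not in arr.sources:
        reasons.append(f"source {req.source!r} is not an accessible log on {req.system}")
    if req.purpose not in arr.purposes:
        reasons.append(f"purpose {req.purpose!r} is not a permitted use")
    if req.role not in arr.authorised_roles:
        reasons.append(f"role {req.role!r} is not authorised for {req.system}")
    if arr.incident_only and req.incident_id not in open_incidents:
        reasons.append("access only permitted against an open, declared incident")
    return reasons


def deletion_due(arr: LogAccessArrangement, incident_closed: date) -> date:
    """6): date by which copies taken under the arrangement must be securely deleted."""
    return incident_closed + timedelta(days=arr.retention_days)


# Constructed sample arrangement for a fictitious press-line historian server.
SAMPLE_ARRANGEMENTS = {
    "press-line-1-historian": LogAccessArrangement(
        system="press-line-1-historian",
        sources={"plc-event-log", "hmi-audit-log"},
        purposes={"incident-investigation", "root-cause-analysis"},
        incident_only=True,
        authorised_roles={"ot-incident-responder", "forensic-analyst"},
        protection="copy to encrypted evidence store; hash each file on capture",
        retention_days=90,
    )
}
```

Keeping the arrangement as a frozen record per system mirrors the plan itself: the SIMP states the arrangement once, the check is applied on every request, and the list of reasons is what gets written to the incident record when access is refused.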

7.4.2 The SCSMP shall address the through-life security management of suppliers (i.e. professional advisers, contractors, service providers and OEMs) including:
a) the processes and procedures based on the requirements set out in Clause 8 for:
1) mapping of the organization’s supply chain to the level of individual contracts;
2) security risk profiling each contract to assess the potential level of risk; and
3) identification of the baseline security measures expected for a supplier with a given security risk profile;
NOTE The organization’s baseline security measures for suppliers with differing security risk profiles should be specified at a high-level in the organization’s security strategy and specified in detail in its SMP. The approach set out in Annex A of DEF STAN 05-138 [18] might inform the organization’s development of their own measures.
b) the pre-contract due diligence/accreditation/assurance requirements regarding the security culture and security management strategy of suppliers and potential suppliers;
c) the security requirements that are to be addressed in suppliers’ contracts;
NOTE 1 Legal advice should be sought regarding the wording used to address the security requirements in suppliers’ contracts.
NOTE 2 For example:
1) adoption of appropriate and proportionate measures to mitigate risk; and
2) the provision, where relevant, of risk management information regarding the supplier’s products, systems or services.
d) the audit and compliance monitoring arrangements, including handling of security incidents;
e) contract exit and termination arrangements;
f) guidance on the use of Data and Information Sharing Agreements (DISA) (see 11.7) relating to the exchange or supply of data and/or information:
1) relating to manufacturing-related assets, manufacturing processes and intellectual property;
2) individual manufactured products and/or systems, and any related services; and
3) the organization’s structure, business plans and personnel;
NOTE The use of DISAs is applicable to suppliers, potential suppliers and other third-parties in respect of both information supplied and received by the organization.
g) requirements for additional or further security awareness training and the right to audit to confirm that the training is being delivered; and
h) identification of high-risk roles or positions.

7.5 Organization’s security program

7.5.1 To facilitate a consistent organization-wide approach to security, the organization’s board-level management shall establish and maintain a security program that:
a) is aligned to the security strategy (see 5.1);
b) supports the SMP (see 7.2);
c) develops and periodically reviews the organization’s security objectives;
d) plans and implements the steps to achieve these objectives;
e) monitors the implementation of the plan and fulfilment of the objectives;
f) assigns and manages ownership of the objectives and any implementation plans to achieve them; and
g) monitors the threat landscape.

7.6 Organization’s security culture

7.6.1 The organization’s board-level management shall embed a security culture within its personnel and suppliers in accordance with 7.6.2 to 7.6.6.

7.6.2 The organization’s board-level management shall provide general security awareness training to all personnel, which as a minimum addresses the following topics:
a) cyber hygiene;
b) protection of data and information, including policies, processes and procedures related to sharing with third-parties or publication of data and/or information about manufacturing-related systems; and
c) the organization’s policies, processes and procedures regarding the security of its ICT equipment and systems and the OT.

7.6.3 The organization’s board-level management shall identify roles with a high security risk profile in the lifecycle of its manufacturing-related processes and systems, and any additional security measures and training that might be required by personnel occupying these roles.
NOTE This relates to the manufacturing of the organization’s products and/or systems. Any ongoing services related to the products and/or systems are addressed in 7.6.4.
24 © The British Standards Institution 2018


PAS 1085:2018

7.6.4 Where applicable, the organization’s board-level management shall identify roles with a high security risk profile in the lifecycle of its manufactured products and/or systems, and any related services, and any additional security measures and training that might be required by personnel occupying these roles.
NOTE The applicability of 7.6.4 should be determined by the nature of the manufactured items and their use. For example, where the organization is providing a service related to one of its products or systems and that service stores or processes sensitive information, such as personally identifiable information, the system administrators would be high-risk roles as they have access to personal data.

7.6.5 The organization’s board-level management shall ensure that personnel occupying high-risk roles, as identified in 7.6.3 and 7.6.4, are:
a) aware of their security responsibilities;
b) provided with access to, and trained in the use of, the Security Operating Procedures (SyOpPs) required to fulfil their role and responsibilities;
NOTE The use of SyOpPs can help to define the security context and facilitate the security training and awareness of personnel in high-risk roles.
c) accountable for their security-related behaviour; and
d) in receipt of any additional briefing or training so that they can fulfil their role in a security-minded manner.

7.6.6 The organization’s board-level management shall establish, document and operate policies, processes and procedures such that all new designs are conceived and implemented using a product and/or service lifecycle that is secure-by-default.


8 Assessing security of the supply chain

8.1 Treatment of supply chain security risks

The organization’s board-level management shall treat supply chain security risks as being an extension of existing arrangements to mitigate security risks within the organization itself.

8.2 Understanding organization’s supply chain

8.2.1 The organization’s board-level management shall research, document, demonstrate and maintain an understanding of its supply chain taking into account its own position within the multi-tiered value chain that exists between raw materials or ingredients and the delivery to an end user or customer of manufactured products and/or systems, and any related services.
NOTE Most supply chains are multi-tiered in nature where a manufacturer has an upstream element (suppliers providing raw materials, products, systems or services to support its business and manufacturing operations) and downstream element (the demand for the organization’s manufactured products or systems and any related services from its customers).

8.2.2 When undertaking the analysis specified in 8.2, the organization’s board-level management shall as a minimum cover its existing suppliers of, and when undertaking new procurements, the potential suppliers of:
a) security or security-related systems and/or security services;
b) ICT equipment and systems, and related services that process, or might in future process, sensitive data and/or information;
c) manufacturing and manufacturing-related systems that currently, or might in future, process sensitive information and/or are used in the production of sensitive components, products and/or systems, or the delivery of any related services;
d) raw materials or ingredients, physical products (e.g. components, sub-assemblies, systems and equipment) and digital products/artefacts; and
e) professional, business and support services used by the organization.

8.2.3 The organization’s board-level management shall adopt an appropriate and proportionate approach to the mapping of its supply chains taking into account the nature of the materials or services being supplied and their criticality to the security of the:
a) organization and its operations; and
b) organization’s products and/or systems and any related services.

8.2.4 Depending on the nature of each upstream contract, i.e. the supply to the organization, it might be necessary to obtain information from the supplier, or potential supplier, to allow decomposition and security risk assessment of the supplier’s own inputs into the contracts, including organizations that support the supplier’s operations.
NOTE For example, if the organization is supplying sensitive data and/or information to a supplier who is processing it in a cloud-based software-as-a-service (SaaS), the organization should consider applying the NCSC’s Guidance on Cloud Security [19] to assess the level of risk this processing might pose in respect of the sensitive data and/or information. This assessment requires information about the SaaS provider’s technology, hosting and security arrangements.

8.2.5 The organization’s approach to supplier security risk assessment shall as a minimum apply the security triage process outlined in Figure 9 to identify whether there is a need for further risk assessment of each current supplier and any prospective suppliers.
NOTE The objective of this triage process is to identify suppliers that might create vulnerabilities that affect the organization, its manufacturing operations and its products and/or systems and any related services.


Figure 9 – Supplier security triage process

8.2.6 If the outcome of the security triage process in 8.2.5 is a requirement for further risk assessment of the supplier or prospective supplier, the organization’s board-level management shall:
a) apply the risk management approach outlined in accordance with Clause 6 to any affected assets;
b) record the outcome of the assessment(s) in the asset-based risk register; and
c) apply any controls or countermeasures required to reduce the risk to an acceptable level.
NOTE 1 When assessing the supplier-related risks the organization should take account of:
a) the nature of any sensitive data and/or information provided or processed by the supplier and the impact to the organization and its stakeholders if it were compromised;
b) whether the fact that a supplier has a relationship with the organization might increase the risk of the supplier being targeted by an adversary so as to obtain information about the organization, its products and/or systems and any related services, or about its customers;
c) the impact to the organization and its customers if the availability, integrity, provenance or quality of sensitive raw materials or ingredients, physical products (e.g. components, sub-assemblies, systems and equipment) and digital products/artefacts were compromised either accidentally or deliberately;
d) whether the supplier has administrative or similar privileged access to the organization’s enterprise ICT or manufacturing systems, either on-site, remotely or as part of a hosted or cloud-based service;
e) whether the supplier has unsupervised physical access to the organization’s site(s), premises, enterprise ICT or manufacturing systems; and
f) whether the supplier has electronic access to systems when on-site or working remotely, and the nature of such access.
NOTE 2 The security measures should encompass personnel, physical, process and technological aspects, the details of which should be informed by the level of the risk profile and the specifics of the risks that are being mitigated.
NOTE 3 The UK Ministry of Defence operates a supplier risk assessment process, where the cyber security requirements for various risk profiles are set out in Annex A of DEF STAN 05-138 [18]. The approach set out in this Annex might inform the organization’s development of its own supplier security requirements.

8.3 Reviewing supply chain security risks

The organization’s board-level management shall periodically review the supplier security risks in light of changes in:
a) the overall threat landscape;
b) its suppliers;
c) its operations, including its manufacturing systems; and
d) its manufactured products and/or systems, and any related services.
NOTE The frequency of the periodic review should be determined by how rapidly the items listed in 8.3a) to d) are changing. For example, a dynamic threat landscape, and/or frequent changes of suppliers and/or addition of new suppliers, and/or changes to operation and/or manufactured items would require more frequent reviews. The organization’s board-level management should consider the frequency of such changes when setting the periodicity of reviews.


9 Working with suppliers and customers

9.1 Working outside formal contracts

The organization’s board-level management shall take a security-minded approach when working outside formal contracts (for example, in pre-contract dealings with a potential supplier or customer) in relation to the access given to data and information relating to the organization, its manufacturing operations and its manufactured products, and/or systems and any related services.

9.2 Bidding to supply products and/or systems and any related service

9.2.1 The organization’s board-level management shall apply a security-minded approach in responding to pre-qualification processes, requests for quotations or tenders so as to protect sensitive information and prevent disclosure of information that might be used to infer sensitive information.

9.2.2 Where a procurement process requires submission of sensitive information, the organization’s board-level management shall consider the risks associated with disclosing such information and formally evaluate and record this risk assessment.

9.2.3 Depending on the potential impact of the risk on the organization, its existing customer base and the products and/or systems and any related services, the organization’s board-level management shall determine what controls or countermeasures are required to manage the risks identified in 9.2.2.
NOTE Measures can include requiring the third-party to enter into binding non-disclosure or confidentiality undertakings, limiting access to specific intellectual property, requiring the return or certified destruction of material, data and/or information supplied, etc.

9.3 Procurement

9.3.1 When tendering or re-tendering contracts and the tender process requires sharing or disclosure of sensitive data and/or information, the organization’s board-level management shall require that the sensitive data and/or information is separated and suitably protected while ensuring sufficient data and/or information is available to facilitate the transaction.
NOTE 1 This separation and protection exercise might include: redaction or removal of space, room, product or system labels; removal of information regarding sensitive features, uses of protective measures; and provision of aggregated data rather than providing access to detailed information.
NOTE 2 The organization should ensure that tender agreements include appropriate confidentiality and security requirements that cover all parties, including sub-contractors and suppliers of a bidding supplier, associated in the preparation of a tender.

9.3.2 The requirements in 9.3.1 shall apply when tendering or re-tendering contracts relating to the procurement of:
a) advisory, business support, or consultancy services;
b) raw materials, ingredients, consumables, components, digital artefacts, and any equipment, systems or software used in manufacturing and logistics processes;
NOTE The systems used in manufacturing and logistics processes generally involve the use of OT, for example the cyber elements in cyber-physical systems. Particular care should be taken with regards to OT and any equipment that provides connectivity between the OT and the organization’s enterprise ICT systems and any remote systems, such as those used for monitoring of plant and machinery by suppliers.
c) the organization’s ICT equipment and systems used for the management of its operations, including any cloud-based applications and/or storage;
d) facilities management (FM); or
e) maintenance/management.

9.3.3 Where the tender documentation contains sensitive information relating to the use of a manufacturing or business asset, or high-level information about the level of protection the asset requires, the organization’s board-level management shall require them to be subject to appropriate security measures. These measures shall be sufficient to:
a) limit access to this information to identified key roles;
b) exclude this information from any published tender documentation;


c) exclude detailed requirements for any such physical asset security provisions from the tender documentation to be used by general contractors; and
d) enable general contractors to provide the correct infrastructure (for example, conduit and cable trays, etc.), for the installation of sensitive assets or systems by specialist security-cleared contractors.
NOTE For example, an organization might be planning to extend an existing manufacturing facility that produces sensitive items or uses sensitive proprietary processes as part of the manufacturing process. In this situation the organization might wish to protect information about the items or processes from contractors involved in the construction of the new facility by limiting the detail provided for the execution of the relevant construction tasks and applying appropriate security measures, including but not limited to those listed in 9.3.3.

9.3.4 The organization’s board-level management shall require that, as part of the supplier selection process, all tender documentation is assessed to establish how the prospective supplier(s) intend to meet any security requirements specified by the organization.

9.3.5 The organization’s board-level management shall require an assessment of the security understanding, capability, competence and experience of the potential suppliers bidding for a contract, as well as the prospective supplier(s)’ need for any security training, coaching and support.

9.4 Unsuccessful bidders

The organization’s board-level management shall require that all relevant data and/or information is returned or destroyed. Where appropriate, the organization’s board-level management shall require the unsuccessful bidder(s) to verify that defined procedures have been completed.

9.5 Contractual measures

NOTE Legal advice should be sought regarding the wording used to address the security requirements in suppliers’ contracts.

9.5.1 The organization’s board-level management shall manage its supply chain security risks by having in place contractual provisions which support the security policies, processes and procedures contained within the SCSMP (see 7.4).
NOTE 1 The contractual terms should address the security requirements in a holistic manner by addressing people, process, physical and technological matters. These terms might include measures such as providing a document setting out the security aspects of the contract (e.g. a ‘security aspects letter’), requiring the contractor to work in accordance with a security management plan supplied by the organization, or requiring the supplier to develop a security management plan for approval by the organization.
NOTE 2 Contractual provisions should be supported by the organization’s ability to review the effectiveness of the supplier’s security systems on a periodic basis. Organizations with a greater security sensitivity should have developed standards and self-assessment systems which enable a supplier’s capability and practice to be assessed on a regular basis.

9.5.2 Where appropriate, the provisions shall include the flow down of contractual obligations from the primary suppliers (including professional advisors and contractors), who are in direct contract with the organization, through any layers of sub-contracts.
NOTE It is not an acceptable security practice, at any level in the contract hierarchy, for the contracting party to pass, or to try to pass, all security responsibility to its sub-contractors or suppliers.

9.5.3 The organization’s board-level management shall, where appropriate and proportionate, require insertion of a clause within the contractual documentation to enable adjustments in response to changes in the political, legislation or regulatory environment to be implemented, where these obligations extend throughout the lifecycle of the organization’s products and/or systems, and any related services.
NOTE 1 The need for this contractual provision depends on the nature of the item, system or service covered by the contract. For example, if the contract relates to the processing of sensitive data and/or information there might be a need for the contract to accommodate legislative and/or regulatory changes.
NOTE 2 The organization should be aware of the potential cost implications of any such changes.


9.5.4 Where compliance with specific security standards is required (e.g. the provision of physical and technological protection for ICT and OT equipment and systems to a defined standard, the implementation of appropriate security regimes, etc.), these shall be clearly identified in the contract along with any expected independent, third-party inspection or verification.

9.5.5 The organization’s board-level management shall impose, through its contractual arrangements, a general obligation on all individuals relating to acceptable use of models, data and information provided by the organization.

9.5.6 To handle security incidents caused by a supplier (including professional advisors and contractors) there shall be clear contractual provision for the reporting of the incident to the organization, and for provision of assistance by the supplier in the investigation and follow-up actions.

9.5.7 The contractual measures shall include provisions that allow the organization to review security measures and compliance with the relevant security policies, processes and procedures at any level in the contract chain.
NOTE Depending on the sensitivity of the asset, products, services and/or related services, and the potential security threats, there might be a need for systems and personnel used by the suppliers (including professional advisors and contractors) to satisfy specific security requirements.

9.5.8 The organization’s board-level management shall require monitoring and enforcement of all security-related contractual provisions relating to its suppliers (including professional advisors and contractors) in order that they adopt an acceptable security-minded approach to the fulfilment of their contractual obligations.
NOTE A balance should be struck between formal verification involving supplier audits and an honour/trust-based system of verification. Those suppliers handling sensitive information, or with access to sensitive parts of the organization’s premises, sites or systems, should be subject to greater scrutiny than those involved in less sensitive roles. As part of this balance the organization might consider it appropriate to advise suppliers that making false claims or statements about their security capability and/or adherence to required security controls can be treated as fraud.

9.5.9 The organization’s board-level management shall require that the contracts specify the secure processing and storage of, secure access to, and ultimately secure disposal of, all sensitive information shared with or provided by the supplier, and that such data and information is retained for no longer than the period required to comply with legal or other regulatory requirements, together with any specific warranty requirements of the organization, whichever is longer.
NOTE Guidance on secure disposal of digital and physical assets can be found on the NCSC 5) and CPNI 6) websites.

9.6 End of contract

9.6.1 On completion or termination of a contract, where some or all data and/or information is sensitive or there is a general contractual provision for all data and/or information to be disposed of securely, the organization’s board-level management shall require that all relevant data and/or information is returned, destroyed or stored securely in accordance with contractual requirements. Where appropriate, the organization’s board-level management shall require the supplier to verify that defined procedures have been completed.
NOTE In some industrial sectors or specific situations there might be a requirement that some data and/or information be retained for a specified period to comply with legal, regulatory or insurance requirements. The data and/or information can be held in digital or hard copy formats. In such circumstances the data and/or information should be appropriately stored and protected so as to prevent unauthorized access, to maintain availability, utility, integrity and authenticity. Where the data and/or information is held in digital format, consideration should be given as to how it is accessed, if required, during the required retention period, particularly if stored in a proprietary format and such access requires use of specific software.

9.6.2 The organization’s board-level management shall require decommissioning and demobilization processes to be put in place to maintain the security of sensitive data and/or information.

5) For information from NCSC on destruction and disposal, see: www.ncsc.gov.uk/topics/destruction-and-disposal [20].
6) For information from CPNI on secure destruction of sensitive items, see: www.cpni.gov.uk/system/files/documents/c5/e1/2017_01_20_CPNI_Secure_Destruction_Standard.pdf [21].


10 Security of a manufactured item

10.1 The organization’s board-level management shall consider the security risks across the lifecycle of its products and/or systems, and any related services.
NOTE 1 From the organization’s perspective, the lifecycle depends on the organization’s role, i.e. whether it is responsible for the specification, design, manufacture, assembly and delivery of the products and/or systems, and any related services or whether it is only responsible for manufacture, assembly and delivery and/or operation.
NOTE 2 Where the organization is assembling and/or configuring a product or system that includes components, sub-assemblies and digital artefacts (for example, software, data and/or information) that is sourced from its supply chain, it should consider and manage the risks arising from its suppliers.

10.2 The organization’s board-level management shall document, and inform customers and/or end users of, the security risks that might arise in respect of their products and/or systems, and any related services, in the event of:
a) the sale or transfer of ownership of a product or system;
b) relocation of the product or system at the end of a hire period or lease;
c) changes in delivery or termination of any related service; or
d) relocation of a product or system at the end of a hire period or lease.
NOTE Immediately prior to any of the events listed in 10.2a) to d) occurring, the customer or end user should be able to permanently delete any data and/or information stored in a product, system or associated service, that allows or might allow inferences to be drawn about the use of the asset, its location or users.

10.3 Where the organization’s products and/or systems, and any related services are being procured by a third-party who incorporates them in a larger product and/or system, and any related services, the organization’s board-level management shall ensure that the organization works with its customer and/or end user to mitigate any security risks arising from the use of the goods or services it supplies.

10.4 Where the organization’s products and/or systems, and any related services are supplied, either directly or via a sales channel, to an end user, or class of end users, the organization’s board-level management shall provide appropriate and proportionate support to the end user to mitigate any security risks arising from their use of the products and/or systems, and any related services.

10.5 Where the organization is responsible for the design of the manufactured products and/or systems, and any related services, to the extent that is practicable, the organization’s board-level management shall ensure that the design is secure-by-default.

10.6 Where the organization is only responsible for the manufacture of a product or system, or the support of any related services, and it becomes aware of a security vulnerability in the design, the organization’s board-level management shall require that the relevant design authority is informed of the vulnerability in a timely and security-minded manner.


11 Data and information management

11.1 Data and information security

11.1.1 The organization’s board-level management shall develop, record, implement and manage appropriate and proportionate policies, processes and procedures relating to security-minded data and information management which are based on an understanding of the security implications associated with the loss, compromise, unauthorized manipulation or change of data and/or information, as set out in Clause 4.
NOTE Principle 7 of the ICO’s Data sharing code of practice [12] provides information on fulfilling the requirements of the DPA in respect of personal data.

11.1.2 The policies, processes and procedures set out in 11.1.1 shall address the security risks (identified in accordance with the process in Clause 6) associated with the potential impact of:
a) the loss or disclosure of intellectual property and/or commercially sensitive data and/or information;
b) the loss or disclosure of personal data;
c) the corruption of, or loss of access or unauthorized changes to, metadata; and
d) the corruption of, or loss of access or unauthorized changes to, referential master data.

11.1.3 The policies, processes and procedures set out in 11.1.1 shall also include:
a) the security features required for the organization’s data and information architecture (see 11.2);
b) the security-minded approach to managing data and information to ensure its accuracy and authenticity and preserve its long-term utility (see 11.3); and
c) the security-minded approach to be implemented in relation to data and information that could be used to cause harm to assets, services and/or individuals in respect of:
1) data and/or information sharing (see 11.5); and
2) publication of data and/or information.

11.1.3 The policies, processes and procedures set out in 11.1.1 shall be applicable across the generic data and information lifecycle, shown in Figure 10, and which comprises:
a) capture – the activity associated with the creation and initial storage of a data value or piece of information, including its metadata;
b) maintenance – the activities that serve to deliver the data and/or information ready for synthesis or usage in a form and manner that is appropriate for these purposes and include: validation and verification; cleansing; reformatting; enrichment; movement; integration from multiple systems; and updating of published data and/or information;
c) synthesis – the creation of derived data and/or information through the use of inductive logic using other data and/or information as inputs;
NOTE For example, use of expert opinion or judgement or automatic decision making to create the additional data and/or information.
d) usage – the application of data and/or information to activities, functions or tasks;
e) archival – the replication or placement of data and/or information in an archive where it is stored but where no maintenance, usage or publication occurs;
f) publication – the process of making the data and/or information available outside the organization; and
g) purging – the removal of every known copy of an individual data item or piece of information from an organization.
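The publication step of the lifecycle (11.1.3 f) is where data leaves the organization, and 11.2.4 NOTE 1 names the technical safeguards for it: rule checks on outbound attachments and uploads, multi-step authorization of a release, and an independent checking step before disclosure. The following Python release gate is an added example written for this edition, not text or code from PAS 1085 or BSI. The classification markers, the PN-nnnnnn part-number pattern, the role names and the set of counterparties with a sharing agreement are constructed assumptions standing in for the organization's own classification scheme and DISA register.

```python
"""Outbound data-release gate (added example, not part of PAS 1085).

Models three safeguards for the publication step: a content rule check on the
outgoing attachment, two-person authorization, and an independent check that
must be carried out by someone other than the requester or the data owner.
"""
import re
from dataclasses import dataclass, field

# Constructed classification markers and identifier pattern; a real deployment
# takes these from the organization's own classification scheme and asset register.
SENSITIVE_MARKERS = ("INTERNAL ONLY", "COMMERCIAL IN CONFIDENCE")
PART_NUMBER = re.compile(r"\bPN-\d{6}\b")  # hypothetical internal part-number scheme

# Approval steps a sensitive release needs (assumed role names).
REQUIRED_ROLES = {"data_owner", "independent_checker"}


@dataclass
class ReleaseRequest:
    requester: str
    recipient_domain: str
    attachment_text: str
    approvals: list = field(default_factory=list)  # list of (approver, role)


@dataclass
class Decision:
    allowed: bool
    reasons: list


def classify(text):
    """DLP-style rule check: return the markers and identifiers found in the text."""
    hits = [m for m in SENSITIVE_MARKERS if m in text.upper()]
    hits.extend(sorted(set(PART_NUMBER.findall(text))))
    return hits


def approve(req, approver, role):
    """Record one approval step; the requester can never approve their own release."""
    if approver == req.requester:
        raise ValueError("requester cannot approve their own release")
    req.approvals.append((approver, role))


def evaluate(req, agreed_counterparties):
    """Decide whether the release may proceed and explain why.

    agreed_counterparties: recipient domains with which a Data and Information
    Sharing Agreement is in place (constructed set).
    """
    findings = classify(req.attachment_text)
    if not findings:
        return Decision(True, ["no sensitive content detected; no approval required"])
    reasons = [f"sensitive content detected: {findings}"]
    if req.recipient_domain not in agreed_counterparties:
        reasons.append(f"no sharing agreement with {req.recipient_domain}")
        return Decision(False, reasons)
    missing = REQUIRED_ROLES - {role for _, role in req.approvals}
    if missing:
        reasons.append(f"missing approval step(s): {sorted(missing)}")
        return Decision(False, reasons)
    # The independent check is only independent if a different person performs it.
    people = {approver for approver, _ in req.approvals}
    if len(people) < len(REQUIRED_ROLES):
        reasons.append("approval steps must be carried out by different people")
        return Decision(False, reasons)
    reasons.append("released: two-person authorization and independent check complete")
    return Decision(True, reasons)


if __name__ == "__main__":
    # Constructed walk-through of one release to a supplier with a DISA in place.
    req = ReleaseRequest("alice", "supplier.example",
                         "Drawing for PN-123456. INTERNAL ONLY - do not forward.")
    print(evaluate(req, {"supplier.example"}))  # blocked: no approvals yet
    approve(req, "bob", "data_owner")
    approve(req, "carol", "independent_checker")
    print(evaluate(req, {"supplier.example"}))  # allowed
```

Every refusal carries its reasons so the decision can be logged and reviewed, which is what makes the gate auditable against the policies in 11.1.1 rather than a silent block.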


Figure 10 – Generic data and information lifecycle

11.1.4 The policies, processes and procedures related to purging data and/or information shall include measures for the identification and secure removal of any potential unofficial copies of the data and/or information or versions, including those that have been shared with external parties.

11.1.5 The policies, processes and procedures set out in 11.1.1 shall be embedded within the non-security-related activities of the organization.

11.2 The organization’s data and information architecture

11.2.1 The organization’s board-level management shall ensure that any service using data and/or information that identifies individuals or groups:
a) is designed, built and operated using the NCSC guidance on digital service security [NR1]; and
b) is subject to regular vulnerability assessment and penetration testing, determined by the processes used for maintaining situational awareness.
NOTE 1 Individuals and other organizations should be able to trust the manufacturing organization to protect their privacy and identity if trust in any services delivered by the manufacturing organization is to be maintained.
NOTE 2 The frequency of vulnerability assessment and penetration testing can be determined by considering the nature of the system, its criticality to the smooth and safe operation of the organization and the sensitivity of the data and/or information it contains or processes. It is prudent for the frequency of the penetration testing to be at least annually and more frequently if the system is subject to changes or software upgrades.
NOTE 3 Processes used for maintaining situational awareness include monitoring of security alerts, software patches, etc.
NOTE 4 Particular attention should be paid to known technical vulnerabilities including, for example, the OWASP top 10 web application vulnerabilities.7)

11.2.2 The organization’s board-level management shall identify and undertake an audit of the existing channels that are used in support of its products and/or systems to provide data and/or information.
NOTE Examples of such channels include websites, smartphone applications, SMS, telephone and face-to-face.

7) See: www.owasp.org [16].
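11.1.4 requires the purging measures to reach unofficial copies and versions, which first have to be found. The following Python script is an added example, not text or code from PAS 1085 or BSI: it locates exact copies of a controlled document by SHA-256 and likely edited versions by word-level similarity (the 0.8 cut-off is an assumption), then overwrites and removes them. The sample directory tree it builds is constructed for the demonstration.

```python
"""Locating and purging unofficial copies of a sensitive document
(added example, not part of PAS 1085)."""
import difflib
import hashlib
import os
import tempfile


def sha256_file(path):
    """Content hash, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def word_tokens(path):
    """Lower-cased word list, so whitespace and case changes do not hide a copy."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return f.read().lower().split()


def find_copies(root, official_path, threshold=0.8):
    """Walk `root` and report exact copies and likely versions of the official document.

    Exact copies share its SHA-256; versions are files whose word sequence is at
    least `threshold` similar (assumed cut-off). autojunk is disabled because the
    default heuristic discards frequent tokens and under-reports longer documents.
    """
    official_hash = sha256_file(official_path)
    official_words = word_tokens(official_path)
    exact, versions = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.samefile(path, official_path):
                continue  # the controlled copy itself is not purged
            if sha256_file(path) == official_hash:
                exact.append(path)
                continue
            ratio = difflib.SequenceMatcher(
                None, official_words, word_tokens(path), autojunk=False).ratio()
            if ratio >= threshold:
                versions.append((path, round(ratio, 2)))
    return {"exact": sorted(exact), "versions": sorted(versions)}


def purge(paths):
    """Overwrite each file with zeros, sync, then unlink.

    Overwriting is not a reliable sanitization method on SSDs, journaling or
    copy-on-write filesystems, backups or cloud storage; treat it as a first
    step and follow the NCSC and CPNI disposal guidance cited under 9.5.9.
    """
    for path in paths:
        size = os.path.getsize(path)
        with open(path, "r+b") as f:
            f.write(b"\0" * size)
            f.flush()
            os.fsync(f.fileno())
        os.remove(path)


def build_sample_tree():
    """Constructed sample: one official document, two exact copies (one renamed),
    one edited version and one unrelated file. Returns (root, official_path)."""
    root = tempfile.mkdtemp(prefix="purge-demo-")
    body = "Process specification: anneal at 820 C for 45 minutes, quench in oil. " * 5
    files = {
        "controlled/process-spec.txt": body,
        "shared/process-spec.txt": body,
        "shared/old/spec-backup.txt": body,
        "shared/spec-v2.txt": body.replace("45 minutes", "50 minutes"),
        "shared/agenda.txt": "Weekly meeting agenda: safety, orders, holidays.",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(text)
    return root, os.path.join(root, "controlled/process-spec.txt")


if __name__ == "__main__":
    root, official = build_sample_tree()
    report = find_copies(root, official)
    print(report)
    purge(report["exact"] + [p for p, _ in report["versions"]])
    print(find_copies(root, official))  # both lists now empty
```

Copies held by external parties do not appear in a filesystem walk; those come from the organization's record of what was shared and are handled through the return-or-destroy provisions in 9.4 and 9.6.1.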


11.2.3 The audit required in 11.2.2 shall:
a) collect information about the security measures employed by each channel to secure access to the organization’s data and/or information;
b) use the information collected in 11.2.3a) and a risk assessment based on the data and/or information being handled to establish whether the security of individual channels is consistent with best practice; and
c) where there is a shortfall in the security of a channel, put in place an action plan to either:
1) raise the security standard of the channel to an acceptable level; or
2) engineer out the current service through its replacement with a service providing secure connectivity between the organization’s digital assets and the service users’ digital devices.

11.2.4 Where appropriate, technical safeguards shall be included in the architecture to reduce the risk of inadvertent release of sensitive data and information.
NOTE 1 Safeguards might include:
a) the use of data loss prevention tools to monitor and enforce rules regarding email attachments and web uploads;
b) multi-step authorization of a release, similar to measures used in online banking to authorize new transactions; and
c) introduction of an independent checking step prior to the actual disclosure or release of the data and/or information.
NOTE 2 The technical safeguards included should be consistent with, and supported by, the policies, processes and procedures the organization has in place relating to people, physical, data and information and technological security.

11.3 Managing accuracy, authenticity and long-term utility of data and information

11.3.1 The organization’s board-level management shall take appropriate and proportionate measures to:
a) ensure the resilience of the data and information infrastructure and the availability of all of the organization’s data and information;
NOTE 1 Using the internet to share data and/or information does not provide any guarantee of its availability when it is required, or the timeliness of access. Performance of and access to internet-based systems can be affected by a range of technical and environmental factors outside of the control of the organization, for example:
1) degraded network performance due to high usage or system failures;
2) damage to network infrastructure, whether caused by human or natural causes, leading to loss of connectivity;
3) malware and denial of service attacks on network and server systems; and
4) failure of the platforms hosting the data and/or information, due to software or hardware faults, or human error.
NOTE 2 Where manufacturing systems are being designed and implemented that are reliant on remote processing of data and/or information, for example, use of cloud-based monitoring and/or control, consideration should be given to the impact of loss of availability or degraded performance of the remote processing.
b) maintain the quality of the organization’s data and information by ensuring that changing and emergent systems and data and information architecture are managed to:
1) ensure appropriate provenance for all data and information; and
NOTE This should include data streaming from IoT and other distributed technologies.
2) maintain the integrity of the data and information repositories across the lifecycle of individual data and information sets;
NOTE 1 It is good practice to ensure that an unmodified version of the shared data and information remains available in order to preserve its provenance.
NOTE 2 Loss of integrity of data and information or disputes about its authenticity could have significant financial and reputational impact on organizations. In these circumstances, inaccurate or incomplete records, or the inability to prove their authenticity, could impact on the outcome of warranty claims and any legal proceedings.
c) maintain the value and medium- to long-term usefulness of the organization’s data and information by:
1) maintaining the data and information;
2) monitoring and recording changes to:
i) the data and information capture, maintenance and usage; and
ii) the manufacturing environment, including processes, systems and sensors;
3) understanding and regularly assessing the effect of changes in the algorithms, logic or rules used in data synthesis.

NOTE 1 As organizations evolve, changes occur in the systems used to capture, store and process the organization’s data and information. If not monitored and assessed, the impact of these changes might lead to data and/or information being unusable, or to unpredictable outcomes due to changes in the fidelity, timeliness or encoding of data. For example, if a sensor is changed and replaced with a more sensitive one, this could create data artefacts when the output is compared to the outputs from other adjacent or related sensors, resulting in unnecessary time and effort being expended.
NOTE 2 The use of smart systems is still at a relatively immature stage. Where a system includes machine learning or artificial intelligence, the outcomes should be monitored to ensure that:
• the desired results are being consistently achieved;
• the level of false positive or negative results is acceptable;
• the algorithms are not being ‘gamed’ or influenced by those with malicious or criminal intent; and
• appropriate consideration has been given to digital ethics issues.
d) maintain the integrity and utility of assets when applying patches or updates to digital systems or sub-systems, including verifying the authenticity of the patches/updates and adopting appropriate and proportionate testing and verification processes and procedures.
NOTE Some suppliers are adopting fully automated patch/update mechanisms where the update or patch is pushed directly into operational systems. Organizations should consider the impact of failure of the automated approaches and, where necessary, the ability to roll back such updates to a known good state.

11.4 Technological security

11.4.1 The organization’s board-level management shall develop, record, implement and manage appropriate and proportionate policies, processes and procedures relating to technological aspects which shall include, as a minimum:
a) measures related to the cyber security of systems processing, storing and sharing the organization’s data and/or information, including the level of cyber security to be evidenced by supply chain organizations’ handling, processing or storing the organization’s data and/or information, taking into account its nature, volume and sensitivity from both security and privacy perspectives;
NOTE 1 A risk-based approach to the management of all systems storing, processing and sharing data and/or information should be taken.
NOTE 2 Depending on the nature and volume of data and information being handled, the organization’s board-level management might require evidence of the supplier or service provider’s implementation of Cyber Essentials8) or Cyber Essentials Plus,9) the 10 Steps to Cyber Security,10) or that the contractors and suppliers are appropriately BS ISO/IEC 27001 certified for all parts of the organization that have access to its data and/or information.
NOTE 3 Sensitive data and/or information about the organization’s physical assets (i.e. buildings, plant, machinery, etc.), services, and the processes relating to security of the organization and the items it manufactures should be regarded as controlled data and/or information, with access limited to those who need to know, in order to fulfil their official duties.
NOTE 4 Consideration should be given to the separation of sensitive data and/or information sets to reduce the risk of unauthorized access or disclosure, and to limit the impact in the event of a security breach or incident.
b) the security of interconnections and interactions between systems processing and storing the organization’s data and/or information;
c) the security around systems controlling physical assets within the organization, in particular its manufacturing assets;
d) interoperability of systems;
NOTE 1 Interoperability of systems can introduce risks associated with cascade effects leading to the failure of multiple services. Services should therefore be designed with the aim of reducing the risk of common mode failure by incorporating sufficient resilience.
NOTE 2 Common mode failure is the engineering term that refers to events which are not statistically independent. For example, failures in multiple

8) For Cyber Essentials, see: www.ncsc.gov.uk/scheme/cyber-essentials [22].
9) For the Cyber Essentials website, see: www.cyberessentials.ncsc.gov.uk/ [23].
10) For 10 Steps to Cyber Security, see: www.ncsc.gov.uk/guidance/10-steps-cyber-security [24].

parts of a system caused by a single fault, particularly random failures due to environmental conditions or the loss/degradation of inter-system connectivity.
e) configuration management and change control policies, processes and procedures for the systems that process the organization’s data and/or information;
NOTE Effective system, software and hardware configuration management is important for the efficient and effective operation of business continuity and disaster recovery plans, and for the rapid identification and assessment of potential security vulnerabilities.
f) the required level of software trustworthiness;
NOTE Software trustworthiness is based on the principles of safety, reliability, availability, resilience and security which, along with software trustworthiness levels and implementation framework, are described in PAS 754:2014.
g) demobilization of organizations who are leaving the organization’s supply chain, including the secure deletion and/or destruction of sensitive data and information held by those organizations, and/or removal of access to that data and information; and
NOTE Appropriate policies, processes and procedures are required to manage the technical security consequences of events such as changes in ownership of organizations, mergers, demergers and insolvencies.
h) policies regarding the retention of different types of data and/or information, so as to minimize the period for which it is retained and to require secure deletion, destruction and/or removal of access to it once the specified period(s) have elapsed.
NOTE There might be a variety of legitimate reasons why data has to be retained for significant periods, for example to comply with legal or other regulatory requirements, or for warranty and product liability purposes. However, the aim should be to avoid unnecessary retention, thus reducing the overall impact in the event of a security incident involving unauthorized access to sensitive data and/or information.

11.4.2 The organization’s systems and its manufactured products and/or systems, and any related services, shall be secure by default (i.e. full functionality is available without compromising security), addressing each of the aspects shown in Figure 11 and described as follows:
NOTE 1 An application or system is secure-by-default if it is configured so that the default configuration settings are the most secure settings possible. For example, the use of default usernames and passwords on IT equipment makes it vulnerable to hacking via the internet or to unauthorized access within an organization’s premises.
NOTE 2 An application that is secure-by-default should be configured so that the default settings prevent disclosure of user, product and/or system data and/or information or metadata without explicit customer/user consent, for example by not revealing information about the location of the user, product or system, its pattern-of-use, etc.
a) confidentiality – controlling, and preventing, unauthorized access to data and/or information which might be sensitive or breach privacy, in isolation or in aggregate;
NOTE The need for confidentiality applies to all sensitive data and information, irrespective of whether it is stored or processed in the manufacturer’s systems or its manufactured items. The degree of confidentiality required is determined by the sensitivity of the data and/or information, and the impact of its unauthorized disclosure or use.
b) availability (including reliability) – ensuring that the data, information, systems, and associated processes are consistently discoverable, accessible, usable and, where appropriate, disclosable in an appropriate and timely fashion;
NOTE 1 Achieving the required availability depends on the ability to maintain access to data, information or services in instances of systems failure and planned maintenance and upgrades. The relevant contract or service-level agreement might specify availability in terms of a percentage (e.g. 99.9999% per annum) with a specified maximum time for restoration of a normal service (e.g. 30 minutes). The two figures need to be chosen consistently: 99.9999% per annum permits only about 30 s of unavailability in a year, which cannot be reconciled with a 30 minute restoration time, whereas 99.99% per annum (about 53 minutes) can.
NOTE 2 The concept of data and information being accessible includes, where appropriate, discoverability (for example, through data or service catalogues) and disclosure (for example, in response to a request for information).
NOTE 3 Malware, particularly ransomware, has become an increasingly serious problem in complex enterprise environments. A ransomware incident does not generally involve loss of confidentiality, but does impact on data, information, service and system availability through loss of access, and results in loss of possession if the incident affects the ability to control a system or service. Recent examples of ransomware have led to disruption of the shipping

container handling by Maersk, costing the business an estimated $200 – 300m in lost business.11)
NOTE 4 Where wireless technologies are used for the transport of data and/or information there are potential availability, reliability and resilience issues due to the ease with which radio signals can be jammed or be subject to interference. This should be taken into account where services are critical to the safe and secure operation of the organization.
c) safety – products, systems and related processes are designed, implemented, operated and maintained so as to prevent the creation of harmful states which might lead to injury or loss of life, or unintentional environmental damage, or damage to assets;
NOTE 1 The safety of individuals, including the organization’s personnel, should be of paramount concern when developing and implementing manufacturing systems and processes and in the design, manufacture and operation of the organization’s products and/or systems and any related services.
NOTE 2 The organization should also consider the relationship between safety and security of its products and/or systems, as security vulnerabilities might create hazards affecting the user(s), environment or other assets.
d) resilience – the ability of data, information, products, systems and any related services to transform, renew and recover in a timely way in response to adverse events;
NOTE The increasing dependence on complex interactions between different organizational components, data and information sets, services and systems can significantly detract from the overall resilience of an organization. The organization should have rehearsed the handling of incidents and have workable plans to enable business continuity and disaster recovery based on fall-back service provision, which is either predominantly manual or less IT and data intensive.
e) possession – products, systems and any related processes or services are designed, implemented, operated and maintained so as to prevent unauthorized control, manipulation or interference, and to ensure that data and/or information are used only in accordance with the terms of the compliance and contractual rights and obligations;
NOTE 1 Loss of possession could arise from a physical incident of natural or human origin that affects a data centre or control room, preventing the system operators from managing the system or online service. It could also arise due to interference with the operation of the system(s) through software bugs or crashes, hacking (external or internal), malware or denial of service attacks.
NOTE 2 Loss of possession, whatever the cause, is especially critical for safety- and/or security-critical systems.
NOTE 3 Loss of possession can also cause economic and/or reputational damage to the data owner and data controller.
NOTE 4 Limiting the risk of inappropriate use of shared data and/or information is described in Clause 9.
f) authenticity – ensuring that the data and information input to, and output from, products, systems and any related processes or services, and the state of the products and/or systems and any related processes, services, data and/or information, are genuine;
NOTE Authenticity issues arise if it is not possible to establish that data and/or information is what it portrays itself to be, for example, that data originated from a specific device, from the particular location where that device is sited, and at a specific point in time. As such, authenticity is heavily dependent on the ability of the data and/or information source to assert its identity and for this to be reliably captured in any associated metadata.
g) utility – ensuring that data, information and systems remain usable and useful across the lifecycle of the data and/or information and any associated asset, individual or organization; and
NOTE 1 Changes to systems, including sensors and processing, asset configuration, referential master data, etc. should be tracked and managed through formal change control mechanisms to reduce the risk of divergence between the real, physical world and that which is captured in the data and/or information. For example, changes to a system’s sensors might introduce metrology artefacts such as changes in baseline readings, or increases in granularity, which make it more complex to compare readings taken before and after the change.

11) Interim report from Maersk CEO: http://investor.maersk.com/releasedetail.cfm?ReleaseID=1037421 [25].

NOTE 2 Where multiple versions of a specific data and/or information set are used within the organization, consideration should be given to the risks of holding multiple sets of versioned data and/or information, including the dependencies between the sets and those between the sets and their associated versioned metadata.
h) integrity – maintaining the completeness, accuracy, consistency, coherence and configuration of the data, information, products, systems and any related processes or services.
NOTE Examples of losses of integrity include out of tolerance sensors, gaps in data sets, timing errors (e.g. loss of synchronization between systems or incorrect system clocks), or configuration issues that prevent processing or result in incorrect attribution of data values to sensor locations. Loss of integrity might also occur as a result of malicious injection of data and/or information.

Figure 11 – Security goals for the organization’s data and information
[Figure not reproduced in this extraction; the goals shown are those listed in 11.4.2 a) to h).]

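The authenticity and integrity goals in 11.4.2 f) and h) can be checked mechanically at the point where telemetry enters the organization’s systems. The following is an added example, not part of PAS 1085 or of any vendor’s product: it assumes that each device shares a secret key with the collector and tags every record with HMAC-SHA256 (a stand-in for whatever device-identity mechanism is actually deployed, which might equally be a device certificate); the device names, keys, tolerances and records are constructed. It drops records whose tag does not verify (injected or altered data), refuses replays, and reports sequence gaps, clock faults and out-of-tolerance readings, which are the integrity failures listed in the NOTE to h).

```python
"""Authenticity and integrity checks on a stream of sensor records.

Added example for 11.4.2 f) and h); it is not from PAS 1085. It assumes
that each device shares a per-device secret with the collector and tags
every record with an HMAC-SHA256 over its canonical fields. The HMAC is a
stand-in for whatever device-identity mechanism is actually deployed; the
device names, keys, tolerances and records below are constructed.
"""
import hashlib
import hmac
import json

# Assumption: per-device keys provisioned out of band (constructed values).
DEVICE_KEYS = {
    "press-01": b"k-press-01-secret",
    "press-02": b"k-press-02-secret",
}
# Assumption: plausible operating range for the pressure sensors, in bar.
VALUE_RANGE = (0.0, 250.0)
# Assumption: tolerated skew between a device clock and the collector clock.
MAX_SKEW_S = 120


def canonical(device_id, seq, ts, value):
    """Fixed-order, unambiguous encoding of the fields covered by the tag."""
    return json.dumps([device_id, seq, ts, value], separators=(",", ":")).encode()


def tag_record(key, device_id, seq, ts, value):
    return hmac.new(key, canonical(device_id, seq, ts, value), hashlib.sha256).hexdigest()


def make_record(device_id, seq, ts, value, key=None):
    """Build a tagged record as the device would; `key` lets the sample
    stream include a record tagged with the wrong key (an injection)."""
    key = DEVICE_KEYS[device_id] if key is None else key
    return {"device_id": device_id, "seq": seq, "ts": ts, "value": value,
            "tag": tag_record(key, device_id, seq, ts, value)}


def verify_stream(records, collector_now):
    """Process records in arrival order.

    Returns (accepted, findings); a finding is (seq, device_id, reason).
    A record whose tag does not verify is dropped outright, since none of
    its other fields can be trusted; gaps, clock faults and out-of-range
    values are reported but the (genuine) record is still accepted.
    """
    accepted, findings = [], []
    last_seq, last_ts = {}, {}
    for r in records:
        dev = r.get("device_id")
        key = DEVICE_KEYS.get(dev)
        if key is None:
            findings.append((r.get("seq"), dev, "unknown device"))
            continue
        expected = tag_record(key, dev, r["seq"], r["ts"], r["value"])
        # constant-time comparison so the tag check itself leaks nothing
        if not hmac.compare_digest(expected, r.get("tag", "")):
            findings.append((r["seq"], dev, "bad tag: not from claimed device or altered"))
            continue
        prev = last_seq.get(dev)
        if prev is not None and r["seq"] <= prev:
            findings.append((r["seq"], dev, "replayed or out-of-order record"))
            continue
        if prev is not None and r["seq"] != prev + 1:
            findings.append((r["seq"], dev, f"gap: {r['seq'] - prev - 1} record(s) missing"))
        if abs(r["ts"] - collector_now) > MAX_SKEW_S:
            findings.append((r["seq"], dev, "timestamp outside tolerated clock skew"))
        elif dev in last_ts and r["ts"] < last_ts[dev]:
            findings.append((r["seq"], dev, "timestamp went backwards"))
        lo, hi = VALUE_RANGE
        if not lo <= r["value"] <= hi:
            findings.append((r["seq"], dev, "value out of sensor tolerance"))
        last_seq[dev], last_ts[dev] = r["seq"], r["ts"]
        accepted.append(r)
    return accepted, findings


# Constructed sample stream: genuine records, a missing record, an injected
# record tagged with the wrong key, a replay, a clock fault and an
# out-of-tolerance reading.
NOW = 1_700_000_000
SAMPLE = [
    make_record("press-01", 1, NOW - 30, 101.5),
    make_record("press-01", 2, NOW - 20, 102.0),
    make_record("press-01", 4, NOW - 10, 101.8),                      # seq 3 missing
    make_record("press-01", 5, NOW - 5, 999.0, key=b"attacker-key"),  # injected
    make_record("press-01", 2, NOW - 20, 102.0),                      # replay of seq 2
    make_record("press-02", 1, NOW + 3600, 88.1),                     # clock 1 h ahead
    make_record("press-02", 2, NOW - 1, 300.0),                       # out of tolerance
]

if __name__ == "__main__":
    ok, issues = verify_stream(SAMPLE, NOW)
    print(f"accepted {len(ok)} of {len(SAMPLE)} records")
    for issue in issues:
        print("finding:", issue)
```

The injected record is rejected before its value is ever looked at, which is the point of checking authenticity first: an attacker who can forge records can also make them look plausible. Sequence numbers rather than timestamps are used for replay and gap detection because the device clock is itself one of the things being checked.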
11.4.3 When considering the reuse of existing technology and digital assets, the organization’s board-level management shall seek appropriate professional advice about the ability of the systems and software to deliver the level of cyber security required.
NOTE 1 Where an operating system or application is close to, or has passed, the end of its support life, or there is a significant shortfall in the installation of software patches, it is likely to have a number of significant security vulnerabilities that could result in a security breach or incident.
NOTE 2 Depending on the nature of the advice required and the technology or digital assets involved, sources of security advice might include the organization’s own internal security personnel, specialist security consultants and government security advisers (e.g. CPNI and NCSC).

11.4.4 Prior to the implementation of any product, system or service based on IoT or other distributed technologies, the organization’s board-level management shall:
a) commission the production of a detailed security architecture for the proposed implementation;
b) determine the extent to which the architecture meets the security requirements of the organization and its stakeholders, taking into account personnel, physical and technological aspects; and
c) assess any security risks against the collective risk appetite of the organization and the benefits which it is anticipated can be gained.
NOTE The requirements set out in 11.4.4 apply to both the organization’s systems and to its manufactured products and/or systems, and any related services.

11.5 Managed sharing of data and information

11.5.1 Prior to the sharing and/or publication of a new, or modified, data and/or information set about the organization, its assets, and its manufactured products or systems, and any related services, the organization’s board-level management shall require the application of the data and information security triage process shown in Figure 12 to identify the need for a security-minded approach to be applied.
NOTE A modified data set is one where the scope of the data has changed significantly or additional data elements (fields rather than records) are included.

11.5.2 In order to identify whether there are any personal data in the data set that the triage process is being applied to, the personal data test shown in Figure 13 shall be applied.
NOTE 1 Figure 13 is based on the ICO’s guidance on ‘Determining what is personal data’ [26] which contains an explanation of the individual questions and a number of examples.
NOTE 2 The implementation of GDPR [2] could impact the approach outlined. Some overarching guidance is available in the ICO guidance document ‘Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now’ [27].

Figure 12 – Data and information security triage process

Figure 13 – Personally identifiable information test

11.6 Security, privacy impact and/or data and information aggregation assessment

11.6.1 Where identified as being required by the data and information security triage process, the organization’s board-level management shall require the preparation of a security, privacy impact and/or data and information aggregation assessment by a suitably qualified and experienced person.

11.6.2 Each security, privacy impact and/or data and information aggregation assessment shall record:
a) the composition of the data and/or information set or layer;
b) who has access to the data and/or information being shared, disclosed or published;
c) whether the relevant asset, data, information, product or system owners are to be consulted before the data and/or information is shared, disclosed or published;
NOTE This applies to the organization’s own data and information and to any data and/or information collected from, stored or processed for customers or end users.
d) whether the data and/or information set includes any sensitive data and/or information, or sensitive personal data;
e) the justification for sharing, disclosing or publishing the data and/or information, in particular:
1) the objective of publishing or sharing it;
2) the potential benefits and how they are captured;
3) the risks to assets and organization if it is not shared, disclosed or published;
4) demonstration that the proposed sharing is proportionate to the objective and the potential benefits; and
5) whether or not the objective could be achieved, or the benefits delivered, without sharing, disclosing or publishing it;
f) the authority to share or publish the data and/or information, in particular:
1) whether the organ­ization is the data controller and/or has the right, legal authority and power to do so;
2) whether there are any legal obligations to share, disclose or publish (e.g. legislation or a court order); and
3) whether it was provided in confidence to the organization.
NOTE More detailed guidance on legal and data protection aspects of data sharing is given in the ICO’s Data Sharing Code of Practice [12].

11.6.3 Where there is uncertainty as to whether the data and/or information set contains sensitive data and/or information, or whether there are security or privacy issues arising from data and/or information aggregation, the data owner shall seek advice from appropriate security advisers.
NOTE Sources of advice can include suitably qualified and experienced persons within the organization and/or specialist security advisers outside the organization.

11.6.4 Each security, privacy impact and/or data and information aggregation assessment shall, by following the risk management process in accordance with Clause 6:
a) identify any data protection issues;
NOTE Data protection is a complex area, with detailed interpretation required of what constitutes personal data. Data and information should be carefully analysed before being made available to ensure compliance with the relevant legislation.
b) identify the security risks associated with sharing or publishing the contents of a specified data and/or information set;
c) identify and assess potential appropriate and proportionate risk mitigation measures to manage any unacceptable risks and any data protection issues; and
NOTE 1 Risk mitigation measures that might be appropriate to adopt across a wide range of data and information sets include:
a) removing a sub-set of the data and/or information from the published data and/or information set where only that sub-set creates a risk;
b) removing outliers, i.e. a small number of records that make it easier to identify assets, groups or individuals;
c) reducing the precision of the data and/or information where the precision of location or timing increases the risk;
d) providing the data and/or information in summary form to reduce the level of detail available where the granularity increases the risk;

e) releasing statistical data and/or information rather than underlying data and/or information;
f) anonymization of data and/or information sets;
g) modifying key variables to prevent re-identification;
h) publishing the data and/or information set without the metadata, or removing the sensitive fields, where the metadata creates a risk;
i) reducing the level of detail and/or removing some layers of mapped data and/or information as a user zooms in to view a locality where the granularity increases the risk; and
j) monitoring access by requiring user registration/login to access specific data and/or information sets.
NOTE 2 Where the contents of a specified data and/or information set contain sensitive personal data, additional controls might be required.
NOTE 3 Where a data and/or information set is manipulated to reduce the risk of identification or re-identification, processing should be independently verified to ensure the effectiveness of the approach used.
d) list any residual risks and remaining data protection issues.

11.6.5 A data and information aggregation assessment shall, in addition:
a) take proportionate steps to identify any data and/or information sets that have already been shared or published, whether intentionally or unintentionally, that, when aggregated with the specified data, allow a third party to draw inferences from the disclosed material or create unplanned associations, including those which:
1) identify a specific individual(s) or group(s);
2) reveal sensitive personal data;
3) establish a pattern-of-life for a specific individual(s) or group(s);
4) identify a sensitive asset;
5) reveal sensitive information about an asset;
6) establish a pattern-of-use for specific asset(s) or group(s) of assets; or
7) compromise the safety or security of an asset, individual(s), group(s) or service; and
b) provide clear examples of how these inferences could be drawn.

11.6.6 Where potential harm is identified, sharing, publication or further/additional disclosure shall be prohibited until appropriate and proportionate measures are implemented to remove the sensitivity or reduce the associated risks to a level that is acceptable to the organization.

11.6.7 Access to any part of the security, privacy impact and/or data and information aggregation assessments which details sensitive information shall be managed on a strict need-to-know basis, with the information contained within it subject to appropriate security measures with regard to its creation, storage, distribution and use.

11.7 Data and information sharing agreements
NOTE The information in this clause does not constitute legal advice. Users of this PAS should take appropriate legal advice regarding the data and information sharing.

11.7.1 A data and information sharing agreement (DISA) shall be put in place prior to sharing or processing of any sensitive or potentially sensitive data and/or information regarding manufacturing-related systems and the manufactured products and/or systems, and any related services.
NOTE The term process data should be interpreted as encompassing the various aspects of data processing covered by the UK Data Protection Act [1] and the General Data Protection Regulation (GDPR) [2], i.e. the creation or collection, processing, storage, retrieval and deletion of data and/or information.

11.7.2 A DISA shall detail, as a minimum:
a) the purpose, or purposes, of the sharing;
b) the potential recipients, or types of recipient, and the circumstances in which they have access;
c) the type of data and/or information to be shared;
d) the quality of the data and/or information to be shared, in particular its authenticity, coverage, accuracy, relevance and usability;

e) the requirements in relation to:
1) where relevant, data protection;
2) permitted and prohibited rights of use of the data;
3) obligations to notify the data owner and/or data controller in the event of a security incident or compromise, or any complaints regarding the quality of the data and/or information;
NOTE The obligations should reference the relevant security incident management policies, processes and procedures (see 7.3).
f) data and/or information maintenance, including responding to notification of requests for erasure or correction;
g) data and information security, including the handling of security incidents and investigations undertaken by data protection authorities;
h) the arrangements for retention and/or purging of shared data and/or information;
i) where applicable, i.e. when handling personal data, the procedures dealing with data subjects’ rights, including access requests, queries and complaints;
j) monitoring and auditing of the implementation of the sharing agreement; and
k) sanctions for failure to comply with the agreement and/or a security incident caused by an individual member of staff.

11.7.3 In the event of a security incident, or if there is evidence that data and/or information is not being managed and handled in accordance with the DISA, the organization’s board-level management shall have the authority to:
a) suspend the sharing agreement until the event or concerns have been investigated and any remedial measures have been agreed and implemented; or
b) terminate the sharing agreement and require purging of the shared data and/or information if the matter cannot be satisfactorily remedied.

11.7.4 The organization’s board-level management shall require the periodic review of all DISAs, to confirm that:
a) there is still a legitimate purpose for the continued sharing of data and/or information;
b) the recipients of the data and/or information still need access to it, and where they do not, that access has been withdrawn;
c) the data and information quality and maintenance are to the agreed standards; and
d) the data security arrangements remain appropriate and proportionate, and that any complaints have been satisfactorily resolved.
NOTE The frequency of the periodic reviews should be determined by the nature and sensitivity of the data and/or information that is being shared, and the impact on the organization in the event that the shared data and/or shared information were compromised or misused. The frequency might therefore vary between different data and information sets. The organization’s board-level management might also wish to take into account the behaviour of the recipient parties with whom that data and/or information has been shared. For example, if there have been a number of security incidents, the organization’s board-level management might decide to increase the frequency of reviews.


12 Security-minded approach in relation to compliance with legislation and other standards

NOTE 1 The information in this clause does not constitute legal advice. Users of this PAS should take appropriate legal advice where any of the legislation or regulations in Clause 12 applies to data and/or information under their control.

NOTE 2 The legislation listed in Clause 12 is set out in alphabetical order and is not intended to be exhaustive.

12.1 Computer Misuse Act 1990 [7]

The organization’s board-level management shall require the application of a security-minded approach in the specification, design, operation and maintenance of manufacturing-related systems and the systems providing services to or in support of manufactured items, so as to ensure that personnel, professional advisors, contractors, suppliers and system users do not inadvertently commit offences when fulfilling their contracted duties.

NOTE Offences can arise where an individual accesses data and/or information where they lack the requisite privileges or authorization. The access might include viewing, printing, moving data and/or information or altering files or database records.

12.2 Control of Major Accident Hazards (COMAH) Regulations 2015 [8]

The organization’s board-level management shall require adoption of a security-minded approach in its disclosure of information that shall be publicly available regarding the hazardous substances it employs in its manufacturing processes and, where there might be security concerns, to discuss these with the relevant public authorities prior to publishing the information.

NOTE The Control of Major Accident Hazards Regulations 2015 (COMAH) [8] aim to prevent major accidents involving dangerous substances and to mitigate the effects on people and the environment of those that do occur. Depending on the location of an organization’s site(s) in the UK it might be required to provide specific details about hazardous substances it uses to: the Health and Safety Executive (HSE), the Environment Agency (EA), the Natural Resources Body for Wales (NRW), the Scottish Environment Protection Agency, and where COMAH applies to nuclear licensed sites the regulations are enforced by the Office of Nuclear Regulation (ONR) and the relevant environment regulator. The Regulations require that some of the submitted information is made publicly available and searchable.

12.3 Data Protection Act 1998 [1]

The organization’s board-level management shall require application of a security-minded approach to handling, storage and use of personal data.

NOTE 1 The Data Protection Act 1998 [1] regulates the use of personal data and may apply to asset information, whether held in electronic or paper form, where it includes any set of information relating to individuals. The need for identification and protection of personal data is addressed in 11.6.

NOTE 2 The provisions of the Data Protection Act 1998 [1] will be affected by the introduction of GDPR (Directive 95/46/EC) [2].

12.4 Environmental Information Regulations 2004 [4]

Where a manufacturing organization shares data and/or information with an organization that falls within the scope of the Environmental Information Regulations 2004 [4], it shall, on a risk-based, security-minded basis, consider what sensitive information might be released, as part of the public authority’s publication scheme and on request, and where necessary agree with the public authority what sensitive information needs to be protected and how the protection is to be applied, for example by providing it in confidence or by identifying specific exemptions that apply to it.

NOTE 1 The Environmental Information Regulations [4] provide public access to information about the environment held by public authorities by:
a) obliging public authorities to proactively publish certain information about their activities in accordance with their publication scheme, and
b) entitling members of the public to request information from public authorities.


The Regulations cover any recorded information held by the public authority that falls within the definition of “environmental information” and can also apply to environmental information that another person or organization holds on behalf of the public authority. It typically covers information about land development, pollution levels, energy production, and waste management, and includes financial information where it relates to the costs of redeveloping land and constructing a new built asset, e.g. a new manufacturing facility.

NOTE 2 There is a risk that sensitive information disclosed to a public authority might be released to a competitor or a potentially hostile third-party. A manufacturing organization that wishes to protect sensitive information such as intellectual property, commercially sensitive information, etc. should be aware that there are a number of specific exemptions regarding disclosure of information as part of a publication scheme or in response to an environmental information request.

12.5 Freedom of Information Act 2000 [5] and Freedom of Information (Scotland) Act 2002 [6]

Where a manufacturing organization shares data and/or information with an organization that is covered by the Freedom of Information legislation it shall, on a risk-based, security-minded basis, consider what sensitive information might be released as part of the public authority’s publication scheme and on request, and where necessary agree with the public authority what sensitive information needs to be protected and how the protection shall be applied, for example by providing it in confidence or by identifying specific exemptions that apply to it.

NOTE 1 The Freedom of Information Acts [5 and 6] provide public access to information held by public authorities, by:
a) obliging public authorities to proactively publish certain information about their activities in accordance with their publication scheme, and
b) entitling members of the public to request information from public authorities.

Together, the Freedom of Information Act 2000 [5] and the Freedom of Information (Scotland) Act 2002 [6] cover any recorded information that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland.

NOTE 2 There is a risk that sensitive information disclosed to a public authority might be released to a competitor or a potentially hostile third-party. A manufacturing organization that wishes to protect sensitive information such as intellectual property, commercially sensitive information, etc. should be aware that there are a number of specific exemptions regarding disclosure of information as part of a publication scheme or in response to a freedom of information request. Areas covered by exemptions that the public authority might apply include:
a) health and safety;
b) environmental information;
c) personal information;
d) information provided in confidence;
e) legal professional privilege; and
f) commercial interests.

This is a complex legal area and appropriate advice should be sought by a manufacturing organization before sharing sensitive information with the public authority.

12.6 General Data Protection Regulation (GDPR) (Directive 95/46/EC) [2]

Organizations shall apply a security-minded approach to the handling, processing, storage and use of personal data and special categories of personal data (i.e. sensitive personal data) that are shared, published or processed as part of their business or manufacturing operations.

NOTE The government has confirmed that the UK’s decision to leave the EU does not affect the commencement of the GDPR, which applies in the UK from 25 May 2018.

12.7 Government Security Classifications

Where applicable, the organization’s board-level management shall require application of and compliance with the Government Security Classifications [NR2] policy with regards to:
a) all data and information that it collects, stores, processes, generates or shares in order to own, procure, operate or maintain its manufacturing assets, including information received from, or exchanged with, external parties both within and outside its supply chain; and
b) any inventory of sensitive manufactured items or systems and their sensitive raw materials, components, sub-systems, drawings, schematics, bills of materials, or supply chain details.


NOTE 1 Compliance with this policy might require specific security measures to be imposed regarding the access to, storage and processing of data and information, particularly where there are significant volumes of official and/or sensitive data or where some of the data and/or information requires specific controls and security measures.

NOTE 2 Government Security Classifications apply to all data and information that the government collects, stores, processes, generates or shares to deliver services and conduct business, including information received from, or exchanged with, external partners.

NOTE 3 Where central government information is not processed or stored, it is considered to be good security practice to apply BS 10010 to all data and information that the organization collects, stores, processes, generates or shares to design and manufacture items or systems, deliver services and conduct business.

12.8 Official Secrets Act 1989 [9]

Where official data and/or information is held in paper or electronic form, or sensitive manufactured items, systems and any related services are delivered, the organization’s board-level management shall require application of protective measures in accordance with the UK Government guidance on physical and information security 12).

NOTE The Official Secrets Act [9] applies to the protection of official information and to sensitive manufactured items, systems and any related services. Where the data and/or information is, or the manufactured items, systems and any related services are, covered by the Official Secrets Act [9], additional protective measures might be required in accordance with the Government’s guidance on physical and information security.

12.9 Re-use of Public Sector Information Regulations 2005 [10]

The organization’s board-level management shall require application of a security-minded approach when responding to requests for information from public sector bodies, as such information might be made available for re-use, and the extent to which the data is exempt from re-use should be ascertained prior to disclosing it.

NOTE Organizations should carefully consider the security implications of making data available that might be re-used. Whilst individual items might not pose a threat, aggregation of data, including correlation of data supplied to different public bodies, could reveal sensitive commercial or technical information and manufacturing capabilities. Where security considerations might be applicable, the organization should identify the extent to which the information is or might be available for re-use and determine what, if any, measures can be legitimately used to reduce the risk of disclosing sensitive information.

12.10 Sensitive information in planning applications

Where a planning application relating to the design or extension of manufacturing facilities contains sensitive information, the organization’s board-level management shall apply a security-minded approach to the handling of the application using the principles set out in PAS 1192-5 and the government’s published guidance on sensitive information in planning applications 13). The manufacturing organization shall work with their construction professional advisers and the planning authority to limit the information available on the open planning register, with sensitive information being subject to special handling arrangements.

NOTE Manufacturing organizations should be aware that a planning application could contain sensitive information such as:
a) data and/or information relating to a sensitive manufacturing process which reveals intellectual property related to the process;
b) data and/or information relating to the capacity of the manufacturing plant or its systems; and
c) descriptions of rooms or room layouts which might assist a malicious party in conducting hostile reconnaissance, for example to identify the location of sensitive assets.

The organization should be aware that if such information is available on an open planning register it might be accessed by organizations seeking competitive intelligence or potentially hostile parties seeking sensitive information regarding the manufacturing organization, its facilities and manufacturing assets.

12) See www.gov.uk/government/publications/government-security-classifications [29].
13) Further information can be found at: http://planningguidance.planningportal.gov.uk/blog/guidance/crown-development/sensitive-information-in-planning-applications/ [28].


Bibliography

Standards publications

For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

BS 10010:2017, Information classification, marking and handling – Specification

BS ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements

PAS 183:2017, Smart cities – Guide to establishing a decision-making framework for sharing data and information services

PAS 754:2014, Software Trustworthiness – Governance and management – Specification

PAS 1192-5:2015, Specification for security-minded building information modelling, digital built environments and smart asset management

Other publications and websites

[1] GREAT BRITAIN. Data Protection Act 1998. London: The Stationery Office.

[2] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN [viewed April 2018].

[3] GREAT BRITAIN. Trade Union and Labour Relations (Consolidation) Act 1992. London: The Stationery Office.

[4] GREAT BRITAIN. Environmental Information Regulations 2004. London: The Stationery Office.

[5] GREAT BRITAIN. Freedom of Information Act 2000. London: The Stationery Office.

[6] GREAT BRITAIN. Freedom of Information (Scotland) Act 2002. Edinburgh: The Stationery Office.

[7] GREAT BRITAIN. Computer Misuse Act 1990. London: The Stationery Office.

[8] GREAT BRITAIN. Control of Major Accident Hazards Regulations 2015. London: The Stationery Office.

[9] GREAT BRITAIN. Official Secrets Act 1989. London: The Stationery Office.

[10] GREAT BRITAIN. Re-use of Public Sector Information Regulations 2005. London: The Stationery Office.

[11] DIRECTIVE (EU) 2016/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). Available from: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016L1148&from=EN [viewed April 2018].

[12] INFORMATION COMMISSIONER’S OFFICE. Data sharing code of practice. ICO: Cheshire, 2011. Available from: https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf [viewed April 2018].

[13] CHARTERED INSTITUTE OF INTERNAL AUDITORS. Risk appetite and internal audit. London. Available from: https://www.iia.org.uk/resources/risk-management/risk-appetite/ [viewed April 2018].

[14] ENGINEERING COUNCIL. Available from: www.engc.org.uk/security [viewed April 2018].

[15] INDUSTRIAL CONTROL SYSTEMS. ICS CP/PE (Cyber-to-Physical or Process Effects) case study paper – German Steel Mill Cyber Attack. December 2014. Available from: https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf [viewed April 2018].

[16] OPEN WEB APPLICATION SECURITY PROJECT (OWASP). Available from: www.owasp.org [viewed April 2018].


[17] US SENATE REPORT. Available from: www.commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db-a3a67f183883/23E30AA955B5C00FE57CFD709621592C.2014-0325-target-kill-chain-analysis.pdf [viewed April 2018].

[18] GREAT BRITAIN. DEF STAN 05-138. Cyber security for defence suppliers. Available from: www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138 [viewed April 2018].

[19] NATIONAL CYBER SECURITY CENTRE (NCSC). Implementing the cloud security principles. Available from: www.ncsc.gov.uk/guidance/implementing-cloud-security-principles [viewed April 2018].

[20] NATIONAL CYBER SECURITY CENTRE (NCSC). Destruction and disposal. Available from: www.ncsc.gov.uk/topics/destruction-and-disposal [viewed April 2018].

[21] CENTRE FOR THE PROTECTION OF NATIONAL INFRASTRUCTURE (CPNI). Secure destruction. Available from: www.cpni.gov.uk/secure-destruction [viewed April 2018].

[22] NATIONAL CYBER SECURITY CENTRE (NCSC). Cyber essentials. Available from: www.ncsc.gov.uk/scheme/cyber-essentials [viewed April 2018].

[23] NATIONAL CYBER SECURITY CENTRE (NCSC). Cyber essentials homepage. Available from: www.cyberessentials.ncsc.gov.uk/ [viewed April 2018].

[24] NATIONAL CYBER SECURITY CENTRE (NCSC). 10 steps to cyber security. Available from: www.ncsc.gov.uk/guidance/10-steps-cyber-security [viewed April 2018].

[25] MAERSK. Interim report Q2 2017. Available from: http://investor.maersk.com/releasedetail.cfm?ReleaseID=1037421 [viewed April 2018].

[26] INFORMATION COMMISSIONER’S OFFICE. Determining what is personal data. ICO. Available from: https://ico.org.uk/media/for-organizations/documents/1554/determining-what-is-personal-data.pdf [viewed April 2018].

[27] INFORMATION COMMISSIONER’S OFFICE. Preparing for the General Data Protection Regulation (GDPR) – 12 steps to take now. ICO. Available from: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf [viewed April 2018].

[28] Sensitive information in planning applications. Available from: http://planningguidance.planningportal.gov.uk/blog/guidance/crown-development/sensitive-information-in-planning-applications/ [viewed April 2018].

[29] Government security classifications. Available from: www.gov.uk/government/publications/government-security-classifications [viewed April 2018].

Further reading

BS 7858, Security screening of individuals employed in a security environment – Code of practice

BS ISO 55001:2014, Asset management – Management systems – Requirements

BS ISO 55002, Asset management – Management systems – Guidelines for the application of ISO 55001

BS EN ISO/IEC 27001:2017, Information technology – Security techniques – Information security management systems – Requirements

BS ISO/IEC 29100, Information technology – Security techniques – Privacy framework

BS ISO/IEC 38500:2015, Information technology – Governance of IT for the organization

BS ISO/IEC 38505-1:2017, Information technology – Governance of IT – Governance of data – Application of ISO/IEC 38500 to the governance of data

PAS 555, Cyber security risk – Governance and management – Specification

IEC 62443 series, Industrial communication networks – Network and system security

ELLIOT, M., MACKEY, E., O’HARA, K. AND TUDOR, C. The Anonymisation Decision-Making Framework. Manchester: UKAN Publications, 2016.

FLORIDI, L. Information – A Very Short Introduction. 2010. Oxford: Oxford University Press.
