BASC

INTERNATIONAL
SECURITY
STANDARD

6.0.1
COMPANIES WITH DIRECT RELATION TO THE
CARGO, CARGO UNITS OR CARGO
TRANSPORT UNITS

Version 6 - 2022
Approval: March 2, 2022

All rights reserved. No part of this publication may be reproduced, modified or used in any
form or by any means, electronic or mechanical, without the express written permission
ofWorld BASC Organization (WBO).
 TABLE OF CONTENTS
0.1 Cybersecurity and information techno

0. INTRODUCTION 3

1. BUSINESS PARTNER 4
1.1 Business Partner Requirements 4
1.2 Prevention of Money Laundering and Financing of Terrorism 4

2. SECURITY OF CARGO UNITS AND UNIT LOAD DEVICES 5

2.1 General 5
2.2 Inspection of the cargo units 5
2.3 Inspections of cargo transport units 6
2.4 Cross Contamination Prevention and Agricultural Safety 7
2.5 Traceability of Cargo Units and Cargo Transport Units 7
2.6 Security Seals 7
2.7 Route Control 8

3. SECURITY IN CARGO HANDLING PROCESSES 8

3.1 Parameters and Criteria 8
3.2 Raw Material, Packing and Packing Material Control 8
3.3 Chemical Precursors and Controlled Substances 8
3.4 Controls in the Cargo Handling Process 9
3.5 Information Processing and Cargo documents 9
3.6 Discrepancies in the Carga 9
3.7 Communication of Suspicious Activities or Critical Events 10
3.8 Controls in Operational Processes not related to Cargo 10

4. PERSONNEL SECURITY 10
4.1 Procedure for Personnel Management 10
4.2 Education, Training, and Awareness Program 12

5. ACCESS CONTROL AND PHYSICAL SECURITY 13

5.1 Access Control 13
5.2 Physical Security 14

6. INFORMATION TECHNOLOGY SECURITY 15

6.1 General
6.2 Cybersecurity and Information Technology 15
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 3 of 16

0. INTRODUCTION

The BASC International Security Standard, integrates operational controls which are
focused on the principal elements that can impact the security of the Supply Chain. Its
purpose is to assist companies in protecting their personnel, facilities, cargo, business
partners and other interested parties.

Three documents were issued with the intention of consolidating the requirements
corresponding to the company’s relationship with the cargo as defined in their CSMS
scope. The BASC International Security Standard 6.0.1 applies to companies that have
a direct relationship with cargo, cargo units or cargo transport units.

The BASC International Security Standard 6.0.2 applies to companies that have an
indirect relationship with cargo, cargo units or cargo transport units.

The BASC International Security Standard 6.0.3 is applicable to any company not
covered by International Standards 6.0.1 and 6.0.2 that wishes to implement the basic
controls to secure its operations.
This document is the result of the collaboration of many individuals at WBO organization
including:

WBO Board of Directors 2021-23: Emilio Aguiar (BASC Ecuador), President; Ricardo
Sanabria (BASC Colombia), Vice President; Patricia Siles (BASC Peru), Secretary;
Armando Rivas (BASC Dominican Republic), Treasurer; and Álvaro Alpízar, Vocal.

WBO Technical Committee 2021-23: Fermin Cuza, WBO International President;

Executive Directors: Giomar Gonzalez, BASC Panama; Luis Bernard Benjumea, BASC
Colombia; Omar Castellanos, BASC Dominican Republic; Fabrizio Muñoz, BASC
Guayaquil; Cesar Venegas, BASC Peru; Jorge Wellmann, BASC Guatemala; María
Andrea Caldas, WBO Certifications Coordinator, and Luis Renella, WBO Director of
Operations.

WBO English Homologation: Bradd Skinner and Luis Renella.

 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 4 of 16

1 BUSINESS PARTNER

1.1 Business Partner Requirements

1.1.1 The company must establish a documented procedure for the selection,
evaluation, contracting and awareness of its business partners regarding the
BASC CSMS, based on risk management, due diligence, and local legislation.
This must include:

a) Assigning a risk level based on an established risk management process.

b) Obtaining evidence of legal status of its business partners.
c) Obtaining evidence of BASC certification (certificate of authenticity). If not
obtainable, evidence of other internationally recognized security certifications
by a customs authority (C-TPAT, Authorized Economic Operator) or other
entities, that constitutes evidence of compliance with acceptable security
criteria. Otherwise, the company must sign a security agreement.
d) Verifying compliance with the security agreement, at least yearly.
e) Maintaining and monitoring current business partners.
f) Training guidelines that include crime prevention practices in international
trade, corruption and bribery.
g) Obtaining evidence of the identity of the final recipient in accordance with
current legislation.

1.2 Prevention of money laundering and financing of terrorism

1.2.1 The company must establish a documented procedure, in accordance with current
legislation, to prevent money laundering, financing of terrorism and other crimes
related to international trade. The company must appoint a person responsible for
compliance with these procedures. This procedure must include:

a) Screening of its business partners to include verifying the identity and legal
status of the company and its stakeholders.
b) Conducting legal, criminal and financial background checks taking into
account national and international lists.
c) Timely notifying the relevant authority when suspicious transactions are
identified (see 3.7).
d) Verifying membership in business or trade associations.

1.2.2 The documented procedure for the selection of business partners (see 1.1) must,
based on risk management, consider at least the following warning signs to identify
suspicious transactions:
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 5 of 16

a) Origin and destination of business operations.

b) Frequency of operations.
c) Value and type of merchandise.
d) Method of transportation.
e) Form of payment.
f) Inconsistencies in the information provided by the business partner.
g) Unusual requirements.

2 SECURITY OF CARGO UNITS AND CARGO TRANSPORT UNITS

2.1 General

The company must establish documented procedures, based on risk management and its
role in the supply chain, to protect cargo units and cargo transport units from the introduction
of unauthorized persons and materials. The company must:

a) Identify secure areas to conduct inspections.

b) Define criteria to inspect units and reject them when appropriate.
c) Inspect units when entering and exiting the facilities and before carrying out
the loading process.
d) Establish the necessary controls to maintain the integrity of the unit.
e) Maintain inspection records to include the personnel involved.
f) Notify relevant business partners and authorities in case of incidents (see 3.7).

2.2 Inspection of the cargo units

The inspection must include at least, for containers, both inside and outside:

• Front wall.
• Left side.
• Right side.
• Floor.
• Ceiling/Roof.
• Doors (locking mechanism).
• Exterior and frame (beams from the front wall to the doors).
• Cooling system (if applicable).

For trailers, additionally inspect:

 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 6 of 16

• Trailer landing gear.

• Tires, bumpers and lights.
• Skid plate (pin fixing structure which engages the fifth wheel).

For other loading units (e.g. air cargo units), carry out an inspection which includes the
previous points and anyother identified risk elements.

2.3 Inspections of cargo transport units

This inspection must include at least the following points:

For flatbeds, chassis and similar:

• Landing gear.
• Tires, bumpers and lights.
• Skid plate (pin fixing structure which engages the fifth wheel).
• Check anchor points (4 pins) or twist lock
• Generator inspection for refrigerated load (if applicable).

For Tractors:

• Bumpers, lights and tires.

• Doors and tool compartments.
• Battery box.
• Air filter.
• Fuel, water and air tanks.
• Interior of cab compartments and sleeper.
• Passenger section and cabin roof.

For vans:

• Front wall.
• Left side.
• Right side.
• Floor.
• Roof.
• Doors (locking mechanism).
• Cooling system (if applicable).
• Exterior and frame (beams from the front wall to the doors).

For other cargo transport units, carry out an inspection which includes the previous points
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 7 of 16

and any other identified risk elements.

2.4 Cross contamination prevention and agricultural safety

The cargo units must be cleaned and washed before the loading process and ensure that
they are inspected to avoid visible contamination by plagues, debris, residues, and other
materials, including natural elements such as insects and rodents.

a) If contamination is found during the inspection, proceed according to current

regulations.
b) Maintain documented information on this process and its effectiveness.

2.5 Traceability of cargo units and cargo transport units

The company must establish a documented procedure to evidence the traceability of the
cargo unit or cargo transport unit during custody and maintain the corresponding records.

2.6 Security seals

The company must:

a) Establish a documented procedure to record, control, and handle security seals for
the cargo units and cargo transport units in its operations. This procedure must be
based on risk management and include at least the necessary controls to maintain
the integrity and traceability of the seal throughout the chain of custody.
b) Authorize the handling of seals to only trained and designated personnel.
c) Store seals in safe, secure places with limited access control.
d) Install a high security seal that at least meets the requirements of ISO17712
standard on all cargo units with international destination whenever necessary
during their operations or route.
e) For local destinations use an indicative type of seal (or better).
f) Have photographic or video records that show the manipulation of the seals before,
during, and after their operations.
g) Verify seal inventory according to the company’s operations.
h) Mantain records and report to pertinent authorities and interested parties, when
these seals have been compromised, replaced or before any incident that
compromises their integrity, following the established guidelines for the
communication of suspicious activities and critical events (see 3.7).
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 8 of 16

2.7 Route control

The company, based on risk management, must:

a) Establish the necessary route controls to maintain the integrity of cargo units and
cargo transport units, whether owned or subcontracted, with appropriate record
keeping.
b) Establish predetermined routes that include the estimated transit time, critical
zones, border crossings, and authorized rest areas.
c) Keep a geolocation system or GPS, that allows traceability and monitoring during
route.
d) Document and report any incident or suspicious activity detected to the relevant
authorities and interested parties, following the established guidelines for the
communication of suspicious activities or critical events (see 3.7).
e) Identify cargo transport units and authorized company drivers before they receive
or deliver cargo.

3 SECURITY IN CARGO HANDLING PROCESSES AND OTHER PROCESSES

DEFINED IN THE SCOPE OF THE CSMS

3.1 Parameters and criteria

In accordance with the scope established in the BASC CSMS, risk management, and its
role in the supply chain, the company must have documented procedures that address
the parameters and security criteria applied in cargo handling processes and other
identified processes.

3.2 Raw material, packing and packaging material control

The company must establish a documented procedure for the handling, custody, storage,
control, disposal, and inspection of:

a) Raw materials.
b) Packing and packaging material, including pallets (skids and the like).
c) Residues, waste, and leftovers that affect the safety of the company’s operations.

3.3 Chemical Precursors and controlled substances

The company must establish a documented procedure for the handling and control of

chemicals precursors and controlled substances, in accordance with legal requirements

 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 9 of 16

and risk management. It must include:

a) Control, handling, and storage during custody.

b) Records of its usage and inventory
c) Person responsible of its handling.

3.4 Controls in the cargo handling process

The company must establish a documented procedure to:

a) Mantain records as evidence of the personnel involved in the cargo handling

process.
b) Isolate and protect the unloading, storage and loading areas.
c) Verify that the cargo corresponds to what is indicated on the packing lists and
commercial invoices, and other applicable international documentation.
d) Maintain photographic or video records of the entire process (before, during and
after). These must remain available based on risk management and current local
legislation.
e) Secure cargo by appropriate physical means that allow its traceability to be
maintained before, during, and after the loading process and while it is kept in
custody.

3.5 Information processing and cargo documents

3.5.1 The company must establish a documented procedure for the handling and control
of the cargo and its documentation at the facility’s entrances or exits.

3.5.2 The company must:

a) Verify the accuracy and consistency of the information transmitted to the

authorities, in accordance with that registered in the cargo operation documents.
b) Ensure that the information used in the final cargo release is legible, complete,
accurate and protected against modifications, loss, or introduction of erroneous
data.
c) Timely inform the relevant interested parties regarding the documentation
corresponding to the handling of the cargo during custody.
d) Maintain records that evidence the traceability of the cargo in accordance with its
responsibility in the chain of custody.

3.6 Discrepancies in the cargo

The company must establish a documented procedure to manage all cases related to
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 10 of 16

cargo related discrepancies, packing and packaging material, waste and leftovers that
affect the company’s operations.

3.7 Communication of suspicious activities or critical events

The company must establish a documented procedure to timely notify the competent
authorities and interested parties involved when suspicious activities or critical events
occur that may affect the integrity of the operations defined in the scope of the BASC
CSMS, ensuring compliance with current legislation. The company must:

a) Document information related to the steps taken.

b) Perform a post-incident evaluation and analysis in order to identify necessary
corrective actions.
c) Educate and train their staff to identify or recognize suspicious activity related to
their duties.

3.8 Controls in operational processes not related to cargo

The company must establish a documented procedure for all operational processes
identified in the scope of the BASC CSMS. These must include:

a) Appropriate criteria to mitigate risks and their impact on these processes.

b) All the necessary evidence for traceability in the processes, in order to be able to
identify potential discrepancies if they occur.

4 PERSONNEL SECURITY

4.1 Procedure for personnel management

The company must establish a documented procedure, based on risk management and
local legislation,that includes the following activities:

4.1.1 Personnel selection

The company must verify and analyze during the selection process:

a) Information provided by the candidate.

b) Professional and personal references.
c) Background checks of the personnel who will occupy critical positions.
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 11 of 16

d) Verify the required competencies for the specific positions determined by the
company.
e) The results from:
1. Reliability tests.
2. Alcohol and illicit drug use detection tests.
3. Home visits.

4.1.2 Personnel hiring

The company must:

a) Maintain a current photograph in the personnel file and include a record of

fingerprints and signature.
b) Issue and control the delivery and use of the company’s Identification (ID)
credentials with access to certain areas, and uniforms that contain the company'
logo, if applicable.
c) Document the provisioning of the company’s security resources associated with
the position.
d) Register the delivery of the company’s code of ethics, conduct and social
compliance policy to the employee.
e) Include the commitment to the BASC CSMS in the orientation process.
f) Define security requirements associated with the position profile for all critical
positions determined by the company and when changes occur.

4.1.3 Personnel Administration

The company must:

a) Update personnel information at least once per year.

b) Perform background checks of personnel who hold critical positions at least once
per year.
c) Test personnel who hold critical positions to detect the consumption of alcohol
and illicit drugs, at least once every two years or when suspicion is identified.
d) Perform a home visit to personnel who hold critical positions, based on risk
management and local regulations at least once every two years.
e) Issue and update the company’s photo ID card, in accordance with company
procedures.
f) Evidence the proper use of the company’s security resources associated with the
position.
g) Evidence compliance with the company's code of ethics, conduct and social
responsibility policy.
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 12 of 16

4.1.4 Personnel termination procedures:

The company must:

a) Remove facility and Information Technology (IT) system access.

b) Remove the identification tags, uniforms and other company property based on
issuance records.
c) Communicate to the relevant interested parties the employment termination, based
on risk management.

4.2 Education, training, and awareness program

4.2.1 The company must annually document and evaluate the effectiveness of programs
related to:

a) Prevention of crimes related to international trade.

b) Addiction prevention, including posted signs and/or reading material.
c) Corporate social responsibility.
d) Prevention of the risk of corruption and bribery.

4.2.2 The company must establish and maintain a documented annual training program
to make personnel aware of their responsibility to recognize potential security
vulnerabilities related to the BASC CSMS, including at least:

a) Policies related to the BASC CSMS.

b) Fulfillment of social responsibility.
c) Risk management, operational controls, and emergency response plans.
d) Legal requirements related to the company.
e) Evaluation of the key performance indicators related to the company’s processes.
f) Inspection of cargo container units and cargo transport vehicles (see 2); and
security in cargo handling processes (see 3).
g) Access controls and physical security of the facility (see 5).
h) Management of security seals.
i) Prevention of cybercrimes.
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 13 of 16

5 ACCESS CONTROL AND PHYSICAL SECURITY

5.1 Access control and permanence in the facility

The company must establish a documented procedure for access control of employees,
visitors and third parties, which includes the following activities:

5.1.1 Personnel:

a) Positive Identification.
b) Facility access control.
c) Limit access to assigned areas, as determined by the company.

5.1.2 Visitors, contractors and third parties:

a) Request authorization for access.

b) Present valid government issued photo identification.
c) Register their entry and exit.
d) Based on risk management, register all elements that enter the facility.
e) Issue and control a temporary identification.
f) All visitors must be escorted.
g) Access must be restricted to authorized areas.

5.1.3 Inspection of mail and packages received prior to distribution which includes
mantaining records of who delivered it and to whom it was destined.

5.1.4 Inspect all vehicles that enter and exit the facilities, mantaining corresponding
records.

5.1.5 Establish access control for authorities and emergency response vehicles
inaccordance with response plans.

5.1.6 Operational controls which include:

a) All personnel, visitors, contractors and third parties must visibly display
identification in accordance with applicable safety regulations.
b) Control of locker areas which must be separate from cargo handling and
storage areas.
c) Identification and removal of unauthorized persons.
d) Ensuring that security personnel are controlling the entry and exit doors of
the facility.
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 14 of 16

5.2 Physical security

5.2.1 General

The company, based on risk management and its role in the supply chain, must establish
a documented procedure corresponding to physical security, which must include:

a) Structures and perimeter barriers that prevent unauthorized access.

b) Locks on doors and windows.
c) Lighting systems that allow control of the facility in:
1. Entrance and exit
2. Storage, cargo and information handling areas.
3. Parking areas.
4. Other determined critical areas.
d) A competent security service, preferably BASC certified, in accordance with
legal requirements that guarantee a timely response to events.
e) Parking areas for personnel, visitors and cargo delivery or pick up vehicles.
f) Operation and maintenance inspections with their respective records.
g) Use of security technology.
1. Operational alarm systems that detect unauthorized entry.
2. Video surveillance system covering critical areas and monitored by competent
personnel.
3. Backup systems for images and video (recording) with enough storage
capacity to respond to events.
4. Others that are deemed necessary by the company.

5.2.2 The company must establish, document and update:

a) A floor plan detailing the location of the critical (security sensitive) areas of the
facility.
b) Control of access keys, devices and codes.

5.2.3 The company must carry out inspections to evaluate the implementation,
operation, and maintenance of physical security controls, keeping records of all
findings.
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 15 of 16

6 INFORMATION SECURITY

6.1 General

The company must establish a documented procedure, based on risk management and
its role in the supply chain, to:

a) Manage and protect the company’s use of information and computer resources,
including the measures to be applied in case of non-compliance.
b) Safeguard information and its confidentiality, integrity, and availability, in its
different forms and states.
c) Protect the IT infrastructure.

6.2 Cybersecurity and information technology

The company must:

a) Establish, document, and maintain security criteria that allow information

technology systems to be identified and protected, and timely recovery if
necessary.
b) Timely communicate information about identified cybersecurity threats with the
corresponding interested parties.
c) Identify interested parties and their level of criticality within the company’s IT
infrastructure (hardware and software).
d) Classify information, systems and accesses according to the level of criticality
and establish access policies for it according to current legislation.
e) Use individually assigned accounts with unique credentials for each user who
accesses the system, through passwords and other forms of authentication for
secure access. These must be updated periodically when there are indications
or reasonable suspicions that they are compromised.
f) Limit user access and permissions according to assigned functions and tasks,
periodically reviewing them.
g) Eliminate access for all personnel and external users upon termination of their
contract or agreement.
h) Prevent the installation of unauthorized software.
i) Use and maintain licensed and updated hardware and software to protect the IT
infrastructure against computer threats such as viruses, spyware, worms,
Trojans, malware, ransomware, among others.
j) Maintain backup copies of sensitive information and keep a copy safely stored
outsidethe facility (physically or virtually) with the necessary security measures
to prevent access from third parties.
k) Maintain an updated record of users, their criticality level, and assigned access.
l) Lock unattended computers.
 Version: 06
02-MAR-2022
World BASC Organization
Business Alliance for Secure Commerce
BASC International Security Standard Page:
6.0.1 16 of 16

m) Evaluate IT infrastructure (hardware and software) security at least yearly,

implementing pertinent actions when vulnerabilities are detected.
n) Establish procedures and controls to identify and review unauthorized access to
information systems, websites, or non-compliance with policies and procedures
(including the manipulation or alteration of commercial data by employees or
contractors.)
o) Review cybersecurity policies and procedures at least yearly and update them
when there are changes in the internal or external context, or when risks
materialize.
p) Use secure technologies, such as virtual private networks (VPN) or multifactor
authentication, for the collaborators and external users secure access to the
company's computer systems, including access for remote work or
telecommuting.
q) Establish procedures to prevent remote access by unauthorized users, from
personal or other devices.
r) Conduct periodic inventories of the media or other equipment that are part of the
company's IT infrastructure. The media or other equipment must be eliminated
or disposed of in accordance with current legislation.
s) Restrict connections of unauthorized personal devices and peripherals to any
device that is part of the company's computing infrastructure.
t) Monitor compliance with cybersecurity and information security policies
established in the use of platforms and digital content, video conferencing tools,
electronic commerce, among others.
u) Carry out practical exercises and/or drills related to the security of information
technologies, which allow determining the effectiveness of the established
actions (see BASC Norm 6.1 e).
v) If applicable, establish controls for system administrators or superusers to allow
user ID continuity for active systems.