2023 Tapa FSR Audit Form - Final
TAPA
MINIMUM SECURITY STANDARDS FOR FREIGHT SERVICES SUPPLIERS
FACILITY SECURITY AUDIT REPORT
In all cases evidence must be shown or given especially if considering a N/A item or requesting a Waiver
Columns: Certification Level A, Level B, Level C; Result
7.0.2 Management must have formally appointed a person (AA) for security on site who is responsible for maintaining TAPA FSR, SCARS closure, risk assessment, management report and company supply chain security requirements. Another person (can be the same) will also be responsible for monitoring the FSR program. This includes scheduling compliance checks, communications with AAs, recertification, changes to the FSR Standard, etc. ✓ ✓ ✓
Note: These persons can be an employee or outsourced person under contract to perform this role.
7.0.3 Internal audits (by a cross-functional team) on the security management system, self assessment reports by the internal AA and SCARS closure must be completed and documented. ✓ ✓ ✓
7.0.4 A procedure, log and/or key-plan is required for physical locks, access cards and/or keys that manage and control the physical and electronic keys. The procedure should include processes for duplication, storage, and responding to missing / lost keys. ✓ ✓ ✓
7.0.5 A risk assessment that recognizes the likelihood and impact of security related events must be conducted and updated at least annually. Management must acknowledge that the identified risks have been evaluated and appropriate controls have been implemented to mitigate or eliminate the risks to an acceptable level. At a minimum, the following common internal/external events must be assessed: theft of cargo or information, unauthorized access to facilities or cargo, tampering with/destruction of security systems, fictitious pickups of cargo, security continuity during workforce shortages, or natural disasters, need for anti-ram barriers for ground level accessible windows or dock doors, etc. ✓ ✓ ✓
7.0.6 The person who performs internal or yearly audits for the applicant / LSP (called the LSP AA) must be trained. This person can be the same person as mentioned under 7.6.3 or can be an outsourced person under contract to perform this role. ✓ ✓ ✓
7.0.7 To understand the FSR and to be capable to implement all its requirements, all applicant / LSP AAs must have taken and passed the applicable exam for the TAPA Standard and version they are required to audit against. ✓ ✓ ✓
7.1.1 CCTV / VSS able to view all traffic at external cargo handling, shipping and receiving yard (including entry and exit point(s)) ensuring all vehicles and individuals are recognizable at all times unless temporary obstruction due to operational needs (i.e., truck loading and unloading in real time). ✓ ✓
7.1.2 Lighting adequate in loading and unloading areas. ✓ ✓ ✓
Note: Lighting may be constant, activated by alarm, motion, sound detection, etc., with immediate illumination provided.
7.1.3 Procedure describing how unauthorized vehicles and persons are to be managed within the external cargo handling, shipping and receiving yard. Instruction on procedure must be delivered to relevant members of workforce, including guards. ✓ ✓ ✓
7.1.4 Cargo handling, shipping and receiving yard is adequately controlled to prevent unauthorized access. ✓ ✓
7.1.5 For ground level accessible windows or dock doors, the annual Risk Assessment must evaluate the need for anti-ram barriers. Additionally, should include evaluating use of window covers to prevent unauthorized viewing of the interior spaces (See Risk Assessment, Section 7.6.5.). ✓
7.1.6 Physical barrier encloses cargo handling, shipping and receiving yard. ✓
7.1.7 Physical barrier around the cargo handling, shipping and receiving yard has a minimum height of 6 feet / 1.8 meters. ✓
Note: The physical barrier, designed to prevent unauthorized access, must be a height of 6 feet / 1.8 meters along its entire length, including areas where ground level changes, i.e., is lower.
7.1.8 Physical barrier around the cargo handling, shipping and receiving yard maintained in good condition. ✓
7.1.9 Gate(s) within the cargo handling, shipping and receiving yard barriers manned or electronically controlled. ✓
7.1.10 Physical barrier around cargo handling, shipping and receiving yard is inspected for integrity and damage at least weekly. ✓
7.1.11 External Dock areas covered via color or “day/night” exterior CCTV / VSS cameras. ✓ ✓ ✓
7.1.12 CCTV / VSS Cameras mounted to be able to view all operations and movement around external dock area at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time). ✓ ✓ ✓
7.1.13 All vehicles and individuals around external dock areas must be covered by CCTV / VSS cameras, which can clearly show the vehicle identification information and are able to discern facial features of personnel. ✓
Note: TAPA will allow existing certification holders without the capability to upgrade to camera resolution, to continue with their current resolution until the 2026 revision. New certificate holders or new sites must meet the new requirement.
7.1.14 Vehicles and individuals around external dock areas must be covered and visible by CCTV / VSS cameras in most cases. ✓ ✓
7.1.15 All external areas around dock doors fully illuminated. ✓ ✓ ✓
7.1.16 Personal vehicles only permitted to cargo handling, shipping and receiving areas if pre-approved and restricted to signed/designated parking areas. No personal parking within 25m walking distance to external dock areas. The processes for the preapproval and restrictions in place. ✓ ✓ ✓
7.2.1 Color or “day/night” exterior CCTV / VSS camera in place covering all exterior sides of the facility. ✓
7.2.2 Color or “day/night” exterior CCTV / VSS camera in place covering exterior sides of facility with doors, windows or other openings. ✓
7.2.3 All views of exterior CCTV / VSS camera clear at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time). ✓
7.2.4 All vehicles and individuals around exterior sides of the facilities must be covered by CCTV / VSS cameras, which can clearly show the vehicle identification information and are able to discern facial features of personnel. ✓
7.2.5 Vehicles and individuals visible in most cases by the exterior CCTV / VSS cameras. ✓
7.2.6 Exterior walls and roof designed and maintained to resist penetration (Example: brick, block, tilt up concrete slab, sandwich panel walls). ✓ ✓ ✓
7.2.7 Any openable window, vent or other aperture in the facility exterior walls, or any sealed window installed lower than 3 meters from the working floor in the facility exterior walls, must have a physical barrier or be alarmed and linked to the main alarm system. ✓ ✓
7.2.8 Any openable window, skylight, vent, access hatch or other aperture in the facility roof, must have a physical barrier or be alarmed and linked to the main alarm system. ✓
7.2.9 External access to roof (ladder or stairs) must be: ✓
Physically locked and covered by CCTV / VSS (Color or “day/night” cameras).
or
Physically locked and alarmed.
7.2.14 Warehouse pedestrian doors and frames cannot be easily penetrated. If hinges on outside they must be pinned or spot-welded. Glass doors are unacceptable unless glass break detectors are fitted, or other local detection device is providing cover (e.g. PIR) and alarmed directly to the monitoring center or glass is protected by bars/mesh. ✓ ✓ ✓
7.2.15 Emergency exits that are used for emergency purposes only (e.g. Fire exits), are alarmed at all times with an individual or zoned audible sounder. ✓ ✓ ✓
7.2.16 All dock doors of sufficient strength so the doors will deter and/or delay forced entry by use of small portable hand tools. ✓ ✓ ✓
7.2.17 Dock Doors ✓ ✓ ✓
Non-operational hours:
Dock doors closed, secured (i.e. electronically disabled or physically locked).
Dock doors alarmed to detect unauthorized intrusion and generate an alarm linked to the main alarm system.
Operational hours:
Dock doors must be closed when not in active use.
Scissor gates, if used, must be secured by mechanical slide / latch lock and be a minimum of 8 feet / 2.4 meters high.
7.3.1 Visitor entry point(s) are controlled by an employee / guard / receptionist that has been trained on badge issuance, controls, logging, visitors, escort requirement, etc. (process in place for visits outside operational hours). ✓ ✓ ✓
7.3.2 Office area visitor entry point(s) covered by CCTV; (Color or “day/night” cameras) individuals clearly recognizable at all times. ✓ ✓
7.3.3 Duress alarm present in office area visitor entry point(s) and tested weekly. ✓ ✓
7.3.4 All visitors to the office area identified using government-issued photo-ID (e.g. driver’s license; passport or national ID card, etc.). ✓ ✓ ✓
7.3.5 All visitors to the office area registered and log maintained for minimum of 30 days. ✓ ✓ ✓
7.3.6 All visitor badges must be reconciled as the visitor leaves the premises and the full log checked daily. ✓ ✓
7.3.7 All visitors visibly display badges or passes and are escorted by company personnel. ✓ ✓
7.3.9 Workforce entry point(s) controlled through electronic access control device 24/7. Access logged. ✓
7.3.11 After vetting, all employees must be issued with company photo-ID badges. ✓ ✓
7.3.12 All other workforce must be provided with a company ID badge to make them recognizable within the facility. ✓ ✓
7.3.15 All drivers identified using government-issued photo-ID (e.g. driver’s license; passport or national ID card, etc.) and a driver log maintained. ✓ ✓ ✓
7.3.16 Verification that the driver’s license is valid, the driver photo-ID has not expired, and matches the driver. ✓ ✓ ✓
7.3.17 Vehicle identifiers are logged manually (i.e. written) or with cameras. Include at a minimum license plate and vehicle type. ✓
7.4.1 Interior floor to ceiling multi-tenant walls and roof constructed/designed and maintained to resist penetration (Example: brick, block, tilt up concrete slab, sandwich panel walls). ✓ ✓ ✓
7.4.2 If interior floor to ceiling multi-tenant walls are constructed of security grade wire mesh or other industry recognized secure barrier, then it is also to be alarmed to detect intrusion. ✓ ✓ ✓
Note: Netting, low-grade fencing or non-security grade mesh is not acceptable.
7.4.3 Intrusion detection (e.g. infrared, motion, sound, or vibration detection), is required to monitor the internal warehouse areas. The alarms must be activated and linked to the main alarm system during non-operational hours (i.e. when warehouse is closed). ✓
Note: If the warehouse is a true 24/7/366 operation, this requirement may be N/A if the risks and mitigations are documented in the local Risk Assessment (See Section 7.0.5).
Regardless of operational hours, perimeter intrusion detection or physical barriers are always required on external doors and ground-floor windows in office and warehouse. (See section 7.2.11).
7.4.4 All internal dock doors and dock areas covered by CCTV. (Color or “day/night” cameras). ✓ ✓ ✓
7.4.5 Views of freight being loaded/unloaded at all internal dock doors and dock areas, clear at all times unless temporary obstruction due to operational needs (i.e. truck loading and unloading in real time). ✓ ✓ ✓
7.4.6 Buyer assets under 100% CCTV surveillance in cargo movement or staging areas (i.e. pallet breakdown/build up areas, routes to and from storage racks, dock, transit corridors). ✓ ✓
7.4.7 Access controlled between office and dock/warehouse. ✓ ✓
7.4.8 Card access or intercom door alarms, for doors between office and dock/warehouse, are locally audible and generate an alarm for response when held open for more than 60 seconds or immediately if forced open. ✓
7.4.9 Door alarms for doors between office and dock/warehouse are locally audible or send alarm for response when held open for more than 60 seconds or forced open. ✓
7.4.10 LSP’s/Applicant’s authorized workforce and escorted visitors permitted access to dock/warehouse areas based on a business need and restricted. ✓ ✓ ✓
7.4.11 Access list to dock/warehouse areas reviewed at least quarterly to limit/verify that access permission is only granted to designated/authorized personnel. ✓ ✓
7.4.12 The size and use of HVC may be dictated by Buyer/LSP/Applicant agreement. If an agreement is not present, then the HVC must be able to store a minimum of 6 cubic meters of product. ✓ ✓
7.4.13 HVC/Area perimeter caged or hard walled on all sides, including top/roof. ✓ ✓
7.4.14 HVC/Area locking device on door/gate. ✓ ✓
7.4.15 Complete CCTV / VSS (Color or “day/night” cameras) coverage on HVC entrance and internal area. ✓
Note: If the HVC is too small to locate a camera inside, camera coverage of the entrance is sufficient.
7.4.17 If access to the HVC is needed by more than 10 persons, then access is to be controlled electronically by card/fob. If access is required by 10 or less persons, heavy-duty lock or padlock system supported by a controlled key issuing system. Keys can be signed out to individuals to cover a shift but must not be transferred without approval and recorded in the key log. All keys to be returned and accounted for when not in use. ✓
7.4.18 HVC doors/gates are alarmed to detect forced entry. Alarms can be generated by door contacts and/or use of CCTV / VSS motion detection to detect unauthorized access. ✓
7.4.19 Perimeter of HVC maintained in good condition and inspected monthly for integrity and damage. ✓
7.4.20 LSP/Applicant to ensure that access to the HVC is only granted to designated/authorized personnel. Approved access list to HVC reviewed monthly and updated in real time when employee leaves employment or no longer requires access. Procedure for HVC access in place. ✓ ✓
7.4.21 Internal and/or external warehouse main trash collecting bins/ compacting areas are monitored by CCTV / VSS ✓
7.4.22 Where utilized, trash bags used inside the warehouse are transparent. ✓ ✓
7.4.23 No pre-loading or parking of FTL/dedicated Buyer’s trucks externally of the warehouse facility during non-operational hours, unless mutually agreed between Buyer and LSP/Applicant. Alternative security measures must be implemented (e.g. additional security devices on container). ✓ ✓ ✓
Note: “Externally of the warehouse facility” are those areas separate, away from, the facility, but still inside the LSP’s/Applicant’s yard / perimeter fence.
7.4.24 Written security procedures define how ‘personal containers’ are controlled inside the warehouse. Personal containers include lunch boxes, backpacks, coolers, purses, etc. ✓ ✓
7.4.25 If allowed by local law, LSP/Applicant must develop and maintain a documented procedure for exit searches. Activation of the procedure is at the discretion of the LSP/Applicant and/or as per Buyer/LSP/Applicant agreement. At a minimum, the procedure must address the LSP's/Applicant’s right to search criteria should a need arise to introduce searches when they are normally not required (e.g. when workforce pilferage is suspected). ✓
7.4.26 Procedure requiring all forklift and other powered cargo-handling equipment being disabled during non-operational hours. ✓ ✓
Note: This does not include hand-jacks / pallet-jacks.
7.4.27 7-point physical inspection performed on all outbound dedicated Buyer’s containers or trailers: Front Wall, Left Side, Right Side, Floor, Ceiling/Roof, Inside/Outside Doors and Locking Mechanism, Outside/Undercarriage. ✓ ✓ ✓
Note: This applies to all types of trailers & containers under lock and/or seal (i.e. not limited to ocean freight containers).
7.4.28 Unless specifically exempt by Buyer, tamper evident security seals are used on all direct, non-stop shipments. Seals shall be certified to ISO 17712 (I, S or H classification). ✓ ✓ ✓
Note: Seals are not required on multiple stop shipments, due to the complexity and risk associated with drivers carrying multiple seals.
7.4.29 LSP/Applicant must have documented procedures in place for management and control of security seals, trailer (container) door locks, pin locks, and other security equipment. ✓ ✓ ✓
7.4.30 Security seals are only affixed or removed by authorized personnel, i.e. warehouse staff, who are instructed to recognize, and report compromised seals. Seals must never be affixed or removed by the driver unless on Buyer exemption. ✓ ✓ ✓
7.4.31 Procedures in place for recognizing and reporting compromised security seals. ✓ ✓ ✓
7.4.32 Robust procedures in place ensuring that all Buyer assets shipped and received are validated at point of handover by conducting a manual and/or electronic piece count. Process must ensure abnormalities are consistently recognized, documented and reported to the LSP/Applicant and/or Buyer. Manual and/or electronic records must be of evidential quality. If drivers are not present to witness this activity, Buyer/LSP/Applicant must ensure alternative count verification such as scans and/or CCTV / VSS images, collected and retained specifically for this purpose. ✓ ✓ ✓
Note: In addition to missing pieces, abnormalities may include damage, missing straps or tape, cuts, or other obvious openings, indicating a possible theft or pilfering.
7.4.33 Truck driver ID, cargo pickup documentation, and applicable Buyer-specified pre-alert details are validated prior to loading. Procedure must be in place. ✓ ✓ ✓
7.5.1 Monitoring of alarm events 24x7x366 via an internal or 3rd party external monitoring post, protected from unauthorized access. ✓ ✓ ✓
Note: Monitoring posts may be located on or off site, and can be company owned, or third party. In all cases, access must be controlled through the use of an electronic access control system (badges), locks, or biometric scanners.
7.5.2 Monitoring post to respond on all security system alarms in real-time 24x7x366. ✓ ✓ ✓
7.5.3 Monitoring post acknowledges alarm-activation and escalates in less than 3 minutes. ✓ ✓ ✓
7.5.6 All IDS activated during non-operational hours and linked to the main alarm system. ✓ ✓ ✓
7.5.9 IDS alarm records securely stored ✓
7.5.10 Procedure to ensure IDS access is restricted to authorized individuals or system administrators. This includes servers, consoles, controllers, panels, networks, and data. Access privileges must be promptly updated when individuals depart the organization, or change roles, no longer requiring access. ✓ ✓ ✓
7.5.13 IDS alarm transmitted via fixed line or wireless and/or communications mode failure. ✓ ✓
7.5.14 Back-up communication system in place on IDS device and/or line failure. ✓ ✓
7.5.15 90 days of AACS transaction records available. Records securely stored; backed up. ✓ ✓
7.5.19 Recording speed for CCTV / VSS is set as a minimum for 8 frames per second (fps) per camera. ✓ ✓ ✓
7.5.20 Digital recording functionality checked daily on operational days via procedure. Records available. ✓ ✓ ✓
7.5.21 CCTV / VSS recordings stored for a minimum of 30 days where allowed by local law. LSP/Applicant must provide evidence of any local laws that prohibit the use of CCTV and/or limit the video data storage to less than 30 days. ✓ ✓ ✓
7.5.22 Access tightly controlled to CCTV / VSS system, including hardware, software, and data/video storage. This room must be locked if the CCTV / VSS storage system is on premise with access controls in place. ✓ ✓ ✓
7.5.23 CCTV / VSS images, for security purposes, are only viewed by authorized personnel. ✓ ✓ ✓
7.5.24 Procedures in place detailing CCTV / VSS data protection policy regarding use of real time and archive images in accordance with local law. ✓ ✓
7.5.25 Exterior and interior lighting levels are sufficient to support CCTV / VSS images that allow investigation and evidential quality image recording. ✓ ✓
7.5.26 Exterior and interior lighting levels are sufficient to clearly recognize all vehicles and individuals. ✓
7.6.1 Local procedures in place for handling Buyer’s assets including process for timely reporting of lost, missing or stolen Buyer’s assets. Incidents to be reported by the LSP/Applicant to the Buyer within 24 hours. Obvious thefts reported immediately. Process consistently followed. ✓ ✓ ✓
7.6.2 Emergency Buyer and LSP/Applicant facility management contacts for security incidents listed and available. Listing updated every 6 months and includes law enforcement emergency contacts. ✓ ✓ ✓
7.6.3 Management must develop, communicate, and maintain a security policy to ensure all relevant persons (i.e. employees and contractors) are clearly aware of the provider’s security expectations. ✓ ✓ ✓
7.6.4 Security / Threat Awareness training to be provided to all members of the work force in the first 60 days of employment and thereafter every 2 years. ✓ ✓ ✓
7.6.5 Information security awareness training focused on protecting Buyer’s electronic and physical shipping data provided to workforce having access to Buyer’s information. ✓ ✓ ✓
7.6.6 Procedure(s) in place to protect Buyer's assets (i.e. cargo) from unauthorized access by the workforce, visitors, etc. ✓ ✓
7.6.7 Access to shipping documents and information on Buyer’s assets controlled based on “need to know”. ✓ ✓ ✓
7.6.8 Access to shipping documents and information on Buyer’s assets monitored and recorded. ✓ ✓ ✓
7.6.9 Shipping Documents and information on Buyer’s assets safeguarded until destruction. ✓ ✓ ✓
7.6.10 Security incident reporting and tracking system in place, used to implement proactive measures. ✓ ✓
7.6.11 Maintenance programs in place for all technical (physical) security installations/systems to ensure functionality at all times (e.g. CCTV / VSS, Access Controls, Intruder Detection, and Lighting). ✓ ✓ ✓
7.6.12 Preventative maintenance conducted once a year, or in accordance with manufacturer’s specifications. ✓ ✓ ✓
7.6.13 Functionality verifications of all systems once per week and documented, unless system failure is immediately / automatically reported or alarmed. ✓ ✓
7.6.14 A repair order must be initiated within 48 hours of when the fault is discovered. For any repairs expected to exceed 24 hours, alternative mitigations must be implemented. ✓ ✓
7.6.15 LSP/Applicant to ensure all subcontractors/vendors are aware of and comply with LSP/Applicant relevant security programs. ✓ ✓ ✓
7.6.16 Shipping and Receiving Documents legible, complete and accurate (i.e. time, date, signatures, driver, shipping and receiving personnel, shipment details and quantity, etc.). ✓ ✓ ✓
7.6.17 LSP/Applicant must maintain records of all collections and proof of deliveries for a period of not less than two years and make them available for loss investigations as necessary. ✓ ✓ ✓
7.6.18 Proof of delivery must be provided in accordance with written agreement between the Buyer and the LSP/Applicant, where the Buyer requires the destination to notify the origin within the agreed timeframe of receipt of shipment, reconciling pre-alert shipment details. ✓ ✓ ✓
7.6.19 LSP/Applicant must maintain records of all collections and proof of deliveries, for a period of not less than two years, and make them available to loss investigations as necessary. ✓ ✓ ✓
7.6.20 Proof of delivery must be provided in accordance with written agreement between the Buyer and the LSP/Applicant, where Buyer requires, destination to notify origin within the agreed timeframe of receipt of shipment, reconciling pre-alert shipment details. ✓ ✓ ✓
7.6.21 Where Buyer requires, pre-alert process applied to inbound and/or outbound shipments is in place. Pre-alert details must be agreed by Buyer and LSP/Applicant. ✓ ✓ ✓
Suggested details include: departure time, expected arrival time, trucking company, driver name, license plate details, shipment info (piece count, weight, bill-of-lading number, etc.) and trailer seal numbers.
7.7.1 The LSP/Applicant must have a screening / vetting / background process that includes at a minimum, past employment and criminal history checks. Screening / vetting applies to all applicants, including employees and contractors. The LSP/Applicant will also require an equivalent process be applied at contracting companies supplying TAS workers. ✓ ✓ ✓
7.7.2 TAS worker is required to sign declaration that they have no current criminal convictions and will comply with LSP’s/Applicant’s security procedures. ✓ ✓ ✓
7.7.3 LSP/Applicant will have agreements in place to have required screening / vetting / background information supplied by the agency and/or subcontractor providing TAS workers or shall conduct such screening themselves. Screening must include criminal history check and employment checks. ✓ ✓ ✓
7.7.4 Procedure for dealing with applicant’s/workforce’s false declaration pre & post hiring. ✓ ✓ ✓
7.7.5 Recover physical assets from terminated workforce to include company IDs, access badges, keys, equipment, IT assets and sensitive information. Documented procedure required. ✓ ✓ ✓
7.7.6 Protect Buyer’s data: Terminate access for terminated workforce to physical or electronic systems including those that contain Buyer’s data (inventory or schedules). Procedure required. ✓ ✓ ✓
7.7.7 Workforce checklist for onboarding and off boarding in place for verification. ✓ ✓ ✓
7.7.8 Re-hiring: Procedures are in place to prevent LSP/Applicant from re-hiring workforce if denial / termination criteria are still valid. ✓ ✓ ✓
Note: Records are reviewed prior to re-hiring (Ex: background of previously terminated personnel or rejected applicants (previously denied employment)).
Please note that all relevant requirements must be adhered to, to successfully obtain a FSR 2023 certification.
Not Applicable (N/A) = this can be due to either the option choice or based on the risk assessment
In all cases evidence must be shown or given especially if considering a N/A item or requesting a Waiver
Evidence/ Documentation
8.1.1 There is a central function to manage the security management system for all sites as defined in the scope of the Multi-site certification. ✓ ✓ ✓
8.1.2 All sites shall have a legal or contractual relationship with the central function. ✓ ✓ ✓
8.1.3 A single security management system is established to ensure that all its sites within the system are meeting the requirements of the applicable TAPA Security Standard. ✓ ✓ ✓
8.1.4 The central function and its management system shall be subject to internal audits to ensure continued compliance to TAPA Standards. ✓ ✓ ✓
8.1.5 The central function shall carry out audits of in scope sites to ensure that each site meets the applicable TAPA FSR requirements. The audits must be done with the appropriate TAPA audit templates. All the individual yearly site audits must be completed and must be available to the auditor prior to the certification process. ✓ ✓ ✓
8.1.6 The central function shall have the authority and rights to require all sites comply to TAPA Security Standards and to implement corrective and preventative actions as needed. ✓ ✓ ✓
Note: Where applicable this should be set out in the formal agreement between the central function and the sites.
8.2.1 The central function shall maintain documented policies and procedures for its security management systems that are applicable for all its sites. ✓ ✓ ✓
8.2.2 The central function shall ensure that appropriate policies and procedures are updated, communicated, deployed and implemented by all sites as required. ✓ ✓ ✓
8.2.3 The policies and procedures shall be maintained and are easily accessible by all sites as required. ✓ ✓ ✓
8.3.1 The central function shall mandate all sites to carry out self-assessment and all self-assessment reports shall be submitted to the central function for records and reviews. Records should be maintained for at least two (2) years. ✓ ✓ ✓
8.3.2 The central function shall ensure that all SCARs from the self-assessment and audits are appropriately closed to improve its security management systems. Records should be maintained for at least two (2) years. ✓ ✓ ✓
8.3.3 All sites shall submit progress updates and reports on all outstanding SCARs to the central function. The central function shall escalate to the LSP’s/Applicant’s management if SCARs are not completed before its due dates. Records should be maintained for at least two (2) years. ✓ ✓ ✓
8.4.1 The central function shall have procedures in place to ensure all sites maintain records of inspections, visitor logs, driver logs and 7-point inspection etc. ✓ ✓ ✓
8.5.1 The central function shall have procedures in place to ensure that appropriate risk assessments and management are done on all the sites and its records are maintained for at least two (2) years. ✓ ✓ ✓
8.6.1 The central function shall have procedures in place that ensures that all sites review and maintain documents on all physical security systems like CCTV/ VSS and alarm layout. ✓ ✓ ✓
8.7.1 The central function shall have procedures in place that ensure that all alarm and access control systems are maintained and tested to ensure their operational effectiveness. ✓ ✓ ✓
8.7.2 The central function shall have procedures in place that all sites maintain records of all intrusion detection and access control testing and incidents. ✓ ✓ ✓
8.8.1 The central function shall have procedures in place to ensure that all sites maintain proper training records on security management training of its employees. ✓ ✓ ✓
8.8.2 The central function shall have procedures in place to ensure all sites maintain security training records of all site personnel. Records should be maintained for at least two (2) years. ✓ ✓ ✓
8.9.1 The central function shall have procedures in place to ensure that all sites perform the screening and vetting of records at regular intervals to ensure the integrity and effectiveness of the security management systems. ✓ ✓ ✓
8.9.2 The central function shall have procedures in place to ensure records of reviews including its findings and corrective/preventive 8.1.6 actions are maintained. Records will be maintained for at least two (2) years. ✓ ✓ ✓
8.10.1 The central function shall conduct regular management review to ensure the compliance, effectiveness and improvement to its security management systems. ✓ ✓ ✓
8.10.2 The management reviews shall, at a minimum, cover effectiveness of self-audits, SCARs closures, risk assessments, incidents and improvement actions. ✓ ✓ ✓
8.10.3 The central function shall maintain records of all management reviews for at least two (2) years. ✓ ✓ ✓
Phone No.
Fax No.
Email
No = Not all the Requirements in place and does not meet the requirements
Not Applicable (N/A) = this can be due to either the option choice or based on the risk assessment
In all cases evidence must be shown or given especially if considering a N/A item or requesting a Waiver
Columns: Certification Level A, Level B, Level C; Result
9.0. IT and Cyber Security Threat – Enhanced Option
FSR includes optional Cyber Security Threat enhancements that are deemed a higher level of
protection and can be used in addition to the modules. This optional enhancement is intended to
be selected by the LSP/Applicant and/or their Buyer as additional requirements for their operational
security needs. When this optional enhancement is selected in the pre-certification assessment to
be part of the certification audit, all requirements become mandatory.
9.1 The LSP/Applicant must have security policies for IT and cyber threat. The policies can be separate or in a combined document. The policies must explain: ✓ ✓ ✓
1. The actions of the LSP/Applicant to identify and respond to threats.
2. The policies and procedures in place to protect, detect, test, and respond to security events.
3. The methods for the recovery of IT systems and/or data.
4. The communications protocol to Buyers/Clients to mitigate supply chain impact within 24 hours of knowledge of incident.
5. How the policies are reviewed annually and updated as appropriate.
9.2 The LSP/Applicant must deliver information awareness training to all employees. This training must: ✓ ✓ ✓
1. Cover the roles and responsibilities that computer users have in maintaining security and the associated benefits.
2. Have a system in place that ensures records of persons receiving training are maintained and retained for a minimum of 2 years.
9.3 The LSP/Applicant must have a written policy in place for ensuring Cyber Security measures are in place with subcontractors and/or vendors that ensure: ✓ ✓ ✓
1. LSP’s/Applicant’s Cyber Security requirements are communicated to subcontractors and/or vendors and embedded in agreements.
2. Where subcontractors and/or vendors do not recognise or refuse to adopt LSP’s/Applicant’s Cyber Security requirements, measures are documented and in place that mitigate the risks to the LSP’s/Applicant’s Cyber Security requirements and their customers.
9.4 The LSP/Applicant must have a Power Interruption Mitigation plan (e.g. alternative power supply or backup generator), that ensures power is routed to critical IT systems (identified in the local risk assessment) for a minimum of 48 hours. ✓ ✓ ✓
9.5 LSP’s/Applicant’s Information Systems must have licensed anti-virus and anti-malware software installed. The anti-virus and anti-malware software must contain the latest updates. ✓ ✓ ✓
9.6 LSP/Applicant must have appropriate IT Disaster Recovery Plan (DRP) for recovering from compromised system attacks, including but not limited to, all necessary data and software back-up and recovery arrangements. ✓ ✓ ✓
9.7 LSP’s/Applicant’s Information Systems must be backed up. Such backups must be tested regularly, and backup data must be encrypted and transferred to a secondary, off site location. ✓ ✓ ✓
9.8 LSP/Applicant must implement a policy for all user accounts to manage and control access to Information Systems by using unique individual identifiers and strong passwords. Procedures in place to ensure: ✓ ✓ ✓
1. Password compliance audit program in place.
2. An initial unique password must be assigned to each new account at the time of creation.
3. Initial passwords cannot contain the user’s name, identification number or otherwise follow a standard pattern based on user information.
4. Passwords will be communicated to users in a secure manner, and only after validating the identity of the user.
5. Users must be required to change passwords on initial login.
6. Passwords must be changed at least every 90 days.
Security Corrective Action Requirements
SCAR #
AUDITORS:
ADDRESS:
LOCATION AUDITED:
DATE:
MAJOR FINDINGS
TAPA Requirements:
Finding:
CA Validation:
TAPA Requirements:
Finding:
CA Validation:
TAPA Requirements:
Finding:
CA Validation:
TAPA Requirements:
Finding:
CA Validation:
GLOSSARY
Term Acronym (if applicable)
Authorized Auditor AA
Applicant
Backed Up
Buyer
Buyer Exemption
Central Function
Curtain-Sided Trailers
Days
Documented Procedure
Facility Security Requirements FSR
Finding(s)
Freight
Full Container Load FCL
Full Truckload FTL
General Packet Radio Services GPRS
Global System for Mobile Communications GSM
Hard-Sided Trailers
High Value Theft-Targeted HVTT
Identifiable
Intrusion Detection
Jamming
Key Controls
Memorandum of Understanding MOU
Mobile/Cellular 3G/4G/5G
Real Time
Recognizable
Reporting Rate
Security Corrective Action Requirement SCAR
Security mesh
Self-Audit
Self-Assessment
Self-Certification
TAPA FSR Certified Company
TAPA FSR Audit Forms
Temporary
Transport International de Merchandises par la Route TIR Cable
Tracking Number
Tractor
Trailer
Truck
Trucking Security Requirements TSR
TSR Vehicle Register
Waiver
Workforce
GSR
CMR
Bill of Lading
SSMS
FSR CFD
SOP
SLA
GLOSSARY
Definition
A controlled area entry system that permits entry of authorized persons. It must also detect and prevent unauthorized
persons entry.
In a satisfactory manner, so no or very minimal gaps exist in local procedures.
An Auditor working for an IAB who has passed TAPA-administered training and is authorized to conduct audits and
issue certifications with TAPA Standards at all levels (FSR A, B, C and TSR 1, 2, 3)
OR
An Auditor working for an LSP/Applicant or Buyer who has passed TAPA-administered training
Entity seeking TAPA certification.
While applicants are typically Logistics Service Providers (LSP), they can also be Buyers seeking certification for their
own warehouses or trucking fleets.
A facility that receives signals from electronic security systems and has personnel in attendance at all times to
respond to these signals. Commercial monitoring centers are owned and operated by third parties.
Proprietary monitoring centers are owned and/or operated by LSP/Applicant or Buyer.
To have made a copy of a data file or document which is stored securely in a separate location accessible to security
staff for investigative purposes.
Purchaser of services and/or owner of transported and/or stored goods.
Where “unless on Buyer exemption” is specified within a requirement, this can be a justifiable reason to record an
N/A result or used to support a waiver request. The LSP/Applicant must have evidence supporting Buyer exemption
finding such as documented approval from all Buyers. This evidence must be referenced in the audit and shared with
the AA to allow them to validate the N/A result or in support of a waiver request.
Unified command and control hierarchy responsible for the security management of sites and functions for the entire
organization
An internal or external color or “day/night” camera video surveillance system. Signals are transmitted to
monitors, recording and control equipment.
A communications standard developed for digital cellular networks. A competing service technology to GSM.
These include trailers whose sides are constructed of fabric, either reinforced (anti-slash) or not, which are intended
to be rolled up for loading/unloading operations.
Unless otherwise defined in the requirement(s), “days” is defined as “calendar days” and include weekends and
holidays.
The ability to clearly see the facial features of the individuals captured in the CCTV/ VVS recordings for recognition
purposes.
A written description of a prescribed action or process. A single documented procedure may address multiple actions
or processes. Conversely, actions or processes may be documented across one or more procedures.
TAPA Standard that describes the security requirements for warehouse operations.
Observation(s) of non-compliance with a TAPA Standard requirement. Note: All findings will be documented in a
SCAR.
Goods, cargo, or merchandise being transported or stored.
Indicates that the cargo is dedicated for one Buyer.
Indicates that the cargo is dedicated for one Buyer.
A technology for radio transmission of small packets of data between mobile/cellular phones and the Internet.
A communications standard developed for digital cellular networks. A competing service technology to CDMA.
Includes trailers whose sides, floor, and top are constructed of metal or other solid material.
An audit company approved by TAPA and contracted by the LSP/Applicant or Buyer seeking TAPA Certification.
A system (i.e., devices and software) that records information related to observed events, notifies security monitoring
stations, and produces reports. Example technologies include motion, sound, sonar, microwave, and infrared.
Devices that are radio-frequency transmitters that intentionally block, jam, or interfere with lawful communications
such as cell phone calls, text messages, GPS systems, and WIFI networks.
Restricts access to keys by using a key register and key plan that is fully documented and part of the training
program.
Usually refers to a consolidated load that may be in a truck or container and may contain cargo for multiple Buyers.
A forwarder, a carrier, a trucking company, a warehouse operator, or any other company that provides direct services
handling freight within the supply chain.
A written agreement between the Independent Audit Bodies and TAPA that specifies the procedures the audit body
shall follow to support the certification. A MOU expires 3 years from its inception.
The current mainstream technology available for use in the cellular network. The higher the number, the more
recently available. Associated technologies may include GSM, UMTS, LTE, LTE Advanced Pro, etc.
A condition that in certain circumstances can be accepted by the Authorized Auditor when conducting TAPA
certification audits. N/A can only be considered when the TAPA requirement response of “Yes or No” is truly not
appropriate and/or the requirement is not capable of being applied. N/A cannot be used to avoid compliance due to
cost or operational concerns. N/A(s) entered into the certification audit template, must contain, or refer to,
documented supporting details that describe and justify the N/A decision.
Note: Use of N/A is not the same as a waiver. Waivers are considered when an applicable requirement cannot be
complied with and risks are adequately mitigated with alternative technical or process controls.
need to check if Framework document has this defined
Any physical element that deters penetration. May include items such as fences, walls, floors, roofs, grills, bars,
padlocks, chains, gates, or other structures.
Direct, without any delay.
To be able to recognize a person, place, or thing from knowledge of appearance or characteristics.
Identifies how often the tracking unit sends a signal/location update to the tracking system.
A welded sheet of strong steel wire or bars held in place by secure fixings or welded to the vehicle. No access
through the mesh should be possible for people or goods.
Compliance verification conducted by the TAPA-certified entity (warehouse or trucking company) using the applicable
TAPA Audit form, as per the schedule specified in the FSR or TSR standard.
A process in TSR Levels 1-3 wherein the LSP/Applicant must self-assess each vehicle that is included in their TSR
Vehicle Register per the requirements in TSR Practice Sections 1 and 2.
A process by which an entity audits their own company to the TAPA FSR Level C or TSR Level 3. TAPA will be
issuing the actual certificate after the audit report and necessary evidence has been verified by TAPA.
An LSP/Applicant that has been found by an AA to have met the applicable FSR requirements.
Global logistics standards developed by TAPA to secure cargo during storage (FSR) and transport by road (TSR).
Temporary workforce
TIR cable is used to secure tarpaulins on open-top containers and as tamper-evident protection for curtain-sided trailers.
TAPA Standard describing the security requirements for surface transportation by truck and trailer/container.
A document listing the vehicles (with identifying details) which are subject to the TAPA TSR certification.
Written approval to exempt an LSP/Applicant from a TAPA requirement or accept an alternative compliance solution.
Note: The TAPA Regional Waiver Committee reviews waiver requests, then grants or denies all waivers.
All employees, temporary agency staff, and subcontractors, unless individually identified.
Guarding Security Requirements APAC
The CMR (Convention on the Contract for the International Carriage of Goods by Road) is a United Nations convention
that was signed in Geneva on 19 May 1956. It relates to requirements concerning transportation of cargo by road.
Document
Site Information Request
Partner Name:
Site:
Date of Audit:
If facility only occupies a portion, the square footage for the facility operation
Pictures of the facility we ask that you prepare and have ready during the audit
Exterior:
If in a gated business park, or if your facility is an individually gated facility, provide a picture of the front of the park
Guard gate
Main entrance
Employee entrance
Interior:
Driver cage
CCTV Screen shots - 1 current, 1 90 days back (will need to show date & time)