What is ISO 28000?

ISO 28000 is an international standard that sets out the requirements for a Security Management System (SMS) for the supply chain. It specifies the aspects that help an organization assess security threats and manage them as they arise, and it relates supply chain security management to other aspects of business management. With ISO 28000, organizations can determine whether appropriate security measures are in place and can protect their property from a range of threats.

ISO 28000:2022 is a management system standard developed specifically for logistics companies and organisations that manage supply chain operations. First published as a Publicly Available Specification by the International Standards Organisation in 2005, it was replaced in 2022 by the full standard, ISO 28000:2022.

ISO 28000:2022 is a management system specification for the protection of people, property, information and infrastructure in companies and organisations participating in local, national and international supply chain operations.

ISO 28000:2022 is suitable for organisations of all sizes and types that are involved in the production of goods, manufacturing, services, storage or transportation at any stage of a product's development or movement through the supply chain.

Supply chain security is an essential requirement for companies involved in the international supply chain, especially those having to comply with stronger security demands from Customs and/or their business partners.

For organisations working within, or relying on, the logistics industry, certification to the ISO 28000:2022 supply chain management standard provides a valuable framework. It will help minimise the risk of security incidents and so help provide problem-free ‘just in time’ delivery of goods and supplies.

Why is a Supply Chain Security Management System important for you?

An ISO 28000 certification demonstrates that you are an asset to your organization and a trustworthy expert. It enables you to help the organization establish a Security Management System (SMS) that ensures adequate management and control of security risks and threats arising from logistical operations and supply chain partners. With an ISO 28000 certification, you will gain visibility in the market and help your organization improve its profitability and quality.

Benefits of ISO 28000 Supply Chain Security Management Systems

An ISO 28000 certificate brings you many benefits:

  • Global recognition
  • Competitive advantage in the market
  • Enhanced reliability
  • Enhanced customer satisfaction
  • Opportunity to gain new business
  • The ability to control and manage threats within an organization

Requirements of ISO 28000

ISO 28000:2022 is a risk-based standard. Like other management system standards, it integrates the process-based Plan-Do-Check-Act (PDCA) approach and the requirement for continual improvement.
 

| Clause | Name | Coverage / Requirements |
|---|---|---|
| 4.1 | General requirements | Establishment of system structure, continual improvement |
| 4.2 | Security management policy | Developed / acknowledged by top management |
| 4.3 | Security risk assessment and planning | |
| 4.3.1 | Security risk assessment | Physical, operational and environmental threats and risks |
| 4.3.2 | Legal, statutory and other security regulatory requirements | Identify legal and other requirements related to the organization |
| 4.3.3 | Security management objectives | Establish and document management objectives |
| 4.3.4 | Security management targets | Establish measurable, relevant targets communicated to the organization |
| 4.3.5 | Security management programmes | Establish documented programmes |
| 4.4 | Implementation and operation | |
| 4.4.1 | Structure, authority and responsibilities for security management | Establish / appoint organizational roles, responsibilities and authorities |
| 4.4.2 | Competence, training and awareness | System to ensure qualified, competent personnel |
| 4.4.3 | Communication | System to communicate information to the organization |
| 4.4.4 | Documentation | Policy, objectives, scope, references, records |
| 4.4.5 | Document and data control | Location and access, review, currency, archival |
| 4.4.6 | Operational control | Documented procedures, threat evaluation |
| 4.4.7 | Emergency preparedness, response and security recovery | Identify potential threats; develop plans and responses |
| 4.5 | Checking and corrective action | |
| 4.5.1 | Security performance measurement and monitoring | Qualitative and quantitative monitoring of objectives and targets; non-conformances |
| 4.5.2 | System evaluation | Review plans, procedures, incident reports and performance evaluations |
| 4.5.3 | Security related failures, incidents, non-conformances and corrective and preventive action | Evaluate system failures, incidents, near misses and false alarms |
| 4.5.4 | Control of records | Identification, storage, protection, retrieval, retention and disposal of records |
| 4.5.5 | Audit | Develop an audit programme |
| 4.6 | Management review and continual improvement | Review of the system by top management |


Integrate ISO 28000 with other management systems standards

ISO 28000 is designed to be compatible with other management system standards and specifications, such as ISO 9001, ISO 14001, ISO 45001, ISO 22000, ISO 17025, ISO 27001 and other ISO standards. They can be integrated seamlessly through an integrated management systems approach. Because they share many principles, choosing an integrated management system can offer excellent value for money and an easier way to implement, manage and improve multiple standards simultaneously.

How Can BSCS Help?

We provide ISO 28000 standard training and consultancy services. We offer specialized expertise and extensive practical experience to assist clients in developing management systems, from the initial concept through to establishment and successful implementation.

We use the following consultation approach to assist you in achieving certification:

  1. Identify areas requiring improvement or development within your current Management System
  2. Prepare a strategic action plan, in conjunction with your company personnel, to address those improvement areas and assist with the communication of these requirements to key personnel at all levels
  3. Provide system-related training for your company personnel to create awareness and give them the necessary knowledge and skills to implement the systems
  4. Provide assistance and advice on the development and implementation of systems, including preparation of documentation
  5. Advise and assist, if required, with the preparation and submission of applications to your certification body
  6. Assist with the development of internal auditing procedures and training
  7. Conduct an internal audit to ensure the effective implementation of the management system prior to the final audit by your certification body
  8. Conduct a Management Review Meeting to review the performance of the management system and identify areas for improvement prior to the final audit by your certification body