ISO 28000

ISO 28000 is an international standard that specifies the requirements for a security management system. The original 2007 edition was written specifically for supply chain security; the 2022 edition is applicable to any organization, but the standard remains most widely used to manage security risks, threats and vulnerabilities across the supply chain, including logistics.

Definition and purpose

The primary purpose of ISO 28000 is to provide a framework for establishing, implementing, maintaining and continually improving a security management system. It helps an organization assess its security situation, manage risk, implement proportionate security measures and protect the security of its operations and supply chain. The 2022 edition follows the ISO harmonized structure shared by other management system standards such as ISO 27001, so it can be integrated with an existing information security management system rather than run as a separate programme.

Governing Body

ISO 28000 is developed and published by the International Organization for Standardization (ISO).

Last updated

ISO 28000 was first published in 2007 as ISO 28000:2007. That edition has been withdrawn and replaced by ISO 28000:2022. An amendment to the 2022 edition, ISO 28000:2022 Amendment 1, is currently under development.

Applies to

ISO 28000 applies to organizations of all sizes at any point in the supply chain, irrespective of the type of goods or services involved, including manufacturing, service, storage or transportation at any stage of the production or supply process.

Controls and requirements

The standard includes a wide range of controls and requirements, such as:

  • Security Policy and Objectives: Establishing a comprehensive security policy and setting clear objectives.
  • Risk Assessment: Conducting thorough risk assessments and identifying potential security threats.
  • Legal and Regulatory Compliance: Ensuring compliance with laws, regulations, and contractual obligations related to security.
  • Security Management: Implementing a structured approach to security management, including the allocation of responsibilities.
  • Performance Measurement and Improvement: Regularly reviewing performance and making improvements to the security management system.
  • Training and Awareness: Providing training to employees on security practices and raising awareness of security issues.
  • Incident Response and Continuity: Establishing procedures for responding to security incidents and maintaining business continuity.

Please refer to the official ISO 28000:2022 documentation for details on controls and requirements.

Audit type, frequency, and duration

ISO 28000 certification audits are performed by an external certification body, not by ISO itself: ISO publishes the standard but does not certify organizations. The certification body assesses whether the organization's security management system meets the requirements of the standard. A certificate is usually valid for three years, with annual surveillance audits required to maintain it and a recertification audit at the end of the three-year cycle.

The duration of the audit depends on the size and complexity of the organization's supply chain and the scope of the security management system.
