verified_user
Standardful
Homechevron_rightStandardschevron_rightISO 28000:2022
ActiveInternational Standardupdate Standard Updated: Mar 2022fact_check Fact checked: Jun 28, 2026

ISO 28000:2022

Security and resilience — Security management systems — Requirements

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO 28000:2022 is the international standard for security management systems with a focus on supply chain security. Published in March 2022 as the second edition, it specifies requirements for establishing, implementing, maintaining, and continually improving a security management system. The standard addresses contemporary threats including cyber attacks, terrorism, organized crime, natural disasters, pandemics, and geopolitical instability.

The 2022 revision adopts the ISO Harmonized Structure (HLS), enabling integration with other management system standards such as ISO 9001, ISO 14001, and ISO 27001. ISO 28000 is applicable to organizations of all sizes involved in manufacturing, service, storage, and transportation at any stage of the supply chain. Certification supports participation in trusted trader programs such as the US C-TPAT and EU AEO schemes, providing expedited customs clearance and reduced inspections.

local_shipping

Supply Chain Security

Provides a comprehensive framework for managing security threats across the entire supply chain, from procurement through manufacturing to final delivery and distribution.

sync

HLS Aligned

The 2022 revision adopts the ISO Harmonized Structure (HLS), enabling seamless integration with ISO 9001, ISO 14001, ISO 27001, and other management system standards.

gpp_maybe

Multi-Threat Coverage

Addresses modern security threats including cyber attacks, terrorism, organized crime, natural disasters, pandemics, and geopolitical instability affecting supply chains.

list_alt Security Management Elements

  • Security threat and risk assessment
  • Security management policy and objectives
  • Organizational context and interested parties
  • Leadership commitment and security roles
  • Operational planning and control
  • Supply chain partner security requirements
  • Incident management and business continuity
  • Performance evaluation and continual improvement

Who Needs to Comply?

groups

Organizations involved in supply chain management — manufacturers, logistics providers, freight forwarders, port operators, warehousing companies, and any organization seeking to protect its supply chain from security threats.

Key Requirements

1

Security Threat Assessment

Identify, analyze, and evaluate security threats and vulnerabilities across the supply chain. Consider physical, cyber, personnel, and information security risks relevant to the organization's operations.

2

Security Management Plan

Develop and implement security management plans that address identified threats, define response procedures, assign responsibilities, and establish communication protocols for security incidents.

3

Supply Chain Partner Management

Establish security requirements for supply chain partners, contractors, and service providers. Verify partner compliance and maintain oversight of outsourced security-relevant activities.

4

Incident Response and Recovery

Establish procedures for detecting, reporting, and responding to security incidents. Implement business continuity plans to minimize disruption and recover from security events.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Prepare scope, ownership and obligations

Define the security management system for the supply chain scope across supply-chain operations, logistics nodes, transport partners, facilities, cargo flows, contractors, security threats, legal obligations, and continuity dependencies. Assign accountable owners, identify applicable legal, customer, certification, or regulatory drivers, and agree how evidence will be governed.

2
Phase 2schedule Duration: 4-8 weeks

Gap analysis and risk prioritisation

Assess current practices against ISO 28000 expectations and risk context. Review security risk assessment, supply-chain context, security objectives, threat controls, access control, cargo integrity, incident response, supplier controls, emergency preparedness, monitoring, and continual improvement, then prioritize gaps by legal exposure, safety or consumer impact, customer impact, operational dependency, and review readiness.

3
Phase 3schedule Duration: 8-20 weeks

Implement controls, records and reporting

Deploy required controls, operating processes, documentation, supplier or partner workflows, testing, reporting, and escalation paths. Build traceable evidence around security risk assessments, supply-chain maps, access records, cargo integrity checks, incident logs, supplier assessments, emergency exercises, monitoring results, corrective actions, and management reviews.

4
Phase 4schedule Duration: Ongoing

Review, audit and keep current

Complete readiness reviews, internal checks, and corrective actions before the certification audit or customer security review. Refresh the program after product, service, supplier, technology, legal, market, incident, or regulator changes.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and evidence

checklist Monitoring and improvement

Penalties & Enforcement

warning

No direct legal penalties — ISO 28000 is a voluntary standard. However, certification can be required by customs authorities for trusted trader programs (e.g., C-TPAT, AEO) and by business partners in high-security supply chains. Loss of certification may affect trade facilitation benefits.

Frequently Asked Questions

Who needs ISO 28000?

expand_more

ISO 28000 is relevant for organizations whose products, services, systems, or regulated activities fall within supply-chain operations, logistics nodes, transport partners, facilities, cargo flows, contractors, security threats, legal obligations, and continuity dependencies. It is commonly driven by regulation, customers, certification, market access, or assurance needs.

What is the main purpose of ISO 28000?

expand_more

The practical purpose is to create a repeatable program for security risk assessment, supply-chain context, security objectives, threat controls, access control, cargo integrity, incident response, supplier controls, emergency preparedness, monitoring, and continual improvement. The program should make obligations visible, define accountable owners, operate controls, and keep evidence current.

What should be done first?

expand_more

Start by confirming scope, ownership, and applicable obligations. This prevents teams from building documents or controls that do not match the actual product, service, system, or regulated activity.

How long does implementation take?

expand_more

A focused implementation can take several weeks or months. Timing depends on maturity, number of sites or systems, supplier involvement, technical complexity, testing needs, and external review depth.

What evidence is most useful?

expand_more

Useful evidence includes security risk assessments, supply-chain maps, access records, cargo integrity checks, incident logs, supplier assessments, emergency exercises, monitoring results, corrective actions, and management reviews. Reviewers usually expect traceable evidence that connects obligations to decisions, controls, tests, reports, and corrective actions.

How should suppliers or partners be managed?

expand_more

Supplier and partner duties should be documented through contracts, onboarding requirements, data or evidence requests, performance monitoring, and escalation routes for findings, incidents, or changes.

When should the program be updated?

expand_more

Update the program after legal changes, product or service changes, supplier changes, new markets, incidents, complaints, regulator feedback, or audit findings. Stale evidence is a common compliance failure.

Can this be integrated with other programs?

expand_more

Yes. ISO 28000 can usually share governance, document control, training, supplier management, issue tracking, risk management, internal review, and corrective-action workflows with adjacent compliance programs.

Official Documentation

View All

Implementation Timeline

description
2007
ISO 28000:2007 first edition published for supply chain security management
fact_check
2008
ISO 28001:2007 published with best practices for supply chain security assessments
update
Mar 2022
ISO 28000:2022 revised edition published with HLS structure and expanded scope
trending_up
2022-2023
Adoption grows with increasing supply chain disruptions and geopolitical tensions
schedule
Mar 2025
Three-year transition deadline from ISO 28000:2007 to 2022 edition

Related Categories