ISO 28000:2022
Security and resilience — Security management systems — Requirements
Standard Introduction
ISO 28000:2022 is the international standard for security management systems with a focus on supply chain security. Published in March 2022 as the second edition, it specifies requirements for establishing, implementing, maintaining, and continually improving a security management system. The standard addresses contemporary threats including cyber attacks, terrorism, organized crime, natural disasters, pandemics, and geopolitical instability.
The 2022 revision adopts the ISO Harmonized Structure (HLS), enabling integration with other management system standards such as ISO 9001, ISO 14001, and ISO 27001. ISO 28000 is applicable to organizations of all sizes involved in manufacturing, service, storage, and transportation at any stage of the supply chain. Certification supports participation in trusted trader programs such as the US C-TPAT and EU AEO schemes, providing expedited customs clearance and reduced inspections.
Supply Chain Security
Provides a comprehensive framework for managing security threats across the entire supply chain, from procurement through manufacturing to final delivery and distribution.
HLS Aligned
The 2022 revision adopts the ISO Harmonized Structure (HLS), enabling seamless integration with ISO 9001, ISO 14001, ISO 27001, and other management system standards.
Multi-Threat Coverage
Addresses modern security threats including cyber attacks, terrorism, organized crime, natural disasters, pandemics, and geopolitical instability affecting supply chains.
list_alt Security Management Elements
- Security threat and risk assessment
- Security management policy and objectives
- Organizational context and interested parties
- Leadership commitment and security roles
- Operational planning and control
- Supply chain partner security requirements
- Incident management and business continuity
- Performance evaluation and continual improvement
Who Needs to Comply?
Organizations involved in supply chain management — manufacturers, logistics providers, freight forwarders, port operators, warehousing companies, and any organization seeking to protect its supply chain from security threats.
Key Requirements
Security Threat Assessment
Identify, analyze, and evaluate security threats and vulnerabilities across the supply chain. Consider physical, cyber, personnel, and information security risks relevant to the organization's operations.
Security Management Plan
Develop and implement security management plans that address identified threats, define response procedures, assign responsibilities, and establish communication protocols for security incidents.
Supply Chain Partner Management
Establish security requirements for supply chain partners, contractors, and service providers. Verify partner compliance and maintain oversight of outsourced security-relevant activities.
Incident Response and Recovery
Establish procedures for detecting, reporting, and responding to security incidents. Implement business continuity plans to minimize disruption and recover from security events.
Implementation Roadmap
Prepare scope, ownership and obligations
Define the security management system for the supply chain scope across supply-chain operations, logistics nodes, transport partners, facilities, cargo flows, contractors, security threats, legal obligations, and continuity dependencies. Assign accountable owners, identify applicable legal, customer, certification, or regulatory drivers, and agree how evidence will be governed.
Gap analysis and risk prioritisation
Assess current practices against ISO 28000 expectations and risk context. Review security risk assessment, supply-chain context, security objectives, threat controls, access control, cargo integrity, incident response, supplier controls, emergency preparedness, monitoring, and continual improvement, then prioritize gaps by legal exposure, safety or consumer impact, customer impact, operational dependency, and review readiness.
Implement controls, records and reporting
Deploy required controls, operating processes, documentation, supplier or partner workflows, testing, reporting, and escalation paths. Build traceable evidence around security risk assessments, supply-chain maps, access records, cargo integrity checks, incident logs, supplier assessments, emergency exercises, monitoring results, corrective actions, and management reviews.
Review, audit and keep current
Complete readiness reviews, internal checks, and corrective actions before the certification audit or customer security review. Refresh the program after product, service, supplier, technology, legal, market, incident, or regulator changes.
Compliance Checklist
checklist Scope and accountability
checklist Controls and evidence
checklist Monitoring and improvement
Penalties & Enforcement
No direct legal penalties — ISO 28000 is a voluntary standard. However, certification can be required by customs authorities for trusted trader programs (e.g., C-TPAT, AEO) and by business partners in high-security supply chains. Loss of certification may affect trade facilitation benefits.
Frequently Asked Questions
Who needs ISO 28000?
expand_more
ISO 28000 is relevant for organizations whose products, services, systems, or regulated activities fall within supply-chain operations, logistics nodes, transport partners, facilities, cargo flows, contractors, security threats, legal obligations, and continuity dependencies. It is commonly driven by regulation, customers, certification, market access, or assurance needs.
What is the main purpose of ISO 28000?
expand_more
The practical purpose is to create a repeatable program for security risk assessment, supply-chain context, security objectives, threat controls, access control, cargo integrity, incident response, supplier controls, emergency preparedness, monitoring, and continual improvement. The program should make obligations visible, define accountable owners, operate controls, and keep evidence current.
What should be done first?
expand_more
Start by confirming scope, ownership, and applicable obligations. This prevents teams from building documents or controls that do not match the actual product, service, system, or regulated activity.
How long does implementation take?
expand_more
A focused implementation can take several weeks or months. Timing depends on maturity, number of sites or systems, supplier involvement, technical complexity, testing needs, and external review depth.
What evidence is most useful?
expand_more
Useful evidence includes security risk assessments, supply-chain maps, access records, cargo integrity checks, incident logs, supplier assessments, emergency exercises, monitoring results, corrective actions, and management reviews. Reviewers usually expect traceable evidence that connects obligations to decisions, controls, tests, reports, and corrective actions.
How should suppliers or partners be managed?
expand_more
Supplier and partner duties should be documented through contracts, onboarding requirements, data or evidence requests, performance monitoring, and escalation routes for findings, incidents, or changes.
When should the program be updated?
expand_more
Update the program after legal changes, product or service changes, supplier changes, new markets, incidents, complaints, regulator feedback, or audit findings. Stale evidence is a common compliance failure.
Can this be integrated with other programs?
expand_more
Yes. ISO 28000 can usually share governance, document control, training, supplier management, issue tracking, risk management, internal review, and corrective-action workflows with adjacent compliance programs.
Official Documentation
ISO 28000:2022
External Link • iso.org • Standard Purchase Page
Online Browsing Platform
External Link • iso.org • Official Preview
Supply Chain Security Resources
External Link • iso.org • Implementation Guidance