ISO 28000:2022
Security and resilience — Security management systems — Requirements
Standard Introduction
ISO 28000:2022 is the international standard for security management systems with a focus on supply chain security. Published in March 2022 as the second edition, it specifies requirements for establishing, implementing, maintaining, and continually improving a security management system. The standard addresses contemporary threats including cyber attacks, terrorism, organized crime, natural disasters, pandemics, and geopolitical instability.
The 2022 revision adopts the ISO Harmonized Structure (HLS), enabling integration with other management system standards such as ISO 9001, ISO 14001, and ISO 27001. ISO 28000 is applicable to organizations of all sizes involved in manufacturing, service, storage, and transportation at any stage of the supply chain. Certification supports participation in trusted trader programs such as the US C-TPAT and EU AEO schemes, providing expedited customs clearance and reduced inspections.
Supply Chain Security
Provides a comprehensive framework for managing security threats across the entire supply chain, from procurement through manufacturing to final delivery and distribution.
HLS Aligned
The 2022 revision adopts the ISO Harmonized Structure (HLS), enabling seamless integration with ISO 9001, ISO 14001, ISO 27001, and other management system standards.
Multi-Threat Coverage
Addresses modern security threats including cyber attacks, terrorism, organized crime, natural disasters, pandemics, and geopolitical instability affecting supply chains.
Security Management Elements
- Security threat and risk assessment
- Security management policy and objectives
- Organizational context and interested parties
- Leadership commitment and security roles
- Operational planning and control
- Supply chain partner security requirements
- Incident management and business continuity
- Performance evaluation and continual improvement
Who Needs to Comply?
Organizations involved in supply chain management — manufacturers, logistics providers, freight forwarders, port operators, warehousing companies, and any organization seeking to protect its supply chain from security threats.
Key Requirements
Security Threat Assessment
Identify, analyze, and evaluate security threats and vulnerabilities across the supply chain. Consider physical, cyber, personnel, and information security risks relevant to the organization's operations.
Security Management Plan
Develop and implement security management plans that address identified threats, define response procedures, assign responsibilities, and establish communication protocols for security incidents.
Supply Chain Partner Management
Establish security requirements for supply chain partners, contractors, and service providers. Verify partner compliance and maintain oversight of outsourced security-relevant activities.
Incident Response and Recovery
Establish procedures for detecting, reporting, and responding to security incidents. Implement business continuity plans to minimize disruption and recover from security events.
Penalties & Enforcement
No direct legal penalties — ISO 28000 is a voluntary standard. However, certification can be required by customs authorities for trusted trader programs (e.g., C-TPAT, AEO) and by business partners in high-security supply chains. Loss of certification may affect trade facilitation benefits.