ISO 28000:2022 is an international standard that specifies requirements for a security management system, including aspects relevant to the supply chain. It gives any organization a certifiable, risk-based framework to protect people, goods, infrastructure and transport against deliberate security incidents.
Modern supply chains stretch across dozens of suppliers, carriers, ports and jurisdictions, and every handoff is a potential point of failure. ISO 28000 gives organizations a structured way to identify those security threats, treat them systematically and demonstrate to customers and regulators that supply chain security is managed, not improvised. In this guide we walk through what the standard covers, its key requirements, how it relates to ISO 27001, ISO 22301 and ISO 31000, and how to implement it.
What ISO 28000:2022 covers
ISO 28000 addresses security management across all levels of the supply chain — sourcing, manufacturing, storage, transportation and distribution. Its aim is to establish a system that protects assets, cargo, facilities and people against threats such as theft, tampering, smuggling, sabotage, terrorism and, increasingly, cyber-enabled disruption. Although its heritage is supply chain security, the 2022 revision broadened the language so the requirements apply to any organization seeking a systematic approach to security, regardless of type, size or sector.
The standard is generic and not industry specific. It is widely used by manufacturers, logistics and freight operators, port and warehouse operators, shipping lines, and government or public agencies — anywhere goods move and security matters. Importantly, ISO 28000:2022 is a certifiable standard: an accredited certification body can audit your management system and issue certification, which many organizations use to satisfy customer and tender requirements.
The 2022 revision and Annex SL
The revised standard was published on 15 March 2022, replacing the 2007 edition. The headline change is structural: ISO 28000:2022 adopts the harmonized high-level structure (Annex SL) shared by all modern ISO management system standards. That means ten clauses covering context of the organization, leadership, planning, support, operation, performance evaluation and improvement — the same backbone you find in ISO 9001, ISO 14001, ISO 45001 and ISO/IEC 27001. Organizations certified to the 2007 version were given a three-year transition period to migrate.
Nearly 80% of organizations experienced at least one supply chain disruption in the past year, with third-party failure the leading cause, ahead of cyber-attacks and natural disasters. (BCI Supply Chain Resilience Report, 2024)
The practical benefit of Annex SL is integration. Because ISO 28000 now shares its structure and much of its core text with other standards, an organization already running an ISO 27001 ISMS or an ISO 22301 business continuity system can bolt on supply chain security without rebuilding its management framework from scratch.
Key requirements of ISO 28000
Following the Annex SL clauses, the standard asks organizations to build a Plan-Do-Check-Act security management system. The essential requirements include:
- Context and scope: understand internal and external issues, interested parties and the boundaries of the security management system.
- Leadership and policy: secure top-management commitment and establish a documented security management policy with clear roles and responsibilities.
- Security risk assessment and planning: identify security threats and vulnerabilities across the supply chain, assess their likelihood and impact, and plan treatments and objectives.
- Support: provide resources, competent personnel, awareness, communication and documented information.
- Operation: implement security strategies, procedures, processes, treatments and security plans to control identified risks.
- Performance evaluation: monitor, measure, audit internally and review the system at management level.
- Improvement: manage nonconformities, take corrective action and continually improve the system.
How ISO 28000 relates to ISO 27001, ISO 22301 and ISO 31000
ISO 28000 rarely lives in isolation. It sits within a family of complementary standards, and the 2022 revision was deliberately drafted to align with them. Understanding these relationships helps you avoid duplicating effort.
ISO/IEC 27001 — information security
ISO/IEC 27001 protects information assets through an information security management system. ISO 28000 targets physical and operational security across the supply chain — cargo, facilities, transport and people. The two overlap on cyber-enabled threats and share the same Annex SL structure, so organizations frequently run them as an integrated management system. A useful way to remember the split: ISO 27001 secures the data, ISO 28000 secures the goods and the chain that moves them.
ISO 22301 — business continuity
ISO 28000's operation clause on security strategies, procedures and plans was written to stay consistent with ISO 22301, the business continuity management standard. Where ISO 28000 works to prevent and control security incidents, ISO 22301 ensures the organization can keep operating and recover when disruption does occur. Together they cover both the prevention and the response sides of supply chain resilience.
ISO 31000 — risk management
ISO 28000 draws its risk-based thinking from ISO 31000, the standard for risk management. Its principles for security management echo ISO 31000's integrated, coordinated approach — treating security risk as part of enterprise risk rather than a siloed concern, which improves performance measurement and supports continual improvement.
How to implement ISO 28000
Implementation follows the familiar management-system path. A realistic sequence looks like this:
- Secure leadership buy-in and define the scope of the supply chain and operations to be covered.
- Conduct a gap analysis against the ten Annex SL clauses to see what you already have.
- Perform a security risk assessment across your supply chain, mapping threats, vulnerabilities and critical dependencies.
- Draft the security policy, objectives, procedures and security plans that treat the risks you identified.
- Provide training and awareness so staff and partners understand their security responsibilities.
- Operate the system for a period — often around three months — to generate records and evidence.
- Run internal audits and a management review, then correct any nonconformities.
- Engage an accredited certification body for the stage 1 and stage 2 certification audit.
Tip: if you already hold ISO 27001, ISO 22301 or ISO 9001, reuse your existing context analysis, leadership structures, internal audit programme and management review process. Thanks to Annex SL, most of that framework transfers directly to ISO 28000.
ISO 28000:2022 turns supply chain security from an ad-hoc set of controls into a governed, auditable and continually improving system. With disruptions now affecting the large majority of organizations, a certified security management system is both a risk-reduction measure and a competitive signal to customers that your supply chain can be trusted.