Risk Management

ISO 28000: The Supply Chain Security Standard

Standarity Editorial Team·ISO management-system implementers and supply chain security practitioners
··9 min read

ISO 28000:2022 is an international standard that specifies requirements for a security management system, including aspects relevant to the supply chain. It gives any organization a certifiable, risk-based framework to protect people, goods, infrastructure and transport against deliberate security incidents.

Modern supply chains stretch across dozens of suppliers, carriers, ports and jurisdictions, and every handoff is a potential point of failure. ISO 28000 gives organizations a structured way to identify those security threats, treat them systematically and demonstrate to customers and regulators that supply chain security is managed, not improvised. In this guide we walk through what the standard covers, its key requirements, how it relates to ISO 27001, ISO 22301 and ISO 31000, and how to implement it.

What ISO 28000:2022 covers

ISO 28000 addresses security management across all levels of the supply chain — sourcing, manufacturing, storage, transportation and distribution. Its aim is to establish a system that protects assets, cargo, facilities and people against threats such as theft, tampering, smuggling, sabotage, terrorism and, increasingly, cyber-enabled disruption. Although its heritage is supply chain security, the 2022 revision broadened the language so the requirements apply to any organization seeking a systematic approach to security, regardless of type, size or sector.

The standard is generic and not industry specific. It is widely used by manufacturers, logistics and freight operators, port and warehouse operators, shipping lines, and government or public agencies — anywhere goods move and security matters. Importantly, ISO 28000:2022 is a certifiable standard: an accredited certification body can audit your management system and issue certification, which many organizations use to satisfy customer and tender requirements.

The 2022 revision and Annex SL

The revised standard was published on 15 March 2022, replacing the 2007 edition. The headline change is structural: ISO 28000:2022 adopts the harmonized high-level structure (Annex SL) shared by all modern ISO management system standards. That means ten clauses covering context of the organization, leadership, planning, support, operation, performance evaluation and improvement — the same backbone you find in ISO 9001, ISO 14001, ISO 45001 and ISO/IEC 27001. Organizations certified to the 2007 version were given a three-year transition period to migrate.

Nearly 80% of organizations experienced at least one supply chain disruption in the past year, with third-party failure the leading cause, ahead of cyber-attacks and natural disasters. (BCI Supply Chain Resilience Report, 2024)

The practical benefit of Annex SL is integration. Because ISO 28000 now shares its structure and much of its core text with other standards, an organization already running an ISO 27001 ISMS or an ISO 22301 business continuity system can bolt on supply chain security without rebuilding its management framework from scratch.

Key requirements of ISO 28000

Following the Annex SL clauses, the standard asks organizations to build a Plan-Do-Check-Act security management system. The essential requirements include:

  • Context and scope: understand internal and external issues, interested parties and the boundaries of the security management system.
  • Leadership and policy: secure top-management commitment and establish a documented security management policy with clear roles and responsibilities.
  • Security risk assessment and planning: identify security threats and vulnerabilities across the supply chain, assess their likelihood and impact, and plan treatments and objectives.
  • Support: provide resources, competent personnel, awareness, communication and documented information.
  • Operation: implement security strategies, procedures, processes, treatments and security plans to control identified risks.
  • Performance evaluation: monitor, measure, audit internally and review the system at management level.
  • Improvement: manage nonconformities, take corrective action and continually improve the system.

How ISO 28000 relates to ISO 27001, ISO 22301 and ISO 31000

ISO 28000 rarely lives in isolation. It sits within a family of complementary standards, and the 2022 revision was deliberately drafted to align with them. Understanding these relationships helps you avoid duplicating effort.

ISO/IEC 27001 — information security

ISO/IEC 27001 protects information assets through an information security management system. ISO 28000 targets physical and operational security across the supply chain — cargo, facilities, transport and people. The two overlap on cyber-enabled threats and share the same Annex SL structure, so organizations frequently run them as an integrated management system. A useful way to remember the split: ISO 27001 secures the data, ISO 28000 secures the goods and the chain that moves them.

ISO 22301 — business continuity

ISO 28000's operation clause on security strategies, procedures and plans was written to stay consistent with ISO 22301, the business continuity management standard. Where ISO 28000 works to prevent and control security incidents, ISO 22301 ensures the organization can keep operating and recover when disruption does occur. Together they cover both the prevention and the response sides of supply chain resilience.

ISO 31000 — risk management

ISO 28000 draws its risk-based thinking from ISO 31000, the standard for risk management. Its principles for security management echo ISO 31000's integrated, coordinated approach — treating security risk as part of enterprise risk rather than a siloed concern, which improves performance measurement and supports continual improvement.

How to implement ISO 28000

Implementation follows the familiar management-system path. A realistic sequence looks like this:

  • Secure leadership buy-in and define the scope of the supply chain and operations to be covered.
  • Conduct a gap analysis against the ten Annex SL clauses to see what you already have.
  • Perform a security risk assessment across your supply chain, mapping threats, vulnerabilities and critical dependencies.
  • Draft the security policy, objectives, procedures and security plans that treat the risks you identified.
  • Provide training and awareness so staff and partners understand their security responsibilities.
  • Operate the system for a period — often around three months — to generate records and evidence.
  • Run internal audits and a management review, then correct any nonconformities.
  • Engage an accredited certification body for the stage 1 and stage 2 certification audit.

Tip: if you already hold ISO 27001, ISO 22301 or ISO 9001, reuse your existing context analysis, leadership structures, internal audit programme and management review process. Thanks to Annex SL, most of that framework transfers directly to ISO 28000.

ISO 28000:2022 turns supply chain security from an ad-hoc set of controls into a governed, auditable and continually improving system. With disruptions now affecting the large majority of organizations, a certified security management system is both a risk-reduction measure and a competitive signal to customers that your supply chain can be trusted.

Frequently Asked Questions

What is ISO 28000:2022?

ISO 28000:2022 is an international standard that specifies requirements for a security management system, including aspects relevant to the supply chain. It helps organizations protect people, goods, infrastructure and transport against security incidents, and it is certifiable by an accredited certification body.

What changed in the 2022 revision of ISO 28000?

Published on 15 March 2022, the revision adopted the Annex SL high-level structure shared by all modern ISO management system standards, giving it ten clauses aligned with ISO 9001, ISO 14001, ISO 45001, ISO 22301 and ISO/IEC 27001. It also broadened the scope so the requirements apply to any organization, not only supply chain operators. A three-year transition period applied to the previous 2007 edition.

What is the difference between ISO 28000 and ISO 27001?

ISO 28000 focuses on security across the supply chain — protecting cargo, facilities, transport and people from physical and operational threats. ISO/IEC 27001 focuses on information security, protecting data and information assets. They share the same Annex SL structure and are often implemented together as an integrated management system.

How does ISO 28000 relate to ISO 22301 and ISO 31000?

ISO 28000's operational clauses were aligned with ISO 22301, the business continuity standard, so prevention and recovery work together. Its risk-based principles draw on ISO 31000, the risk management standard, encouraging an integrated approach where security risk is managed as part of enterprise risk rather than in a silo.

Who needs ISO 28000 certification?

ISO 28000 is applicable to all types and sizes of organizations, from small businesses to multinationals, in manufacturing, service, storage or transportation at any stage of the supply chain. Logistics providers, port and warehouse operators, shipping lines and public agencies commonly pursue it to satisfy customer and tender requirements.

How do you get ISO 28000 certified?

Typical steps are: define scope, run a gap analysis, perform a supply chain security risk assessment, document the policy and security plans, train staff, operate the system for a period (often around three months) to build evidence, conduct internal audits and a management review, then engage an accredited certification body for the stage 1 and stage 2 audits.

Explore Courses on Udemy

Intermediate

ISO 28000: Security Management Systems for the Supply Chain

Intermediate

ISO 31000: Risk Management Implementation Step by Step

Intermediate

Supply Chain Risk Management & Mitigation Guide