ISO 28000


ISO 28000:2007 (Specification for security management systems for the supply chain) is an ISO standard published by International Organization for Standardization which includes requirements of a security management system particularly dealing with security assurance in the supply chain.[1] The standard was developed by ISO/TC 8 on "Ships and maritime technology" and published in 2007.[2] In 2015 the responsibility for the ISO 28000 series was transferred to ISO/TC 292 on "Security and resilience", who in 2019 decided to start a revision which is expected to take 3 years. A justification study for the revision has been accepted by ISO TMB (Technical Management Board).[3]

Scope and contents

ISO 28000:2007 was developed to codify operations of security within the broader supply chain management system. The PDCA management systems structure was adopted in developing ISO 28000:2007 to bring the elements of this standard in congruence with related standards such as ISO 9001:2000 and ISO 14001:2004.[4][5]

The scope of the revised document will be changed only in so far as its new wording will be in conformity to today's way of writing standards: "[The standard] specifies requirements for a security management system, including those aspects crucial to security assurance of the supply chain".[3]

ISO 28000 includes the following main clauses:[6]

  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Security management system elements
  • General requirements
  • Security management policy
  • Security risk assessment and planning
  • Implementation and operation
  • Checking and corrective action
  • Management review and continual improvement

Annex A Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000


Adopting the ISO 28000 has broad strategic, organisational and operational benefits that are realized throughout supply chains and business practices.[7]

Benefits include, but are not limited to:

  • Integrated enterprise resilience
  • Systematised management practices
  • Enhanced credibility and brand recognition
  • Aligned terminology and conceptual usage
  • Improved supply chain performance
  • Benchmarking against internationally recognisable criteria
  • Greater compliance processes

Improved risk management integration

The development of an international standard addressing security risk management improves the broader interface with existing enterprise risk management in a common integrated platform. This integrated approach to risk management is often employed to better coordinate cross functional risk management mechanisms, improve performance measurement, ensure continual improvement and reducing misalignment of risk management objectives between silos.[8]


ISO 28000:2007 was developed such that organizations of varying scale could apply the standard to supply chains of various degrees of complexity.

The general rational for an organization to adopt ISO 28000:2007 pertains to:

  • developing a security management system,
  • internal compliance with objectives of a security management policy,
  • external compliance with best practice benchmarks,
  • ISO accreditation.

ISO 28000:2007 is a certifiable standard.[9] In 2016, the countries with the highest number of certificates were India (425), Japan (299), Spain (231), US (223) and UK (197).[3]


ISO 28000 was originally developed as a Publicly Available Specification by ISO technical committee ISO/TC 8 on Ships and marine technology [2] and published in 2005. In 2007, ISO/PAS 28000:2005 was withdrawn and replaced by a full ISO standard under the title ISO 28000:2007. In 2014, ISO 28000:2007 was reviewed and confirmed.[10]
In 2015, ISO/TC 292 Security and resilience took over the responsibility of the standard and decided later in 2019 to initiate a revision of the standard.[11]

Year Description
2005 ISO/PAS 28000
2007 ISO 28000 (1st edition)
2019 ISO 28000 (2nd edition under development)


ISO/TC 292 has established a Working Group on Supply chain security (WG 8), who will review and update the standard. ISO 28000 will be restructured to align it with other management system standards of ISO in accordance with Annex SL to support the integration of an organization's security management system with its other management systems (e.g. quality management, energy management, environmental management, information security management, and business continuity management).[12]

It is not planned to delete any of the requirements in the existing standard, nor is it planned to add new requirements, so organizations currently certified in accordance with ISO 28000 will not encounter any difficulties due to the revision.

Related standards

ISO 28000 is the first of a series of ISO security management standards including:[13]

  • ISO 28001:2007 Security management systems for the supply chain – Best practices for implementing supply chain security, assessments and plans – Requirements and guidance
  • ISO 28002:2011 Security management systems for the supply chain – Development of resilience in the supply chain – Requirements with guidance for use
  • ISO 28003:2007 Security management systems for the supply chain – Requirements for bodies providing audit and certification of supply chain security management systems
  • ISO 28004 Security management systems for the supply chain – Guidelines for the implementation of ISO 28000
    • ISO 28004-1:2007 Part 1: General principles
    • ISO 28004-2:2014 Part 2: Guidelines for adopting ISO 28000 for use in medium and small seaport operations[14]
    • ISO 28004-3:2014 Part 3: Additional specific guidance for adopting ISO 28000 for use by medium and small businesses (other than marine ports)
    • ISO 28004-4:2014 Part 4: Additional specific guidance on implementing ISO 28000 if compliance with ISO 28001 is a management objective
  • ISO 28005 Security management systems for the supply chain – Electronic port clearance (EPC)
    • ISO 28005-1:2013 Part 1: Message structures
    • ISO 28005-2:2011 Part 2: Core data elements

See also


  1. ^ "ISO 28000:2007". ISO.
  2. ^ a b "ISO/TC 8 - Ships and marine technology". ISO.
  3. ^ a b c Swedish Civil Contingencies Agency, The revision of ISO 28000 will begin in September in Bangkok, ISO/TC 292 Online, accessed 1 March 2020
  4. ^ ISO 28004: 2007 Guidelines for implementation of ISO 28000
  5. ^ Siegal, M. Standards Changing the World of Security Professionals. ASIS International: Virtual Seminar. 2008
  6. ^ "Archived copy". Archived from the original on 2015-02-17. Retrieved 2015-02-17.CS1 maint: archived copy as title (link)
  7. ^ "".
  8. ^ "".
  9. ^ ISO 28000: 2007 Specifications for security risk management systems for the supply chain [1]
  10. ^ ISO 28000:2007 Specification for security management systems for the supply chain
  11. ^ "ISOTC292".
  12. ^ "Management system standards". ISO.
  13. ^ "ISO 28000:2007". SRI. Retrieved 2020-07-27.
  14. ^ "ISO 28004-2:2014". ISO.