ISO 28000:2007 (Specification for security management systems for the supply chain) is an ISO standard published by International Organization for Standardization which includes requirements of a security management system particularly dealing with security assurance in the supply chain. The standard was developed by ISO/TC 8 on "Ships and maritime technology" and published in 2007 . In 2015 the responsability of the ISO 28000 series was transferred to ISO/TC 292 on "Security and resilience" who in 2019 decided to start a revision which is expected to take 3 years. A justification study for the revision has already been accepted by ISO TMB (Technical Management Board).
ISO 28000:2007 was developed to codify operations of security within the broader supply chain management system. The PDCA management systems structure was adopted in developing ISO 28000:2007 to bring the elements of this standard in congruence with related standards such as ISO 9001:2000 and ISO 14001:2004.
The scope of the revised document will be changed only in so far as its new wording will be in conformity to today's way of wrting standards: "[The standard] specifies requirements for a security management system, including those aspects crucial to security assurance of the supply chain"
The development of an international standard addressing security risk management improves the broader interface with existing enterprise risk management in a common integrated platform. This integrated approach to risk management is often employed to better coordinate cross functional risk management mechanisms, improve performance measurement, ensure continual improvement and reducing misalignment of risk management objectives between silos.
ISO 28000:2007 was developed such that organizations of varying scale could apply the standard to supply chains of various degrees of complexity.
The general rational for organizations to adopt ISO 28000:2007 pertains to:
Adopting the ISO 28000 has broad strategic, organisational and operational benefits that are realized throughout supply chains and business practices.
Benefits include, but are not limited to:
ISO/TC 292 has establihed a Working Group on Supply chain security (WG 8) to review and update the standard. ISO 28000 will be restructured to align it with other Management System Standards of ISO in accordance with Annex SL (to support the integration of the security management system of an organization with its other management systems (e.g. quality management, energy management, environmental management, information security management, business continuity management, ...)).
It is not planned to delete any of the requirements in the existing standard nor is it planned to add new requirements so that organizations certified in accordance with ISO 28000 will not encounter any difficulties due to the revision. The countries with the highest number of certificates in 2016 were India (425), Japan (299), Spain (231), US (223) and UK (197).
Experts interested to support the revision should inquire with their national standardization organization how to join ISO/TC 292 WG 8. A list of the participating member organizations is provided by ISO.
ISO 28000:2007 is a certifiable standard.
ISO 28000 is a the first of a series of ISO standards including