What is ISO 28000?

ISO 28000 specifies the requirements for establishing, implementing, maintaining, and improving a security management system (SeMS), including the aspects relevant to the security of the supply chain.

ISO 28000:2022 Security and resilience—Security management systems—Requirements replace the ISO 28000:2007 Specification for security management systems for the supply chain. The standard's title has been changed to emphasize that ISO 28000 requirements apply to organizations in the supply chain and all organizations, regardless of their type, size, or industry.

The new edition of ISO 28000 follows the harmonized structure of ISO, where the requirements for the SeMS are outlined in clauses 4 to 10. This enables organizations to integrate the SeMS with other management systems based on ISO standards.

The new edition of ISO 28000 includes additional recommendations. In clause 4, recommendations on eight principles for security management have been added to ensure better alignment with ISO 31000 (the standard for risk management). In addition, clause 8 recommends security strategies, procedures, processes and treatments, and security plans that ensure consistency with ISO 22301 (the standard for business continuity management). 

Why is ISO 28000 important for organizations?

Since security incidents can occur at any moment, organizations need to adopt a proactive approach toward security management. A security management system based on ISO 28000 enables organizations to identify their valuable assets, including property, personnel, products, data, and infrastructure, and implement appropriate security processes and controls to safeguard them. In addition, an effective SeMS enables organizations to improve recognition, increase reputation, enhance business profitability and efficiency, and reduce long-term costs.

ISO 28000 requires the organization’s leadership to demonstrate commitment to security management by establishing a security policy, setting security objectives, and integrating security management into the organization’s processes and operations. This enables organizations to align security efforts with their overall goals and objectives, embed security in their daily operations, and promote a security culture that leads to proactive risk management.

In addition, ISO 28000 includes requirements that address risk assessment, security controls and strategies, and security plans. By establishing processes for risk assessment, organizations can effectively identify, analyze, and evaluate security-related risks. Then, they can implement controls and strategies to prevent security-related risks or mitigate and treat those that cannot be stopped. On the other hand, security plans enable organizations to respond to security-related incidents to minimize possible impact on operations and business.

ISO 28000 also outlines requirements regarding the monitoring and measurement of the SeMS. Monitoring enables organizations to identify and appropriately address vulnerabilities, thus minimizing risk and loss. In addition, it allows them to ensure compliance with changing regulations and standards related to security, as violations of such rules may lead to legal consequences and reputational damage.