ISO 28000 is a supply chain security management standard. It was first published in 2005 as a publicly available specification. This current version was officially published on September 15, 2007. It cancels and replaces ISO/PAS 28000 2005. Its purpose is to help improve the security of

ISO 28000 can help organizations protect people, products, and property. It can help both small organizations and multinational corporations to improve their
ISO 28000 applies to any organization that is part of a local, national, or international supply chain. And since almost all organizations belong to a supply chain, it applies to virtually all organizations. It does not matter what size they are or what they do. ISO 28000 applies to both exporters and importers. It applies to airports, seaports, and terminals as well as to organizations that move products by air, sea, rail, or road. It applies to logistics, storage, transportation, and service companies as well as to manufacturers, shippers, wholesalers, and distributors.
ISO 28000 defines a set of security requirements. If your organization is part of a supply chain, ISO 28000 expects you to establish a security management system (SMS) that complies with these requirements. It then expects you to use this system to protect people, products, and property.

An SMS is a network of interrelated and interacting elements that combine to resist, fend off, or withstand unauthorized acts that are designed to cause intentional harm or damage to a supply chain. These elements include a security management policy as well as the many objectives, targets, programs, procedures, plans, practices, processes, controls, documents, records, roles, relationships, responsibilities, authorities, and resources that are used to implement this policy.
WHY USE ISO 28000

If you use ISO 28000 to establish and maintain a security management system (SMS), you will improve the overall security of your supply chain and inspire the trust of your customers. Not only can ISO 28000 help you to preserve the integrity of your shipments and safeguard your customers' valuable property, it can also help you to protect personnel. When properly implemented, an ISO 28000 SMS will not only decrease disruptions and shorten transit times, it can also help you to reduce theft and combat smuggling, piracy, and

Since ISO 28000 is a generic security management standard, it will support and provide a foundation for all of your security initiatives. Because it's a generic security standard, it will also help you to comply with all other national and international security programs and requirements. An ISO 28000 SMS will help you to comply with:
- US Customs-Trade Partnership Against Terrorism (C-TPAT) security requirements.
- World Customs Organization (WCO) SAFE Framework security requirements.
- Safety of Life at Sea (SOLAS) security requirements.
- International Maritime Organization (IMO) International Ship and Port Facility security requirements.
- EU Authorized Economic Operator (AEO) security requirements.
HOW TO USE ISO 28000

If you don't already have a supply chain security management system (SCSMS), you can use this ISO 28000 standard to establish one. And once you've established your organization's SCSMS, you can use it to manage and control your security risks and to improve your security

However, the size and complexity of SCSMSs vary quite a bit. How far you go is up to you. The size and complexity of your SCSMS, the extent of your documentation, and the resources allocated to your system will depend on many things. How you meet each of the ISO 28000 requirements, and to what extent, depends on many factors, including:
- The size of your organization
- The location of your organization
- The nature and size of your supply chain
- The nature of your activities, products,
- The nature of your organization's legal
- The content of your organization's
- The nature of your organization's security
- The scope of your organization's SCSMS
ISO 28000 is designed to be used for certification purposes. In other words, once you've established a supply chain security management system (SCSMS) that meets both the ISO 28000 requirements and your organization's needs, you can ask a registrar (certification body) to audit your system. If you pass the audit, your registrar will issue a certificate confirming that your SCSMS meets the ISO 28000 requirements.

While ISO 28000 is designed to be used for certification purposes, you don't have to become certified. You can be in compliance without being formally registered by an accredited auditor. You can establish your system and then announce to the world that your SCSMS meets the ISO 28000 2007 standard (assuming that it actually does). Of course, your compliance claim may have more credibility if a registrar has audited your SCSMS and agrees with your claim.