28000 Supply Chain Security Dictionary


ISO 28000 is an international supply chain security management
standard. Our definitions are based on ISO 28000, section 3, Terms
and definitions. We have translated these terms and definitions into
Plain English in order to make them easier to understand. We've also
added a few definitions that aren't found in the original ISO 28000 2007
standard. We've taken this approach whenever an important term is
used in the ISO 28000 standard but not explicitly defined. Examples
of useful definitions that were overlooked include terms like controls,
security risk, security management system, security risk assessment,
and security threat. Since such terms are central to this standard,
we've tried to define them. In order to do so, we've used other ISO
standards as well as definitions taken from our own publications.

Continual Improvement

Continual improvement is a recurring process that enhances
an organization's security management system and improves its
overall security performance. Continual improvements must be
consistent with the organization's security policy and can be
achieved by carrying out audits, performing management
reviews, analyzing data, and implementing corrective
and preventive actions.

Control

A control is any administrative, management, technical, or legal
method that is used to manage risk. Controls are safeguards or
countermeasures. Controls include things like practices, policies,
procedures, programs, objectives, targets, techniques, technologies,
guidelines, requirements, and organizational structures.

Corrective Actions

Corrective actions are steps that are taken to remove the
causes of an existing security nonconformity or security incident.
The corrective action process is designed to prevent the recurrence
of security nonconformities and security incidents. It tries to make
sure that existing nonconformities and incidents don't happen
again. It tries to prevent recurrence by eliminating causes.

Facility

The term facility refers to any item of infrastructure that has
a business function or provides a business service. It includes
property, buildings, plants, machinery, ships, vehicles, port
facilities, and related systems (including software code
that facilitates security management).

Management Review

In the context of ISO 28000, the purpose of a management review
is to evaluate the suitability, adequacy, and effectiveness of an
organization's supply chain security management system, and
to look for improvement opportunities. Management reviews are
also used to identify and assess opportunities to change an
organization's security management policy, objectives, and
targets and to assess changes in security threats and risks.

Management System

A management system is a set of interrelated or interacting
elements that organizations use to implement policy and
achieve objectives. There are many types of management
systems. Some of these include quality management systems, food
safety management systems, environmental management systems,
emergency management systems, occupational health and safety
management systems, information security management systems,
business continuity management systems, and, of course, supply
chain security management systems.

Nonconformance

A nonconformance (or a nonconformity) is a failure to comply with
requirements. A requirement is an expectation or obligation. It can be
stated or implied by an organization, its customers, or other interested
parties. There are many types of requirements. Some of these include
legal requirements, regulatory requirements, customer requirements,
and management requirements.

ISO 28000 2007 Part 4 lists many supply chain security management
requirements. Whenever your organization fails to meet one of these
requirements, a nonconformance (or nonconformity) occurs.

Preventive Actions

Preventive actions are steps that are taken to remove the causes of
potential security nonconformances and security incidents, ones that
have not yet occurred. Preventive actions address potential problems
(not actual problems). While corrective actions prevent recurrence,
preventive actions prevent occurrence. Both types of actions are
intended to prevent nonconformities and incidents.

Procedure

A procedure is a specified way of carrying out an activity
or a process. Procedures may or may not be documented. A
documented procedure describes and controls a logically distinct
process or activity, including the associated inputs and outputs.
Documented procedures can be very general or very detailed, or
anywhere in between. While a general procedure could take the
form of a simple flow diagram, a detailed procedure could be
a one page form or it could be several pages of text.

A detailed documented procedure defines and controls the work that
should be done, and explains how it should be done, who should do
it, and under what circumstances. In addition, it often explains what
authority and what responsibility has been allocated, which supplies
and materials should be used, and which documents and records
must be used to carry out the work.

Security

A supply chain is secure when it can resist, fend off, or withstand
unauthorized acts that are designed to cause intentional harm or
damage. Conversely, it is insecure when it cannot successfully
resist or repel such acts. Therefore, security is a variable and
relative state of resistance.

It is variable because it can vary from very secure to very insecure.
And it is relative because it depends on how threatening or dangerous
specific harmful acts are. A supply chain may be secure relative to
some threats but insecure relative to other threats.

Security Management

Security management includes all the activities and practices that
organizations use to manage security risks, threats, and impacts.
According to ISO 28000, your security management activities and
practices should be coordinated, systematic, and optimized.

Security Management Objective

A security management objective is a security outcome or
achievement. Objectives must be specific and must support and
comply with your security management policy. Security management
objectives should be tied directly or indirectly to an organization's
product and service delivery activities.

Security Management Policy

Your organization's security management policy should define its
general security intentions and clarify its overall direction. It should
support your organization's general security framework and should
be used to control its security activities and processes. A security
management policy should also be used to generate security objectives
and targets and encourage their achievement. And it should be
consistent with your organization's other policies and must comply
with all regulatory requirements.

Security Management Program

Security management programs (or programmes) are used
to achieve security management objectives and targets. This
definition establishes a means-end relationship between programs
on the one hand and objectives and targets on the other.

Security Management System

A security management system (SMS) is a complex network of
interrelated and interacting elements that combine to resist, fend off,
or withstand unauthorized acts that are designed to cause intentional
harm or damage to a supply chain. These elements include a security
management policy as well as the many programs, objectives, targets,
procedures, plans, practices, processes, controls, documents,
records, roles, relationships, responsibilities, authorities, and
resources that are used to implement this policy.

Security Management Target

Objectives are achieved by meeting specific targets. A security
management target is a specific level of performance that must be
attained in order to be able to say that a related security management
objective has actually been achieved.

Security Risk

Risk combines three elements: it starts with a potential threat
and then combines its probability with its potential severity.
In the context of ISO 28000, the concept of risk asks two
future oriented questions:

  1. What is the probability that a potential security
    threat will actually occur in the future?

  2. How severe would the impact be if the potential
    security threat became an actual security incident?

A high risk security threat would have both a high probability
of occurring and a severe impact if it actually occurred.

Security Risk Assessment

A risk assessment considers the effectiveness of existing security
controls and then evaluates the probability and the potential severity
of specific security threats. On the basis of such an assessment,
organizations decide what steps should be taken to manage
and control their risk.

Security Threat

A security threat is any possible intentional action or series of actions
that could potentially damage stakeholders, facilities, or operations;
destroy the integrity of a business or jeopardize its continuation;
or disrupt a supply chain or an entire economy.

Stakeholder

Individuals, groups, and organizations become an organization's
stakeholders when they have a vested interest in its performance or its
success or are concerned about the impact of its activities. Examples
include shareholders, financiers, insurers, customers, employees,
suppliers, contractors, regulators, statutory bodies, labor
organizations, and members of society.

Supply Chain

A supply chain is a set of interconnected processes and
resources that starts with the sourcing of raw materials and
ends with the delivery of products and services to end users.
Supply chains may include producers, suppliers, manufacturers,
distributors, wholesalers, vendors, and logistics providers. They
include facilities, plants, offices, warehouses, and branches and
can be either internal or external to an organization.

Top Management

When ISO 28000 uses the term top management, it is referring to a
person or group of people at the highest level within an organization. It
refers to the people who coordinate, direct, and control organizations.
While top management in large organizations may not be personally
involved in the management of supply chain security, accountability
through the chain of command must, nevertheless, be manifest.

Upstream and Downstream

In the context of ISO 28000, the terms upstream and downstream
refer to the relative location and movement of cargo within a supply
chain and to the associated cargo management activities, processes,
and operations that occur.

Activities, processes, and operations that occur before cargo comes
under the direct operational control of an organization are said to be
upstream from it. Conversely, activities, processes, and operations
that occur after cargo leaves the direct operational control of an
organization are said to be downstream from it. Downstream and
upstream cargo management functions can include insurance,
finance, packing, storing, delivery, data processing, and so on.


Praxiom Research Group Limited      780-461-4514

Updated on May 19, 2016. First published on November 30, 2009.


Copyright © 2009 - 2016 by Praxiom Research Group Limited. All Rights Reserved.
