ISO 28000 2007 Plain English Introduction


ISO 28000 is a supply chain security management standard. It was
first published in 2005 as a publicly available specification (PAS).
This current version was officially published on September 15, 2007.
It cancels and replaces ISO/PAS 28000 2005. Its purpose is to help
improve the security of supply chains.

ISO 28000 can help organizations protect people, products, and
property. It can help both small organizations and multinational
corporations to improve their security.

ISO 28000 applies to any organization that is part of a local, national,
or international supply chain. And since almost all organizations belong
to a supply chain, it applies to virtually all organizations. It doesn't matter
what size they are or what they do. ISO 28000 applies to both exporters
and importers. It applies to airports, seaports, and terminals as well as
to organizations that move products by air, sea, rail, or road. It applies
to logistics, storage, transportation, and service companies as well
as to manufacturers, shippers, wholesalers, and distributors.

ISO 28000 defines a set of security management requirements.
If your organization is part of a supply chain, ISO 28000 expects you
to establish a security management system (SMS) that complies with
these requirements. It then expects you to use this system to protect
people, products, and property.

A SMS is a network of interrelated and interacting elements that
combine to resist, fend off, or withstand unauthorized acts that are
designed to cause intentional harm or damage to a supply chain.
These elements include a security management policy as well as the
many objectives, targets, programs, procedures, plans, practices,
processes, controls, documents, records, roles, relationships,
responsibilities, authorities, and resources that are used to
implement this policy.


If you use ISO 28000 to establish and maintain a security management
system (SMS), you will improve the overall security of your supply chain
and inspire the trust of your customers. Not only can ISO 28000 help you
to preserve the integrity of your shipments and safeguard your customers'
valuable property, it can also help you to protect personnel. When properly
implemented, an ISO 28000 SMS will not only decrease disruptions and
shorten transit times, it can also help you to reduce theft and combat
smuggling, piracy, and terrorism.

Since ISO 28000 is a generic security management standard, it will
support and provide a foundation for all of your security initiatives.
Because it's a generic security standard, it will also help you to
comply with all other national and international security programs
and requirements. An ISO 28000 SMS will help you to comply with:

•  US Customs-Trade Partnership Against
   Terrorism (C-TPAT) security requirements.

•  World Customs Organization (WCO)
   SAFE Framework security requirements.

•  Safety of Life at Sea (SOLAS) security requirements.

•  International Maritime Organization (IMO) International
   Ship and Port Facility security requirements.

•  EU Authorized Economic Operator
   (AEO) security requirements.


If you don't already have a supply chain security management system,
you can use this ISO 28000 standard to establish one. And once
you've established your organization's SCSMS, you can use it to manage
and control your security risks and to improve your security performance.

However, the size and complexity of SCSMSs vary quite a bit. How far you
go is up to you. The size and complexity of your SCSMS, the extent of your
documentation, and the resources allocated to your system will depend on
many things. How you meet each of the ISO 28000 requirements, and to
what extent, depends on many factors, including:

  1. The size of your organization
  2. The location of your organization
  3. The nature and size of your supply chain
  4. The nature of your activities, products, and services
  5. The nature of your organization's legal obligations
  6. The content of your organization's security policy
  7. The nature of your organization's security risks
  8. The scope of your organization's SCSMS

ISO 28000 is designed to be used for certification purposes. In other
words, once you've established a supply chain security management
system (SCSMS) that meets both the ISO 28000 requirements and your
organization's needs, you can ask a registrar (certification body) to audit
your system. If you pass the audit, your registrar will issue a certificate
that states that your SCSMS meets the ISO 28000 requirements.

While ISO 28000 is designed to be used for certification purposes, you
don't have to become certified. You can be in compliance without being
formally registered by an accredited auditor. You can self-audit your
system and then announce to the world that your SCSMS complies with
the ISO 28000 2007 standard (assuming that it actually does). Of course,
your compliance claim may have more credibility if an independent
registrar has audited your SCSMS and agrees with your claim.



Praxiom Research Group Limited        780-461-4514

Updated on December 2, 2013. First published on November 30, 2009.


Copyright © 2009 - 2013 by Praxiom Research Group Limited. All Rights Reserved.
