ISO 28000 Supply Chain Security in Plain English

ISO 28000 is a supply chain security management standard.
Use it to protect your people, your products, and your property.


General Security Requirements

Security Policy Requirements

  • Authorize the establishment of a security management policy.

  • Document your organization's security management policy.

  • Implement your organization's security management policy.

  • Maintain your organization's security management policy.

Security Planning Requirements

4.3.1 Analyze Security Threats and Select Controls

  • Identify security threats and assess your risks.

    • Define a methodology to identify your organization's supply chain security threats and assess its security risks.

    • Establish procedures to identify threats and assess risks.

    • Use your security risk assessment methods and procedures to identify threats and assess risks.

  • Identify security management control measures.

    • Establish procedures to identify and implement supply chain security management control measures.

    • Use your procedures to identify supply chain security management control measures.

    • Use your procedures to implement your supply chain security management control measures.


4.3.2 Respect Legal and Other Security Requirements

  • Establish procedures to manage the legal, statutory, and regulatory security requirements that you subscribe to.

  • Communicate information about all relevant legal, statutory, and regulatory security management requirements.


4.3.3 Set Security Management Objectives

  • Establish security management objectives.

  • Document security management objectives.

  • Implement security management objectives.

  • Maintain security management objectives.


4.3.4 Specify Security Management Targets

  • Establish security management targets.

  • Implement security management targets.

  • Maintain security management targets.


4.3.5 Develop Security Management Programs

  • Establish security programs to achieve objectives and targets.

  • Implement your organization's security management programs.

  • Maintain your organization's security management programs.

Security Implementation Requirements

4.4.1 Create a Security Management Structure

  • Establish a security management structure of roles, responsibilities, and authorities for your organization.

  • Communicate security management roles, responsibilities, and authorities to those who must implement and maintain your SMS.

  • Demonstrate a commitment to the development, implementation, and continual improvement of your organization's SMS.


4.4.2 Ensure Competence and Provide Security Training

  • Make sure that personnel responsible for security are suitably qualified.

  • Establish procedures to make people who work for you, or on your behalf, aware of your SMS.

  • Keep records of competence and training.


4.4.3 Develop Security Communication Procedures

  • Establish procedures to ensure that pertinent security information is communicated.


4.4.4 Establish SMS Documents and Records

  • Establish and maintain a security management documentation system for your organization.

  • Establish the security sensitivity of information before you consider giving people access to it.


4.4.5 Control your SMS Documents and Data

  • Establish procedures to control the documents, data, and information required by ISO 28000.

  • Maintain your organization's SMS document, data, and information control procedures.


4.4.6 Implement Operational SMS Control Measures

  • Identify the security activities and operations that your organization needs to carry out.

  • Carry out your security activities and operations under specified conditions.

  • Consider your security threats and risks before you decide to revise your current arrangements or implement new ones.


4.4.7 Prepare Emergency SMS Plans and Procedures

  • Prepare appropriate emergency preparedness plans and procedures to deal with security threats, incidents, breaches, and emergencies.

  • Prepare appropriate plans and procedures to respond to security incidents and emergencies.

  • Prepare appropriate security recovery plans and procedures.

Security Checking Requirements

4.5.1 Monitor and Measure Security Performance

  • Establish procedures to monitor and measure security.

  • Use your procedures to monitor and measure security.

  • Maintain supply chain security management records.


4.5.2 Evaluate your Security Management System (SMS)

  • Evaluate supply chain security management plans.

  • Evaluate supply chain security management procedures.

  • Evaluate supply chain security management capabilities.

  • Evaluate compliance with regulations and best practices.

  • Evaluate conformance with security policy and objectives.


4.5.3 Investigate Security Incidents and Take Action

  • Establish security response procedures.

  • Implement your security response procedures.

  • Maintain your security response procedures.


4.5.4 Control your Security Management Records

  • Establish your organization's security management records.

  • Establish procedures to control security management records.


4.5.5 Audit your Security Management System (SMS)

  • Establish a security management audit program.

  • Establish security management audit procedures.

Security Review Requirements

  • Review your SMS by examining inputs.

  • Assess the results of your management reviews.

  • Generate management review outputs.



This page presents a preview of ISO 28000 2007.
It highlights the main points. It does not present detail.
To get the complete version, please consider purchasing
Title 80: ISO 28000 2007 Translated into Plain English.

Title 80 is detailed, accurate, and complete. It uses language
that is clear, precise, and easy to understand. We guarantee it!
Title 80 is 77 pages long and comes in pdf and MS doc file formats.


Praxiom Research Group Limited        780-461-4514

Updated on February 14, 2017. First published on November 30, 2009.

Legal Restrictions on the Use of this Page
Thank you for visiting this webpage. You are welcome to view our material as often as
you wish, free of charge. And as long as you keep intact all copyright notices, you are also
welcome to print or make one copy of this page for your own personal, noncommercial,
home use. But, you are not legally authorized to print or produce additional copies or to
copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2009 - 2017 by Praxiom Research Group Limited. All Rights Reserved.
