Since security incidents can occur at any moment, it is pivotal for organizations to adopt a proactive approach toward security management. A security management system based on ISO 28000 enables organizations to identify their valuable assets—including property, personnel, products, data, and infrastructure—and implement the appropriate security processes and controls to safeguard these assets. Moreover, a security management system based on ISO 28000 specifications allows organizations to improve recognition, increase reputation, enhance business profitability and efficiency, and reduce long-term costs.
What Is Security Management?
ISO 28000 defines a “security management system” as a system of coordinated policies, processes, and practices through which an organization manages its security objectives. In other words, security management is the identification of an organization’s assets including people, buildings, machines, systems and information assets, followed by the development, documentation, and implementation of policies and procedures that protect these assets. It relates to the physical safety of buildings, people and products, as well as information, network, and telecommunications systems protection.
Security management is linked to many aspects of business management, including but not limited to activities that affect the supply chain. ISO 28000, however, focuses on security management at the supply chain level. The standard notes that supply chains are dynamic in nature and that some organizations manage multiple supply chains. Because of this, such organizations may require their providers to meet the relevant security management standard requirements as a condition of being included in the supply chain.
What Is ISO 28000?
ISO 28000 specifies requirements for a security management system, including aspects relevant to all levels of the supply chain. This standard establishes a security system that will protect people, goods, infrastructure, equipment, and transportation against security incidents and other potentially devastating situations. It specifies the requirements to establish, implement, maintain, improve, and audit a security management system. ISO 28000 also specifies requirements for the organization to:
- Assess the security environment in which it operates including its supply chain (including dependencies and interdependencies)
- Determine if adequate security measures are in place to effectively manage security-related risks
- Manage compliance with statutory, regulatory, and voluntary obligations to which the organization subscribes
- Align security processes and controls, including the relevant upstream and downstream processes and controls of the supply chain to meet the organization’s objectives
ISO 28000 is applicable to all types and sizes of organizations (e.g., commercial enterprises, government, or other public agencies and non-profit organizations) that intend to establish, implement, maintain, and improve a security management system. It provides a holistic and common approach and is not industry or sector specific. The standard can be used throughout the life of an organization and can be applied to any activity, internal or external, at all levels.
ISO 28000:2022—Security And Resilience – Security Management Systems – Requirements is available on the ANSI Webstore and in the ISO 28000 – Supply Chain Security Management Systems Package.
Risks and Opportunities in Security Management Systems
When planning the security management system, ISO 28000 specifies that the organization should determine security-related risks and the opportunities it can exploit. Doing so requires a proactive risk assessment that can cover:
- Physical or functional failures
- Malicious or criminal acts
- Environmental, human, and cultural factors
- Other internal or external contexts, including factors outside the organization’s control affecting the organization’s security
- The design, installation, maintenance, and replacement of security equipment
- The organization’s information, data, knowledge, and communication management
- Information related to security threats and vulnerabilities
- The interdependencies between suppliers
Based on the vulnerability analysis, threat analysis, and risk assessment, the organization should identify and select a security strategy comprising one or more of the procedures, processes, and treatments outlined in ISO 28000.
Benefits of an ISO 28000 Security Management System
A security management system based on ISO 28000 enables organizations to achieve their security management objectives. In particular, it enables organizations to:
- Monitor and manage security-related risks
- Ensure the security of the environment in which they operate
- Comply with statutory, regulatory, and voluntary security obligations
- Identify and address risks and opportunities related to security management
- Effectively deal with security violations
- Recover from disruptions in the supply chain
- Manage relationships with all relevant interested parties in the supply chain
- Create and protect value
- Demonstrate commitment to ensure safety of individuals and security of goods and services
- Align security processes and controls with the organization’s objectives
- Gain a competitive advantage and new business opportunities
- Facilitate trade and expedite the transfer of goods across borders
- Achieve cost-savings by reducing security incidents
- Demonstrate conformity to ISO 28000 through assessments by accredited third parties
ISO 28000 can easily be integrated with other major management system standards, like ISO 9001, ISO 14001, ISO 22301, ISO/IEC 27001, ISO 45001, etc., thereby supporting consistent and integrated implementation and operation with related management systems. This is an advantage for organizations looking to incorporate security aspects into other existing management systems.
Supply Chain ISO 28000 Management Systems Accreditation
ANAB offers accreditation for ISO 28000 management systems. Accreditation by an independent third party, such as ANAB, verifies that a supply chain security management system complies with the ISO 28000 requirements. ISO 28000 accreditation demonstrates that a certification body (CB) possesses the competencies to certify organizations for Security and Resilience – Security Management Systems (SRSMS) conforming with ISO 28000. Certified organizations have identified the security risks within their supply chain and implemented the appropriate measures in the production, storage, distribution, and transportation of goods.
You can view the ISO 28000 Application to understand specific ANAB requirements. The application process must be completed online via ANAB’s EQM Database, and first-time EQM users must register to create an account.