
What Is ISO 28000?


Since security incidents can occur at any moment, it is pivotal for organizations to adopt a proactive approach toward security management. A security management system based on ISO 28000 enables organizations to identify their valuable assets—including property, personnel, products, data, and infrastructure—and implement the appropriate security processes and controls to safeguard these assets. Moreover, a security management system based on ISO 28000 specifications allows organizations to improve recognition, increase reputation, enhance business profitability and efficiency, and reduce long-term costs.

What Is Security Management?

ISO 28000 defines a “security management system” as a system of coordinated policies, processes, and practices through which an organization manages its security objectives. In other words, security management is the identification of an organization’s assets, including people, buildings, machines, systems, and information, followed by the development, documentation, and implementation of policies and procedures that protect those assets. It covers the physical safety of buildings, people, and products, as well as the protection of information, network, and telecommunications systems.

Security management is linked to many aspects of business management. It includes, but is not limited to, those activities that affect the supply chain. ISO 28000, however, focuses on security management at the supply chain level. The standard notes that supply chains are dynamic in nature and that some organizations therefore manage multiple supply chains. Because of this, such organizations may require their providers to meet the related security management standard requirements as a condition of being included in the supply chain.

What Is ISO 28000?

ISO 28000 specifies requirements for a security management system, including aspects relevant to all levels of the supply chain. This standard establishes a security system that will protect people, goods, infrastructure, equipment, and transportation against security incidents and other potentially devastating situations. It specifies the requirements to establish, implement, maintain, improve, and audit a security management system. ISO 28000 also specifies requirements for the organization to:

ISO 28000 is applicable to all types and sizes of organizations (e.g., commercial enterprises, government, or other public agencies and non-profit organizations) that intend to establish, implement, maintain, and improve a security management system. It provides a holistic and common approach and is not industry or sector specific. The standard can be used throughout the life of an organization and can be applied to any activity, internal or external, at all levels.

ISO 28000:2022 – Security and Resilience – Security Management Systems – Requirements is available on the ANSI Webstore and in the ISO 28000 – Supply Chain Security Management Systems Package.

Risks and Opportunities in Security Management Systems

When planning the security management system, ISO 28000 specifies that the organization should determine the security-related risks it must address and the opportunities it can pursue. Doing so requires a proactive risk assessment that can include:

Based on the vulnerability analysis, threat analysis, and risk assessment, the organization should identify and select a security strategy that comprises one or more of the procedures, processes, and treatments outlined in ISO 28000.

Benefits of an ISO 28000 Security Management System

A security management system based on ISO 28000 enables organizations to achieve their security management objectives. In particular, it enables organizations to:

ISO 28000 can easily be integrated with other major management system standards, such as ISO 9001, ISO 14001, ISO 22301, ISO/IEC 27001, and ISO 45001, thereby supporting consistent and integrated implementation and operation alongside related management systems. This is an advantage for organizations looking to incorporate security aspects into their existing management systems.

Supply Chain ISO 28000 Management Systems Accreditation

ANAB offers accreditation for ISO 28000 management systems. Accreditation by an independent third party, such as ANAB, verifies that a supply chain security management system complies with the ISO 28000 requirements. ISO 28000 accreditation demonstrates that a certification body (CB) possesses the competencies to certify organizations for Security and Resilience – Security Management Systems (SRSMS) conforming to ISO 28000. Certified organizations have identified the security risks within their supply chain and implemented the appropriate measures in the production, storage, distribution, and transportation of goods.

You can view the ISO 28000 Application to understand specific ANAB requirements. The application process must be completed online via ANAB’s EQM Database, and first-time EQM users must register to create an account.
