ISO 28000:2022
Supply Chain Security Management System
Complete Audit Checklist
Organization:
Audit Ref #:
Site / Location:
Date of Audit:
Lead Auditor:
Audit Type: ☐ Internal ☐ External ☐ Surveillance ☐ Certification
Audit Team Members:
Standard: ISO 28000:2022
Conformance Legend
Y: Fully conformant – evidence reviewed and acceptable
N: Non-conformity – documented finding required
NA: Not applicable – justification required in findings
P: Partial conformity – minor gaps noted, opportunity for improvement
OFI: Opportunity for Improvement – not a non-conformity
This checklist is designed for auditing conformance with ISO 28000:2022 — Specification for Security Management Systems for the Supply Chain. Complete each row by reviewing documented evidence, interviewing personnel, and observing operations. Record findings in the Findings/Observations column and raise formal Non-Conformity Reports (NCRs) where required.
Section 4 — Context of the Organization
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

1 | 4.1 | Understanding the organization and its context
Audit Questions:
• Has the organization identified internal and external issues relevant to supply chain security?
• Are geopolitical, regulatory, and market factors documented?
• Is there a process for periodically reviewing context?
Evidence Required: Context analysis records, PESTLE/SWOT analysis, management review minutes
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

2 | 4.2 | Understanding needs and expectations of interested parties
Audit Questions:
• Are relevant interested parties (customers, regulators, authorities, partners) identified?
• Are their security-related requirements and expectations documented?
• Is there a mechanism to capture changes in stakeholder requirements?
Evidence Required: Stakeholder register, contractual requirements, regulatory compliance matrix
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

3 | 4.3 | Determining scope of the SCSMS
Audit Questions:
• Is the scope of the Supply Chain Security Management System (SCSMS) defined in writing?
• Does scope cover all relevant products, services, locations, and supply chain activities?
• Are boundaries and applicability of the SCSMS clearly stated?
Evidence Required: SCSMS scope statement, organizational charts, site/location lists
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

4 | 4.4 | Supply Chain Security Management System
Audit Questions:
• Is the SCSMS established, implemented, maintained, and continually improved?
• Are processes and interactions between processes defined?
• Is the SCSMS documented and accessible to relevant personnel?
Evidence Required: SCSMS manual, process maps, documented procedures
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Section 5 — Leadership
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

5 | 5.1 | Leadership and commitment
Audit Questions:
• Is there demonstrable top management commitment to the SCSMS?
• Has top management established a supply chain security policy?
• Are security roles, responsibilities, and authorities assigned and communicated?
• Does leadership ensure resources are available for the SCSMS?
Evidence Required: Policy signed by leadership, resource allocation records, leadership meeting minutes, organizational structure
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

6 | 5.2 | Policy
Audit Questions:
• Is a documented supply chain security policy established?
• Does the policy include a commitment to continual improvement?
• Is the policy communicated internally and available to relevant interested parties?
• Is the policy reviewed and updated at defined intervals?
Evidence Required: Supply chain security policy document, distribution records, policy review logs
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

7 | 5.3 | Roles, responsibilities and authorities
Audit Questions:
• Are security-related roles and responsibilities assigned and documented?
• Is there a designated security management representative?
• Are reporting lines for security incidents clearly defined?
• Are responsibilities communicated to relevant personnel?
Evidence Required: Job descriptions, RACI matrix, appointment letters, organization chart
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Section 6 — Planning
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

8 | 6.1 | Actions to address risks and opportunities
Audit Questions:
• Has the organization conducted a supply chain security risk assessment?
• Are risks prioritized using a defined methodology (likelihood × consequence)?
• Are opportunities for improvement identified alongside risks?
• Are risk treatment plans documented and implemented?
Evidence Required: Risk register, risk assessment methodology, risk treatment plans, threat/vulnerability analysis
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

9 | 6.1.2 | Security threat and risk assessment
Audit Questions:
• Does the threat assessment cover physical, cyber, personnel, and cargo security threats?
• Are supply chain partners included in risk assessments?
• Are assessments reviewed following significant changes or security incidents?
• Are residual risks accepted by authorized personnel?
Evidence Required: Threat assessment reports, risk matrices, incident review records, risk acceptance records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

10 | 6.2 | Supply chain security objectives and planning
Audit Questions:
• Are security objectives established at relevant functions and levels?
• Are objectives measurable, monitored, and communicated?
• Is there a documented plan for achieving security objectives?
• Are resources, timelines, and responsibilities assigned for each objective?
Evidence Required: Security objectives register, KPI dashboards, action plans, management review outputs
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

11 | 6.3 | Planning of changes
Audit Questions:
• Is there a documented process for managing planned changes to the SCSMS?
• Are security implications of changes assessed before implementation?
• Are resources and responsibilities for changes clearly defined?
Evidence Required: Change management procedure, change request records, impact assessment records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Section 7 — Support
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

12 | 7.1 | Resources
Audit Questions:
• Are sufficient human, infrastructure, and financial resources allocated to the SCSMS?
• Are physical security resources (cameras, access control, barriers) maintained?
• Are technology resources (IT systems, tracking) adequate and maintained?
Evidence Required: Budget allocations, asset registers, maintenance records, infrastructure inventory
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

13 | 7.2 | Competence
Audit Questions:
• Are competency requirements defined for security-sensitive roles?
• Are personnel qualifications, training records, and certifications maintained?
• Are competency gaps identified and addressed?
• Are background checks and vetting procedures applied to relevant roles?
Evidence Required: Competency framework, training records, personnel files, background check records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

14 | 7.3 | Awareness
Audit Questions:
• Are all personnel aware of the supply chain security policy?
• Do employees understand how their role contributes to security?
• Is security awareness training conducted and records maintained?
• Are personnel aware of consequences of non-compliance?
Evidence Required: Awareness training records, induction materials, signed awareness acknowledgements
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

15 | 7.4 | Communication
Audit Questions:
• Is there a documented internal and external communication plan for security matters?
• Are security alerts and updates communicated to relevant personnel and partners?
• Is there a process for communicating with authorities and regulatory bodies?
• Are communication channels tested and maintained?
Evidence Required: Communication plan, alert distribution records, authority contact lists, drill records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

16 | 7.5 | Documented information
Audit Questions:
• Are all required SCSMS documents identified, created, and controlled?
• Is there a document control procedure covering creation, review, approval, and disposal?
• Are documents protected from unauthorized access or modification?
• Are retained records (evidence of conformity) controlled with defined retention periods?
Evidence Required: Document register, document control procedure, version-controlled documents, record retention schedule
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Section 8 — Operation
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

17 | 8.1 | Operational planning and control
Audit Questions:
• Are operational security processes planned, implemented, and controlled?
• Are security measures for cargo, vehicles, personnel, and premises defined?
• Are outsourced processes identified and controlled?
• Are operational procedures documented and accessible to relevant staff?
Evidence Required: Standard operating procedures (SOPs), contractor agreements, process control records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

18 | 8.1.2 | Physical security controls
Audit Questions:
• Are perimeter security measures implemented (fencing, barriers, lighting)?
• Is access control in place for restricted areas?
• Are CCTV and intrusion detection systems operational and maintained?
• Are physical security checks conducted at defined intervals?
Evidence Required: Security inspection logs, access control records, CCTV maintenance logs, perimeter audit reports
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

19 | 8.1.3 | Personnel security
Audit Questions:
• Are pre-employment background verification checks performed?
• Are security ID badges and access credentials managed and controlled?
• Is there a process for managing visitors and contractors on-site?
• Are personnel security incidents investigated and recorded?
Evidence Required: Background check records, badge management logs, visitor registers, incident investigation reports
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

20 | 8.1.4 | Cargo and conveyance security
Audit Questions:
• Are cargo sealing and inspection procedures documented and followed?
• Are tamper-evident devices used and records maintained?
• Is cargo tracking (GPS, container tracking) implemented?
• Are shortages, overages, and damages recorded and investigated?
Evidence Required: Cargo inspection checklists, seal logs, tracking system records, discrepancy reports
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

21 | 8.1.5 | IT and cybersecurity
Audit Questions:
• Are cybersecurity controls implemented to protect supply chain data?
• Is there access control and authentication for critical IT systems?
• Are cyber incident detection, response, and recovery procedures in place?
• Are software and systems patched and updated regularly?
Evidence Required: IT security policy, access logs, patch management records, cyber incident reports
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

22 | 8.2 | Supply chain partner security
Audit Questions:
• Are security requirements included in contracts with suppliers and partners?
• Are supply chain partners assessed and approved against security criteria?
• Is there a process for monitoring supplier security performance?
• Are security clauses included in all relevant procurement documents?
Evidence Required: Supplier evaluation records, contract security clauses, supplier audit reports, approved vendor list
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

23 | 8.3 | Incident management
Audit Questions:
• Is there a documented security incident response procedure?
• Are all security incidents (theft, intrusion, tampering, cyber) reported and investigated?
• Is there a root cause analysis process for significant incidents?
• Are corrective actions tracked to closure?
Evidence Required: Incident register, investigation reports, corrective action records, closure evidence
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

24 | 8.4 | Business continuity and emergency preparedness
Audit Questions:
• Are business continuity plans (BCP) developed for supply chain disruptions?
• Are emergency response procedures documented for security incidents?
• Are BCP and emergency plans tested through exercises or drills?
• Are recovery time objectives (RTOs) defined for critical supply chain functions?
Evidence Required: Business continuity plans, emergency response procedures, drill records, BCP test reports
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Section 9 — Performance Evaluation
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

25 | 9.1 | Monitoring, measurement, analysis and evaluation
Audit Questions:
• Are KPIs and security metrics defined and monitored?
• Are monitoring results analyzed and reported to management?
• Is the SCSMS performance evaluated against defined objectives?
• Is data used to drive continual improvement decisions?
Evidence Required: KPI dashboards, security performance reports, trend analyses, management review inputs
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

26 | 9.2 | Internal audit
Audit Questions:
• Is there a documented internal audit program for the SCSMS?
• Are auditors competent and independent of the areas they audit?
• Are audit findings reported to top management?
• Are non-conformities from audits tracked and corrective actions implemented?
Evidence Required: Audit schedule, audit reports, auditor qualifications, corrective action logs
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

27 | 9.3 | Management review
Audit Questions:
• Does top management conduct periodic reviews of the SCSMS?
• Are review inputs documented (audit results, incidents, objectives, KPIs, changes)?
• Are management review outputs documented (decisions, resource commitments)?
• Are action items from management reviews tracked to completion?
Evidence Required: Management review minutes, agenda, action item tracker, review frequency records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Section 10 — Improvement
# | Clause | Requirement | Audit Questions | Evidence Required | Conform? | Findings / Observations

28 | 10.1 | Continual improvement
Audit Questions:
• Is there a systematic approach to identifying improvement opportunities?
• Are improvement initiatives tracked and their effectiveness measured?
• Is the SCSMS continually improved based on performance data, incidents, and audits?
Evidence Required: Improvement register, Kaizen or improvement initiative records, effectiveness review records
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:

29 | 10.2 | Non-conformity and corrective action
Audit Questions:
• Is there a documented process for managing non-conformities?
• Are root causes of non-conformities identified?
• Are corrective actions implemented and effectiveness verified?
• Are lessons learned shared across the organization?
Evidence Required: NCR register, corrective action reports, root cause analysis records, effectiveness review evidence
Conform? ☐ Y ☐ N ☐ NA ☐ P
Findings / Observations:
Audit Summary & Disposition
Metric | Total Checked | Conformant (Y) | Non-Conformant (N) | Partial (P) | Not Applicable (NA)
Checklist Items | | | | |

Overall Audit Conclusion: ☐ Conformant ☐ Conditionally Conformant ☐ Non-Conformant
Major Non-Conformities:
Minor Non-Conformities:
Opportunities for Improvement:
Positive Observations / Strengths:
Recommended Actions / Follow-up Date:

Signatures
Lead Auditor Name & Signature:
Auditee Representative:
Date of Report:
