ISO 28000 — Supply Chain Security Management: A Complete Consultation Guide
Quick Reference
| Standard/Topic | Latest Version | Published By | Typical Duration | Difficulty Level |
|---|---|---|---|---|
| ISO 28000 — Security and Resilience: Security Management Systems | ISO 28000:2022 | International Organization for Standardization (ISO) | 7–11 months | Intermediate–Advanced |
Introduction
Modern supply chains are longer, faster, and more interconnected than at any time in history. They cross borders, touch hundreds of suppliers, and depend on a global ecosystem of carriers, terminals, customs authorities, and digital systems. They are also more exposed: by industry estimates, cargo theft losses topped USD 35 billion globally in 2024, container disruption from geopolitical events cost shippers an estimated USD 80 billion in detention and demurrage charges, and cyber-physical attacks on logistics platforms have moved from novelty to monthly occurrence. For senior leaders, supply chain security is no longer optional; it can be the difference between operating and being shut down.
ISO 28000, fully revised in 2022, codifies what robust supply chain security management looks like. It defines the requirements for a security management system (SMS) covering the full spectrum of supply chain activities: production, storage, transport, handling, customs, finance, information flows, and personnel. The 2022 edition aligns with the Harmonized Structure and broadens the scope from logistics-only to the wider security and resilience family of standards (ISO 22301, ISO 22320, ISO 31000, ISO 22318).
This consultation guide is written for security directors, supply chain leaders, customs and trade compliance officers, port and terminal operators, freight forwarders, third-party logistics (3PL) providers, manufacturers, and exporters. It explains scope, key requirements, a practical consultation methodology, certification, common pitfalls, and the strategic benefits that flow from credible ISO 28000 conformance. Whether you ship containers, parcels, pharmaceuticals, hazardous materials, or high-value electronics, this guide will help you build a defensible, certifiable SMS that strengthens both security and competitive position.
Scope & Application
ISO 28000 applies to any organization participating in or supporting a supply chain. Typical adopters include:
- Manufacturers and exporters (electronics, pharmaceuticals, defence goods, automotive)
- Freight forwarders and customs brokers
- 3PL and 4PL logistics providers
- Shipping lines and air cargo carriers
- Port and terminal operators
- Warehousing and distribution operators
- Postal and parcel networks
- Retailers with international sourcing footprints
- Energy and commodity traders
- High-value cargo specialists (jewellery, precious metals, art)
Organizational size is not a limiting factor. While very large 3PLs and global manufacturers were among the early adopters, mid-sized enterprises increasingly certify because customers demand it. A regional manufacturer of active pharmaceutical ingredients (APIs), for example, may need ISO 28000 simply to remain on the approved supplier list of multinational pharma companies.
ISO 28000 integrates well with related standards and trusted-trader programmes. Common combinations include:
- ISO 9001 for quality
- ISO 45001 for safety
- ISO 27001 for information security
- ISO 22301 for business continuity
- ISO 31000 for risk
- AEO (Authorized Economic Operator) programmes — many customs authorities recognize ISO 28000 as evidence supporting AEO certification
- C-TPAT (US Customs Trade Partnership Against Terrorism): ISO 28000 controls map closely onto the C-TPAT Minimum Security Criteria, although membership itself is granted by US Customs and Border Protection, not by an ISO certificate
Because ISO 28000:2022 follows the Harmonized Structure, organizations with an existing integrated management system (IMS) can integrate it without duplicating clauses 4 to 10 (context, leadership, planning, support, operation, performance evaluation, improvement). The standard's risk-based approach scales naturally from a single warehouse to a global supply network.
Key Requirements / Core Concepts
ISO 28000:2022 follows the standard ten-clause architecture. Its distinctive substance lies in the breadth of threat scope, the depth of risk assessment, and the integration with resilience.
Threat Scope
Unlike narrower physical-security standards, ISO 28000 covers a wide threat landscape:
| Threat Domain | Examples |
|---|---|
| Physical | Theft, hijacking, sabotage, intrusion |
| Personnel | Insider threat, fraud, collusion |
| Cyber-physical | OT/IoT compromise, GPS spoofing, ransomware |
| Geopolitical | Sanctions, port closures, conflict zones |
| Environmental | Climate disruption affecting routes |
| Compliance | Customs violations, sanctions breaches |
| Counterfeit and tampering | Brand protection, anti-counterfeit, seal integrity |
Security Policy and Objectives
Top management must publish a security policy aligned with organizational objectives, then translate it into measurable objectives at functional and site level.
💡 Pro Tip: Avoid the common error of writing a security policy that is indistinguishable from a corporate values statement. Auditors look for explicit references to threat domains, supply chain partners, and resilience outcomes.
Risk Assessment Methodology
The 2022 edition calls for a structured, repeatable risk assessment and, in line with ISO 31000, does not prescribe a single method. In practice the assessment combines likelihood, consequence, and vulnerability for each node (site, partner, system) and each link (transport leg, data flow) in the chain. Many organizations use bow-tie analysis or a threat-vulnerability-asset (TVA) framework; whichever is chosen, the scoring scales and thresholds must be written down so that two assessors reach the same score for the same node.
💡 Pro Tip: Map your supply chain physically and digitally before you assess risk. Many organizations discover routes, sub-contractors, or data flows they did not know existed—and these unknowns are usually the highest-risk nodes.
Operational Controls
Required controls span:
- Personnel screening and vetting
- Site and facility security
- Conveyance security (vehicles, vessels, aircraft, containers)
- Cargo handling and chain-of-custody
- Information and data security
- Business partner security requirements
- Incident management and recovery
- Customs and trade compliance
Business Partner Security
ISO 28000 explicitly requires the organization to manage the security performance of upstream and downstream partners. This means contracts, audits, and monitoring extend to suppliers, sub-contractors, and intermediaries.
💡 Pro Tip: Build a tiered supplier security framework driven by risk and cargo value (these assurance tiers are separate from the supply-chain tiers 1/2/3 in the glossary, which describe how far a supplier sits from your organization). Highest-risk, highest-value partners get full on-site audits; the middle tier gets self-assessment plus spot checks; the lowest tier gets contractual obligations only. This is realistic and audit-defensible, provided the tiering criteria are documented and each partner's tier is recorded in the risk register.
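The risk assessment method described above and the tiering rule in this tip are easiest to see on a small register. The following is an added example written for this guide; it is not code from ISO 28000, from any GRC platform, or from the page's authors. The scoring model (likelihood x consequence x vulnerability, each on a 1 to 5 scale), the tier thresholds, and every node, link and cargo value are constructed assumptions. Two things it shows that the prose does not: an unassessed element (the sub-haulier found during mapping) is scored at worst case rather than left blank, so it rises to the top of the list instead of disappearing from it, and the partner tier is derived from the register rather than decided ad hoc.

```python
"""Supply-chain risk register: score every node and link, rank them, tier partners.

Added example for this guide; not code from ISO 28000 or any vendor platform.
The scoring model (likelihood x consequence x vulnerability, each 1-5) and all
nodes, links, values and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SCALE = range(1, 6)   # 1 (lowest) .. 5 (highest) for each factor
UNASSESSED = 5        # an unscored factor is treated as worst case until assessed


@dataclass(frozen=True)
class Element:
    """A node (site, partner, system) or a link (transport leg) in the chain."""
    name: str
    kind: str                          # "site", "partner", "system" or "link"
    likelihood: Optional[int] = None
    consequence: Optional[int] = None
    vulnerability: Optional[int] = None
    annual_value: float = 0.0          # cargo value handled per year (partners only)

    def factors(self) -> List[int]:
        out = []
        for f in (self.likelihood, self.consequence, self.vulnerability):
            f = UNASSESSED if f is None else f
            if f not in SCALE:
                raise ValueError(f"{self.name}: factor {f} outside the 1-5 scale")
            out.append(f)
        return out

    def assessed(self) -> bool:
        return None not in (self.likelihood, self.consequence, self.vulnerability)

    def risk(self) -> int:
        l, c, v = self.factors()
        return l * c * v               # 1 .. 125


def link(src: str, dst: str, mode: str, l: int, c: int, v: int) -> Element:
    return Element(f"{src} -> {dst} ({mode})", "link", l, c, v)


def build_register() -> List[Element]:
    """Constructed mini supply chain. The sub-haulier was discovered during
    mapping and nobody has scored it yet, so it defaults to 5 x 5 x 5 = 125."""
    return [
        Element("Plant-Hanoi", "site", 2, 4, 2),
        Element("Forwarder-X", "partner", 3, 4, 3, annual_value=8_000_000),
        Element("Sub-haulier (unmapped)", "partner"),
        Element("Terminal-Rotterdam", "site", 2, 5, 2),
        Element("Customs-Broker-Y", "partner", 2, 3, 2, annual_value=1_000_000),
        Element("Packaging-Supplier-Z", "partner", 3, 3, 3, annual_value=500_000),
        Element("WMS", "system", 3, 4, 4),
        link("Plant-Hanoi", "Forwarder-X", "road", 4, 4, 3),
        link("Forwarder-X", "Terminal-Rotterdam", "sea", 2, 5, 2),
    ]


def ranked(register: List[Element]) -> List[Element]:
    """Highest risk first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda e: (-e.risk(), e.name))


def partner_tier(risk: int, annual_value: float,
                 value_threshold: float = 5_000_000) -> str:
    """Assurance tier: A = full on-site audit, B = self-assessment plus spot
    checks, C = contractual obligations only. Thresholds are assumptions:
    64 is 4x4x4 and 27 is 3x3x3 on the 1-5 scales."""
    if risk >= 64 or (risk >= 27 and annual_value >= value_threshold):
        return "A"
    if risk >= 27:
        return "B"
    return "C"


def tier_partners(register: List[Element]) -> Dict[str, str]:
    return {e.name: partner_tier(e.risk(), e.annual_value)
            for e in register if e.kind == "partner"}


def unassessed(register: List[Element]) -> List[str]:
    """Elements still carrying a worst-case default: score them, do not ignore them."""
    return [e.name for e in register if not e.assessed()]


if __name__ == "__main__":
    reg = build_register()
    for e in ranked(reg)[:5]:
        print(f"{e.risk():>4}  {e.kind:<8} {e.name}")
    print("partner tiers:", tier_partners(reg))
    print("still unassessed:", unassessed(reg))
```

Run stand-alone, the register puts the unmapped sub-haulier first (125), then the road leg and the warehouse management system (48 each), and tiers Forwarder-X as A on value rather than on raw score. A real register carries the same fields per element plus the control owner, the evidence reference and the review date; the multiplication itself is the least important part.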
Performance Evaluation
KPIs typically include:
- Loss-event frequency and severity
- Mean time to detect (MTTD) and respond (MTTR) to incidents
- Supplier security audit closure rate
- Personnel screening compliance
- Container or seal integrity rate
- Customs compliance rate
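The KPIs above only mean something if they are computed from event records rather than estimated at review time. The block below is an added example for this guide, not code from ISO 28000 or any GRC product: it derives the seal integrity rate from per-shipment custody events (flagging both a seal that no longer matches the one applied and a re-seal with no authorisation record), and MTTD, MTTR, loss-event frequency and finding closure rate from incident and audit records. All custody events, incidents and findings are constructed, and the record layouts are assumptions chosen for the example. Note that an incident still awaiting response is reported as open rather than silently averaged into MTTR.

```python
"""SMS performance KPIs computed from event records.

Added example for this guide; not code from ISO 28000 or any GRC product.
All custody events, incidents and audit findings below are constructed, and
the record formats are assumptions chosen for the example.
"""
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Custody event: (shipment, checkpoint, seal seen on arrival, seal present on
# departure, re-seal authorised?). None = no seal seen / nothing applied.
CUSTODY: List[Tuple[str, str, Optional[str], Optional[str], bool]] = [
    ("SHP-1", "origin",   None,    "S-100", False),
    ("SHP-1", "terminal", "S-100", "S-100", False),
    ("SHP-1", "dest",     "S-100", None,    False),
    ("SHP-2", "origin",   None,    "S-200", False),
    ("SHP-2", "customs",  "S-200", "S-201", True),    # authorised re-seal after inspection
    ("SHP-2", "dest",     "S-201", None,    False),
    ("SHP-3", "origin",   None,    "S-300", False),
    ("SHP-3", "dest",     "S-999", None,    False),   # seal on arrival is not the one applied
    ("SHP-4", "origin",   None,    "S-400", False),
    ("SHP-4", "hub",      "S-400", "S-450", False),   # re-sealed with no authorisation record
    ("SHP-4", "dest",     "S-450", None,    False),
]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Incident: occurred, detected, responded (None = still open), loss event?
INCIDENTS = [
    {"id": "INC-1", "occurred": ts("2024-03-01T08:00"), "detected": ts("2024-03-01T10:00"),
     "responded": ts("2024-03-01T11:30"), "loss": True},
    {"id": "INC-2", "occurred": ts("2024-03-05T22:00"), "detected": ts("2024-03-06T06:00"),
     "responded": ts("2024-03-06T07:00"), "loss": False},   # near miss, no loss
    {"id": "INC-3", "occurred": ts("2024-03-10T12:00"), "detected": ts("2024-03-10T13:00"),
     "responded": None, "loss": True},                      # response still open
]
FINDINGS = [("F-1", "closed"), ("F-2", "closed"), ("F-3", "open"), ("F-4", "closed")]
SHIPMENTS_HANDLED = 2500   # constructed shipment count for the same period


def seal_integrity(events) -> Dict[str, bool]:
    """True per shipment when every seal seen matches the last one applied and
    every seal change has an authorisation record."""
    expected: Dict[str, Optional[str]] = {}
    intact: Dict[str, bool] = {}
    for shipment, _checkpoint, seen, applied, authorised in events:
        intact.setdefault(shipment, True)
        exp = expected.get(shipment)
        if exp is not None and seen != exp:
            intact[shipment] = False          # seal missing or swapped in transit
        if applied is not None and applied != seen:
            if seen is not None and not authorised:
                intact[shipment] = False      # seal changed without authorisation
            expected[shipment] = applied      # initial seal or authorised re-seal
    return intact


def hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mttd_hours(incidents) -> float:
    return mean(hours(i["occurred"], i["detected"]) for i in incidents)


def mttr_hours(incidents) -> Optional[float]:
    """Responded incidents only; open ones are counted separately, not averaged in."""
    done = [hours(i["detected"], i["responded"]) for i in incidents if i["responded"]]
    return mean(done) if done else None


def loss_event_rate(incidents, shipments: int) -> float:
    return sum(1 for i in incidents if i["loss"]) / shipments


def finding_closure_rate(findings) -> float:
    return sum(1 for _, status in findings if status == "closed") / len(findings)


def kpi_report() -> Dict[str, object]:
    intact = seal_integrity(CUSTODY)
    return {
        "seal_integrity_rate": sum(intact.values()) / len(intact),
        "seal_breaches": sorted(s for s, ok in intact.items() if not ok),
        "mttd_hours": mttd_hours(INCIDENTS),
        "mttr_hours": mttr_hours(INCIDENTS),
        "open_incidents": sum(1 for i in INCIDENTS if i["responded"] is None),
        "loss_event_rate": loss_event_rate(INCIDENTS, SHIPMENTS_HANDLED),
        "finding_closure_rate": finding_closure_rate(FINDINGS),
    }


if __name__ == "__main__":
    for k, v in kpi_report().items():
        print(f"{k:<22} {v}")
```

On the constructed data two of four shipments fail the seal check (SHP-3 arrives under a different seal, SHP-4 was re-sealed at the hub with no authorisation), MTTD is 3.67 hours, MTTR 1.25 hours with one incident still open, and three of four findings are closed. The seal logic is the part worth copying: a seal number that "looks fine" at destination proves nothing unless every change along the way is tied to an authorisation record.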
Documented Information
The SMS requires policy, scope, risk assessments, control procedures, partner agreements, training records, incident logs, internal audits, and management review records.
Consultation Approach
A credible ISO 28000 consultation engagement is part security architecture, part management systems, and part change management. Consultants typically follow a four-phase methodology.
Phase 1 — Discovery and Threat Assessment (Weeks 1–6)
Activities include supply chain mapping, threat intelligence review, vulnerability assessment, regulatory landscape, and stakeholder interviews. Output: an SMS baseline and a heat-mapped gap analysis against ISO 28000.
Phase 2 — Design (Weeks 7–16)
The consultant facilitates the design of the security policy, risk methodology, control framework, partner security requirements, and incident response plans.
Phase 3 — Implementation (Weeks 17–32)
Controls are deployed across sites, partners are onboarded, training is delivered, and KPI dashboards are launched. This is also where physical, personnel, and cyber-physical controls are tested.
Phase 4 — Assurance and Certification (Weeks 33–44)
Internal audits across nodes, management review, corrective action, and external certification.
Implementation Roadmap
| Phase | Duration | Key Activities | Primary Deliverable |
|---|---|---|---|
| Phase 1 | Weeks 1–6 | Supply chain mapping, threat assessment, gap analysis | Baseline report |
| Phase 2 | Weeks 7–16 | Policy, risk framework, control design | SMS documentation suite |
| Phase 3 | Weeks 17–32 | Site rollout, partner onboarding, training | Operational SMS live |
| Phase 4 | Weeks 33–44 | Internal audit, management review, certification | ISO 28000 certificate |
Documentation Essentials
- Security policy
- Scope and applicability statement
- Threat and risk assessment methodology and registers
- Site security plans
- Partner security requirements and contracts
- Incident response plan
- Training and awareness programme
- Internal audit programme
- Management review records
⚠️ Warning: Avoid the temptation to certify only the head office while leaving operating sites out of scope. Certification bodies reject narrow scopes that exclude the operational nodes where security risk actually lives.
Certification Process
Certification follows the two-stage audit model (Stage 1 and Stage 2) used across ISO management system standards, within a three-year cycle.
Step 1 — CB Selection. Choose a certification body (CB) accredited for ISO 28000 by an accreditation body that is a signatory to the IAF MLA, and confirm that the CB's accreditation scope actually covers ISO 28000. Many CBs in this space also offer combined audits with ISO 22301 or support for AEO applications.
Step 2 — Stage 1 Audit. Documentation review focusing on the policy, risk methodology, scope, and control framework. Duration: 2–4 days.
Step 3 — Stage 2 Audit. Site visits across sampled supply chain nodes, interviews with personnel, testing of controls, review of incident records, and supplier audit evidence. Duration: 5–12 days depending on geographic spread.
Step 4 — Findings Closure. Common nonconformities cluster in three areas: weak partner security oversight, inadequate cyber-physical coverage, and insufficient evidence of management review on security performance.
Step 5 — Certification. A three-year certificate is issued once major nonconformities have been closed and verified and corrective action plans for minor ones have been accepted.
Step 6 — Surveillance and Recertification. Annual surveillance audits validate that the SMS continues to operate effectively, and recertification follows at year three. The cycle reinforces continual improvement, particularly important in a domain where threats evolve rapidly.
ISO 28000 certification is increasingly used as supporting evidence for customs trusted-trader programmes and large-shipper procurement frameworks. Organizations frequently align their certification cycle with AEO renewal dates to maximize regulatory leverage.
Common Challenges & Solutions
Challenge 1 — Incomplete Supply Chain Visibility. Problem: Tier-2 and tier-3 suppliers are unknown. Solution: Conduct a structured visibility programme using digital mapping platforms. Outcome: Defensible scope and risk picture.
Challenge 2 — Cyber-Physical Blind Spots. Problem: OT and IoT devices in warehouses, terminals, and vehicles are unmanaged. Solution: Extend information security controls into the operational technology environment. Outcome: Reduced ransomware and spoofing exposure.
Challenge 3 — Partner Resistance. Problem: Suppliers refuse audits or push back on security requirements. Solution: Use commercial leverage (contracts, RFP scoring) and tier the requirements proportionately. Outcome: Stronger supply chain security culture.
Challenge 4 — Static Risk Assessments. Problem: Risk assessments are completed once and never updated. Solution: Build a dynamic risk register tied to threat intelligence and incident learnings. Outcome: Living, defensible risk management.
Challenge 5 — Incident Underreporting. Problem: Front-line staff hide near-misses. Solution: Implement a no-blame reporting culture and make reporting easy via mobile apps. Outcome: Better data, faster learning.
Benefits
ISO 28000 certification delivers measurable improvements in loss prevention, customer trust, regulatory standing, and operational resilience. It also unlocks commercial advantages, particularly with customers who require certified suppliers in their tendering processes.
Benefits Matrix
| Horizon | Operational | Strategic |
|---|---|---|
| Short-term (0–12 months) | Reduced cargo loss, faster incident response, fewer compliance findings | Stronger customer trust, AEO support |
| Long-term (1–5 years) | Lower insurance costs, fewer disruptions, better partner alignment | Premium tendering position, M&A resilience, ESG advantage |
Key Takeaway Infographic (Description)
A horizontal supply chain timeline runs across the page: Source → Make → Move → Store → Deliver. Above the timeline, a shield labeled ISO 28000 SMS protects each node. Below, a continuous bar labeled Risk Intelligence, Partner Assurance, Incident Management underpins the system. Surrounding arrows show data flows in and out, illustrating that security is a continuous, intelligence-driven discipline rather than a static perimeter.
Tools & Resources
- GRC platforms: ServiceNow GRC, OneTrust, MetricStream, RSA Archer
- Supply chain visibility platforms: project44, FourKites, Shippeo, Sourcemap
- Threat intelligence: BSI SCREEN, Everstream Analytics (which absorbed Riskpulse and Resilience360), Flashpoint
- Security operations: Genetec, Milestone, AXIS, smart-seal vendors (TydenBrooks, ECSI)
- Reference texts: Supply Chain Risk Management by Gregory Schlegel; The Resilient Enterprise by Yossi Sheffi
- Frameworks: ISO 28001, ISO 28002, AEO Compendium, C-TPAT MSCs, TAPA FSR/TSR
📥 Downloadable Checklist: ISO Xpert hosts the ISO 28000 Readiness Checklist and the Supplier Security Self-Assessment Pack.
✅ Checklist: Before the Stage 1 audit you need a published policy, an approved scope, a documented risk methodology with registers per node, and partner security requirements embedded in contracts; before Stage 2 you also need an incident response plan tested in the last 12 months, an internal audit covering all in-scope sites, and a management review with documented outputs.
Case Study
Pacific Apex Logistics — a fictional regional 3PL with 1,800 employees operating eight cross-dock terminals and managing 14,000 cross-border shipments per year — engaged a consulting team after losing two large pharmaceutical contracts that required ISO 28000 certification.
Before: Security was managed by a small team focused on warehouse perimeter and CCTV. Cyber-physical controls were minimal. Partner security was unverified. The annual loss event rate stood at 1.3 percent of shipments, and insurance premiums had risen 22 percent over two years.
After: A 10-month consultation programme delivered an aligned policy, a node-by-node risk register, a tiered supplier security framework, OT security controls in all eight terminals, mandatory training for 100 percent of operational staff, and an incident-response capability tested through tabletop exercises. Within 12 months, the loss event rate fell to 0.4 percent, two former customers returned, and Pacific Apex achieved ISO 28000 certification under an accredited CB. Insurance premiums dropped 11 percent, and the company secured AEO equivalency in its primary jurisdiction.
Lessons learned: Engaging the chief information officer early closed the cyber-physical gap that purely physical-security teams had missed. Tiering supplier expectations made the partner programme realistic and durable. Lastly, the visible support of the CEO at a town-hall launch event signaled that security was a strategic priority rather than a cost center.
Conclusion
ISO 28000 transforms supply chain security from a reactive cost center into a strategic capability that protects revenue, reputation, and resilience. A structured consultation programme—anchored in threat intelligence, risk assessment, partner assurance, and incident readiness—delivers measurable improvements in loss prevention, customer trust, and regulatory standing.
Build the internal capability you need. The ISO Xpert ISO 28000 Lead Consultant programme equips security, supply chain, and compliance professionals with the methods, templates, and toolkits required to deliver and sustain certifiable security management systems. Visit https://iso-xpert.com/courses/iso-28000 to enrol or to request a tailored consulting proposal.
FAQ
Q1: How is ISO 28000:2022 different from the 2007 edition? The 2022 edition aligns with the Harmonized Structure, broadens scope from logistics-only to the wider security and resilience family, and strengthens cyber-physical and partner security expectations.
Q2: Is ISO 28000 mandatory? No, but it is increasingly required by customers, customs authorities, and insurers.
Q3: Does ISO 28000 cover cybersecurity? It covers cyber-physical security and information security as they relate to the supply chain. For full information security, combine it with ISO 27001.
Q4: How does ISO 28000 support AEO certification? Many customs authorities accept ISO 28000 evidence as supporting documentation for AEO applications and renewals.
Q5: Can ISO 28000 cover only one site? Technically yes, but most CBs and customers expect a meaningful operational scope.
Q6: How long does certification take? 7 to 11 months for a mid-sized organization with reasonable starting maturity.
Q7: How does ISO 28000 relate to TAPA standards? TAPA standards cover specific aspects of cargo security (FSR for facilities, TSR for transport). ISO 28000 provides the management system umbrella; many organizations operate both.
Q8 (advanced): How does ISO 28000 handle sanctions and trade compliance? Through the operational controls clause, organizations are expected to maintain trade compliance procedures, screen counterparties against sanctions lists, and maintain audit trails of customs declarations.
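Counterparty screening is the control in this answer that most often fails quietly: exact string comparison misses "LIMITED" versus "Ltd", accented characters and aliases, and a screening run with no record of which list version was used is worthless at a customs audit. The block below is an added example for this guide, not code from ISO 28000, from any customs authority or from any screening product. It normalises names (case, accents, punctuation, legal-form words), compares token sets against list names and aliases, applies a hit/review/clear decision, and emits one audit record per screening. The list entries, aliases, counterparties, the 0.8 threshold and the review band are constructed assumptions; a real programme screens against the official lists and tunes thresholds on its own data.

```python
"""Counterparty screening against a sanctions list, with an audit trail.

Added example for this guide; not code from ISO 28000, any customs authority
or any screening product. List entries, aliases, counterparties, the 0.8 hit
threshold and the 0.3 review band are constructed assumptions.
"""
import json
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# Legal-form words that add no identifying information (assumed list).
STOPWORDS = {"ltd", "limited", "llc", "inc", "co", "company", "gmbh",
             "sa", "the", "corp", "corporation", "plc"}


def normalise(name: str) -> Set[str]:
    """Lower-case, strip accents and punctuation, drop legal-form noise words."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return {t for t in tokens if t not in STOPWORDS}


def jaccard(a: Set[str], b: Set[str]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


@dataclass
class ListEntry:
    uid: str
    name: str
    aliases: List[str] = field(default_factory=list)
    programme: str = ""

    def variants(self) -> List[str]:
        return [self.name] + self.aliases


# Constructed list; not real designations.
SANCTIONS_LIST = [
    ListEntry("X-001", "Nordwind Freight Services Ltd",
              ["Nordwind Freight", "NFS Logistics"], "demo-programme"),
    ListEntry("X-002", "Société Maritime Azur SA", ["Azur Maritime"], "demo-programme"),
]


def screen(counterparty: str, entries: List[ListEntry], threshold: float = 0.8,
           review_band: float = 0.3) -> Dict[str, object]:
    """Best match across names and aliases; 'hit' at or above threshold,
    'review' within review_band below it, otherwise 'clear'."""
    cp = normalise(counterparty)
    best: Dict[str, object] = {"uid": None, "matched": None, "score": 0.0}
    for entry in entries:
        for variant in entry.variants():
            s = jaccard(cp, normalise(variant))
            if s > float(best["score"]):
                best = {"uid": entry.uid, "matched": variant, "score": s}
    score = float(best["score"])
    if score >= threshold:
        decision = "hit"        # hold the transaction pending compliance sign-off
    elif score >= threshold - review_band:
        decision = "review"     # route to a compliance analyst
    else:
        decision = "clear"
    return {"counterparty": counterparty, "decision": decision, **best}


def screen_batch(counterparties: List[str], entries: List[ListEntry],
                 list_version: str, screened_by: str) -> List[Dict[str, object]]:
    """One audit record per counterparty: result, who screened, which list
    version, and when. These records are the evidence an auditor asks for."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [{**screen(c, entries), "list_version": list_version,
             "screened_by": screened_by, "screened_at": stamp} for c in counterparties]


def audit_lines(records: List[Dict[str, object]]) -> str:
    """JSON lines suitable for an append-only log."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    batch = screen_batch(
        ["NORDWIND FREIGHT SERVICES LIMITED", "Nordwind Freight & Co.",
         "Societe Maritime Azur", "Azur Maritime Trading", "Pacific Apex Logistics"],
        SANCTIONS_LIST, list_version="demo-2024-03-01", screened_by="tc-officer-1")
    print(audit_lines(batch))
```

Three of the five constructed names are hits (different legal form, an alias match, and an unaccented spelling), "Azur Maritime Trading" lands in the review band, and the case study's 3PL clears. Token-set matching is deliberately simple; what matters for the control is that the decision, the list version and the operator are written down every time, and that "review" results are worked rather than left to expire.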
Q9 (advanced): How does ISO 28000 interact with ESG due diligence regulations? Recent regulations such as the EU CSDDD and the German LkSG require supply chain due diligence. ISO 28000 provides the security and resilience layer, which is one of several due diligence dimensions.
Glossary
- AEO: Authorized Economic Operator (customs trusted-trader programme).
- Bow-Tie Analysis: Risk visualization combining threats, top events, consequences, and controls.
- Chain of Custody: Documented control of cargo from origin to destination.
- C-TPAT: Customs Trade Partnership Against Terrorism (US programme).
- Cyber-Physical: Convergence of digital and physical security.
- GRC: Governance, Risk, and Compliance platform.
- MTTD: Mean Time to Detect.
- MTTR: Mean Time to Respond.
- OT: Operational Technology.
- SMS: Security Management System.
- Supply Chain Visibility: Capability to see assets, flows, and partners end to end.
- TAPA: Transported Asset Protection Association.
- Threat Intelligence: Curated information on adversaries and risks.
- TVA: Threat-Vulnerability-Asset risk model.
- Tier 1/2/3 Supplier: Direct, indirect, and sub-tier suppliers.
References & Further Reading
- ISO 28000:2022 — https://www.iso.org/standard/79612.html
- World Customs Organization — SAFE Framework — https://www.wcoomd.org
- TAPA EMEA — https://tapaemea.org
- BSI Supply Chain Solutions — https://www.bsigroup.com/supply-chain
- ENISA Supply Chain Threat Landscape — https://www.enisa.europa.eu
- ISO Xpert — ISO 28000 Lead Consultant Course — https://iso-xpert.com/courses/iso-28000-lead-consultant
- ISO Xpert — Supply Chain Risk Management Foundation — https://iso-xpert.com/courses/supply-chain-risk-management
- ISO Xpert — Security Resilience Auditor Programme — https://iso-xpert.com/courses/security-resilience-auditor
About the Author
Written by ISO Xpert Consultants — a senior team of certified security professionals, customs experts, and IRCA-registered Lead Auditors. Credentials include CPP (Certified Protection Professional), CSCP (Certified Supply Chain Professional), CISM, MCIPS, and Lead Auditor (ISO 28000, ISO 22301, ISO 27001). Our consultants have led ISO 28000 implementations across global manufacturers, 3PLs, port operators, and pharmaceutical exporters in more than 40 countries.
Related Articles
- ISO 22301 — Business Continuity Management: A Complete Implementation Guide
- ISO 27001 — Information Security Management: A Complete Implementation Guide
- ISO 31000 — Risk Management: A Complete Implementation Guide
- ISO 9001 — Quality Management Systems: A Complete Consultation Guide
- ISO 30301 — Records Management Systems: A Complete Implementation Guide