ISO 28000:2022, Security and resilience – Security management systems – Requirements, is a management system standard published by International Organization for Standardization that specifies requirements of a security management system particularly dealing with security assurance in the supply chain.
The standard was originally developed by ISO/TC 8 on "Ships and maritime technology" and published in 2007. In 2015 the responsibility for the ISO 28000 series was transferred to ISO/TC 292 on "Security and resilience", who in 2019 decided to start a revision. A justification study for the revision was accepted by ISO TMB (Technical Management Board). The revised version of ISO 28000 was published on March 15, 2022.
Similar to other management system standards by ISO, the requirements specified in ISO 28000 are generic and intended to be applicable to all organizations, regardless of type, size, and industry. However, the extent of applicability of the requirements depends on the organization's environment and complexity.
ISO 28000:2022 is divided into 10 main clauses and has adopted the high-level structure and standardized text set out by Annex L.
The standard is divided as follows:
ISO 28000:2007 was developed to codify operations of security within the broader supply chain management system. The PDCA management systems structure was adopted in developing ISO 28000:2007 to bring the elements of this standard in congruence with related standards such as ISO 9001:2000 and ISO 14001:2004.
ISO 28000:2007 includes the following main clauses:
Annex A Correspondence between ISO 28000:2007, ISO 14001:2004 and ISO 9001:2000
Adopting the ISO 28000 has broad strategic, organisational and operational benefits that are realized throughout supply chains and business practices.
Benefits include, but are not limited to:
The development of an international standard addressing security risk management improves the broader interface with existing enterprise risk management in a common integrated platform. This integrated approach to risk management is often employed to better coordinate cross functional risk management mechanisms, improve performance measurement, ensure continual improvement and reducing misalignment of risk management objectives between silos.
ISO 28000:2007 was developed such that organizations of varying scale could apply the standard to supply chains of various degrees of complexity.
The general rational for an organization to adopt ISO 28000:2007 pertains to:
ISO 28000:2007 is a certifiable standard. In 2016, the countries with the highest number of certificates were India (425), Japan (299), Spain (231), US (223) and UK (197).
ISO 28000 was originally developed as a Publicly Available Specification by ISO technical committee ISO/TC 8 on Ships and marine technology  and published in 2005. In 2007, ISO/PAS 28000:2005 was withdrawn and replaced by a full ISO standard under the title ISO 28000:2007. In 2014, ISO 28000:2007 was reviewed and confirmed.
In 2015, ISO/TC 292 Security and resilience took over the responsibility of the standard and decided later in 2019 to initiate a revision of the standard.
|2007||ISO 28000 (1st edition)|
|2022||ISO 28000 (2nd edition)|
ISO 28000 is the first of a series of ISO security management standards including:
((cite web)): CS1 maint: archived copy as title (link)