ISO 28000 focuses on the aspects critical to managing and assuring security in the supply chain. This may include financing, manufacturing, information management and transportation, in-transit storage and warehousing of goods.
It specifies the elements that help an organization assess security threats and manage them as they arise in its supply chain. Security management is related to other aspects of business management. With ISO 28000, organizations can determine whether appropriate security measures are in place and can protect their property from various threats.
ISO 28000:2007 was initially developed so that organizations of varying scale could apply the standard to their supply chains of various degrees of complexity. Now, after the revision, ISO 28000:2022 can be applied beyond the supply chain to all aspects of the organization.
This second edition of ISO 28000 cancels and replaces the first edition from 2007. The primary objective of the revision was to align the standard with the Harmonized Structure (HS) laid out in the ISO Directives Annex SL Appendix 2 for ISO management system standards in its latest version. This alignment makes the standard fully integrable and easy to use together with other management system standards such as ISO 9001 on quality management or ISO 22301 for business continuity management.
The structure of ISO 28000 for supply chains is organized into the following main areas:
Security Management Plan Defined
Security Management Plan Implemented
Security Management Plan Assessment and Audit
Security Management Plan Finding Communication, Recommendations, and Solution Implementations
Context of the organization
During an audit, the organization needs to determine the external and internal issues that are relevant to its purpose and that affect its ability to achieve the expected outcomes of its Disaster Recovery/Business Continuity Plan, including defining:
The organization's activities, functions, services, products, partnerships, supply chains, relationships with interested parties, and the potential impact related to an incident
Links between the business continuity policy and the organization's objectives and other policies, including its overall risk management strategy
The level of risk the organization can assume
The needs and expectations of relevant interested parties
Legal, regulatory and other requirements to which the organization subscribes
Leadership
Top management needs to show an ongoing commitment to the Disaster Recovery/Business Continuity Processes. Through its leadership and actions, management can create an environment in which different actors are fully involved and in which the management system can operate effectively in synergy with the objectives of the organization.
Leadership responsibilities include:
Ensuring the Supply Chain Security Management System is compatible with the strategic direction of the organization
Integrating the Supply Chain Security Management System requirements into the organization's business processes
Providing the necessary resources for the Supply Chain Security Management System
Communicating the importance of effective disaster recovery and business continuity management
Ensuring that the Supply Chain Security Management System achieves its expected outcomes
Directing and supporting continual improvement
Establishing and communicating a disaster recovery and business continuity policy
Ensuring that Supply Chain Security Management System objectives and plans are established
Ensuring that the responsibilities and authorities for relevant roles are assigned
Planning
This is the process where the organization shows that it has defined strategic objectives and guiding principles for the Supply Chain Security Management System as a whole. The objectives of a Supply Chain Security Management System are the expression of the organization's intent to treat the risks identified and/or to comply with the requirements of organizational needs. The planning objectives must:
Be consistent with the disaster recovery and business continuity policy
Take into account the minimum level of products and services that is acceptable to the organization to achieve its objectives
Create and apply metrics
Take into account applicable requirements
Be reviewed constantly and updated as appropriate