ISO 28000:2007 | Key Steps to Achieve ISO 28000 Certification!

TUV Austria Bureau of Inspection & Certification (Pvt.) Ltd.

ISO 28000:2007 Supply Chain Security Management System

What is ISO 28000:2007 Supply Chain Security Management System?

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to the security assurance of the supply chain. Security management is linked to many other parts of business management. Factors include all activities controlled or influenced by organizations that impact supply chain security.


These aspects should be considered directly, where and when they affect security management, including the transport of goods along the supply chain. ISO 28000 is an International Standard that enables organizations to establish an overall supply chain security management system. It was developed to codify security operations within the broader supply chain management system.

ISO 28000 addresses the requirements and aspects critical to security assurance of the supply chain. It enables organizations to determine whether appropriate security measures are in place to protect their property from threats such as terrorism, fraud, and piracy.

  • It is a risk-based approach to the management system.
  • It is based on the ISO format adopted by ISO 14001:2015, the Environmental Management System (EMS) standard.
  • Existing process-based management systems, e.g., ISO 9001, may be used as a foundation for the security management system.

It is based on the methodology known as Plan-Do-Check-Act (PDCA):

  1. Plan: Establish the objectives and process.
  2. Do: Implement the process.
  3. Check: Monitor and measure the process.
  4. Act: Take actions to continually improve the security management system.

Which Organizations Is ISO 28000 Suitable For?

ISO 28000:2007 applies to organizations of all sizes, from small to multinational, in manufacturing, service, storage, or transportation at any stage of the production or supply chain, that wish to:

  • Establish, implement, maintain and improve a security management system
  • Assure conformance with the stated security management policy
  • Demonstrate such conformance to others
  • Seek certification/registration of its security management system by an accredited third-party certification body, or make a self-determination and self-declaration.

There are legislative and regulatory codes that address some of the requirements in this standard.

The standard does not intend to require a duplicative demonstration of conformance with those codes.

Organizations that choose third-party certification can further demonstrate that they contribute significantly to supply chain security.

What are the Benefits of ISO 28000 During COVID-19?

1). Managing Risk

  • Risk management is a fundamental corporate activity and is essential for organizations to operate effectively and efficiently.
  • ISO 28000 takes a programmatic and business-centric approach to risk management, helping you manage security risk throughout your organization and supply chain during the pandemic.
  • The standard promotes risk management as a central component of effective management and allows organizations to strengthen their processes within supply chain management.

2). Competitive Advantage

  • ISO 28000 provides an unambiguous demonstration that an organization takes its security seriously and that its customers can expect it to protect the security of their goods.
  • Companies that embrace this standard gain a clear-cut competitive advantage by demonstrating their commitment to security where it matters most.
  • Companies will benefit through increased market share and a greater degree of customer retention compared to their competitors.

3). Financial Performance

  • The ISO 28000 standard allows management to target specific resources where they are needed during the pandemic.
  • Companies implementing this standard will very quickly be able to identify wasteful and inefficient resource management practices. Identifying such practices is crucial to improving the company's financial performance, especially when it is already facing losses due to the lockdown.
  • Implementing the ISO 28000 standard reduces expenses by cutting the number of supply chain security incidents, saving costs and increasing accountability at all levels.

4). Increase in Profits

  • Attract more clients by minimizing the threats of fraud and piracy, thus improving efficiency overall.
  • Greater customer trust, due to assured security in the supply chain, improves customer service and company productivity, leading to increased profits.
  • Time is money: the reduced lead-time variance that ISO 28000 brings lowers costs and avoids larger losses for the company.

5). Organizational Reputation

  • ISO 28000 assures your partners of the safety of people and the security of goods and services, thus maintaining your reputation during such times.
  • Implementing an SCMS within an organization directly improves levels of safety and security for employees, who will feel more secure during uncertain times.
  • This improves staff satisfaction and retention, which in turn improves customer satisfaction and so builds and maintains the organization's reputation.

6). Management Process Compatibility

  • Implementing ISO 28000 is straightforward because it builds on existing management systems and processes, reducing the time required for implementation, which is essential in times of crisis.
  • It can be integrated with existing, internationally recognized management systems such as ISO 14001 and ISO 9001.

7). Improvement in Operational Management

  • Simplify business during complex times and speed the transport of goods by adopting best security management practices.
  • Companies adopting supply chain security management systems make an organizational commitment to security, effective operational management, and continual improvement.

8). Advertising of Organization

  • In times of crisis, people feel more comfortable doing business with organizations that have a secured supply chain, which leads to new opportunities.
  • ISO 28000 increases the visibility and transparency of information and material flows and provides a competitive edge.
  • Implementation brings better service to the importer and a better response to customer requirements, leading to high satisfaction. High satisfaction levels often increase the chances of positive word of mouth.

9). Scalability

  • The ISO 28000 standard is designed to be flexible, which matters during the pandemic, and can be applied to all tiers of a business, from the head office to a remote warehouse.
  • The standard can be implemented just as effectively by smaller companies as by major international organizations.

What are the ISO 28000 Certification steps?

If your company is seeking certification against this supply chain security standard, you might be overwhelmed figuring out where to start. To help, here is an overview of the steps needed to make sure that nothing is missed during your implementation and preparation for certification.


1). Management Support

This is the most critical step. Without management support, your SCMS implementation will almost certainly fail. Plan your pitch well to convince management that this is a good idea.

2). Establish ISO 28000 Certification Project, Project Plan, and Resources

Determine the deadline by which you need ISO 28000 certification in place. This lets you plan the project backwards from that date and highlights the importance of timelines, including an early start date. Identify the project leader. Identify the products or services to be included in the scope of certification. Do the costing, including implementation and training costs and certification fees.

3). Conduct ISO 28000 Awareness Training

Everyone in scope needs to understand the fundamentals of this standard from A to Z, so training must cover all resources within the scope. This training is delivered in batches by specialists and industry experts. Training records must be maintained as evidence for the certification audit.

4). Identify the ISO 28000 Implementation Team

The implementation can no longer be tasked to a single person or a small group of people in the organization. This standard is premised on risk-based thinking, and risk management must be carried out by the respective departments and functions, so that the heads of departments are the "risk owners."

Therefore, the implementation team would include heads of departments, their deputies, or other critical resources in each function, in addition to the central team.

5). Context, Scope, and Policy

Defining the context, scope, and policy of your supply chain management system will help ensure you know the limits of what needs to be done, so that you do not include areas of your business that do not affect your system.

The essential tool for defining the scope is the dependency matrix, which will be the first document you need to create for the supply chain management system.

6). Risk Assessment and Risk Treatment

Risk assessment and risk treatment are the backbone of ISO 28000; they set the objectives against which performance levels are spot-checked.

In addition, documentation will include the mandatory procedures defined by the SCMS standard and any additional processes and procedures your company requires to ensure consistent and adequate results for the supply chain system.

The main thing is to define all the processes in your company and look at how they interact within your organization. It is in these interactions that problems can occur. The extent of documentation depends on the organization's size, the complexity of its processes, and the competence of its people.

7). Implement ISO 28000 Processes and Procedures

Often, these processes will already be in place at your company and need only be adequately documented. Still, deciding which ones must become documented procedures is essential to ensure compliant products and services.

8). Conduct Internal Auditor Training

The ISO 28000 standard requires the organization to train a team of internal auditors who regularly audit one another's processes. Internal auditors therefore need to be competent, and the organization will need a specialist industry expert to deliver internal auditor training and provide evidence of it.

9). Conduct Internal Audits

Before the lead auditors of the certification body visit to audit your system, ISO 28000 mandates that you audit each process internally. This lets you confirm that the processes are running as planned and gives you the chance to implement corrective actions to fix any problems you find.

10). Closure activities and Corrective Action Reports

This is the step where you find the root cause of any problems identified through your measurements, internal audits, management reviews, deviations from established processes, and customer concerns, and take action to correct that root cause. It is the critical step toward continual improvement.

11). Conduct management reviews

Just as management must support the implementation of ISO 28000, it is also essential that they fully maintain the supply chain system. Top management needs to review specific data from the activities of the supply chain system to ensure that the processes have adequate resources to be effective and to improve.

12). Gap Analysis

Specialist industry experts help the organization with the gap analysis so that gaps identified during the pre-assessment are plugged before the organization proceeds to the certification audit. It is also a crucial step in raising the confidence of the auditees.

13). Choose a Certification Body

This can be a crucial step in determining how effective your implementation is. The certification body is the company that will ultimately audit your supply chain system and decide whether it complies with ISO 28000 requirements and whether it is effective and improving.

14). Operate & Measure the Supply Chain Security Management

During this period you collect the records required in audits to show that your processes meet the requirements set for them and that improvements are being made in your supply chain system as needed. Certification bodies require the system to operate for a certain length of time (generally not less than three months), which they will specify, to ensure that it is mature enough to show compliance.

15). ISO 28000 Certification Audit-Stage 1

This is a review of your documentation by the certification body's auditors to verify that, on paper, you have addressed all the requirements of the ISO 28000 standard.

The auditors will issue a report outlining where you comply and where there are problems, and you will have a chance to implement corrective actions to address them. Stage 1 may take place during the time frame defined for the initial operation of the supply chain system.

16). ISO 28000 Certification Audit-Stage 2

This is the main audit, in which the certification body's auditors review the records you have accumulated by operating your supply chain system processes, including your internal audit records, management reviews, and corrective actions. This review takes several days, after which they issue a report detailing their findings and whether your supply chain system is effective and compliant with ISO 28000 requirements.

The auditors will recommend certification if you meet all requirements. If you have any major non-conformances, you will need to take corrective action for those problems before certification can be recommended.

17). Time to Plan

A good plan helps a lot when you implement ISO 28000 and work toward certification, so take the time to plan and know what resources you need; this will save you time and resources later on.

Why is ISO 28000: 2007 Supply Chain Security Management System Important?

  • ISO 28000 certification demonstrates that you are an asset to your organization.
  • It shows that you are a trustworthy expert.
  • It enables an organization to establish a Security Management System (SMS), ensuring sound management and control of security and of threats from supply chain partners and logistical operations.
  • With ISO 28000 Certification, organizations will gain visibility in the market, improving their profitability and quality.

In addition to ISO 28000:2007 audits, TUV Austria BIC also offers a range of complimentary services:


Is ISO 28000 Applicable to All Organizations, or Is There Any Specification?

ISO 28000 applies to all sizes of organizations, from small to multinational, in manufacturing, service, storage, or transportation at any stage of the production or supply chain.
