ISO 28000:2007

What is ISO 28000:2007 Supply Chain Security Management System?

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other parts of business management. Factors include all activities controlled or influenced by organizations that impact supply chain security.

ISO 28000:2007 Supply Chain Management

These aspects should be considered directly, where and when they affect security management, including the transport of goods along the supply chain. ISO 28000:2007 is an International Standard that enables organizations to establish an overall supply chain security management system. It was developed to codify security operations within the broader supply chain management system.

It addresses the requirements and aspects critical to security assurance of the supply chain. It enables organizations to determine whether appropriate security measures are in place and to protect their property from threats such as terrorism, fraud, and piracy.

Basis of ISO 28000

  • It is a risk-based approach to the management system.
  • Based on the ISO format adopted by ISO 14001:2015, i.e. Environmental Management System (EMS).
  • Existing process-based management systems, e.g. ISO 9001, may be used as a foundation for the security management system.

Based on the methodology known as Plan-Do-Check-Act (PDCA)

  1. Plan: Establish the objectives and process
  2. Do: Implement the process
  3. Check: Monitor and measure process
  4. Act: Actions to continuously improve the security management system.

Suitable to all organizations that wish to:

ISO 28000:2007 applies to organizations of all sizes, from small to multinational, in manufacturing, service, storage, or transportation at any stage of the production or supply chain that wish to:

  • Establish, implement, maintain and improve a security management system
  • Assure conformance with stated security management policy
  • Demonstrate such conformance to others
  • Seek certification/registration of its security management system by an accredited third-party certification body, or make a self-determination and self-declaration of conformance with ISO 28000:2007.

There are legislative and regulatory codes that address some of the requirements in ISO 28000:2007.

It is not the intention of ISO 28000:2007 to require a duplicative demonstration of conformance.

Organizations that choose third-party certification can further demonstrate that they are contributing significantly to supply chain security.

ISO 28000:2007 Benefits to your Organization During COVID-19

Managing Risk

  • Risk management is a fundamental corporate activity and is essential for organizations to operate effectively and efficiently.
  • Manage security risk throughout your organization and supply chain during these pandemic times as ISO 28000 takes a programmatic and business-centric approach to risk management.
  • The standard promotes risk management as a central component of effective management and allows organizations to stimulate their processes within supply chain management.

Competitive Advantage

  • ISO 28000 provides an unambiguous demonstration that an organization takes not only its security seriously but also the security of goods its customers expect it to protect.
  • Companies that embrace ISO 28000 stand to gain a clear-cut competitive advantage over their competitors through the clear demonstration of their commitment to security.
  • Companies will benefit through increased market share and a greater degree of customer retention compared to their competitors.

Financial Performance

  • The standard allows management to target specific resources during such pandemic times.
  • Companies implementing ISO 28000 will very quickly be able to identify wasteful and inefficient resource management practices. Identifying such practices is crucial, especially when the company is already facing losses due to lockdown, to improve its financial performance.
  • Implementation of this standard will decrease expenses by reducing supply chain insecurity cases, resulting in cost savings and an increased level of accountability at all levels.

Increase in Profits

  • Increase the number of clients by minimizing the threats of fraud and piracy, thus improving efficiency overall.
  • More trust from customers due to assured security in the supply chain, improving customer service and company productivity and leading to an increase in profits.
  • Time is money, and a reduction in lead time variance due to ISO 28000 will reduce costs and avoid a more significant loss to the company.

Organizational Reputation 

  • ISO 28000 assures the safety of people and the security of goods and services to your partners, thus maintaining reputation during such times.
  • It improves levels of safety and security for employees, as the implementation of ISO 28000 within an organization directly improves those levels. Employees will feel more secure during such insecure times.
  • It will impact staff satisfaction and retention levels, which will impact customer satisfaction, thus improving and maintaining its organizational reputation.

Management Process Compatibility

  • Implementation of ISO 28000 is hassle-free as it considers existing management systems and processes, reducing the time required for implementation, an essential component during such times of crisis.
  • It can be integrated into the existing internationally recognized quality management processes of ISO 14001 and ISO 9001.

Improvement in Operational Management

  • Simplify business during such complex times and advance the transport of goods by targeting best security management practices.
  • Companies adopting ISO 28000 make an organizational commitment to security and effective operational management, and continual improvement.

Advertising of Organization

  • In times of crisis, people will feel more comfortable operating with organizations with a secured supply chain leading to new opportunities.
  • ISO 28000 will lead to higher visibility of information and material flows, greater transparency, and a competitive edge.
  • Implementation will bring better service to the importer and better reaction to customer requirements leading to a high satisfaction level. High satisfaction levels often increase the chances of the spread of word of mouth.


  • ISO 28000 is specially designed to be flexible during such pandemic times and can be applied to all tiers of a business, from the head office to a remote warehouse.
  • The standard can be implemented equally effectively for smaller companies, just like for major international organizations.

What are the ISO 28000 Certification steps?

If your company is looking for ISO 28000 Certification of its Supply Chain Security System, you might be overwhelmed with figuring out where to start. To help with this, here is an overview of the steps needed to make sure that nothing is missed during your implementation and preparation for certification.

Management Support

It is the most critical step. Without the support of management, your implementation of ISO 28000 will almost certainly fail. Plan your sales pitch well to convince your management that ISO 28000 is a good idea.

Establish ISO 28000 Certification Project, Project Plan, and Resources

Determine the cut-off date by which you need to have ISO 28000 certification in place. This lets you plan the project backward from that date and highlights the importance of timelines, including an early start date. Identify the project leader. Identify the products or services to be included in the scope of ISO 28000 certification. Do the costing; it includes implementation and training costs as well as certification fees.

Conduct ISO 28000 Awareness Training

Training is required to cover the fundamentals of ISO 28000 from A to Z, so all resources within the scope need to be covered. This training is imparted in batches by specialists and industry experts. Training records need to be maintained as evidence for the ISO 28000 certification audit.

Identify the ISO 28000 Implementation Team

ISO 28000 implementation can no longer be tasked to a single person or a small group of persons in the organization. The ISO 28000 standard is premised on risk-based thinking, and risk management must be done by the respective departments and functions, so that the heads of the departments are the “Risk Owners.” Therefore, the implementation team should include heads of departments, their deputies, or other critical resources in each function, in addition to the central team.

Context, Scope, and Policy

Defining the context, scope, and policy of your supply chain security management system will help ensure you know the limits of what needs to be done, so that you do not include areas of your business that do not affect your system. The essential tool for defining the scope is the dependency matrix, which will be the first document you need to create for the supply chain security management system.

Risk Assessment and Risk Treatment

Risk assessment and risk treatment are the backbone of ISO 28000; the objectives derived from them help you conduct dipstick checks of performance levels. In addition, documentation will include the mandatory procedures defined by the ISO 28000 standard and any additional processes and procedures required by your company to ensure consistent and adequate results for the supply chain system.

The main task is to define all the processes in your company and look at how they interact with one another. It is in these interactions that problems can occur. The extent of documentation depends on the organization’s size, the complexity of its processes, and the competence of its people.

Implement ISO 28000 Processes and Procedures

Often, these processes will already be in place at your company and will only need to be adequately documented as procedures. Still, it is essential to decide which ones need to be documented to ensure compliant products and services.

Conduct ISO 28000 Internal Auditor Training

The ISO 28000 standard requires the organization to train a team of internal auditors who regularly perform cross-audits of one another's functions. Internal auditors therefore need to be competent. The organization will need a specialist industry expert to impart ISO 28000 internal auditor training, with records kept as evidence.

Conduct ISO 28000 Internal Audits

Before the lead auditors of the certification body visit to audit your system, ISO 28000 mandates that you audit each process internally. This gives you a chance to make sure that the processes are working as you had planned. You will also have a chance to implement the necessary corrective actions to fix any problems that you find.

Closure activities and Corrective Action Reports

This is the step where you find the root cause of any problems found during your measurements, internal audits, management review, deviations from established processes, and customer concerns, and take action to correct that root cause. It is the critical step toward continual improvement, which is the focus of an ISO 28000 system.

Conduct ISO 28000 management reviews

Just as management must support the implementation of ISO 28000, it is also essential that they are fully involved in maintaining the supply chain security system. Top management needs to review specific data from the activities of the system to ensure that its processes have adequate resources to be effective and to improve.

ISO 28000 Gap Analysis

Specialist industry experts help the organization with a gap analysis, so that gaps identified during the pre-assessment are plugged before the organization proceeds to the certification audit. It is also a crucial step in raising the confidence level of the auditees.

Choose a Certification Body

This can be a crucial step in determining how effective your implementation is. The certification body is the company that will ultimately audit your supply chain security system and decide whether it complies with ISO 28000 requirements and whether it is effective and improving.

Operate & Measure the Supply Chain Security Management

During this period you collect the records required in audits to show that your processes meet the requirements set out for them and that improvements are being made to your supply chain security system as needed. Certification bodies require this to happen over a certain length of time (generally not less than three months), which they will specify, to ensure that the system is mature enough to demonstrate compliance.

ISO 28000 Certification Audit-Stage 1

This is a review of your documentation by the certification body auditors to verify that, on paper, you have addressed all the requirements of the ISO 28000 standard. The auditors will issue a report outlining where you comply and where there are problems, and you will have a chance to implement corrective actions to address those problems. It may take place during the time frame defined for the initial operation of the supply chain security system.

ISO 28000 Certification Audit-Stage 2

This is the main audit, in which the certification body auditors review the records you have accumulated by operating your supply chain security system processes, including your internal audit records, management review, and corrective actions. This review will take several days, after which they issue a report detailing their findings and whether they have found your system effective and compliant with the ISO 28000 requirements. The auditors will also make a recommendation for certification if you meet all requirements. However, if there are any significant non-conformances, you will need to take corrective action for those problems before certification can be recommended.

Time to Plan

A good plan will help a lot when you implement ISO 28000 and work toward certification, so do take the time to plan and know what resources you need; this will save you time and resources later on.

Why is ISO 28000:2007 Supply Chain Security Management System Important?

  • ISO 28000 Certification demonstrates that you are an asset to your organization
  • It specifies that you are a trustworthy expert.
  • Enables an organization to establish a Security Management System (SMS), ensuring sound management and control of security and threats from supply chain partners and logistical operations.
  • With ISO 28000 Certification, organizations will gain visibility in the market, improving their profitability and quality.

Why Choose TUV Austria Bureau of Inspection & Certification For Implementing ISO 28000 Requirements

Some of the leading international accreditation bodies have accredited TUV Austria Bureau of Inspection & Certification to offer certification to a vast range of industry sectors. For certification services, TUV Austria BIC is the preferred brand across multiple industry sectors.

Local regulatory authorities such as the Pakistan National Accreditation Council (PNAC) and the Pakistan Engineering Council (PEC) also recognize TUV Austria Bureau of Inspection & Certification as a leading certification and inspection body in Pakistan. TUV Austria BIC has earned global respect for its approach and service quality through its highly trained and experienced consultants. Our professional auditors work with clients to ensure that the requirements are maintained and continuously improved to meet customers’ expectations and the law.

In addition to ISO 28000:2007 audits, we also offer a range of complementary services:


Is ISO 28000 Applicable to All Organizations or is There Any Specification?

ISO 28000 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage, or transportation at any stage of the production or supply chain.

Would you mind sending an Enquiry so we can assist you in getting certified?
