ISO 28000

ISO 28000:2007 (Specification for security management systems for the supply chain) is an International Organization for Standardization standard specifying requirements for a security management system, particularly one dealing with security assurance in the supply chain. Parts of the standard are considered publicly available, while the entire specification can be purchased from the International Organization for Standardization.


ISO 28000:2007 was developed to codify operations of security within the broader supply chain management system. The PDCA management systems structure was adopted in developing ISO 28000:2007 to bring the elements of this standard in congruence with related standards such as ISO 9001:2000 and ISO 14001:2004.[1][2]

Improved risk management integration

The development of an international standard addressing security risk management improves the broader interface with existing enterprise risk management in a common integrated platform. This integrated approach to risk management is often employed to better coordinate cross-functional risk management mechanisms, improve performance measurement, ensure continual improvement and reduce misalignment of risk management objectives between silos.[3]


ISO 28000:2007 was developed such that organizations of varying scale could apply the standard to supply chains of various degrees of complexity.

The general rationale for organizations to adopt ISO 28000:2007 pertains to:

  • developing a security management system,
  • internal compliance with objectives of a security management policy,
  • external compliance with best practice benchmarks,
  • ISO accreditation.


Adopting the ISO 28000 has broad strategic, organisational and operational benefits that are realized throughout supply chains and business practices.[4]

Benefits include, but are not limited to:

  • Integrated enterprise resilience
  • Systematised management practices
  • Enhanced credibility and brand recognition
  • Aligned terminology and conceptual usage
  • Improved supply chain performance
  • Benchmarking against internationally recognisable criteria
  • Greater compliance processes


ISO 28000:2007 is a certifiable standard.[5]

References

  1. ISO 28004:2007 Guidelines for implementation of ISO 28000
  2. Siegal, M. Standards Changing the World of Security Professionals. ASIS International: Virtual Seminar. 2008
  3. Integrated Risk Management
  4. Building SRM into Business Practice
  5. ISO 28000:2007 Specifications for security risk management systems for the supply chain
Annex SL

Annex SL is a section of the ISO/IEC Directives, Part 1, that prescribes how ISO Management System Standards (MSS) should be written. The aim of Annex SL is to enhance the consistency and alignment of MSS by providing a unifying, agreed-upon high-level structure, identical core text, and common terms and core definitions, so that all ISO Type A MSS (and Type B where appropriate) are aligned and their compatibility is enhanced.

Before 2012, the various standards for management systems were written in different ways. Several attempts had been made since the late 1990s to harmonize the way these standards are written, but the first group that succeeded in reaching an agreement was the Joint Technical Coordination Group (JTCG) set up by the ISO Technical Management Board.

Various technical committees within ISO are currently working on revising all MSS published before Annex SL was adopted. Many standards already follow Annex SL, such as ISO 9001 and ISO 14001.

Bolaji Akinola

Bolaji Akinola is a Nigerian maritime expert, spokesperson of the Seaport Terminal Operators Association of Nigeria and the Chief Executive Officer of Ships and Ports Communication.

DP World

DP World is a global port operator that was founded in 2005 by a merger of Dubai Ports Authority and Dubai Ports International.

DQS Holding GmbH

DQS Holding GmbH, based in Frankfurt am Main, is the holding company of the worldwide DQS Group. The group provides assessments and certifications of management systems and processes of any type.

ISO/TC 292

ISO/TC 292 Security and resilience is a technical committee of the International Organization for Standardization formed in 2015 to develop standards in the area of security and resilience.

In June 2014 the Technical Management Board of ISO (TMB) took the decision to create a new ISO technical committee, ISO/TC 292, into which three existing committees were merged. The official starting date for the work of TC 292 was 2015-01-01, when the three committees were disbanded and their work incorporated into ISO/TC 292. The committee was also assigned responsibility for the area of supply chain security, including the ISO 28000 series previously developed by ISO/TC 8.

The creation of ISO/TC 292 clarifies ISO's structural organization on security matters, and prepares ISO to tackle future topics in this field by creating a de facto coordination body within the TC central structure. This structure is optimized to limit and prevent conflict or duplication of work. It will assist public administrations and authorities with a general interest and protective mission in optimizing their participation in ISO's work in this sector. Non-profit organizations with limited resources will also benefit from this simplified structure.

The following committees were merged into ISO/TC 292:

  • ISO/TC 223 Societal security (2001-2014)
  • ISO/TC 247 Fraud countermeasures and controls (2009-2014)
  • ISO/PC 284 Management system for quality of PSC operations (2013-2014)

ISO 31000

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes, replacing the myriad existing standards, methodologies and paradigms that differed between industries, subject matters and regions.

Currently, the ISO 31000 family is expected to include:

  • ISO 31000:2009 – Principles and Guidelines on Implementation
  • ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
  • ISO Guide 73:2009 – Risk Management – Vocabulary

ISO also designed its ISO 21500 Guidance on Project Management standard to align with ISO 31000:2009.

Indian Register Quality Systems

Indian Register Quality Systems (IRQS) is an Indian company that specializes in implementing quality management systems and training companies on these certifications. IRQS is a department functioning under its parent organisation, the Indian Register of Shipping (IRS), which was formed as a public limited company.

List of International Organization for Standardization standards

This is a list of published International Organization for Standardization (ISO) standards and other deliverables. For a complete and up-to-date list of all the ISO standards, see the ISO catalogue. The standards are protected by copyright and most of them must be purchased. However, about 300 of the standards produced by ISO and IEC's Joint Technical Committee 1 (JTC1) have been made freely and publicly available.

List of International Organization for Standardization standards, 28000-29999

Risk assessment

Broadly speaking, a risk assessment is the combined effort of (1) identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e., risk analysis); and (2) making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors (i.e., risk evaluation). Put in simpler terms, a risk assessment analyzes what can go wrong, how likely it is to happen, what the potential consequences are, and how tolerable the identified risk is. As part of this process, the resulting determination of risk may be expressed in a quantitative or qualitative fashion. The risk assessment is an inherent part of an overall risk management strategy, which attempts, after a risk assessment, to "introduce control measures to eliminate or reduce" any potential risk-related consequences.

Supply-chain security

Supply-chain security refers to efforts to enhance the security of the supply chain, the transport and logistics system for the world's cargo. It combines traditional practices of supply-chain management with the security requirements driven by threats such as terrorism, piracy, and theft.

Typical supply-chain security activities include:

  • Credentialing of participants in the supply chain
  • Screening and validating the contents of cargo being shipped
  • Advance notification of the contents to the destination country
  • Ensuring the security of cargo while in transit via the use of locks and tamper-proof seals
  • Inspecting cargo on entry

Total security management

Total Security Management (TSM) is the business practice of developing and implementing comprehensive risk management and security practices for a firm's entire value chain. This business process improvement strategy seeks to create added value for companies by managing security and resilience requirements as core business functions rather than as reactionary expenditures. TSM implementation involves a thorough evaluation of key internal and external stakeholders, distribution channels, and policies and procedures in terms of a firm's level of preparedness for a variety of disruptive events.

TSM encourages companies to manage security initiatives as investments with a measurable return and seeks to transform security from a net cost to a net benefit. In applying TSM, the theory holds that companies may be able to realize cost savings, improve business processes, reduce theft, enhance asset management, increase brand equity and goodwill, and improve preparedness and resiliency.

This page is based on Wikipedia articles written by their respective authors.
Text is available under the CC BY-SA 3.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.