The supply chain is today one of the most critical risk vectors for any company that moves goods or depends on external suppliers. A security incident — cargo theft, container tampering, origin fraud — does not only cause direct losses: it can halt production, compromise product integrity and damage a reputation at a time when clients increasingly demand documented guarantees. ISO 28000 is the international standard that addresses this problem: a systematic framework for identifying, assessing and controlling security risks throughout the supply chain, from the first-tier supplier to final delivery to the customer.
What ISO 28000 is and what it covers
The ISO 28000:2022 — «Security and resilience — Security management systems — Requirements» — is the most recent revision of the standard originally published in 2007. This edition adopted the High Level Structure (HLS) common to the entire ISO family (the same as ISO 9001, ISO 14001 or ISO 45001), which greatly facilitates integration with other management systems the organisation already has in place.
Its scope is broad: it applies to any organisation participating in the supply chain, regardless of size or sector. Manufacturers, logistics operators, importers, exporters, port operators, road, maritime or air transport companies, and any critical supplier can benefit from — or be required to — implement this standard.
The central objective is not to eliminate risk (which is impossible), but to proactively manage security risks: identify them before they materialise, define proportionate controls and demonstrate that capability to customers, insurers, customs authorities and other stakeholders.
Difference between ISO 28000 and other supply chain security programmes
There is some confusion between ISO 28000 and programmes such as C-TPAT (Customs-Trade Partnership Against Terrorism, from the USA) or AEO (Authorised Economic Operator, from the European Union). The table below clarifies the main differences:
| Element | ISO 28000:2022 | AEO (EU) | C-TPAT (USA) |
|---|---|---|---|
| Nature | Internationally certifiable standard (ISO) | Public customs authorisation | Voluntary USCBP programme |
| Issuer | ISO / accredited certification body | Customs authority of each EU Member State | U.S. Customs and Border Protection |
| Recognition | Global (ISO) | European Union + bilateral agreements | USA + bilateral agreements |
| HLS compatible | Yes (integrable with ISO 9001, 14001, 45001) | Not a management system | Not a management system |
| Direct customs benefit | Indirect (can support AEO application) | Yes (customs simplifications) | Yes (priority border checks) |
| Periodic audit | Yes, by accredited body | Yes, by customs authorities | Yes, by USCBP |
ISO 28000 and AEO status are complementary, not mutually exclusive. In fact, many companies use the ISO 28000 implementation as a documentary foundation to apply for or maintain AEO authorisation with their national customs authority.
Key requirements of ISO 28000:2022
The standard follows the ten-clause HLS structure. The substantive security management requirements are concentrated in chapters 4 to 10:
Context and interested parties (clause 4)
The organisation must map its complete supply chain: who the actors are (suppliers, carriers, warehouses, customers), what flows of goods, information and money exist, and what legal, contractual or sector requirements apply. Relevant interested parties in security matters must also be identified: customers, customs authorities, insurers, product certifiers.
Leadership and security policy (clause 5)
Top management must assume visible leadership of the system. This translates into a documented security policy, clear assignment of roles and responsibilities, and the guarantee of sufficient resources. Delegating security to the logistics manager is not enough: the standard requires demonstrable executive commitment.
Planning and security risk assessment (clause 6)
This is the technical core of the system. The organisation must carry out a security risk assessment covering at least:
- Physical threats: cargo theft, unauthorised access to facilities, sabotage.
- In-transit threats: route deviation, cargo substitution, container contamination.
- Origin threats: suppliers with deficient controls, high-risk countries or areas.
- Cyber threats with impact on the physical chain: manipulation of tracking systems, electronic document fraud.
- Compliance threats: smuggling, trade-based money laundering.
Identified risks are assessed in terms of probability and impact, then prioritised to define the corresponding controls.
Operation and controls (clause 8)
The standard requires that security controls be planned, documented and verified. Common controls that organisations implement under ISO 28000 include:
- Physical access control to facilities and loading areas.
- Identity verification procedures for carriers and drivers.
- Inspection and sealing of containers and vehicles.
- Selection and evaluation of suppliers with security criteria.
- Documentary traceability of goods (Bill of Lading, packing list, CMR).
- Security incident response plans.
- Training and awareness for own and subcontracted staff.
Performance evaluation and continual improvement (clauses 9 and 10)
The system must be measured: security incident indicators, internal audit results, management review and corrective actions for deviations. Continual improvement is not a slogan: it is a verifiable requirement by the certification body.
Who ISO 28000 applies to in practice
Although any organisation can voluntarily implement ISO 28000, there are profiles where the pressure — contractual, regulatory or market-driven — is more intense:
- Logistics operators and freight forwarders working with large distributors or in foreign trade.
- Industrial manufacturers with international supply chains (automotive, aerospace, defence).
- Port and terminal operators subject to ISPS Code regulation.
- Companies with AEO status seeking to reinforce their management system with a standardised framework.
- First-tier suppliers to customers who contractually require evidence of supply chain security management.
- Food sector companies that must demonstrate cold chain integrity and absence of intentional contamination.
National customs authorities take into account the maturity of supply chain security management systems when granting and renewing AEO status. A company with ISO 28000 implemented and certified starts with a documentary advantage over one that manages security on an ad hoc basis.
Implementation process: from zero to certificate
At Summum Calidad we accompany the implementation of ISO 28000 following a structured process adapted to the size and maturity of each organisation. The typical journey includes the following phases:
Initial diagnosis (gap analysis)
We analyse the current state of security controls against the requirements of the standard. We obtain a clear picture: what is covered, what is missing and what needs to be built from scratch. This phase avoids surprises at the certification audit.
Supply chain mapping and risk assessment
Together with the internal team, we map the flows of goods, money and information. We apply the security risk assessment methodology and prioritise controls according to the organisation's actual exposure level.
System design and implementation
We develop the security policy, operating procedures, supplier selection criteria and incident response plans. We train key staff and review contracts with critical suppliers to include verifiable security clauses.
Internal audit and management review
Before applying for external certification, we carry out a full internal audit that simulates the certification body's perspective. Detected deviations are corrected before the official visit.
Certification by an accredited third party
The certificate is issued by an accredited body (AENOR, Bureau Veritas, SGS, Lloyd's Register or others), not by Summum. Our work is to ensure the organisation arrives at that audit prepared and without surprises.
If the company also needs to integrate ISO 28000 with an existing ISO 9001 or ISO 14001 system, the prior work carried out avoids duplicating documentation and effort: the HLS structure allows sharing policy, objectives, resource management and continual improvement.
Concrete benefits for the company
Implementing ISO 28000 is not an end in itself. The real benefits that justify the investment are:
- Reduction of security incidents: proactive risk identification and control implementation reduce the frequency and impact of theft, damage and fraud in the chain.
- Access to demanding contracts: customers in sectors such as defence, pharmaceuticals, food or automotive increasingly include supply chain security requirements as a supplier qualification condition.
- Support for AEO status: ISO 28000 certification is recognised by customs authorities as evidence of maturity in security management.
- Better conditions with insurers: some transport and logistics insurers apply more favourable premiums to organisations with certified security management systems.
- Customer and partner confidence: holding a certificate from an accredited third party is an objective signal that the organisation manages security systematically, not reactively.
- Foundation for business continuity: supply chain security risk management is a pillar of operational resilience, complementary to ISO 22301.
Frequently asked questions
How long does it take to implement ISO 28000 in an SME?
It depends on the starting point. A company with already documented security controls (for example, because it holds AEO status or works with client protocols) can be ready for the certification audit in four to six months. If security management is informal or non-existent, the process typically requires eight to twelve months. The initial diagnosis is the best way to obtain a realistic estimate for your specific situation.
Is ISO 28000 mandatory in Europe?
It is not a legally binding standard with general scope. However, it can become a de facto obligation through two routes: (1) contractual, if a customer or contracting authority requires it as a qualification condition; (2) indirect regulatory, if the company operates as an Authorised Economic Operator (AEO) or works in sectors with specific supply chain security regulation (dangerous goods transport, food, defence). In those contexts, not having it implemented represents a real competitive disadvantage.
Does ISO 28000 also cover cyber risks in the supply chain?
The 2022 revision expanded the scope of the standard to explicitly include cyber threats with impact on the physical supply chain: manipulation of traceability systems, electronic document fraud, unauthorised access to order management platforms. However, for comprehensive cybersecurity management, ISO 28000 is complemented by ISO 27001 (information security). Both standards are integrable under the HLS structure.
What is the difference between an ISO 28000 system and a simple logistics security plan?
A logistics security plan is a document; an ISO 28000 management system is a cycle of continual improvement. The practical difference lies in the fact that the system includes: periodic risk assessment, measurable security objectives, internal audits, management review and documented corrective actions. Furthermore, it is verified by an accredited external body, which provides objective credibility with customers and authorities. An internal plan, however well written, does not offer that third-party guarantee.