Seguridad y cadena

ISO 28000

The international standard that protects your supply chain against theft, fraud, sabotage and operational disruptions. Applicable to any organisation that moves or manages goods, regardless of size or sector.

StandardISO 28000:2022
Estimated duration4-8 months
Target profileLogistics, transport, warehousing, industry

The 2022 edition of ISO 28000 broadened the scope of the original standard (2007): it is no longer limited to the supply chain in the strict sense, but covers every aspect of organisational security — people, physical assets, information, critical facilities and operational continuity. It adopts the High-Level Structure (HLS) shared by ISO 9001, ISO 27001 and ISO 22301, which makes integration with management systems already in place considerably easier. Transitioning from the 2007 edition is, in most cases, a process of documentary and scope adaptation, not a complete overhaul.

The problem it solves is concrete: companies that operate complex supply chains — logistics operators, distributors, manufacturers with multiple suppliers, freight forwarders, cargo transport companies — accumulate security risks that conventional quality audits do not cover. Theft in transit, cargo tampering, unauthorised access to warehouses, identity fraud in deliveries, or pressure from major clients who require security standards from their suppliers: all of these risk vectors receive a systematic response in ISO 28000:2022. For many medium-sized companies in the logistics sector, holding the certificate is also an explicit requirement to access large-account clients or public transport contracts.

Summum Calidad guides the entire process: from the initial gap diagnosis and risk assessment specific to your operation, through to implementation of the documentary system, training of internal teams, and preparation for the external audit with an accredited certification body (AENOR, Bureau Veritas, SGS or another of your choice). We are consultants, not certification bodies; the certificate is issued by a third party accredited by ENAC. With offices in Castilla y León (Valladolid, Burgos, Palencia, Aranda de Duero) and Las Palmas, and more than ~200 ISO certifications supported since 2007, we bring the standard to companies that need results, not bureaucracy.

The ISO 28000 process.

The process · four stages
01

Security diagnosis

We analyse your current supply chain: goods flows, transfer points, physical and logical access, existing controls and historical incidents. We identify gaps against ISO 28000:2022 and prioritise risks by impact and probability.

02

Management system design

We define the security policy, system scope and operational controls: access control procedures, critical supplier management, incident response plans, asset classification, and security team roles and responsibilities.

03

Implementation and training

We roll out the documentary system, train the staff involved — warehouse managers, logistics, procurement, physical security — and support the first round of incident response exercises and drills as required by the standard.

04

Internal audit and certification

We carry out a full internal audit to detect non-conformities before the certification audit. We prepare the dossier, coordinate with the certification body and accompany the Stage 1 and Stage 2 audits through to certificate issuance.

What is included

What ISO 28000 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Security risk analysis

    Threat and vulnerability assessment methodology specific to your type of operation: transport, warehousing, manufacturing or logistics intermediation.

  • Security policy and objectives

    Framework document aligned with the business strategy and applicable legal requirements (private security, data protection, transport regulations).

  • Operational control procedures

    Physical and logical access control, identity verification at delivery, visitor management, sealing and custody of high-value goods.

  • Supplier and subcontractor management

    Security-focused supplier selection and evaluation criteria, contractual clauses and performance monitoring across the extended supply chain.

  • Incident response plan

    Action protocols for theft, fraud, accidents or security threats, including internal communication channels, notification to authorities and incident recording.

  • Internal audit and management review

    Annual internal audit programme and formal management review of the system, with security performance indicators and continuous improvement plans.

Summum cluster

How it connects with its sisters.

Supply chain security is strengthened by combining ISO 28000 with business continuity management (ISO 22301, also at Summum Calidad) and, where digital assets are involved, with managed cybersecurity from Summum Sistemas.

Frequently asked questions about ISO 28000.

What is the difference between ISO 28000:2007 and ISO 28000:2022?

The 2022 edition adopts the ISO High-Level Structure (HLS), making integration with other standards such as ISO 9001 or ISO 27001 much easier. The scope is broadened: it is no longer limited to the supply chain strictly defined, but covers every aspect of organisational security. The substantive requirements do not change radically, but the structure is clearer and the language is harmonised with the rest of the ISO ecosystem.

What types of companies get certified to ISO 28000?

Logistics operators, cargo transport companies (road, sea, air), distributors, manufacturers with complex supply chains, freight forwarders, customs agents, and companies handling high-value or sensitive goods. It is also relevant for industrial companies that require documented security standards from their suppliers.

Is ISO 28000 certification mandatory?

It is not a legally mandatory standard in Spain as a general rule. However, many major clients — especially in the automotive, pharmaceutical or defence sectors — require it as a supplier approval condition. It can also be a differentiating factor in public transport and logistics tenders.

How long does it take to implement ISO 28000?

It depends on the size and complexity of the organisation and the security systems already in place. For a medium-sized company (50-200 employees) with no prior system, the full process through to the certification audit typically takes between 4 and 8 months. If ISO 9001 or ISO 22301 is already implemented, the timeline can be reduced significantly.

Does Summum Calidad issue the ISO 28000 certificate?

No. Summum Calidad is an implementation consultancy: we guide your organisation through the entire process until you are ready for the audit. The certificate is issued by a certification body accredited by ENAC (AENOR, Bureau Veritas, SGS, TÜV Rheinland or others). You choose the certifier; we prepare you to pass with confidence.