ISO 28000:2007

ISO 28000:2007 is a management system standard developed specifically for logistics companies and organizations that manage supply chain operations. It was first published in 2005 as a Publicly Available Specification by the International Standards Organization and was replaced in 2007 by the full standard, ISO 28000:2007.
ISO 28000:2007 is suitable for all sizes and types of organizations involved in manufacturing, service, storage or transportation that wish to implement and maintain a security management system.

ISO 28000:2007 specifies the requirements for a security management system, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact on supply chain security. These other aspects should be considered directly, where and when they have an impact on security management, including transporting these goods along the supply chain.

A supply chain is a linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport, including transportation, loading information and relevant activities. The supply chain may include raw material manufacturer, intermediate product manufacturer, product manufacturer, wholesalers, distributors, vendors, logistics providers, trucking industries, train transport, air transport, port terminal operators, shipping transport, forwarders, customs agency, accountant and information agency, importing business.

ISO 28000:2007 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wish to:

  • Establish, implement, maintain and improve a security management system;
  • Demonstrate such conformance to others;
  • Seek certification/registration of its security management system by an Accredited third party Certification Body; or
  • Make a self-determination and self-declaration of conformance with ISO 28000:2007.

There are legislative and regulatory codes that address some of the requirements in ISO 28000:2007.

It is not the intention of ISO 28000:2007 to require duplicative demonstration of conformance.

Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.

  • By businesses that are going out to tender for their services.
  • To provide a consistent approach by all service providers in a supply chain.
  • To benchmark supply chain security management.
  • As the basis for an independent assessment.
  • To demonstrate the ability to meet customer requirements.
  • To improve services.
  • Allows security to be managed as a process so that the effectiveness of security management can be measured and improved;
  • Allows management to focus resources and efforts on areas with high-risk concerns (through a security risk assessment);
  • Allows management to benchmark its security management efforts with international standards; and
  • Demonstrates to stakeholders the commitment to enforce systematic security management.

ISO 28000:2007 uses a more pragmatic approach in which the risk levels of your supply chain operations are identified. It enables your organization to perform a risk assessment with supporting management tools (i.e., document controls, key performance indicators, internal audits and training) and applies the controls in accordance with the risk involved.

The framework of ISO 28000:2007 is structurally very similar to the ISO 14001:2004 Environmental Management Systems (EMS) standard. The environmental aspects identification and evaluation process in EMS is analogous to security risk assessment in security management.