AEO alignment.
AEO programmes — EU, UK, Indian Customs, US C-TPAT — recognise ISO 28000 as evidence of security management. Certification often shortens AEO application timelines materially.
A security management system for the supply chain — risk-based controls over physical, informational, and personnel threats, audited against the revised 2022 standard.
ISO 28000 specifies the requirements for a security management system, including aspects critical to the security assurance of the supply chain. The 2022 revision substantially rewrote the original 2007 standard, adopting the harmonised high-level structure used across ISO management-system standards and broadening the scope beyond purely physical goods movement to include security of assets, information, personnel, and operations across any organisation with a supply chain.
Certification confirms that an organisation has identified its supply-chain security risks, implemented proportionate controls, monitored their performance, and committed leadership to continual improvement. The standard is most visible in logistics and freight, but the 2022 revision explicitly positions it for manufacturers, service providers, and any operation whose continuity depends on secure supply-chain practice.
Freight forwarders, third-party logistics operators, shipping lines, port operators, warehousing and distribution providers, customs brokerages, and manufacturers with complex inbound supply chains. Secondary adopters include defence suppliers, pharmaceutical distributors with cold-chain security obligations, high-value electronics and jewellery logistics operators, and any organisation participating in authorised economic operator schemes.
Large retailers, automotive OEMs, and pharmaceutical companies increasingly list ISO 28000 in their logistics-partner selection criteria.
Formal risk assessment forces the organisation to differentiate high-value, high-sensitivity, and high-risk flows from routine ones, and allocate control accordingly.
The standard aligns well with ISO 22301 (continuity) and ISO 27001 (information security), forming a resilient operations trio for complex logistics businesses.
Cargo insurers and business interruption underwriters routinely price risk on the presence and depth of security management systems.
The IMO's ISPS Code and national port security requirements map comfortably onto a 28000 management system, removing duplication.
Following the 2022 revision, ISO 28000 uses the harmonised high-level structure. Clauses 4 through 7 cover context, leadership, planning, and support. Clause 8 is operational — risk treatment, security awareness, and implementation of controls commensurate with the risk profile across the supply chain. Clause 9 covers evaluation: monitoring, measurement, internal audit, and management review. Clause 10 covers non-conformity and continual improvement.
Annex A provides principles and guidance for implementation, including types of threats that the security management system should contemplate — unauthorised access, theft, tampering, smuggling, terrorism, sabotage, cyber threats affecting supply-chain assets, and the consequences of these events on operations. Organisations define their own scope and risk profile; the standard avoids prescribing controls because supply-chain risk varies so much by sector and geography.
Define the supply-chain scope, identify threat categories relevant to your operations, and baseline existing security practice against the standard.
Asset-by-asset, flow-by-flow risk assessment — physical goods, information, personnel, infrastructure — with treatment decisions that the board will stand behind.
Implementation of proportionate controls: physical security, access control, personnel vetting, cargo inspection, information security, incident response. Calibrated to the risk assessment, not a template library.
Full internal audit plus a security incident tabletop and, where relevant, a live drill. Management review conducted to the depth a Stage 2 auditor will apply.
Attendance at Stage 1 and Stage 2, findings response, and surveillance support. For combined 28000 + 22301 engagements, a unified audit programme is our default.
A logistics or distribution operator with existing security practice and known customer security expectations typically reaches Stage 2 in ten to sixteen weeks. Manufacturing organisations pursuing 28000 as part of a broader resilience programme — alongside 22301 or 27001 — typically run to sixteen to twenty weeks for the combined scope.
Fees depend on site count, flow complexity, number of sub-contractor parties in scope, and whether combined certification is pursued. Certification body fees are separate.
Yes. Most customs authorities operating AEO schemes accept ISO 28000 evidence as a substantial accelerator of the AEO application. The two are not equivalent, but a certified 28000 system typically leaves only customs-specific gaps to close.
The 2022 revision deliberately broadened scope beyond logistics. Any organisation whose continuity depends on secure supply-chain practice can benefit — pharmaceutical manufacturers, defence suppliers, and high-value goods producers are growing adoption segments.
ISO 22301 is business continuity — what the organisation does when things break. ISO 28000 is security management — the measures that reduce the chance of things breaking in the first place. Complementary, frequently integrated.
The standard requires proportionate personnel security controls. Whether that translates to formal background checks depends on the risk assessment and the jurisdiction's employment law. We calibrate both rather than imposing a universal standard.
Yes — scope is organisational choice, provided it is coherent and clearly stated on the certificate. Carving out transport but retaining warehousing is common where transport is contracted out.
Business impact analysis, continuity plans, and rehearsed recovery — ready for the worst day.
Information security management aligned to Annex A controls, ready for customer and regulator scrutiny.
Embed a quality management system that customers, regulators, and auditors recognise on sight.
Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.