According to the justification study approved by the ISO TMB (Technical Management Board), the purpose of the standard is
»to provide requirements of managing security for an organization including, but not limited to security of the supply chain«.
ISO 28000 is a management system standard which includes certifiable requirements in the same way as the well-known ISO 9001 on quality management. In 2016, the countries with the highest number of ISO 28000 certificates were:
- India (425)
- Japan (299)
- Spain (231)
ISO/TC 8 on “Ships and marine technology” was responsible for the earlier versions of ISO 28000, but now the work has been moved to ISO/TC 292 which has established a Working Group (WG 8) responsible for the revision of the whole ISO 28000 series. As the current version of the standard is rather old, it is one of the few management system standards left that has not yet been updated in accordance with the high-level structure (»HLS«) outlined in the ISO Directives Annex SL. Therefore, the primary objective of the revision is to align the standard with the HLS. At the same time, the objective is to avoid, as far as possible, new requirements as they might be burdensome to the end-user already certified according to ISO 28000.
The project leader for the revision of ISO 28000, Dr. Frank Herdmann from Germany, explains:
“The revision was supported by the experts in Working Group 8 working hard in the virtual meetings developing the draft from the skeleton document to the CD within a relatively short period. The CD ballot will hopefully show that the outcome will be a standard of wide applicability and usefulness to industry. It will be a step forward for the security of organizations as a whole (including the supply chain) and – together with ISO 22301 – contribute to the resilience of organizations.”
Besides updating the standard to the mandatory High Level Structure specified in Annex SL, the Committee Draft includes various improvements that will
- ensure that applicable legal, regulatory and other requirements related to the organization’s security are identified and taken into account,
- list and explain the eight principles of security management that shall be applied,
- ensure that externally provided processes that affect the conformity with the security management system shall be controlled,
- explain the requirements of a proactive risk assessment and treatment,
- explain what to take into account when establishing and reviewing security objectives and in planning changes to the security management system,
- be more precise on documented information.
Also, in clause 8, the standard will clarify what shall be considered in
- identifying processes and activities relevant for security management
- risk assessment and treatment related to the security of the organization with regard to controls
- identifying and selecting strategies and treatments
- determining resource requirements and implementation of treatments
- implementing a response structure related to security, imminent security threats and ongoing security violations as well as the content of a security plan
- establishing a process to restore the organization’s security.
This will align the standard with the other management system standards of TC 292, in particular with ISO 22301 dealing with business continuity. This ensures compatibility of ISO’s two most important standards contributing to the resilience of an organization and facilitates the integrated use of both standards, allowing for synergies within the organization.
Experts are still able to join Working Group 8, work on the finalization of this project and contribute to the other implementing standards in the series, by contacting their National Standards Body.