Many organizations are experiencing increasing uncertainty and volatility in their security environment, with security issues that affect their objectives. A formal approach to security management can contribute directly to an organization's business capability and credibility and to its resilience. Such an approach should consider all activities, functions and operations that affect the organization's security-related vulnerabilities, imminent security threats and ongoing security violations, including the associated security-related risks. ISO 28000 applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of the organization's security management system.
This second edition of ISO 28000 cancels and replaces the first edition from 2007. The primary objective of the revision was to align the standard with the Harmonized Structure (HS) laid out in the latest version of the ISO/IEC Directives, Annex SL, Appendix 2, for ISO management system standards. This alignment makes the standard fully integrable and easy to use together with other management system standards such as ISO 9001 on quality management or ISO 22301 on business continuity management. Aside from the alignment with the HS, the main changes are:
- recommendations on principles have been added in clause 4 to provide for better coordination with ISO 31000
- recommendations have been added in clause 8 for better consistency with ISO 22301, facilitating the integration of the requirements and recommendations of both standards into one holistic, integrated and sustainable management system. Clause 8 now includes
  - security strategies, procedures, processes and treatments, and
  - security plans.
Dr. Frank Herdmann (Germany), the project leader responsible for the revision of ISO 28000, explains:
"The security management experts in ISO/TC 292/Working Group 8 were working hard to reach consensus ahead of the scheduled time in a difficult environment. Only the first out of seven meetings was a meeting where the group was able to meet in person. All other meetings were held by Zoom, some intentionally, most due to the restrictions of the pandemic. We wrote the new version of the standard for the users who need clarity over the process to protect their organizations from vulnerabilities related to security and imminent security threats or ongoing security violations, including associated security-related risks. People will not need to use intuition or ideas from the internet to provide security. They now will be able to follow global best practice for protecting the organization from disruption."
Like ISO 22301 on business continuity management systems, ISO 28000 contains requirements and therefore remains open for certification. Its title is now aligned with its content, but the standard of course remains applicable to the supply chain as it has been in the past. Existing certificates remain in place, and end users will have no problem having their certificates renewed, as the intention was to keep the requirements of the old version of the standard as intact as possible. The standard now has the modern structure of the HS and has thus graduated to become a full member of the ISO family of management system standards. Its requirements and recommendations can now be fully integrated into any organization's management system.
ISO 28000:2022, Security and resilience – Security management systems – Requirements, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat through the ISO Store or by contacting the Marketing, Communication & Information department.
ISO 28000 – Frequently Asked Questions
1. Why was ISO 28000 revised?
All ISO standards have to be periodically revised to reflect the current collective view of global good practice. To ensure this happens, ISO sets a review cycle of 5 years.
In the case of ISO 28000, the first (and, until now, only) edition was published in 2007 by ISO/TC 8, Ships and marine technology. Since then, the Harmonized Structure in the ISO/IEC Directives, Annex SL, Appendix 2, has been introduced and has become mandatory for all ISO management system standards, and responsibility for the standard has been transferred to ISO/TC 292. Prior to the revision, an ad hoc group came to the consensus that a combination of the experience gained in using the standard and the way we now think about security management created a need to revise the document.
2. The title of ISO 28000 has changed. Does this impact the standard's scope, and does it still apply to all organizations (in scale, type and industry)?
In the context of the revision, ISO ensured that the title of the standard is fully aligned with its content. The scope of the standard remains the same as in the 2007 version. However, the title has been updated to make clear that it covers security management systems and that it applies to ALL organizations, including (but not limited to) organizations in the supply chain.
3. When will the other standards in the 28000 family be revised?
ISO/TC 292/WG 8 has started to investigate end-user needs concerning the revision of the companion standards in the 28000 family. Results are expected to be reported to the Technical Committee at its meeting this summer.
4. My organization is expected to align with ISO 28000; will the revision have an impact on this? If my organization is already certified against the 2007 version, what happens now?
Given that the aim of the revision was not to add new security requirements to ISO 28000 but to update it to the new ISO format for writing management system standards, it is unlikely there will be a significant impact. There is no immediate impact on organizations that are already certified. Organizations will have 3 years to assess the impact of the new edition of the standard. Since the changes have mostly been about bringing it in line with all other management system standards (MSS) such as ISO 9001 and ISO 22301, there should be minimal impact on the certification process.
5. My organization is part way through a certification process using the 2007 version of the standard, will the 2022 version affect that?
No, you will be free to complete the certification process using the previous version and then move to the new version when the certificate requires renewal (after 3 years).
However, considering the age of the old version, you may, in discussion with your certification body, decide to pause the process and continue with the new version instead.
6. Can we still use the 2007 version?
Technically that is possible, though anyone purchasing the standard after the revision will be buying the 2022 version. Moving to the new version will ensure that your security management system continues to be aligned with the latest good practice.