The scope of ISO 28000 states that the standard provides requirements of managing security for an organization including, but not limited to security of the supply chain. ISO 28000 includes certifiable requirements and is classified as a Management System Standard (same as ISO 9001 on Quality management and ISO 14001 on Environmental management).
ISO 28000 is applicable to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies and non-profit organizations) which intend to establish, implement, maintain and improve a security management system. It provides a common approach and is not industry or sector specific.
ISO 28000 gives broad strategic, organizational and operational benefits that are realized throughout supply chains and business practices. The benefits of implementing ISO 28000 includes:
- Integrated enterprise resilience
- Systematized management practices
- Enhanced credibility and brand recognition
- Aligned terminology and conceptual usage
- Improved supply chain performance
- Benchmarking against internationally recognizable criteria
- Greater compliance processes
ISO 28000 was originally developed in 2007 by ISO/TC 8 on “Ships and marine technology” but the responsibility was moved to ISO/TC 292 on “Security and resilience” when this committee was created to develop security related standards.
What is new?
At the previous ballot (Committee Draft), ISO 28000 received an approval rate of 93 % from the ISO members. After resolving the comments provided at three virtual meetings it was forwarded to ISO for DIS.
One of the primary objectives for the revision of ISO 28000 was to align it to the “High Level Structure” for Management Systems Standards (MSS) and make sure it has the same format as for example ISO 9001. ISO 28000 is in fact one of the very last standards to be revised into this new, but also mandatory structure, which ISO has developed to enhance the consistency and alignment of MSS by providing a unifying and agreed-upon high level structure, identical core text and common terms and core definitions.
- Scope
- Normative references
- Terms and definitions
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Improvement
Even though the structure is very different from the 2007 version and the text might look significantly changed, the core text for the scope is basically as it was in the prior version and the intension has been to keep the requirements from the old version as intact as possible.
There are two main changes compared with the previous edition as follows:
- Recommendations on principles have been added in clause 4 to give better coordination with ISO 31000 on “Risk Management” and some other management system standards such as ISO 9001 on “Quality management” and ISO 55001 on “Asset management”.
- Recommendations have been added in clause 8 for better consistency with ISO 22301 on “Business Continuity Management” facilitating integration including:
- security strategies, procedures, processes and treatments
- security plans.
Dr. Frank Herdmann, the project leader for the revision, explains
“My very personal vision is that the new edition of the standard is openly and transparently a security management system standard that is fully applicable to the supply chain. The upside will be that end users of the previous edition will be able to use the new version without any interference. At the same time proliferation of standards will not impair industry and burden them with more standards to buy and follow.”
We have listed the various improvements in previous articel last autumn. It will be interesting to see security management evolve and graduate from a mere annex to ISO 31000.
Dr. Volker Ressler, Vice President at Robert Bosch GmbH and a member of DIN NA 175‑00‑05 GA Business continuity and 
Security and ISO/TC 292 WG 8, Global Head of Corporate Protection and Security for Associates and Property, underlines the importance of these features for his global group with almost 400,000 employees:
“I believe the new edition of ISO 28000 will contribute to a more risk-oriented, holistic and business-adequate Corporate Security. Furthermore, it will hopefully bring Physical- and Cyber-Security issues closer together, as such artificial walls are not fitting to the 21st century business world. In addition, we expect a better synchronization of our Security Management System with other ISO-standardized processes like Quality-, Crisis- or Business Continuity Management, thanks to the High Level Structure.”
As the new ISO 28000 will be aligned with any management system standard of ISO integration into (the) one holistic, integrated and sustainable management system of any organization will be possible without any big effort.
What can you do?
If you wish to review and comment on the new draft of ISO 28000, you need to contact the National Standards Body in your country for more information. A list of all NSBs is provided here at the ISO website.
The new version of ISO 28000 is expected to be published in the beginning of 2022.