The requirements provided in ISO 28000 help to
- establish, implement, maintain and improve a security management system;
- assure conformance with stated security management policy;
- demonstrate such conformance to others;
- seek certification/registration of its security management system by an accredited third-party Certification Body.
Similar to ISO 9001, this standard contains management requirements and it is therefore certifiable. In 2016, the top 5 countries with highest number of ISO 28000 certificates were: India (425), Japan (299), Spain (231), US (223), and UK (197).
ISO has now decided to initiate a revision of the standard. So far, a justification study for the revision has been presented and approved by the ISO Technical Management Board. A new working group (WG 8) responsible for the revision of ISO 28000 as well as the other documents in this series of supply chain security standards has been established. The first meeting is planned for the days from September 11th to September 13th in Bangkok where ISO/TC 292 is holding its annual plenary meeting together with all its working groups.
Dr. Frank Herdmann, who has been appointed as Project Leader for ISO 28000, explains what we can expect for the revision:
“The current version is rather old and one of the few Management Systems Standards in ISO that has not yet been updated in accordance with the High-Level Structure (HLS) outlined in ISO Directives, Annex L. By restructuring the standard and aligning it with the HLS we will ensure that it is compatible with all modern Management System Standard within the ISO world such as ISO 9001 and ISO 14001. This will facilitate its integrated use allowing for synergies within the organization.“
In the agreed Justification study for ISO 28000 the scope of the standard is defined to be:
This document specifies requirements for a security management system, including those aspects critical to security assurance of the supply chain.
This document is applicable to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies and non-profit organizations) which intend to establish, implement, maintain and improve a security management system. It provides a common approach and is not industry or sector specific.
This document can be used throughout the life of the organization and can be applied to any activity, internal and external at all levels.
Frank Herdmann further states:
“Support in the revision is expected from any organization managing security in any sector as the standard in its revised form will be helpful for any organization involved in managing security. Looking closely at the wording of ISO 28000:2007 the standard while redefining security in a restrictive manner even today seems to set requirements for security in general and rarely (only three times) mentions the supply chain in its vital clause 4.
ISO/TC 292 WG 8 is looking for additional experts interested in security management and willing to support their endeavors in the revision of the standard. Experts should contact their National standardization body (NSB) and participate in their national mirror committee. This mirror committee and the NSB will nominate them for WG 8.”