
ISO 22373 Security and resilience – Authenticity, integrity and trust for products and documents – Framework for establishing trustworthy supply chains

This project will create an international standard that provides a framework to support stakeholders in establishing and ensuring trustworthiness along supply chains. The guidelines set out in this document are generic and are intended to be applicable to all organizations, regardless of their type, size, or nature. The document can also be used to support existing systems. It is technology agnostic, and the aspects it specifies can be implemented using various technologies such as PKI (Public Key Infrastructure) certificates, Decentralized Identifiers (DID) and Verifiable Credentials (VC).

Aliza Maftun, the project leader responsible for the development of ISO 22373, explains:

Supply chain trustworthiness is a crucial topic that affects every organization, regardless of its size, geographical location, or industry. With increasing globalization and reliance on technology and digital communications, the risks of attacks on supply chains are higher than ever. Therefore, this document intends to provide guidelines to supply chain stakeholders to decide about attributes to consider in their supply chains to make them trustworthy.

As supply chains are complex, comprising several entities with varying business contexts and technological solutions, a framework to ensure end-to-end supply chain trustworthiness is required. ISO 22373 provides guidelines for a chain of trustworthiness catering to end-to-end supply chain trustworthiness. It gives guidance on the identification of different trust domains and the measures that each trust domain must employ to meet its trustworthiness targets.

ISO 22373 also introduces an interoperable data structure to exchange trustworthiness-relevant information amongst supply chain stakeholders. The interoperable data construct can be used to negotiate and exchange trustworthiness properties between different trust domains. This supports the achievement of several properties, such as interoperability, robustness, accountability, and transparency, while preserving privacy.

The standard provides guidelines for a chain of trustworthiness, which includes continuous trustworthiness for parts of the supply chain that in principle can be extended to the end-to-end supply chain.