ISO 28000

Supply Chain Security

Contents

  1. Introduction
  2. Overview
  3. Global adoption
  4. Benefits
  5. Auditing
  6. Choosing a registrar
  7. Route to registration
  8. Costs
  9. Contributing editor

Introduction

ISO 28000 is the formal international security standard against which organizations may seek independent certification of their supply chain security management system. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Supply Chain Security Management System (SCSMS), using a continual improvement approach.

ISO 28000 is intended to be used in conjunction with ISO 28001 and ISO 28004 security Codes of Practice, which offer guidance on interpretation and implementation of the standard. It provides the foundation for third-party audits and is meant to ‘harmonize’ with other management standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management).

The ISO 28000 standard is formally known as “Specifications for Security Management Systems in the Supply Chain”.

Overview

ISO 28000 has been developed by the ISO Technical Committee TC8 “Ships and Maritime Technology”. It is based on the ISO format adopted by ISO 14001:2004 because of its risk-based approach to management standards. The ISO 28000 series of standards consists of:

  • ISO 28000:2007 – The Security Management Standard (SMS) requirements standard, a specification for an SMS against which organizations can be certified as compliant.
  • ISO 28001:2007 – Provides requirements and guidance for organizations in international supply chains. Assists in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.
  • ISO 28002:2010 PAS – Development of resilience in the supply chain – Requirements with guidance for use.
  • ISO 28003:2007 – Requirements for bodies providing audit and certification of supply chain security management systems.
  • ISO 28004:2007 – Provides generic advice on the application of ISO 28000:2007.
  • ISO/AWI 28005 – (Under development) Electronic port clearance (EPC) – Part 1: Message structures.
  • ISO/AWI 28005 – Electronic port clearance (EPC) – Part 2: Core data elements.

Following the events of 9th September 2001 the United States of America developed C-TPAT (Customs-Trade Partnership Against Terrorism), a voluntary agreement that was signed by many US and other businesses. It entails conducting a self-assessment of supply chain security following C-TPAT guidelines and provides fast-track access to US ports for operators that are compliant.

In April 2005 the European Parliament adopted an amendment to the Community Customs Code (The Security Amendment) which allows Customs authorities to grant the status of AEO to any business that satisfies EU criteria. AEO is designed to provide fast track access to European ports.

There was no provision for mutual recognition between the two schemes. In 2005, in answer to industry requests, ISO began work on a standard that industry expected to “bridge the gap” and allow organizations to certify to one single standard in order to achieve preferential status both in Europe and the USA.

Is ISO 28000 relevant to your organization?

According to the ISO it is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:

  • establish, implement, maintain and improve a security management system;
  • assure conformance with stated security management policy;
  • demonstrate such conformance to others;
  • seek certification/registration of its security management system by an accredited third-party certification body; or
  • make a self-determination and self-declaration of conformance with ISO 28000:2007.

Global adoption

During development ISO 28000 was predicted to be the standard that would break all records, regarding both the number of organizations that would adopt it and the speed with which it would spread. While still in its PAS stage there were indications that many important organizations would be quick to apply for certification. This did not happen. So far relatively few organizations have, in fact, implemented ISO 28000.

An explanation for this can be found in a number of factors, including:

  • The economic recession, which began in 2007 but whose consequences were fully realised in 2008, persuaded many organizations to modify priorities and wait;
  • ISO 28000 has not successfully bridged the gap between C-TPAT and AEO.

Benefits

There are several reasons why an organization might seek this certification. Some of the key benefits include:

  • The implementation of an efficient Security Management System
  • Increased credibility and trust
  • Improved partner, customer and stakeholder confidence
  • Organizational and trading partner assurance
  • Demonstration to competent authorities that the organization observes all applicable laws and regulations
  • Competitive advantage and market differentiation
  • Reduced regulation costs

A benefit that has been overlooked is that this is, for the moment, the only ISO standard that an organization can implement, with or without proceeding to certification, that contemplates a high-level security management system. ISO 28000, albeit dedicated to supply chain security, is potentially applicable to any organization that wishes to implement, self-assess or certify to an internationally recognized security management standard.

Auditing

To meet certification requirements, an organization's Supply Chain Security Management System must be audited by a certification body that is, as a minimum requirement, compliant with ISO 28003:2007. This standard, which is derived from the overarching standard ISO 17021:2006, contains principles and requirements for bodies providing the audit and certification of supply chain security management systems, according to management system specifications and standards such as ISO 28000. It defines the minimum requirements of a certification body and its associated auditors.

There are a growing number of organizations accredited to grant certification against ISO 27001. While the approach to the certification process may differ, there are common steps required within an application, which include:

  • Stage I document review
  • Stage II compliance audit
  • Ongoing surveillance or review audits

Choosing a registrar

There are over 1,000 certification bodies globally. It is important to select an approved certification body and to ensure they comply with the following criteria:

  • Ensure the company is accredited to ISO/IEC 17021:2006, and the certification body accreditation is issued by a recognised competent body.
  • Receive quotations from several certification bodies.
  • Do not select the cheapest quote as their auditing or service may be below standard.
  • Ensure the certification body is recognised by your customers and they have the relevant sector experience for your industry sector.
  • Enquire as to the experience and qualifications of the audit personnel that will conduct the audit. Although this standard stems from the principles of QMS (Quality Management Systems), it is a Security Management System. A qualified audit will require auditors with specific security experience and qualifications.

Route to registration

There are various phases to registration:

  1. Pre-audit Assessment
    • Check documentation with the certification organization
      Together, you and the organization will review your documentation. This will ensure that all documented procedures cover the requirements of ISO 28000:2007.
    • Determine date of assessment
      Together with the organization you will determine the best timetable for your registration and agree on a date for initial assessment. Many organizations benefit from a pre-assessment "dry run", also called a “pre-audit”, of the formal assessment.
  2. Initial Audit Stage I: Documentation
    An initial Stage I documentation assessment will be conducted by your auditor. The Documentation Audit includes a document review, which needs to be completed before the Implementation Audit can begin. Your certification body is expected to review all documents relating to the design and implementation of the Supply Chain Security SMS.
  3. Implementation Audit Stage 2
    The Implementation Audit Stage 2 takes place at the client's site. The audit plan is agreed and circulated to the client in advance of the commencement of Stage 2 and is finalized to fit in with the client's business commitments at the commencement of this stage. All the elements and controls of ISO 28000 are covered in depth at this stage. The audit findings are summarised and confirmed during a formal closing meeting.
  4. Registration Confirmation
    Following your auditor's recommendation, your registration will be confirmed by the technical reviewers.
  5. Certificate Issue
    Your certificate of registration will arrive after your registration has been confirmed.
  6. Continued Assessment
    After registration, your nominated auditor will visit your organization at appropriate intervals to ensure that your management system continues to meet the requirements of ISO 28000.
  7. Reassessment
    Your registrar is required to perform a reassessment of your management system every 3 years. This normally takes 2/3 of the initial assessment duration. At the end of the closing meeting your auditor will confirm the outcome if you are successful.

Costs

The cost depends on a number of factors. There are costs both to implement and to maintain your certification.

Implementation Costs

In terms of costs to implement, if you choose a full do-it-yourself approach, the only real costs will be the time for resources dedicated to the implementation process and in time spent writing documents and training your staff. If you have little experience with ISO 28000, or have limited internal resources, you might choose to get outside professional help through a security management system consultant. There are advantages in recruiting a qualified consultant as you are able to guarantee your registration within a given period of time.

Certification Costs

Costs of registration are dependent on the size of your organization. Most registrars charge a certain rate per day to be on-site at your facility. This day rate will vary depending on your country. To maintain your certification, the registrar must return annually to audit a portion of your system. These costs will be less than the original visit, since the time spent will be shorter. Once every three years, the registrar returns to audit your entire system.

Contributing editor

Roger D. Warwick

Roger Warwick is a certified RABQSA Lead Auditor and Skill Examiner for Security Management Systems, ISO 28000, and has audited organizations to this standard in Europe and the Americas.

He is a BSI certified Lead Auditor for ISO 27001, holding the internationally recognised security certification CPP. He was nominated "Expert" by UNI (The Italian National Standardization Organization) for the development of ISO and CEN security standards and is coordinator for the further development of Supply Chain Security standards. Roger is a member and project coordinator of ESRIF (European Security, Research and Innovation Forum) and a member of the Standards & Guidelines Commission of ASIS International.

His career includes thirty years' experience in corporate security and investigations, assisting many Fortune 100 international corporations. Roger is the owner and MD of Pyramid International, a security and investigations consultancy based in Italy, and is a founder and senior partner of Temi Group Ltd., a worldwide partnership of security and investigations experts. He is also a regular speaker at international symposiums on security and economic crime, and a regional secretary for the British Chamber of Commerce for Italy.
