ISO 28000 Security Management System

Overview of ISO 28000
ISO 28000:2022 Security and resilience — Security management systems — Requirements (SMS)

ISO 28000 is a management system standard published by the International Organization for Standardization (ISO) that specifies requirements for a security management system, including aspects relevant to the supply chain.
ISO 28000 establishes a security management system that protects people, goods, infrastructure, equipment and transportation against security incidents and other potentially devastating situations. It specifies the requirements to establish, implement, maintain, improve and audit a security management system for the supply chain.
Who Should Use ISO 28000?
  1. Organizations of all types and sizes can implement an ISO 28000 SMS.
    It does not matter what size your organization is:
    • any organization, from as few as 2 persons to as many as a million, can benefit from an ISO 28000 SMS.
    It does not matter what type of organization you are:
    • commercial enterprises;
    • government or other public agencies;
    • non-profit organizations;
    • manufacturing;
    • service; or
    • storage or transportation at any stage of the production or supply chain;
    all can use ISO 28000 to establish, implement, maintain and improve a security management system and benefit from it.
  2. Any organization that wants an internationally recognized framework for implementing a security management system.
  3. Any organization that wants to optimize its processes and ensure that its supply chain remains free of disruptions.
Why Should You Use ISO 28000?
  1. You want to ensure that the security risks and threats arising from logistics operations and supply chain partners are being managed and controlled.
  2. You want to monitor and manage security risks throughout your business and supply chain.
  3. You want to reassure stakeholders of your organization’s commitment to the safety of individuals and the security of goods and services.
  4. You may face the risks and lost opportunities that come with not holding ISO 28000 certification:
    • ISO 28000 may be a legal or contractual requirement; and
    • you will potentially be eligible for more lucrative, large-scale government and private-sector contracts that are offered only to organizations that hold ISO 28000 certification.
ISO 28000:2018 key documentation requirements:
Clause 4 Context Of The Organization

4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
4.2.2 Legal, regulatory and other requirements
4.2.3 Principles
4.3 Determining the scope of the security management system
4.4 Security management system
Clause 5 Leadership
5.1 Leadership and commitment
5.2 Security policy
5.2.1 Establishing the security policy
5.2.2 Security policy requirements
5.3 Roles, responsibilities and authorities
Clause 6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Determining security-related risks and identifying opportunities
6.1.3 Addressing security-related risks and exploiting opportunities
6.2 Security objectives and planning to achieve them
6.2.1 Establishing security objectives
6.2.2 Determining security objectives
6.3 Planning of changes
Clause 7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
Clause 8 Operation
8.1 Operational planning and control
8.2 Identification of processes and activities
8.3 Risk assessment and treatment
8.4 Controls
8.5 Security strategies, procedures, processes and treatments
8.5.1 Identification and selection of strategies and treatments
8.5.2 Resource requirements
8.5.3 Implementation of treatments
8.6 Security plans
8.6.1 General
8.6.2 Response structure
8.6.3 Warning and communication
8.6.4 Content of the security plans
8.6.5 Recovery
Clause 9 Performance Evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results
Clause 10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
MLOK’s methodology and approach to making your company ISO 28000 compliant and ready for certification
We adopt a practical, methodical four-stage process to help you achieve ISO 28000 certification.

Stage 1: Planning
Conduct a kick-off meeting to:
  1. establish the implementation schedule and plan;
  2. appoint the SMS Committee;
  3. establish an ISO 28000 SMS documentation framework; and
  4. gain a fundamental understanding of the requirements of ISO 28000.
Stage 2: Documentation
Drafting and writing the documents required to comply with ISO 28000:
  1. SMS Manual;
  2. Job Descriptions;
  3. SMS Procedures;
  4. SMS Supporting Process Procedures;
  5. SMS System Procedures; and
  6. SMS Forms, Work Instructions and other documents.
Stage 3: Implementation
  1. Provide guidance and advice on the implementation of the documented SMS.
  2. Conduct ISO 28000 SMS internal audit training.
  3. Conduct an ISO 28000 SMS internal audit.
  4. Conduct an ISO 28000 SMS management review meeting.
Stage 4: External Audit
  • Stage 1 Documentation Audit by the Certification Body.
  • Rectification of the Stage 1 audit findings issued by the Certification Body.
  • Stage 2 Compliance Audit by the Certification Body.
  • Rectification of the Stage 2 NCRs (nonconformity reports) issued by the Certification Body.
You will then receive your ISO 28000 certificate.