Security management systems for the supply chain - Requirements and guidance

ISO 28001:2007

The context

Security incidents against international supply chains are threats to international trade and the economic growth of trading nations. People, goods, infrastructure and equipment including means of transport need to be protected against security incidents and their potentially devastating effects. Such protection benefits the economy and society as a whole.
International supply chains are highly dynamic and consist of many entities and business partners. ISO 28001 recognizes this complexity. It has been developed to allow an individual organization in the supply chain to apply its requirements in conformance with the organization’s particular business model and its role and function in the international supply chain.
ISO 28001 provides an option for organizations to establish and document reasonable levels of security within international supply chains and their components. It will enable such organizations to make better risk-based decisions concerning the security in those international supply chains.
This International Standard is multimodal and is intended to be in concert with and to complement the World Customs Organization's Framework of Standards to secure and facilitate global trade (Framework). It does not attempt to cover, replace or supersede individual customs agencies' supply chain security programmes and their certification and validation requirements.
The use of this International Standard will help an organization to establish adequate levels of security within those part(s) of an international supply chain which it controls. It is also a basis for determining or validating the level of existing security within such organizations’ supply chain(s) by internal or external auditors or by those government agencies that choose to use compliance with ISO 28001 as the baseline for acceptance into their supply chain security programmes. Customers, business partners, government agencies and others might request organizations which claim compliance with this International Standard to undergo an audit or a validation to confirm such compliance. Government agencies might find it mutually agreeable to accept validations conducted by other governments’ agencies. If a third-party organization audit is to be conducted, then the organization needs to consider employing a third-party certification body accredited by a competent body, which is a member of the International Accreditation Forum.
It is not the intention of this International Standard to duplicate governmental requirements and standards regarding supply chain security in compliance with the WCO SAFE Framework.
Outputs resulting from this International Standard will be the following.
  • A Statement of Coverage that defines the boundaries of the supply chain that is covered by the security plan.
  • A Security Assessment that documents the vulnerabilities of the supply chain to defined security threat scenarios. It also describes the impacts that can reasonably be expected from each of the potential security threat scenarios.
  • A Security Plan that describes the security measures in place to manage the security threat scenarios identified by the Security Assessment.
  • A training programme setting out how security personnel will be trained to meet their assigned security related duties.
To undertake the security assessment needed to produce the security plan, an organization using this International Standard will
  • identify the threats posed (security threat scenarios);
  • determine how likely it is that a person could progress each of the security threat scenarios identified by the Security Assessment into an actual security incident.
This determination is made by reviewing the current state of security in the supply chain. Based on the findings of that review, professional judgment is used to identify how vulnerable the supply chain is to each security threat scenario.
If the supply chain is considered unacceptably vulnerable to a security threat scenario, the organization will develop additional procedures or operational changes to lower the likelihood, the consequence or both. These are called countermeasures. Based upon a system of priorities, countermeasures need to be incorporated into the security plan to reduce the risk to an acceptable level.
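As an added illustration (not part of ISO 28001 and not code from this page), the following Python sketch encodes the assessment loop described above: each security threat scenario is scored, scenarios above an assumed acceptance threshold are treated as unacceptably vulnerable, countermeasures are chosen for them in priority order, and the result is a list of Security Plan entries with their residual risk. The 1 to 5 scales, the likelihood x consequence product, the acceptance threshold of 6, the scenario names and the countermeasures are all constructed assumptions; ISO 28001 leaves the scoring method to the organization's professional judgement.

```python
"""Added example: Security Assessment -> Security Plan loop.
All scales, thresholds, scenarios and countermeasures below are assumptions
constructed for illustration, not values prescribed by ISO 28001."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Countermeasure:
    """A procedure or operational change that lowers likelihood, consequence or both."""
    name: str
    cost: int                   # assumed relative cost, 1 (cheap) .. 5 (expensive)
    likelihood_reduction: int   # points removed from the scenario's likelihood score
    consequence_reduction: int  # points removed from the scenario's consequence score


@dataclass
class ThreatScenario:
    """One security threat scenario from the Security Assessment."""
    name: str
    likelihood: int    # assumed 1..5: how likely a person could progress it to an incident
    consequence: int   # assumed 1..5: impact reasonably expected if it happens
    candidates: list[Countermeasure] = field(default_factory=list)
    applied: list[Countermeasure] = field(default_factory=list)

    def risk(self, extra: Countermeasure | None = None) -> int:
        """Residual likelihood x consequence after the applied countermeasures
        (optionally trying one more). Scores never drop below 1."""
        cms = self.applied + ([extra] if extra else [])
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in cms))
        con = max(1, self.consequence - sum(c.consequence_reduction for c in cms))
        return lik * con


ACCEPTABLE_RISK = 6  # assumed acceptance threshold on the 1..25 product scale


def select_countermeasures(scenario: ThreatScenario, acceptable: int = ACCEPTABLE_RISK) -> bool:
    """Greedily apply the candidate with the best risk reduction per unit cost until the
    residual risk is acceptable or nothing left helps. Returns True if acceptable."""
    remaining = list(scenario.candidates)
    while scenario.risk() > acceptable and remaining:
        best = max(remaining, key=lambda cm: (scenario.risk() - scenario.risk(cm)) / cm.cost)
        if scenario.risk(best) >= scenario.risk():
            break  # no remaining candidate reduces risk; leave for a management decision
        scenario.applied.append(best)
        remaining.remove(best)
    return scenario.risk() <= acceptable


def build_security_plan(scenarios: list[ThreatScenario], acceptable: int = ACCEPTABLE_RISK) -> list[dict]:
    """Work scenarios in priority order (highest initial risk first) and record one
    Security Plan entry per scenario, including those still above the threshold."""
    plan = []
    for s in sorted(scenarios, key=lambda s: s.risk(), reverse=True):
        initial = s.risk()
        ok = select_countermeasures(s, acceptable)
        plan.append({"scenario": s.name, "initial_risk": initial, "residual_risk": s.risk(),
                     "countermeasures": [c.name for c in s.applied], "acceptable": ok})
    return plan


def sample_scenarios() -> list[ThreatScenario]:
    """Constructed sample assessment for a container yard operator (assumed data)."""
    return [
        ThreatScenario("Container tampering in the yard", likelihood=4, consequence=4, candidates=[
            Countermeasure("High-security seals with verification at each handover", 2, 2, 0),
            Countermeasure("CCTV and access control for the yard", 4, 1, 0),
            Countermeasure("Segregated storage for high-value cargo", 3, 0, 2)]),
        ThreatScenario("Unverified driver collecting a load", likelihood=2, consequence=3),
        ThreatScenario("Contraband concealed in a legitimate consignment", likelihood=3, consequence=5, candidates=[
            Countermeasure("Documentary checks and consignor verification", 1, 1, 0),
            Countermeasure("Non-intrusive inspection of flagged shipments", 5, 2, 0)]),
        ThreatScenario("Insider disclosing access arrangements", likelihood=3, consequence=4, candidates=[
            Countermeasure("Background screening of staff with security duties", 2, 1, 0)]),
    ]


if __name__ == "__main__":
    for entry in build_security_plan(sample_scenarios()):
        print(entry)
```

Scenarios that are still above the threshold after every candidate has been applied are reported with "acceptable": False rather than silently dropped; that is the signal for management either to accept the residual risk explicitly or to fund further countermeasures, and a scenario that is already acceptable gets no countermeasures at all.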

Who is ISO 28001 for?

This standard is generic and applicable to any organization, regardless of its size and the kind of products or services it provides, that is involved in a supply chain and wants to implement a security management system to ensure an appropriate level of supply chain security.

Such organizations can include:

  • product manufacturers,
  • importers and/or exporters,
  • customs and/or shipping brokers,
  • transport operators (road, rail, air, sea, river),
  • container terminal operators,
  • airports, maritime and river ports, railway stations,
  • warehouse complexes,
  • shipping agents, and
  • distributors.

The benefits of ISO 28001 based management systems

Benefits of compliance with the requirements of ISO 28001 include

  • a reduction in the number of security incidents,
  • a reduction in the extent of damage caused by security incidents, theft and smuggling in transport,
  • efficient monitoring and management of the security risks relevant to the organization's activities,
  • an improved market reputation for the products and services provided, and
  • optimization of costs through the systematic use of internal resources.

How we'll do it

ISO 28001:2007 - The process for the development and implementation of management systems

Gap analysis

- Business Excellence's team will conduct an initial assessment/gap analysis according to the scope of services, with reference to ISO 28001, covering permanent as well as temporary sites, and
- A comprehensive written report will be presented to Top Management on the status of compliance against the standard's requirements, so that the gaps are known

Awareness training on ISO 28001:2007

- Business Excellence's team will provide awareness training to the key process owners and relevant staff, on the requirements of the standard
- Further to this, they'll explain how these requirements apply to their business

Documentation

- Business Excellence's team will provide full assistance with the development of documentation according to the requirements of the standard
- These documents will be of different types at different levels (in order of importance), including policies, a manual, system element procedures and associated forms such as a RACI matrix, process maps, a risks and opportunities register, KPIs, etc

Implementation

- Business Excellence's team will extend its full support with regard to the implementation of the aforementioned documented management system, in letter and spirit
- This may include SWOT analysis, process mapping, setting objectives and targets, development of RACI matrices, training needs analysis, internal audit, corrective action including root cause analysis, management review meetings, etc

Internal audit

- Finally, a mock assessment by Business Excellence's team will be performed before the third-party auditor arrives
- A detailed report of this assessment shall be submitted to management and will help rectify the non-conformities and concerns
- Management is to ensure that the identified concerns are rectified within the agreed time frame

Third party audit by an independent certification body

- The selected third party reviews the documentation, including records
- It then conducts an on-site audit

Closing out of non-conformities

- Following the independent review and assessment by the certification body, a corrective action plan is developed for each non-conformity
- Business Excellence provides guidance on implementing the corrective action plan

Value for money

ISO 28001 - Key deliverables for the development, training and implementation of management systems

Gap analysis report

Evaluation of the existing systems to ascertain what is in compliance and where the gaps are, with a comprehensive report submitted to the client

Documentation kit

Templates for documents of all types (at all levels), including policies, manuals, system element procedures, work instructions, RACI matrices, forms, process maps, checklists, registers, etc.

Training on ISO 28001 and pertinent sector best practices

On the requirements of the international standard and how these apply in the context of the business

Review of documentation and associated records

- Business Excellence's team will review each and every document provided prior to finalization
- After our review, the client shall also review these documents prior to approval

Support for Implementation

Business Excellence's team will extend its full support with regard to the implementation of the documented management system, in letter and spirit. This may include SWOT analysis, process mapping, risk assessment, objectives and targets, RACI matrices, training needs analysis and training plan, internal audit, corrective action, management review, etc

Mock third-party assessment

Finally, a mock assessment by Business Excellence's team will be performed before the third-party assessment, and a detailed report of it shall be submitted to management in order to help rectify the non-conformities and concerns

Support for corrective actions

Business Excellence's team shall help develop and implement corrective actions to close out findings from the third-party review and/or assessment, until the management system is approved and the certificate is issued

Various Options

Delivery methods

Face to face (on the client's premises)
Online and virtual (through e-mail, phone and video calling)
Blended (a mix of options 1 and 2)

Contact us through any of the following channels

For further information
00971 50 406 5134