ISO 28000:2022 — Security Management Systems
Security and resilience — security management systems for the supply chain. ISO 28000:2022 (second edition) replaces ISO 28001:2007 with a comprehensive PDCA-based security management system framework, aligned with ISO 31000 (risk) and ISO 22301 (business continuity).
Standard: ISO 28000:2022 + Amd.1:2024
Service type: By CAS
Issued under: CAS — own authority
Standards & technical basis
Certified standard: ISO 28000:2022 + Amd.1:2024
Certification-body competence: ISO/IEC 17021-1:2015. CAS certifies to the general requirements of ISO/IEC 17021-1:2015; no scheme-specific ISO/IEC 17021 competence part is published for this standard.
Mark & recognition: Issued by CAS under its own authority — carries the CAS mark and does not bear the EGAC or IAF marks.
What it is
ISO 28000:2022 is the second edition of the international standard for security management systems, prepared by Technical Committee ISO/TC 292 (Security and resilience), published March 2022. It cancels and replaces ISO 28000:2007 (also known as ISO 28001:2007 — Supply Chain Security). The 2022 edition maintains existing requirements while adding recommendations aligned with ISO 31000 (risk management) in Clause 4, and recommendations for better consistency with ISO 22301 (business continuity) in Clause 8 — including security strategies, procedures, processes and treatments, security plans with response structure, warning and communication, and recovery. It applies the Plan-Do-Check-Act (PDCA) model to the organisation's security management system.
Who needs it
Logistics companies, freight forwarders, customs brokers, exporters, importers, port operators, and supply chain participants requiring documented security management practices for international trade.
Benefits of certification
- Demonstrates supply chain security practices to customs and trade authorities
- Supports AEO (Authorised Economic Operator) status applications
- Reduces risk of cargo theft, tampering, and smuggling
- Required by some shipping lines and logistics clients
- Structured approach to supply chain threat and risk assessment
- Improves supply chain transparency and traceability
Frequently asked questions
Common questions
How does ISO 28000:2022 differ from ISO 28001:2007?
ISO 28000:2022 (Second edition, March 2022) cancels and replaces ISO 28001:2007. The 2022 edition adopts the PDCA management system model, adds ISO 31000 risk management alignment in Clause 4, and adds ISO 22301 business continuity alignment in Clause 8 with security strategies, procedures, and security plans including response and recovery. Both standards address supply chain security — ISO 28001:2007 remains valid for organisations with existing certificates during any transition period.
How does ISO 28000 relate to C-TPAT?
ISO 28001 is aligned with the principles of C-TPAT (US Customs-Trade Partnership Against Terrorism) and similar trade security programmes. It provides a certifiable standard for supply chain security practices.
Ready to certify against ISO 28000:2022 + Amd.1:2024?
Send us a brief description of your organisation — we’ll come back with a quotation within one working day.