ISO 28000 – Supply Chain Security as a System, Not a Coincidence

The COVID-19 pandemic, Russia’s invasion of Ukraine, and the Suez Canal blockage—recent years have served as a painful reminder to companies of just how fragile the supply chain can be. Most organizations managed risk solely within their own link in the chain—without considering what would happen if a supplier’s supplier failed, a port closed, or a component produced by a single global manufacturer ran out. ISO 28000 is the answer to this fragility: a standard that transforms supply chain security management from intuition and reactive firefighting into a documented, certifiable system.

What is ISO 28000 and who does it apply to

ISO 28000 is an international standard for supply chain security management systems. The current version—ISO 28000:2022—expands the scope compared to the previous 2007 edition: it can be applied to all aspects of an organization’s security, not just the supply chain. The standard focuses on aspects critical to security risk management, covering financing, production, information management, transportation, and the storage of goods in transit.

ISO 28000 can be implemented in any type of enterprise—from small businesses to multinational corporations. The standard applies to the manufacturing and service sectors, warehousing, and transportation at every stage of the production process or supply chain. In practice, the standard is particularly relevant for logistics operators, seaports and airports, freight forwarders, manufacturers operating in global supply chains, and importers and exporters.

ISO 28000:2022 applies the Plan-Do-Check-Act (PDCA) model to plan, establish, implement, monitor, review, and continuously improve the effectiveness of an organization’s security management system. Thanks to its alignment with the High Level Structure, the standard is easy to integrate with ISO 9001, ISO 14001, ISO 45001, and other management system standards.

Key Requirements – What a Supply Chain Security Management System Must Include

At the heart of the ISO 28000 standard is security risk assessment—the systematic identification of threats at every stage of the supply chain and the evaluation of their likelihood of occurrence and potential consequences. Supply chain risk assessment is both the starting point and the most important element of supply chain security management. By applying the principles outlined in the ISO 28000 standard, it is possible to mitigate the negative effects of supply chain threats, thereby ensuring smoother and more stable business operations.

The standard requires the implementation of a supply chain security policy approved by top management, as well as documented objectives and action plans. It also requires the management of physical threats (theft, robbery, sabotage, terrorism), cyber threats to logistics and IT systems supporting the supply chain, threats related to personnel and access to facilities, and disruptions resulting from natural and geopolitical events.

ISO 28000 focuses on physical and technical security, covering both physical safeguards and technologies that support supply chain security, such as transport tracking and monitoring systems. Equally important is incident management—the standard requires documented procedures for responding to security incidents, documenting them, analyzing them, and translating the findings into system updates.

Supervision of partners in the supply chain is also a key element. Organizations managing multiple supply chains may require service providers to meet related security standards as a condition for inclusion in that supply chain. This means that ISO 28000 certification becomes a gateway to working with demanding partners, just as is the case with quality or food safety standards.

ISO 28000 and AEO Status – A Connection Worth Knowing

One of the most practical benefits of implementing ISO 28000, rarely discussed in Polish-language sources, is its connection to AEO (Authorized Economic Operator) status under EU customs law.

AEO status is granted by customs authorities to companies that have demonstrated reliability in the areas of customs compliance, financial solvency, and security standards. Implementing ISO 28000 facilitates obtaining and maintaining AEO status. This is because the ISO 28000 requirements for supply chain security risk management align with the security criteria used by customs authorities when evaluating applications for AEO status. An ISO 28000-certified company has a documented, audited security management system—which is one of the key elements verified by customs authorities.

AEO status, in turn, brings tangible operational benefits: faster customs clearance, fewer physical inspections of shipments, simplified access to customs procedures, and mutual recognition by countries with which the EU has concluded mutual recognition agreements (including the U.S., Japan, China, and Switzerland). For companies active in international trade, ISO 28000 and AEO status create a synergy that translates into real operational savings and faster movement of goods across borders.
