Your supply chain is only as strong as its weakest link—ISO 28000 changes that

Every company that manages a supply chain knows it does not control everything. It controls its own warehouse, its vehicles, and its employees. But what about the supplier's supplier? The port operator handling your cargo? The transportation subcontractor hired by your freight forwarder? The pandemic, the Suez Canal blockage, and the semiconductor shortage demonstrated painfully that in a global supply chain a single weak link can halt production at thousands of companies on the other side of the globe. ISO 28000 specifies a management system for identifying these links before they become a crisis.

Risks that no one includes in their risk assessment—but should

Most companies that manage a supply chain already conduct risk assessments. The problem is that these assessments typically cover only their own processes: the risk of a supply shortage from a specific supplier, the risk of downtime on their own production line, the risk of transportation delays. That scope is insufficient, because the threats that stop a supply chain rarely originate inside the assessing company.

ISO 28000:2022 requires a security risk assessment covering the entire supply chain, including threats that traditionally do not make it into a procurement department's spreadsheets:

  • Physical threats: theft of cargo in transit, robberies of warehouses and vehicles, and unauthorized access to loading and unloading zones. Industry estimates put losses from cargo theft in European supply chains in the billions of euros annually, and the losses fall not only on transport companies but on every participant in the chain
  • Sabotage and terrorism: deliberate contamination of cargo, planting of hazardous substances, tampering with customs documentation. Threats that sound abstract until they hit a specific company
  • Cyber threats: attacks on WMS, TMS, and shipment tracking systems, which can paralyze logistics operations just as effectively as a physical blockade of a warehouse. A ransomware outbreak at a single logistics provider can stop bookings, customs clearance, and terminal operations for every customer that depends on it
  • Geopolitical and natural threats: border closures, armed conflicts, and natural disasters blocking transport routes. The experience of the past five years shows that these are not science-fiction scenarios but real operational risks

ISO 28000 requires that each of these threats be identified, assessed, and addressed by a documented risk treatment plan whose controls are actually implemented and monitored. Not as a paper exercise, but as a functioning system.

What exactly must a company do when implementing ISO 28000?

Implementing ISO 28000 does not mean building a system from scratch. It means structuring activities that many companies already carry out, but in a disorganized and inconsistent manner, into a management system based on the PDCA (Plan-Do-Check-Act) cycle.

What about management commitment? ISO 28000 requires top management to participate actively in the supply chain security management system: establishing the security policy, approving objectives, assigning responsibilities, and providing resources. Supply chain security cannot be the sole domain of the logistics or security department; it must be an integral part of the organization's strategy.

What does risk assessment look like according to ISO 28000? Risk assessment is the starting point of the entire system. It involves identifying threats at every stage of the supply chain, assessing the likelihood of each threat and its potential consequences, and then selecting and implementing control measures proportionate to the resulting level of risk. The results must be documented and regularly updated, in particular after incidents, after changes in the supply chain structure (new suppliers, routes, carriers, or IT systems), and when new threats emerge.

How does the standard address oversight of partners? ISO 28000 requires an organization to define security requirements for all partners in its supply chain (suppliers, transportation subcontractors, warehouse operators) and to verify their compliance, for example through contractual clauses, questionnaires, audits, or evidence of their own certification. This is the key element that distinguishes an ISO 28000 system from security management conducted solely within the organization's own four walls.

ISO 28000 as a selling point in tenders and relationships with major partners

ISO 28000 is no longer a niche standard for port operators and customs agencies. Certification against it is becoming an increasingly important criterion for qualifying suppliers and logistics partners in global supply chains.

Large manufacturing and trading corporations that have experienced supply chain disruptions in recent years are systematically tightening the requirements they place on logistics partners. For them, ISO 28000 certification serves as objective, independently audited evidence that a partner manages security within its segment of the supply chain in a systematic manner. This reduces the need to conduct a separate security audit of each supplier, which saves measurable cost for both parties. One practical caveat: the certificate is only as good as its scope and the accreditation of the certification body, so a buyer should check which sites and services the certificate actually covers before relying on it.

In public procurement, particularly for contracts related to critical infrastructure, defense, and the energy sector, ISO 28000 certification is increasingly appearing as a formal requirement or as a criterion for evaluating bids. Certified companies are in a significantly stronger bidding position than those that must prove the security of their supply chain from scratch in every procurement process.

Synergy with other standards: why it is worth implementing ISO 28000 alongside ISO 9001 and ISO 27001

ISO 28000:2022 follows the ISO Harmonized Structure (formerly called the High Level Structure, defined in Annex SL of the ISO/IEC Directives), the same clause structure used by ISO 9001, ISO 14001, ISO 45001 and ISO 27001. For companies that already hold other ISO certificates, integrating ISO 28000 into the existing management system (shared policy framework, document control, internal audits, management review) is significantly simpler and cheaper than building a separate system.

The synergy between ISO 28000 and ISO 27001 is particularly strong. Information security and supply chain security are two aspects of the same challenge: a cyberattack on a logistics provider's WMS, TMS, or tracking systems is just as real a threat as physical cargo theft, and the supplier-security clauses of ISO 27001 already cover much of what ISO 28000 asks of partners. A company holding both certificates manages security comprehensively and can demonstrate this to trading partners and regulators.

Similarly, ISO 28000 naturally complements ISO 22301 (business continuity). Together, these standards answer the question: "What do we do when the supply chain is at risk, and how do we keep the company operating despite disruptions?" For companies seeking a reputation as a resilient and reliable organisation, this combination of certifications is one of the strongest signals they can send to the market.
