Fifteen years after its initial publication, the international standard for supply chain security management systems is up for revision. The new version, scheduled for publication at the start of 2022, will align the standard with the other ISO management system standards and improve its clarity and consistency. In this article, we summarize the main changes. As the publication date moves closer, we will also provide an update on the transition timeline.
Let’s start with some good news for the more than 2500 sites that are already using the standard: the new version of ISO 28000 contains virtually no new requirements. Companies that are already certified to ISO 28000:2007 should have no trouble transitioning to ISO 28000:2022.
So if there are no new requirements, why did ISO bother with a new version at all? The answer is harmonization: because ISO 28000 was over a decade old, it was no longer in line with other, related ISO standards, such as the management system standards, the standard on organizational resilience and security (ISO 22316), and the risk management standard ISO 31000.
Alignment with the ISO Harmonized Structure
At first sight, one might think that the changes in ISO 28000:2022 are quite drastic: the entire structure has been changed. On closer inspection, however, you will notice that even though the structure is new, the requirements themselves have not changed much; they are simply presented in a new format.
Like all ISO management system standards, ISO 28000 now uses the so-called Harmonized Structure (HS). This is a common structure, with shared core text and definitions, that all management system standards follow. With this approach, ISO ensures that management systems are harmonized and can easily be integrated.
If your company is also certified to ISO 9001, ISO 14001 and/or ISO 45001, we recommend consulting with the relevant departments on how the management systems can be aligned and integrated internally. With all of these standards sharing the same structure and core requirements, the teams responsible for implementing and maintaining them can learn from each other, make use of the synergies and promote a common understanding.
In two parts of the standard, recommendations have been added. It is important to understand that recommendations are not requirements. In ISO management system standards, requirements are usually indicated with the verb “shall”, whereas recommendations are indicated with “should”.
• In Section 4.2.3, a set of principles has been added to harmonize the standard with the ISO 31000 risk management guidelines. Many of these principles are not new, however; rather, they provide extra clarification on some of the existing requirements.
• In Section 8, recommendations have been added to ensure consistency with ISO 22301, the international standard for business continuity management systems. This applies to security strategies, procedures, processes and treatments (8.5), as well as security plans (8.6).
Timeline & Transition
A Draft International Standard (DIS) of ISO 28000 was published for public comment in April 2021. In the coming weeks, all comments will be reviewed, but this usually does not lead to major changes, as all stakeholders have been involved in the process from an early stage. The final publication is scheduled for the beginning of 2022.
The publication usually marks the start of a three-year transition period, and all certified companies will be required to complete the transition before the end of that period. As the publication date draws closer, we will update this page with more information.
DQS: Your Partner for ISO 28000:2022 Certification
DQS is an accredited certification body for the ISO 28000 standard. With a network of highly qualified auditors around the globe, DQS has the capability to provide value-adding certification audits to all interested parties.