Alignment with the ISO Harmonized Structure (HS)
At first glance, one might think that the changes in ISO 28000:2022 are quite drastic: The entire structure has been rearranged. However, upon closer inspection, it becomes clear that the requirements themselves have barely changed - they are simply presented in a new format.
Like all ISO management system standards, ISO 28000 now uses the so-called Harmonized Structure (HS). This is a structure, core text and definitions common to all management system standards. With this approach, ISO ensures that management systems are harmonized and can be easily integrated.
If your company is also certified to ISO 9001, ISO 14001 and/or ISO 45001, we recommend that you discuss with the relevant departments how the management systems can be harmonized and integrated internally. Since all of these standards share the same structure and core requirements, the teams responsible for implementing and maintaining these standards can take advantage of the synergies and promote a common understanding of the management systems.
Other changes
Recommendations were added in two places in the standard. Important: Recommendations are not requirements. In ISO management system standards, requirements are usually indicated with the verb "shall," while recommendations are described with "should."
- In clause 4.2.3, a number of principles have been added to harmonize the standard with the ISO 31000 risk management guidelines. However, many of these principles are not new - rather, they serve to provide additional clarification of some requirements.
- In Section 8, recommendations have been added to ensure consistency withISO 22301, the international standard for business continuity management systems. This relates to security policies, procedures, processes and treatments (8.5), as well as security plans (8.6).
Timetable & Transition Period
A draft (DIS) of ISO 28000 was released for public comment in April 2021. Final publication is scheduled for early 2022.
Publication generally marks the beginning of a three-year transition period. All companies must complete the transition before the end of the three-year period. As the publication date approaches, we will update this page with more information.
DQS: Your partner for ISO 28000:2022 certification
DQS is an accredited certification body for the ISO 28000 standard, and we're here to help - with smooth audit planning, experienced auditors, and in-depth audit reports.