Fifteen years after its initial publication, the international standard for supply chain security management systems is being revised. The new version, to be published in early 2022, will align the standard with other ISO management system standards and increase clarity and consistency. In this article, we have summarized the key changes. As soon as more info is available, we will also report on the transition timeline.

Let's start with some welcome news for the more than 2500 sites already using the standard: The new version of ISO 28000 contains virtually no new requirements. Companies already certified to ISO 28000:2007 should have no problems transitioning to ISO 28000:2022.

So if there are no new requirements, why did ISO even bother to develop a new version? The answer lies in harmonization: because ISO 28000 is over a decade old, it was out of step with other related ISO standards, such as the management systems standards, the resilience and security standards (ISO 22316), and the risk management standard ISO 31000.

Alignment with the ISO Harmonized Structure (HS)

At first glance, one might think that the changes in ISO 28000:2022 are quite drastic: The entire structure has been rearranged. However, upon closer inspection, it becomes clear that the requirements themselves have barely changed - they are simply presented in a new format.

Like all ISO management system standards, ISO 28000 now uses the so-called Harmonized Structure (HS). This is a structure, core text and definitions common to all management system standards. With this approach, ISO ensures that management systems are harmonized and can be easily integrated.

If your company is also certified to ISO 9001, ISO 14001 and/or ISO 45001, we recommend that you discuss with the relevant departments how the management systems can be harmonized and integrated internally. Since all of these standards share the same structure and core requirements, the teams responsible for implementing and maintaining these standards can take advantage of the synergies and promote a common understanding of the management systems.

Other changes

Recommendations were added in two places in the standard. Important: Recommendations are not requirements. In ISO management system standards, requirements are usually indicated with the verb "shall," while recommendations are described with "should."

- In clause 4.2.3, a number of principles have been added to harmonize the standard with the ISO 31000 risk management guidelines. However, many of these principles are not new - rather, they serve to provide additional clarification of some requirements.
- In Section 8, recommendations have been added to ensure consistency with ISO 22301, the international standard for business continuity management systems. This relates to security policies, procedures, processes and treatments (8.5), as well as security plans (8.6).

Timetable & Transition Period

In March 2022, the revision of ISO 28000 was published. You can access the standard here. The publication marks the beginning of a three-year transition period. All companies must complete the transition before the end of the three-year period.

DQS: Your partner for ISO 28000:2022 certification

DQS is an accredited certification body for the ISO 28000 standard, and we're here to help - with smooth audit planning, experienced auditors, and in-depth audit reports.

Dr. Thijs Willaert

Dr. Thijs Willaert is Head of Marketing & Communications for the Sustainability and Food Safety segments. He is also an auditor for the external audit of sustainability reports. His areas of interest include sustainability management, sustainable procurement, and the digitalization of the audit landscape.