1. What is ISO 28000?
ISO 28000 is an international standard developed by the International Organization for Standardization (ISO) for supply chain security management systems. Based on a process approach and the PDCA (Plan-Do-Check-Act) cycle, it provides a systematic framework for organizations of all types to establish, implement, and improve supply chain security management systems.
This standard covers the entire supply chain process (from raw material procurement, production and processing, to warehousing, transportation, and delivery). Its core objective is to identify and control security risks in all stages of the supply chain (such as cargo theft, terrorist attacks, illegal infiltration, and logistics disruptions), ensuring the integrity, reliability, and continuity of the supply chain. It is applicable to all organizations involved in supply chain operations, including manufacturing, logistics, retail, etc.
2. Core Control Elements of ISO 28000
(1) Security Management Policy and Organization
• Top management formulates a clear supply chain security policy, defining security objectives and commitments.
• Appoints a supply chain security manager, assigns security responsibilities to each department, and ensures clear roles and effective coordination.
• Establishes a security management team with adequate human, technical, and financial resources.
(2) Risk Assessment and Treatment
• Identifies security risks across the entire supply chain (procurement, production, warehousing, transportation, delivery, and reverse logistics), including theft, hijacking, illegal intrusion, cargo tampering, and information leakage.
• Evaluates the likelihood and impact of risks, and classifies risk levels.
• Develops measures to eliminate, reduce, or transfer high‑risk points and establishes a risk control list.
(3) Supplier and Partner Security Control
• Conducts due diligence on the security capabilities of upstream and downstream partners and establishes an access review mechanism.
• Includes clear security clauses in contracts, requiring partners to comply with relevant ISO 28000 requirements.
• Regularly monitors partners’ security performance and conducts special audits on high‑risk partners.
(4) Facility and Physical Security
• Installs physical barriers (fences, access control) in factories, warehouses, etc., divides security zones, and implements graded access control.
• Installs security monitoring systems and intrusion alarm devices, deploys security personnel, and establishes patrol systems.
• Standardizes cargo loading/unloading and storage procedures, and implements cargo labeling and traceability mechanisms to prevent loss or tampering.
(5) Transportation and Logistics Security
• Selects compliant carriers and conducts security assessments of vehicles and drivers, together with risk-based route planning.
• Implements full‑process cargo monitoring using seals, GPS, and other technical means to ensure cargo security.
• Develops transportation emergency plans to address traffic accidents, cargo delays, severe weather, and other contingencies.
(6) Personnel Security Management
• Conducts background checks on key personnel to screen out potential security risks before granting access to sensitive roles.
• Provides supply chain security training for all employees, covering security policies, emergency procedures, and risk identification.
• Establishes personnel access authorization, requiring identification for entry into restricted areas and recording personnel movement.
(7) Information Security Control
• Protects sensitive supply chain information (such as cargo details, transportation routes, and customer data) from leakage, tampering, or theft.
• Establishes access control for information systems and regularly updates security measures.
• Develops information security incident response procedures to address vulnerabilities in a timely manner.
(8) Emergency Preparedness and Response
• Identifies potential security emergencies (such as fire, cargo hijacking, and pandemic‑related disruptions) and formulates targeted emergency plans.
• Conducts regular emergency drills to validate and optimize the plans.
• Establishes an emergency reporting and communication mechanism to coordinate internal and external stakeholders during crises.
(9) Monitoring, Audit, and Continuous Improvement
• Regularly monitors supply chain security performance indicators to track the effectiveness of risk control measures.
• Conducts internal audits and management reviews to assess the system’s compliance, suitability, and effectiveness.
• Develops corrective and preventive actions for audit findings or security incidents to drive continuous improvement of the security management system.