BS ISO 28001 Security management systems for the supply chain. Best practices for implementing supply chain security, assessments and plans. Requirements and guidance

BS ISO 28001:2007

Security management systems for the supply chain. Best practices for implementing supply chain security, assessments and plans. Requirements and guidance

Status : Confirmed, Current   Published : December 2007




BS ISO 28001 is the standard that provides requirements and guidance for organizations in international supply chains to:

  • Develop and implement supply chain security processes
  • Establish and document a minimum level of security within a supply chain(s) or segment of a supply chain
  • Assist in meeting the applicable authorized economic operator (AEO) criteria set forth in the World Customs Organization Framework of Standards and conforming national supply chain security programmes.

Only a participating National Customs Agency can designate organizations as AEOs in accordance with its supply chain security programme and its attendant certification and validation requirements.

In addition, BS ISO 28001 establishes certain documentation requirements that permit verification. Organizations can use BS ISO 28001 to:

  • Define the portion of an international supply chain within which they have established security
  • Conduct security assessments on that portion of the supply chain and develop adequate countermeasures
  • Develop and implement a supply chain security plan
  • Train security personnel in their security related duties.

Security incidents against international supply chains are threats to international trade and the economic growth of trading nations. People, goods, infrastructure and equipment — including means of transport — need to be protected against security incidents and their potentially devastating effects. Such protection benefits the economy and society as a whole.

International supply chains are highly dynamic and consist of many entities and business partners. BS ISO 28001 recognizes this complexity. It has been developed to allow an individual organization in the supply chain to apply its requirements in conformance with the organization’s particular business model and its role and function in the international supply chain.

BS ISO 28001 provides an option for organizations to establish and document reasonable levels of security within international supply chains and their components. It will enable such organizations to make better risk-based decisions concerning the security in those international supply chains.

BS ISO 28001 is multimodal and is intended to be in concert with and to complement the World Customs Organization’s Framework of Standards to Secure and Facilitate Global Trade (the SAFE Framework). It does not attempt to cover, replace or supersede individual customs agencies’ supply chain security programmes and their certification and validation requirements.

Organizations can implement BS ISO 28001 in order to establish adequate levels of security within the parts of the international supply chain that they control. It is also a basis for determining or validating the level of existing security within an organization’s supply chain, whether by internal or external auditors or by those government agencies that choose to use compliance with BS ISO 28001 as the baseline for acceptance into their supply chain security programmes.

Customers, business partners, government agencies and others might request organizations that claim compliance with BS ISO 28001 to undergo an audit or a validation to confirm such compliance. Government agencies might find it mutually agreeable to accept validations conducted by other governments’ agencies. If a third-party organization audit is to be conducted, then the organization needs to consider employing a third-party certification body accredited by a competent body, which is a member of the International Accreditation Forum.

BS ISO 28001 is not intended to duplicate governmental requirements and standards regarding supply chain security in compliance with the WCO SAFE Framework. Organizations that have already been certified or validated by mutually recognizing governments are compliant with BS ISO 28001.

Outputs resulting from BS ISO 28001 will be the following:

  • A Statement of Coverage that defines the boundaries of the supply chain that is covered by the security plan.
  • A Security Assessment that documents the vulnerabilities of the supply chain to defined security threat scenarios. It also describes the impacts that can reasonably be expected from each of the potential security threat scenarios.
  • A Security Plan that describes the security measures in place to manage the security threat scenarios identified by the Security Assessment.
  • A training programme setting out how security personnel will be trained to meet their assigned security related duties.

To undertake the security assessment needed to produce the security plan, an organization using BS ISO 28001 will:

  • Identify the threats posed (security threat scenarios)
  • Determine how likely it is that each of the security threat scenarios identified by the Security Assessment could be progressed by an adversary into a security incident.

This determination is made by reviewing the current state of security in the supply chain. Based on the findings of that review, professional judgment is used to identify how vulnerable the supply chain is to each security threat scenario.

If the supply chain is considered unacceptably vulnerable to a security threat scenario, the organization will develop additional procedures or operational changes to lower the likelihood, the consequence, or both. These are called countermeasures. Based upon a system of priorities, countermeasures need to be incorporated into the security plan to reduce the threat to an acceptable level.

BS ISO 28001 contains illustrative examples of risk-management-based security processes for protecting people, assets and international supply chain missions. They facilitate both a macro approach for complex supply chains and more discrete approaches for particular aspects of a supply chain.

These examples are also intended to:

  • Facilitate understanding, adoption and implementation of methodologies that can be customized by organizations
  • Provide guidance for baseline security management and for continual improvement
  • Assist organizations in managing resources to address existing and emerging security risks
  • Describe possible means for the assessment of risk and the mitigation of security threats in the supply chain, from raw material allocation through storage, manufacturing and transportation of finished goods to the marketplace.

BS ISO 28001 also contains guidance for obtaining advice and certification for BS ISO 28001 if an organization using it chooses to exercise this option.

Contents of BS ISO 28001 include:

  • Scope
  • Normative references
  • Terms and definitions
  • Field of application
  • Statement of application
  • Business partners
  • Internationally accepted certificates or approvals
  • Business partners exempt from security declaration requirement
  • Security reviews of business partners
  • Supply chain security process
  • Identification of the scope of security assessment
  • Conduction of the security assessment
  • Development of the supply chain security plan
  • Execution of the supply chain security plan
  • Documentation and monitoring of the supply chain security process
  • Actions required after a security incident
  • Protection of the security information
  • Supply chain security process
  • Identification of the scope of the security assessment
  • Conduction of the security assessment
  • Development of the security plan
  • Execution of the security plan
  • Documentation and monitoring of the security process
  • Continual improvement
  • Methodology for security risk assessment and development of countermeasures
  • Step one – Consideration of the security threat scenarios
  • Step two – Classification of consequences
  • Step three – Classification of likelihood of security incidents
  • Step four – Security incident scoring
  • Step five – Development of countermeasures
  • Step six – Implementation of countermeasures
  • Step seven – Evaluation of countermeasures
  • Step eight – Repetition of the process
  • Continuation of the process
  • Guidance for obtaining advice and certification
  • Demonstrating conformance with ISO 28001 by audit
  • Certification of ISO 28001 by third party certification bodies
  • Bibliography


Standard Number: BS ISO 28001:2007
Title: Security management systems for the supply chain. Best practices for implementing supply chain security, assessments and plans. Requirements and guidance
Status: Confirmed, Current
Publication Date: 31 December 2007
Confirm Date: 24 February 2021
Normative References (required to achieve compliance with this standard): SOLAS, 1974, International Convention for the Safety of Life at Sea
Informative References (provided for information): ISO 28000:2007, ISO 17021:2006, ISO 28003:2007, ISO/PAS 20858:2004, ISO 19011:2002, ISO/PAS 17712:2006, ISO 14001:2004, SAFE Framework of Standards, International Safety Management (ISM) Code, ISO 9001:2000
Replaces: DD ISO/PAS 28001:2006
International Relationships: ISO 28001:2007
Draft Superseded By: 07/30161531 DC
Descriptors: Quality assurance systems, Security, Materials handling operations, Transportation, Marine transport, Materials handling, Freight transport, Personnel, Documents, Physical distribution management, Safety measures, Risk assessment, Logistics, Management
Title in French: Systèmes de management de la sûreté pour la chaîne d'approvisionnement. Meilleures pratiques pour la mise en application de la sûreté de la chaîne d'approvisionnement, évaluations et plans. Exigences et guidage
Title in German: Sicherheitsmanagementssysteme für die Lieferkette. Gute fachliche Praxis zur Einführung von Sicherheitssystemen der Lieferkette, Beurteilung und Planung. Anforderungen und Leitfaden
ISBN: 978 0 580 58319 3
File Size: 583 KB
