By CAS

ISO 28000:2022 — Security Management Systems

Security and resilience — security management systems for the supply chain. ISO 28000:2022 (second edition) replaces ISO 28001:2007 with a comprehensive PDCA-based security management system framework, aligned with ISO 31000 (risk) and ISO 22301 (business continuity).

ISO 28000:2022 + Amd.1:2024 (SeMS)

What Is a Security Management System?

ISO 28000:2022 is the second edition of the international standard for security management systems, prepared by Technical Committee ISO/TC 292 (Security and resilience), published March 2022. It cancels and replaces ISO 28000:2007 (also known as ISO 28001:2007 — Supply Chain Security). The 2022 edition maintains existing requirements while adding recommendations aligned with ISO 31000 (risk management) in Clause 4, and recommendations for better consistency with ISO 22301 (business continuity) in Clause 8 — including security strategies, procedures, processes and treatments, security plans with response structure, warning and communication, and recovery. It applies the Plan-Do-Check-Act (PDCA) model to the organisation's security management system.

Who Is This For?

Logistics companies, freight forwarders, customs brokers, exporters, importers, port operators, and supply chain participants requiring documented security management practices for international trade.

Key Benefits
  • Demonstrates supply chain security practices to customs and trade authorities
  • Supports AEO (Authorised Economic Operator) status applications
  • Reduces risk of cargo theft, tampering, and smuggling
  • Required by some shipping lines and logistics clients
  • Structured approach to supply chain threat and risk assessment
  • Improves supply chain transparency and traceability

Certification Process

1. Application & Review
   Submit your application. CAS reviews your organisation's scope, personnel, sites, and activities to prepare a detailed audit time calculation and formal commercial proposal.

2. Stage 1 — Document Review
   On-site or remote review of your management system documentation, readiness assessment, and confirmation of Stage 2 audit scope and plan.

3. Stage 2 — On-site Audit
   Full on-site audit of the implemented management system against the standard's requirements. Findings are reported; nonconformities must be closed before certification.

4. Certification Decision
   CAS's independent certification committee reviews the audit findings and issues the certificate. The certificate is valid for 3 years.

5. Surveillance & Recertification
   Annual surveillance audits (~1/3 of initial audit time) maintain certification. A recertification audit (~2/3 of initial audit time) is conducted before certificate expiry to renew for a further 3 years.

Frequently Asked Questions

ISO 28000:2022 (Second edition, March 2022) cancels and replaces ISO 28001:2007. The 2022 edition adopts the PDCA management system model, adds ISO 31000 risk management alignment in Clause 4, and adds ISO 22301 business continuity alignment in Clause 8 with security strategies, procedures, and security plans including response and recovery. Both standards address supply chain security — ISO 28001:2007 remains valid for organisations with existing certificates during any transition period.
ISO 28001 is aligned with the principles of C-TPAT (US Customs-Trade Partnership Against Terrorism) and similar trade security programmes. It provides a certifiable standard for supply chain security practices.