Supply Chain Security Management System Certification
ISO 28000 is the international standard for Security Management Systems — providing a structured framework for organisations to identify, assess and control security threats across the supply chain, from logistics operators and port authorities to manufacturers and freight forwarders.
What is ISO 28000?
ISO 28000 is the internationally recognised standard specifying requirements for a Security Management System (SMS) applicable to all organisations in the supply chain. It provides a systematic framework to identify security threats, assess security risks and implement appropriate controls to mitigate vulnerabilities across logistics, warehousing, ports, freight, manufacturing and related operations.
The 2022 edition represented a significant revision — replacing the 2007 version with a standard fully aligned with the ISO High-Level Structure (HLS), so that it can be integrated with ISO 9001, ISO 14001, ISO 45001 and ISO 27001. The revised standard focuses on risk-based security management, replacing the prescriptive checklist approach of the earlier edition with a flexible, proportionate framework.
ISO 28000 addresses a wide spectrum of supply chain security threats — including theft, piracy, terrorism, smuggling, counterfeiting, tampering, cyber attacks on logistics systems and insider threats. Organisations must identify which threats are relevant to their supply chain context, assess the likelihood and consequence of security incidents, and implement controls proportionate to the assessed risk.
For organisations operating internationally, ISO 28000 aligns closely with the WCO SAFE Framework of Standards and complements Authorised Economic Operator (AEO) programmes operated by customs authorities — providing a structured security management framework that supports AEO accreditation and trusted trader status.
Systematically identify security threats relevant to the supply chain — theft, piracy, smuggling, tampering, cyber threats — and assess their likelihood and impact.
Implement proportionate security controls across facilities, vehicles, personnel, cargo, ICT systems and supply chain partner interfaces.
ISO 28000 aligns with WCO SAFE Framework and supports Authorised Economic Operator (AEO) accreditation — facilitating faster customs clearance.
Establish procedures for detecting, reporting, investigating and recovering from security incidents — and for notifying relevant authorities.
Fully aligned with ISO HLS — integrate SMS with ISO 9001, ISO 14001, ISO 45001 and ISO 27001 in a single management system.
Benefits of ISO 28000 Certification
Third-party certification by RBA Registrars provides independent, credible verification that your management system meets international requirements.
Systematic threat identification and risk-based controls reduce the likelihood of cargo theft, tampering, smuggling concealment and supply chain disruption.
ISO 28000 certification supports Authorised Economic Operator (AEO) applications — enabling faster customs clearance and reduced inspection rates internationally.
Certification demonstrates to global supply chain partners — shippers, consignees, port authorities — that security management meets internationally recognised standards.
Provides a framework for compliance with national and international security regulations — including port facility security plans, aviation security requirements and customs regulations.
Demonstrable security management controls and lower incident rates can support favourable insurance premiums for logistics, cargo and liability cover.
Major shippers, retailers and manufacturers are increasingly requiring supply chain security management system certification from their logistics and warehousing providers.
Certification contributes to achieving multiple United Nations Sustainable Development Goals (SDGs), supporting your organisation's sustainability commitments and ESG reporting.
Why Certify with RBA Registrars?
RBA Registrars provides ISO 28000 certification services to organisations across the UK, Bangladesh, Asia and internationally — delivered by practising auditors with genuine sector competence and understanding of local and regional regulatory frameworks.
Our auditors are assessed for technical competence across specific NACE/EA sector codes prior to assignment, ensuring that every audit is conducted by someone who understands the management system requirements relevant to your industry.
Whether your organisation is implementing a system for the first time or transferring your existing ISO 28000 certificate from another body, RBA Registrars offers a clear, transparent and professionally conducted certification pathway.
All auditors assessed for NACE/EA sector knowledge before assignment.
Local knowledge, internationally recognised certification processes.
Impartial, consistent and integrity-driven certification operations.
Transfer your existing certificate to RBA Registrars via a streamlined process.
RBA Registrars can support your staff training alongside certification.
Implementing Your Management System
ISO 28000 follows the Plan–Do–Check–Act (PDCA) cycle. The eight stages below map the standard's clauses to a logical implementation sequence.
Define the SMS scope across supply chain activities. Understand the security environment, applicable regulations and interested parties' requirements. (Cl. 4)
Top management establishes the Security Policy, appoints a Security Management Representative and defines roles, responsibilities and authorities. (Cl. 5)
Identify supply chain security threats. Assess risks — likelihood and consequence. Develop risk treatment plan. Set security objectives. (Cl. 6)
Provide resources — security personnel, CCTV, access control, ICT security. Establish competence and awareness training. Manage documented information. (Cl. 7)
Implement physical, personnel and ICT security controls. Manage contractors and supply chain partners. Establish incident detection and response procedures. (Cl. 8)
Monitor security performance indicators — incident rates, detection rates, response times. Evaluate control effectiveness. Evaluate compliance with security regulations. (Cl. 9)
Audit SMS conformity and security control effectiveness. Investigate security incidents. Implement and verify corrective actions. (Cl. 9.2)
Top management reviews SMS performance, security threat landscape changes and improvement priorities. Updates risk assessments and objectives. (Cl. 9.3, 10)
ISO 28000 Certification Process
RBA Registrars' certification pathway is transparent, structured and aligned with ISO/IEC 17021-1 — from initial enquiry through to certificate issue and ongoing surveillance.
Contact RBA Registrars to discuss your organisation's activities, the proposed ISO 28000 scope, number of sites and relevant NACE/EA sector codes. We confirm auditor competence for your sector and issue a tailored, no-obligation quotation.
Complete the RBA Registrars Application for Systems Certification and sign the Certification Agreement setting out the audit programme, fees, surveillance schedule, certification mark rights, confidentiality and rights of appeal.
An RBA Registrars auditor reviews your ISO 28000 management system documentation to assess readiness for the Stage 2 implementation audit. The Stage 1 report identifies any significant gaps to address before Stage 2 proceeds.
A comprehensive on-site or remote audit assessing the full implementation and effectiveness of the management system against all normative clauses of ISO 28000. Nonconformities must be closed before certification is granted.
An independent technical reviewer — not involved in either audit — reviews the complete audit file and makes the certification decision. On approval, RBA Registrars issues an ISO 28000 certificate valid for three years.
At least one surveillance audit per calendar year verifies continued conformity with ISO 28000, monitors system performance and checks progress on objectives and corrective actions.
Before certificate expiry, RBA Registrars conducts a full recertification audit. On successful completion, the certificate is renewed for a further three-year cycle.
The RBA Registrars Certification Mark
Once certified to ISO 28000, RBA Registrars will issue your certificate and authorise use of the RBA Registrars certification mark on tenders, client communications, AEO applications and marketing materials. The mark demonstrates to customs authorities, supply chain partners and clients that your security management system has been independently certified to the international standard.
ISO 28000 — Edition & Transition
The 2022 edition of ISO 28000 significantly revised and replaced ISO 28000:2007, introducing full HLS alignment and a more flexible risk-based approach. Organisations previously certified to ISO 28000:2007 should have transitioned to the 2022 edition. RBA Registrars issues certificates to the 2022 edition of ISO 28000. Contact us to discuss certification or transition from an earlier edition.
Ready to achieve ISO 28000 certification?
Contact RBA Registrars for a no-obligation scoping call and tailored quotation.