ISO 28000:2007

SLOVENSKI STANDARD
SIST ISO 28000:2018
01-april-2018
Specifikacija za sisteme vodenja varnosti za dobavno verigo
Specification for security management systems for the supply chain
Spécifications relatives aux systèmes de management de la sûreté de la chaîne
d'approvisionnement
Ta slovenski standard je istoveten z: ISO 28000:2007
ICS:
03.100.10 Nabava. Dobava. Logistika Purchasing. Procurement.
Logistics
03.100.70 Sistemi vodenja Management systems
SIST ISO 28000:2018 en,fr
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST ISO 28000:2018

---------------------- Page: 2 ----------------------

SIST ISO 28000:2018

INTERNATIONAL ISO
STANDARD 28000
First edition
2007-09-15

Specification for security management
systems for the supply chain
Spécifications pour les systèmes de management de la sûreté pour la
chaîne d'approvisionnement




Reference number
ISO 28000:2007(E)
©
ISO 2007

---------------------- Page: 3 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2007 – All rights reserved

---------------------- Page: 4 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Security management system elements . 3
4.1 General requirements. 3
4.2 Security management policy . 4
4.3 Security risk assessment and planning . 4
4.4 Implementation and operation . 7
4.5 Checking and corrective action . 10
4.6 Management review and continual improvement . 12
Annex A (informative) Correspondence between ISO 28000:2007, ISO 14001:2004 and
ISO 9001:2000. 13
Bibliography . 16

© ISO 2007 – All rights reserved iii

---------------------- Page: 5 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 28000 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration
with other relevant technical committees responsible for specific nodes of the supply chain.
This first edition of ISO 28000 cancels and replaces ISO/PAS 28000:2005, which has been technically revised
iv © ISO 2007 – All rights reserved

---------------------- Page: 6 ----------------------

O 2 858: Ma tim Po t Fac ty Sec r ty
IS 0 ri e r ili u i
          Assessments and Security Plan
I 280 : Be ract s Cu dy in
SO 01 st P ice sto
          Supply Chain Security
Other specific existing standards or those
to be developed.
SIST ISO 28000:2018
ISO 28000:2007(E)
Introduction
This International Standard has been developed in response to demand from industry for a security
management standard. Its ultimate objective is to improve the security of supply chains. It is a high-level
management standard that enables an organization to establish an overall supply chain security management
system. It requires the organization to assess the security environment in which it operates and to determine if
adequate security measures are in place and if other regulatory requirements already exist with which the
organization complies. If security needs are identified by this process, the organization should implement
mechanisms and processes to meet these needs. Since supply chains are dynamic in nature, some
organizations managing multiple supply chains may look to their service providers to meet related
governmental or ISO supply chain security standards as a condition of being included in that supply chain in
order to simplify security management as illustrated in Figure 1.
ISO 28000:
Security
management systems
for the supply chain

Figure 1 — Relationship between ISO 28000 and other relevant standards
© ISO 2007 – All rights reserved v

---------------------- Page: 7 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
This International Standard is intended to apply in cases where an organization’s supply chains are required
to be managed in a secure manner. A formal approach to security management can contribute directly to the
business capability and credibility of the organization.
Compliance with an International Standard does not in itself confer immunity from legal obligations. For
organizations that so wish, compliance of the security management system with this International Standard
may be verified by an external or internal auditing process.
This International Standard is based on the ISO format adopted by ISO 14001:2004 because of its risk based
approach to management systems. However, organizations that have adopted a process approach to
management systems (e.g. ISO 9001:2000) may be able to use their existing management system as a
foundation for a security management system as prescribed in this International Standard. It is not the
intention of this International Standard to duplicate governmental requirements and standards regarding
supply chain security management to which the organization has already been certified or verified compliant.
Verification may be by an acceptable first, second, or third party organization.
NOTE This International Standard is based on the methodology known as Plan-Do-Check-Act (PDCA). PDCA can be
described as follows.
⎯ Plan: establish the objectives and processes necessary to deliver results in accordance with the organization’s
security policy.
⎯ Do: implement the processes.
⎯ Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and
report results.
⎯ Act: take actions to continually improve performance of the security management system.

vi © ISO 2007 – All rights reserved

---------------------- Page: 8 ----------------------

SIST ISO 28000:2018
INTERNATIONAL STANDARD ISO 28000:2007(E)

Specification for security management systems for the supply
chain
1 Scope
This International Standard specifies the requirements for a security management system, including those
aspects critical to security assurance of the supply chain. Security management is linked to many other
aspects of business management. Aspects include all activities controlled or influenced by organizations that
impact on supply chain security. These other aspects should be considered directly, where and when they
have an impact on security management, including transporting these goods along the supply chain.
This International Standard is applicable to all sizes of organizations, from small to multinational, in
manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
a) establish, implement, maintain and improve a security management system;
b) assure conformance with stated security management policy;
c) demonstrate such conformance to others;
d) seek certification/registration of its security management system by an Accredited third party Certification
Body; or
e) make a self-determination and self-declaration of conformance with this International Standard.
There are legislative and regulatory codes that address some of the requirements in this International
Standard.
It is not the intention of this International Standard to require duplicative demonstration of conformance.
Organizations that choose third party certification can further demonstrate that they are contributing
significantly to supply chain security.
2 Normative references
No normative references are cited. This clause is included in order to retain clause numbering similar to other
management system standards.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
facility
plant, machinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant
and related systems that have a distinct and quantifiable business function or service
NOTE This definition includes any software code that is critical to the delivery of security and the application of
security management.
© ISO 2007 – All rights reserved 1

---------------------- Page: 9 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
3.2
security
resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain
3.3
security management
systematic and coordinated activities and practices through which an organization optimally manages its risks,
and the associated potential threats and impacts therefrom
3.4
security management objective
specific outcome or achievement required of security in order to meet the security management policy
NOTE It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or
services delivered by the total business to its customers or end users.
3.5
security management policy
overall intentions and direction of an organization, related to the security and the framework for the control of
security-related processes and activities that are derived from and consistent with the organization’s policy
and regulatory requirements
3.6
security management programmes
means by which a security management objective is achieved
3.7
security management target
specific level of performance required to achieve a security management objective
3.8
stakeholder
person or entity having a vested interest in the organization’s performance, success or the impact of its
activities
NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees,
contractors, suppliers, labour organizations, or society.
3.9
supply chain
linked set of resources and processes that begins with the sourcing of raw material and extends through the
delivery of products or services to the end user across the modes of transport
NOTE The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution centers,
distributors, wholesalers and other entities that lead to the end user.
3.9.1
downstream
refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo
leaves the direct operational control of the organization, including but not limited to insurance, finance, data
management, and the packing, storing and transferring of cargo
3.9.2
upstream
refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo
comes under the direct operational control of the organization, including but not limited to insurance, finance,
data management, and the packing, storing and transferring of cargo
2 © ISO 2007 – All rights reserved

---------------------- Page: 10 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
3.10
top management
person or group of people who directs and controls an organization at the highest level
NOTE Top management, especially in a large multinational organization, may not be personally involved as
described in this International Standard; however top management accountability through the chain of command shall be
manifest.
3.11
continual improvement
recurring process of enhancing the security management system in order to achieve improvements in overall
security performance consistent with the organization’s security policy
4 Security management system elements

CONTINUAL
IMPROVEMENT
Security management
policy
Management review and
continual improvement
Security planning
Risk assessment
Regulatory requirements
Security objectives and targets
Security management programme
Checking and corrective action
Measurement and monitoring
System evaluation
Non-conformance and corrective Implementation and operation
and preventive action Responsibilities and competence,
Records Communication
Audit Documentation
Operational control
Emergency preparedness

Figure 2 — Security management system elements
4.1 General requirements
The organization shall establish, document, implement, maintain and continually improve an effective security
management system for identifying security threats, assessing risks and controlling and mitigating their
consequences.
The organization shall continually improve its effectiveness in accordance with the requirements set out in the
whole of Clause 4.
The organization shall define the scope of its security management system. Where an organization chooses
to outsource any process that affects conformity with these requirements, the organization shall ensure that
such processes are controlled. The necessary controls and responsibilities of such outsourced processes
shall be identified within the security management system.
© ISO 2007 – All rights reserved 3

---------------------- Page: 11 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
4.2 Security management policy
The organization’s top management shall authorize an overall security management policy. The policy shall:
a) be consistent with other organizational policies;
b) provide the framework which, enables the specific security management objectives, targets and
programmes to be produced;
c) be consistent with the organization’s overall security threat and risk management framework;
d) be appropriate to the threats to the organization and the nature and scale of its operations;
e) clearly state the overall/broad security management objectives;
f) include a commitment to continual improvement of the security management process;
g) include a commitment to comply with current applicable legislation, regulatory and statutory requirements
and with other requirements to which the organization subscribes;
h) be visibly endorsed by top management;
i) be documented, implemented and maintained;
j) be communicated to all relevant employees and third parties including contractors and visitors with the
intent that these persons are made aware of their individual security management-related obligations;
k) be available to stakeholders where appropriate;
l) provide for its review in case of the acquisition of, or merger with other organizations, or other change to
the business scope of the organization which may affect the continuity or relevance of the security
management system.
NOTE Organizations may choose to have a detailed security management policy for internal use which would
provide sufficient information and direction to drive the security management system (parts of which may be confidential)
and have a summarized (non-confidential) version containing the broad objectives for dissemination to its stakeholders
and other interested parties.
4.3 Security risk assessment and planning
4.3.1 Security risk assessment
The organization shall establish and maintain procedures for the ongoing identification and assessment of
security threats and security management-related threats and risks, and the identification and implementation
of necessary management control measures. Security threats and risk identification, assessment and control
methods should, as a minimum, be appropriate to the nature and scale of the operations. This assessment
shall consider the likelihood of an event and all of its consequences which shall include:
a) physical failure threats and risks, such as functional failure, incidental damage, malicious damage or
terrorist or criminal action;
b) operational threats and risks, including the control of the security, human factors and other activities
which affect the organizations performance, condition or safety;
c) natural environmental events (storm, floods, etc.), which may render security measures and equipment
ineffective;
d) factors outside of the organization’s control, such as failures in externally supplied equipment and
services;
4 © ISO 2007 – All rights reserved

---------------------- Page: 12 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
e) stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or
brand;
f) design and installation of security equipment including replacement, maintenance, etc.
g) information and data management and communications;
h) a threat to continuity of operations.
The organization shall ensure that the results of these assessments and the effects of these controls are
considered and, where appropriate, provide input into:
a) security management objectives and targets;
b) security management programmes;
c) the determination of requirements for the design, specification and installation;
d) identification of adequate resources including staffing levels;
e) identification of training needs and skills (see 4.4.2);
f) development of operational controls (see 4.4.6);
g) the organization’s overall threat and risk management framework.
The organization shall document and keep the above information up to date.
The organization’s methodology for threat and risk identification and assessment shall:
a) be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive;
b) include the collection of information related to security threats and risks;
c) provide for the classification of threats and risks and identification of those that are to be avoided,
eliminated or controlled;
d) provide for the monitoring of actions to ensure effectiveness and the timeliness of their implementation
(see 4.5.1).
4.3.2 Legal, statutory and other security regulatory requirements
The organization shall establish, implement and maintain a procedure
a) to identify and have access to the applicable legal requirements and other requirements to which the
organization subscribes related to its security threat and risks, and
b) to determine how these requirements apply to its security threats and risks.
The organization shall keep this information up-to-date. It shall communicate relevant information on legal and
other requirements to its employees and other relevant third parties including contractors.
© ISO 2007 – All rights reserved 5

---------------------- Page: 13 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
4.3.3 Security management objectives
The organization shall establish, implement and maintain documented security management objectives at
relevant functions and levels within the organization. The objectives shall be derived from and consistent with
the policy. When establishing and reviewing its objectives, an organization shall take into account:
a) legal, statutory and other security regulatory requirements;
b) security related threats and risks;
c) technological and other options;
d) financial, operational and business requirements;
e) views of appropriate stakeholders.
The security management objectives shall be:
a) consistent with the organization’s commitment to continual improvement;
b) quantified (where practicable);
c) communicated to all relevant employees and third parties, including contractors, with the intent that these
persons are made aware of their individual obligations;
d) reviewed periodically to ensure that they remain relevant and consistent with the security management
policy. Where necessary the security management objectives shall be amended accordingly.
4.3.4 Security management targets
The organization shall establish, implement and maintain documented security management targets
appropriate to the needs of the organization. The targets shall be derived from and be consistent with the
security management objectives.
These targets shall be:
a) to an appropriate level of detail;
b) specific, measurable, achievable, relevant and time-based (where practicable);
c) communicated to all relevant employees and third parties including contractors with the intent that these
persons are made aware of their individual obligations;
d) reviewed periodically to ensure that they remain relevant and consistent with the security management
objectives. Where necessary the targets shall be amended accordingly.
4.3.5 Security management programmes
The organization shall establish, implement and maintain security management programmes for achieving its
objectives and targets.
The programmes shall be optimized and then prioritized, and the organization shall provide for the efficient
and cost effective implementation of these programmes.
This shall include documentation which describes:
a) the designated responsibility and authority for achieving security management objectives and targets;
b) the means and time-scale by which security management objectives and targets are to be achieved.
The security management programmes shall be reviewed periodically to ensure that they remain effective and
consistent with the objectives and targets. Where necessary the programmes shall be amended accordingly.
6 © ISO 2007 – All rights reserved

---------------------- Page: 14 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
4.4 Implementation and operation
4.4.1 Structure, authority and responsibilities for security management
The organization shall establish and maintain an organizational structure of roles, responsibilities and
authorities, consistent with the achievement of its security management policy, objectives, targets and
programmes.
These roles, responsibilities and authorities shall be defined, documented and communicated to the
individuals responsible for implementation and maintenance.
Top management shall provide evidence of its commitment to the development and implementation of the
security management system (processes) and continually improving its effectiveness by:
a) appointing a member of top management who, irrespective of other responsibilities, shall be responsible
for the overall design, maintenance, documentation and improvement of the organization’s security
management system;
b) appointing (a) member(s) of management with the necessary authority to ensure that the objectives and
targets are implemented;
c) identifying and monitoring the requirements and expectations of the organization’s stakeholders and
taking appropriate and timely action to manage these expectations;
d) ensuring the availability of adequate resources;
e) considering the adverse impact that the security management policy; objectives, targets, programmes,
etc. may have on other aspects of the organization;
f) ensuring any security programmes generated from other parts of the organization complement the
security management system;
g) communicating to the organization the importance of meeting its security management requirements in
order to comply with its policy;
h) ensuring security-related threats and risks are evaluated and included in organizational threat and risk
assessments, as appropriate;
i) ensuring the viability of the security management objectives, targets and programmes.
4.4.2 Competence, training and awareness
The organization shall ensure that personnel responsible for the design, operation and management of
security equipment and processes are suitably qualified in terms of education, training and/or experience. The
organization shall establish and maintain procedures to make persons working for it or on its behalf aware of:
a) the importance of compliance with the security management policy and procedures, and to the
requirements of the security management system;
b) their roles and responsibilities in achieving compliance with the security management policy and
procedures and with the requirements of the security management system, including emergency
preparedness and response requirements;
c) the potential consequences to the organization’s security by departing from specified operating
procedures.
Records of competence and training shall be kept.
© ISO 2007 – All rights reserved 7

---------------------- Page: 15 ----------------------

SIST ISO 28000:2018
ISO 28000:2007(E)
4.4.3 Communication
The organization shall have procedures for ensuring that pertinent security management information is
communicated to and from relevant employees, contractors and other stakeholders.
Because of the sensitive nature of certain security related information, due consideration should be given to
the sensitivity of information prior to dissemination.
4.4.4 Documentation
The organization shall establish and maintain a security management documentation system that includes,
but is not limited to the following:
a) the security policy, objectives and targets,
b) description of the scope of the security management system,
c) description of the main elements of the security management system and their interaction, and reference
to related documents,
d) documents, including records, required by this International Standard, and
e) documents, including records determined by the organization to be necessary to ensure the effective
planning, operation and control of processes that relate to its significant security threats and risks.
The organization shall determine the security sensitivity of information and shall take steps to prevent
unauthorized access.
4.4.5 Document and data control
The organization shall establish and maintain procedures for controlling all documents, data and information
required by Clause 4 of this International Standard to ensure that:
a) these documents, data and information can be located and accessed only by authorized individuals;
b) these documents, data and information are periodically review
...

INTERNATIONAL ISO
STANDARD 28000
First edition
2007-09-15

Specification for security management
systems for the supply chain
Spécifications pour les systèmes de management de la sûreté pour la
chaîne d'approvisionnement




Reference number
ISO 28000:2007(E)
©
ISO 2007

---------------------- Page: 1 ----------------------
ISO 28000:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2007 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 28000:2007(E)
Contents Page
Foreword. iv
Introduction . v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions. 1
4 Security management system elements . 3
4.1 General requirements. 3
4.2 Security management policy . 4
4.3 Security risk assessment and planning . 4
4.4 Implementation and operation . 7
4.5 Checking and corrective action . 10
4.6 Management review and continual improvement . 12
Annex A (informative) Correspondence between ISO 28000:2007, ISO 14001:2004 and
ISO 9001:2000. 13
Bibliography . 16

© ISO 2007 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO 28000:2007(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 28000 was prepared by Technical Committee ISO/TC 8, Ships and marine technology, in collaboration
with other relevant technical committees responsible for specific nodes of the supply chain.
This first edition of ISO 28000 cancels and replaces ISO/PAS 28000:2005, which has been technically revised
iv © ISO 2007 – All rights reserved

---------------------- Page: 4 ----------------------
O 2 858: Ma tim Po t Fac ty Sec r ty
IS 0 ri e r ili u i
          Assessments and Security Plan
I 280 : Be ract s Cu dy in
SO 01 st P ice sto
          Supply Chain Security
Other specific existing standards or those
to be developed.
ISO 28000:2007(E)
Introduction
This International Standard has been developed in response to demand from industry for a security
management standard. Its ultimate objective is to improve the security of supply chains. It is a high-level
management standard that enables an organization to establish an overall supply chain security management
system. It requires the organization to assess the security environment in which it operates and to determine if
adequate security measures are in place and if other regulatory requirements already exist with which the
organization complies. If security needs are identified by this process, the organization should implement
mechanisms and processes to meet these needs. Since supply chains are dynamic in nature, some
organizations managing multiple supply chains may look to their service providers to meet related
governmental or ISO supply chain security standards as a condition of being included in that supply chain in
order to simplify security management as illustrated in Figure 1.
ISO 28000:
Security
management systems
for the supply chain

Figure 1 — Relationship between ISO 28000 and other relevant standards
© ISO 2007 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO 28000:2007(E)
This International Standard is intended to apply in cases where an organization’s supply chains are required
to be managed in a secure manner. A formal approach to security management can contribute directly to the
business capability and credibility of the organization.
Compliance with an International Standard does not in itself confer immunity from legal obligations. For
organizations that so wish, compliance of the security management system with this International Standard
may be verified by an external or internal auditing process.
This International Standard is based on the ISO format adopted by ISO 14001:2004 because of its risk based
approach to management systems. However, organizations that have adopted a process approach to
management systems (e.g. ISO 9001:2000) may be able to use their existing management system as a
foundation for a security management system as prescribed in this International Standard. It is not the
intention of this International Standard to duplicate governmental requirements and standards regarding
supply chain security management to which the organization has already been certified or verified compliant.
Verification may be by an acceptable first, second, or third party organization.
NOTE This International Standard is based on the methodology known as Plan-Do-Check-Act (PDCA). PDCA can be
described as follows.
⎯ Plan: establish the objectives and processes necessary to deliver results in accordance with the organization’s
security policy.
⎯ Do: implement the processes.
⎯ Check: monitor and measure processes against security policy, objectives, targets, legal and other requirements, and
report results.
⎯ Act: take actions to continually improve performance of the security management system.

vi © ISO 2007 – All rights reserved

---------------------- Page: 6 ----------------------
INTERNATIONAL STANDARD ISO 28000:2007(E)

Specification for security management systems for the supply
chain
1 Scope
This International Standard specifies the requirements for a security management system, including those
aspects critical to security assurance of the supply chain. Security management is linked to many other
aspects of business management. Aspects include all activities controlled or influenced by organizations that
impact on supply chain security. These other aspects should be considered directly, where and when they
have an impact on security management, including transporting these goods along the supply chain.
This International Standard is applicable to all sizes of organizations, from small to multinational, in
manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
a) establish, implement, maintain and improve a security management system;
b) assure conformance with stated security management policy;
c) demonstrate such conformance to others;
d) seek certification/registration of its security management system by an Accredited third party Certification
Body; or
e) make a self-determination and self-declaration of conformance with this International Standard.
There are legislative and regulatory codes that address some of the requirements in this International
Standard.
It is not the intention of this International Standard to require duplicative demonstration of conformance.
Organizations that choose third party certification can further demonstrate that they are contributing
significantly to supply chain security.
2 Normative references
No normative references are cited. This clause is included in order to retain clause numbering similar to other
management system standards.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
facility
plant, machinery, property, buildings, vehicles, ships, port facilities and other items of infrastructure or plant
and related systems that have a distinct and quantifiable business function or service
NOTE This definition includes any software code that is critical to the delivery of security and the application of
security management.
© ISO 2007 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO 28000:2007(E)
3.2
security
resistance to intentional, unauthorized act(s) designed to cause harm or damage to, or by, the supply chain
3.3
security management
systematic and coordinated activities and practices through which an organization optimally manages its risks,
and the associated potential threats and impacts therefrom
3.4
security management objective
specific outcome or achievement required of security in order to meet the security management policy
NOTE It is essential that such outcomes are linked either directly or indirectly to providing the products, supply or
services delivered by the total business to its customers or end users.
3.5
security management policy
overall intentions and direction of an organization, related to the security and the framework for the control of
security-related processes and activities that are derived from and consistent with the organization’s policy
and regulatory requirements
3.6
security management programmes
means by which a security management objective is achieved
3.7
security management target
specific level of performance required to achieve a security management objective
3.8
stakeholder
person or entity having a vested interest in the organization’s performance, success or the impact of its
activities
NOTE Examples include customers, shareholders, financiers, insurers, regulators, statutory bodies, employees,
contractors, suppliers, labour organizations, or society.
3.9
supply chain
linked set of resources and processes that begins with the sourcing of raw material and extends through the
delivery of products or services to the end user across the modes of transport
NOTE The supply chain may include vendors, manufacturing facilities, logistics providers, internal distribution centers,
distributors, wholesalers and other entities that lead to the end user.
3.9.1
downstream
refers to the actions, processes and movements of the cargo in the supply chain that occur after the cargo
leaves the direct operational control of the organization, including but not limited to insurance, finance, data
management, and the packing, storing and transferring of cargo
3.9.2
upstream
refers to the actions, processes and movements of the cargo in the supply chain that occur before the cargo
comes under the direct operational control of the organization, including but not limited to insurance, finance,
data management, and the packing, storing and transferring of cargo
2 © ISO 2007 – All rights reserved

---------------------- Page: 8 ----------------------
ISO 28000:2007(E)
3.10
top management
person or group of people who directs and controls an organization at the highest level
NOTE Top management, especially in a large multinational organization, may not be personally involved as
described in this International Standard; however top management accountability through the chain of command shall be
manifest.
3.11
continual improvement
recurring process of enhancing the security management system in order to achieve improvements in overall
security performance consistent with the organization’s security policy
4 Security management system elements

CONTINUAL
IMPROVEMENT
Security management
policy
Management review and
continual improvement
Security planning
Risk assessment
Regulatory requirements
Security objectives and targets
Security management programme
Checking and corrective action
Measurement and monitoring
System evaluation
Non-conformance and corrective Implementation and operation
and preventive action Responsibilities and competence,
Records Communication
Audit Documentation
Operational control
Emergency preparedness

Figure 2 — Security management system elements
4.1 General requirements
The organization shall establish, document, implement, maintain and continually improve an effective security
management system for identifying security threats, assessing risks and controlling and mitigating their
consequences.
The organization shall continually improve its effectiveness in accordance with the requirements set out in the
whole of Clause 4.
The organization shall define the scope of its security management system. Where an organization chooses
to outsource any process that affects conformity with these requirements, the organization shall ensure that
such processes are controlled. The necessary controls and responsibilities of such outsourced processes
shall be identified within the security management system.
© ISO 2007 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO 28000:2007(E)
4.2 Security management policy
The organization’s top management shall authorize an overall security management policy. The policy shall:
a) be consistent with other organizational policies;
b) provide the framework which, enables the specific security management objectives, targets and
programmes to be produced;
c) be consistent with the organization’s overall security threat and risk management framework;
d) be appropriate to the threats to the organization and the nature and scale of its operations;
e) clearly state the overall/broad security management objectives;
f) include a commitment to continual improvement of the security management process;
g) include a commitment to comply with current applicable legislation, regulatory and statutory requirements
and with other requirements to which the organization subscribes;
h) be visibly endorsed by top management;
i) be documented, implemented and maintained;
j) be communicated to all relevant employees and third parties including contractors and visitors with the
intent that these persons are made aware of their individual security management-related obligations;
k) be available to stakeholders where appropriate;
l) provide for its review in case of the acquisition of, or merger with other organizations, or other change to
the business scope of the organization which may affect the continuity or relevance of the security
management system.
NOTE Organizations may choose to have a detailed security management policy for internal use which would
provide sufficient information and direction to drive the security management system (parts of which may be confidential)
and have a summarized (non-confidential) version containing the broad objectives for dissemination to its stakeholders
and other interested parties.
4.3 Security risk assessment and planning
4.3.1 Security risk assessment
The organization shall establish and maintain procedures for the ongoing identification and assessment of
security threats and security management-related threats and risks, and the identification and implementation
of necessary management control measures. Security threats and risk identification, assessment and control
methods should, as a minimum, be appropriate to the nature and scale of the operations. This assessment
shall consider the likelihood of an event and all of its consequences which shall include:
a) physical failure threats and risks, such as functional failure, incidental damage, malicious damage or
terrorist or criminal action;
b) operational threats and risks, including the control of the security, human factors and other activities
which affect the organizations performance, condition or safety;
c) natural environmental events (storm, floods, etc.), which may render security measures and equipment
ineffective;
d) factors outside of the organization’s control, such as failures in externally supplied equipment and
services;
4 © ISO 2007 – All rights reserved

---------------------- Page: 10 ----------------------
ISO 28000:2007(E)
e) stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or
brand;
f) design and installation of security equipment including replacement, maintenance, etc.
g) information and data management and communications;
h) a threat to continuity of operations.
The organization shall ensure that the results of these assessments and the effects of these controls are
considered and, where appropriate, provide input into:
a) security management objectives and targets;
b) security management programmes;
c) the determination of requirements for the design, specification and installation;
d) identification of adequate resources including staffing levels;
e) identification of training needs and skills (see 4.4.2);
f) development of operational controls (see 4.4.6);
g) the organization’s overall threat and risk management framework.
The organization shall document and keep the above information up to date.
The organization’s methodology for threat and risk identification and assessment shall:
a) be defined with respect to its scope, nature and timing to ensure it is proactive rather than reactive;
b) include the collection of information related to security threats and risks;
c) provide for the classification of threats and risks and identification of those that are to be avoided,
eliminated or controlled;
d) provide for the monitoring of actions to ensure effectiveness and the timeliness of their implementation
(see 4.5.1).
4.3.2 Legal, statutory and other security regulatory requirements
The organization shall establish, implement and maintain a procedure
a) to identify and have access to the applicable legal requirements and other requirements to which the
organization subscribes related to its security threat and risks, and
b) to determine how these requirements apply to its security threats and risks.
The organization shall keep this information up-to-date. It shall communicate relevant information on legal and
other requirements to its employees and other relevant third parties including contractors.
© ISO 2007 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO 28000:2007(E)
4.3.3 Security management objectives
The organization shall establish, implement and maintain documented security management objectives at
relevant functions and levels within the organization. The objectives shall be derived from and consistent with
the policy. When establishing and reviewing its objectives, an organization shall take into account:
a) legal, statutory and other security regulatory requirements;
b) security related threats and risks;
c) technological and other options;
d) financial, operational and business requirements;
e) views of appropriate stakeholders.
The security management objectives shall be:
a) consistent with the organization’s commitment to continual improvement;
b) quantified (where practicable);
c) communicated to all relevant employees and third parties, including contractors, with the intent that these
persons are made aware of their individual obligations;
d) reviewed periodically to ensure that they remain relevant and consistent with the security management
policy. Where necessary the security management objectives shall be amended accordingly.
4.3.4 Security management targets
The organization shall establish, implement and maintain documented security management targets
appropriate to the needs of the organization. The targets shall be derived from and be consistent with the
security management objectives.
These targets shall be:
a) to an appropriate level of detail;
b) specific, measurable, achievable, relevant and time-based (where practicable);
c) communicated to all relevant employees and third parties including contractors with the intent that these
persons are made aware of their individual obligations;
d) reviewed periodically to ensure that they remain relevant and consistent with the security management
objectives. Where necessary the targets shall be amended accordingly.
4.3.5 Security management programmes
The organization shall establish, implement and maintain security management programmes for achieving its
objectives and targets.
The programmes shall be optimized and then prioritized, and the organization shall provide for the efficient
and cost effective implementation of these programmes.
This shall include documentation which describes:
a) the designated responsibility and authority for achieving security management objectives and targets;
b) the means and time-scale by which security management objectives and targets are to be achieved.
The security management programmes shall be reviewed periodically to ensure that they remain effective and
consistent with the objectives and targets. Where necessary the programmes shall be amended accordingly.
6 © ISO 2007 – All rights reserved

---------------------- Page: 12 ----------------------
ISO 28000:2007(E)
4.4 Implementation and operation
4.4.1 Structure, authority and responsibilities for security management
The organization shall establish and maintain an organizational structure of roles, responsibilities and
authorities, consistent with the achievement of its security management policy, objectives, targets and
programmes.
These roles, responsibilities and authorities shall be defined, documented and communicated to the
individuals responsible for implementation and maintenance.
Top management shall provide evidence of its commitment to the development and implementation of the
security management system (processes) and continually improving its effectiveness by:
a) appointing a member of top management who, irrespective of other responsibilities, shall be responsible
for the overall design, maintenance, documentation and improvement of the organization’s security
management system;
b) appointing (a) member(s) of management with the necessary authority to ensure that the objectives and
targets are implemented;
c) identifying and monitoring the requirements and expectations of the organization’s stakeholders and
taking appropriate and timely action to manage these expectations;
d) ensuring the availability of adequate resources;
e) considering the adverse impact that the security management policy; objectives, targets, programmes,
etc. may have on other aspects of the organization;
f) ensuring any security programmes generated from other parts of the organization complement the
security management system;
g) communicating to the organization the importance of meeting its security management requirements in
order to comply with its policy;
h) ensuring security-related threats and risks are evaluated and included in organizational threat and risk
assessments, as appropriate;
i) ensuring the viability of the security management objectives, targets and programmes.
4.4.2 Competence, training and awareness
The organization shall ensure that personnel responsible for the design, operation and management of
security equipment and processes are suitably qualified in terms of education, training and/or experience. The
organization shall establish and maintain procedures to make persons working for it or on its behalf aware of:
a) the importance of compliance with the security management policy and procedures, and to the
requirements of the security management system;
b) their roles and responsibilities in achieving compliance with the security management policy and
procedures and with the requirements of the security management system, including emergency
preparedness and response requirements;
c) the potential consequences to the organization’s security by departing from specified operating
procedures.
Records of competence and training shall be kept.
© ISO 2007 – All rights reserved 7

---------------------- Page: 13 ----------------------
ISO 28000:2007(E)
4.4.3 Communication
The organization shall have procedures for ensuring that pertinent security management information is
communicated to and from relevant employees, contractors and other stakeholders.
Because of the sensitive nature of certain security related information, due consideration should be given to
the sensitivity of information prior to dissemination.
4.4.4 Documentation
The organization shall establish and maintain a security management documentation system that includes,
but is not limited to the following:
a) the security policy, objectives and targets,
b) description of the scope of the security management system,
c) description of the main elements of the security management system and their interaction, and reference
to related documents,
d) documents, including records, required by this International Standard, and
e) documents, including records determined by the organization to be necessary to ensure the effective
planning, operation and control of processes that relate to its significant security threats and risks.
The organization shall determine the security sensitivity of information and shall take steps to prevent
unauthorized access.
4.4.5 Document and data control
The organization shall establish and maintain procedures for controlling all documents, data and information
required by Clause 4 of this International Standard to ensure that:
a) these documents, data and information can be located and accessed only by authorized individuals;
b) these documents, data and information are periodically reviewed, revised as necessary, and approved for
adequacy by authorized personnel;
c) current versions of relevant documents, data and information are available at all locations where
operations essential to the effective functioning of the security management system are performed;
d) obsolete documents, data and information are promptly removed from all points of issue and points of use,
or otherwise assured against unintended use;
e) archival documents, data and information retained for legal or knowledge preservation purposes or both
are suitably identified;
f) these documents, data and information are secure, and if in electronic form are adequately backed up
and can be recovered.
8 © ISO 2007 – All rights reserved

---------------------- Page: 14 ----------------------
ISO 28000:2007(E)
4.4.6 Operational control
The organization shall identify those operations and activities that are necessary for achieving:
a) its security management policy;
b) the control of activities and mitigation of threats identifie
...

NORME ISO
INTERNATIONALE 28000
Première édition
2007-09-15


Spécifications relatives aux systèmes
de management de la sûreté de la chaîne
d'approvisionnement
Specifications for security management systems for the supply chain




Numéro de référence
ISO 28000:2007(F)
©
ISO 2007

---------------------- Page: 1 ----------------------
ISO 28000:2007(F)
PDF – Exonération de responsabilité
Le présent fichier PDF peut contenir des polices de caractères intégrées. Conformément aux conditions de licence d'Adobe, ce fichier
peut être imprimé ou visualisé, mais ne doit pas être modifié à moins que l'ordinateur employé à cet effet ne bénéficie d'une licence
autorisant l'utilisation de ces polices et que celles-ci y soient installées. Lors du téléchargement de ce fichier, les parties concernées
acceptent de fait la responsabilité de ne pas enfreindre les conditions de licence d'Adobe. Le Secrétariat central de l'ISO décline toute
responsabilité en la matière.
Adobe est une marque déposée d'Adobe Systems Incorporated.
Les détails relatifs aux produits logiciels utilisés pour la création du présent fichier PDF sont disponibles dans la rubrique General Info
du fichier; les paramètres de création PDF ont été optimisés pour l'impression. Toutes les mesures ont été prises pour garantir
l'exploitation de ce fichier par les comités membres de l'ISO. Dans le cas peu probable où surviendrait un problème d'utilisation,
veuillez en informer le Secrétariat central à l'adresse donnée ci-dessous.


DOCUMENT PROTÉGÉ PAR COPYRIGHT


©  ISO 2007
Droits de reproduction réservés. Sauf prescription différente, aucune partie de cette publication ne peut être reproduite ni utilisée sous
quelque forme que ce soit et par aucun procédé, électronique ou mécanique, y compris la photocopie et les microfilms, sans l'accord écrit
de l'ISO à l'adresse ci-après ou du comité membre de l'ISO dans le pays du demandeur.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax. + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Version française parue en 2008
Publié en Suisse

ii © ISO 2007 – Tous droits réservés

---------------------- Page: 2 ----------------------
ISO 28000:2007(F)
Sommaire Page
Avant-propos. iv
Introduction . v
1 Domaine d'application. 1
2 Références normatives . 1
3 Termes et définitions. 2
4 Éléments du système de management de la sûreté . 3
4.1 Exigences générales . 4
4.2 Politique de management de la sûreté . 4
4.3 Évaluation des risques et planification . 5
4.4 Mise en œuvre et fonctionnement . 7
4.5 Contrôle et action corrective . 10
4.6 Revue de direction et amélioration continue. 12
Annexe A (informative) Correspondance entre l’ISO 28000:2007, l’ISO 14001:2004 et
l’ISO 9001:2000. 13
Bibliographie . 16
© ISO 2007 – Tous droits réservés iii

---------------------- Page: 3 ----------------------
ISO 28000:2007(F)
Avant-propos
L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes nationaux de
normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est en général confiée
aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude a le droit de faire partie du
comité technique créé à cet effet. Les organisations internationales, gouvernementales et non
gouvernementales, en liaison avec l'ISO participent également aux travaux. L'ISO collabore étroitement avec
la Commission électrotechnique internationale (CEI) en ce qui concerne la normalisation électrotechnique.
Les Normes internationales sont rédigées conformément aux règles données dans les Directives ISO/CEI,
Partie 2.
La tâche principale des comités techniques est d'élaborer les Normes internationales. Les projets de Normes
internationales adoptés par les comités techniques sont soumis aux comités membres pour vote. Leur
publication comme Normes internationales requiert l'approbation de 75 % au moins des comités membres
votants.
L'attention est appelée sur le fait que certains des éléments du présent document peuvent faire l'objet de
droits de propriété intellectuelle ou de droits analogues. L'ISO ne saurait être tenue pour responsable de ne
pas avoir identifié de tels droits de propriété et averti de leur existence.
L'ISO 28000 a été élaborée par le comité technique ISO/TC 8, Navires et technologie maritime, en
collaboration avec les autres comités techniques concernés responsables pour les nœuds spécifiques de la
chaîne d’approvisionnement.
Cette première édition de l’ISO 28000 annule et remplace l’ISO/PAS 28000:2005, qui a fait l'objet d'une
révision technique.
iv © ISO 2007 – Tous droits réservés

---------------------- Page: 4 ----------------------
ISO 28000:2007(F)
Introduction
La présente Norme internationale a été élaborée en réponse à une demande de l’industrie visant à disposer
d’une norme de management de la sûreté. Son objectif ultime est d’améliorer la sûreté des chaînes
d’approvisionnement. C’est une norme de management de haut niveau qui permet à un organisme de définir
un système global de management de la sûreté de sa chaîne d’approvisionnement. Il exige de l’organisme
qu’il évalue la sûreté de l’environnement dans lequel il évolue et qu’il détermine si les mesures de sécurité
adéquates sont en place et si d’autres obligations réglementaires existent déjà auxquelles l’organisme doit
souscrire. Si le processus permet d’identifier ce genre de besoins, il convient que l’organisme mette en place
des mécanismes et des processus qui les prennent en compte. Dans la mesure où les chaînes
d’approvisionnement sont de nature dynamique, pour simplifier le management de leur sûreté tel que l’illustre
la Figure 1, certains organismes qui en gèrent de multiples peuvent attendre de leurs prestataires de services
qu’ils respectent la réglementation nationale ou les normes ISO correspondantes s’ils veulent être intégrés
dans ces chaînes.

Figure 1 — Relations entre l’ISO 28000 et d’autres normes correspondantes
© ISO 2007 – Tous droits réservés v

---------------------- Page: 5 ----------------------
ISO 28000:2007(F)
La présente Norme internationale est destinée à s’appliquer dans les cas où les chaînes d’approvisionnement
d’un organisme doivent être gérées d’une manière sûre. La formalisation du management de la sûreté peut
contribuer directement à la crédibilité et à l’efficacité professionnelle de l’organisme.
La conformité à une Norme internationale n’exonère pas les organismes de leurs obligations légales. Pour
ceux qui le souhaitent, il est possible de faire vérifier la conformité de leur système de management de la
sûreté à la présente Norme internationale par un processus d’audit interne ou externe.
La présente Norme internationale est bâtie sur le modèle adopté pour l’ISO 14001:2004 en raison de
l’approche système adoptée dans cette norme fondée sur une évaluation des risques. Pour les organismes
ayant en revanche adopté pour leurs systèmes de management une approche processus (comme celle de
l’ISO 9001:2000 par exemple), il est possible de se servir de leur système en vigueur comme base d’un
système de management de la sûreté du type prescrit dans la présente Norme internationale. Il n’est pas
dans les objectifs visés par la présente Norme internationale de faire doublon avec les exigences
gouvernementales ou les normes relatives au management de la sûreté des chaînes d’approvisionnement par
rapport auxquelles l’organisme a déjà été certifié ou vérifié conforme. La vérification peut être faite par une
première, une seconde ou une tierce partie.
NOTE La présente Norme internationale est bâtie sur la méthodologie dite PDCA (Plan-Do-Check-Act), qui peut être
décrite comme suit:
• Planifier (Plan): établir les objectifs et les processus nécessaires pour fournir des résultats correspondant à la
politique de sûreté de l’organisme.
• Faire (Do): mettre en œuvre les processus.
• Vérifier (Check): surveiller et mesurer les processus par rapport aux politiques, objectifs et exigences légales et
autres de sûreté et rendre compte des résultats.
• Agir (Act): entreprendre les actions pour améliorer en permanence les performances du système de
management de la sûreté.
vi © ISO 2007 – Tous droits réservés

---------------------- Page: 6 ----------------------
NORME INTERNATIONALE ISO 28000:2007(F)

Spécifications relatives aux systèmes de management
de la sûreté de la chaîne d'approvisionnement
1 Domaine d'application
La présente Norme internationale prescrit les exigences applicables à un système de management de la
sûreté, y compris les aspects cruciaux pour l’assurance sûreté de la chaîne d’approvisionnement. Le
management de la sûreté est lié à beaucoup d’autres aspect de la gestion des entreprises. Ces aspects
comprennent toutes les activités contrôlées par les organismes ayant un impact sur la sûreté de la chaîne
d’approvisionnement ou sur lesquelles ils ont une influence. Il convient de prendre tous ces aspects en
considération directement, où et quand ils ont une influence sur le management de la sûreté, y compris
pendant le transport des marchandises le long de la chaîne d’approvisionnement.
La présente Norme internationale est applicable à toutes les tailles d’organismes, de la petite entreprise à
l’entreprise multinationale souhaitant, pendant la fabrication, la maintenance, le stockage ou le transport des
marchandises à quelque stade que ce soit de la chaîne de production ou d’approvisionnement:
a) définir, mettre en place, maintenir et améliorer un système de management de la sûreté;
b) s’assurer de sa conformité à la politique de sûreté qu’il a définie;
c) démontrer cette conformité à autrui;
d) faire certifier ou enregistrer son système de management de la sûreté auprès d’un organisme de
certification par tierce partie accrédité; ou
e) réaliser une autoévaluation et une autocertification de conformité à la présente Norme internationale.
Certaines exigences de la présente Norme internationale sont régies par des codes législatifs ou
réglementaires.
Il n’est pas prévu dans la présente Norme internationale d’exiger une double démonstration de conformité.
Les organismes qui choisissent la certification par tierce partie peuvent également démontrer qu’ils
contribuent grandement à la sûreté de la chaîne d’approvisionnement.
2 Références normatives
Aucune référence normative n’est donnée. Le présent article est conservé uniquement pour avoir une
numérotation similaire à celle des autres normes de systèmes de management.
© ISO 2007 – Tous droits réservés 1

---------------------- Page: 7 ----------------------
ISO 28000:2007(F)
3 Termes et définitions
Pour les besoins du présent document, les termes et définitions suivants s’appliquent.
3.1
installation
usine, machine, bien, bâtiment, véhicule, navire, installation portuaire ou autre élément d’infrastructure,
d’usine ou de système connexe assurant une fonction ou un service distinct et quantifiable
NOTE Cette définition inclut tout code logiciel important pour la sûreté et l’application du management de cette
sûreté.
3.2
sûreté
résistance à un ou des actes intentionnels non autorisés destinés à endommager la chaîne d’approvisionnement
ou à nuire à son fonctionnement
3.3
management de la sûreté
ensemble des activités et pratiques coordonnées systématiques par lesquelles un organisme gère ses risques
et les menaces et impacts potentiels qui leur sont associés
3.4
objectif du management de la sûreté
résultat ou réalisation spécifique du système de sûreté nécessaire pour mettre en œuvre la politique de
management de la sûreté
NOTE Il est essentiel que ces résultats soient liés de façon directe ou indirecte à la fourniture des produits,
approvisionnements ou services offerts par la totalité de l’entreprise à ses clients ou utilisateurs finals.
3.5
politique de management de la sûreté
ensemble des intentions et orientations d’un organisme s’agissant de la sûreté et du cadre de contrôle des
processus et activités relatifs à la sûreté qui découlent de la politique de l’organisme et des exigences
réglementaires et sont cohérents avec ces derniers
3.6
programme de management de la sûreté
moyen permettant d’atteindre un objectif de management de la sûreté
3.7
cible de management de la sûreté
niveau spécifique de performance requis pour atteindre un objectif de management de la sûreté
3.8
partie prenante
personne physique ou morale ayant un intérêt direct à la performance, au succès ou à l’impact des activités
de l’organisme
NOTE Par exemple les clients, les actionnaires, les financiers, les assureurs, les autorités de réglementation, les
organismes institutionnels, les employés, les sous-traitants, les fournisseurs, les organisations syndicales ou la société en
général.
3.9
chaîne d’approvisionnement
ensemble lié de ressources et de processus qui commence avec l’identification de l’origine des matières
premières et qui va jusqu’à la livraison des produits ou services à l’utilisateur final en passant par les divers
modes de transport
NOTE La chaîne d’approvisionnement peut inclure les vendeurs, les fabricants, les prestataires de logistique, les
centres de distribution interne, les distributeurs, les grossistes et toutes les autres entités qui conduisent à l’utilisateur final.
2 © ISO 2007 – Tous droits réservés

---------------------- Page: 8 ----------------------
ISO 28000:2007(F)
3.9.1
aval
qualifie dans la chaîne d’approvisionnement les actions, processus et mouvements de la marchandise qui
interviennent dès que celle-ci sort de la zone de maîtrise opérationnelle directe de l’organisme et qui
comprennent les assurances, les finances, le traitement des données, l’emballage, l’entreposage et le
transfert de la marchandise sans s’y limiter
3.9.2
amont
qualifie dans la chaîne d’approvisionnement les actions, processus et mouvements de la marchandise qui
interviennent avant que celle-ci ne sorte de la zone de maîtrise opérationnelle directe de l’organisme et qui
comprennent les assurances, les finances, le traitement des données, l’emballage, l’entreposage et le
transfert de la marchandise sans s’y limiter
3.10
direction
personne ou groupe de personnes qui dirige(nt) et contrôle(nt) un organisme au plus haut niveau
NOTE La direction, notamment dans un grand organisme multinational, peut ne pas être impliquée personnellement
de la manière décrite dans la présente Norme internationale, mais sa responsabilité tout au long de la chaîne de
commandement doit être manifeste.
3.11
amélioration continue
processus récurrent d’enrichissement du système de management de la sûreté qui permet de progresser
dans la performance globale de sûreté en cohérence avec la politique de sûreté de l’organisme
4 Éléments du système de management de la sûreté

Figure 2 — Éléments du système de management de la sûreté

© ISO 2007 – Tous droits réservés 3

---------------------- Page: 9 ----------------------
ISO 28000:2007(F)
4.1 Exigences générales
L’organisme doit établir, documenter, mettre en application, maintenir et améliorer en continu un système
efficace de management de la sûreté qui permet d’identifier les risques et de contrôler et d’atténuer leurs
conséquences.
L’organisme doit améliorer en continu son efficacité conformément aux exigences de l’ensemble de l’Article 4.
L’organisme doit définir l’objet de son système de management de la sûreté. Lorsqu’il choisit de sous-traiter
un quelconque des processus qui affectent la conformité à ces exigences, l’organisme doit garantir la maîtrise
de ces processus. Il doit, à l’intérieur du système de management de la sûreté, identifier les contrôles et
responsabilités nécessaires des processus sous-traités.
4.2 Politique de management de la sûreté
La direction de l’organisme au plus haut niveau doit autoriser une politique globale de management de la
sûreté. Cette politique doit avoir les caractéristiques suivantes:
a) être cohérente avec les autres politiques de l’organisme;
b) fournir le cadre permettant d’atteindre les objectifs, cibles et programmes spécifiques de management de
la sûreté;
c) être cohérente avec le cadre global de management des menaces et risques pesant sur la sûreté;
d) être proportionnée aux menaces pesant sur l’organisme et à la nature et à l’échelle de ses opérations;
e) indiquer clairement les objectifs globaux (au sens large) du management de la sûreté;
f) inclure un engagement d’amélioration continue du processus de management de la sûreté;
g) inclure un engagement de respect de la législation en vigueur, des exigences réglementaires et
statutaires et des autres exigences auxquelles l’organisme souscrit;
h) être soutenue de façon visible par la direction;
i) être documentée, mise en œuvre et maintenue;
j) être communiquée à tous les employés concernés et aux tiers, y compris les sous-traitants et les visiteurs,
dans le but de sensibiliser ces personnes aux obligations qui sont les leurs en matière de management
de la sûreté;
k) être divulguée aux parties prenantes, le cas échéant;
l) être soumise à révision dans le cas d’acquisitions ou de fusions impliquant d’autres organismes, ou de
modification du domaine traité par l’organisme, susceptible d’affecter la continuité ou la pertinence du
système de management de la sûreté.
NOTE Les organismes peuvent choisir d’avoir une politique détaillée de management de la sûreté à usage interne
qui donne des informations et des orientations suffisantes pour conduire le système de management de la sûreté (dont
une partie peut être confidentielle) et une version résumée (non confidentielle) de cette politique reprenant les grands
objectifs à diffuser à leurs parties prenantes et autres parties intéressées.
4 © ISO 2007 – Tous droits réservés

---------------------- Page: 10 ----------------------
ISO 28000:2007(F)
4.3 Évaluation des risques et planification
4.3.1 Évaluation des risques
L’organisme doit établir et maintenir des procédures d’identification et d’évaluation en continu des menaces
pesant sur la sûreté et des menaces et risques liés au management de la sûreté ainsi que d’identification et
de mise en œuvre des mesures de maîtrise nécessaire de ce management. Il convient que cette identification,
cette évaluation et ce contrôle des menaces et risques pesant sur la sûreté soient au minimum adaptés à la
nature et à l’échelle des opérations. L’évaluation doit prendre en compte la probabilité d’un tel événement et
de toutes les conséquences qu’il implique, à savoir les aspects suivants:
a) les menaces et risques de défaillance physique, du type panne de fonctionnement, accident
dommageable, dommage intentionnel, action terroriste ou criminelle;
b) les menaces et risques pesant sur le fonctionnement, du type contrôle de la sûreté, facteurs humains et
autres activités qui affectent la performance de l’organisme, son état ou sa sécurité;
c) les incidents de l’environnement naturel (tempêtes, inondations, etc.) qui peuvent rendre inefficaces les
mesures et les matériels assurant la sûreté;
d) les facteurs échappant au contrôle de l’organisme, du type défaillances d’un équipement ou de services
fournis par l’extérieur;
e) les menaces et risques du fait de parties prenantes, du type non-respect des exigences réglementaires
ou atteinte à la réputation ou à la marque de l’organisme;
f) la conception et l’installation des équipements de sûreté, maintenance et remplacement compris;
g) le traitement de l’information et des données et communications;
h) la menace à la continuité des opérations.
L’organisme doit garantir que les résultats de ces évaluations et les effets de ces contrôles sont pris en
compte et, le cas échéant, utilisés comme données d’entrée pour les aspects suivants:
a) la fixation des objectifs et cibles du management de la sûreté;
b) l’établissement des programmes de management de la sûreté;
c) la détermination des exigences de conception, de spécification et d’installation;
d) l’identification des ressources nécessaires, y compris des niveaux de main-d’œuvre;
e) l’identification des besoins de formation et des compétences (voir 4.4.2);
f) la mise au point des contrôles de fonctionnement (voir 4.4.6);
g) le cadre global de management des menaces et des risques dans l’organisme.
L’organisme doit répertorier et conserver les informations ci-dessus à jour.
La méthodologie d’identification et d’évaluation des menaces et des risques de l’organisme doit avoir les
caractéristiques suivantes:
a) être définie en fonction de son objectif, de sa nature et de son calendrier, en vérifiant qu’elle est proactive
plutôt que réactive;
b) inclure le recueil des informations relatives aux menaces et risques pesant sur la sûreté;
© ISO 2007 – Tous droits réservés 5

---------------------- Page: 11 ----------------------
ISO 28000:2007(F)
c) permettre une classification des menaces et des risques et une identification de ceux qu’il faut éviter,
éliminer ou maîtriser;
d) permettre un suivi des actions garantissant l’efficacité et l’opportunité de leur mise en œuvre (voir 4.5.1).
4.3.2 Exigences légales, statutaires et autres exigences réglementaires liées à la sûreté
L’organisme doit établir, mettre en œuvre et maintenir une procédure lui permettant ce qui suit:
a) identifier les exigences légales et autres exigences applicables auxquelles il souscrit en fonction des
menaces et risques qu’il affronte, et y avoir accès;
b) déterminer la manière dont ces exigences s’appliquent aux menaces et risques qui sont les siens.
L’organisme doit tenir ces informations à jour. Il doit communiquer les informations pertinentes quant aux
exigences légales et autres à ses employés et aux tiers concernés, y compris les sous-traitants.
4.3.3 Objectifs du management de la sûreté
L’organisme doit établir, mettre en œuvre et maintenir des objectifs documentés de management de la sûreté
aux fonctions et niveaux pertinents de son organisation. Les objectifs doivent découler de la politique et être
en cohérence avec elle. Lorsqu’il établit et revoit ses objectifs, l’organisme doit tenir compte des aspects
suivants:
a) des exigences légales, statutaires et autres exigences réglementaires liées à la sûreté;
b) des menaces et risques pesant sur la sûreté;
c) des options technologiques et autres;
d) des exigences financières, opérationnelles et commerciales;
e) du point de vue des parties prenantes concernées.
Les objectifs de management de la sûreté doivent être les suivants:
a) cohérents avec les engagements d’amélioration continue de l’organisme;
b) quantifiés (si possible);
c) communiqués à tous les employés et à tous les tiers concernés, y compris les sous-traitants, dans le but
que ces personnes prennent conscience de leurs obligations individuelles;
d) revus périodiquement pour garantir qu’ils demeurent pertinents et en cohérence avec la politique de
management de la sûreté. Ils doivent être modifiés si besoin est.
4.3.4 Cibles de management de la sûreté
L’organisme doit établir, mettre en œuvre et maintenir des cibles documentées de management de la sûreté
adaptées à ses besoins. Ces cibles doivent découler des objectifs de management de la sûreté et être
cohérentes avec ces derniers.
Ces cibles doivent être comme suit:
a) d’un niveau de détail approprié;
b) spécifiques, mesurables, atteignables, pertinentes et échelonnées dans le temps (si possible);
6 © ISO 2007 – Tous droits réservés

---------------------- Page: 12 ----------------------
ISO 28000:2007(F)
c) communiquées à tous les employés et à tous les tiers concernés, y compris les sous-traitants, dans le but
que ces personnes prennent conscience de leurs obligations individuelles;
d) revues périodiquement pour garantir qu’elles demeurent pertinentes et cohérentes avec la politique de
management de la sûreté. Elles doivent être modifiées si besoin est.
4.3.5 Programmes de management de la sûreté
L’organisme doit établir, mettre en œuvre et maintenir des programmes de management de la sûreté lui
permettant d’atteindre ses objectifs et ses cibles.
Les programmes doivent être optimisés puis déclinés en priorités et l’organisme doit assurer leur mise en
application efficace et rentable.
Les programmes doivent inclure une documentation qui décrit:
a) les responsables et les autorités désignées pour la réalisation des objectifs et cibles du management de
la sûreté;
b) les moyens et les calendriers permettant de réaliser les objectifs et cibles du management de la sûreté.
Les programmes de management de la sûreté doivent être revus périodiquement pour vérifier qu’ils
demeurent efficaces et en cohérence avec les objectifs et cibles. Ils doivent être modifiés si besoin est.
4.4 Mise en œuvre et fonctionnement
4.4.1 Structure, autorité et responsabilités du management de la sûreté
L’organisme doit établir et maintenir une structure organisationnelle de rôles, responsabilités et autorités, en
cohérence avec la réalisation de la politique, des objectifs, des cibles et des programmes de management de
la sûreté.
Ces rôles, responsabilités et autorités doivent être définis, documentés et communiqués aux individus
responsables de la mise en œuvre et de la maintenance.
La direction doit fournir la preuve de son engagement en matière de mise au point et de mise en œuvre du
système de management de la sûreté (processus) et d’amélioration continue de l’efficacité de ce dernier en
faisant ce qui suit:
a) nommant l’un de ses membres responsable, entre autres responsabilités, de la conception globale, de la
maintenance, de la documentation et de l’amélioration du système de management de la sûreté de
l’organisme;
b) conférant à un ou plusieurs membres du management l’autorité nécessaire pour garantir la bonne mise
en œuvre des objectifs et des cibles;
c) identifiant et contrôlant les exigences et les attentes des parties prenantes de l’organisme et en prenant
en temps opportun les mesures nécessaires pour gérer ces attentes;
d) assurant la mise à disposition de ressources suffisantes;
e) considérant les effets négatifs que la politique, les objectifs, les cibles, les programmes, etc. de
management de la sûreté peuvent avoir sur d’autres aspects de l’organisme;
f) vérifiant que les programmes liés à la sûreté mis en œuvre par d’autres parties de l’organisme
complètent le programme de management de la sûreté;
© ISO 2007 – Tous droits réservés 7

---------------------- Page: 13 ----------------------
ISO 28000:2007(F)
g) communiquant à l’organisme l’importance de respecter ses exigences de management de la sûreté pour
être conforme à la politique affichée;
h) vérifiant que les menaces et les risques liés à la sûreté sont évalués et inclus, selon les besoins, dans les
évaluations des menaces et risques organisationnels;
i) garantissant la viabilité des objectifs, cibles et programmes de management de la sûreté.
4.4.2 Compétences, formation et sensibilisation
L’organisme doit garantir que le personnel responsable de la conception, du fonctionnement et du
management des équipements et processus liés à la sûreté est convenablement qualifié en termes
d’éducation, formation et/ou expérience. L’organisme doit établir et maintenir des procédures pour sensibiliser
les personnes travaillant pour lui ou en son nom aux aspects suivants:
a) l’importance du respect de la politique et des procédures de management de la sûreté, et des exigences
relatives au système de management de la sûreté;
b) leur rôle et leurs responsabilités en matière de respect de la politique et des procédures de management
de la sûreté, et de conformité aux exigences relatives au système de management de la sûreté, y
compris les exigences de préparation et de réponse aux urgences;
c) les conséquences potentielles sur la sécurité de l’organisme de tout écart par rapport aux procédures de
fonctionnement spécifiées.
Des enregistrements des compétences et des formations doivent être conservés.
4.4.3 Communication
L’organisme doit avoir des procédures garantissant que les informations pertinentes concernant le
management de la sûreté sont communiquées aux employé
...