ISO 28001 - Supply Chain Security Management

Secure Your Supply Chain, Protect Your Business

Global supply chains face unprecedented security threats. Cargo theft, smuggling, terrorism, counterfeiting, and tampering cost businesses billions annually while threatening public safety and national security. A single security breach can disrupt operations, damage reputation, incur massive financial losses, and result in regulatory penalties. Supply chain complexity—spanning multiple countries, modes of transport, and third parties—creates vulnerability at every link. Yet many organizations lack systematic supply chain security management. At Glocert International, we specialize in providing independent third-party ISO 28001 certification that validates your organization's Supply Chain Security Management System. As a leader in the Testing, Inspection, and Certification industry, we conduct thorough ISO 28001 audits that verify your security management meets international standards, helping you protect cargo, ensure supply chain integrity, achieve customs compliance, and build resilience against security threats.

What is ISO 28001?

ISO 28001 is the international standard for Security Management Systems for the Supply Chain. Published by the International Organization for Standardization (ISO), ISO 28001:2007 specifies requirements for a security management system for organizations involved in manufacturing, service, storage, or transportation in the supply chain.

ISO 28001 is based on ISO 28000 (the overarching supply chain security standard) and provides specific requirements that enable assessment and certification. The standard helps organizations identify security threats, assess security risks, and implement controls to minimize security vulnerabilities throughout the supply chain. ISO 28001 applies to organizations of all sizes involved in any aspect of the supply chain, from manufacturing and storage to transportation and distribution, and can be applied to any part of the supply chain regardless of geographic location, size, or complexity.

Key Components of ISO 28001

  • Security Threat Assessment: Systematic identification of security threats to the supply chain
  • Security Risk Assessment: Evaluation of security risks and their potential impact
  • Security Management Plan: Documented approach to managing security risks
  • Security Controls: Implementation of measures to mitigate security threats
  • Emergency Preparedness: Plans for responding to security incidents
  • Monitoring and Measurement: Evaluating security management system effectiveness
  • Continuous Improvement: Ongoing enhancement of supply chain security
  • Third-Party Management: Security requirements for suppliers and partners

Why is ISO 28001 Important?

ISO 28001 is essential for organizations seeking to protect supply chain integrity and resilience. Here's why this standard is crucial:

1. Supply Chain Security Threats

Global supply chains face multiple security threats:

  • Cargo theft costing the global economy $50+ billion annually
  • Terrorism and use of supply chains for smuggling weapons, drugs, and humans
  • Counterfeiting and product tampering threatening brand integrity and consumer safety
  • Cyber attacks on logistics systems and supply chain IT infrastructure
  • Internal threats from employees with access to cargo and facilities
  • Organized crime targeting high-value shipments
  • Geopolitical instability creating security risks in certain regions

2. Regulatory and Customs Requirements

Governments worldwide mandate supply chain security:

  • C-TPAT (Customs-Trade Partnership Against Terrorism) in the United States
  • AEO (Authorized Economic Operator) in the European Union
  • Similar programs in Canada, Australia, Japan, and other countries
  • Faster customs clearance and reduced inspections for certified organizations
  • International Ship and Port Facility Security (ISPS) Code for maritime
  • Increasing scrutiny on supply chain security by border agencies

3. Business Continuity and Resilience

Supply chain security is critical for business continuity. It enables prevention of disruptions from security incidents, protection of inventory and assets, maintenance of delivery schedules and customer commitments, safeguarding of brand reputation, and reduction of insurance premiums through demonstrated security.

4. Customer and Partner Requirements

Supply chain partners increasingly require security credentials. Examples include large retailers mandating supplier security standards, logistics service providers requiring security certification, manufacturers requiring secure transportation, and international trade requiring customs-approved security programs.

5. Financial Impact

Security breaches create significant costs through stolen goods and inventory losses, operational disruptions and delays, liability for damaged or contaminated products, regulatory fines and penalties, increased insurance costs, and reputational damage affecting future business.

ISO 28001 Security Management Framework

ISO 28001 provides comprehensive guidance on supply chain security management:

Core Security Elements

  • Security Policy: Documented commitment to supply chain security
  • Threat & Risk Assessment: Identifying and evaluating security threats
  • Physical Security: Facility, warehouse, and cargo security measures
  • Personnel Security: Employee screening and access control
  • Information Security: Protecting logistics and cargo information
  • Cargo Security: Seals, tracking, and cargo integrity measures
  • Transport Security: Vehicle and driver security requirements
  • Incident Response: Emergency procedures and recovery plans

Supply Chain Security Threats

  • Cargo Theft: Theft of goods during storage or transportation
  • Terrorism: Use of supply chain to transport weapons or explosives
  • Smuggling: Illegal transportation of contraband, drugs, humans
  • Counterfeiting: Introduction of counterfeit products into supply chain
  • Tampering: Product contamination or alteration
  • Piracy: Hijacking of vessels or cargo (maritime, land)
  • Cyber Threats: Hacking of logistics systems, data breaches
  • Internal Threats: Employee theft, collusion, sabotage
  • Facility Breaches: Unauthorized access to warehouses, terminals

Security Control Categories

  • Physical Controls: Fencing, lighting, CCTV, access control, secure parking
  • Procedural Controls: Screening, inspections, seal protocols, documentation
  • Personnel Controls: Background checks, training, access authorization
  • Technology Controls: GPS tracking, electronic seals, cargo monitoring, IT security
  • Third-Party Controls: Supplier security requirements, carrier vetting

Benefits of ISO 28001 Certification

Achieving ISO 28001 certification provides organizations with numerous strategic, operational, and financial benefits:

  • Enhanced Cargo Protection: Systematically protect goods from theft, tampering, and loss.
  • Customs Compliance: Meet C-TPAT, AEO, and other customs security programs.
  • Faster Customs Clearance: Reduced inspections and faster border crossing.
  • Supply Chain Resilience: Build resilience against security disruptions.
  • Customer Confidence: Demonstrate security commitment to customers and partners.
  • Reduced Insurance Costs: Lower premiums through demonstrated security management.
  • Competitive Advantage: Win contracts requiring supply chain security credentials.
  • Global Recognition: Internationally recognized supply chain security standard.

Our ISO 28001 Certification Process

At Glocert International, we follow a structured and systematic approach to conduct ISO 28001 certification audits. Our audit process is designed to be transparent, thorough, and supportive, verifying that your security management system meets all ISO 28001 requirements:

  1. Application Process: Submit your application with required documentation. We review your organization's scope and readiness for certification.
  2. Initial Audit (Stage 1): Documentation review and readiness assessment. Our auditors verify that your security management documentation meets ISO 28001 requirements.
  3. Initial Audit (Stage 2): On-site audit to verify security management implementation. Our auditors assess physical security, cargo controls, and security procedures.
  4. Technical Review: Independent review of audit findings by our technical committee to ensure accuracy and compliance.
  5. Decision and Approval: Certification decision based on audit findings. Upon successful completion, certification is approved.
  6. Certification Issuance: Receive your ISO 28001 certificate, valid for three years, with international recognition.
  7. Surveillance Audits: Annual surveillance audits to ensure continued compliance and effectiveness of your security management system.
  8. Re-certification Audit: Comprehensive audit before certificate expiry to renew certification for another three-year period.

Steps in Obtaining ISO 28001 Certification

While obtaining ISO 28001 certification may seem daunting, following a structured approach makes the process manageable. Here's the path your organization should take:

  1. Gap Analysis and Readiness Assessment: Assess your current supply chain security practices against ISO 28001 requirements. (Note: This should be conducted by an independent consultant, as certification bodies cannot provide consultation services.)
  2. Top Management Commitment: Secure leadership commitment to supply chain security.
  3. Define Security Scope: Define boundaries of your security management system (facilities, operations, supply chain segments).
  4. Develop Security Policy: Create supply chain security policy expressing organizational commitment.
  5. Security Threat Assessment: Systematically identify all security threats to your supply chain operations.
  6. Security Risk Assessment: Evaluate likelihood and impact of identified security threats.
  7. Develop Security Management Plan: Document approach to managing identified security risks.
  8. Implement Physical Security Controls: Establish facility security (fencing, lighting, CCTV, access control).
  9. Implement Personnel Security: Develop employee screening, background checks, and access authorization procedures.
  10. Implement Cargo Security: Establish cargo sealing, tracking, inspection, and integrity verification procedures.
  11. Implement Information Security: Protect logistics and shipping information systems.
  12. Establish Transport Security: Develop vehicle security and driver vetting procedures.
  13. Third-Party Security Requirements: Establish security requirements for suppliers, carriers, and partners.
  14. Emergency Preparedness: Develop incident response and recovery procedures for security breaches.
  15. Security Training: Train personnel on security procedures and threat recognition.
  16. Develop Security Documentation: Create comprehensive security management system documentation.
  17. Establish Monitoring Systems: Implement systems to monitor security performance and incidents.
  18. Internal Security Audits: Conduct internal audits of security management system.
  19. Management Review: Conduct management reviews of security system effectiveness.
  20. Pre-assessment Audit (Optional): Consider a pre-assessment audit to identify any remaining issues.
  21. Final Assessment and Certification: Undergo the formal certification audit conducted by Glocert International's accredited security auditors.
  22. Surveillance Audits and Recertification: Maintain certification through annual surveillance audits and recertification every three years.

Typical Timeline: The certification process typically takes 6-12 months from application to certificate issuance, depending on your organization's size, supply chain complexity, and current security maturity level.

ISO 28001 Certification Pricing

Our ISO 28001 certification pricing is transparent and based on your organization's size, complexity, and scope. We offer competitive rates with no hidden fees. Contact us for a customized quote tailored to your specific needs.


What's Included in ISO 28001 Certification Pricing:

  • Documentation review and security management assessment
  • Stage 1 and Stage 2 audit days (calculated per IAF MD 5)
  • Physical security inspection
  • Cargo and transport security assessment
  • Technical review and certification decision
  • ISO 28001 certificate (valid 3 years)
  • Certificate listing on our public register
  • First year surveillance audit
  • Ongoing audit services and support

Note: ISO 28001 pricing may vary based on supply chain complexity, number of sites, transportation modes, and additional services. Small logistics organizations typically start from $4,000, medium organizations from $7,000. Contact us for a detailed, no-obligation quote.

Frequently Asked Questions (FAQ)

Find answers to common questions about ISO 28001 certification:

What is ISO 28001 and why do I need it?

ISO 28001 is the international standard for Supply Chain Security Management Systems. You need it to systematically protect cargo from theft and tampering, comply with customs security programs (C-TPAT, AEO), achieve faster customs clearance, build supply chain resilience, demonstrate security commitment to customers, reduce security-related losses and disruptions, and meet customer supply chain security requirements.

What is the difference between ISO 28000 and ISO 28001?

ISO 28000 and ISO 28001 are closely related: ISO 28000 is the overarching specification for security management systems in the supply chain (general framework). ISO 28001 is based on ISO 28000 but provides specific, certifiable requirements for assessment. ISO 28001 includes more detailed requirements that enable third-party certification. Organizations typically pursue ISO 28001 certification as it provides the certifiable standard. ISO 28001 is essentially the certifiable version of ISO 28000.

How does ISO 28001 relate to C-TPAT and AEO?

ISO 28001 aligns with customs security programs: C-TPAT (Customs-Trade Partnership Against Terrorism) is the US customs security program. AEO (Authorized Economic Operator) is the EU customs security program. ISO 28001 provides a systematic framework meeting the requirements of these programs. Many ISO 28001 security controls map directly to C-TPAT and AEO criteria. ISO 28001 certification can support your C-TPAT or AEO application by demonstrating systematic security management. However, ISO 28001 is not a replacement: you still need separate C-TPAT or AEO approval from customs authorities. ISO 28001 provides additional credibility beyond mandatory customs programs.

How long does ISO 28001 certification take?

The timeline varies based on your organization's size, supply chain complexity, and current security maturity. Typically, the ISO 28001 certification process takes 6-12 months from application to certificate issuance. This includes gap analysis, threat and risk assessment, security control implementation, physical security upgrades, documentation development, internal audits, and the formal certification audit (Stage 1 and Stage 2). Organizations with existing security programs or C-TPAT/AEO certification may complete the process faster.

Who should get ISO 28001 certified?

ISO 28001 is applicable to any organization involved in the supply chain: freight forwarders and logistics service providers, transportation and trucking companies, warehousing and distribution centers, port terminals and maritime facilities, air cargo handlers and airports, manufacturing companies shipping products internationally, importers and exporters, customs brokers, third-party logistics (3PL) providers, and any organization handling, storing, or transporting goods. If your organization is part of the supply chain and faces security threats, ISO 28001 is relevant.

How much does ISO 28001 certification cost?

ISO 28001 certification costs vary based on organization size, supply chain complexity, number of facilities, and transportation modes. Small logistics operations typically start from $4,000, medium organizations from $7,000, and large multi-site supply chain organizations require custom pricing. Costs include audit days, physical security assessments, technical review, certificate issuance, and first-year surveillance. Investment in security management typically pays for itself through reduced losses, insurance savings, and improved customs clearance. Contact us for a detailed quote tailored to your organization.

What physical security measures are required?

ISO 28001 requires risk-based physical security controls which may include: Perimeter security (fencing, barriers, controlled access points), Lighting (adequate illumination of facilities, cargo areas, parking), Access control (badge systems, visitor management, restricted area controls), CCTV surveillance (cameras covering critical areas, recording retention), Alarm systems (intrusion detection, response procedures), Secure parking (separate areas for loaded trailers, driver parking), Cargo handling areas (physical barriers, supervision), and Building security (locked doors, key control). Specific requirements depend on your threat and risk assessment—ISO 28001 requires controls appropriate to your risks, not prescriptive one-size-fits-all measures.

Are background checks required for all employees?

Yes, ISO 28001 requires personnel security measures including background checks appropriate to the role and risk. At minimum, this includes pre-employment screening (criminal background checks, employment verification, reference checks), ongoing screening for employees with access to cargo or security-sensitive areas, periodic re-screening based on risk, procedures for handling adverse findings, and access authorization based on job requirements. The depth of screening should be proportionate to the security risk associated with the role. Employees with direct cargo access typically require more extensive screening than administrative staff.

What happens after I get certified?

After certification, your ISO 28001 certificate is valid for three years. You'll undergo annual surveillance audits to ensure continued compliance. You must continue operating and improving your security management system, monitoring security incidents and threats, maintaining physical security controls, conducting personnel screening, training employees on security procedures, managing third-party security requirements, and demonstrating continuous improvement. During the third year, you'll complete a recertification audit to renew your certificate.

Does ISO 28001 reduce cargo theft?

Yes, ISO 28001 significantly reduces cargo theft risk through systematic security management including identification of theft vulnerabilities in your supply chain, implementation of physical security controls (fencing, lighting, CCTV, access control), cargo sealing and tracking procedures, employee screening to identify insider threats, secure parking and facility management, incident monitoring and response procedures, and third-party carrier security requirements. Organizations with ISO 28001 certification report substantial reductions in cargo theft and security incidents through proactive, systematic security management rather than reactive responses.

Can ISO 28001 be integrated with other management systems?

Yes, ISO 28001 can be integrated with other management system standards. It uses a management system approach compatible with ISO 9001 (Quality), ISO 14001 (Environmental), ISO 45001 (OH&S), and ISO 22301 (Business Continuity). Many logistics and supply chain organizations implement integrated management systems combining security, quality, environmental, and safety management for efficiency and comprehensive risk management.

Why Choose Glocert for ISO 28001 Certification?

Accreditations

Glocert International is a globally accredited Conformity Assessment Body for ISO/IEC 17021-1:2015 by IAS Inc, USA, a member of the IAF (International Accreditation Forum) and signatory to a number of bilateral, regional and international agreements.

This provides international recognition and acceptance to certificates issued by Glocert International in the following schemes:

  • ISO 9001 – Quality Management Systems (QMS)
  • ISO 20000-1 – Information Technology Service Management Systems (ITSMS)
  • ISO 22301 – Business Continuity Management Systems (BCMS)
  • ISO 27001 – Information Security Management Systems (ISMS)
  • ISO/IEC 27701 – Privacy Information Management Systems (PIMS)
  • ISO 55001 – Asset Management Systems (AMS)

Expertise in Supply Chain Security Auditing

Our team of experienced auditors possesses in-depth knowledge of ISO 28001, supply chain security, logistics operations, cargo security, customs compliance (C-TPAT, AEO), and industry best practices across transportation modes (road, rail, sea, air). Our supply chain security auditors understand the unique challenges of logistics operations and security threats. We understand that every supply chain is unique, which is why we conduct thorough ISO 28001 certification audits that assess your specific security threats, physical security measures, cargo protection procedures, and security management system effectiveness.

Continuous Audit Support

Beyond ISO 28001 certification, we provide ongoing audit services through surveillance audits to help you maintain supply chain security and demonstrate continuous improvement. We pride ourselves in providing the highest standard of audit services in the industry and it is a major reason why more and more logistics and supply chain organizations choose us as their certification partner for their ISO 28001 certification needs.

Related Certifications

Many supply chain organizations combine ISO 28001 with other certifications for comprehensive management system governance. ISO 28001 pairs naturally with ISO 9001 for quality management and ISO 22301 for business continuity. Consider also ISO 14001 for environmental management or ISO 45001 for occupational health and safety to create an integrated management system framework.

Unlock the Full Potential of Your Organization

Contact us today to learn more about our ISO 28001 certification and audit services and how we can verify your organization's supply chain security management system.