Security and resilience — Security management systems — Requirements

This document specifies requirements for a security management system, including aspects relevant to the supply chain. This document is applicable to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies and non-profit organizations) which intend to establish, implement, maintain and improve a security management system. It provides a holistic and common approach and is not industry or sector specific. This document can be used throughout the life of the organization and can be applied to any activity, internal or external, at all levels.


General Information

Status: Published
Publication Date: 14-Mar-2022
Current Stage: 6060 - International Standard published
Start Date: 15-Mar-2022
Due Date: 02-Oct-2022
Completion Date: 15-Mar-2022

Relations

Standard: ISO 28000:2023 - BARVE (English language, 27 pages)
Standard: ISO 28000:2022 - Security and resilience — Security management systems — Requirements, released 3/15/2022 (English language, 20 pages)

Standards Content (Sample)

SLOVENIAN STANDARD
1 March 2023
Replaces: SIST ISO 28000:2018
Varnost in vzdržljivost - Sistemi vodenja varnosti - Zahteve
Security and resilience - Security management systems - Requirements
(French title missing)
This Slovenian standard is identical to: ISO 28000:2022
ICS:
03.100.10 Purchasing. Procurement. Logistics
03.100.70 Management systems
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

INTERNATIONAL STANDARD ISO 28000
Second edition, 2022-03
Security and resilience — Security management systems — Requirements
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents (with page numbers)
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization .4
4.1 Understanding the organization and its context . 4
4.2 Understanding the needs and expectations of interested parties . 4
4.2.1 General . 4
4.2.2 Legal, regulatory and other requirements . 4
4.2.3 Principles . 5
4.3 Determining the scope of the security management system . 6
4.4 Security management system . 6
5 Leadership . 7
5.1 Leadership and commitment . 7
5.2 Security policy . 7
5.2.1 Establishing the security policy . 7
5.2.2 Security policy requirements . 8
5.3 Roles, responsibilities and authorities . 8
6 Planning . 8
6.1 Actions to address risks and opportunities . 8
6.1.1 General . 8
6.1.2 Determining security-related risks and identifying opportunities . 9
6.1.3 Addressing security-related risks and exploiting opportunities . 9
6.2 Security objectives and planning to achieve them . 9
6.2.1 Establishing security objectives . 9
6.2.2 Determining security objectives . 10
6.3 Planning of changes . 10
7 Support .10
7.1 Resources . 10
7.2 Competence . 10
7.3 Awareness . 11
7.4 Communication . 11
7.5 Documented information . 11
7.5.1 General . 11
7.5.2 Creating and updating documented information . 11
7.5.3 Control of documented information .12
8 Operation .12
8.1 Operational planning and control .12
8.2 Identification of processes and activities .12
8.3 Risk assessment and treatment . 13
8.4 Controls . 13
8.5 Security strategies, procedures, processes and treatments . 14
8.5.1 Identification and selection of strategies and treatments . 14
8.5.2 Resource requirements . 14
8.5.3 Implementation of treatments . 14
8.6 Security plans . 14
8.6.1 General . 14
8.6.2 Response structure . 14
8.6.3 Warning and communication . 15
8.6.4 Content of the security plans . 15
8.6.5 Recovery . 16
9 Performance evaluation .16
9.1 Monitoring, measurement, analysis and evaluation . 16
9.2 Internal audit . 17
9.2.1 General . 17
9.2.2 Internal audit programme . 17
9.3 Management review . 17
9.3.1 General . 17
9.3.2 Management review inputs . 18
9.3.3 Management review results . 18
10 Improvement .18
10.1 Continual improvement . 18
10.2 Nonconformity and corrective action . 19
Bibliography .20
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles i
...
