# ISO 28000:2022: Security and resilience - Security management systems - Requirements

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
|---|---|
| ISO | International Organization for Standardization |
| PDCA | Plan-Do-Check-Act |

# Overview

ISO 28000 specifies requirements for a security management system, including those aspects critical to the security assurance of the supply chain. It requires the organization to:

  • assess the security environment in which it operates including its supply chain (including dependencies and interdependencies);
  • determine if adequate security measures are in place to effectively manage security-related risks;
  • manage compliance with statutory, regulatory and voluntary obligations to which the organization subscribes;
  • align security processes and controls, including the relevant upstream and downstream processes and controls of the supply chain, to meet the organization's objectives.

ISO 28000 applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's security management system.

| Function | Description |
|---|---|
| Plan (Establish) | Establish security policy, objectives, targets, controls, processes and procedures relevant to improving security in order to deliver results that align with the organization's overall policies and objectives. |
| Do (Implement and operate) | Implement and operate the security policy, controls, processes and procedures. |
| Check (Monitor and review) | Monitor and review performance against security policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement. |
| Act (Maintain and improve) | Maintain and improve the security management system by taking corrective action, based on the results of management review, and reappraising the scope of the security management system and the security policy and objectives. |

Figure: PDCA model applied to the security management system

# Noteworthy

  • The focus of ISO 28000 is to assist organizations in the identification and implementation of controls to safeguard people, products, and assets.
  • Similar to other ISO security-related management systems, ISO 28000 focuses on the use of PDCA as a lifecycle of continual improvement and enhancement.

# Sources