Security and resilience — Security management systems — Requirements

This document specifies requirements for a security management system, including aspects relevant to the supply chain. This document is applicable to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies and non-profit organizations) which intend to establish, implement, maintain and improve a security management system. It provides a holistic and common approach and is not industry or sector specific. This document can be used throughout the life of the organization and can be applied to any activity, internal or external, at all levels.


Security and resilience - Security management systems - Requirements

This document specifies requirements for a security management system, including aspects relating to the supply chain.
It applies to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies, non-profit organizations) that intend to establish, implement, maintain and improve a security management system. It provides a holistic and general approach and is not limited to any particular industry or sector.
This document can be used throughout the organization's period of operation and for any internal or external activity at all levels.

General Information

Status: Published
Publication Date: 14-Mar-2022
Current Stage: 6060 - International Standard published
Start Date: 15-Mar-2022
Due Date: 02-Oct-2022
Completion Date: 15-Mar-2022

Buy Standard

— Standard: ISO 28000:2023 (colour), English language, 27 pages
— Standard: ISO 28000:2022 - Security and resilience — Security management systems — Requirements, released 3/15/2022, English language, 20 pages
— Draft: ISO/FDIS 28000 - Security and resilience -- Security management systems -- Requirements, English language, 20 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST ISO 28000:2023
1 March 2023
Replaces:
SIST ISO 28000:2018
Security and resilience - Security management systems - Requirements
This Slovenian standard is identical to: ISO 28000:2022
ICS:
03.100.10 Purchasing. Procurement. Logistics
03.100.70 Management systems
SIST ISO 28000:2023 en
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

INTERNATIONAL STANDARD ISO 28000
Second edition
2022-03
Security and resilience — Security management systems — Requirements
Reference number
ISO 28000:2022(E)
© ISO 2022

COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
  © ISO 2022 – All rights reserved

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Context of the organization
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
4.2.2 Legal, regulatory and other requirements
4.2.3 Principles
4.3 Determining the scope of the security management system
4.4 Security management system
5 Leadership
5.1 Leadership and commitment
5.2 Security policy
5.2.1 Establishing the security policy
5.2.2 Security policy requirements
5.3 Roles, responsibilities and authorities
6 Planning
6.1 Actions to address risks and opportunities
6.1.1 General
6.1.2 Determining security-related risks and identifying opportunities
6.1.3 Addressing security-related risks and exploiting opportunities
6.2 Security objectives and planning to achieve them
6.2.1 Establishing security objectives
6.2.2 Determining security objectives
6.3 Planning of changes
7 Support
7.1 Resources
7.2 Competence
7.3 Awareness
7.4 Communication
7.5 Documented information
7.5.1 General
7.5.2 Creating and updating documented information
7.5.3 Control of documented information
8 Operation
8.1 Operational planning and control
8.2 Identification of processes and activities
8.3 Risk assessment and treatment
8.4 Controls
8.5 Security strategies, procedures, processes and treatments
8.5.1 Identification and selection of strategies and treatments
8.5.2 Resource requirements
8.5.3 Implementation of treatments
8.6 Security plans
8.6.1 General
8.6.2 Response structure
8.6.3 Warning and communication
8.6.4 Content of the security plans
8.6.5 Recovery
9 Performance evaluation
9.1 Monitoring, measurement, analysis and evaluation
9.2 Internal audit
9.2.1 General
9.2.2 Internal audit programme
9.3 Management review
9.3.1 General
9.3.2 Management review inputs
9.3.3 Management review results
10 Improvement
10.1 Continual improvement
10.2 Nonconformity and corrective action
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
This second edition cancels and replaces the first edition (ISO 28000:2007), which has been technically
revised, but maintains existing requirements to provide continuity for organizations using the previous
edition. The main changes are as follows:
— recommendations on principles have been added in Clause 4 to give better coordination with
ISO 31000;
— recommendations have been added in Clause 8 for better consistency with ISO 22301, facilitating
integration including:
— security strategies, procedures, processes and treatments;
— security plans.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
Most organizations are experiencing an increasing uncertainty and volatility in the security
environment. As a consequence, they face security issues that impact on their objectives, which they
want to address systematically within their management system. A formal approach to security
management can contribute directly to the business capability and credibility of the organization.
This document specifies requirements for a security management system, including those aspects
critical to the security assurance of the supply chain. It requires the organization to:
— assess the security environment in which it operates including its supply chain (including
dependencies and interdependencies);
— determine if adequate security measures are in place to effectively manage security-related risks;
— manage compliance with statutory, regulatory and voluntary obligations to which the organization
subscribes;
— align security processes and controls, including the relevant upstream and downstream processes
and controls of the supply chain to meet the organization’s objectives.
Security management is linked to many aspects of business management. They include all activities
controlled or influenced by organizations, including but not limited to those that impact on the supply
chain. All activities, functions and operations should be considered that have an impact on the security
management of the organization including (but not limited to) its supply chain.
With regard to the supply chain, it has to be considered that supply chains are dynamic in nature.
Therefore, some organizations managing multiple supply chains may look to their providers to meet
related security standards as a condition of being included in that supply chain in order to meet
requirements for security management.
This document applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing,
operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an
organization’s security management system, see Table 1 and Figure 1.
Table 1 — Explanation of the PDCA model

Plan (Establish): Establish security policy, objectives, targets, controls, processes and procedures relevant to improving security in order to deliver results that align with the organization's overall policies and objectives.

Do (Implement and operate): Implement and operate the security policy, controls, processes and procedures.

Check (Monitor and review): Monitor and review performance against security policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement.

Act (Maintain and improve): Maintain and improve the security management system by taking corrective action, based on the results of management review and reappraising the scope of the security management system and security policy and objectives.

Figure 1 — PDCA model applied to the security management system
This ensures a degree of consistency with other management system standards, such as ISO 9001,
ISO 14001, ISO 22301, ISO/IEC 27001, ISO 45001, etc., thereby supporting consistent and integrated
implementation and operation with related management systems.
For organizations that so wish, conformity of the security management system to this document may
be verified by an external or internal auditing process.
Security and resilience — Security management systems —
Requirements
1 Scope
This document specifies requirements for a security management system, including aspects relevant to
the supply chain.
This document is applicable to all types and sizes of organizations (e.g. commercial enterprises,
government or other public agencies and non-profit organizations) which intend to establish, implement,
maintain and improve a security management system. It provides a holistic and common approach and
is not industry or sector specific.
This document can be used throughout the life of the organization and can be applied to any activity,
internal or external, at all levels.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.7)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the security management system (3.5).
3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.6) and
objectives (3.7), as well as processes (3.9) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
3.5
security management system
system of coordinated policies (3.6), processes (3.9) and practices through which an organization
manages its security objectives (3.7)
3.6
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.3)
3.7
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).
They can be, for example, organization-wide or specific to a project, product and process (3.9).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an
operational criterion, as a security objective, or by the use of other words with similar meaning (e.g. aim, goal, or
target).
Note 4 to entry: In the context of security management systems (3.5), security objectives are set by the organization
(3.1), consistent with the security policy (3.6), to achieve specific results.
3.8
risk
effect of uncertainty on objectives (3.7)
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address,
create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their
likelihood.
3.9
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context
of the reference.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.9);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.12
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.9), products, services, systems or
organizations (3.1).
3.13
continual improvement
recurring activity to enhance performance (3.12)
3.14
effectiveness
extent to which planned activities are realized and planned results are achieved
3.15
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and
interested parties (3.2) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.11).
3.16
conformity
fulfilment of a requirement (3.15)
3.17
nonconformity
non-fulfilment of a requirement (3.15)
3.18
corrective action
action to eliminate the cause(s) of a nonconformity (3.17) and to prevent recurrence
3.19
audit
systematic and independent process (3.9) for obtaining evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its
behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.20
measurement
process (3.9) to determine a value
3.21
monitoring
determining the status of a system, a process (3.9) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and
that affect its ability to achieve the intended result(s) of its security management system including the
requirements of its supply chain.
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
The organization shall determine:
— the interested parties that are relevant to the security management system;
— the relevant requirements of these interested parties;
— which of these requirements will be addressed through the security management system.
4.2.2 Legal, regulatory and other requirements
The organization shall:
a) implement and maintain a process to identify, have access to and assess the applicable legal,
regulatory and other requirements related to its security;
b) ensure that these applicable legal, regulatory and other requirements are taken into account in
implementing and maintaining its security management system;
c) document this information and keep it up to date;
d) communicate this information to relevant interested parties as appropriate.
4.2.3 Principles
4.2.3.1 General
The purpose of security management within the organization is the creation and, in particular, the
protection of value.
The organization should apply the principles given in Figure 2 and described in 4.2.3.2 to 4.2.3.9.
Figure 2 — Principles
4.2.3.2 Leadership
Leaders at all levels should establish unity of purpose and direction. They should create conditions to
align the organization's strategies, policies, processes and resources t
...

INTERNATIONAL ISO
STANDARD 28000
Second edition
2022-03
Security and resilience —
Security management systems —
Requirements
Reference number
ISO 28000:2022(E)
© ISO 2022

---------------------- Page: 1 ----------------------
ISO 28000:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
  © ISO 2022 – All rights reserved

---------------------- Page: 2 ----------------------
ISO 28000:2022(E)
Contents Page
Foreword .v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization .4
4.1 Understanding the organization and its context . 4
4.2 Understanding the needs and expectations of interested parties . 4
4.2.1 General . 4
4.2.2 Legal, regulatory and other requirements . 4
4.2.3 Principles . 5
4.3 Determining the scope of the security management system . 6
4.4 Security management system . 6
5 Leadership . 7
5.1 Leadership and commitment . 7
5.2 Security policy . 7
5.2.1 Establishing the security policy . 7
5.2.2 Security policy requirements . 8
5.3 Roles, responsibilities and authorities . 8
6 Planning . 8
6.1 Actions to address risks and opportunities . 8
6.1.1 General . 8
6.1.2 Determining security-related risks and identifying opportunities . 9
6.1.3 Addressing security-related risks and exploiting opportunities . 9
6.2 Security objectives and planning to achieve them . 9
6.2.1 Establishing security objectives . 9
6.2.2 Determining security objectives . 10
6.3 Planning of changes . 10
7 Support .10
7.1 Resources . 10
7.2 Competence . 10
7.3 Awareness . 11
7.4 Communication . 11
7.5 Documented information . 11
7.5.1 General . 11
7.5.2 Creating and updating documented information . 11
7.5.3 Control of documented information .12
8 Operation .12
8.1 Operational planning and control .12
8.2 Identification of processes and activities .12
8.3 Risk assessment and treatment . 13
8.4 Controls . 13
8.5 Security strategies, procedures, processes and treatments . 14
8.5.1 Identification and selection of strategies and treatments . 14
8.5.2 Resource requirements . 14
8.5.3 Implementation of treatments . 14
8.6 Security plans . 14
8.6.1 General . 14
8.6.2 Response structure . 14
8.6.3 Warning and communication . 15
8.6.4 Content of the security plans . 15
iii
© ISO 2022 – All rights reserved

---------------------- Page: 3 ----------------------
ISO 28000:2022(E)
8.6.5 Recovery . 16
9 Performance evaluation .16
9.1 Monitoring, measurement, analysis and evaluation . . 16
9.2 Internal audit . 17
9.2.1 General . 17
9.2.2 Internal audit programme . 17
9.3 Management review . 17
9.3.1 General . 17
9.3.2 Management review inputs . 18
9.3.3 Management review results . 18
10 Improvement .18
10.1 Continual improvement . 18
10.2 Nonconformity and corrective action . 19
Bibliography .20
iv
  © ISO 2022 – All rights reserved

---------------------- Page: 4 ----------------------
ISO 28000:2022(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
This second edition cancels and replaces the first edition (ISO 28000:2007), which has been technically
revised, but maintains existing requirements to provide continuity for organizations using the previous
edition. The main changes are as follows:
— recommendations on principles have been added in Clause 4 to give better coordination with
ISO 31000;
— recommendations have been added in Clause 8 for better consistency with ISO 22301, facilitating
integration including:
— security strategies, procedures, processes and treatments;
— security plans.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
v
© ISO 2022 – All rights reserved

---------------------- Page: 5 ----------------------
ISO 28000:2022(E)
Introduction
Most organizations are experiencing an increasing uncertainty and volatility in the security
environment. As a consequence, they face security issues that impact on their objectives, which they
want to address systematically within their management system. A formal approach to security
management can contribute directly to the business capability and credibility of the organization.
This document specifies requirements for a security management system, including those aspects
critical to the security assurance of the supply chain. It requires the organization to:
— assess the security environment in which it operates including its supply chain (including
dependencies and interdependencies);
— determine if adequate security measures are in place to effectively manage security-related risks;
— manage compliance with statutory, regulatory and voluntary obligations to which the organization
subscribes;
— align security processes and controls, including the relevant upstream and downstream processes
and controls of the supply chain to meet the organization’s objectives.
Security management is linked to many aspects of business management. They include all activities
controlled or influenced by organizations, including but not limited to those that impact on the supply
chain. All activities, functions and operations should be considered that have an impact on the security
management of the organization including (but not limited to) its supply chain.
With regard to the supply chain, it has to be considered that supply chains are dynamic in nature.
Therefore, some organizations managing multiple supply chains may look to their providers to meet
related security standards as a condition of being included in that supply chain in order to meet
requirements for security management.
This document applies the Plan-Do-Check-Act (PDCA) model to planning, establishing, implementing,
operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an
organization’s security management system, see Table 1 and Figure 1.
Table 1 — Explanation of the PDCA model
Plan Establish security policy, objectives, targets, controls, processes and
(Establish) procedures relevant to improving security in order to deliver results
that align with the organization’s overall policies and objectives.
Do Implement and operate the security policy, controls, processes and
(Implement and operate) procedures.
Check Monitor and review performance against security policy and objectives,
(Monitor and review) report the results to management for review, and determine and
authorize actions for remediation and improvement.
Act Maintain and improve the security management system by taking
(Maintain and improve) corrective action, based on the results of management review and
reappraising the scope of the security management system and
security policy and objectives.

vi
  © ISO 2022 – All rights reserved

---------------------- Page: 6 ----------------------
ISO 28000:2022(E)
Figure 1 — PDCA model applied to the security management system
This ensures a degree of consistency with other management system standards, such as ISO 9001,
ISO 14001, ISO 22301, ISO/IEC 27001, ISO 45001, etc., thereby supporting consistent and integrated
implementation and operation with related management systems.
For organizations that so wish, conformity of the security management system to this document may
be verified by an external or internal auditing process.
vii
© ISO 2022 – All rights reserved

---------------------- Page: 7 ----------------------
INTERNATIONAL STANDARD ISO 28000:2022(E)
Security and resilience — Security management systems —
Requirements
1 Scope
This document specifies requirements for a security management system, including aspects relevant to
the supply chain.
This document is applicable to all types and sizes of organizations (e.g. commercial enterprises,
government or other public agencies and non-profit organizations) which intend to establish, implement,
maintain and improve a security management system. It provides a holistic and common approach and
is not industry or sector specific.
This document can be used throughout the life of the organization and can be applied to any activity,
internal or external, at all levels.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (3.7)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
Note 2 to entry: If the organization is part of a larger entity, the term “organization” refers only to the part of the
larger entity that is within the scope of the security management system (3.5).
3.2
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.1) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.3
top management
person or group of people who directs and controls an organization (3.1) at the highest level
Note 1 to entry: Top management has the power to delegate authority and provide resources within the
organization.
Note 2 to entry: If the scope of the management system (3.4) covers only part of an organization, then top
management refers to those who direct and control that part of the organization.
3.4
management system
set of interrelated or interacting elements of an organization (3.1) to establish policies (3.6) and
objectives (3.7), as well as processes (3.9) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The management system elements include the organization’s structure, roles and responsibilities,
planning and operation.
3.5
security management system
system of coordinated policies (3.6), processes (3.9) and practices through which an organization
manages its security objectives (3.7)
3.6
policy
intentions and direction of an organization (3.1) as formally expressed by its top management (3.3)
3.7
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as finance, health and safety, and environment).
They can be, for example, organization-wide or specific to a project, product and process (3.9).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended result, as a purpose, as an
operational criterion, as a security objective, or by the use of other words with similar meaning (e.g. aim, goal, or
target).
Note 4 to entry: In the context of security management systems (3.5), security objectives are set by the organization
(3.1), consistent with the security policy (3.6), to achieve specific results.
3.8
risk
effect of uncertainty on objectives (3.7)
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address,
create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their
likelihood.
3.9
process
set of interrelated or interacting activities that uses or transforms inputs to deliver a result
Note 1 to entry: Whether the result of a process is called an output, a product or a service depends on the context
of the reference.
3.10
competence
ability to apply knowledge and skills to achieve intended results
3.11
documented information
information required to be controlled and maintained by an organization (3.1) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media, and from any source.
Note 2 to entry: Documented information can refer to:
— the management system (3.4), including related processes (3.9);
— information created in order for the organization to operate (documentation);
— evidence of results achieved (records).
3.12
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to managing activities, processes (3.9), products, services, systems or
organizations (3.1).
3.13
continual improvement
recurring activity to enhance performance (3.12)
3.14
effectiveness
extent to which planned activities are realized and planned results are achieved
3.15
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (3.1) and
interested parties (3.2) that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, e.g. in documented information (3.11).
3.16
conformity
fulfilment of a requirement (3.15)
3.17
nonconformity
non-fulfilment of a requirement (3.15)
3.18
corrective action
action to eliminate the cause(s) of a nonconformity (3.17) and to prevent recurrence
3.19
audit
systematic and independent process (3.9) for obtaining evidence and evaluating it objectively to
determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization (3.1) itself, or by an external party on its
behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.20
measurement
process (3.9) to determine a value
3.21
monitoring
determining the status of a system, a process (3.9) or an activity
Note 1 to entry: To determine the status, there can be a need to check, supervise or critically observe.
4 Context of the organization
4.1 Understanding the organization and its context
The organization shall determine external and internal issues that are relevant to its purpose and
that affect its ability to achieve the intended result(s) of its security management system including the
requirements of its supply chain.
4.2 Understanding the needs and expectations of interested parties
4.2.1 General
The organization shall determine:
— the interested parties that are relevant to the security management system;
— the relevant requirements of these interested parties;
— which of these requirements will be addressed through the security management system.
4.2.2 Legal, regulatory and other requirements
The organization shall:
a) implement and maintain a process to identify, have access to and assess the applicable legal,
regulatory and other requirements related to its security;
b) ensure that these applicable legal, regulatory and other requirements are taken into account in
implementing and maintaining its security management system;
c) document this information and keep it up to date;
d) communicate this information to relevant interested parties as appropriate.
4.2.3 Principles
4.2.3.1 General
The purpose of security management within the organization is the creation and, in particular, the
protection of value.
The organization should apply the principles given in Figure 2 and described in 4.2.3.2 to 4.2.3.9.
Figure 2 — Principles
4.2.3.2 Leadership
Leaders at all levels should establish unity of purpose and direction. They should create conditions to
align the organization's strategies, policies, processes and resources to achieve its objectives. Clause 5
explains the requirements with regard to this principle.
4.2.3.3 Structured and comprehensive process approach based on best available information
A structured and comprehensive approach to security management including the supply chain should
contribute to consistent and comparable results, which are achieved more effectively and efficiently
when activities are understood and managed as interrelated processes functioning as a coherent
system.
4.2.3.4 Customized
The security management system should be customized and proportionate to the organization’s
external and internal context and needs. It should be related to its objectives.
4.2.3.5 Inclusive engagement of people
The organization should involve interested parties appropriately and in a timely manner. It should
consider their knowledge, views and perceptions appropriatel
...

FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 28000
ISO/TC 292
Secretariat: SIS
Security and resilience — Security management systems — Requirements
Voting begins on: 2021-12-03
Voting terminates on: 2022-01-28
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number: ISO/FDIS 28000:2021(E)
© ISO 2021

---------------------- Page: 1 ----------------------
ISO/FDIS 28000:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Context of the organization . 4
4.1 Understanding the organization and its context . 4
4.2 Understanding the needs and expectations of interested parties . 4
4.2.1 General . 4
4.2.2 Legal, regulatory and other requirements . 4
4.2.3 Principles . 5
4.3 Determining the scope of the security management system . 6
4.4 Security management system . 6
5 Leadership . 7
5.1 Leadership and commitment . 7
5.2 Security policy . 7
5.2.1 Establishing the security policy . 7
5.2.2 Security policy requirements . 8
5.3 Roles, responsibilities and authorities . 8
6 Planning . 8
6.1 Actions to address risks and opportunities . 8
6.1.1 General . 8
6.1.2 Determining security-related risks and identifying opportunities . 9
6.1.3 Addressing security-related risks and exploiting opportunities . 9
6.2 Security objectives and planning to achieve them . 9
6.2.1 Establishing security objectives . 9
6.2.2 Determining security objectives . 10
6.3 Planning of changes . 10
7 Support . 10
7.1 Resources . 10
7.2 Competence . 10
7.3 Awareness . 11
7.4 Communication . 11
7.5 Documented information . 11
7.5.1 General . 11
7.5.2 Creating and updating documented information . 11
7.5.3 Control of documented information . 12
8 Operation . 12
8.1 Operational planning and control . 12
8.2 Identification of processes and activities . 12
8.3 Risk assessment and treatment . 13
8.4 Controls . 13
8.5 Security strategies, procedures, processes and treatments . 14
8.5.1 Identification and selection of strategies and treatments . 14
8.5.2 Resource requirements . 14
8.5.3 Implementation of treatments . 14
8.6 Security plans . 14
8.6.1 General . 14
8.6.2 Response structure . 14
8.6.3 Warning and communication . 15
8.6.4 Content of the security plans . 15
8.6.5 Recovery . 16
9 Performance evaluation . 16
9.1 Monitoring, measurement, analysis and evaluation . 16
9.2 Internal audit . 17
9.2.1 General . 17
9.2.2 Internal audit programme . 17
9.3 Management review . 17
9.3.1 General . 17
9.3.2 Management review inputs . 18
9.3.3 Management review results . 18
10 Improvement . 18
10.1 Continual improvement . 18
10.2 Nonconformity and corrective action . 19
Bibliography . 20
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
This second edition cancels and replaces the first edition (ISO 28000:2007), which has been technically
revised, but maintains existing requirements to provide continuity for organizations using the previous
edition. The main changes are as follows:
— recommendations on principles have been added in Clause 4 to give better coordination with
ISO 31000;
— recommendations have been added in Clause 8 for better consistency with ISO 22301, facilitating
integration including:
— security strategies, procedures, processes and treatments;
— security plans.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
