ISO 28000:2022 conformity assessment issued under the Guardian Approved Scheme — a structured conformity assessment programme administered by Guardian Middle East LLC.
Demonstrate your organisation’s commitment to systematic security management — protecting people, assets, infrastructure, and supply chain operations against security threats. Aligned with Qatar’s strategic infrastructure security expectations, Hamad Port (Mwani Qatar) operations, regional logistics hub ambitions, and broader supply chain security frameworks.
Important Disclosure: Tier 4 — Guardian Approved Scheme (NOT IAF MLA Accredited). Certificates for ISO 28000:2022 are issued under the Guardian Approved Scheme — Guardian’s own structured conformity assessment programme. This is NOT an internationally accredited certification under IAF MLA. See §12 for full disclosure.
Post-Transition Status. ISO 28000:2022 (second edition, published 15 March 2022) replaced ISO 28000:2007. The three-year transition period ended March 2025 — ISO 28000:2022 is now the only operative edition.
ISO 28000:2022 is the international standard for Security Management Systems (SeMS). It specifies requirements for a security management system, including aspects relevant to the supply chain. The standard provides a holistic and common approach to security management — applicable to all types and sizes of organizations across all industries.
ISO 28000:2022 was developed by ISO Technical Committee TC 292 (Security and resilience) and published on 15 March 2022 as the second edition. It replaced ISO 28000:2007 (originally developed by ISO/TC 8 for ships and maritime technology). The 2022 edition expanded scope beyond supply chain to all aspects of organizational security.
Key changes in ISO 28000:2022 (vs 2007 edition):
ISO 28000 family overview:
Key concepts of ISO 28000:2022:
Qatar’s strategic position as a regional logistics hub, combined with substantial port operations, energy export operations, and broader supply chain complexity, creates significant security management imperatives. ISO 28000:2022 provides the international framework most relevant to Qatar organisations with substantial security exposure.
Hamad Port serves as Qatar’s strategic seaport and regional logistics hub. Container security, cargo screening, ship security interfaces, and broader port security operations create substantial security management demands. ISO 28000:2022 provides a systematic framework aligned with port security expectations.
Hamad International Airport’s substantial cargo operations, courier hub functions, and high-value goods movements create substantial security management demands. Aviation cargo security frameworks (ICAO, IATA, regulatory expectations) align with the ISO 28000:2022 systematic approach.
QatarEnergy’s substantial export operations, LNG shipping, and broader energy supply chain face significant security threats — terrorism, sabotage, cargo theft, sanctions compliance. ISO 28000:2022 provides a systematic security management framework.
Major logistics operators (DHL, Aramex, regional firms) face substantial security risks across cargo handling, transportation, warehousing, and last-mile delivery. ISO 28000:2022 provides a foundational framework that is increasingly required by major customers.
Qatar’s critical infrastructure — power generation, water desalination, telecommunications, financial systems — faces substantial security threats. ISO 28000:2022 provides a systematic framework supporting critical infrastructure protection initiatives.
ISO 28000:2022 follows the Harmonized Structure (Clauses 4-10) with security-specific requirements throughout:
| Clause | Title | Key Requirements |
|---|---|---|
| 4 | Context of the Organization | Internal/external issues · Stakeholder needs · SeMS scope · Eight security management principles (4.4) · Climate change relevance (Amd 1:2024) |
| 5 | Leadership | Top management commitment · Security policy · Roles, responsibilities, authorities · Security culture |
| 6 | Planning | Security risk assessment · Security risk treatment · Statement of Applicability (security controls) · Security objectives · Planning of changes |
| 7 | Support | Resources · Security competence · Awareness · Communication · Documented information |
| 8 | Operation | Operational planning and control · Security risk treatment implementation · Security incident response · Outsourced security activities |
| 9 | Performance Evaluation | Monitoring, measurement, analysis · Internal audit · Management review · Security performance evaluation |
| 10 | Improvement | Nonconformity and corrective action · Continual improvement · Security incident learning |
Distinctive ISO 28000:2022 requirements: The eight security management principles (Clause 4.4) provide a foundational framework aligned with the ISO 31000 risk management principles. Security risk assessment (Clause 6.1) addresses both intentional and unintentional security threats. The Statement of Applicability documents the security controls implemented to treat identified risks. Security incident response (Clause 8.4) provides a systematic framework for managing security events.
| Sector | ISO 28000 Relevance |
|---|---|
| Port Operations (Mwani Qatar) | Critical for Hamad Port operations and supporting service providers. Port security has multiple regulatory frameworks (ISPS Code, AEO, etc.) — ISO 28000 provides the integrating management framework. |
| Airport Cargo & Logistics | Important for Hamad International Airport cargo operations, Qatar Airways Cargo, courier hubs. Aviation cargo security alignment. |
| Logistics & Freight | Strong fit for major logistics operators. Customer security expectations increasingly require ISO 28000 evidence. |
| Energy Sector Supply Chain | Critical for QatarEnergy operations, LNG shipping, oil & gas supply chain. Substantial security threats; sanctions compliance integration. |
| Pharmaceutical & Medical Devices | Important for pharmaceutical importers, distributors, manufacturers. Cold chain integrity, anti-counterfeiting, controlled substance security. |
| High-Value Goods | Relevant for jewellery, electronics, luxury goods importers/distributors. Substantial theft and diversion risks. |
| Defence & Security | Applicable to defence contractors, security service providers. Sensitive operations with substantial security frameworks. |
| Critical Infrastructure | Important for Kahramaa, telecommunications operators, financial systems operators. Critical asset protection. |
| Banking Physical Security | Relevant for banks with substantial physical security operations — branch network, ATM, cash transit, vault operations. |
| Manufacturing | Applicable to manufacturers with substantial supply chain security exposure. |
| Free Zones (QFZ) | Important for Qatar Free Zones Authority operations and tenant companies. Free zone security frameworks align with ISO 28000. |
Guardian’s conformity assessment pathway under the Guardian Approved Scheme follows ISO/IEC 17021-1:2015 principles for management system assessment, even though the resulting certificate is not IAF MLA accredited:
| Stage | Activity | Outcome |
|---|---|---|
| 1 | Application & Contract | Application form. Guardian reviews scope (operations, sites, supply chain footprint, security threats), proposes assessment plan. Contract signed. |
| 2 | Stage 1 Assessment | On-site readiness review. Assessor verifies SeMS documentation, security policy, security risk register, Statement of Applicability, security incident response procedures. |
| 3 | Stage 2 Assessment | On-site full assessment. Assessor samples evidence, observes security operations across sample sites, reviews security incident records, audits supplier security controls, validates access control and physical security. |
| 4 | Conformity Decision | Guardian’s conformity assessment committee reviews assessment report. Guardian Approved Scheme certificate issued (3-year validity). |
| 5 | Surveillance & Re-Assessment | Annual surveillance assessments. Re-assessment before Year 3. |
Assessor competence: ISO 28000 conformity assessments require assessors with substantive security competence — typically security management, supply chain security, or risk management backgrounds with sector experience. Sensitive operations may require additional vetting.
Typical end-to-end implementation timeline is 8 to 14 months depending on operational complexity and security threat exposure:
| Phase | Duration | Activities |
|---|---|---|
| Gap Analysis & Threat Assessment | 4-8 weeks | Review existing security practices against ISO 28000:2022. Comprehensive security threat and vulnerability assessment. |
| System Design | 8-12 weeks | Develop SeMS Manual, security policy, security risk methodology, security objectives, Statement of Applicability, integration with risk management. |
| Implementation | 12-20 weeks | Roll out new processes. Implement security controls. Train security and operations staff. Implement supplier security controls. Test incident response. |
| Internal Audit & Review | 4 weeks | Internal audit cycle. Security performance review. Management review. Address findings. |
| Conformity Assessment | 3-5 weeks | Stage 1 readiness review. Stage 2 full assessment. |
Key implementation considerations: Security risk assessment requires specialist competence — engaging security professionals with sector experience helps. Existing security operations may need formalisation rather than complete reinvention. Multi-site operations require careful sampling and consistency.
Indicative pricing range: QAR 5,000 – 20,000 depending on operational scope, sites, security threat exposure, and integration with other certifications.
Assessment time and corresponding fee considerations:
For an exact quotation, contact Guardian directly.
Tier 4 Disclosure — Guardian Approved Scheme (Conformity Assessment). Certificates for ISO 28000:2022 are issued under the Guardian Approved Scheme — a structured conformity assessment programme administered by Guardian Middle East LLC (QFC 03870). This is NOT an internationally accredited certification under IAF MLA recognition.
ISO 28000 currently falls outside the accreditation scope of Guardian Assessment Pvt Ltd, TNV Global Limited, or any other entity within the Guardian/TNV group. Rather than misrepresent third-party accreditation, Guardian offers transparent conformity assessment under our own scheme.
ISO 28000 is the fifth standard in Guardian’s portfolio under Tier 4 (Guardian Approved Scheme), following ISO 41001:2018 (R13), ISO 37301:2021 (R15), ISO 20121:2024 (R16), and ISO 39001:2012 (R17). All Tier 4 standards are issued under the Guardian Approved Scheme administered by Guardian Middle East LLC.
| Tier | Issuing Body & Standards |
|---|---|
| Tier 1 | Guardian Assessment Pvt Ltd · QS RB066-26 + UAF/IAS · ISO 9001/14001/45001 · IAF MLA accredited |
| Tier 2 | Guardian Assessment Pvt Ltd · UAF/IAS only · ISO 21001/27001/37001/27701/55001/13485 · IAF MLA accredited |
| Tier 2-Special | Third-Party CB · IAS MSCB 154 · ISO 22301 · IAF MLA accredited |
| Tier 3 | TNV Global Limited · UAF only · ISO/IEC 20000-1, ISO 50001, ISO/IEC 42001 · IAF MLA accredited |
| Tier 4 (this standard) | Guardian Middle East LLC · Guardian Approved Scheme · ISO 41001, ISO 37301, ISO 20121, ISO 39001, ISO 28000 (and future) · NOT IAF MLA accredited |
ISO 28000:2022 is the current second edition, published on 15 March 2022 by ISO/TC 292. The 2022 edition replaced ISO 28000:2007 with title change reflecting expanded scope (from supply-chain-only to all organisational security).
Transition Complete. ISO 28000:2007 is fully withdrawn. The three-year transition period from publication ended March 2025. ISO 28000:2022 is the only operative edition.
ISO 28000:2022 / Amendment 1:2024 (Climate action changes) is now in effect as part of the IAF/ISO joint Climate Action initiative. No transition period applies — the amendment is effective from publication. The 2022 edition with this amendment is the current operative edition.
No formal revision project for ISO 28000 is currently active. Recently revised (2022), ISO 28000:2022 is in early adoption phase. ISO/TC 292 systematic review will commence around 2027. The 2022 edition with Climate Amendment 1:2024 is current and stable.
No §13b section for this standard — successor not in development.
Reality: The 2022 edition expanded scope to all organisational security. The title changed from ‘Specification for security management systems for the supply chain’ to ‘Security and resilience — Security management systems — Requirements’. Now applicable across organisational security broadly.
Reality: Different scope. ISO 27001 covers information security specifically. ISO 28000 covers physical, supply chain, and operational security. Many organisations certify both — they are complementary.
Reality: The 2022 edition contains ‘almost no new requirements’ for organisations previously certified to ISO 28000:2007. Title and scope updates plus Harmonised Structure adoption are the main changes — most existing security practices map directly to 2022 edition.
Reality: It is NOT the same. The Guardian Approved Scheme is Guardian’s own conformity assessment programme — credible, but NOT recognised under IAF MLA.
Reality: Different frameworks. The ISPS Code is an international ship/port security regulation. AEO (Authorised Economic Operator) is a customs trusted-trader programme. ISO 28000 is a voluntary international standard providing systematic security management — it supports compliance with ISPS, AEO, and other security frameworks but is distinct from them.
| Integration | Why & When |
|---|---|
| 28000 + 27001 | SeMS + InfoSec — Most natural pairing. Physical and information security complementary. Most security-conscious organisations certify both. |
| 28000 + 22301 | SeMS + Business Continuity — Strong pairing. Security incidents create business continuity disruptions. Combined approach provides resilience. |
| 28000 + 9001 | SeMS + Quality — Common foundation pairing. |
| 28000 + 45001 | SeMS + OH&S — Important for sectors with security-related personnel safety risks. |
| 28000 + 31000 | SeMS + Risk Management — ISO 31000 risk management framework supports SeMS approach. |
| 28000 + AEO | SeMS + Customs Trusted Trader — Strong synergy. AEO and ISO 28000 share security philosophy. |
| 28000 + ISPS Code | SeMS + Port/Ship Security Regulation — Complementary. ISO 28000 provides management system; ISPS provides regulatory framework. |
Common pairing: ISO 28000 + ISO 27001 + ISO 22301 triple integration provides comprehensive security and resilience framework for major operators.
| Assessment | Timing & Scope |
|---|---|
| Surveillance 1 | Within 12 months of Stage 2. Mandatory: management review, internal audit, security performance review, security incident review, corrective actions. |
| Surveillance 2 | Within 24 months of Stage 2. Same scope, different operations sample. |
| Re-Assessment | Before 3-year anniversary. Re-evaluation of full SeMS. |
Special assessments triggered by: significant scope change, major site addition, certificate transfer, material security incident.
Conformity-assessed organisations may use the Guardian Approved Scheme Mark on documents, marketing, websites, tender submissions — subject to Guardian’s Use of Marks Policy.
Permitted: Letterhead, marketing materials, websites, tender submissions, security communications.
PROHIBITED (critical): Any use that implies IAF MLA accredited certification, UAF/IAS/QS accreditation, or equivalence with accredited certification is STRICTLY PROHIBITED.
Full policy: → /use-of-marks/
Guardian operates an independent complaints and appeals process for the Guardian Approved Scheme. Process aligned with ISO/IEC 17021-1:2015 principles.
Full process: → /complaints-appeals/
Ready to begin your ISO 28000 security management conformity assessment journey? Contact Guardian Middle East LLC for a no-obligation initial consultation.
Guardian Middle East LLC
QFC Licence 03870 · Doha, Qatar · Guardian Approved Scheme Administrator
→ /contact/
No. The Guardian Approved Scheme provides credible conformity evidence following ISO/IEC 17021-1 principles, but it is NOT IAF MLA accredited.
Title changed (now 'Security and resilience — Security management systems'). Scope expanded from supply-chain-only to all organisational security. Harmonised Structure adopted. Eight security management principles added. Risk-based approach strengthened. Most operational requirements retained for continuity.
Yes. Three-year transition period from March 2022 publication ended March 2025. ISO 28000:2007 is fully withdrawn. ISO 28000:2022 is the only operative edition.
AEO is a customs trusted-trader programme. The ISPS Code is the regulatory framework for ship and port security. ISO 28000 is a voluntary international standard providing a systematic security management framework. They are complementary; ISO 28000 supports AEO and ISPS compliance.
Guardian's indicative range is QAR 5,000–20,000 (Cluster B) for initial assessment, depending on operational scope and security threat exposure.
Typically 8-14 months. Security risk assessment requires specialist competence. Multi-site operations require careful coordination.
No. Recently published (March 2022). ISO/TC 292 systematic review will commence around 2027. Climate Amendment 1:2024 in effect. Edition is current and stable.
Increasingly. Mwani Qatar port security expectations align with ISO 28000 principles. Customs procedures reference international security standards. Major customer security requirements increasingly cite ISO 28000.
Documentation of which security controls are implemented (and which are excluded, with rationale). The concept is similar to the ISO/IEC 27001 SoA. Clause 6.1 requires an SoA covering all security controls relevant to the identified security risks.