By IJ Arora, Ph.D.
In this article on ISO 28000:2022, “Security and resilience—Security management systems—Requirements,” I want to emphasize the audit focus areas for the standard, based on what 2025 revealed and what auditors must prioritize in 2026 and beyond. This focus will allow organizations registered to the standard to go from mere compliance to resilience, leading to more secure supply chains.
The year 2025 can be seen as a watershed moment for supply chain security management systems. Global supply chains were subjected not to one dominant crisis but to a convergence of pressures: geopolitical instability, regulatory fragmentation, cyber intrusion, logistics disruption, and heightened stakeholder scrutiny. For organizations certified to ISO 28000, and for auditors charged with assessing conformity, the year exposed an uncomfortable truth: Many supply chain security management systems were compliant in form but brittle in practice.
As we look toward 2026 and beyond, ISO 28000 audits must evolve to meet these challenges. Organizations should not wait for audits to ensure continual improvement, act on risks, and explore opportunities for improvement. In practice, however, nonconformities are what drive corrective actions, so audits remain an important source of inputs at the check stage of the plan-do-check-act (PDCA) cycle. The question is no longer whether organizations have established a supply chain security management system, but whether that system is capable of sensing change, absorbing shocks, and adapting under stress. ISO 28001, as the supporting guidance standard, provides a valuable lens through which this shift can be framed, particularly in relation to risk assessment, security planning, and operational controls.
Lessons learned
Audits conducted in 2025 brought to light the focus areas that will define credible, value-adding ISO 28000 audits going forward. Following are four key lessons learned.
Lesson 1: Risk assessments were static in a dynamic threat environment
Audits conducted during 2025 repeatedly identified a reliance on periodic, document-driven risk assessments. Although these assessments were often well-structured and aligned with ISO 28000's requirements for security risk assessment and planning, they frequently failed to reflect rapidly changing threat conditions.
ISO 28001 emphasizes that risk assessment should be an ongoing process, responsive to changes in threat, vulnerability, and consequence. In practice, however, many organizations treated risk reviews as annual or biennial events, disconnected from real-time intelligence, incident trends, or geopolitical developments.
The lesson for auditors was clear: conformity to the process was present, but the intent of continual risk awareness was not fully realized.
Lesson 2: Limited visibility beyond tier 1 suppliers
A second consistent audit finding in 2025 was the narrow scope of supplier security controls. Organizations could demonstrate security requirements for direct suppliers yet had little understanding or assurance of security practices deeper within the supply chain.
ISO 28001 explicitly recognizes the need to consider the full supply chain, including subcontractors and service providers, when establishing security plans and controls. Despite this guidance, audits revealed that supplier evaluation mechanisms often stopped at contractual clauses, with minimal follow-up, verification, or performance monitoring.
Security incidents originating in tier 2 or tier 3 suppliers highlighted the inadequacy of superficial supplier controls and reinforced the need for more robust assurance mechanisms.
Lesson 3: Cyber risks were poorly integrated into supply chain security
Although ISO 28000 is not a cybersecurity standard, 2025 audits increasingly revealed that cyber vulnerabilities were among the most significant enablers of supply chain disruption. Cargo tracking systems, access control platforms, vendor portals, and logistics planning tools were all identified as potential attack vectors. The harmonized structure shared by these standards presumes that an integrated management system approach can address this, but organizations did not generally integrate ISO 28000 and ISO 28001 with ISO/IEC 27001:2022, “Information security, cybersecurity and privacy protection—Information security management systems—Requirements.”
ISO 28001 encourages organizations to consider all relevant threats to the supply chain, including those affecting information and communication systems. Yet audits frequently found a disconnect between physical security management and information security governance, with limited coordination between security and IT functions.
This gap did not necessarily result in formal nonconformities, but it raised serious questions about the effectiveness of the overall security management system.
Lesson 4: Business continuity planning lacked supply chain realism
Many organizations could demonstrate alignment with business continuity frameworks and, in some cases, certification to ISO 22301:2019, “Security and resilience—Business continuity management systems—Requirements.” However, audits in 2025 showed that supply chain-specific disruption scenarios were rarely tested.
ISO 28001 stresses the importance of preparedness and response planning based on realistic threat scenarios. Yet exercises involving port closures, border restrictions, supplier insolvency, or regulatory intervention were the exception rather than the rule. The result was a gap between documented preparedness and demonstrated capability, one that became increasingly visible to experienced auditors.
Actions to consider
Based on these lessons from 2025, I think the audit focus areas for 2026 and beyond should include the following five actions.
Action 1: Going from risk identification to risk intelligence
From 2026 onwards, auditors will need to place greater emphasis on how organizations maintain the ongoing validity of their risk assessments. Clause 4 of ISO 28000 (context of the organization), supported by ISO 28001 guidance, implicitly requires organizations to monitor changes that could affect supply chain security risks. Audits should therefore examine:
- The use of internal and external intelligence sources
- Defined triggers for risk reassessment
- Evidence that changes in risk lead to timely management action
The audit question is shifting from “Do you have a risk assessment?” to “How do you know your risk assessment reflects today’s reality?”
Action 2: Supplier security assurance, not just evaluation
ISO 28001 provides detailed guidance on supplier security planning, including differentiation based on criticality and risk exposure. In 2026, audits will increasingly probe how supplier security requirements are implemented, monitored, and enforced. Key audit considerations will include:
- Supplier segmentation and prioritization
- Proportionate security controls
- Evidence of supplier audits, self-assessments, or performance reviews
- Corrective action and escalation when requirements are not met
Supplier security must be demonstrable and sustained, not assumed.
Action 3: Integration of cyber and physical security controls
Auditors should expect to see clearer alignment between ISO 28000 systems and information security frameworks such as ISO/IEC 27001. ISO 28001 supports this integration by recognizing information flow and system integrity as essential elements of supply chain security. Audit focus areas will include:
- Identification of cyber-enabled supply chain risks
- Coordination between security and IT incident response
- Protection of logistics data, tracking systems, and access controls
Although ISO 28000 audits will not become cyber audits, unmanaged cyber dependencies will increasingly undermine audit confidence.
Action 4: Testing, exercises, and demonstrated preparedness
In 2026 and beyond, documented plans will carry less weight without evidence of testing. ISO 28001 places strong emphasis on preparedness, response, and recovery capabilities. Therefore, auditors should look for:
- Scenario-based exercises relevant to the organization’s supply chain
- Participation by relevant internal and external stakeholders
- Lessons learned and system improvements following exercises
Preparedness is best demonstrated through practice, not paperwork.
Action 5: Governance and leadership accountability
A notable trend emerging from late 2025 audits was increased attention to top management involvement. ISO 28000 requires leadership commitment, and ISO 28001 reinforces the importance of governance in sustaining effective security management. Audits in 2026 will increasingly examine:
- Management review outputs related to supply chain security
- Resource allocation decisions
- Evidence of board or senior leadership awareness of key risks
Implications and conclusions
Supply chain security is no longer solely an operational concern; it is a matter of organizational governance. The implications for auditors and organizations are therefore twofold.
First, for auditors, the coming years will demand deeper understanding of risk dynamics, supply chain complexity, and the convergence of physical and digital threats. Checklist-based auditing will be insufficient where resilience and adaptability are the true measures of effectiveness.
Second, for organizations, ISO 28000 should be repositioned as a strategic risk management framework. Investment in intelligence, supplier assurance, and realistic testing will not only support certification outcomes but also strengthen operational resilience.
In conclusion, I would say 2025 taught us that supply chain security management systems fail not because organizations lack procedures, but because those procedures are not designed for volatility. As we move into 2026 and beyond, ISO 28000 audits must therefore measure more than conformity—they must assess resilience.
ISO 28001 provides the guidance needed to make this transition. The challenge for both auditors and organizations is to apply that guidance with realism, discipline, and strategic intent.
About the author
Inderjit (IJ) Arora, Ph.D., is the Chairman of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 34-year record of achievement in the military, mercantile marine, and civilian industry.