In this article on ISO 28000 I want to emphasize the audit focus areas based on what 2025 revealed and what auditors must prioritize in 2026 and beyond. The emphasis shifts from mere compliance to resilience, leading to secure supply chains.
The year 2025 can be seen as a watershed moment for supply chain security management systems. Global supply chains were subjected not to one dominant crisis but to a convergence of pressures: geopolitical instability, regulatory fragmentation, cyber intrusion, logistics disruption, and heightened stakeholder scrutiny. For organizations certified to ISO 28000, and for auditors charged with assessing conformity, this period exposed an uncomfortable truth: many supply chain security management systems were compliant in form but brittle in practice.
As we look toward 2026 and beyond, ISO 28000 audits must evolve to meet these challenges. Admittedly, organizations must not wait for audits to ensure continual improvement, to act on risks, and to use opportunities for improvement (OFIs). It is equally true, however, that nonconformities (NCs) drive correction and corrective action (CA). As such, audits play a minor part in providing inputs at the check stage of the PDCA (plan-do-check-act) cycle. Therefore, the question is no longer whether organizations have established a supply chain security management system, but whether that system is capable of sensing change, absorbing shocks, and adapting under stress. ISO 28001, as the supporting guidance standard, provides a valuable lens through which this shift can be framed, particularly in relation to risk assessment, security planning, and operational controls.
This article reflects on what audits in 2025 revealed and outlines the audit focus areas that will define credible, value-adding ISO 28000 audits from 2026 onwards. Let us first dwell on what 2025 taught the industry and look at the key audit lessons:
- Risk assessments were static in a dynamic threat environment. Audits conducted during 2025 repeatedly identified a reliance on periodic, document-driven risk assessments. While these assessments were often well-structured and aligned with ISO 28000 Clause 4 (Security risk assessment and planning), they frequently failed to reflect rapidly changing threat conditions.
ISO 28001 emphasizes that risk assessment should be an ongoing process, responsive to changes in threat, vulnerability, and consequence. In practice, however, many organizations treated risk reviews as annual or biennial events, disconnected from real-time intelligence, incident trends, or geopolitical developments.
The lesson for auditors was clear: conformity to the process was present, but the intent of continual risk awareness was not fully realized.
- Limited visibility beyond Tier-1 suppliers. A second consistent audit finding in 2025 was the narrow scope of supplier security controls. Organizations could demonstrate security requirements for direct suppliers, yet had little understanding or assurance of security practices deeper within the supply chain.
ISO 28001 explicitly recognizes the need to consider the full supply chain, including subcontractors and service providers, when establishing security plans and controls. Despite this guidance, audits revealed that supplier evaluation mechanisms often stopped at contractual clauses, with minimal follow-up, verification, or performance monitoring.
Security incidents originating in Tier-2 or Tier-3 suppliers highlighted the inadequacy of superficial supplier controls and reinforced the need for more robust assurance mechanisms.
- Cyber risks were poorly integrated into supply chain security. Although ISO 28000 is not a cybersecurity standard, 2025 audits increasingly revealed that cyber vulnerabilities were among the most significant enablers of supply chain disruption. Cargo tracking systems, access control platforms, vendor portals, and logistics planning tools were all identified as potential attack vectors. With the harmonized structure (HS), it was presumed that an integrated management system approach could address this, but by and large organizations did not integrate ISO 27001 and ISO 28001.
ISO 28001 encourages organizations to consider all relevant threats to the supply chain, including those affecting information and communication systems. Yet audits frequently found a disconnect between physical security management and information security governance, with limited coordination between security and IT functions.
This gap did not necessarily result in formal nonconformities, but it raised serious questions about the effectiveness of the overall security management system.
- Business continuity planning lacked supply chain realism. Many organizations could demonstrate alignment with business continuity frameworks and, in some cases, certification to ISO 22301 (Business Continuity). However, audits in 2025 showed that supply-chain-specific disruption scenarios were rarely tested.
ISO 28001 stresses the importance of preparedness and response planning based on realistic threat scenarios. Yet exercises involving port closures, border restrictions, supplier insolvency, or regulatory intervention were the exception rather than the rule. The result was a gap between documented preparedness and demonstrated capability, one that became increasingly visible to experienced auditors.
Based on these lessons from 2025, I think the audit focus areas for 2026 and beyond should be the following:
- Going from risk identification to risk intelligence. From 2026 onwards, auditors will need to place greater emphasis on how organizations maintain the ongoing validity of their risk assessments. ISO 28000 Clause 4, supported by ISO 28001 guidance, implicitly requires organizations to monitor changes that could affect supply chain security risks. Audits should therefore examine:
- The use of internal and external intelligence sources.
- Defined triggers for risk reassessment.
- Evidence that changes in risk lead to timely management action.
The audit question is shifting from “Do you have a risk assessment?” to “How do you know your risk assessment reflects today’s reality?”
- Supplier security assurance, not just evaluation. ISO 28001 provides detailed guidance on supplier security planning, including differentiation based on criticality and risk exposure. In 2026, audits will increasingly probe how supplier security requirements are implemented, monitored, and enforced. Key audit considerations will include:
- Supplier segmentation and prioritization.
- Proportionate security controls.
- Evidence of supplier audits, self-assessments, or performance reviews.
- Corrective action and escalation when requirements are not met.
Supplier security must be demonstrable and sustained, not assumed.
- Integration of cyber and physical security controls. Auditors should expect to see clearer alignment between ISO 28000 systems and information security frameworks such as ISO/IEC 27001. ISO 28001 supports this integration by recognizing information flow and system integrity as essential elements of supply chain security. Audit focus areas will include:
- Identification of cyber-enabled supply chain risks.
- Coordination between security and IT incident response.
- Protection of logistics data, tracking systems, and access controls.
While ISO 28000 audits will not become cyber audits, unmanaged cyber dependencies will increasingly undermine audit confidence.
- Testing, exercises, and demonstrated preparedness. In 2026 and beyond, documented plans will carry less weight without evidence of testing. ISO 28001 places strong emphasis on preparedness, response, and recovery capabilities. Therefore, auditors should look for:
- Scenario-based exercises relevant to the organization’s supply chain.
- Participation by relevant internal and external stakeholders.
- Lessons learned and system improvements following exercises.
Preparedness is best demonstrated through practice, not paperwork.
- Governance and leadership accountability. A notable trend emerging from late-2025 audits was increased attention to top management involvement. ISO 28000 requires leadership commitment, and ISO 28001 reinforces the importance of governance in sustaining effective security management. Audits in 2026 will increasingly examine:
- Management review outputs related to supply chain security.
- Resource allocation decisions.
- Evidence of board or senior leadership awareness of key risks.
Supply chain security is no longer solely an operational concern; it is a matter of organizational governance. The implications for auditors and organizations are therefore:
- For auditors, the coming years will demand deeper understanding of risk dynamics, supply chain complexity, and the convergence of physical and digital threats. Checklist-based auditing will be insufficient where resilience and adaptability are the true measures of effectiveness.
- For organizations, ISO 28000 should be repositioned as a strategic risk management framework. Investment in intelligence, supplier assurance, and realistic testing will not only support certification outcomes but also strengthen operational resilience.
In conclusion, I would say, based on QMII's experience, that 2025 has taught us that supply chain security management systems fail not because organizations lack procedures, but because those procedures are not designed for volatility. As we move into 2026 and beyond, ISO 28000 audits must therefore measure more than conformity: they must assess resilience.
ISO 28001 provides the guidance needed to make this transition. The challenge for both auditors and organizations is to apply that guidance with realism, discipline, and strategic intent.
—
This article was written by IJ, Principal Consultant at QMII. With extensive experience in ISO standards, auditing, and organizational transformation, IJ has guided global organizations in strengthening their management systems. His approach focuses on aligning ISO implementation with strategic business objectives to drive long-term performance improvement.