Audit Focus Areas Under ISO 28000 for 2026 (and Beyond)

-by Dr. IJ Arora

In this article on ISO 28000:2022, “Security and resilience—Security management systems—Requirements,” I want to emphasize the audit focus areas for the standard, based on what 2025 revealed and what auditors must prioritize in 2026 and beyond. This focus will allow organizations registered to the standard to go from mere compliance to resilience, leading to more secure supply chains.

The year 2025 can be seen as a watershed moment for supply chain security management systems. Global supply chains were subjected not to one dominant crisis, but to a convergence of pressures: geopolitical instability, regulatory fragmentation, cyber intrusion, logistics disruption, and heightened stakeholder scrutiny. For organizations certified to ISO 28000, and for auditors charged with assessing conformity, this past year exposed an uncomfortable truth: Many supply chain security management systems were compliant in form, but brittle in practice.

As we look toward 2026 and beyond, ISO 28000 audits must evolve to meet these challenges. Organizations should not wait for audits to ensure continual improvement, act on risks, and explore opportunities for improvement. However, the fact of the matter is that nonconformities drive corrective actions. As such, audits play a minor part in providing inputs at the check stage of the plan-do-check-act (PDCA) cycle. The question is no longer whether organizations have established a supply chain security management system, but whether that system is capable of sensing change, absorbing shocks, and adapting under stress. ISO 28001, as the supporting guidance standard, provides a valuable lens through which this shift can be framed, particularly in relation to risk assessment, security planning, and operational controls.

Lessons learned

Audits in 2025 outlined the audit focus areas that will define credible, value-adding ISO 28000 audits going forward. Following are four key audit lessons learned.

Lesson 1: Risk assessments were static in a dynamic threat environment

Audits conducted during 2025 repeatedly identified a reliance on periodic, document-driven risk assessments. Although these assessments were often well-structured and aligned with ISO 28000’s clause 4, “Security risk assessment and planning,” they frequently failed to reflect rapidly changing threat conditions.

ISO 28001 emphasizes that risk assessment should be an ongoing process, responsive to changes in threat, vulnerability, and consequence. In practice, however, many organizations treated risk reviews as annual or biennial events, disconnected from real-time intelligence, incident trends, or geopolitical developments.

The lesson for auditors was clear: conformity to the process was present, but the intent of continual risk awareness was not fully realized.

Lesson 2: Limited visibility beyond tier 1 suppliers

A second consistent audit finding in 2025 was the narrow scope of supplier security controls. Organizations could demonstrate security requirements for direct suppliers yet had little understanding or assurance of security practices deeper within the supply chain.

ISO 28001 explicitly recognizes the need to consider the full supply chain, including subcontractors and service providers, when establishing security plans and controls. Despite this guidance, audits revealed that supplier evaluation mechanisms often stopped at contractual clauses, with minimal follow-up, verification, or performance monitoring.

Security incidents originating in tier 2 or tier 3 suppliers highlighted the inadequacy of superficial supplier controls and reinforced the need for more robust assurance mechanisms.

Lesson 3: Cyber risks were poorly integrated into supply chain security

Although ISO 28000 is not a cybersecurity standard, 2025 audits increasingly revealed that cyber vulnerabilities were among the most significant enablers of supply chain disruption. Cargo tracking systems, access control platforms, vendor portals, and logistics planning tools were all identified as potential attack vectors. The use of the harmonized structure presumed that an integrated management system approach could answer this, but organizations did not generally integrate ISO 28000 and ISO 28001 with ISO/IEC 27001:2022, “Information security, cybersecurity and privacy protection—Information security management systems—Requirements.”

ISO 28001 encourages organizations to consider all relevant threats to the supply chain, including those affecting information and communication systems. Yet audits frequently found a disconnect between physical security management and information security governance, with limited coordination between security and IT functions.

This gap did not necessarily result in formal nonconformities, but it raised serious questions about the effectiveness of the overall security management system.

Lesson 4: Business continuity planning lacked supply chain realism

Many organizations could demonstrate alignment with business continuity frameworks and, in some cases, certification to ISO 22301:2019, “Security and resilience—Business continuity management systems—Requirements.” However, audits in 2025 showed that supply chain-specific disruption scenarios were rarely tested.

ISO 28001 stresses the importance of preparedness and response planning based on realistic threat scenarios. Yet exercises involving port closures, border restrictions, supplier insolvency, or regulatory intervention were the exception rather than the rule. The result was a gap between documented preparedness and demonstrated capability, one that became increasingly visible to experienced auditors.

Actions to consider

Based on these lessons from 2025, I think the audit focus areas for 2026 and beyond should consider the following five actions.

Action 1: Going from risk identification to risk intelligence

From 2026 onwards, auditors will need to place greater emphasis on how organizations maintain the ongoing validity of their risk assessments. Clause 4 of ISO 28000, supported by ISO 28001 guidance, implicitly requires organizations to monitor changes that could affect supply chain security risks. Audits should therefore examine:

  • The use of internal and external intelligence sources
  • Defined triggers for risk reassessment
  • Evidence that changes in risk lead to timely management action

The audit question is shifting from “Do you have a risk assessment?” to “How do you know your risk assessment reflects today’s reality?”

Action 2: Supplier security assurance, not just evaluation

ISO 28001 provides detailed guidance on supplier security planning, including differentiation based on criticality and risk exposure. In 2026, audits will increasingly probe how supplier security requirements are implemented, monitored, and enforced. Key audit considerations will include:

  • Supplier segmentation and prioritization
  • Proportionate security controls
  • Evidence of supplier audits, self-assessments, or performance reviews
  • Corrective action and escalation when requirements are not met

Supplier security must be demonstrable and sustained, not assumed.

Action 3: Integration of cyber and physical security controls

Auditors should expect to see clearer alignment between ISO 28000 systems and information security frameworks such as ISO/IEC 27001. ISO 28001 supports this integration by recognizing information flow and system integrity as essential elements of supply chain security. Audit focus areas will include:

  • Identification of cyber-enabled supply chain risks
  • Coordination between security and IT incident response
  • Protection of logistics data, tracking systems, and access controls

Although ISO 28000 audits will not become cyber audits, unmanaged cyber dependencies will increasingly undermine audit confidence.

Action 4: Testing, exercises, and demonstrated preparedness

In 2026 and beyond, documented plans will carry less weight without evidence of testing. ISO 28001 places strong emphasis on preparedness, response, and recovery capabilities. Therefore, auditors should look for:

  • Scenario-based exercises relevant to the organization’s supply chain
  • Participation by relevant internal and external stakeholders
  • Lessons learned and system improvements following exercises

Preparedness is best demonstrated through practice, not paperwork.

Action 5: Governance and leadership accountability

A notable trend emerging from late 2025 audits was increased attention to top management involvement. ISO 28000 requires leadership commitment, and ISO 28001 reinforces the importance of governance in sustaining effective security management. Audits in 2026 will increasingly examine:

  • Management review outputs related to supply chain security
  • Resource allocation decisions
  • Evidence of board or senior leadership awareness of key risks

Implications and conclusions

Supply chain security is no longer solely an operational concern; it is a matter of organizational governance. Therefore, implications for auditors and organizations are twofold.

First, for auditors, the coming years will demand deeper understanding of risk dynamics, supply chain complexity, and the convergence of physical and digital threats. Checklist-based auditing will be insufficient where resilience and adaptability are the true measures of effectiveness.

Second, for organizations, ISO 28000 should be repositioned as a strategic risk management framework. Investment in intelligence, supplier assurance, and realistic testing will not only support certification outcomes but also strengthen operational resilience.

In conclusion, I would say 2025 taught us that supply chain security management systems fail not because organizations lack procedures, but because those procedures are not designed for volatility. As we move into 2026 and beyond, ISO 28000 audits must therefore measure more than conformity—they must assess resilience.

ISO 28001 provides the guidance needed to make this transition. The challenge for both auditors and organizations is to apply that guidance with realism, discipline, and strategic intent.

The above article was recently featured in the Exemplar Global publication ‘The Auditor’.

Keeping Your Management System ‘Ordinary’ in the Age of AI

We’re living in an era where every week seems to bring a new AI tool or software product promising to “transform” your business. Predictive analytics, digital twins, algorithm-driven risk models: the buzzwords are endless. And while some of these advances do have their place, I argue that companies must not forget their basics. In my previous career as a mariner, as technology evolved and found its way onto ships, there was still value in a simple visual bearing and the information it could give you.

Call me old-school, but I still believe in systems that are owned by people, not platforms. In fact, I’d argue that now more than ever, we need to protect the ordinariness of our management systems, because that’s where the real strength lies.

Don’t Mistake “Ordinary” for “Outdated”

I’ve worked on ships and in boardrooms, with multinationals and mom-and-pop shops. Across the board, the systems that work best are not the flashiest; they’re the ones that are understood, used, and respected. I’ve used fancy preventive/planned maintenance systems and then a simple Excel spreadsheet with macros built in. Perhaps surprisingly, the company using the ordinary Excel spreadsheet had better maintained equipment.

An “ordinary” system means:

  • Everyone knows their roles and responsibilities.
  • Processes are documented clearly, not buried in folders.
  • Documentation is clear and concise.
  • Records are maintained and can be trusted.

You don’t need artificial intelligence to tell you your maintenance wasn’t done. You need a culture where someone owns the task, completes it, and checks the box honestly.

When the Tool Becomes the Boss

I’ve seen organizations spend small fortunes on digital platforms that promise complete “management system automation.” These platforms often come with dashboards no one reads, workflows no one updates (because they don’t know how to), and training modules people click through just to make them go away. (Let’s be honest, you know how effective your computer-based training (CBT) program is!)

Compare that to a simple 8D (eight disciplines) problem-solving form built in Excel; yes, plain old Excel. When it’s used properly by a team that understands the process, it becomes a great tool for problem-solving. No licenses, no AI, no data scientists required.

If you’re curious, QMII’s Root Cause Analysis workshop teaches this practical approach. And it works because it’s rooted in thinking, not tech.

PDCA: Still the Smartest Loop in the Room

You don’t need AI to plan, do, check, and act. You need discipline. In a world full of reactive fixes and AI-generated insights, PDCA still calls on people to pause, observe, think, and improve. And frankly, we could all use more of that.

A well-run PDCA cycle doesn’t care whether your data comes from a sensor or a clipboard. What matters is how your team reflects, learns, and adjusts. If you want to sharpen that loop, QMII’s ISO 9001 Lead Auditor Training doesn’t just teach clauses. It teaches systems thinking, real auditing skills, and how to see the story behind the numbers.

Use AI? Sure. But Stay in the Driver’s Seat

I’m not against AI. Let me be clear on that. It’s a tool that, when used wisely, can absolutely support your management system. It can help you analyze patterns in data and generate reports that are helpful. But that’s exactly the point. AI is a tool, not the system itself, and certainly not the leader of it.

I’ve seen organizations fall into the trap of trusting algorithms more than their own people. They install AI to identify when personnel are not using PPE and to generate solutions from data analysis when errors occur. But no one stops to ask the most important questions: Does this make sense? Is this what’s really happening? Who validated this? Why did the person not use PPE?

The danger is that we start to mistake output for understanding. AI doesn’t know your organizational culture. It doesn’t know that one department always closes their nonconformities just to get them off the list. Only your team, using their judgment and grounded in your process reality, can make those distinctions.

If you’re going to use AI, integrate it into the PDCA cycle. Feed its outputs into your management review. Use it to inform, but not to dictate. And perhaps most importantly, teach your team to question it. Train them to ask: Where did this data come from? What assumptions are built into this model? What’s missing from the picture?

Own Your System. Keep It Ordinary.

There’s something refreshing about an audit checklist that an auditor actually helped write. Not an AI-generated one. That’s real ownership. That’s engagement.

Management systems aren’t meant to be high-tech puzzles. They’re meant to be frameworks that help people do their jobs better. They are not a compliance burden; they’re a strategic asset, but only when they belong to the people who use them.

So here’s my message in conclusion: Keep your system ordinary. And make it extraordinary in how well it’s embraced and used.


About the Author
This article was written by Dr. Julius, Senior Consultant at QMII. With over 25 years of experience in ISO and aerospace quality systems, Dr. Julius has trained and advised hundreds of U.S. defense contractors in aligning with AS9100 and DoD requirements. He specializes in turning certification into a competitive advantage for suppliers.
Can We Trust AI? 

We see artificial intelligence (AI) used all around us, in ways that are visible to us and in ways that are not. It is here to stay, yet as we learn to live with it there remains a concern about whether we can fully trust it. Hollywood may have painted a picture of the rise of the machines that instills fear in some of us: fear of AI taking over jobs, of AI diminishing human intelligence, and of AI being used for illegal purposes. In this article we discuss what actions organizations can take to build trust in AI so that it becomes an effective asset. The idea is as old as E. M. Forster’s 1909 story “The Machine Stops.”

What does it mean to trust an AI system? 

For people to begin to trust AI there must be sufficient transparency about what information the AI has access to, what its capabilities are, and what programming its outputs are based on. While I may not be a guru in AI systems, I have been following their development over the last seven to eight years, delving into several types of AI. IBM has an article outlining the several types of AI that may be helpful. I recently tried to use ChatGPT to provide me with information and realized the information was outdated by at least a year. To better understand how we can trust AI, let us look at the factors that contribute to AI trust issues.

Factors Contributing to AI Trust Issues 

A key trust issue arises in the algorithm used within the neural network that is delivering the outputs. Another key factor is the data itself that the outputs are based upon. Knowing what data the AI is using is important in being able to trust the output. It is also important to know how well the algorithm was tested and validated prior to release. AI systems are run through a test data set to determine whether the neural network will produce the desired results. The system is then tested on real-world data and refined. AI systems may also have biases based on their programming and data set. Companies face security and data privacy challenges too when using AI applications. Additionally, as stated earlier, there remains the issue of misuse of AI, just as there was with cryptocurrency in its initial phases.

What can companies do to improve trust in AI? 

While there is much to be done by organizations to address the issues listed above and it may take a few years to improve public trust in AI, companies developing and using AI systems can use a system-based approach to implementing these systems. The International Organization for Standardization (ISO) recently published ISO/IEC 42001 – Management System Requirements for Information Technology AI systems. The standard provides a process-based framework to identify and address AI risks effectively with the commitment of personnel at all levels of the organization.  

The standard follows the harmonized structure of other ISO management system requirement standards such as ISO 9001 and ISO 14001. It also outlines 10 control objectives and 38 controls. The controls, based on industry best practices, ask the organization to consider a lifecycle approach to developing and implementing AI systems, including conducting an impact assessment, systems design (to include verification and validation), control of the quality of data used, and processes for responsible use of AI, to name a few. Perhaps one of the first things organizations can do to protect themselves is to develop an AI policy that outlines how AI is used within the ecosystem of their business operations.

Using a globally accepted standard can deliver confidence to customers (and address trust issues) that the organization is using a process-based approach to responsibly perform its role with respect to AI systems.

To learn more about how QMII can support your journey should you decide to use ISO/IEC 42001, or to learn about our training options, contact our solutions team at 888-357-9001 or email us at info@qmii.com.  

-by Julius DeSilva, Senior Vice-President

10 Steps to Safeguard Maritime Property from Cybersecurity Threats

IJ Arora, Ph.D

Cybersecurity threats have become a pressing concern in the modern era due to our lives becoming increasingly dependent on computerization. However, with the convenience of technology comes vulnerability to malicious attacks. The maritime industry, with a growing reliance on technology, faces significant cybersecurity threats. Dr. Jekyll and Mr. Hyde (i.e., good and bad) exist and have always existed. Protecting against cyberattacks is crucial to ensuring the industry’s stability and security.

Understanding cybersecurity in the maritime industry

Cybersecurity in the maritime sector involves safeguarding systems, information, and assets from unauthorized access, disruptions, or manipulations. The industry’s growing reliance on technology, including networks controlling essential functions like navigation and communication, makes it an attractive target for cybercriminals. To maintain business continuity, it is crucial that companies assess their current cybersecurity posture and act to proactively improve it. The maritime industry supports trade and the economy at large, so a cyberattack can have broader consequences beyond just affecting a single vessel or company. For this reason, the intent of the attackers might be broader than simply affecting a specific entity for ransom.

Current challenges in maritime cybersecurity

Before delving into the 10 essential steps to fortify against cyberthreats, it’s crucial to acknowledge the prevalent challenges faced by the maritime industry, which include:

  • Business continuity disruption due to breaches
  • Lack of comprehensive response plans
  • Growing reliance on automation
  • Insufficient awareness
  • Vulnerabilities in cloud computing
  • Rise in phishing and social engineering attacks
  • Internal threats and attacks

Controlling both information technology and operational technology systems is critical to fortifying cybersecurity. Various systems within the small passenger-vessel sector are susceptible to cyberthreats, including bridge systems, access control systems, passenger servicing and management systems, and communication systems.

The 10 steps

When addressing cybersecurity, organizations must consider protecting information itself as well as the asset on which that information is stored. Control of both information technology (IT) and operational technology (OT) systems is critical to fortifying cybersecurity. Additionally, management must consider the confidentiality, integrity, and availability of information and how these three aspects may potentially be compromised.

Step 1: Leadership commitment

Leaders must drive the need for cybersecurity and ensure that it is baked in (not buttoned on) to processes. They need to engage the workforce to contribute to the system. To do this, they can:

  • Appoint a cybersecurity manager to ensure accountability and garner buy-in.
  • Make cybersecurity integral to business processes and consider risks vs. rewards.

Step 2: Use a system framework

Employ the plan, do, check, act (PDCA) cycle as the foundation for a robust cybersecurity approach. This is also the approach prescribed by the Passenger Vessel Association (PVA) safety management system (SMS) framework.

  • Develop and regularly update cybersecurity policies aligning with organizational needs and threat landscape changes.
  • Identify clear roles and responsibilities for all concerned with cybersecurity aspects of the SMS.

Step 3: Contextualize risk

  • Consider the broader context of operations, trade patterns, technology, and legislative factors.
  • Identify stakeholders, online networks, assets, critical components, and business-sensitive information.

Step 4: Risk assessment (3D framework)

Leaving hazards in uncertain states is a drawback for proper risk assessment. It is the responsibility of leadership to convert uncertainty into clearly defined risks within the context of the organization and then prioritize those risks.

  • Organizations must assess hazards in terms of probability, severity, and the likelihood of detection.
  • Risks should be prioritized with consideration given toward confidentiality, integrity, and the availability of information.

Step 5: Build controls into processes

Controls can be split into various categories, including administrative, physical, human, and technological. In some cases one control may suffice, but for the most part a combination of controls must be applied. Identified controls should be implemented based on the feasibility rule, meaning that although they may look good in a vacuum, ease of implementation must be considered. Information security should be a part of everything the organization does—not an add-on. This includes:

  • Implementing technical security controls like firewalls and intrusion-detection systems.
  • Adopting a layered security approach (i.e., “defense in depth”) to effectively mitigate various threats. This entails creating multiple barriers to prevent access to information: physical controls, passwords, firewalls, VPNs, etc.

Step 6: Maintain basic measures

Basic safety measures are easy to implement and, for the most part, they are cost-effective. This can include cybersecurity awareness training for personnel, physical security, and password security. Below are a few more, although this is not an exhaustive list:

  • Keep hardware and software updated.
  • Enable automated antivirus and anti-malware updates.
  • Limit administrator privileges and control removable media.
  • Avoid public network connections without a VPN.
  • Regularly back up information and test restoration capabilities.

Step 7: Employee awareness

It is important to make employees aware of the need for good cybersecurity protocols. Employees are often the weakest link in the security chain. Statistics show that almost 36 percent of data breaches are caused by employee negligence. Immediate actions organizations can take include:

  • Educate employees on cybersecurity best practices to minimize human error.
  • Train personnel to identify phishing attacks and report incidents promptly.

Step 8: Emergency preparedness

No organization is immune to cyberattacks. It is important to have a plan in place for responding to attacks quickly and effectively. The plan should include steps for mitigating the damage, containing the attack, and investigating the incident. You can use ISO 22301:2019, “Business continuity,” to develop this plan.

  • Your plan should include comprehensive processes for responding to cyberattacks swiftly and efficiently, including reporting mechanisms.
  • Test and improve your business continuity plan regularly.

Step 9: Assess effectiveness

The check stage of the PDCA cycle is vital to instill confidence in the effectiveness of the organization’s cybersecurity measures.

  • Conduct regular cybersecurity assessments, including third-party evaluations for objectivity.
  • Evaluate assets, vulnerabilities, IT/OT risks, physical access, and breach potentials.

Step 10: Continual improvement

  • Embrace continual improvement through the PDCA cycle to maintain vigilance.
  • Invest in training personnel on cybersecurity standards like ISO 27001.

Conclusion

Taking cybersecurity seriously and implementing these 10 steps can significantly mitigate the risk of cyberattacks. Begin the process by conducting a gap assessment using a qualified person to assess where your system currently stands and what actions need to be taken.

Your action plan should identify risks, gaps, and the controls needed. These controls can easily be integrated into the existing safety management system. Investing in cybersecurity today will better prepare your organization to manage future risks. Leadership involvement is crucial, and these steps serve as a solid foundation to effectively fortify cybersecurity measures.

About the author

Inderjit (IJ) Arora, Ph.D., is the President and CEO of QMII. He serves as a team leader for consulting, advising, auditing, and training regarding management systems. He has conducted many courses for the United States Coast Guard and is a popular speaker at several universities and forums on management systems. Arora is a Master Mariner who holds a Ph.D., a master’s degree, an MBA, and has a 33-year record of achievement in the military, mercantile marine, and civilian industry.

The above article is featured in the following:

  • Foghorn Magazine
  • Exemplar Global publication “The Auditor”

ISO 27001:2022 – what are the changes?

ISO 27001:2022, the international standard for information security management systems (ISMS), was updated in October of 2022 to reflect the latest developments in the field of cybersecurity. These changes are aimed at helping organizations better manage their information security risks and protect their sensitive data.

What are the key changes?

The majority of changes to the standard were to the Annex A controls, which were restructured: the way the controls are organized changed, and the total number of controls was reduced from 114 to 93.

Of the old 114 controls, 35 controls remained unchanged, 23 controls were renamed, 57 controls were merged to form 24 controls, and 11 new controls were added. The controls are split into the following domains: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technology (34 controls).

ISO 27001:2022 introduced new requirements for managing the risks associated with emerging technologies such as cloud computing and Internet of Things (IoT). These technologies bring significant benefits to organizations but also introduce new risks that must be managed.

The updated standard also has a new control on threat intelligence that will enable organizations to remain proactive in their approach to information security, as well as new controls addressing data masking and web filtering.

The order of the main mandatory clauses (4 through 10) remains the same, with the structure aligning with the harmonized structure of other ISO management system standards. The clauses with significant changes include:

  • Clause 4.2 requires the ISMS to conduct an analysis of which of the interested party requirements are relevant to the system and will be addressed by it.
  • Clause 4.4 aligns with that of ISO 9001 to require the organization to identify the necessary processes and their interactions within the ISMS, i.e., those essential for the organization to achieve its ISMS objectives.
  • Clause 6.2 provides further clarity about planning to achieve objectives and documenting them.
  • Clause 6.3 was added to reflect the need to systematically plan for system changes.
  • Clause 8.1 now requires the ISMS to establish criteria for mitigating action for risks identified in Clause 6 and to implement controls in accordance with the criteria set.

There are a few more minor changes to the wording of some of the mandatory clauses.

How can you upgrade your system to conform?

The first step would be to gain an understanding of the changes and the new requirements. Consider taking an updated Lead Auditor training or transition course that has been recognized by a personnel certification body. In choosing your training provider, consider their reputation, the experience of the instructor, and the availability of virtual course options.

With the new knowledge, conduct a gap analysis of your existing system against the requirements of ISO 27001:2022 and draw up a list of priorities and owners for each. Assign deadlines for the items to be completed and conduct at least one internal audit and management review before approaching a certification body.

Update your existing Statement of Applicability (SoA), should one exist, to reflect the new and updated controls. Train all system personnel in the changes to the system and drive awareness of information security among all personnel.

In conclusion, the changes to ISO 27001:2022 reflect the changing context in the field of information security. The QMII team would like to understand your system needs and support your goals of attaining conformity to ISO 27001 and a competent workforce trained in the requirements.