Security diagnosis
We analyse your current supply chain: goods flows, transfer points, physical and logical access, existing controls and historical incidents. We identify gaps against ISO 28000:2022 and prioritise risks by impact and probability.
The international standard that protects your supply chain against theft, fraud, sabotage and operational disruptions. Applicable to any organisation that moves or manages goods, regardless of size or sector.
The 2022 edition of ISO 28000 broadened the scope of the original standard (2007): it is no longer limited to the supply chain in the strict sense, but covers every aspect of organisational security — people, physical assets, information, critical facilities and operational continuity. It adopts the High-Level Structure (HLS) shared by ISO 9001, ISO 27001 and ISO 22301, which makes integration with management systems already in place considerably easier. Transitioning from the 2007 edition is, in most cases, a process of documentary and scope adaptation, not a complete overhaul.
The problem it solves is concrete: companies that operate complex supply chains — logistics operators, distributors, manufacturers with multiple suppliers, freight forwarders, cargo transport companies — accumulate security risks that conventional quality audits do not cover. Theft in transit, cargo tampering, unauthorised access to warehouses, identity fraud in deliveries, or pressure from major clients who require security standards from their suppliers: all of these risk vectors receive a systematic response in ISO 28000:2022. For many medium-sized companies in the logistics sector, holding the certificate is also an explicit requirement to access large-account clients or public transport contracts.
Summum Calidad guides the entire process: from the initial gap diagnosis and risk assessment specific to your operation, through to implementation of the documentary system, training of internal teams, and preparation for the external audit with an accredited certification body (AENOR, Bureau Veritas, SGS or another of your choice). We are consultants, not certification bodies; the certificate is issued by a third party accredited by ENAC. With offices in Castilla y León (Valladolid, Burgos, Palencia, Aranda de Duero) and Las Palmas, and more than ~200 ISO certifications supported since 2007, we bring the standard to companies that need results, not bureaucracy.
We analyse your current supply chain: goods flows, transfer points, physical and logical access, existing controls and historical incidents. We identify gaps against ISO 28000:2022 and prioritise risks by impact and probability.
We define the security policy, system scope and operational controls: access control procedures, critical supplier management, incident response plans, asset classification, and security team roles and responsibilities.
We roll out the documentary system, train the staff involved — warehouse managers, logistics, procurement, physical security — and support the first round of incident response exercises and drills as required by the standard.
We carry out a full internal audit to detect non-conformities before the certification audit. We prepare the dossier, coordinate with the certification body and accompany the Stage 1 and Stage 2 audits through to certificate issuance.
The operational detail: what we deliver as part of the work and what we keep alive afterwards.
Security risk analysis
Threat and vulnerability assessment methodology specific to your type of operation: transport, warehousing, manufacturing or logistics intermediation.
Security policy and objectives
Framework document aligned with the business strategy and applicable legal requirements (private security, data protection, transport regulations).
Operational control procedures
Physical and logical access control, identity verification at delivery, visitor management, sealing and custody of high-value goods.
Supplier and subcontractor management
Security-focused supplier selection and evaluation criteria, contractual clauses and performance monitoring across the extended supply chain.
Incident response plan
Action protocols for theft, fraud, accidents or security threats, including internal communication channels, notification to authorities and incident recording.
Internal audit and management review
Annual internal audit programme and formal management review of the system, with security performance indicators and continuous improvement plans.
Supply chain security is strengthened by combining ISO 28000 with business continuity management (ISO 22301, also at Summum Calidad) and, where digital assets are involved, with managed cybersecurity from Summum Sistemas.
Business continuity: when a security incident halts operations, ISO 22301 ensures recovery within the timeframes your business can sustain.
View service → calidadInformation security: protect the data flowing through your supply chain — orders, delivery notes, customer data — with the world's most widely deployed management system.
View service →The 2022 edition adopts the ISO High-Level Structure (HLS), making integration with other standards such as ISO 9001 or ISO 27001 much easier. The scope is broadened: it is no longer limited to the supply chain strictly defined, but covers every aspect of organisational security. The substantive requirements do not change radically, but the structure is clearer and the language is harmonised with the rest of the ISO ecosystem.
Logistics operators, cargo transport companies (road, sea, air), distributors, manufacturers with complex supply chains, freight forwarders, customs agents, and companies handling high-value or sensitive goods. It is also relevant for industrial companies that require documented security standards from their suppliers.
It is not a legally mandatory standard in Spain as a general rule. However, many major clients — especially in the automotive, pharmaceutical or defence sectors — require it as a supplier approval condition. It can also be a differentiating factor in public transport and logistics tenders.
It depends on the size and complexity of the organisation and the security systems already in place. For a medium-sized company (50-200 employees) with no prior system, the full process through to the certification audit typically takes between 4 and 8 months. If ISO 9001 or ISO 22301 is already implemented, the timeline can be reduced significantly.
No. Summum Calidad is an implementation consultancy: we guide your organisation through the entire process until you are ready for the audit. The certificate is issued by a certification body accredited by ENAC (AENOR, Bureau Veritas, SGS, TÜV Rheinland or others). You choose the certifier; we prepare you to pass with confidence.