What is the primary objective of **Basel III**?

**Basel III's primary objective is to strengthen the regulation, supervision, and risk management of banks by raising the quality, quantity, and loss-absorbing capacity of regulatory capital while introducing leverage and liquidity constraints.** It addresses global financial crisis shortcomings through minimum CET1 of **4.5%** RWA, Tier 1 of **6%** RWA, total capital of **8%** RWA, plus buffers like the **2.5%** Capital Conservation Buffer (CCB), countercyclical buffer up to **2.5%**, and G-SIB/D-SIB surcharges, complemented by a **3%** leverage ratio, **100%** LCR, and **100%** NSFR.

Who is legally or professionally required to comply with **Basel III**?

**Basel III applies primarily to internationally active banks and banking groups, with national supervisors implementing it for domestic institutions.** The BCBS standards target large, complex entities including G-SIBs and D-SIBs, requiring consolidated application across group boundaries; jurisdictions extend to smaller banks via local rules, affecting boards, CROs, CFOs, treasury, and risk teams managing CET1, RWA, leverage exposures, LCR/NSFR.

Does **Basel III** require an external audit or third-party certification?

**Basel III does not mandate external audit or third-party certification but requires robust internal processes subject to supervisory review under Pillar 2.** Supervisors assess ICAAP, stress testing, and model validation; Pillar 3 disclosures (e.g., KM1, LR1/LR2, CDC templates) enable market discipline, with internal audit ensuring data integrity for RWA, leverage, and liquidity metrics.

How often should an assessment for **Basel III** be performed?

**Basel III assessments must be performed continuously, with formal ICAAP reviews at least annually and stress testing integrated into ongoing capital planning.** Pillar 2 requires regular supervisory dialogue, quarterly Pillar 3 disclosures for key metrics (CET1, leverage, LCR/NSFR), and real-time monitoring of buffers, RWA density, and distribution constraints to maintain compliance amid transitional arrangements.

What are the consequences of non-compliance with **Basel III**?

**Non-compliance with Basel III triggers supervisory actions including capital add-ons, dividend restrictions, fines, and business limitations.** Breached buffers activate automatic payout constraints (dividends, buybacks, AT1 coupons); severe cases lead to enforcement like asset caps or management changes, as seen in recent fines exceeding $100 million for data/control failures.

Can **Basel III** be mapped to other international frameworks?

**Yes, Basel III can be mapped to other international frameworks through shared prudential principles, though jurisdictional variations apply.** Its capital, leverage, and liquidity metrics align with global standards via BCBS's RCAP, enabling comparability in RWA, CET1 ratios, LCR/NSFR despite national discretions like U.S. higher leverage thresholds.

What is the first step to begin implementing **Basel III**?

**The first step to implement Basel III is to establish executive-sponsored governance with a steering committee and conduct a gap analysis/QIS.** Baseline CET1/RWA, leverage exposures, LCR/NSFR against minimums (e.g., **4.5%** CET1, **3%** LR), mapping to data lineage, models, and Pillar 3 templates for phased rollout.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security.** It operationalizes a **Plan-Do-Check-Act (PDCA)** cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, integrate SMS into business processes, and ensure top management leadership for measurable objectives and continual improvement. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with **ISO 28000**?

**No organization is legally required to comply with ISO 28000, as it is a voluntary international standard.** Professionally, it applies to any entity influencing supply chain security—logistics providers, manufacturers, retailers, ports, and government agencies—facing contractual, customer, or insurer demands for assurance. Its broad applicability covers all types and sizes, with tailoring via context analysis (Clause 4) for outsourced processes and supplier interdependencies.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally.** Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation) and Stage 2 (implementation) audits, plus surveillance. Internal audits (Clause 9.2) are mandatory at planned intervals to ensure SMS effectiveness.

How often should an assessment for **ISO 28000** be performed?

**Risk assessments under ISO 28000 must be maintained continuously, with reviews at planned intervals aligned to changes and performance evaluation (Clauses 6.1, 8.3, 9).** Internal audits occur per a risk-based program (Clause 9.2), management reviews at planned intervals (Clause 9.3), and full reassessments triggered by context changes, incidents, or audits to support continual improvement (Clause 10).

What are the consequences of non-compliance with **ISO 28000**?

**Non-conformity with ISO 28000 triggers internal corrective actions, but lacks specified external penalties as a voluntary standard.** Organizations must react to nonconformities (Clause 10), control consequences, eliminate causes, and document evidence; failure risks operational disruptions, loss of market access, higher insurance costs, or contractual penalties from interested parties.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000 aligns with ISO high-level structure (Annex SL), enabling mapping to frameworks like ISO 31000 for risk management and ISO 22301 for business continuity.** Its PDCA cycle, Clause 4 principles, and Clause 8 security plans support integrated systems, sharing documentation, audits, and reviews without duplicating governance.

What is the first step to begin implementing **ISO 28000**?

**The first step is determining the organization's context, interested parties, and SMS scope per Clause 4.** This includes internal/external issues, legal requirements, supply chain boundaries, and controls for externally provided processes, documented as foundational input for leadership policy (Clause 5) and risk planning (Clause 6).

Basel III vs ISO 28000

Standards Comparison

Basel III

Mandatory

2010

Global framework strengthening bank capital, leverage, liquidity resilience

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

Basel III enforces capital, leverage, and liquidity standards for global banks to ensure financial stability. ISO 28000 provides a voluntary security management framework for supply chains across industries. Banks adopt Basel III for regulatory compliance; others use ISO 28000 for resilience and certification.

Financial Risk Management

Basel III

Basel III: Finalising post-crisis reforms

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Elevates CET1 capital minimum to 4.5% plus buffers
Introduces 3% non-risk-based leverage ratio backstop
Mandates LCR for 30-day HQLA stress coverage
Requires NSFR for one-year stable funding resilience
Imposes output floor constraining internal model RWAs

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain threat assessment and treatment
PDCA cycle for continual security improvement
Leadership commitment and integrated SMS policy
Controls for external providers and processes
Alignment with ISO 31000 and ISO 22301

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

Basel III Details

What It Is

Basel III is the global prudential regulatory framework issued by the Basel Committee on Banking Supervision (BCBS) post-2007-09 financial crisis. It enhances bank resilience through higher-quality capital, leverage constraints, and liquidity standards. Its risk-based approach combines Pillar 1 minimums with supervisory review and disclosures.

Key Components

**Three PillarsCapital requirements (CET1 4.5%, Tier 1 6%, Total 8% + buffers), supervisory review (Pillar 2), market discipline (Pillar 3).
Capital buffers: Conservation (2.5%), countercyclical, G-SIB/D-SIB.
Leverage ratio (3%), LCR (100% HQLA for 30-day stress), NSFR (stable funding over 1 year).
Output floor (72.5% of standardized RWAs); no formal certification, but jurisdictional compliance.

Why Organizations Use It

Banks adopt it for regulatory compliance, as jurisdictions mandate via domestic laws. It mitigates systemic risk, improves funding costs, enhances resilience against shocks, boosts investor confidence, and curbs arbitrage via comparability.

Implementation Overview

Phased enterprise transformation: gap analysis, data/system upgrades, model validation, ICAAP integration. Applies to internationally active banks; varies by jurisdiction/size. Involves PMO governance, QIS testing, ongoing reporting—no central certification, but supervisory audits.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security management systems — Requirements is an international certification standard specifying requirements for a security management system (SMS) to manage supply chain security risks. It employs a risk-based PDCA (Plan-Do-Check-Act) cycle, aligned with ISO 31000 and ISO 22301.

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement.
Risk assessment/treatment processes.
Operational controls for processes, suppliers, equipment.
Internal audits, management reviews; certification per ISO 28003.

Why Organizations Use It

Mitigate threats like theft, sabotage, disruptions.
Meet contractual, regulatory demands.
Reduce incidents, insurance costs.
Enhance resilience, market access, stakeholder trust.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, audits.
Scalable for all sizes/industries.
Certification via accredited bodies (6–36 months typical).

Key Differences

Aspect	Basel III	ISO 28000
Scope	Bank capital, leverage, liquidity ratios	Supply chain security management system
Industry	Banking sector globally	All industries, supply chain focused
Nature	Global prudential regulatory standards	Voluntary management system certification
Testing	Pillar 2 supervisory review, stress tests	Internal audits, management reviews, certification
Penalties	Regulatory enforcement, capital restrictions	Loss of certification, no legal penalties

Scope

Basel III

Bank capital, leverage, liquidity ratios

ISO 28000

Supply chain security management system

Industry

Basel III

Banking sector globally

ISO 28000

All industries, supply chain focused

Nature

Basel III

Global prudential regulatory standards

ISO 28000

Voluntary management system certification

Testing

Basel III

Pillar 2 supervisory review, stress tests

ISO 28000

Internal audits, management reviews, certification

Penalties

Basel III

Regulatory enforcement, capital restrictions

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about Basel III and ISO 28000

Basel III FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Decode AICPA Trust Services Criteria from auditor jargon to plain English with side-by-side tables, analogies & TL;DRs. CISOs & founders: implement SOC 2 contro

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Discover the top tools for ISO 27701 compliance. Compare functionality, complexity, costs, and benefits to choose the best solution for your privacy program. Ac

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

ISO 20000 vs LEED

ISO 20000 vs LEED: Compare IT service management certification with green building standards. Boost reliability, trust, risk reduction & sustainability. Dive in now!

TISAX vs ISO/IEC 42001:2023

Explore TISAX vs ISO/IEC 42001:2023—automotive cybersecurity meets AI management. Uncover differences, overlaps & strategies for supply chain excellence. Boost compliance today!

ISO 27001 vs ISO 37301

Compare ISO 27001 vs ISO 37301: InfoSec mastery vs full compliance systems. Uncover differences, benefits, risks & implementation guide to choose wisely. Boost resilience now!

Basel III

ISO 28000

Quick Verdict

Basel III

Key Features

ISO 28000

Key Features

Detailed Analysis

Basel III Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

Basel III FAQ

What is the primary objective of Basel III?

Who is legally or professionally required to comply with Basel III?

Does Basel III require an external audit or third-party certification?

How often should an assessment for Basel III be performed?

What are the consequences of non-compliance with Basel III?

Can Basel III be mapped to other international frameworks?

What is the first step to begin implementing Basel III?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

The Tool Landscape for Reaching and Maintaining ISO 27701 Compliance

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

ISO 20000 vs LEED

TISAX vs ISO/IEC 42001:2023

ISO 27001 vs ISO 37301