What is the primary objective of Basel III?

Basel III's primary objective is to strengthen the regulation, supervision, and risk management of banks by raising the quality, quantity, and loss-absorbing capacity of regulatory capital while introducing leverage and liquidity constraints. It addresses global financial crisis shortcomings through minimum CET1 of 4.5% RWA, Tier 1 of 6% RWA, total capital of 8% RWA, plus buffers like the 2.5% Capital Conservation Buffer (CCB), countercyclical buffer up to 2.5%, and G-SIB/D-SIB surcharges, complemented by a 3% leverage ratio, 100% LCR, and 100% NSFR.

Who is legally or professionally required to comply with Basel III?

Basel III applies primarily to internationally active banks and banking groups, with national supervisors implementing it for domestic institutions. The BCBS standards target large, complex entities including G-SIBs and D-SIBs, requiring consolidated application across group boundaries; jurisdictions extend to smaller banks via local rules, affecting boards, CROs, CFOs, treasury, and risk teams managing CET1, RWA, leverage exposures, LCR/NSFR.

Does Basel III require an external audit or third-party certification?

Basel III does not mandate external audit or third-party certification but requires robust internal processes subject to supervisory review under Pillar 2. Supervisors assess ICAAP, stress testing, and model validation; Pillar 3 disclosures (e.g., KM1, LR1/LR2, CDC templates) enable market discipline, with internal audit ensuring data integrity for RWA, leverage, and liquidity metrics.

How often should an assessment for Basel III be performed?

Basel III assessments must be performed continuously, with formal ICAAP reviews at least annually and stress testing integrated into ongoing capital planning. Pillar 2 requires regular supervisory dialogue, quarterly Pillar 3 disclosures for key metrics (CET1, leverage, LCR/NSFR), and real-time monitoring of buffers, RWA density, and distribution constraints to maintain compliance amid transitional arrangements.

What are the consequences of non-compliance with Basel III?

Non-compliance with Basel III triggers supervisory actions including capital add-ons, dividend restrictions, fines, and business limitations. Breached buffers activate automatic payout constraints (dividends, buybacks, AT1 coupons); severe cases lead to enforcement like asset caps or management changes, as seen in recent fines exceeding $100 million for data/control failures.

Can Basel III be mapped to other international frameworks?

Yes, Basel III can be mapped to other international frameworks through shared prudential principles, though jurisdictional variations apply. Its capital, leverage, and liquidity metrics align with global standards via BCBS's RCAP, enabling comparability in RWA, CET1 ratios, LCR/NSFR despite national discretions like U.S. higher leverage thresholds.

What is the first step to begin implementing Basel III?

The first step to implement Basel III is to establish executive-sponsored governance with a steering committee and conduct a gap analysis/QIS. Baseline CET1/RWA, leverage exposures, LCR/NSFR against minimums (e.g., 4.5% CET1, 3% LR), mapping to data lineage, models, and Pillar 3 templates for phased rollout.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) with explicit relevance to supply chain security. It operationalizes a Plan-Do-Check-Act (PDCA) cycle across Clauses 4–10, requiring organizations to assess security risks (malicious acts, disruptions, interdependencies), define scope including external processes, integrate SMS into business processes, and ensure top management leadership for measurable objectives and continual improvement. The standard is sector-agnostic, applicable to all organization sizes, focusing on holistic governance rather than prescriptive controls.

Who is legally or professionally required to comply with ISO 28000?

No organization is legally required to comply with ISO 28000, as it is a voluntary international standard. Professionally, it applies to any entity influencing supply chain security—logistics providers, manufacturers, retailers, ports, and government agencies—facing contractual, customer, or insurer demands for assurance. Its broad applicability covers all types and sizes, with tailoring via context analysis (Clause 4) for outsourced processes and supplier interdependencies.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity may be verified internally or externally. Certification follows ISO 28003 guidelines via accredited bodies, typically involving Stage 1 (documentation) and Stage 2 (implementation) audits, plus surveillance. Internal audits (Clause 9.2) are mandatory at planned intervals to ensure SMS effectiveness.

How often should an assessment for ISO 28000 be performed?

Risk assessments under ISO 28000 must be maintained continuously, with reviews at planned intervals aligned to changes and performance evaluation (Clauses 6.1, 8.3, 9). Internal audits occur per a risk-based program (Clause 9.2), management reviews at planned intervals (Clause 9.3), and full reassessments triggered by context changes, incidents, or audits to support continual improvement (Clause 10).

What are the consequences of non-compliance with ISO 28000?

Non-conformity with ISO 28000 triggers internal corrective actions, but lacks specified external penalties as a voluntary standard. Organizations must react to nonconformities (Clause 10), control consequences, eliminate causes, and document evidence; failure risks operational disruptions, loss of market access, higher insurance costs, or contractual penalties from interested parties.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000 aligns with ISO high-level structure (Annex SL), enabling mapping to frameworks like ISO 31000 for risk management and ISO 22301 for business continuity. Its PDCA cycle, Clause 4 principles, and Clause 8 security plans support integrated systems, sharing documentation, audits, and reviews without duplicating governance.

What is the first step to begin implementing ISO 28000?

The first step is determining the organization's context, interested parties, and SMS scope per Clause 4. This includes internal/external issues, legal requirements, supply chain boundaries, and controls for externally provided processes, documented as foundational input for leadership policy (Clause 5) and risk planning (Clause 6).

Standards Comparison

Basel III vs ISO 28000

Basel III

Mandatory

2010

Global framework strengthening bank capital, leverage, liquidity resilience

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

Basel III enforces capital, leverage, and liquidity standards for global banks to ensure financial stability. ISO 28000 provides a voluntary security management framework for supply chains across industries. Banks adopt Basel III for regulatory compliance; others use ISO 28000 for resilience and certification.

Financial Risk Management

Basel III

Basel III: Finalising post-crisis reforms

Cost

€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Elevates CET1 capital minimum to 4.5% plus buffers
Introduces 3% non-risk-based leverage ratio backstop
Mandates LCR for 30-day HQLA stress coverage
Requires NSFR for one-year stable funding resilience
Imposes output floor constraining internal model RWAs

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain threat assessment and treatment
PDCA cycle for continual security improvement
Leadership commitment and integrated SMS policy
Controls for external providers and processes
Alignment with ISO 31000 and ISO 22301

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

Basel III Details

What It Is

Basel III is the global prudential regulatory framework issued by the Basel Committee on Banking Supervision (BCBS) post-2007-09 financial crisis. It enhances bank resilience through higher-quality capital, leverage constraints, and liquidity standards. Its risk-based approach combines Pillar 1 minimums with supervisory review and disclosures.

Key Components

**Three PillarsCapital requirements (CET1 4.5%, Tier 1 6%, Total 8% + buffers), supervisory review (Pillar 2), market discipline (Pillar 3).
Capital buffers: Conservation (2.5%), countercyclical, G-SIB/D-SIB.
Leverage ratio (3%), LCR (100% HQLA for 30-day stress), NSFR (stable funding over 1 year).
Output floor (72.5% of standardized RWAs); no formal certification, but jurisdictional compliance.

Why Organizations Use It

Banks adopt it for regulatory compliance, as jurisdictions mandate via domestic laws. It mitigates systemic risk, improves funding costs, enhances resilience against shocks, boosts investor confidence, and curbs arbitrage via comparability.

Implementation Overview

Phased enterprise transformation: gap analysis, data/system upgrades, model validation, ICAAP integration. Applies to internationally active banks; varies by jurisdiction/size. Involves PMO governance, QIS testing, ongoing reporting—no central certification, but supervisory audits.

ISO 28000 Details

What It Is

ISO 28000:2022 — Security management systems — Requirements is an international certification standard specifying requirements for a security management system (SMS) to manage supply chain security risks. It employs a risk-based PDCA (Plan-Do-Check-Act) cycle, aligned with ISO 31000 and ISO 22301.

Key Components

Clauses 4–10: context, leadership, planning, support, operation, evaluation, improvement.
Risk assessment/treatment processes.
Operational controls for processes, suppliers, equipment.
Internal audits, management reviews; certification per ISO 28003.

Why Organizations Use It

Mitigate threats like theft, sabotage, disruptions.
Meet contractual, regulatory demands.
Reduce incidents, insurance costs.
Enhance resilience, market access, stakeholder trust.

Implementation Overview

Phased: gap analysis, risk assessment, controls deployment, audits.
Scalable for all sizes/industries.
Certification via accredited bodies (6–36 months typical).

Key Differences

Aspect	Basel III	ISO 28000
Scope	Bank capital, leverage, liquidity ratios	Supply chain security management system
Industry	Banking sector globally	All industries, supply chain focused
Nature	Global prudential regulatory standards	Voluntary management system certification
Testing	Pillar 2 supervisory review, stress tests	Internal audits, management reviews, certification
Penalties	Regulatory enforcement, capital restrictions	Loss of certification, no legal penalties

Scope

Basel III

Bank capital, leverage, liquidity ratios

ISO 28000

Supply chain security management system

Industry

Basel III

Banking sector globally

ISO 28000

All industries, supply chain focused

Nature

Basel III

Global prudential regulatory standards

ISO 28000

Voluntary management system certification

Testing

Basel III

Pillar 2 supervisory review, stress tests

ISO 28000

Internal audits, management reviews, certification

Penalties

Basel III

Regulatory enforcement, capital restrictions

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about Basel III and ISO 28000

Basel III FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

Asset-Backed Issuers and SEC Cybersecurity Rules: Applicability, Disclosures, and Compliance Roadmap

How SEC cybersecurity rules apply to asset-backed issuers (ABS): Form 10-D disclosures, ABS-EE risk management, Inline XBRL tagging, exemptions. Roadmap for tru

Beyond the Checkbox: Why Maturity Assessments are the Secret to Sustainable Compliance

Discover why maturity assessments beat binary compliance checks by uncovering hidden gaps and enabling continuous improvement for sustainable success. Read now!

ISO 27701 Implementation Roadmap: Extending Your ISMS to PIMS in 12 Months or Less

Extend ISO 27001 ISMS to ISO 27701 PIMS in 12 months with our phased roadmap. Templates, checklists & infographics for RoPA, DSARs & audit-ready privacy complia

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how Basel III and ISO 28000 compare against other standards

Other Basel III Comparisons

Other ISO 28000 Comparisons

Quick Verdict

What It Is

Key Components

**Three PillarsCapital requirements (CET1 4.5%, Tier 1 6%, Total 8% + buffers), supervisory review (Pillar 2), market discipline (Pillar 3).

Capital buffers: Conservation (2.5%), countercyclical, G-SIB/D-SIB.

Leverage ratio (3%), LCR (100% HQLA for 30-day stress), NSFR (stable funding over 1 year).

Output floor (72.5% of standardized RWAs); no formal certification, but jurisdictional compliance.

What It Is

Aspect

Basel III

ISO 28000

Scope

Bank capital, leverage, liquidity ratios

Supply chain security management system

Industry

Banking sector globally

All industries, supply chain focused

Nature

Global prudential regulatory standards

Voluntary management system certification

Testing

Pillar 2 supervisory review, stress tests

Internal audits, management reviews, certification

Penalties

Regulatory enforcement, capital restrictions

Loss of certification, no legal penalties