Who is legally or professionally required to comply with EPA?

Entities discharging pollutants to air or water, generating or managing hazardous waste, and operating major stationary sources are legally required to comply with EPA standards. This includes point source dischargers under NPDES permits (CWA), major sources exceeding 10 tpy single HAP or 25 tpy combined HAP under CAA Title V, and RCRA generators (e.g., LQGs accumulating >1,000 kg/month hazardous waste), with obligations implemented via federal, state, or tribal permits.

Does EPA require an external audit or third-party certification?

EPA does not mandate external audits or third-party certification for most standards but requires self-monitoring, recordkeeping, and state-administered inspections. NPDES programs emphasize Discharge Monitoring Reports (DMRs) and QA/QC per 40 CFR Part 136; RCRA TSDFs follow internal inspection regimes (e.g., Subparts AA/BB/CC daily/annual checks), with EPA oversight via protocols like the TSDF Audit Protocol.

How often should an assessment for EPA be performed?

Assessments for EPA compliance must align with permit-specific frequencies, typically monthly for RCRA inspections, semiannual for RCRA reporting, and quarterly/annually for NPDES DMRs. RCRA Subpart CC mandates daily equipment checks and annual closed-vent inspections; CAA Title V permits require periodic performance tests and continuous monitoring (CEMS); internal audits follow PDCA cycles, with e-reporting via ICIS-NPDES enabling real-time verification.

What are the consequences of non-compliance with EPA?

Non-compliance with EPA standards triggers civil penalties (strict liability, preponderance standard), injunctive relief, and potential criminal prosecution for knowing violations. Penalties recover economic benefit gained from noncompliance; examples include Cummins' $1.675B CAA settlement for emissions fraud and HF Sinclair's refinery fines for excess HAP emissions, with settlements often including SEPs and multi-year compliance monitoring.

An EPA be mapped to other international frameworks?

No, EPA standards cannot be directly mapped to other international frameworks as they are U.S.-specific statutes implemented via 40 CFR. Compliance focuses on domestic hierarchies: statutes (CAA/CWA/RCRA) → regulations → site-specific permits, with state variations; cross-program elections exist (e.g., RCRA Subparts AA/BB/CC via CAA Parts 60/61/63) but no external equivalencies are recognized.

What is the first step to begin implementing EPA?

The first step to implement EPA compliance is conducting a baseline audit using EPA protocols to compile a regulatory register of applicable 40 CFR requirements and permits. Review permits (NPDES, Title V, RCRA), records (DMRs, manifests), and site conditions per TSDF Audit Protocol, prioritizing high-risk areas like labeling, accumulation limits, and monitoring QA to identify gaps and quick wins.

What is the primary objective of ISO 28000?

ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security. The 2022 edition provides a risk-based framework to identify threats, vulnerabilities, and interdependencies across supply chains, protecting people, assets, goods, infrastructure, and information through PDCA cycles (Plan-Do-Check-Act).

Who is legally or professionally required to comply with ISO 28000?

No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard. Professionally, it applies to any entity in supply chains—logistics, manufacturing, retail, pharmaceuticals, energy—regardless of size, where contractual obligations, customs programs (e.g., C-TPAT equivalents), tenders, or insurance demands necessitate demonstrable security management.

Does ISO 28000 require an external audit or third-party certification?

ISO 28000 does not require external audit or third-party certification; conformity can be verified internally or externally. Certification, per ISO 28003 guidelines via accredited bodies (e.g., ANAB), involves Stage 1 (readiness) and Stage 2 (effectiveness) audits, followed by annual surveillance for three years, to provide market-recognized assurance.

How often should an assessment for ISO 28000 be performed?

Risk assessments under ISO 28000 must be maintained ongoing, with formal reviews at planned intervals or upon changes. Internal audits occur via a risk-based program (e.g., annually for high-risk processes), management reviews at least yearly, and continual monitoring of KPIs like incident rates and supplier controls.

What are the consequences of non-compliance with ISO 28000?

Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary. Indirect consequences include supply chain disruptions from theft/sabotage, lost contracts, higher insurance premiums, regulatory scrutiny in trade programs, reputational damage, and operational outages from unmitigated risks.

An ISO 28000 be mapped to other international frameworks?

Yes, ISO 28000:2022 aligns with the High Level Structure (HLS) for seamless mapping to compatible frameworks. Its PDCA and clauses (4-10) enable integration with standards sharing Annex SL structure, facilitating unified risk registers, audits, and governance without violating ISO 28000's standalone requirements.

What is the first step to begin implementing ISO 28000?

The first step is securing executive commitment and conducting a diagnostic gap analysis. Appoint a Senior Responsible Owner, map supply chain context (internal/external issues, interested parties), and baseline against clauses to produce a prioritized risk register and project charter.

Standards Comparison

EPA vs ISO 28000

EPA

Mandatory

1970

U.S. regulatory framework for air, water, waste protection

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

EPA enforces mandatory U.S. environmental standards for pollution control across industries, while ISO 28000 is a voluntary global framework for supply chain security management. Companies adopt EPA for legal compliance; ISO 28000 for resilience and certification.

Environmental Protection

EPA

EPA Standards (40 CFR Environmental Regulations)

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Legally binding regulations codified in 40 CFR Title 40
Facility-specific permits from national baseline standards
Evidence-driven compliance via monitoring and reporting
Hybrid technology-based and health-based controls
Federal-state enforcement with predictable penalties

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain threat assessment and treatment
PDCA cycle for continual security improvement
Supplier and third-party security governance
Integration with ISO HLS standards like 27001, 22301
Scalable certification for resilience assurance

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

EPA Details

What It Is

EPA standards comprise a family of enforceable regulations implementing statutes like Clean Air Act (CAA), Clean Water Act (CWA), and Resource Conservation and Recovery Act (RCRA). Codified in 40 CFR Title 40, this regulatory framework protects human health and environment across air, water, waste media. It employs a risk-based approach blending health-protective ambient criteria with technology-feasible performance standards, operationalized through permitting and data verification.

Key Components

Numeric limits, thresholds, performance criteria (e.g., NAAQS, effluent guidelines)
Permitting mechanisms (NPDES, Title V, RCRA TSDF)
Monitoring, recordkeeping, reporting (DMRs, QA/QC)
Enforcement pathways (civil penalties, SEPs) Built on statutory-regulations-permits hierarchy; no central certification but inspection/audit compliance.

Why Organizations Use It

Mandatory for regulated entities to avert multimillion penalties, shutdowns, liabilities. Drives defensible compliance, operational efficiency, ESG value. Mitigates enforcement risk, builds regulator/stakeholder trust via ECHO transparency.

Implementation Overview

Phased: governance, gap analysis, controls/SOPs, training, digital tools (NetDMR), audits. Targets industrial sectors U.S.-wide; state variations apply. Ongoing adaptation to rulemakings via Regulations.gov.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard specifying requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It uses a risk-based, PDCA (Plan-Do-Check-Act) approach, not prescriptive controls, applicable across supply chains.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, improvement.
Emphasizes risk assessment, security policy, operational controls, supplier governance.
Built on ISO High Level Structure (HLS) for integration with ISO 9001, 22301, 27001.
Optional third-party certification via accredited bodies per ISO 28003.

Why Organizations Use It

Mitigates theft, sabotage, disruptions; reduces insurance costs, enables trade facilitation.
Meets contractual/regulatory expectations (e.g., C-TPAT equivalents).
Builds resilience, stakeholder trust, competitive edge in logistics, manufacturing.

Implementation Overview

Phased: scoping, gap analysis, risk assessment, controls deployment, audits.
Scalable for SMEs to multinationals; industries like logistics, pharma.
Involves supply chain mapping, training, internal audits, management reviews.

Key Differences

Aspect	EPA	ISO 28000
Scope	Environmental pollution control (air, water, waste)	Supply chain security management system
Industry	All industrial sectors (manufacturing, energy)	Logistics, manufacturing, any supply chain
Nature	Mandatory U.S. federal regulations	Voluntary international certification standard
Testing	Monitoring, sampling, DMR reporting	Internal audits, management reviews
Penalties	Civil/criminal fines, enforcement actions	Loss of certification, no legal penalties

Scope

EPA

Environmental pollution control (air, water, waste)

ISO 28000

Supply chain security management system

Industry

EPA

All industrial sectors (manufacturing, energy)

ISO 28000

Logistics, manufacturing, any supply chain

Nature

EPA

Mandatory U.S. federal regulations

ISO 28000

Voluntary international certification standard

Testing

EPA

Monitoring, sampling, DMR reporting

ISO 28000

Internal audits, management reviews

Penalties

EPA

Civil/criminal fines, enforcement actions

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about EPA and ISO 28000

EPA FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Decode AICPA Trust Services Criteria from auditor jargon to plain English with side-by-side tables, analogies & TL;DRs. CISOs & founders: implement SOC 2 contro

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

Advanced compliance tools use AI, analytics & real-time monitoring to predict regulatory shifts, cut non-compliance costs 3x, and ensure audit readiness. Stay p

Cyber Essentials on a Shoestring: Filling the Microsoft 365 Security Gaps with Free and Low-Cost Tools

Close Cyber Essentials 2026 gaps in basic Microsoft 365 plans using free and low-cost tools. Achieve MFA, patching, and audit readiness without enterprise spend

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how EPA and ISO 28000 compare against other standards

Other EPA Comparisons

Other ISO 28000 Comparisons

What It Is

Key Components

Numeric limits, thresholds, performance criteria (e.g., NAAQS, effluent guidelines)

Permitting mechanisms (NPDES, Title V, RCRA TSDF)

Monitoring, recordkeeping, reporting (DMRs, QA/QC)

Enforcement pathways (civil penalties, SEPs) Built on statutory-regulations-permits hierarchy; no central certification but inspection/audit compliance.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operation, evaluation, improvement.

Emphasizes risk assessment, security policy, operational controls, supplier governance.

Built on ISO High Level Structure (HLS) for integration with ISO 9001, 22301, 27001.

Optional third-party certification via accredited bodies per ISO 28003.

Aspect

EPA

ISO 28000

Scope

Environmental pollution control (air, water, waste)

Supply chain security management system

Industry

All industrial sectors (manufacturing, energy)

Logistics, manufacturing, any supply chain

Nature

Mandatory U.S. federal regulations

Voluntary international certification standard

Testing

Monitoring, sampling, DMR reporting

Internal audits, management reviews

Penalties

Civil/criminal fines, enforcement actions

Loss of certification, no legal penalties

EPA vs ISO 28000

EPA

ISO 28000

Quick Verdict

EPA

Key Features

ISO 28000

Key Features

Detailed Analysis

EPA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EPA FAQ

What is the primary objective of EPA?

Who is legally or professionally required to comply with EPA?

Does EPA require an external audit or third-party certification?

How often should an assessment for EPA be performed?

What are the consequences of non-compliance with EPA?

An EPA be mapped to other international frameworks?

What is the first step to begin implementing EPA?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

SOC 2 Trust Services Criteria in Plain English: Side-by-Side Decoder for Security, Availability, and Beyond

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

Cyber Essentials on a Shoestring: Filling the Microsoft 365 Security Gaps with Free and Low-Cost Tools

Run Maturity Assessments with GRADUM

Explore More Comparisons

Other EPA Comparisons

Other ISO 28000 Comparisons

EPA vs ISO 28000

EPA

ISO 28000

Quick Verdict

EPA

Key Features

ISO 28000

Key Features

Detailed Analysis

EPA Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

EPA FAQ

What is the primary objective of EPA?

Who is legally or professionally required to comply with EPA?

Does EPA require an external audit or third-party certification?