What is the primary objective of **ISO 26000**?

**ISO 26000 provides international guidance on social responsibility to help organizations contribute to sustainable development through transparent and ethical behavior.** Published in November 2010 and confirmed current in 2021, it defines social responsibility as an organization's accountability for its impacts on society and the environment, guided by seven principles—**accountability**, **transparency**, **ethical behavior**, **respect for stakeholder interests**, **respect for the rule of law**, **respect for international norms of behavior**, and **respect for human rights**—applied across seven core subjects: organizational governance, human rights, labor practices, environment, fair operating practices, consumer issues, and community involvement and development.

Who is legally or professionally required to comply with **ISO 26000**?

**No organization is legally required to comply with ISO 26000, as it is voluntary guidance applicable to all types regardless of size, location, or sector.** It targets private, public, and non-profit entities, including SMEs, multinationals, hospitals, schools, and charities, encouraging contextual application through stakeholder engagement to identify relevant issues within its core subjects.

Does **ISO 26000** require an external audit or third-party certification?

**ISO 26000 explicitly prohibits external audits or third-party certification, as it contains no requirements and is guidance only.** Its Scope (Clause 1) states that certification claims would misrepresent its intent; organizations should instead use self-assessment, transparent reporting, and ISO's Communication Protocol to demonstrate application.

How often should an assessment for **ISO 26000** be performed?

**ISO 26000 recommends periodic assessments at appropriate intervals aligned with organizational needs and stakeholder expectations.** Clause 7 emphasizes ongoing integration and review through stakeholder dialogue, with reporting on objectives, achievements, shortfalls, and improvements to support continuous enhancement of social responsibility practices.

What are the consequences of non-compliance with **ISO 26000**?

**There are no direct legal consequences for non-compliance with ISO 26000, as it imposes no mandatory requirements.** However, misalignment with its principles may expose organizations to reputational damage, stakeholder distrust, or indirect risks from failing to address core subjects like human rights due diligence or environmental impacts.

An **ISO 26000** be mapped to other international frameworks?

**Yes, ISO 26000 aligns with frameworks like OECD Guidelines, UN Global Compact, GRI, and UN SDGs through special agreements and linkage documents.** IWA 26:2017 provides guidance for integration with management systems, enabling structured interoperability for ESG reporting and due diligence.

What is the first step to begin implementing **ISO 26000**?

**The first step is recognizing social responsibility and engaging stakeholders (Clause 5) to understand the organization's impacts, risks, and context.** This involves mapping stakeholders, assessing relevance across the seven core subjects, and prioritizing significant issues to inform integration throughout governance and operations.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for supply chain security.** It provides a risk-based framework using the PDCA cycle to identify threats, vulnerabilities, and interdependencies across supply chains, select proportionate controls, evaluate performance via metrics and audits, and drive continual improvement through leadership commitment and management reviews.

Who is legally or professionally required to comply with **ISO 28000**?

**No organization is legally required to comply with ISO 28000, as it is a voluntary international standard.** Professionally, it applies to any entity managing supply chain risks, including logistics, transportation, manufacturing, retail, pharmaceuticals, energy, ports, freight forwarders, and 3PL/4PL providers of all sizes, driven by contractual obligations, customs programs, tenders, insurance demands, or strategic resilience needs.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audit or third-party certification; conformity can be verified internally or externally.** Certification, conducted by accredited bodies per ISO 28003, involves Stage 1 (documentation review) and Stage 2 (implementation audit), followed by annual surveillance audits over a 3-year cycle, providing market-recognized assurance.

How often should an assessment for **ISO 28000** be performed?

**Risk assessments under ISO 28000 must be performed and maintained continuously, with formal reviews at planned intervals such as annually or upon significant changes.** Internal audits occur per a risk-based program considering prior results, while management reviews happen at planned intervals to evaluate performance, nonconformities, and context changes.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 carries no direct legal penalties, as it is voluntary, but results in operational risks like supply chain disruptions, theft, sabotage, financial losses, reputational damage, insurance premium increases, and exclusion from contracts or customs programs.** It also forfeits certification, leading to lost competitive advantages in tenders and partner ecosystems.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the High Level Structure (HLS) shared by ISO management system standards, enabling mapping and integration.** Its PDCA cycle, risk-based approach per ISO 31000, and security plans support combined audits and unified processes with compatible frameworks.

What is the first step to begin implementing **ISO 28000**?

**The first step to implement ISO 28000 is securing executive sponsorship and conducting a gap analysis against its clauses.** This involves mapping supply chain context, interested parties, current controls, and deficiencies to produce a prioritized risk register, project charter, scope definition, and phased roadmap.

ISO 26000 vs ISO 28000

Standards Comparison

ISO 26000

Voluntary

2010

International guidance for social responsibility integration

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

ISO 26000 offers non-certifiable guidance on social responsibility principles for all organizations, while ISO 28000 provides certifiable requirements for supply chain security management. Companies adopt 26000 for holistic SR integration and 28000 for resilient, auditable security.

Social Responsibility

ISO 26000

ISO 26000:2010 Guidance on social responsibility

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Explicitly non-certifiable guidance standard
Seven principles underpinning SR behavior
Seven interconnected core subjects
Multi-stakeholder consensus from 500+ experts
Universal applicability to all organizations

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management framework
PDCA cycle with continual improvement requirements
Integration via ISO High Level Structure
Supplier and third-party risk governance
Certification with internal/external audits

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 26000 Details

What It Is

ISO 26000:2010 is a non-certifiable international guidance standard providing a framework for social responsibility (SR). Its primary purpose is to help organizations integrate SR into governance, strategy, and operations across all sectors, sizes, and locations. It uses a principles-based, stakeholder-engaged approach emphasizing context-specific prioritization of impacts.

Key Components

Seven **core principlesaccountability, transparency, ethical behavior, respect for stakeholder interests, rule of law, international norms, human rights.
Seven **core subjectsorganizational governance, human rights, labor practices, environment, fair operating practices, consumer issues, community involvement.
No auditable requirements; focuses on holistic integration rather than certification.

Why Organizations Use It

Enhances sustainability commitment, risk management, and stakeholder trust.
Aligns with SDGs, OECD, GRI for credible reporting.
Builds resilience, reduces reputational risks, improves operational efficiency.
Provides competitive edge through transparent SR communication.

Implementation Overview

Phased approach: materiality assessment, stakeholder engagement, policy integration, training, reporting.
Integrates with ISO 14001/45001 systems.
Applicable universally; no certification, uses self-assessment and external assurance.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard titled Security and resilience — Security management systems — Requirements. It provides a risk-based framework for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain protection against threats like theft, sabotage, and disruptions.

Key Components

Core clauses follow PDCA cycle and ISO High Level Structure (context, leadership, planning, support, operation, evaluation, improvement).
Emphasizes risk assessment, controls (physical, personnel, procedural), incident response, and supplier governance.
No fixed controls; scalable to organization size.
Supports third-party certification via accredited bodies per ISO 28003.

Why Organizations Use It

Reduces incidents, insurance costs, and disruptions.
Meets contractual/regulatory demands (e.g., C-TPAT equivalents).
Enhances resilience, market access, and stakeholder trust.
Integrates with ISO 27001, ISO 22301 for efficiency.

Implementation Overview

Phased approach: scoping, gap analysis, risk assessment, deployment, audits.
Applicable to all sizes/industries in logistics, manufacturing, etc.
Involves training, supplier engagement, KPIs; certification optional but common.

Key Differences

Aspect	ISO 26000	ISO 28000
Scope	Social responsibility core subjects, principles	Supply chain security risks, resilience
Industry	All organizations, all sectors globally	Supply chain, logistics, manufacturing worldwide
Nature	Non-certifiable guidance standard	Certifiable management system standard
Testing	Self-assessment, stakeholder reporting	Internal/external audits, certification audits
Penalties	No formal penalties, reputational risk	Loss of certification, no legal penalties

Scope

ISO 26000

Social responsibility core subjects, principles

ISO 28000

Supply chain security risks, resilience

Industry

ISO 26000

All organizations, all sectors globally

ISO 28000

Supply chain, logistics, manufacturing worldwide

Nature

ISO 26000

Non-certifiable guidance standard

ISO 28000

Certifiable management system standard

Testing

ISO 26000

Self-assessment, stakeholder reporting

ISO 28000

Internal/external audits, certification audits

Penalties

ISO 26000

No formal penalties, reputational risk

ISO 28000

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about ISO 26000 and ISO 28000

ISO 26000 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

The DORA 'Hot Seat' Blueprint: Preparing Leadership and the Management Body for Regulatory Interviews

Prepare your Board & Management Body for DORA audits. Master the human element: demonstrate active oversight & accountability in regulatory interviews. Get the

Top 5 Reasons NIST SP 800-53 Rev 5 Overlays Unlock AI Risk Management for Private Sector Enterprises in 2025

Top 5 reasons NIST SP 800-53 Rev 5 AI overlays unlock risk management for private enterprises. Tailorable controls combat model poisoning & data leakage. CISO i

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

Demystify NIST CSF 2.0 jargon with plain English tables for Govern, Supply Chain & Core Functions. Actionable steps for risk oversight & vendor management. Empo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

PMBOK vs COBIT

PMBOK vs COBIT: Compare project management standards vs IT governance frameworks. Unlock strategies, pitfalls, benefits for value delivery, compliance & success. Discover now!

ISO 9001 vs APPI

Uncover ISO 9001 vs APPI: Compare global QMS excellence with Japan's data privacy law. Boost compliance, efficiency & trust. Essential insights for business leaders.

NIST 800-53 vs NERC CIP

Compare NIST 800-53 vs NERC CIP: Key differences in controls, baselines & risk management for federal & grid security. Boost compliance—expert insights await!

ISO 26000

ISO 28000

Quick Verdict

ISO 26000

Key Features

ISO 28000

Key Features

Detailed Analysis

ISO 26000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

ISO 26000 FAQ

What is the primary objective of ISO 26000?

Who is legally or professionally required to comply with ISO 26000?

Does ISO 26000 require an external audit or third-party certification?

How often should an assessment for ISO 26000 be performed?

What are the consequences of non-compliance with ISO 26000?

An ISO 26000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 26000?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

The DORA 'Hot Seat' Blueprint: Preparing Leadership and the Management Body for Regulatory Interviews

Top 5 Reasons NIST SP 800-53 Rev 5 Overlays Unlock AI Risk Management for Private Sector Enterprises in 2025

NIST CSF 2.0 Plain English Decoder: Translating Govern, Supply Chain, and Core Functions from Jargon to Actionable Insights

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

PMBOK vs COBIT

ISO 9001 vs APPI

NIST 800-53 vs NERC CIP