ISO 28000:2007 is applicable to all sizes of organizations, from small to multinational, in manufacturing, service, storage or transportation at any stage of the production or supply chain that wishes to:
a) establish, implement, maintain and improve a security management system;
b) assure conformance with stated security management policy;
c) demonstrate such conformance to others;
d) seek certification/registration of its security management system by an Accredited third party Certification Body; or
e) make a self-determination and self-declaration of conformance with ISO 28000:2007.
There are legislative and regulatory codes that address some of the requirements in ISO 28000:2007.
It is not the intention of ISO 28000:2007 to require duplicative demonstration of conformance.
Organizations that choose third party certification can further demonstrate that they are contributing significantly to supply chain security.