ISO 28001 Supply Chain Security
Organised protection of goods, people and information as cargo moves — against hijacking, theft, tampering and sabotage. Implemented with ISO 28001's supply-chain best practices, certified against ISO 28000:2022, and deliberately aligned with SARS AEO.

The whole chain, not just your gate.
A security management system makes you assess threats across the stretch of supply chain you control or influence, put documented, proportionate controls in place, and test them continually as the threat picture shifts.
Hijacking, depot theft, pilferage, tampering, insider collusion — mapped as credible scenarios.
Documented countermeasures matched to assessed risks, with clear responsibilities.
Sites, vehicles, seals, access control and handover integrity in transit.
Vetting, training and insider-risk management — without treating staff as suspects.
Routes, schedules and shipment data criminals prize, protected.
The minutes after an incident, and how the business keeps moving afterwards.
What a secured chain earns you.
- 01Fewer, smaller losses — spend where incidents actually happen
- 02Answers to the security questionnaires large shippers send
- 03Strong preparation for SARS AEO accreditation
- 04Insurer confidence on high-risk corridors
- 05One framework consolidating C-TPAT, TAPA and client demands
- 06Rehearsed response, so one hijacking isn't a lost contract
Security accreditation now opens three markets.
SARS runs a two-level Authorised Economic Operator programme, and in July 2025 signed mutual recognition arrangements with the customs authorities of the United States, United Kingdom and India — South Africa is the first African country recognised under the US C-TPAT programme.
ISO 28001's security assessments and plans map naturally onto the AEO Safety & Security criteria, making certification strong preparation — though AEO accreditation itself is granted only by SARS.
The route, step by step.
- 01Security risk assessmentThreats mapped across routes, cargo profiles, depots and information flows.
- 02Countermeasure designControls proportionate to the threat — seals, vetting, tracking, response.
- 03Documentation & trainingProcedures, incident response and awareness embedded in operations.
- 04Certification auditStage 1 and Stage 2 verification that the security plan works in practice.
- 05SurveillanceAnnual checks, plus incident-driven reviews when the threat picture shifts.
Asked before every audit.
Do we certify to ISO 28000 or ISO 28001?
The management system certificate is issued against ISO 28000:2022, the requirements standard. ISO 28001 supplies the supply-chain-specific best practices — security assessments, security plans and AEO alignment — that a credible system is built on. Talk to us about which scope fits your operation.
Will certification stop hijackings?
No system can eliminate crime. What it does is reduce how often you are the easy target and how much each incident costs — through route risk assessment, information discipline, driver procedures and rehearsed response.
Does certification give us AEO status?
No. Only SARS grants AEO accreditation. But the overlap is deliberate: ISO 28001 was written to help organisations meet AEO-style criteria under the WCO SAFE Framework, so a certified system takes you a long way towards the SARS Safety & Security requirements.
We already hold RTMS. Why add this?
RTMS governs road transport safety and compliance — loading, driver wellness, vehicle maintenance. Supply chain security addresses deliberate criminal acts against your cargo and people. They overlap in driver and vehicle procedures, so RTMS-certified operators start well ahead.
How long does certification take?
Once your security assessment and plans are operating, expect roughly three to six months through quote, Stage 1 and Stage 2, depending on the complexity of your chain.
What does it cost?
Fees depend on sites, headcount and the scope of supply chain covered. Request a quote — we price transparently, in Rand.
Ready for ISO 28001?
Describe your operation and we'll scope the work and quote clearly, in Rand — no obligation, no consulting strings attached.