The international standard ISO 28001 is becoming essential in the age of hybrid threats, writes Mike Gillespie, CEO and co-founder of the information security consultancy Advent IM.
The UK’s security environment has changed fundamentally, and many organisations have yet to fully catch up with the implications. The neat distinctions that once separated war from peace, criminality from state activity, and domestic threats from foreign ones no longer hold. Instead, organisations now operate in a persistent state of ambiguity, shaped by what is commonly described as the hybrid threat environment. In this space, hostile actors deliberately operate below the threshold of armed conflict, using disruption, deniability, and pressure rather than overt force.
Recent attacks on freight and logistics networks across Europe, including the self‑igniting parcel incident at a DHL facility in Birmingham in 2024, illustrate this shift with uncomfortable clarity. Subsequent law‑enforcement and government correspondence during 2025 and into 2026 has reinforced the assessment that these events were not isolated acts of vandalism or conventional criminality. Rather, they formed part of a coordinated, multi‑country hostile‑state operation intended to test resilience, disrupt commercial logistics, and probe weaknesses within critical national infrastructure, using deniable and low‑complexity methods to operate below the threshold of traditional conflict.
For those responsible for security governance and assurance, the lesson is stark. Modern supply chains are no longer merely commercial enablers; they are frontline assets in contested spaces. Organisations that operate, manage, or depend upon those supply chains must now apply a level of discipline, governance, and maturity that reflects this reality. In an era of hybrid threats, supply chain security has become a strategic business issue rather than an operational afterthought.
At Advent IM, we have long argued that effective security is not defined by perimeter fences, access cards, or surveillance technology alone. Those controls matter, but security outcomes are ultimately shaped by governance, culture, assurance, and the ability to learn and adapt. The recent parcel attacks highlighted that the true weakness exploited was not technical sophistication, but variability and inconsistency in supply chain oversight, particularly at international boundaries where partner assurance is often weakest. High‑volume freight handling, complex multi‑party logistics arrangements, and uneven verification practices created exactly the conditions that hostile actors seek.
This is precisely the problem space that ISO 28001, the ISO 28000‑series standard on implementing supply chain security, assessments and plans, was designed to address. Although sometimes mischaracterised as a procedural or compliance‑driven exercise, ISO 28001 is, in reality, a practical and strategic framework for managing security risk across complex supply chains. It provides organisations with a structured, intelligence‑informed, and risk‑led approach to understanding threats, implementing proportionate controls, and assuring performance across every tier of their operations and partnerships.
At its core, ISO 28001 obliges organisations to understand their operating context in the round. This includes recognising geopolitical factors, hostile state activity, and cross‑border vulnerabilities as legitimate business risks rather than abstract externalities. It requires security risk assessments that move beyond traditional concerns such as theft or loss, and instead consider deliberate interference, sabotage, and politically motivated disruption. It also demands that security controls are consciously designed to detect and deter malicious activity, rather than simply reduce losses or improve efficiency.
Crucially, ISO 28001 extends accountability beyond an organisation’s immediate boundary. It requires due diligence, assurance, and engagement across suppliers, freight forwarders, and subcontractors, including those operating overseas. In a globalised logistics environment, this is not a bureaucratic burden; it is a fundamental resilience measure. Many of the weaknesses exploited in recent attacks existed upstream, beyond direct operational control. ISO 28001 provides the governance structure needed to identify those weak points and to close them.
The standard also places significant emphasis on preparedness and response. No security system can promise perfection, particularly in an environment characterised by low‑cost, low‑complexity attack methods. Success is therefore measured by how quickly incidents are identified, contained, and managed. ISO 28001 requires clear escalation routes, rehearsed response procedures, coordination with external authorities, and robust evidence preservation. When something does go wrong, this discipline is what prevents confusion from becoming crisis.
Equally important is the standard’s focus on review, audit, and continual improvement. Hybrid threats evolve constantly, and organisations that rely on static security models quickly fall behind. ISO 28001 embeds learning as a routine business process, ensuring that lessons from incidents, near misses, and operational changes are captured and acted upon. Over time, this builds not just stronger controls, but a more mature security culture in which risk awareness becomes part of everyday decision‑making.
For boards and senior leaders, this matters more than ever. Modern supply chains are extraordinarily fast and efficient, but that efficiency also creates fragility. A single malicious item can traverse borders and multiple facilities in hours, causing disruption, reputational damage, financial loss, and, potentially, harm to people. At the same time, hostile actors are increasingly drawn to these methods precisely because they operate in the grey zone below conventional conflict, making them harder to attribute and easier to repeat.
Against this backdrop, ISO 28001 should no longer be viewed as a “nice to have” or a specialist technical standard. For logistics operators, freight handlers, aviation‑linked organisations, and any business deeply reliant on complex supply networks, it is fast becoming a baseline expectation for resilience, assurance, and due diligence. Customers, regulators, insurers, and government stakeholders are all paying closer attention to how supply chain risks are governed.
Ultimately, the adoption of ISO 28001 is a leadership decision. The threats organisations now face are systemic, cross‑border, and persistent. They cannot be mitigated through localised operational fixes alone. Implementing this standard signals a clear commitment to sound governance, organisational resilience, and the protection of staff, partners, and the public. In a world where supply chains are no longer neutral infrastructure but contested environments, that commitment is not just prudent. It is essential.
See also the ISO website: https://www.iso.org/transport/supply-chain-reliability.
Photo by Mark Rowe: Tilbury, Essex.