A Gap Analysis of Supply Chain Security Against ISO 28000 at a Defense Industry Company: A Case Study of Governance, Formalisation and Alignment
Type
Master's Thesis
Abstract
Supply chain security has emerged as a strategically significant governance challenge
for organisations operating in security-sensitive industries. As hostile actors
increasingly target supply chain dependencies to exploit vulnerabilities below the
threshold of armed conflict, the need for structured and formalised governance of
supply chain security has become a strategic imperative rather than a compliance
obligation. This examination investigates the degree of alignment between existing
supply chain security practices at an established defence and security industry
organisation and the requirements of ISO 28000, with the aim of identifying areas of
compliance, partial alignment and significant nonconformance across relevant
organisational processes and supplier interfaces.
A mixed-methods approach within a single case study framework is applied, combining
semi-structured interviews with employees across relevant organisational functions and
an analysis of internal company documentation. ISO 28000 serves as the analytical
reference framework through which empirical material is systematically assessed.
The gap analysis reveals substantial alignment in several foundational areas where
existing organisational structures and processes reflect the underlying governance logic
of the standard. However, these structures are developed primarily in relation to ISO
27001 and are not configured to address supply chain security as a distinct governance
domain. Partial alignment is identified across areas where relevant structures exist but
fall short of the formalisation and institutional embeddedness required by the standard.
Significant nonconformances are identified in the absence of formally designated
compliance ownership, the reliance on informal coordination as a substitute for formal
governance, the absence of measurable supply chain security objectives and the lack of
a context analysis oriented towards the supply chain security environment.
The assessment concludes that the overall correspondence with ISO 28000 is partial
rather than substantive. Supply chain security must be constituted as a governed domain
in its own right, with formally designated compliance ownership, measurable objectives
and structured verification mechanisms, before the organisation meaningfully pursues
alignment with the standard.
Subject/keywords
ISO 28000, Supply Chain Security, Gap Analysis, Security Governance & Management Systems
