ISO 22373:2025
Security and resilience — Authenticity, integrity and trust for products and documents — Framework for establishing trustworthy supply and value chains
This document establishes a framework to support stakeholders in supply and value chains to ensure the chain of trustworthiness regarding the properties of their products and production processes. This document provides guidelines to identify information relevant to trustworthiness to be exchanged between supply and value chain stakeholders. It also provides an interoperable data structure that is required for supply and value chain stakeholders to negotiate and exchange information relevant to trustworthiness. The guidelines set out in this document are generic and are intended to be applicable to all organizations and products, regardless of type, size or nature.
International Standard
ISO 22373
First edition 2025-11
Security and resilience — Authenticity, integrity and trust for products and documents — Framework for establishing trustworthy supply and value chains
Reference number: ISO 22373:2025(en)
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative References ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 3
5 Overview ... 3
5.1 Generic supply and value chain ... 3
5.2 Trustworthiness ... 4
5.2.1 Trustworthiness in supply and value chains ... 4
5.2.2 Trustworthiness characteristics for supply and value chains ... 4
6 Components of a structured approach to achieve supply and value chain trustworthiness ... 6
6.1 Trust domain ... 6
6.2 Trust interaction point ... 6
6.3 Trustworthiness profile ... 6
6.4 Trust anchor ... 6
6.5 Verifiable claims ... 7
6.6 Threat and risk analysis ... 7
7 Trustworthiness concept ... 7
8 Chain of trustworthiness topologies ... 9
Annex A (informative) Leveraging the trustworthiness concept for in-field machine maintenance ... 13
Annex B (informative) Visual example of the trustworthiness profile ... 14
Annex C (informative) Leveraging the trustworthiness concept for building facility management ... 16
Annex D (informative) Determination of trustworthiness level or score for evaluation ... 19
Annex E (informative) Typical considerations for trustworthiness supporting infrastructure within supply and value chains ... 21
Bibliography ... 23
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document introduces a structured way to establish and ensure trustworthiness along supply and value
chains. As economies are moving towards more digital and connected supply chains, this document intends
to support the management of trustworthiness along multiple supply and value chain stakeholders.
This document develops and elaborates an approach that supports stakeholders in a supply and value chain
to identify distinct trust domains (TDs). It includes guidelines for the identification of trustworthiness
attributes and measures to achieve the targeted and required trustworthiness attributes.
Moreover, an approach for identifying trust interaction points (TIPs) between different TDs and ensuring
that each interaction in a supply and value chain is trustworthy, is elaborated in this document. Furthermore,
this document aids the establishment of the chain of trustworthiness along supply and value chains.
This document aims to serve as an enabler for systemization and automation of trustworthiness verification
of supply and value chain participants, organizations, systems and their products. It also supports systematic
digitalization of the supply and value chains based on their business objectives.
Security attacks against supply and value chains are becoming increasingly complex, regardless of
industrial vertical or business context. This is precisely why it is essential to establish, maintain and
protect the chain of trustworthiness along any supply and value chain by additional measures. Specific
security measures are out of the scope of this document and are determined by each specific business case.
In addition to supporting the chain of trustworthiness of supply and value chains, this document also
supports agility as it enables the exchange of trustworthiness expectations and capabilities in a flexible and
trustworthy manner. Using a unified data structure supports the achievement of several trustworthiness
relevant properties, such as interoperability, robustness, accountability, transparency while preserving
privacy and confidentiality.
Different technologies can be leveraged for the implementation of the approaches provided in this document.
This document can also be used to support existing systems. This document is technology agnostic, and the
aspects specified in this document can be implemented using various technologies such as PKI (Public Key
Infrastructure) certificates, decentralized identifiers (DID) and verifiable credentials (VC).
International Standard ISO 22373:2025(en)
Security and resilience — Authenticity, integrity and trust for products and documents — Framework for establishing trustworthy supply and value chains
1 Scope
This document establishes a framework to support stakeholders in supply and value chains to ensure the
chain of trustworthiness regarding the properties of their products and production processes.
This document provides guidelines to identify information relevant to trustworthiness to be exchanged
between supply and value chain stakeholders. It also provides an interoperable data structure that is
required for supply and value chain stakeholders to negotiate and exchange information relevant to
trustworthiness.
The guidelines set out in this document are generic and are intended to be applicable to all organizations
and products, regardless of type, size or nature.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
ISO/IEC TS 5723:2022, Trustworthiness — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300, ISO/IEC TS 5723 and the
following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
trust domain
TD
entity or set of entities with a specified responsible entity that determines its trustworthiness attributes (3.4)
3.2
trust interaction point
TIP
interaction interface between distinct trust domains (3.1)
3.3
trustworthiness
ability to meet stakeholders’ expectations in a verifiable way
Note 1 to entry: Depending on the context or sector, and also on the specific product or service, data, technology and
process used, different characteristics apply and need verification to ensure stakeholders’ expectations are met.
Note 2 to entry: Characteristics of trustworthiness include, for instance, accountability, accuracy, authenticity,
availability, controllability, integrity, privacy, quality, reliability, resilience, robustness, safety, security, transparency
and usability.
Note 3 to entry: Trustworthiness is an attribute that can be applied to services, products, technology, data and
information as well as to organizations.
Note 4 to entry: Verifiability includes measurability and demonstrability by means of objective evidence.
[SOURCE: ISO/IEC TS 5723:2022, 3.1.1]
3.4
trustworthiness attribute
TW attribute
characteristic that can be used to specify trustworthiness
3.5
trustworthiness profile
TW profile
technology-agnostic data structure containing trustworthiness expectations (3.10) and capabilities (3.11)
that are exchanged between communicating trust domains (3.1)
3.6
trustworthy interaction
interaction between trust domains (3.1) based on the evaluation of the exchanged trustworthiness
expectations (3.10) and capabilities (3.11)
3.7
product
article or substance that is offered for sale or is part of a service delivered by an organization
[SOURCE: ISO 26000:2010, 2.15]
3.8
supply chain
linked set of resources and processes that upon placement of a purchase order begins with the sourcing
of raw material and extends through the manufacturing, processing, handling and delivery of goods and
related services to the purchaser
Note 1 to entry: The supply chain can include vendors, manufacturing facilities, logistics providers, internal
distribution centres, distributors, wholesalers and other entities involved in the manufacturing, processing, handling
and delivery of the goods and their related services.
[SOURCE: ISO 28001:2007, 3.24]
3.9
value chain
entire sequence of activities or parties that provide or receive value in the form of products (3.7) or services
Note 1 to entry: Parties that provide value include suppliers, outsourced workers, contractors, and others.
Note 2 to entry: Parties that receive value include customers, consumers, clients, members and other users.
[SOURCE: ISO 26000:2010, 2.25]
3.10
trustworthiness expectations
TWE
list of requirements to fulfil desired trustworthiness attributes (3.4)
Note 1 to entry: Requirements can include conformance to applicable standards or company-specific questionnaires,
or a desired specification of a product.
3.11
trustworthiness capabilities
TWC
list of verifiable intrinsic or extrinsic properties corresponding to trustworthiness expectations (3.10)
4 Abbreviated terms
DID decentralized identifier
TD trust domain
TIP trust interaction point
TRA threat and risk assessment
TW trustworthiness
TWE trustworthiness expectation
TWC trustworthiness capability
VC verifiable credential
5 Overview
5.1 Generic supply and value chain
Supply and value chains are generally very complex, comprising several entities that can be located at
different locations and leverage different management systems. Different regulations, norms and
standards can apply to different supply and value chain entities based on their use case, business contexts
and country of origin. Moreover, some use cases will focus on upstream entities, for instance, propagating
properties from customer to supplier via retailer and manufacturer. Likewise, some use cases will apply to
downstream entities, for instance, propagating from supplier to customer via retailer and manufacturer.
Figure 1 — Typical roles of supply and value chain stakeholders (key: physical, digital)
Typical roles of supply and value chain stakeholders are shown in Figure 1. They comprise two main sorts
of actors: one that adds value and another that provides support and services to other stakeholders. Typical
actors in the supply and value chain are listed below.
— Supplier of raw materials, components (software, hardware, or both), and their related data and services.
— Manufacturer or the integrator of the final product that can be consumed or utilized directly by the
customer. The manufacturer produces or integrates one or more components to form a final product and
sells it to the customer.
— Governance entity:
— Regulatory authority enforces compliance with applicable legislation upon different supply and
value chain stakeholders, their products and processes.
— Certification authority either authenticates or certifies supply and value chain stakeholders, their
products, and processes, according to applicable standards. They issue certificates proving that the
subject of the certificate has the properties required by the relevant standard.
— Retailer, logistics and distributor ensures the flow of products along the supply and value chain.
Stakeholders such as suppliers and manufacturers can take up the role of distribution of their products
by themselves or outsource this function to a third party. They can also leverage marketplaces (on-site
or online) for the sale of their products and services.
— Customer utilizes the products that have gone through the supply and value chain. Customers can have
any role within a supply and value chain, such as manufacturer or integrator. Customers can also be
consumers, who usually do not add any further value to the product in a supply chain.
Depending on the business context, the roles of supply and value chain stakeholders can change. For
example, a supplier can be a manufacturer when its products are directly consumed. Using another example,
a supplier can be a manufacturer when it can use the component from another supplier to manufacture its
product and then supply it to the next manufacturer.
5.2 Trustworthiness
5.2.1 Trustworthiness in supply and value chains
This document leverages the definition of trustworthiness from ISO/IEC TS 5723 to establish a common
understanding of supply and value chain trustworthiness. Therefore, trustworthiness in supply and value
chains implies the ability of a stakeholder to provide assurances and make its claims verifiable, both
between immediately adjacent trust domains and along multiple trust domains.
For instance, trustworthiness corresponds to the supplier’s ability to meet the trustworthiness expectations
of the potential business partner in a verifiable way.
Depending on the use case, business context or intended use, varying characteristics to attain
trustworthiness would apply to fulfil the stakeholder’s claims. Some of these characteristics are described
in 5.2.2.
5.2.2 Trustworthiness characteristics for supply and value chains
Trustworthiness characteristics applicable to different supply and value chain stakeholders differ based on
different use cases and business contexts. Some of these characteristics (as defined in ISO/IEC TS 5723)
include the following.
a) Availability: the property of an item (system, product, data) being accessible and usable upon demand
by its owner or by entities that are responsible for it.
b) Resilience: the capability of an item (system, product) to maintain its functions and structure in the face
of internal and external change, and to degrade when necessary.
c) Security: a state of being protected against the effects of threats and attacks. In IT environments, it is
usually achieved by a combination of confidentiality, integrity, and availability.
d) Confidentiality: a characteristic of information or data that is not made available or disclosed to
unauthorized individuals, entities, or processes.
e) Privacy: the right of supply and value chain entities to control what information related to them may be
collected and stored and by whom that information may be disclosed.
f) Safety: a characteristic of a system that it does not, under defined conditions, lead to a state in which
human life, health, property, or the environment are endangered.
g) Accountability: the obligation of a stakeholder or system to account for its activities, for completion of
a deliverable or task, accept the responsibility for those activities, deliverables, or tasks, and to disclose
the results in a transparent manner.
h) Integrity: a property whereby data have not been altered in an unauthorized manner during
transmission and storage, without being recognized. For systems, integrity refers to the state of being
not modified or manipulated by unauthorized entities.
i) Authenticity: a property whereby an entity is what it claims to be, especially in terms of its originality
and provenance.
j) Quality: the degree to which the characteristics of an item (system, product, data) satisfy the stated and
implied needs when used under specified conditions. For example:
1) Reliability, i.e. the ability of an item (system, product, data) to perform consistently as required and
pre-determined, for a given time interval and under given conditions.
2) Usability, i.e. the extent to which an item (system, service, data) can be used by intended users
to achieve specified goals with simplicity, effectiveness, efficiency, and satisfaction in a specified
context of the use case.
k) Accuracy: the level of precision of results of observations, computations, or estimates to the true values
or the values accepted as being true.
l) Environmental indicators such as carbon footprint, KPIs for circularity, etc.
m) Compliance to applicable requirements depending on the business context or use case.
n) Sustainability properties such as circular economy and recycling.
Depending on the business context or the use case, different characteristics are used to elaborate supply
and value chain trustworthiness. For example, a sensor measuring and communicating temperature is
trustworthy if its measurements are accurate and it is reliably taking the measurements at the configured
time intervals.
In use cases relevant to establishing and ensuring the trustworthiness of data, in addition to accuracy or
reliability listed above, the 15 data quality characteristics from ISO/IEC 25012, including traceability or
precision, can also be leveraged to identify data-quality-relevant trustworthiness characteristics. The
selection of trustworthiness characteristics depends on the specific use case and business context.
Moreover, this document introduces components of a concept that are essential for establishing
trustworthiness along supply and value chains in a structured and systematic manner.
6 Components of a structured approach to achieve supply and value chain
trustworthiness
6.1 Trust domain
The specified responsible entity of the trust domain (TD) specifies the applicable trustworthiness
characteristics for all the entities in the TD and their specified products. The trustworthiness characteristics
can depend on a particular business case and the requirements of the involved stakeholders, such as
suppliers, buyers and regulators. The specified responsible entity includes entities that are recognized as
authoritative bodies in their respective business areas.
Figure 2 — Example of different trust domains
A supply and value chain comprises several TDs that can negotiate and establish contracts to conduct
business. Each TD has a defined responsible entity for managing and establishing contracts with entities
external to its TD. An exemplary scenario with different TDs is illustrated in Figure 2 and in Annex A.
6.2 Trust interaction point
At each TIP, the communicating TDs exchange, negotiate, and verify their expected trustworthiness
characteristics. In this way, the interaction between two TDs will have its defined trustworthiness
characteristics and the future interactions via the TIP will adopt measures to fulfil the defined
trustworthiness characteristics.
6.3 Trustworthiness profile
The TW profile comprises:
— identification information of the communicating entities,
— context of interaction (i.e. business context, contract, product type, product ID),
— trustworthiness expectations (TWEs), and
— trustworthiness capabilities (TWCs).
While realizing the TW profile, it is essential to ensure its integrity during communication and storage.
6.4 Trust anchor
A typical supply and value chain comprises the flow of material goods and products from different entities
to the customer. The digital information regarding products is essential to manage them along the supply
chain. Therefore, a strong and persistent binding is required between the digital information and its
corresponding physical world material goods or product. This persistent binding requires at least a trust
anchor on the product, especially for its identification and sometimes also authentication. The trust anchor
can be realized in several ways, such as unique verifiable artefacts, secure elements, physical unclonable
functions, visible digital seal (see ISO 22376), or data provided by a trusted interface.
6.5 Verifiable claims
To fulfil targeted supply and value chain trustworthiness characteristics, stakeholders have certain
properties that are derived from the processes and tools that they have in place. To negotiate and exchange
information regarding the fulfilment of trustworthiness characteristics, stakeholders make claims that can
be verified by other stakeholders. Different technologies can be leveraged to realize verifiable claims that
can be provided as proof to the verifier.
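The following added example (not code from ISO 22373, which is technology agnostic) models the TW profile of 6.3 as a data structure, the evaluation of exchanged TWEs against TWCs that defines a trustworthy interaction (3.6), and the integrity protection 6.3 requires during communication and storage; it also includes the claim revocation check that 6.5 calls for. All party names, claim identifiers and the key are constructed assumptions, and an HMAC stands in for the signature or verifiable-credential proof a real deployment would use.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed example: party names, claim ids and key material are
# assumptions for illustration, not values from ISO 22373.


@dataclass
class Claim:
    """A verifiable claim backing one trustworthiness capability (TWC)."""
    claim_id: str   # identifier under which the issuer can later revoke it
    issuer: str     # e.g. a certification authority (5.1)
    attribute: str  # trustworthiness attribute attested (3.4)
    value: str


@dataclass
class TWProfile:
    """Technology-agnostic TW profile with the four parts listed in 6.3."""
    parties: dict                                        # identification info
    context: dict                                        # business context, contract, product
    expectations: dict = field(default_factory=dict)     # TWEs: attribute -> required value
    capabilities: list = field(default_factory=list)     # TWCs, each backed by a Claim

    def canonical(self) -> bytes:
        # Stable serialisation so both trust domains protect identical bytes.
        body = {"parties": self.parties, "context": self.context,
                "expectations": self.expectations,
                "capabilities": [c.__dict__ for c in self.capabilities]}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def protect(profile: TWProfile, key: bytes) -> str:
    """Integrity tag over the profile (6.3); HMAC stands in for a signature/VC proof."""
    return hmac.new(key, profile.canonical(), hashlib.sha256).hexdigest()


def verify_integrity(profile: TWProfile, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(protect(profile, key), tag)


def evaluate(profile: TWProfile, revoked: set) -> dict:
    """Trustworthy-interaction test (3.6): every TWE must be met by a TWC whose
    backing claim has not been revoked (6.5). Returns attribute -> verdict."""
    offered = {c.attribute: c for c in profile.capabilities}
    verdict = {}
    for attr, required in profile.expectations.items():
        c = offered.get(attr)
        if c is None:
            verdict[attr] = "missing"
        elif c.claim_id in revoked:
            verdict[attr] = "revoked"
        elif c.value != required:
            verdict[attr] = "mismatch"
        else:
            verdict[attr] = "ok"
    return verdict


def interaction_is_trustworthy(verdict: dict) -> bool:
    return bool(verdict) and all(v == "ok" for v in verdict.values())


# Constructed sample exchange at a TIP between a manufacturer TD and a supplier TD.
SAMPLE = TWProfile(
    parties={"requester": "manufacturer-TD", "responder": "supplier-TD"},
    context={"contract": "PO-0001", "product_type": "temperature sensor"},
    expectations={"accuracy": "class-A", "integrity": "signed-firmware"},
    capabilities=[
        Claim("clm-17", "cert-authority-X", "accuracy", "class-A"),
        Claim("clm-18", "cert-authority-X", "integrity", "signed-firmware"),
    ],
)
```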
It is essential that a trustworthy verifiable claim revocation mechanism is also realized. A reliable claim
revocation is especially necessary for conditional claims, for instance,
...