ISO 22373:2025
Security and resilience — Authenticity, integrity and trust for products and documents — Framework for establishing trustworthy supply and value chains
This document establishes a framework to support stakeholders in supply and value chains to ensure the chain of trustworthiness regarding the properties of their products and production processes. This document provides guidelines to identify information relevant to trustworthiness to be exchanged between supply and value chain stakeholders. It also provides an interoperable data structure that is required for supply and value chain stakeholders to negotiate and exchange information relevant to trustworthiness. The guidelines set out in this document are generic and are intended to be applicable to all organizations and products, regardless of type, size or nature.
International Standard
ISO 22373
First edition
2025-11
Security and resilience — Authenticity, integrity and trust for products and documents — Framework for establishing trustworthy supply and value chains
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 Generic supply and value chain
5.2 Trustworthiness
5.2.1 Trustworthiness in supply and value chains
5.2.2 Trustworthiness characteristics for supply and value chains
6 Components of a structured approach to achieve supply and value chain trustworthiness
6.1 Trust domain
6.2 Trust interaction point
6.3 Trustworthiness profile
6.4 Trust anchor
6.5 Verifiable claims
6.6 Threat and risk analysis
7 Trustworthiness concept
8 Chain of trustworthiness topologies
Annex A (informative) Leveraging the trustworthiness concept for in-field machine maintenance
Annex B (informative) Visual example of the trustworthiness profile
Annex C (informative) Leveraging the trustworthiness concept for building facility management
Annex D (informative) Determination of trustworthiness level or score for evaluation
Annex E (informative) Typical considerations for trustworthiness supporting infrastructure within supply and value chains
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 292, Security and resilience.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
This document introduces a structured way to establish and ensure trustworthiness along supply and value
chains. As economies are moving towards more digital and connected supply chains, this document intends
to support the management of trustworthiness along multiple supply and value chain stakeholders.
This document develops and elaborates an approach that supports stakeholders in a supply and value chain
to identify distinct trust domains (TDs). It includes guidelines for the identification of trustworthiness
attributes and measures to achieve the targeted and required trustworthiness attributes.
Moreover, an approach for identifying trust interaction points (TIPs) between different TDs and ensuring
that each interaction in a supply and value chain is trustworthy, is elaborated in this document. Furthermore,
this document aids the establishment of the chain of trustworthiness along supply and value chains.
This document aims to serve as an enabler for systemization and automation of trustworthiness verification
of supply and value chain participants, organizations, systems and their products. It also supports systematic
digitalization of the supply and value chains based on their business objectives.
By nature, security attacks against supply and value chains are becoming increasingly complex, regardless
of industrial verticals or business contexts. That is especially why it is essential to establish, maintain, and
protect the chain of trustworthiness along any supply and value chain by additional measures. Specific
security measures are out of the scope of this document and are determined by each specific business case.
In addition to supporting the chain of trustworthiness of supply and value chains, this document also
supports agility as it enables the exchange of trustworthiness expectations and capabilities in a flexible and
trustworthy manner. Using a unified data structure supports the achievement of several trustworthiness
relevant properties, such as interoperability, robustness, accountability and transparency, while preserving
privacy and confidentiality.
Different technologies can be leveraged for the implementation of the approaches provided in this document.
This document can also be used to support existing systems. This document is technology agnostic, and the
aspects specified in this document can be implemented using various technologies such as PKI (Public Key
Infrastructure) certificates, decentralized identifiers (DID) and verifiable credentials (VC).
International Standard ISO 22373:2025(en)
Security and resilience — Authenticity, integrity and trust
for products and documents — Framework for establishing
trustworthy supply and value chains
1 Scope
This document establishes a framework to support stakeholders in supply and value chains to ensure the
chain of trustworthiness regarding the properties of their products and production processes.
This document provides guidelines to identify information relevant to trustworthiness to be exchanged
between supply and value chain stakeholders. It also provides an interoperable data structure that is
required for supply and value chain stakeholders to negotiate and exchange information relevant to
trustworthiness.
The guidelines set out in this document are generic and are intended to be applicable to all organizations
and products, regardless of type, size or nature.
2 Normative References
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO 22300, Security and resilience — Vocabulary
ISO/IEC TS 5723:2022, Trustworthiness — Vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 22300, ISO/IEC TS 5723 and the
following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
trust domain
TD
entity or set of entities with a specified responsible entity that determines its trustworthiness attributes (3.4)
3.2
trust interaction point
TIP
interaction interface between distinct trust domains (3.1)
3.3
trustworthiness
ability to meet stakeholders’ expectations in a verifiable way
Note 1 to entry: Depending on the context or sector, and also on the specific product or service, data, technology and
process used, different characteristics apply and need verification to ensure stakeholders’ expectations are met.
Note 2 to entry: Characteristics of trustworthiness include, for instance, accountability, accuracy, authenticity,
availability, controllability, integrity, privacy, quality, reliability, resilience, robustness, safety, security, transparency
and usability.
Note 3 to entry: Trustworthiness is an attribute that can be applied to services, products, technology, data and
information as well as to organizations.
Note 4 to entry: Verifiability includes measurability and demonstrabilit
...







