New ISO standard providing guidelines for how to develop a security plan

ISO has just published "ISO 22342 Security and resilience — Protective security — Guidelines for the development of a security plan for an organization". This new guidance standard applies to any organization wishing to manage its security risks and implement measures intended to protect its assets against malicious acts and to mitigate the associated risks.

The objective of the security plan is to ensure that all appropriate actions and controls are in place to protect the organization against threats to its security. It concerns the governance of security, the protection of people, information, cyber security, and physical assets.

Its structure includes recommendations for a preventive security architecture. In addition, while the standard is not a management system standard, the plan within is designed in a way that it can be integrated into an organization’s existing management system.

In addition, integrating the organization's security plan into its overall risk management processes contributes to appropriate security management. The security plan provides for the allocation of accountability and responsibilities.

Jean-Marc Picard ISO 22342 Project leader explains: Jean Marc Picard
“The development of ISO 22342 was kept on schedule despite COVID and an impressive number of meetings for a difficult and important subject. The goal of the standard was to be a collective work. To do this, it was necessary to ensure that everyone was able to express their point of view. It was therefore necessary to give time to time and to ensure the consensus-based agreements.”

ISO 22342 has the following essential characteristics:

Recalls the basics of security management
Emphasizes the importance of governance
Provides for accountability
Considers confidentiality
Suitable for all types of organizations included small and medium
Outlines an agile approach
Oriented process standard: it’s not a system standard
Adaptable to existing security plans and management systems
Not restrictive : accessible to everyone
Not overly prescriptive

Note: ISO 22342 does not apply to services or operations provided by private security companies.

Patrick Butor WG 6 Protective Security convenor states:

“Jean-Marc did a good job at leading this project. Although several standards deal with security management, none existed on the development of a security plan. Finding a consensus on such an important subject required us to be very attentive, to listen and to work in a collective spirit."

ISO 22342:2023, Security and resilience — Protective security — Guidelines for the development of a security plan for an organization, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, respectively through the ISO Store or by contacting the Marketing, Communication & Information department.

Upcoming events

28 Feb, Zoom
Working Group 1

5 March, Zoom
Communication Group meeting

[tbd], 2024
11th ISO/TC 292 plenary meeting

Topics

Authenticity, integrity and trust for products and documents
Business continuity management
Community resilience
Crisis management
Emergency management
Event management
Organizational resilience
Protective security
Supply chain security
Terminology

This website has been developed by Swedish Civil Contingencies Agency in collaboration with ISO and Swedish Institute for Standards responsible for the ISO/TC 292 secretariat

An overview of ISO/TC 292 can also be found at the ISO webpage.

ISO

SIS