
New ISO standard providing guidelines for how to develop a security plan

ISO has just published "ISO 22342 Security and resilience — Protective security — Guidelines for the development of a security plan for an organization". This new guidance standard applies to any organization wishing to manage its security risks and implement measures intended to protect its assets against malicious acts and to mitigate the associated risks.

The objective of the security plan is to ensure that all appropriate actions and controls are in place to protect the organization against threats to its security. It concerns the governance of security, the protection of people, information, cyber security, and physical assets.

Its structure includes recommendations for a preventive security architecture. In addition, while the standard is not a management system standard, the plan it describes is designed so that it can be integrated into an organization’s existing management system.

Integrating the organization's security plan into its overall risk management processes also contributes to appropriate security management. The security plan provides for the allocation of accountability and responsibilities.

Jean-Marc Picard, ISO 22342 project leader, explains:
“The development of ISO 22342 was kept on schedule despite COVID and an impressive number of meetings for a difficult and important subject. The goal of the standard was to be a collective work. To do this, it was necessary to ensure that everyone was able to express their point of view. It was therefore necessary to give time to time and to ensure the consensus-based agreements.”

ISO 22342 has the following essential characteristics:

  • Recalls the basics of security management
  • Emphasizes the importance of governance
  • Provides for accountability
  • Considers confidentiality
  • Suitable for all types of organizations, including small and medium-sized ones
  • Outlines an agile approach
  • Process-oriented standard: it is not a management system standard
  • Adaptable to existing security plans and management systems
  • Not restrictive: accessible to everyone
  • Not overly prescriptive

Note: ISO 22342 does not apply to services or operations provided by private security companies.

Patrick Butor, WG 6 Protective Security convenor, states:

“Jean-Marc did a good job at leading this project. Although several standards deal with security management, none existed on the development of a security plan. Finding a consensus on such an important subject required us to be very attentive, to listen and to work in a collective spirit.”

ISO 22342:2023, Security and resilience — Protective security — Guidelines for the development of a security plan for an organization, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, either through the ISO Store or by contacting the Marketing, Communication & Information department.