The intent of this document is to provide the fundamental elements to improve the protection of the organization. The omission of a protective security measure from this standard does not mean that such a measure is not valid and/or irrelevant. This document does not provide specific criteria for identifying the need to implement or enhance prevention and protection measures against malicious acts. It is not the intent to provide a comprehensive list of all protective security measures/devices nor all technical protective security equipment. This document is not intended to cover services and operations delivered by private security companies.
Jean-Marc Picard (France), the project leader responsible for the development of ISO 22342, explains:
"In a world that has become complex and uncertain, it is difficult today for organizations to deal with ever more numerous, protean and interlaced threats (such as terrorism, industrial espionage, cybercrime, theft against assets). Today, the question for an organization is no longer whether it will be impacted by a malicious act but when it will be.
Malicious acts against organizations impact people (e.g. employees, visitors, customers…), physical assets (facilities and equipment), intangible assets (e.g. strategic information, reputation, finance capital), and even jeopardize their survival. It is therefore essential today for organizations to protect themselves against malicious acts.
However, to date, there is only a variety of fuzzy or nonexistent practices, and there is not a common frame of reference for any organization, including small and medium-sized organizations, supporting them to develop a security plan. Such a plan allows them to reduce the occurrence and consequences of malicious acts to which they may be or are confronted, and thus improving their overall security."
ISO 22342 has the following essential characteristics:
- Recalls the basics of security management
- Emphasizes the importance of governance
- Provides for accountability
- Considers confidentiality
- Suitable for all types of organizations, including small and medium-sized ones
- Outlines an agile approach
- Process-oriented standard: it’s not a system standard
- Adaptable to existing security plans and management systems
- Not restrictive: accessible to everyone
- Not overly prescriptive
ISO 22342:2023, Security and resilience — Protective security — Guidelines for the development of a security plan for an organization, is available from ISO national member institutes. It may also be obtained directly from the ISO Central Secretariat, either through the ISO Store or by contacting the Marketing, Communication & Information department.