iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 22342

(Main)

Security and resilience — Protective security — Guidelines for the development of a security plan for an organization

Security and resilience — Protective security — Guidelines for the development of a security plan for an organization

Sécurité et résilience — Sûreté préventive — Lignes directrices pour l'élaboration d'un plan de sûreté destiné à un organisme

General Information

Status
Not Published
ICS
03.100.01 - Company organization and management in general
13.310 - Protection against crime
Technical Committee
ISO/TC 292 - Security and resilience
Drafting Committee
ISO/TC 292/WG 6 - Protective security
Current Stage
6000 - International Standard under publication
Completion Date
29-Mar-2023
Ref Project

Buy Standard

REDLINE ISO/FDIS 22342 - Security and resilience — Protective security — Guidelines for the development of a security plan for an organization Released:1/17/2023REDLINE ISO/FDIS 22342 - Security and resilience — Protective security — Guidelines for the development of a security plan for an organization Released:1/17/2023
PreviousNext
Draft
REDLINE ISO/FDIS 22342 - Security and resilience — Protective security — Guidelines for the development of a security plan for an organization Released:1/17/2023
English language
11 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/FDIS 22342 - Security and resilience — Protective security — Guidelines for the development of a security plan for an organization Released:1/17/2023ISO/FDIS 22342 - Security and resilience — Protective security — Guidelines for the development of a security plan for an organization Released:1/17/2023
PreviousNext
Draft
ISO/FDIS 22342 - Security and resilience — Protective security — Guidelines for the development of a security plan for an organization Released:1/17/2023
English language
11 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/FDIS 22342 - Sécurité et résilience — Sûreté préventive — Lignes directrices pour l'élaboration d'un plan de sûreté destiné à un organisme Released:2/24/2023ISO/FDIS 22342 - Sécurité et résilience — Sûreté préventive — Lignes directrices pour l'élaboration d'un plan de sûreté destiné à un organisme Released:2/24/2023
PreviousNext
Draft
ISO/FDIS 22342 - Sécurité et résilience — Sûreté préventive — Lignes directrices pour l'élaboration d'un plan de sûreté destiné à un organisme Released:2/24/2023
French language
13 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

© ISO 2023 – All rights reserved
ISO/FDIS 22342:20222023(E)
Date: 2022-11-232023-01-17
ISO/TC 292
Secretariat: SIS
Security and resilience — Protective security — Guidelines for the
development of a security plan for an organization
---------------------- Page: 1 ----------------------
ISO/FDIS 22342:2023(E)
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of

this publication may be reproduced or utilized otherwise in any form or by any means, electronic or

mechanical, including photocopying, or posting on the internet or an intranet, without prior written

permission. Permission can be requested from either ISO at the address below or ISO’s member body in the

country of the requester.
ISO Copyright Office
CP 401 • CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland.
ii © ISO 2023 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/FDIS 22342:2023(E)
Contents

Foreword ................................................................................................................................................................iv

Introduction ........................................................................................................................................................... v

1 Scope .......................................................................................................................................................... 1

2 Normative references .......................................................................................................................... 1

3 Terms and definitions .......................................................................................................................... 1

4 Security planning ................................................................................................................................... 2

5 Components of the security plan ..................................................................................................... 2

5.1 General ...................................................................................................................................................... 2

5.2 Governance .............................................................................................................................................. 2

5.2.1 General ...................................................................................................................................................... 2

5.2.2 Security objectives ................................................................................................................................ 3

5.2.3 Scope of the security plan ................................................................................................................... 3

5.2.4 Leadership................................................................................................................................................ 3

5.2.5 Legal and regulatory ............................................................................................................................. 4

5.2.6 Roles, accountabilities and responsibilities ................................................................................ 4

5.2.7 Communication ...................................................................................................................................... 4

5.2.8 Documented information ................................................................................................................... 5

5.2.9 Reporting .................................................................................................................................................. 5

5.2.10 Evaluation ................................................................................................................................................. 5

5.2.11 Continuous improvement ................................................................................................................... 5

5.3 Management of risk .............................................................................................................................. 6

5.3.1 General ...................................................................................................................................................... 6

5.3.2 Security risk scope, context and criteria ....................................................................................... 6

5.3.3 Assessment .............................................................................................................................................. 6

5.3.4 Treatment ................................................................................................................................................. 7

5.3.5 Acceptance level for residual security risk .................................................................................. 7

5.3.6 Communication and consultation .................................................................................................... 7

5.3.7 Monitoring and review ........................................................................................................................ 7

5.3.8 Documentation management and recording ............................................................................... 8

5.4 Security controls .................................................................................................................................... 8

5.4.1 General ...................................................................................................................................................... 8

5.4.2 Levels of protection .............................................................................................................................. 8

5.4.3 Procedures for security controls ..................................................................................................... 8

5.4.4 Operational level controls and treatments .................................................................................. 9

5.4.5 Contingency planning for low likelihood and unforeseen situations .............................. 10

5.4.6 Timelines for security activities .................................................................................................... 10

5.5 Security controls process ................................................................................................................. 10

5.5.1 General ................................................................................................................................................... 10

5.5.2 Selection ................................................................................................................................................. 10

5.5.3 Implementation, testing and evaluation .................................................................................... 10

5.5.4 Monitoring activities ......................................................................................................................... 11

5.5.5 Determining effectiveness ............................................................................................................... 11

Bibliography ....................................................................................................................................................... 12

© ISO 2023 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/FDIS 22342:2023(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non-governmental, in liaison with ISO, also take part in ISO (the

International Organization for Standardization) is a worldwide federation of national standards bodies

(ISO member bodies). The work of preparing International Standards is normally carried out through ISO

technical committees. Each member body interested in a subject for which a technical committee has

been established has the right to be represented on that committee. International organizations,

governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates

closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical

standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any

patent rights identified during the development of the document will be in the Introduction and/or on

the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to the World

Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 292, Security and resilience.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
iv © ISO 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 22342:2023(E)
Introduction

All organizations seek to manage security risks in their environment to ensure appropriate protection

levels of their assets, to preserve the interests of interested parties and to achieve their objectives.

Organizations sometimes need to establish and maintain a structured approach to security.

The purpose of a security plan is to ensure that all the appropriate actions and controls are in place to

protect the organization from threats to its security.

This document guidesgives guidance on the implementation of a security plan whose structure includes

the guidance for protective security architecture. Thus, the security plan can be effectively integrated into

an existing management system.

Integrating the organization’s risk management processes into the security plan model supports proper

management of security. The security plan is designed to allocate accountability and responsibility, and

to guide the application of controls to protect the organization from security risks.

A planned approach that is adaptive and agile makes it possible to provide solutions to unplanned

situations. Security threats are dynamic and often unforeseen; therefore, this document introduces both

technical and human-related elements for an adaptive and agile planned approach.

The intent of the document is to provide the fundamental elements necessary to improve and sustain the

protection of an organization.
© ISO 2023 – All rights reserved v
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 22342:2023(E)
Security and resilience — Protective security — Guidelines for
the development of a security plan for an organization
1 Scope

This document gives guidance on developing and maintaining security plans. It is applicable to all

organizations regardless of type, size and nature, whether in the private, public, or not-for-profit sectors,

that wish to develop effective security plans in a consistent manner

The security plan describes how an organization establishes effective security planning and how it can

integrate security within organizational risk management practices.

It is applicable to all organizations regardless of type, size and nature, whether in the private, public, or

not-for-profit sectors, that wish to develop effective security plans in a consistent manner.

This document is applicable to any organization intending to implement measures designed to protect

their assets against malicious acts and mitigate their associated risks.

This document does not provide specific criteria for identifying the need to implement or enhance

prevention and protection measures against malicious acts. It does not apply to services and operations

delivered by private security companies.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300:2021, Security and resilience — Vocabulary
ISO 31000:2018, Risk management — Guidelines
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300, ISO 31000 and the

following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
Needneed-to-know

This expression means the need to access specific information based on a business or operational

requirement, involving an active process of determining the security level of information and who has

the right to access the information.
© ISO 2023 – All rights reserved 1
---------------------- Page: 6 ----------------------
ISO/FDIS 22342:2023(E)
4 Security planning

The organization should create, implement and maintain a security plan in order to manage activities

based on security risk analysis and be aligned with the mission of the organization.

The security plan should:
— be specific to each organization;

— be based on security strategies and objectives regarding threats and vulnerabilities;

— be reviewed and formally endorsed by the top management board before implementation;

— foresee the need to face a long-term security-related incidents, incorporating special procedures, and

the need for adaptive structures to be able to adequately deal with it such disruptive events.

The organization may use a single security plan or an overarching security plan supported by more

detailed plans.

NOTE A single security plan is not always practical due to the organization’s size or complexity of business.

5 Components of the security plan
5.1 General

This clause gives recommendations on how to develop the various components of a security plan. It

consists of the following subclauses that give detailed guidance on:
— governance (see 5.2);
— management of risk (see 5.3);
— security controls (see 5.4);
— security controls process (see 5.5);.

NOTE ISO 28000:2022 clause, 8.6, also includes information regarding the content of a security plan.

5.2 Governance
5.2.1 General

The organization should determine how the security plan should be governed. This includes considering:

— Securitysecurity objectives (see 5.2.2);
— Scopescope of the security plan (See see 5.2.3);
— Leadership leadership (Seesee 5.2.4);
— Legallegal and regulatory (see 5.2.5);
— Rolesroles, accountabilities, and responsibilities (see 05.2.6);
— Communicationcommunication (see 5.2.7);
2 © ISO 2023 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/FDIS 22342:2023(E)
— Documenteddocumented information (see 5.2.8);
— Reportingreporting (see 5.2.9);
— Evaluationevaluation (see 5.2.10);
Continuous— continuous improvement (see 5.2.11).
5.2.2 Security objectives

The organization should define security objectives for the security plan that consider:

— broader business objectives and priorities;
— protective security framework;
— related security policies;
— security risk.
5.2.3 Scope of the security plan

The organization should determine the boundaries and applicability of the security plan to establish its

scope.

This includes deciding if the security plan applies to all or part of the organization or if it just applies to a

specific duration of a project.

The scope of the security plan should take into account any other organizational risk management

process relevant to security threats or security violations.
The scope of the security plan should consider seve
...

FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 22342
ISO/TC 292
Security and resilience — Protective
Secretariat: SIS
security — Guidelines for the
Voting begins on:
2023-01-31 development of a security plan for an
organization
Voting terminates on:
2023-03-28
Sécurité et résilience — Sûreté préventive — Lignes directrices pour
l'élaboration d'un plan de sûreté destiné à un organisme
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/FDIS 22342:2023(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO 2023
---------------------- Page: 1 ----------------------
ISO/FDIS 22342:2023(E)
FINAL
INTERNATIONAL ISO/FDIS
DRAFT
STANDARD 22342
ISO/TC 292
Security and resilience —
Secretariat: SIS
Protective security — Guidelines for
Voting begins on:
the development of a security plan
for an organization
Voting terminates on:
Sécurité et résilience — Sûreté préventive — Lignes directrices
pour l'élaboration d'un plan de sûreté destiné à un organisme
COPYRIGHT PROTECTED DOCUMENT
© ISO 2023

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/FDIS 22342:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
© ISO 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO 2023
---------------------- Page: 2 ----------------------
ISO/FDIS 22342:2023(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ..................................................................................................................................................................................... 1

3 Terms and definitions .................................................................................................................................................................................... 1

4 Security planning ................................................................................................................................................................................................ 1

5 Components of the security plan ........................................................................................................................................................2

5.1 General ........................................................................................................................................................................................................... 2

5.2 Governance ................................................................................................................................................................................................ 2

5.2.1 General ........................................................................................................................................................................................ 2

5.2.2 Security objectives ........................................................................................................................................................... 2

5.2.3 Scope of the security plan .......................................................................................................................................... 3

5.2.4 Leadership................................................................................................................................................................................ 3

5.2.5 Legal and regulatory....................................................................................................................................................... 3

5.2.6 Roles, accountabilities and responsibilities ............................................................................................... 4

5.2.7 Communication.................................................................................................................................................................... 4

5.2.8 Documented information ........................................................................................................................................... 4

5.2.9 Reporting .................................................................................................................................................................................. 4

5.2.10 Evaluation ................................................................................................................................................................................. 4

5.2.11 Continuous improvement ........................................................................................................................................... 5

5.3 Management of risk ............................................................................................................................................................................ 5

5.3.1 General ........................................................................................................................................................................................ 5

5.3.2 Security risk scope, context and criteria ...................................................................................................... 5

5.3.3 Assessment .............................................................................................................................................................................. 6

5.3.4 Treatment ................................................................................................................................................................................. 6

5.3.5 Acceptance level for residual security risk ................................................................................................. 6

5.3.6 Communication and consultation ....................................................................................................................... 6

5.3.7 Monitoring and review ................................................................................................................................................. 7

5.3.8 Documentation management and recording ............................................................................................ 7

5.4 Security controls .................................................................................................................................................................................. 7

5.4.1 General ........................................................................................................................................................................................ 7

5.4.2 Levels of protection ......................................................................................................................................................... 7

5.4.3 Procedures for security controls ......................................................................................................................... 8

5.4.4 Operational level controls and treatments ................................................................................................. 8

5.4.5 Contingency planning for low likelihood and unforeseen situations.................................. 9

5.4.6 Timelines for security activities........................................................................................................................... 9

5.5 Security controls process ............................................................................................................................................................. 9

5.5.1 General ........................................................................................................................................................................................ 9

5.5.2 Selection ..................................................................................................................................................................................... 9

5.5.3 Implementation, testing and evaluation ....................................................................................................... 9

5.5.4 Monitoring activities ................................................................................................................................................... 10

5.5.5 Determining effectiveness ...................................................................................................................................... 10

Bibliography .............................................................................................................................................................................................................................11

iii
© ISO 2023 – All rights reserved
---------------------- Page: 3 ----------------------
ISO/FDIS 22342:2023(E)
Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards

bodies (ISO member bodies). The work of preparing International Standards is normally carried out

through ISO technical committees. Each member body interested in a subject for which a technical

committee has been established has the right to be represented on that committee. International

organizations, governmental and non­governmental, in liaison with ISO, also take part in ISO (the

International Organization for Standardization) is a worldwide federation of national standards bodies

(ISO member bodies). The work of preparing International Standards is normally carried out through

ISO technical committees. Each member body interested in a subject for which a technical committee

has been established has the right to be represented on that committee. International organizations,

governmental and non­governmental, in liaison with ISO, also take part in the work. ISO collaborates

closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical

standardization.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the

different types of ISO documents should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of

patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of

any patent rights identified during the development of the document will be in the Introduction and/or

on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO’s adherence to

the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see

www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 292, Security and resilience.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www.iso.org/members.html.
© ISO 2023 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/FDIS 22342:2023(E)
Introduction

All organizations seek to manage security risks in their environment to ensure appropriate protection

levels of their assets, to preserve the interests of interested parties and to achieve their objectives.

Organizations sometimes need to establish and maintain a structured approach to security.

The purpose of a security plan is to ensure that all the appropriate actions and controls are in place to

protect the organization from threats to its security.

This document gives guidance on the implementation of a security plan whose structure includes the

guidance for protective security architecture. Thus, the security plan can be effectively integrated into

an existing management system.

Integrating the organization’s risk management processes into the security plan model supports proper

management of security. The security plan is designed to allocate accountability and responsibility, and

to guide the application of controls to protect the organization from security risks.

A planned approach that is adaptive and agile makes it possible to provide solutions to unplanned

situations. Security threats are dynamic and often unforeseen; therefore, this document introduces

both technical and human­related elements for an adaptive and agile planned approach.

The intent of the document is to provide the fundamental elements necessary to improve and sustain

the protection of an organization.
© ISO 2023 – All rights reserved
---------------------- Page: 5 ----------------------
FINAL DRAFT INTERNATIONAL STANDARD ISO/FDIS 22342:2023(E)
Security and resilience — Protective security — Guidelines
for the development of a security plan for an organization
1 Scope

This document gives guidance on developing and maintaining security plans. The security plan

describes how an organization establishes effective security planning and how it can integrate security

within organizational risk management practices.

This document is applicable to all organizations regardless of type, size and nature, whether in the

private, public or not-for-profit sectors, that wish to develop effective security plans in a consistent

manner.

This document is applicable to any organization intending to implement measures designed to protect

their assets against malicious acts and mitigate their associated risks.

This document does not provide specific criteria for identifying the need to implement or enhance

prevention and protection measures against malicious acts. It does not apply to services and operations

delivered by private security companies.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 22300, Security and resilience — Vocabulary
ISO 31000, Risk management — Guidelines
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300, ISO 31000 and the

following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
3.1
need-to-know

need to access specific information based on a business or operational requirement, involving an active

process of determining the security level of information and who has the right to access the information

4 Security planning

The organization should create, implement and maintain a security plan in order to manage activities

based on security risk analysis and be aligned with the mission of the organization.

The security plan should:
— be specific to each organization;
© ISO 2023 – All rights reserved
---------------------- Page: 6 ----------------------
ISO/FDIS 22342:2023(E)

— be based on security strategies and objectives regarding threats and vulnerabilities;

— be reviewed and formally endorsed by the top management board before implementation;

— foresee the need to face long-term security-related incidents, incorporating special procedures, and

the need for adaptive structures to be able to adequately deal with such disruptive events.

The organization may use a single security plan or an overarching security plan supported by more

detailed plans.

NOTE A single security plan is not always practical due to the organization’s size or complexity of business.

5 Components of the security plan
5.1 General

This clause gives recommendations on how to develop the various components of a security plan. It

consists of the following subclauses that give detailed guidance on:
— governance
...

PROJET
NORME ISO/FDIS
FINAL
INTERNATIONALE 22342
ISO/TC 292
Sécurité et résilience — Sûreté
Secrétariat: SIS
préventive — Lignes directrices pour
Début de vote:
2023-01-31 l'élaboration d'un plan de sûreté
destiné à un organisme
Vote clos le:
2023-03-28
Security and resilience — Protective security — Guidelines for the
development of a security plan for an organization
LES DESTINATAIRES DU PRÉSENT PROJET SONT
INVITÉS À PRÉSENTER, AVEC LEURS OBSER-
VATIONS, NOTIFICATION DES DROITS DE PRO-
PRIÉTÉ DONT ILS AURAIENT ÉVENTUELLEMENT
CONNAISSANCE ET À FOURNIR UNE DOCUMEN-
TATION EXPLICATIVE.
OUTRE LE FAIT D’ÊTRE EXAMINÉS POUR
ÉTABLIR S’ILS SONT ACCEPTABLES À DES FINS
INDUSTRIELLES, TECHNOLOGIQUES ET COM-
Numéro de référence
MERCIALES, AINSI QUE DU POINT DE VUE
ISO/FDIS 22342:2023(F)
DES UTILISATEURS, LES PROJETS DE NORMES
INTERNATIONALES DOIVENT PARFOIS ÊTRE
CONSIDÉRÉS DU POINT DE VUE DE LEUR POSSI-
BILITÉ DE DEVENIR DES NORMES POUVANT
SERVIR DE RÉFÉRENCE DANS LA RÉGLEMENTA-
TION NATIONALE. © ISO 2023
---------------------- Page: 1 ----------------------
ISO/FDIS 22342:2023(F)
PROJET
NORME ISO/FDIS
FINAL
INTERNATIONALE 22342
ISO/TC 292
Sécurité et résilience — Sûreté
Secrétariat: SIS
préventive — Lignes directrices pour
Début de vote:
2023-01-31 l'élaboration d'un plan de sûreté
destiné à un organisme
Vote clos le:
2023-03-28
Security and resilience — Protective security — Guidelines for the
development of a security plan for an organization
DOCUMENT PROTÉGÉ PAR COPYRIGHT
© ISO 2023

Tous droits réservés. Sauf prescription différente ou nécessité dans le contexte de sa mise en œuvre, aucune partie de cette

publication ne peut être reproduite ni utilisée sous quelque forme que ce soit et par aucun procédé, électronique ou mécanique,

LES DESTINATAIRES DU PRÉSENT PROJET SONT

y compris la photocopie, ou la diffusion sur l’internet ou sur un intranet, sans autorisation écrite préalable. Une autorisation peut

INVITÉS À PRÉSENTER, AVEC LEURS OBSER-
VATIONS, NOTIFICATION DES DROITS DE PRO-

être demandée à l’ISO à l’adresse ci-après ou au comité membre de l’ISO dans le pays du demandeur.

PRIÉTÉ DONT ILS AURAIENT ÉVENTUELLEMENT
ISO copyright office
CONNAISSANCE ET À FOURNIR UNE DOCUMEN-
TATION EXPLICATIVE.
Case postale 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Genève OUTRE LE FAIT D’ÊTRE EXAMINÉS POUR
ÉTABLIR S’ILS SONT ACCEPTABLES À DES FINS
Tél.: +41 22 749 01 11
INDUSTRIELLES, TECHNOLOGIQUES ET COM-
Numéro de référence
E-mail: copyright@iso.org
MERCIALES, AINSI QUE DU POINT DE VUE
ISO/FDIS 22342:2023(F)
Web: www.iso.org
DES UTILISATEURS, LES PROJETS DE NORMES
INTERNATIONALES DOIVENT PARFOIS ÊTRE
Publié en Suisse
CONSIDÉRÉS DU POINT DE VUE DE LEUR POSSI-
BILITÉ DE DEVENIR DES NORMES POUVANT
SERVIR DE RÉFÉRENCE DANS LA RÉGLEMENTA-
© ISO 2023 – Tous droits réservés
TION NATIONALE. © ISO 2023
---------------------- Page: 2 ----------------------
ISO/FDIS 22342:2023(F)
Sommaire Page

Avant-propos .............................................................................................................................................................................................................................iv

Introduction .................................................................................................................................................................................................................................v

1 Domaine d'application ...................................................................................................................................................................................1

2 Références normatives ..................................................................................................................................................................................1

3 Termes et définitions ...................................................................................................................................................................................... 1

4 Planification de la sûreté ............................................................................................................................................................................ 2

5 Composants du plan de sûreté .............................................................................................................................................................. 2

5.1 Généralités ................................................................................................................................................................................................. 2

5.2 Gouvernance ............................................................................................................................................................................................. 2

5.2.1 Généralités ............................................................................................................................................................................... 2

5.2.2 Objectifs de sûreté ............................................................................................................................................................ 3

5.2.3 Domaine d'application du plan de sûreté ..................................................................................................... 3

5.2.4 Direction .................................................................................................................................................................................... 3

5.2.5 Aspect réglementaire et juridique ...................................................................................................................... 4

5.2.6 Rôles, imputabilités et responsabilités .......................................................................................................... 4

5.2.7 Communication.................................................................................................................................................................... 4

5.2.8 Informations documentées ....................................................................................................................................... 4

5.2.9 Établissement des rapports ...................................................................................................................................... 5

5.2.10 Évaluation ................................................................................................................................................................................. 5

5.2.11 Amélioration continue ................................................................................................................................................... 5

5.3 Management du risque .................................................................................................................................................................... 5

5.3.1 Généralités ............................................................................................................................................................................... 5

5.3.2 Domaine d'application, contexte et critères du risque de sûreté ............................................ 6

5.3.3 Appréciation ........................................................................................................................................................................... 6

5.3.4 Traitement ................................................................................................................................................................................ 6

5.3.5 Niveaux d'acceptation du risque de sûreté résiduel ........................................................................... 7

5.3.6 Communication et consultation ............................................................................................................................ 7

5.3.7 Surveillance et revue ...................................................................................................................................................... 7

5.3.8 Gestion et enregistrement de la documentation ................................................................................... 7

5.4 Contrôles de sûreté ............................................................................................................................................................................. 8

5.4.1 Généralités ............................................................................................................................................................................... 8

5.4.2 Niveaux de protection .................................................................................................................................................... 8

5.4.3 Procédures relatives aux contrôles de sûreté .......................................................................................... 8

5.4.4 Contrôles et traitements au niveau opérationnel.................................................................................. 8

5.4.5 Planification d'urgence pour les situations peu vraisemblables et

inattendues .............................................................................................................................................................................. 9

5.4.6 Calendriers des activités de sûreté ................................................................................................................. 10

5.5 Processus relatif aux contrôles de sûreté ................................................................................................................... 10

5.5.1 Généralités ............................................................................................................................................................................ 10

5.5.2 Sélection .................................................................................................................................................................................. 10

5.5.3 Implémentation, essai et évaluation .............................................................................................................. 10

5.5.4 Activités de surveillance .......................................................................................................................................... 10

5.5.5 Détermination de l'efficacité ................................................................................................................................ 11

Bibliographie ...........................................................................................................................................................................................................................12

iii
© ISO 2023 – Tous droits réservés
---------------------- Page: 3 ----------------------
ISO/FDIS 22342:2023(F)
Avant-propos

L'ISO (Organisation internationale de normalisation) est une fédération mondiale d'organismes

nationaux de normalisation (comités membres de l'ISO). L'élaboration des Normes internationales est

en général confiée aux comités techniques de l'ISO. Chaque comité membre intéressé par une étude

a le droit de faire partie du comité technique créé à cet effet. Les organisations internationales,

gouvernementales et non gouvernementales, en liaison avec l'ISO participent également aux travaux.

L'ISO collabore étroitement avec la Commission électrotechnique internationale (IEC) en ce qui

concerne la normalisation électrotechnique.

Les procédures utilisées pour élaborer le présent document et celles destinées à sa mise à jour sont

décrites dans les Directives ISO/IEC, Partie 1. Il convient, en particulier, de prendre note des différents

critères d'approbation requis pour les différents types de documents ISO. Le présent document

a été rédigé conformément aux règles de rédaction données dans les Directives ISO/IEC, Partie 2

(voir www.iso.org/directives).

L'attention est attirée sur le fait que certains des éléments du présent document peuvent faire l'objet de

droits de propriété intellectuelle ou de droits analogues. L'ISO ne saurait être tenue pour responsable

de ne pas avoir identifié de tels droits de propriété et averti de leur existence. Les détails concernant

les références aux droits de propriété intellectuelle ou autres droits analogues identifiés lors de

l'élaboration du document sont indiqués dans l'Introduction et/ou dans la liste des déclarations de

brevets reçues par l'ISO (voir www.iso.org/brevets).

Les appellations commerciales éventuellement mentionnées dans le présent document sont données

pour information, par souci de commodité, à l'intention des utilisateurs et ne sauraient constituer un

engagement.

Pour une explication de la nature volontaire des normes, la signification des termes et expressions

spécifiques de l'ISO liés à l'évaluation de la conformité, ou pour toute information au sujet de l'adhésion

de l'ISO aux principes de l’Organisation mondiale du commerce (OMC) concernant les obstacles

techniques au commerce (OTC), voir le lien suivant: www.iso.org/iso/fr/avant-propos.

Le présent document a été élaboré par le comité technique ISO/TC 292, Sécurité et résilience.

Il convient que l'utilisateur adresse tout retour d'information ou toute question concernant le présent

document à l'organisme national de normalisation de son pays. Une liste exhaustive desdits organismes

se trouve à l'adresse www.iso.org/fr/members.html.
© ISO 2023 – Tous droits réservés
---------------------- Page: 4 ----------------------
ISO/FDIS 22342:2023(F)
Introduction

Tous les organismes cherchent à gérer les risques de sûreté dans leur environnement afin d'assurer des

niveaux de protection appropriés de leurs actifs, de préserver les intérêts des parties intéressées et

d'atteindre leurs objectifs.

Les organismes ont parfois besoin d'établir et de tenir à jour une approche structurée de la sûreté.

L'objectif d'un plan de sûreté est d'assurer que toutes les actions et tous les contrôles appropriés sont en

place pour protéger l'organisme contre les menaces à sa sécurité.

Le présent document donne des lignes directrices pour l'implémentation d'un plan de sûreté dont la

structure inclut les recommandations pour une architecture de sûreté préventive. Ainsi, le plan de

sûreté peut être intégré efficacement dans un système de management existant.

L'intégration des processus de management du risque de l'organisme au modèle de plan de sûreté,

contribue à une gestion appropriée de la sûreté. Ce plan de sûreté est conçu pour attribuer l'imputabilité

et la responsabilité de même pour guider la mise en œuvre des contrôles afin de protéger l'organisme

contre les risques de sûreté.

Une approche planifiée, adaptative et agile permet d'apporter des solutions à des situations non

anticipées. Les menaces pour la sûreté sont dynamiques et souvent inattendues; par conséquent, le

présent document introduit des éléments à la fois techniques et humains pour une approche planifiée

adaptative et agile.

L'objet de ce document est de fournir les éléments fondamentaux nécessaires pour améliorer et soutenir

la protection d'un organisme.
© ISO 2023 – Tous droits réservés
---------------------- Page: 5 ----------------------
PROJET FINAL DE NORME INTERNATIONALE ISO/FDIS 22342:2023(F)
Sécurité et résilience — Sûreté préventive — Lignes
directrices pour l'élaboration d'un plan de sûreté destiné à
un organisme
1 Domaine d'application

Le présent document fournit des recommandations pour l'élaboration et la tenue à jour des plans de

sûreté.

Le plan de sûreté décrit comment un organisme établit une planification de la sûreté efficace et

comment il peut intégrer la sûreté dans les pratiques organisationnelles de management du risque.

Le présent document s'applique à tous les organismes, quels que soient leur type, leur taille et leur

nature, qu'ils appartiennent au secteur privé, au secteur public ou au secteur non lucratif, qui souhaitent

élaborer des plans de sûreté efficaces de manière cohérente.

Le présent document s'applique à tout organisme qui souhaite implémenter des mesures destinées à

protéger ses actifs contre les actes de malveillance et à atténuer les risques associés.

Le présent document ne fournit pas de critères spécifiques permettant d'identifier la nécessité

d'implémenter ou d'améliorer les mesures de prévention et de protection contre les actes de malveillance.

Il ne s'applique ni aux services ni aux opérations fournis par les sociétés de sécurité privées.

2 Références normatives

Les documents suivants sont cités dans le texte de sorte qu'ils constituent, pour tout ou partie de leur

contenu, des exigences du présent document. Pour les références datées, seule l'édition citée s'applique.

Pour les références non datées, la dernière édition du document de référence s'applique (y compris les

éventuels amendements).
ISO 22300, Sécurité et résilience — Vocabulaire
ISO 31000, Management du risque — Lignes directrices
3 Termes et définitions

Pour les besoins du présent document, les termes et définitions de l'ISO 22300 et l'ISO 31000 ainsi que

les suivants, s'appliquent.

L'ISO et l'IEC tiennent à jour des bases de données terminologiques destinées à être utilisées en

normalisation, consultables aux adresses suivantes:

— ISO Online browsing platform: disponible à l'adresse https:// www .iso .org/ obp

— IEC Electropedia: disponible à l'adresse https:// www .electropedia .org/
3.1
besoin d'en connaître

besoin d'avoir accès à des informations spécifiques sur la base d’une exigence fonctionnelle ou

opérationnelle, impliquant un processus actif de détermination du niveau de sûreté des informations,

et des droits d'accès à ces informations
© ISO 2023 – Tous droits réservés
---------------------- Page: 6 ----------------------
ISO/FDIS 22342:2023(F)
4 Planification de la sûreté

Il convient que l'organisme crée, implémente et tienne à jour un plan de sûreté pour gérer les activités

sur la base d'une analyse du risque de sûreté en phase avec sa mission.
Il convient que le plan de sûreté:
— soit propre à chaque organisme;

— soit basé sur des stratégies et des objectifs de sûreté concernant les menaces et les vulnérabilités;

— soit passé en revue et approuvé officiellement par la direction avant son implémentation;

— anticipe la nécessité de faire face à long terme à des incidents relatifs à la sûreté, en intégrant des

procédures spéciales et des structures adaptatives afin d'être en mesure de faire face de façon

adéquate à pareils événements perturbateurs.

L'organisme peut utiliser un unique plan de sûreté ou un plan de sûreté global comportant des plans

plus détaillés.

NOTE Un plan de sûreté unique n'est pas toujours réalisable en raison de la taille de l'organisme ou de la

complexité de son activité.
5 Composants du plan de sûreté
5.1 Généralités

Le présent article fournit des recommandations sur la façon d’élaborer les différents composants d'un

plan de sûreté. Il se compose des paragraphes suivants, qui fournissent des recommandations détaillées

relatives:
— à la gouvernance (voir 5.2);
— au management du risque (voir 5.3);
— aux contrôles de sûreté (voir 5.4);
— au processus relatif aux contrôles de sûreté (voir 5.5);

NOTE L'ISO 28000:2022, 8.6 contient également des informations concernant le contenu d'un plan de sûreté.

5.2 Gouvernance
5.2.1 Généralités

Il convient que l'organisme détermine comment administrer le plan de sûreté. Cela inclut la prise en

compte des aspects suivants:
— objectifs de sûreté (voir 5.2.2);
— domaine d'application du plan de sûreté (voir 5.2.3);
— direction (voir 5.2.4);
— impact réglementaire et juridique (voir 5.2.5);
— rôles, imputabilités et responsabilités (voir 5.2.6);
— communication (voir 5.2.7);
— information documentée (voir 5.2.8);
© ISO 2023 – Tous droits réservés
---------------------- Page: 7 ----------------------
ISO/FDIS 22342:2023(F)
— établissement des rapports (voir 5.2.9);
— évaluation (voir 5.2.10);
— amélioration continue (voir 5.2.11).
5.2.2 Objectifs de sûreté

Il convient que l'organisme définisse les objectifs sûreté du plan, prenant en compte:

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO 22341:2021(Main)
Security and resilience — Protective security — Guidelines for crime prevention through environmental design

This document provides guidelines to organizations for establishing the basic elements, strategies and processes for preventing and reducing crime and the fear of crime at a new or existing built environment. It recommends the establishment of countermeasures and actions to treat crime and security risks in an effective and efficient manner by leveraging environmental design. Within this document, the term "security" is used in a broad manner to include all crime, safety and security-specific applications, so it is applicable to public and private organizations, regardless of type, size or nature. While this document provides general examples of implementation strategies and best practices, it is not intended to provide an exhaustive listing of detailed design, architectural or physical security crime prevention through environmental design (CPTED) implementation strategies or restrict the potential applications to only those examples provided in this document.

  • Standard
    23 pages
    English language
    sale 15% off
  • Standard
    25 pages
    French language
    sale 15% off
  • Standard
    25 pages
    French language
    sale 15% off
  • Draft
    23 pages
    English language
    sale 15% off
ISO
ISO 22341:2021(Main)
Security and resilience — Protective security — Guidelines for crime prevention through environmental design

This document provides guidelines to organizations for establishing the basic elements, strategies and processes for preventing and reducing crime and the fear of crime at a new or existing built environment. It recommends the establishment of countermeasures and actions to treat crime and security risks in an effective and efficient manner by leveraging environmental design. Within this document, the term "security" is used in a broad manner to include all crime, safety and security-specific applications, so it is applicable to public and private organizations, regardless of type, size or nature. While this document provides general examples of implementation strategies and best practices, it is not intended to provide an exhaustive listing of detailed design, architectural or physical security crime prevention through environmental design (CPTED) implementation strategies or restrict the potential applications to only those examples provided in this document.

  • Standard
    23 pages
    English language
    sale 15% off
  • Standard
    25 pages
    French language
    sale 15% off
  • Standard
    25 pages
    French language
    sale 15% off
  • Draft
    23 pages
    English language
    sale 15% off
ISO
ISO/IEC DIS 23090-9(Main)
Information technology -- Coded representation of immersive media
  • Standard
    185 pages
    English language
    sale 15% off
  • Draft
    186 pages
    English language
    sale 15% off
  • Draft
    186 pages
    English language
    sale 15% off
ISO
ISO 24131-1:2023(Main)
Internal protection by polymeric lining for ductile iron pipes — Requirements and test methods — Part 1: Polyurethane lining

This document specifies the requirements and test methods applicable to factory applied internal polyurethane lining for ductile iron pipes according to ISO 2531, ISO 7186 and ISO 16631. It covers internal linings for use in the conveyance of raw water, potable water and sewage water for operating temperature up to 50 °C.

  • Standard
    14 pages
    English language
    sale 15% off
  • Draft
    14 pages
    English language
    sale 15% off
  • Draft
    14 pages
    English language
    sale 15% off
ISO
ISO 24131-2:2023(Main)
Internal protection by polymeric lining for ductile iron pipes — Requirements and test methods — Part 2: Epoxy lining

This document specifies the requirements and test methods applicable to factory applied internal epoxy lining for ductile iron pipes according to ISO 2531, ISO 7186 and ISO 16631. It covers internal linings for use in the conveyance of raw water, potable water and sewage water for operating temperature up to 50 °C.

  • Standard
    14 pages
    English language
    sale 15% off
  • Draft
    14 pages
    English language
    sale 15% off
  • Draft
    14 pages
    English language
    sale 15% off
ISO
ISO 283:2023(Main)
Textile conveyor belts — Full thickness tensile strength, elongation at break and elongation at the reference load — Test method

This document specifies a test method for the determination of the full thickness tensile strength in the longitudinal direction and the elongation at the reference force and breaking point of conveyor belts having a textile carcass. The method can also be used for the determination of full thickness tensile strength in the transverse direction and the elongation at the breaking point, for use when the manufacturer is requested by the purchaser to state values for these properties. This document does not apply to light conveyor belts as described in ISO 21183‑1.

  • Standard
    10 pages
    English language
    sale 15% off
  • Standard
    11 pages
    French language
    sale 15% off
  • Draft
    10 pages
    English language
    sale 15% off
  • Draft
    10 pages
    English language
    sale 15% off
  • Draft
    10 pages
    French language
    sale 15% off
ISO
ISO/IEC/IEEE 8802-1BA:2023(Main)
Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements — Part 1BA: Audio video bridging (AVB) systems

Profiles that select features, options, configurations, defaults, protocols and procedures of bridges, stations and LANs that are necessary to build networks that are capable of transporting time-sensitive audio and/or video data streams are defined in this standard.

  • Standard
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 15% off
ISO
ISO/TS 4240-1:2023(Main)
Fine bubble technology — Environmental applications — Part 1: Inspection method using online particle counter in dissolved air flotation (DAF) plant

This document specifies the bubble volume concentration and bubble bed depth measurement methods by online particle counter for checking DAF process performance in plant. The test method of bubble volume concentration is made by measuring bubble size distribution in contact zone of DAF tank and calculating using formula. And bubble bed depth is evaluated by measuring the number of bubbles and particles according to the depth at five points in separation zone of DAF tank. This document provides the advantages and limitations of using online particle counter in plant.

  • Technical specification
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
  • Draft
    18 pages
    English language
    sale 15% off
ISO
ISO 6055:2023(Main)
Industrial trucks — Overhead guards — Specification and testing

This document specifies the requirements and testing of overhead guards, operator’s leg(s)/feet protection for industrial trucks and overturning testing of industrial variable-reach trucks with operator position not protected by the boom (hereafter referred to as "trucks") requiring an overhead guard according to ISO 3691‑1 and ISO 3691‑2. This document is not applicable to rough-terrain variable-reach trucks and slewing rough-terrain variable-reach trucks.

  • Standard
    13 pages
    English language
    sale 15% off
  • Draft
    13 pages
    English language
    sale 15% off
  • Draft
    13 pages
    English language
    sale 15% off
ISO
ISO/IEC/IEEE 8802-1AC:2018/Amd 1:2023(Amendment)
Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Part 1AC: Media access control (MAC) service definition — Amendment 1: Support for ISO/IEC/IEEE 8802-15-3
  • Standard
    4 pages
    English language
    sale 15% off
  • Draft
    4 pages
    English language
    sale 15% off