DZ
DefZone.Net

Kien thuc cong nghe & giai tri

Wiki Article

ISO 22300

Nguồn dữ liệu từ Wikipedia, hiển thị bởi DefZone.Net

Xem trên WikipediaBài ngẫu nhiên khác
ISO Logo

ISO 22300:2025 Security and resilience – Vocabulary, is an international standard developed by the International Organization for Standardization Technical Committee ISO/TC 292, Security and resilience, in collaboration with the European Committee for Standardization (CEN) Technical Committee CEN/TC 391, Societal and Citizen Security. This document defines terms used in security and resilience standards and includes 130 terms and definitions.[1] This document was first developed in 2012, with the first edition being released in May of 2012. [2] The current edition used was published in November of 2025 and replaces the third edition from 2021. [3]

This standard defines many relevant terms, including those pertinent to Business Continuity Management Systems (BCMS). The terms serve as a common language to identify and describe BCSM processes.[4]

This document is the first of a large series of ISO standards that focus on security, resilience, and business continuity management systems. The next document in the series, ISO 22301, focused more on writing management system standards, while the rest give more understanding to other security and system standards.[5]

Scopes and Content

[edit]

The standard is divided into the following main clauses:

  1. Scope
  2. Normative references
  3. Terms and definitions
    1. Terms related to security and resilience
    2. Terms related to risk
    3. Terms related to management systems
[edit]

This section establishes the generic vocabulary used in the field of security and resilience including topics like business continuity management, emergency management, protective security and crisis management.

The following terms are defined in this clause:

  • acute shock
  • affected area
  • after-action report
  • alert
  • all clear
  • all-hazards approach
  • business continuity
  • business continuity management
  • business continuity plan
  • business impact analysis
  • chronic stress
  • civil protection
  • civil society
  • command and control
  • command and control system
  • contingency
  • cooperation
  • coordination
  • counterfeit,verb
  • counterfeit good
  • countermeasure
  • crisis
  • crisis management
  • disaster
  • disaster risk reduction
  • disruption
  • drill
  • duty of care
  • early warning
  • emergency
  • emergency management
  • evacuation
  • event
  • exercise
  • goods
  • impact
  • impact analysis
  • incident
  • incident command
  • infrastructure
  • integrity
  • interoperability
  • landslide
  • material good
  • minimum business continuity objective, MBCO
  • maximum tolerable period of disruption, MTPD
  • mitigation
  • mutual aid agreement
  • organizational resilience
  • people at risk
  • preparedness
  • prevention
  • protection
  • public warning
  • public warning system
  • recovery
  • recovery point objective, RPO
  • recovery time objective, RTO
  • resilience
  • robustness
  • safety
  • security
  • security management
  • shelter in place
  • spontaneous volunteer, SV
  • supply chain
  • threat
  • vulnerability
  • vulnerability assessment

ISO 22300 defines the Business Impact Analysis (BIA) as the process of analyzing the impact of a disruption over time. [6] This analysis identifies any prioritized activities that need to be recovered in order to avoid any failure. Other terms such as Maximum Tolerable Period of Disruption (MTPD) and Recovery Time Objective (RTO) are core terms of this section as they are about the different times it takes before an outage becomes irreversible and the times it would take to resume any operations.[7] Additionally, the Recovery Point Objective (RPO) is defined to measure the amount of data loss.[8] Unlike RTO, which focuses on the time it takes to recover, RPO measures the amount of data an organization can afford to lose, which is measured in time. The standard classifies disruptive events based on their severity and the response required to recover. An incident is defined as an event that might, or could, lead to any form of disruption or loss. This is different from the definition given for emergency as that is an unexpected occurrence or event requiring immediate action to prevent any disruption or loss. [9] The standard defines a crisis as an abnormal situation that threatens the organization's objectives and often requires strategic response.[6] This differs from a disaster which the standard defines that as a situation where widespread human, material, economic, or environmental loss exceeds the ability of the organization to recover with its own resources.[6]

[edit]

Risk is very much related to security and resilience. ISO/TC 292 has therefore an active liaison with ISO/TC 262 Risk management which has developed ISO 31073:2022 which holds risk management vocabulary and was released in 2022. [10] Instead of developing its own terminology on the subject, ISO 22300 endorse the work of ISO/TC 262 and repeats key terms and definitions from ISO 31073 in clause 3.2.

The following terms are defined in this clause:

  • consequence
  • consultation and communication
  • control
  • hazard
  • likelihood
  • probability
  • residual risk
  • risk
  • risk acceptance
  • risk analysis
  • risk appetite
  • risk assessment
  • risk communication
  • risk criteria
  • risk evaluation
  • risk identification
  • risk management
  • risk mitigation
  • risk owner
  • risk reduction
  • risk register
  • risk sharing
  • risk source
  • risk tolerance
  • risk treatment

Risk is defined as the effect of uncertainty on objectives. Organizations must state their risk appetite, which is the amount and type of risk that they are willing to pursue or retain. [11] In order to judge the risks taken by organizations, risk criteria is a necessity. Risk criteria are the reference against which the significance of a risk is evaluated. [6]

The standard goes on to list risk assessment not just as a single step, but as a process that consists of three stages of identification, analysis, and evaluation. [12] These steps begin with risk identification in which the risk source is found. Following this, risk analysis is used to understand the nature and gravity of the risk. Finally, risk evaluation compares the result against risk criteria to determine whether the risk is tolerable. [6]

If an evaluation shows that a risk is not acceptable, then the organization must perform risk treatment. [6] ISO 22300:2025 defines this as the process of avoiding risk by removing the risk source, changing likelihood, changing consequence, or sharing the risk with other parties. Risk treatment rarely removes an entire risk as the standard states that risk treatment can create new risks or modify already existing risks. [6] Residual risk follows the ending of risk management as it is the amount of risk remaining after risk treatment is completed. Residual risk, as the standard states, can contain unidentified risks and can also be known as "retained risk."

[edit]

This section contains generic terms common to all ISO management system standards and is based on Annex SL to the ISO directives. It also endorses definitions from ISO 9000, ISO/IEC 27000, and ISO 31073.

The following terms are defined in this clause:

  • audit
  • capacity
  • community
  • competence
  • conformity
  • continual improvement
  • corrective action
  • documented information
  • effectiveness
  • evaluation
  • interested party, stakeholder
  • internal audit
  • management
  • management system
  • measurement
  • monitoring
  • nonconformity
  • objective
  • organization
  • organizational culture
  • outsource,verb
  • owner
  • partnering
  • performance
  • performance evaluation
  • personnel
  • planning
  • policy
  • procedure
  • process
  • requirement
  • review
  • top management
  • training
  • verification
  • workforce

A core definition the standard gives is top management who is the person or group who directs and controls an organization at the highest level.[13] Following this, policy is defined as the intentions and direction of an organization. Another generic term given is requirement which is simply the need or expectation that is stated.[6]

ISO 22300:2025 definition of documented information replaces the terms "documents" and "records" and refers to information required to be controlled and maintained by an organization. [6] To ensure that all requirements are met, the standard's definition of competence emphasizes the need for personnel to have the skills to achieve intended results.[14] This is all then evaluated through audits. [6]

If any requirement is not met, the standard defines this as nonconformity. To combat this, the organization or group must implement corrective action to eliminate the cause of the failure, and also use continual improvement to enhance performance over time. [6]

Purpose

[edit]

The purpose of this standard is to provide definitions of generic terms and subject-specific terms related to documents made by ISO/TC 292. This document covers many of the standards seen throughout the ISO 223XX family. The main focus is to encourage a mutual and consistent understanding and use of uniform terms and definitions in the field of security and resilience. This standard can also be used by lawyers and companies to agree on contracts. The vocabulary in this standard solves any issues with disagreements on terms.

Application

[edit]

This document can be used as a reference by competent authorities and specialists involved in standardization systems as a way to universally and accurately understand the topics shown. This standard can also be used to solve any issues with language barriers as different countries around the world can easily use ISO 22300:2025 to agree on any definitions. This standard is also used by individuals studying for certain licenses (such as CBCP and PECB credentials), in which the definitions in this standard are a part of tests and textbooks.[15]

[edit]

All standards developed by ISO/TC 292 makes a normative reference to ISO 22300 and uses this as common terminology for the ISO 22300 family of standards including ISO 28000.

  • ISO 22301, Security and resilience — Business continuity management systems – Requirements[16]
  • ISO 22313, Security and resilience — Business continuity management systems – Guidance to the use of ISO 22301[17]
  • ISO/TS 22317, Security and resilience — Business continuity management systems — Guidelines for business impact analysis[18]
  • ISO 22320, Security and resilience — Emergency management - Guidelines for incident management[19]
  • ISO 28000, Security and resilience — Security management systems – Requirements[20]

History

[edit]

This standard was originally developed by the ISO Technical Committee ISO/TC 223 (Societal security) to set terms and definitions applicable to societal security. The committee was first formed to handle emergency management and disaster response, rather than just business risks as ISO 22300:2025 is. The original standard only had 76 terms as it was mainly focused on societal security such as governments and NGOs.

The ISO/TC 223 later dissolved in June 2014, when the Technical management board (TMB) of ISO created the new ISO technical committee ISO/TC 292 (Security and resilience). This new committee was the amalgamation of three technical committees: ISO/TC 223, ISO/TC 247, and ISO/PC 284. ISO/TC 247 focused mainly on standardization in the field of the detection, prevention and control of identity, financial, product and other forms of social and economic fraud. [21] ISO/PC 284 focused on standardization in the field of management system for private security companies. [22] These three committees all shared similar terms and applications.

All of these committees dissolved alongside ISO/TC 223 in June of 2014. The new committee's goal was to create standardization in the field of security to enhance the safety and resilience of society. Since its creation, the committee is responsible for publishing 57 ISO standards, of which 47 were directly under their responsibility. [23] Since the 2nd Edition, this new technical committee has prepared ISO 22300.

The latest version, the 4th Edition, was released on November 6th of 2025 and is currently set to enter its review stage next. The 4th Edition was proposed in October of 2022 and entered multiple stages in order to get to its publication. The latest version replaces the edition released in 2021.

Description Released Main Changes From Previous Editions Number of Terms Project leader
ISO 22300:2012 (1st Edition)[2] May 2012

N/A

76
ISO 22300:2018 (2nd Edition)[3] February 2018
  • Terms added from recent published documents and documents transferred to ISO/TC 292
 277 Norma McGormick
ISO 22300:2021 (3rd Edition)[1] February 2021
  • Terms added from recent published documents and documents transferred to ISO/TC 292
  • Terminological entries separated into subclauses by subject matter
 360 Norma McGormick
ISO 22300:2025 (4th Edition)[1] November 2025
  • Removal of terms that are not commonly used across the portfolio of ISO/TC 292 standards and are very specific to particular standards
  • Definitions for some terms have been modified to be more generic and applicable across the portfolio of ISO/TC 292 standards;
  • Inclusion of new terms and definitions from recent published documents and documents transferred to ISO/TC 292
  • The structure of the document has been revised to make the document more concise and user friendly.
 130 Stefan Tangen

See also

[edit]

References

[edit]
  1. ^ a b c "ISO 22300:2025(en) Security and resilience — Vocabulary". www.iso.org. Retrieved 2025-10-27.
  2. ^ a b "ISO 22300:2012(en) Societal security — Terminology". www.iso.org. Retrieved 2025-10-27.
  3. ^ a b "ISO 22300:2018(en) Security and resilience — Vocabulary". www.iso.org. Retrieved 2025-10-27.
  4. ^ Arias Aranda, Daniel; Huafe, Knut; Dzombeta, Srdan; Vladimir, Stantchev (19 February 2025). "Business Continuity Management – a Process Reference Model". ssrn.com. SSRN 5144558. Retrieved 26 October 2025.
  5. ^ "ISO publishes new standard for business continuity management". ISO. 2012-06-05. Retrieved 2025-10-27.
  6. ^ a b c d e f g h i j k www.iso.org https://www.iso.org/obp/ui/en/#iso:std:iso:22300:ed-4:v1:en. Retrieved 2025-11-29. {{cite web}}: Missing or empty |title= (help)
  7. ^ Kosutic, Dejan. "RTO vs. RPO: Key Differences Explained | Advisera". Retrieved 2025-11-29.
  8. ^ Editor, CSRC Content. "Recovery Time Objective - Glossary | CSRC". csrc.nist.gov. Retrieved 2025-12-01. {{cite web}}: |last= has generic name (help)
  9. ^ "ISO 22320 Emergency Management & Incident Response". AlertMedia. 2025-03-31. Retrieved 2025-12-01.
  10. ^ www.iso.org https://www.iso.org/obp/ui/en/#iso:std:iso:31073:ed-1:v1:en. Retrieved 2025-12-01. {{cite web}}: Missing or empty |title= (help)
  11. ^ "Institute of Risk Management (IRM)". www.theirm.org. Retrieved 2025-12-01.
  12. ^ "What is a Risk Assessment? | Definition from TechTarget". Search Security. Retrieved 2025-12-01.
  13. ^ "What is the Annex SL System Structure? | NQA". www.nqa.com. Retrieved 2025-12-01.
  14. ^ "Competence Development and ISO 9001". PECB. Retrieved 2025-12-01.
  15. ^ "ISO 22301 Business Continuity Management System — Training Courses". PECB. Retrieved 2025-12-01.
  16. ^ "ISO 22301:2019(en) Security and resilience — Business continuity management systems — Requirements". www.iso.org. Retrieved 2025-10-27.
  17. ^ "ISO 22313:2020(en) Security and resilience — Business continuity management systems — Guidance on the use of ISO 22301". www.iso.org. Retrieved 2025-10-27.
  18. ^ "ISO/TS 22317:2021(en) Security and resilience — Business continuity management systems — Guidelines for business impact analysis". www.iso.org. Retrieved 2025-10-27.
  19. ^ "ISO 22320:2018(en) Security and resilience — Emergency management — Guidelines for incident management". www.iso.org. Retrieved 2025-10-27.
  20. ^ "ISO 28000:2022(en) Security and resilience — Security management systems — Requirements". www.iso.org. Retrieved 2025-10-27.
  21. ^ "iTeh Standards". iTeh Standards. Retrieved 2025-12-01.
  22. ^ "iTeh Standards". iTeh Standards. Retrieved 2025-12-01.
  23. ^ "About". committee.iso.org. Retrieved 2025-12-01.
[edit]
  • ISO 22300:2018 — Security and resilience — Vocabulary (Withdrawn, revised by ISO 22300:2021)
  • ISO 22300:2021 — Security and resilience — Vocabulary