The standard is divided into the following main clauses:

* Scope
* Normative references
* Terms and definitions
** Terms related to security and resilience
** Terms related to risk
** Terms related to management systems

=== Clause 3.1: Terms related to security and resilience ===

This clause establishes the generic vocabulary used in the field of security and resilience, covering topics such as business continuity management, emergency management, protective security and crisis management. The following terms are defined in this clause:

* acute shock
* affected area
* after-action report
* alert
* all clear
* all-hazards approach
* business continuity
* business continuity management
* business continuity plan
* business impact analysis
* chronic stress
* civil protection
* civil society
* command and control
* command and control system
* contingency
* cooperation
* coordination
* counterfeit, verb
* counterfeit good
* countermeasure
* crisis
* crisis management
* disaster
* disaster risk reduction
* disruption
* drill
* duty of care
* early warning
* emergency
* emergency management
* evacuation
* event
* exercise
* goods
* impact
* impact analysis
* incident
* incident command
* infrastructure
* integrity
* interoperability
* landslide
* material good
* minimum business continuity objective, MBCO
* maximum tolerable period of disruption, MTPD
* mitigation
* mutual aid agreement
* organizational resilience
* people at risk
* preparedness
* prevention
* protection
* public warning
* public warning system
* recovery
* recovery point objective, RPO
* recovery time objective, RTO
* resilience
* robustness
* safety
* security
* security management
* shelter in place
* spontaneous volunteer, SV
* supply chain
* threat
* vulnerability
* vulnerability assessment

ISO 22300 defines the business impact analysis (BIA) as the process of analyzing the impact of a disruption over time. This analysis identifies the prioritized activities that must be recovered in order to avoid failure. Other core terms of this clause are the maximum tolerable period of disruption (MTPD) and the recovery time objective (RTO): the first concerns the time before the effects of an outage become irreversible, the second the time it takes to resume operations. Additionally, the recovery point objective (RPO) is defined to measure data loss. Unlike the RTO, which focuses on the time it takes to recover, the RPO measures the amount of data an organization can afford to lose, expressed as a period of time.

The standard classifies disruptive events by their severity and by the response required to recover. An incident is defined as an event that could lead to any form of disruption or loss. This differs from the definition of an emergency, which is an unexpected occurrence or event requiring immediate action to prevent disruption or loss. The standard defines a crisis as an abnormal situation that threatens the organization's objectives and often requires a strategic response.

=== Clause 3.2: Terms related to risk ===

Instead of developing its own terminology on the subject, ISO 22300 endorses the work of ISO/TC 262 and repeats key terms and definitions from ISO 31073 in clause 3.2. The following terms are defined in this clause:

* consequence
* consultation and communication
* control
* hazard
* likelihood
* probability
* residual risk
* risk
* risk acceptance
* risk analysis
* risk appetite
* risk assessment
* risk communication
* risk criteria
* risk evaluation
* risk identification
* risk management
* risk mitigation
* risk owner
* risk reduction
* risk register
* risk sharing
* risk source
* risk tolerance
* risk treatment

Risk is defined as the effect of uncertainty on objectives. Organizations must state their risk appetite, which is the amount and type of risk that they are willing to pursue or retain. In order to judge the risks taken by an organization, risk criteria are necessary: they are the reference against which the significance of a risk is evaluated. The risk assessment steps begin with risk identification, in which the risk source is found. Following this, risk analysis is used to understand the nature and gravity of the risk. Finally, risk evaluation compares the result against the risk criteria to determine whether the risk is tolerable.

=== Terms related to management systems ===

Policy is defined as the intentions and direction of an organization. Another generic term given is requirement, which is simply a need or expectation that is stated. Conformity with requirements is then evaluated through audits. If a requirement is not met, the standard defines this as a nonconformity. To address it, the organization must implement corrective action to eliminate the cause of the failure, and must also use continual improvement to enhance performance over time.

== Purpose ==