Australia adopts world-first security standard
In a major leap forward for national and commercial security, Australia has adopted a world-first international standard that aims to reshape how organisations protect their people, infrastructure, and information.
This change is led by Standards Australia’s Security and Resilience expert technical committee, MB-025, which has published AS ISO 22340, an adoption of an international standard [1].
By adopting this standard, Australia is setting itself up to enhance its security posture and provide a clear practical guide for all organisations to continuously improve their protective security through risk management principles and governance arrangements designed to ensure coordinated and strategically aligned implementation.
Benefits of AS ISO 22340 – A Coordinated Approach to Security
The term ‘security’ evokes different meanings and connotations across organisations and nations. Without clear, well-defined and coordinated security controls, organisations are exposed to security breaches and to the costs of inefficient processes, such as duplicated effort or wasted resources.
While there are many standards covering individual elements of security, ISO 22340 is the world’s first international standard that provides guidance on coordinating and integrating protective security: in other words, it sets out the key processes and activities that protect assets from malicious acts, from the impact of unintentional incidents, and from other events that can cause harm.
It provides guidance on how to build protective security under a documented structure, detailing governance arrangements and accountabilities, and the framework of policies, processes and specifications designed to support an organisation’s security objectives.
AS ISO 22340 covers five security domains: security governance, personnel security, information security, cybersecurity and physical security. These domains overlap, and when they are managed and coordinated together, organisations can improve both their security processes and their outcomes. The standard describes how to understand, plan for and respond to security risks within these domains across all assets, including people, infrastructure and information. Importantly, it is intended to integrate with widely adopted standards such as ISO/IEC 27001 [2] and AS 4811 [3].
To help manage these domains effectively, the standard sets out the following principles:
- Security is everyone’s responsibility.
- Security enables business.
- Security management is based on risk management principles.
- Top management is accountable for the organisation’s security.
- Security is integrated into all levels of the organisation’s activity.
- Security is delivered within a life cycle of continual improvement.
A Framework for Continuous Security Improvement
The standard provides a framework for the continuous improvement of security systems, emphasising the importance of regularly assessing and raising security maturity.
Organisations can use the framework to evaluate their security posture, grade their maturity across the five security domains, and identify areas for improvement. This equips them to adapt to changing security environments and threats and fosters a culture of continuous improvement.
Matthew Curtis, a member of MB-025, convener of the ISO 22340 project and its lead author, highlights the empowering nature of this standard: “This is a singularly enabling standard. It provides a common language and conceptual framework that any organisation can use to understand and manage their security threats and associated risks. Critically, it also outlines enterprise governance arrangements that among other things include a single point of truth and accountability for all matters security at the enterprise level. Together these attributes will be a powerful tailwind for the Australian community in responding to the current global and national security context.”
Consistency with the Protective Security Policy Framework
AS ISO 22340 is closely aligned with the principles and processes of the Australian Government’s Protective Security Policy Framework (PSPF). The PSPF addresses security requirements across key domains, including personnel, information (including cyber) and physical security, together with the governance arrangements that align each domain with the interests of the organisation.
Similarly, the principles in AS ISO 22340 are intended to assist organisations in every sector by bolstering their resilience and helping them address a widening range of threats and risks.
“Prioritising security and resilience has numerous benefits for an organisation, including safeguarding data, ensuring the safety of its people, and contributing to its overall longevity,” says Standards Australia’s Chief Operating Officer, Kareen Riley-Takos.
AS ISO 22340 is available via the Standards Australia Store and our distribution partners.
[1] ISO 22340, Security and resilience – Protective security – Guidelines for an enterprise protective security architecture and framework.
[2] ISO/IEC 27001, Information security, cybersecurity and privacy protection – Information security management systems – Requirements.
[3] AS 4811, Workforce screening.