ISO/TC 292 - Security and resilience

This document provides guidelines for establishing, maintaining, monitoring and improving infrastructure resilience to help ensure the continuity and robustness of essential services. It supports collaborative decision-making across many stakeholders in diverse organizations. It can be used for engaging stakeholders at all levels responsible for, or having influence on, infrastructure resilience matters. This document is intended to be applicable to all types and sizes of organizations which have a role in infrastructure resilience.

This document establishes a framework to support stakeholders in supply and value chains to ensure the chain of trustworthiness regarding the properties of their products and production processes. This document provides guidelines to identify information relevant to trustworthiness to be exchanged between supply and value chain stakeholders. It also provides an interoperable data structure that is required for supply and value chain stakeholders to negotiate and exchange information relevant to trustworthiness. The guidelines set out in this document are generic and are intended to be applicable to all organizations and products, regardless of type, size or nature.

This document defines terms related to security and resilience topics.

This document provides guidelines to organizations for establishing general and specific strategies to prevent and reduce crime and the fear of crime at new or existing residential facilities, in single or multiple units. This document builds on the concepts and processes described in ISO 22341, in the context of residential facilities. It provides recommendations on countermeasures and actions to address crime and security risks to people and property, in dwellings and their immediate surroundings, by implementing crime prevention through environmental design (CPTED) strategies in an effective and efficient manner. Within this document, the term “security” is used in a broad manner to include all crime, safety and security-specific applications. Therefore, this document is applicable to public and private organizations, regardless of type, size or nature. This document applies to organizations responsible for the residential facility including a real estate company, developer or landlord.

This document provides principles, framework and guidelines on how to enhance urban resilience to protect communities, people and organizations and improve residents' quality of life. It describes: a) how to build capacity to better manage change and disruptive events, minimizing the impacts on the residents, including the most disadvantaged and vulnerable persons; b) the benefits of urban resilience; c) how to organize, assess, plan, implement and continually improve urban resilience. This document is applicable to all urban contexts, governance structures and stakeholders for all identified levels of risk. It is intended to be used by all organizations that have accountability for resilience of services in urban communities.

This document provides guidance on the enterprise protective security architecture and the framework of protective security policies, processes and types of controls necessary to mitigate and manage security risks across the protective security domains, including: a) security governance; b) personnel security; c) information security; d) cybersecurity; e) physical security. This document is applicable for any organization.

This document gives guidelines for the implementation of a community-based disaster early warning system (EWS) for landslides. It complements the generic guidelines in ISO 22328-1. It describes the methods and procedures, implementation methods and activities specifically related to landslides. This document is applicable to communities vulnerable to landslides, without taking secondary/indirect effects into consideration.

This document provides guidelines on the design and development of an organizational resilience policy and strategy. It includes: — how to design and formulate a resilience policy; — how to design strategy to achieve the objectives of a resilience policy; — how to determine priorities for implementation of the organization’s resilience initiatives; — how to establish a cooperative and coordinated capability to enhance resilience. This document is applicable to organizations seeking to enhance resilience. It is not specific to any industry or sector. It can be applied throughout the life of an organization to enhance resilience. This document does not provide guidance on the development of an organizational resilience capability.

This document provides guidelines for establishing and enforcing respective measures for brand protection. It supports the development of a brand protection strategy and describes a brand protection framework for the development, production, and distribution of products and documents. Applying these guidelines throughout the product lifecycle can facilitate interaction between individuals and organizations involved in brand protection activities and can make brand protection procedures more effective and efficient. This document is intended to support the brand owner’s business resilience, brand reputation, and brand value, by protecting products, documents, and associated services from counterfeiting and other infringements.

This document provides an outline of crisis concepts and the principles that inform and support contemporary thinking on the circumstances and conditions under which crises can develop. It specifies: — concepts and principles, governing crises; — the social-ecological system (SES) framework in which crises develop; — factors that contribute to crises; — the progression and evolution of a crisis; — a structure for classifying crises; — the relationship between issues, incidents, emergencies, disasters, and crises; — a crisis taxonomy for the systematic development of policies, strategies, and standards, relevant to crisis management (see Annex A). This document does not provide guidance on how organizations can: — manage physiological or psychological aspects of human reactions to personal crises; — manage personal health or public health crisis affecting individuals, communities, or having broader impacts on society; — design, develop or implement crisis management programs or plans; — develop a strategic capability for crisis management; — apply crisis management techniques to specific crisis situations. This document is applicable to all organizations. It can also be applied by standards users and standards writers and educators. It encourages a better understanding of crisis concepts and the interconnected characteristics of factors that contribute to crises through referencing the crisis controls and effects social-ecological system model. The application of the principles described in this document can encourage consistency in the use of crises related terms and definitions and complements other ISO standards for crisis management.

This document provides guidelines for the design, use and maintenance of hardened protective shelters (hereafter referred to as “shelters”). It specifies guidance on the layout, structures, equipment and actions related to a shelter. This document is intended for organizations or individuals responsible for or involved in decision-making, planning, implementation, administration, use or upkeep of shelters, such as local, regional and national governments, civil protection agencies, first responders and businesses such as designers, constructers and equipment suppliers. This document does not cover the minimum requirements or exact specifications for the properties of or actions related to a shelter; nor does it cover rapidly erected temporary shelters, such as lightweight canvas weather shelters, other tarp tent shelters, or metal and container shelters. Military shelters are subject to additional requirements which are outside the scope of this document.

This document gives guidance on how to secure physical documents for specifying entities of physical documents. It establishes a procedure for security design, which includes: — risk assessment; — determination of document classes; — introduction of security features; — security evaluation; — document risk mitigation. This document is applicable to secure physical documents that are used for important actions such as validating value transactions, providing access, demonstrating compliance and securing products. This document does not apply to banknotes, machine-readable travel documents, driving licences, postage stamps, tax stamps, health cards or national identity cards covered by existing standards and regulations.

This document gives guidance on the selection, installation and use of vehicle security barrier (VSBs) and describes the process of producing operational requirements (ORs). It also gives guidance on a design method for assessing the performance of a VSB. This document is applicable to end users, such as site owners and specifiers, of VSBs, where they are used to protect people in any public or private location from vehicle attacks. This document does not apply to the performance of a VSB or its control apparatus when subjected to: — slow speed encroachment; — slow speed nudging and ramming; — blast explosion; — ballistic impact; — manual attack, with the aid of the vehicle (multiple impacts at slow speed); — manual attack, with the aid of tools (excluding vehicles); — electrical manipulation; — attack on the control systems by any means. NOTE 1 For manual attack, a variety of test methods exist. For assessing intruder resistance of building components, see LPS 1175[53]. NOTE 2 The VSB is designed and tested on the basis of: a) vehicle type, mass and speed of the assessed vehicle-borne threat; b) its geographical application (e.g. climate conditions); c) intended site location (e.g. rigid or non-rigid soil/finished surface (paving, cobblestone, granite, asphalt). It does not apply to guidance on design, the operational suitability of a VSB or other impact test methods.

This document specifies impact performance requirements for a vehicle security barrier (VSB) and a test method for rating its performance when subjected to a single impact by a test vehicle not driven by a human being. It is applicable to test methods for vehicle penetration distances not exceeding 25 m. This document is applicable to all manufacturers and procurers of VSBs, where they are used to protect people in any public or private location from the impact of vehicle attacks. This document does not apply to the performance of a VSB or its control apparatus when subjected to: — slow speed encroachment; — slow speed nudging and ramming; — blast explosion; — ballistic impact; — manual attack, with the aid of the vehicle (multiple impacts at slow speed); — manual attack, with the aid of tools (excluding vehicles); — electrical manipulation; — attack on the control systems by any means. NOTE 1 For manual attack, a variety of test methods exist. For assessing intruder resistance of building components, see LPS 1175. NOTE 2 The VSB is designed and tested on the basis of: a) vehicle type, mass and speed of the assessed vehicle-borne threat; b) its geographical application (e.g. climate conditions); c) intended site location (e.g. rigid or non-rigid soil/finished surface). It does not apply to guidance on design, the operational suitability of a VSB or other impact test methods. NOTE 3 Guidance on the selection and specification of a VSB by type and operational suitability is given in ISO 22343-2.

This document defines the conditions necessary for the interoperable deployment of visible digital seals (VDSs). It describes the structure, possible forms of representation, production process and verification process applicable to VDSs, for any type of document or object to which they relate. This document does not establish requirements for users that issue and verify documents or for users that implement and deploy VDSs. This document does not apply to detailed response formatting functions (RFFs). These requirements and functions are defined by the trust service operator (TSO) and generally cover functionalities such as the security levels of certificates and governance rules to be applied to document issuers and trust service providers (TSPs) intervening in the VDS ecosystem. This document does not apply to the governance related to the operation of the VDS scheme. It is not intended to replace the specifications from Agence Nationale des Titres Sécurisés (ANTS), Bundesamt für Sicherheit in der Informationstechnik (BSI) and International Civil Aviation Organization (ICAO) documents.

This document gives guidance on developing and maintaining security plans. The security plan describes how an organization establishes effective security planning and how it can integrate security within organizational risk management practices. This document is applicable to all organizations regardless of type, size and nature, whether in the private, public or not-for-profit sectors, that wish to develop effective security plans in a consistent manner. This document is applicable to any organization intending to implement measures designed to protect their assets against malicious acts and mitigate their associated risks. This document does not provide specific criteria for identifying the need to implement or enhance prevention and protection measures against malicious acts. It does not apply to services and operations delivered by private security companies.

This document gives guidance on how to develop meaningful recovery activities and renewal initiatives from any type of major emergency, disaster or crisis, no matter what type of impact or damage it has. It provides guidelines on how to identify the short-term, transactional activities needed to reflect and learn, review preparedness of parts of the system impacted by the crisis, and reinstate operations to build preparedness to future emergencies. It distinguishes a longer-term perspective, called “renewal”, and provides guidelines on how to identify visionary initiatives to be addressed through transformation to change lives and futures. The guidelines cover how, in both recovery and renewal, there is a need to identify scalable activity on people, places, processes, power and partners. This document is applicable to all organizations, particularly those involved in recovery and renewal and that are responsible for human welfare and community development (e.g. public, voluntary, community and social enterprise sectors).

This document establishes a framework for a trustworthy environment for information processing and communication that protects integrity along the supply chain of physical and related electronic documents, products, software and services life cycle to mitigate product fraud and counterfeit goods, by using object identification techniques. This document gives guidelines to establish a framework for ensuring trust, interoperability and interoperation via secure and reliable electronically signed encoded data set (ESEDS) schemes for multi-actor applications which are even applicable in multi-sector environment. This document does not interfere with existing traceability and identification and authentication systems but is able to support interoperations between them by introducing an ESEDS scheme.

This document gives guidelines for the implementation of a community-based disaster early warning system (EWS) for tsunamis. It complements the generic guidelines in ISO 22328-1[5]. It describes the methods, procedures, implementation measures and activities specifically related to tsunamis. This document is applicable to communities vulnerable to tsunamis, without taking secondary/indirect effects into consideration.

This document gives guidance on developing, managing and implementing public warning before, during and after incidents. This document is applicable to any organization responsible for public warning. It is applicable at all levels, from local up to international. Before planning and implementing the public warning system, the risks and consequences of potential hazards are assessed. This process is not part of this document.

This document gives guidance on the use of colour codes to inform people at risk as well as first response personnel about danger and to express the severity of a situation. This document is applicable to all types of hazard in any location. This document does not apply to the method for displaying colour codes, detailed ergonomic considerations related to viewing displays or safety signs covered by ISO 3864-1.

This document specifies a process to qualify the suitability, reliability and effectiveness of artefact metrics as well as artefact metric recognition principles for identification and verification. The artefact metric recognition described in this document can be used to identify or verify artefacts using one or more measurements of their characteristics, each of which is unique to an individual artefact and is supposedly impossible to reproduce. This document is applicable to artefact metrics throughout the life cycle processes of products. Measurement of the resilience of the system where the distinguishing characteristic is degraded is out of the scope of this document. This document is applicable to performance testing of artefact metric systems and algorithms through analysis of the comparison scores and decisions output by the system, without requiring detailed knowledge of the system’s algorithms or of the underlying distribution of characteristics in the objects of interest. This document excludes performance testing where deliberate attacks undermine the artefact metric system.

This document establishes a framework for identification and authentication systems. It provides recommendations and best practice that include: — management and verification of identifiers; — physical representation of identifiers; — participants’ due diligence; — vetting of all participants within the system; — relationship between the unique identifier (UID) and possible authentication elements related to it; — questions that deal with the identification of the inspector and any authorized access to privileged information about the object; — inspector access history (logs). The model described in this document is intended to determine the common functions of different systems. This document describes processes, functions and functional units of a generic model. It does not specify any specific technical solutions. Object identification systems can incorporate other functions and features such as supply chain traceability, quality traceability, marketing activities and others, but these aspects are out of scope of this document. NOTE This document does not refer to industry-specific requirements such as GS1 Global Trade Item Number (GTIN).

This document provides guidance on crisis management to help organizations plan, establish, maintain, review and continually improve a strategic crisis management capability. This guidance can help any organization to identify and manage a crisis. Elements for consideration include: — context, core concepts, principles and challenges (see Clause 4); — developing an organization’s crisis management capability (see Clause 5); — crisis leadership (see Clause 6); — the decision-making challenges and complexities facing a crisis team in action (see Clause 7); — crisis communication (see Clause 8); — training, validation and learning from crises (see Clause 9). It is applicable to top management with strategic responsibilities for the delivery of a crisis management capability in any organization. It can also be used by those who operate under the direction of top management. This document acknowledges the relationship and interdependencies with various disciplines but is distinct from these topics.

This document gives guidance on hosting and organizing citywide or regional events. It provides principles applicable to any host and organizer of citywide or regional events. This document will help hosts and organizers to plan and execute a safe, secure and sustainable event by: — introducing a process for cooperation between the host and organizer; — identifying and involving relevant interested parties; — identifying the economic, environmental and societal impact caused by the event; — establishing necessary measures to manage risks introduced by or affecting the event; — establishing necessary measures to deliver the event; — providing critical services to the public and to the event; — providing interested parties and the public with information; — providing future hosts and organizers of similar events with lessons identified; — introducing an event legacy plan consistent with the long-term objectives for the city or region. This document is general and strategic and does not include detailed descriptions or how to plan and execute specific tasks.

This document specifies requirements for a security management system, including aspects relevant to the supply chain. This document is applicable to all types and sizes of organizations (e.g. commercial enterprises, government or other public agencies and non-profit organizations) which intend to establish, implement, maintain and improve a security management system. It provides a holistic and common approach and is not industry or sector specific. This document can be used throughout the life of the organization and can be applied to any activity, internal or external, at all levels.

This document gives guidance on methods for understanding and extending the principles of business continuity embodied in ISO 22301 and ISO 22313 to the management of supplier relationships. It enables an organization to develop and document the strategy to be better prepared to manage supply chain continuity. This document is generic and applicable to all organizations. It is applicable to suppliers of products, services and resources, both upstream and downstream. Supply chain continuity management (SCCM) specifically considers the issues faced by an organization which relies on the continuity of supply of resources as well as the ability to continue delivery of its products and services. The objective of SCCM is to protect the organization’s business activities from supply chain disruption.

This document gives guidelines for an organization to implement and maintain a formal and documented business impact analysis (BIA) process appropriate to its needs. It does not prescribe a uniform process for performing a BIA. This document is applicable to all organizations regardless of type, size and nature, whether in the private, public or not-for-profit sectors. The guidance can be adapted to the needs, objectives, resources and constraints of the organization.

This document gives guidance on the use of social media in emergency management. It gives guidance on how organizations and the public can use, and interact through, social media before, during and after an incident as well as how social media can support the work of emergency services. This document is applicable to governmental and non-governmental organizations involved in emergency management and crisis communication.

This document provides guidelines for developing and maintaining business continuity plans and procedures. It is applicable to all organizations regardless of type, size and nature, whether in the private, public, or not-for-profit sectors, that wish to develop effective business continuity plans and procedures in a consistent manner.

This document defines terms used in security and resilience standards.

This document provides guidelines to organizations for establishing the basic elements, strategies and processes for preventing and reducing crime and the fear of crime at a new or existing built environment. It recommends the establishment of countermeasures and actions to treat crime and security risks in an effective and efficient manner by leveraging environmental design. Within this document, the term "security" is used in a broad manner to include all crime, safety and security-specific applications, so it is applicable to public and private organizations, regardless of type, size or nature. While this document provides general examples of implementation strategies and best practices, it is not intended to provide an exhaustive listing of detailed design, architectural or physical security crime prevention through environmental design (CPTED) implementation strategies or restrict the potential applications to only those examples provided in this document.

This document gives guidelines for the implementation of a community-based disaster early warning system (EWS). It describes the methods and procedures to be implemented and provides examples. This document is applicable to communities vulnerable to disasters, without taking secondary/indirect effects into consideration.

This document gives guidelines for assessing product security-related threats, risks and countermeasures by developing a suitable protection plan, supporting its implementation and monitoring its effectiveness after implementation. This includes consideration of impacts and modifications to, for example, product life cycle, supply chain, manufacturing, data management, brand perception and costs so as to adapt the protection plan accordingly. This document is applicable to all types and sizes of organizations that want to ensure authenticity and integrity in order to support the trustworthiness of products, including documents, data and services related to products. This document supports organizations setting up a process to assess risks and to select and combine individual measures for developing a product protection plan.

This document gives guidelines for performance criteria and an evaluation methodology for authentication solutions that aim to unambiguously establish material good authenticity and integrity throughout an entire material good's life cycle. It focuses on the authentication of a material good and, if appropriate, its components, parts and related data: — covered by intellectual property rights; — covered by relevant international, regional or national regulations; — with counterfeiting-related implications; — otherwise with a distinctive identity. This document is applicable to all types and sizes of organizations that require the ability to validate the authenticity and integrity of material goods. It will help organizations to determine the categories of authentication elements they need in order to combat counterfeiting-related risks, and the criteria for selecting authentication elements, after having undertaken a counterfeiting risk assessment. Authentication solutions can be used in areas such as anti-counterfeiting, prevention of product fraud and prevention of diversion. This document does not specify economic criteria aiming to correlate performance and costs of the authentication solutions.

This document describes a framework and principles that are coherent with the 2030 Agenda for Sustainable Development, including the New Urban Agenda, Paris Agreement and Sendai Framework, that can be applied to enhance urban resilience. This document proposes the use of metrics and models as the framework upon which to structure urban resilience to assist local authorities and other urban stakeholder's efforts to build more resilient human settlements. This document is primarily intended for use by organizations with responsibility for urban governance. However, it is equally applicable to all types and sizes of organizations that represent the community of stakeholders noted above, and in particular those organizations that have a role in urban planning, development and management processes in urban areas around the world.

This document gives guidelines for organizations to design, organize, conduct, receive feedback from and learn from a peer review of their disaster risk reduction (DRR) policies and practices. It is also applicable to other community resilience activities. It is intended for use by organizations with the responsibility for, or involvement in, managing such activities including policy and preparedness, response and recovery operations, and designing preventative measures (e.g. for the effects of environmental changes such as those from climate change). It is applicable to all types, structures and sizes of organizations, such as local, regional and national governments, statutory bodies, non-governmental organizations, businesses, and public and community groups. It is applicable before or after an incident or exercise.

This document gives guidance and recommendations for applying the requirements of the business continuity management system (BCMS) given in ISO 22301. The guidance and recommendations are based on good international practice. This document is applicable to organizations that: a) implement, maintain and improve a BCMS; b) seek to ensure conformity with stated business continuity policy; c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; d) seek to enhance their resilience through the effective application of the BCMS. The guidance and recommendations are applicable to all sizes and types of organizations, including large, medium and small organizations operating in industrial, commercial, public and not-for-profit sectors. The approach adopted depends on the organization's operating environment and complexity.

This document gives guidelines for information exchange. It includes principles, a framework and a process for information exchange. It identifies mechanisms for information exchange that allow a participating organization to learn from others' experiences, mistakes and successes. It can be used to guide the maintenance of the information exchange arrangement in order to increase commitment and engagement. It provides measures that enhance the ability of participating organizations to cope with disruption risk. This document is applicable to private and public organizations that require guidance on establishing the conditions to support information exchange. This document does not apply to technical aspects but focuses on methodology issues. NOTE Legislation can differ from jurisdiction to jurisdiction. It is the user's responsibility to determine how applicable legal requirements relate to this document.

This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise. The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization's operating environment and complexity. This document is applicable to all types and sizes of organizations that: a) implement, maintain and improve a BCMS; b) seek to ensure conformity with stated business continuity policy; c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption; d) seek to enhance their resilience through the effective application of the BCMS. This document can be used to assess an organization's ability to meet its own business continuity needs and obligations.

This document gives guidelines for incident management, including — principles that communicate the value and explain the purpose of incident management, — basic components of incident management including process and structure, which focus on roles and responsibilities, tasks and management of resources, and — working together through joint direction and cooperation. This document is applicable to any organization involved in responding to incidents of any type and scale. This document is applicable to any organization with one organizational structure as well as for two or more organizations that choose to work together while continuing to use their own organizational structure or to use a combined organizational structure.

This document gives guidelines for a landslide early warning system. It provides a definition, aims to improve understanding, describes methods and procedures to be implemented, and gives examples of types of activities. It is applicable to communities vulnerable to landslides, without taking secondary effects into consideration. It recognizes population behaviour response planning as a key part of the preparedness. It takes into account the approach of ISO 22315 and provides additional specifications for landslides.

This document gives guidelines for the content, security, issuance and examination of physical tax stamps and marks used to indicate that the required excise duty or other applicable taxes identified with an item have been paid and to signify that the item is legitimately on the intended market. Specifically, this document gives guidance on: — defining the functions of a tax stamp; — identifying and consulting with stakeholders; — planning the procurement process and selection of suppliers; — the design and construction of tax stamps; — the overt and covert security features that provide protection of the tax stamp; — the finishing and application processes for the tax stamp; — security of the tax stamp supply chain; — serialization and unique identifier (UID) codes for tax stamps; — examination of tax stamps; — monitoring and assessing tax stamp performance. This document is applicable only to tax stamps that are physical in nature and apparent to the human senses of sight (with the aid of a revealing tool if necessary) or touch, applied to a consumer good or its packaging and which allow material authentication. When the term "authentication" is used in this document, it refers only to the authentication of the tax stamp, not to the product on which the tax stamp is affixed. This document does not apply to systems or procedures that an issuing authority has in place to control and monitor its excise revenue collection, except by reference to them where they have an impact on the design or specification of tax stamps.

This document gives guidelines for monitoring hazards within a facility as a part of an overall emergency management and continuity programme by establishing the process for hazard monitoring at facilities with identified hazards. It includes recommendations on how to develop and operate systems for the purpose of monitoring facilities with identified hazards. It covers the entire process of monitoring facilities. This document is generic and applicable to any organization. The application depends on the operating environment, the complexity of the organization and the type of identified hazards.

This document gives guidelines for the application of principles and a process for a complexity assessment of an organization's systems to improve security and resilience. A complexity assessment process allows an organization to identify potential hidden vulnerabilities of its system and to provide an early indication of risk resulting from complexity. This document is generic and applicable to all sizes and types of organization systems, such as critical assets, strategic networks, supply chains, industrial plants, community infrastructures, banks and business companies.

This document gives guidelines for organizations to identify, involve, communicate with and support individuals who are the most vulnerable to natural and human-induced (both intentional and unintentional) emergencies. It also includes guidelines for continually improving the provision of support to vulnerable persons in an emergency. It is intended for use by organizations with the responsibility for, or involvement in, part or all of the planning for working with vulnerable persons in an emergency. It is applicable to all types and sizes of organizations involved in emergency preparation, response and recovery activities, such as local, regional and national governments; statutory bodies; international and non-governmental organizations; businesses; and public and community groups. The focus of this document is on vulnerable individuals and their needs in relation to an emergency.

This document gives guidelines for establishing interoperability among independently functioning product identification and related authentication systems, as described in ISO 16678. The permanent transfer of data from one system to another is out of the scope of this document. It also gives guidance on how to specify an environment open to existing or new methods of identification and authentication of objects, and which is accessible for legacy systems that may need to remain active. It is applicable to any industry, stakeholder or user group requiring object identification and authentication systems. It can be used on a global scale, or in limited environments. This document supports those involved in planning and establishing interoperation.