ISO 22300


ISO 22300:2025 Security and resilience – Vocabulary, is an international standard developed by the International Organization for Standardization Technical Committee ISO/TC 292, Security and resilience, in collaboration with the European Committee for Standardization Technical Committee CEN/TC 391, Societal and Citizen Security. This document defines terms used in security and resilience standards and includes 130 terms and definitions. This document was first developed in 2012, with the first edition being released in May of 2012. The current edition used was published in November of 2025 and replaces the third edition from 2021.
This standard defines many relevant terms, including those pertinent to Business Continuity Management Systems. The terms serve as a common language to identify and describe BCSM processes.
This document is the first of a large series of ISO standards that focus on security, resilience, and business continuity management systems. The next document in the series, ISO 22301, focused more on writing management system standards, while the rest give more understanding to other security and system standards.

Scopes and Content

The standard is divided into the following main clauses:
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. # Terms related to security and resilience
  5. # Terms related to risk
  6. # Terms related to management systems

    Clause 3.1: Terms related to security and resilience

This section establishes the generic vocabulary used in the field of security and resilience including topics like business continuity management, emergency management, protective security and crisis management.
The following terms are defined in this clause:
ISO 22300 defines the Business Impact Analysis as the process of analyzing the impact of a disruption over time. This analysis identifies any prioritized activities that need to be recovered in order to avoid any failure. Other terms such as Maximum Tolerable Period of Disruption and Recovery Time Objective are core terms of this section as they are about the different times it takes before an outage becomes irreversible and the times it would take to resume any operations. Additionally, the Recovery Point Objective is defined to measure the amount of data loss. Unlike RTO, which focuses on the time it takes to recover, RPO measures the amount of data an organization can afford to lose, which is measured in time. The standard classifies disruptive events based on their severity and the response required to recover. An incident is defined as an event that might, or could, lead to any form of disruption or loss. This is different from the definition given for emergency as that is an unexpected occurrence or event requiring immediate action to prevent any disruption or loss. The standard defines a crisis as an abnormal situation that threatens the organization's objectives and often requires strategic response. This differs from a disaster which the standard defines that as a situation where widespread human, material, economic, or environmental loss exceeds the ability of the organization to recover with its own resources.

Clause 3.2: Terms related to risk

Risk is very much related to security and resilience. ISO/TC 292 has therefore an active liaison with ISO/TC 262 Risk management which has developed ISO 31073:2022 which holds risk management vocabulary and was released in 2022. Instead of developing its own terminology on the subject, ISO 22300 endorse the work of ISO/TC 262 and repeats key terms and definitions from ISO 31073 in clause 3.2.
The following terms are defined in this clause:
  • consequence
  • consultation and communication
  • control
  • hazard
  • likelihood
  • probability
  • residual risk
  • risk
  • risk acceptance
  • risk analysis
  • risk appetite
  • risk assessment
  • risk communication
  • risk criteria
  • risk evaluation
  • risk identification
  • risk management
  • risk mitigation
  • risk owner
  • risk reduction
  • risk register
  • risk sharing
  • risk source
  • risk tolerance
  • risk treatment
Risk is defined as the effect of uncertainty on objectives. Organizations must state their risk appetite, which is the amount and type of risk that they are willing to pursue or retain. In order to judge the risks taken by organizations, risk criteria is a necessity. Risk criteria are the reference against which the significance of a risk is evaluated.
The standard goes on to list risk assessment not just as a single step, but as a process that consists of three stages of identification, analysis, and evaluation. These steps begin with risk identification in which the risk source is found. Following this, risk analysis is used to understand the nature and gravity of the risk. Finally, risk evaluation compares the result against risk criteria to determine whether the risk is tolerable.
If an evaluation shows that a risk is not acceptable, then the organization must perform risk treatment. ISO 22300:2025 defines this as the process of avoiding risk by removing the risk source, changing likelihood, changing consequence, or sharing the risk with other parties. Risk treatment rarely removes an entire risk as the standard states that risk treatment can create new risks or modify already existing risks. Residual risk follows the ending of risk management as it is the amount of risk remaining after risk treatment is completed. Residual risk, as the standard states, can contain unidentified risks and can also be known as "retained risk."

Clause 3.3 Terms related to management systems

This section contains generic terms common to all ISO management system standards and is based on Annex SL to the ISO directives. It also endorses definitions from ISO 9000, ISO/IEC 27000, and ISO 31073.
The following terms are defined in this clause:
  • audit
  • capacity
  • community
  • competence
  • conformity
  • continual improvement
  • corrective action
  • documented information
  • effectiveness
  • evaluation
  • interested party, stakeholder
  • internal audit
  • management
  • management system
  • measurement
  • monitoring
  • nonconformity
  • objective
  • organization
  • organizational culture
  • outsource,verb
  • owner
  • partnering
  • performance
  • performance evaluation
  • personnel
  • planning
  • policy
  • procedure
  • process
  • requirement
  • review
  • top management
  • training
  • verification
  • workforce
A core definition the standard gives is top management who is the person or group who directs and controls an organization at the highest level. Following this, policy is defined as the intentions and direction of an organization. Another generic term given is requirement which is simply the need or expectation that is stated.
ISO 22300:2025 definition of documented information replaces the terms "documents" and "records" and refers to information required to be controlled and maintained by an organization. To ensure that all requirements are met, the standard's definition of competence emphasizes the need for personnel to have the skills to achieve intended results. This is all then evaluated through audits.
If any requirement is not met, the standard defines this as nonconformity. To combat this, the organization or group must implement corrective action to eliminate the cause of the failure, and also use continual improvement to enhance performance over time.

Purpose

The purpose of this standard is to provide definitions of generic terms and subject-specific terms related to documents made by ISO/TC 292. This document covers many of the standards seen throughout the ISO 223XX family. The main focus is to encourage a mutual and consistent understanding and use of uniform terms and definitions in the field of security and resilience. This standard can also be used by lawyers and companies to agree on contracts. The vocabulary in this standard solves any issues with disagreements on terms.

Application

This document can be used as a reference by competent authorities and specialists involved in standardization systems as a way to universally and accurately understand the topics shown. This standard can also be used to solve any issues with language barriers as different countries around the world can easily use ISO 22300:2025 to agree on any definitions. This standard is also used by individuals studying for certain licenses, in which the definitions in this standard are a part of tests and textbooks.

Related standards

All standards developed by ISO/TC 292 makes a normative reference to ISO 22300 and uses this as common terminology for the ISO 22300 family of standards including ISO 28000.
This standard was originally developed by the ISO Technical Committee ISO/TC 223 to set terms and definitions applicable to societal security. The committee was first formed to handle emergency management and disaster response, rather than just business risks as ISO 22300:2025 is. The original standard only had 76 terms as it was mainly focused on societal security such as governments and NGOs.
The ISO/TC 223 later dissolved in June 2014, when the Technical management board of ISO created the new ISO technical committee ISO/TC 292. This new committee was the amalgamation of three technical committees: ISO/TC 223, ISO/TC 247, and ISO/PC 284. ISO/TC 247 focused mainly on standardization in the field of the detection, prevention and control of identity, financial, product and other forms of social and economic fraud. ISO/PC 284 focused on standardization in the field of management system for private security companies. These three committees all shared similar terms and applications.
All of these committees dissolved alongside ISO/TC 223 in June of 2014. The new committee's goal was to create standardization in the field of security to enhance the safety and resilience of society. Since its creation, the committee is responsible for publishing 57 ISO standards, of which 47 were directly under their responsibility. Since the 2nd Edition, this new technical committee has prepared ISO 22300.
The latest version, the 4th Edition, was released on November 6th of 2025 and is currently set to enter its review stage next. The 4th Edition was proposed in October of 2022 and entered multiple stages in order to get to its publication. The latest version replaces the edition released in 2021.
DescriptionReleasedMain Changes From Previous EditionsNumber of TermsProject leader
ISO 22300:2012 May 2012
N/A		76-
ISO 22300:2018 February 2018
  • Terms added from recent published documents and documents transferred to ISO/TC 292
277Norma McGormick
ISO 22300:2021 February 2021
  • Terms added from recent published documents and documents transferred to ISO/TC 292
  • Terminological entries separated into subclauses by subject matter
    		• 360Norma McGormick
    ISO 22300:2025 November 2025
  • Removal of terms that are not commonly used across the portfolio of ISO/TC 292 standards and are very specific to particular standards
  • Definitions for some terms have been modified to be more generic and applicable across the portfolio of ISO/TC 292 standards;
  • Inclusion of new terms and definitions from recent published documents and documents transferred to ISO/TC 292
  • The structure of the document has been revised to make the document more concise and user friendly.
    		• 130Stefan Tangen