Before year’s end, we will see the launch of a new international standard for protective security.

ISO 22340:2022 Security and resilience – Protective Security – Guidelines for an enterprise protective security architecture and framework will be:

  • The first international enterprise-level protective security standard
  • The first national standard of its type if, as is intended, it is adopted by Australia as AS ISO 22340:2022.
  • Consistent with the principles and approach of the Australian Government Protective Security Policy (PSPF).

What are the implications?

In short, the implications of this new standard will be far-reaching.

In Australia, protective security principles are increasingly embedded in government thinking and practice at the Federal and State/Territory levels as a consequence of the rollout of the PSPF. Not so the private sector, which with some notable exceptions, is replete with critical, un-remediated protective security vulnerabilities. And yet, since the 1990s, the private sector has become intimately involved in areas of direct relevance to national security and the national interest in general, without commensurate adjustments in security posture. In the current ambiguous security environment, many organisations are not just limited in their ability to manage security risk. They are in fact fundamentally blind to the diversity of emerging security threat actors despite their sensitive information, valuable IP or delicate operations.

Furthermore, although the national security implications have been obvious for decades, there are signs of change, finally. As the global security environment becomes increasingly contested, organisations are realising – some more than others – that their security postures need to be adjusted accordingly: evidence the acceptance and implementation by Australian universities of government guidelines on countering foreign interference. Nothing remotely like this happened during the Cold War, even at its height.

There is a critical need here: a growing hunger for guidance on how to develop and implement the arrangements through which protective security principles and practices can be embedded and strategically aligned.

How will the new standard assist?

Readily and significantly

First and foremost, the new standard will assist simply by being available; as the reference point for any Australian organisation in rigorising and integrating their protective security. Further, as the Australian standard on protective security, it will provide a salutary incentive across the Australian community for organisations to conform with the principles it contains. Just as AS ISO 31000:2018 Risk management¾Guidelines is referenced in relevant legal, regulatory and policy frameworks, including the PSPF, so too will be the case for ISO 22340, placing protective security principles squarely in the mainstream of corporate governance. Increasingly, only the imprudent will treat security as a discretionary overhead to be ticked, flicked and minimised.

Also, for all those security professionals who have been advising ad nausiam that security management should be principles-based; and perish the thought, that organisations should, say, install a single point of truth, accountability and responsibility for managing all security risk, ISO 22340 will provide necessary guidance. Importantly as well, being consistent with the PSPF, the content of the standard will come as no great surprise to security professionals.

The new standard will be a powerful tailwind for the entire Australian community in responding to the current global and national security context.


ISO 22340:2022 is at its penultimate stage of development and will shortly be released for international ballot as a final draft international standard, or FDIS. Following resolution of the resulting commentary, the amended draft will then be ready for release.

In the meantime, from me to you all in these concerning times, best wishes in breaking down the evidence, doing the risk and advising soundly/adjusting appropriately.


As the primary author of ISO 22340 and the ISO project convener, I wish to acknowledge the collaborative work of some wonderful professionals: Jason Brown, Anna Harris, Alex Webling, Julian Talbot, Adam Incher, Matt Warmington, David Harding and Robert Gore, who assisted in the drafting and QA of the new standard. In addition, the ISO project team members have been tireless in their commitment to the project, including representatives from France, Germany, Japan, Norway, Sweden, Republic of Korea, United Kingdom, United States of America and others. In short, a great many professionals around the world consider this work to be an important enhancement to the security and safety of the international community and have been united in common cause in delivering it.


Matthew Curtis
Principal, Curtis Incorporated
Member, ISO/TC 292 Security and resilience and ISO/TC 292-06 Protective security
Project convener and primary author, ISO 22340
Convener, Standards Australia sub-committee, MB-025-06 Protective Security.

Matthew Curtis
Matthew consults in the government and corporate sectors on risk, governance and management. With extensive Foreign Service experience, Matthew has worked and led in fields ranging through diplomacy, policy development and implementation, legal and litigation matters, industry regulation and negotiation. His consulting draws on high-level strategic and relationship management skills as well as effective policy and operational experience.