ISO 27001 AND ISO 27002* PLAIN ENGLISH DEFINITIONS
*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005
Asset - Availability - Confidentiality - Control - Corrective Action - Document
Information Processing Facility - Information Security - Information Security Event
Information Security Incident - Information Security Management System (ISMS)
Information Security Policy - Integrity - Management Review - Owner - PDCA Model
Policy - Preventive Action - Procedure - Process - Process Approach - Record
Requirement - Residual Risk - Risk - Risk Acceptance - Risk Analysis
Risk Assessment - Risk Evaluation - Risk Management - Risk Treatment
Standard - Statement of Applicability - Third Party - Threat - Vulnerability
Asset: In the context of ISO 27001 and ISO 27002, an asset is any tangible or intangible thing that has value to an organization.

Availability: Availability is a characteristic that applies to assets. An asset is available if it is accessible and usable when needed by an authorized entity. In the context of this standard, assets include things like information, systems, facilities, networks, and computers. All of these assets must be available to authorized entities when they need to access or use them.

Confidentiality: Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.

Control: A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are safeguards or countermeasures. Controls include things like practices, policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.

Corrective actions: Corrective actions are steps that are taken to address existing nonconformities and make improvements. Corrective actions deal with actual nonconformities (problems), ones that have already occurred. They solve existing problems by removing their causes. In general, the corrective action process can be thought of as a problem solving process.

Document: The term document refers to information and the medium that is used to bring it into existence. Documents can take any form or use any type of medium. The extent of your ISMS documentation will depend on the scope of your ISMS, the complexity of your security requirements, the size of your organization, and the type of activities it carries out.

Information processing facility: An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

Information security: Information security is all about protecting and preserving information: its confidentiality, integrity, authenticity, availability, and reliability.

Information security event: An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.

Information security incident: An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of your information and weaken or impair your business operations.

Information security management system (ISMS): An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system.

Information security policy: An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.

Integrity: To preserve the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process and manage it.

Management review: The purpose of a management review is to evaluate the overall performance of an organization's information security management system and to identify improvement opportunities.

Owner: In the context of ISO 27001 and ISO 27002, an owner is a person or entity that has been given formal responsibility for the security of an asset or asset category. It does not mean that the asset belongs to the owner in a legal sense. Asset owners are formally responsible for making sure that assets are secure while they are being developed, produced, maintained, and used.

PDCA model: PDCA stands for Plan-Do-Check-Act. ISO IEC 27001 says that every ISMS process should be structured using the PDCA model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).

Policy: A policy statement defines a general commitment, direction, or intention. An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.

Preventive actions: Preventive actions are steps that are taken to avoid potential nonconformities and make improvements. Preventive actions address potential nonconformities (problems), ones that haven't yet occurred. Preventive actions prevent the occurrence of problems by removing their causes. In general, the preventive action process can be thought of as a risk management process.

Procedure: Procedures control processes or activities. A well-defined procedure controls a logically distinct process or activity, including the associated inputs and outputs. Procedures can be very general or very detailed. A detailed procedure defines the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it explains what authority and what responsibility has been allocated, which supplies and materials should be used, and which documents and records must be used to carry out the work. While quality procedures may be documented or undocumented, ISO usually expects them to be documented.

Process: In general, a process uses resources to transform inputs into outputs. In every case, inputs are turned into outputs because some kind of work or activity is carried out. ISO IEC 27001 recommends that you structure your ISMS processes using the Plan-Do-Check-Act (PDCA) model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).

Process approach: The process approach is a management strategy. When managers use a process approach, it means that they control their processes, the interaction between these processes, and the inputs and outputs that “glue” these processes together. It means that they manage by focusing on processes and on inputs and outputs. ISO IEC 27001 suggests that you use a process approach to control your ISMS processes.

Record: A record is a document that contains objective evidence which shows how well activities are being performed or what kind of results are actually being achieved. It always documents what has happened in the past. Records can take any form or use any type of medium.

Requirement: A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include security requirements, contractual requirements, management requirements, regulatory requirements, and legal requirements.

Residual risk: Residual risk is the risk left over after you’ve implemented a risk treatment decision. It’s the risk remaining after you’ve done one of the following: accepted the risk, avoided the risk, transferred the risk, or reduced the risk.

Risk: The concept of risk combines three ideas: it selects an event, and then combines its probability with its potential impact. It asks two questions: what is the probability that a particular event will occur in the future? And what negative impact would this event have if it actually occurred? So, a high risk event would have both a high probability of occurring and a big negative impact if it occurred. The concept of risk is always future oriented: it worries about the impact events could have in the future.

Risk acceptance: Risk acceptance is part of the risk treatment decision making process. Risk acceptance means that you’ve decided that you can live with a particular risk.

Risk analysis: Risk analysis uses information to identify possible sources of risk. It uses information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? And what impact would it have if it actually occurred?

Risk assessment: A risk assessment combines two techniques: a risk analysis and a risk evaluation.

Risk evaluation: A risk evaluation compares the estimated risk with a set of risk criteria. This is done in order to determine how significant the risk really is. The estimated risk is established by means of a risk analysis.

Risk management: Risk management is a process that includes four activities: risk assessment, risk acceptance, risk treatment, and risk communication. Risk management includes all of the activities that an organization carries out in order to manage and control risk.

Risk treatment: Risk treatment is a decision making process. For each risk, risk treatment involves choosing amongst at least four options: accept the risk, avoid the risk, transfer the risk, or reduce the risk. In general, risks are treated by selecting and implementing measures designed to modify risk.
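The risk vocabulary defined above (risk analysis, risk evaluation, risk assessment, risk treatment, risk acceptance, residual risk) carried through as a small worked risk register. This is an added example, not part of the Praxiom glossary or of the standard itself; the 1-5 likelihood and impact scales, the acceptance threshold of 6, the way each treatment option changes the score, and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed risk criteria (an assumption for this example, not taken from the
# standard): risk = likelihood (1-5) x impact (1-5); above 6 it is unacceptable.
ACCEPTANCE_THRESHOLD = 6

@dataclass(frozen=True)
class Risk:
    asset: str          # anything of value to the organization
    threat: str         # potential event that could harm the asset
    vulnerability: str  # weakness the threat could exploit
    likelihood: int     # probability the event occurs: 1 (rare) .. 5 (near certain)
    impact: int         # harm if it does occur: 1 (negligible) .. 5 (severe)

def analyse(risk: Risk) -> int:
    """Risk analysis: estimate the risk from probability and potential impact."""
    return risk.likelihood * risk.impact

def evaluate(estimate: int, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
    """Risk evaluation: compare the estimate with the risk criteria (True = acceptable)."""
    return estimate <= threshold

def assess(register: list[Risk]) -> dict[str, tuple[int, bool]]:
    """Risk assessment = analysis + evaluation, run over a whole risk register."""
    return {r.asset: (analyse(r), evaluate(analyse(r))) for r in register}

def treat(risk: Risk, option: str, likelihood=None, impact=None) -> Risk:
    """Risk treatment: apply one of the four options; the result is the residual risk."""
    if option not in ("accept", "avoid", "transfer", "reduce"):
        raise ValueError(f"unknown treatment option {option!r}")
    if option == "accept":
        return risk                          # risk acceptance: residual risk == current risk
    if option == "avoid":
        return replace(risk, likelihood=0)   # activity stopped, so the event cannot occur
    # "transfer" moves the impact elsewhere (e.g. an insurer); "reduce" applies a control
    # that lowers likelihood and/or impact. Either way the caller supplies the new values.
    return replace(risk,
                   likelihood=risk.likelihood if likelihood is None else likelihood,
                   impact=risk.impact if impact is None else impact)

def residual(risk: Risk, option: str, **changes) -> tuple[int, bool]:
    """Residual risk after treatment, and whether it now meets the criteria."""
    est = analyse(treat(risk, option, **changes))
    return est, evaluate(est)

# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", 4, 5),
    Risk("public website", "defacement", "weak CMS password", 3, 2),
    Risk("staff laptop", "theft", "no disk encryption", 3, 4),
]
```

Running `assess(REGISTER)` flags the database (20) and the laptop (12) as unacceptable and the website (6) as acceptable; `residual(REGISTER[0], "reduce", likelihood=2, impact=3)` then shows the database risk brought to 6 by patching plus offline backups, which is the residual risk that gets formally accepted.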
Standard: A standard is a document. It is a set of rules that control how people develop and manage materials, products, services, technologies, tasks, processes, and systems. ISO IEC standards are agreements. ISO IEC refers to them as agreements because its members must agree on content and give formal approval before they are published. ISO IEC standards are developed by technical committees. Members of these committees come from many different countries. Therefore, ISO standards tend to have very broad support.

Statement of applicability: A Statement of Applicability is a document that lists your organization’s information security control objectives and controls. In order to figure out what your organization’s unique information security controls and control objectives should be, you need to carry out a risk assessment, select risk treatments, identify all relevant legal and regulatory requirements, study your contractual obligations, and review your organization’s own business needs and requirements. Once you’ve done all of this, you should be ready to prepare your organization’s unique Statement of Applicability.

Third party: In the context of a specific issue, a third party is any person or body that is recognized as independent of the people directly involved with the issue in question.

Threat: A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.

Vulnerability: A vulnerability is a weakness in an asset or group of assets. An asset’s weakness could allow it to be exploited and harmed by one or more threats.
Contact information: Praxiom Research Group Limited, 9619 - 100A Street, Edmonton, Alberta, T5K 0V7, Canada. Phone: (780)461-4514. Fax: (780)463-6034. info@praxiom.com
Copyright © 2006 - 2008 by Praxiom Research Group Limited. All Rights Reserved.
This web page was updated on April 28, 2008
On the Web since May 25, 1997