ISO 27001 AND ISO 27002*

PLAIN ENGLISH DEFINITIONS


*ISO IEC 27002 2005 was previously known as ISO IEC 17799 2005


ISO 27001 and 17799 Information Security Definitions

Asset - Availability - Confidentiality - Control - Corrective Action - Document

Information Processing Facility - Information Security - Information Security Event

Information Security Incident - Information Security Management System (ISMS)

Information Security Policy - Integrity - Management Review - Owner - PDCA Model

Policy - Preventive Action - Procedure - Process - Process Approach - Record

Requirement - Residual Risk - Risk - Risk Acceptance - Risk Analysis

Risk Assessment - Risk Evaluation - Risk Management - Risk Treatment

Standard - Statement of Applicability - Third Party - Threat - Vulnerability

Asset

In the context of ISO 27001 and ISO 27002, an asset is any tangible or intangible thing that has value to an organization.
Availability

Availability is a characteristic that applies to assets. An asset is available if it is accessible and usable when needed by an authorized entity. In the context of this standard, assets include things like information, systems, facilities, networks, and computers. All of these assets must be available to authorized entities when they need to access or use them.
Confidentiality

Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.
Control

A control is any administrative, management, technical, or legal method that is used to manage risk. Controls are safeguards or countermeasures. Controls include things like practices, policies, procedures, programs, techniques, technologies, guidelines, and organizational structures.
Corrective actions

Corrective actions are steps that are taken to address existing nonconformities and make improvements. Corrective actions deal with actual nonconformities (problems), ones that have already occurred. They solve existing problems by removing their causes. In general, the corrective action process can be thought of as a problem solving process.
Document

The term document refers to information and the medium that is used to bring it into existence. Documents can take any form or use any type of medium. The extent of your ISMS documentation will depend on the scope of your ISMS, the complexity of your security requirements, the size of your organization, and the type of activities it carries out.
Information processing facility

An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

Information security

Information security is about protecting and preserving information: specifically, its confidentiality, integrity, authenticity, availability, and reliability.
Information security event

An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.
Information security incident

An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of your information and weaken or impair your business operations.
Information security management system (ISMS)

An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system.
Information security policy

An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.
Integrity

To preserve the integrity of information means to protect the accuracy and completeness of information and the methods that are used to process and manage it.
Management review

The purpose of a management review is to evaluate the overall performance of an organization's information security management system and to identify improvement opportunities.
Owner

In the context of ISO 27001 and ISO 27002, an owner is a person or entity that has been given formal responsibility for the security of an asset or asset category. It does not mean that the asset belongs to the owner in a legal sense. Asset owners are formally responsible for making sure that assets are secure while they are being developed, produced, maintained, and used.
PDCA model

PDCA stands for Plan-Do-Check-Act. ISO IEC 27001 says that every ISMS process should be structured using the PDCA model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).
Policy

A policy statement defines a general commitment, direction, or intention. An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.
Preventive actions

Preventive actions are steps that are taken to avoid potential nonconformities and make improvements. Preventive actions address potential nonconformities (problems), ones that haven't yet occurred. Preventive actions prevent the occurrence of problems by removing their causes. In general, the preventive action process can be thought of as a risk management process.
Procedure

Procedures control processes or activities. A well defined procedure controls a logically distinct process or activity, including the associated inputs and outputs.

Procedures can be very general or very detailed, or anywhere in between. While a general procedure could take the form of a simple flow diagram, a detailed procedure could be a one page form or it could be several pages of text.

A detailed procedure defines the work that should be done, and explains how it should be done, who should do it, and under what circumstances. In addition, it explains what authority and what responsibility has been allocated, which supplies and materials should be used, and which documents and records must be used to carry out the work. While quality procedures may be documented or undocumented, ISO usually expects them to be documented.

Process

In general, a process uses resources to transform inputs into outputs. In every case, inputs are turned into outputs because some kind of work or activity is carried out. ISO IEC 27001 recommends that you structure your ISMS processes using the Plan-Do-Check-Act (PDCA) model. This means that every process should be planned (Plan); implemented, operated, and maintained (Do); monitored, audited, and reviewed (Check); and improved (Act).
Process approach

The process approach is a management strategy. When managers use a process approach, it means that they control their processes, the interaction between these processes, and the inputs and outputs that “glue” these processes together. It means that they manage by focusing on processes and on inputs and outputs. ISO IEC 27001 suggests that you use a process approach to control your ISMS processes.
Record

A record is a document that contains objective evidence which shows how well activities are being performed or what kind of results are actually being achieved. It always documents what has happened in the past. Records can take any form or use any type of medium.
Requirement

A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. There are many types of requirements. Some of these include security requirements, contractual requirements, management requirements, regulatory requirements, and legal requirements.
Residual risk

Residual risk is the risk left over after you’ve implemented a risk treatment decision. It’s the risk remaining after you’ve done one of the following: accepted the risk, avoided the risk, transferred the risk, or reduced the risk.
Risk

The concept of risk combines three ideas: it selects an event, and then combines its probability with its potential impact. It asks two questions: what is the probability that a particular event will occur in the future? And what negative impact would this event have if it actually occurred?

So, a high risk event would have both a high probability of occurring and a big negative impact if it occurred. The concept of risk is always future oriented: it worries about the impact events could have in the future.

Risk acceptance

Risk acceptance is part of the risk treatment decision making process. Risk acceptance means that you’ve decided that you can live with a particular risk.
Risk analysis

Risk analysis uses information to identify possible sources of risk. It uses information to identify threats or events that could have a harmful impact. It then estimates the risk by asking: what is the probability that this event will actually occur in the future? And what impact would it have if it actually occurred?
Risk assessment

A risk assessment combines two techniques: a risk analysis and a risk evaluation.
Risk evaluation

A risk evaluation compares the estimated risk with a set of risk criteria. This is done in order to determine how significant the risk really is. The estimated risk is established by means of a risk analysis.
Risk management

Risk management is a process that includes four activities: risk assessment, risk acceptance, risk treatment, and risk communication. Risk management includes all of the activities that an organization carries out in order to manage and control risk.
Risk treatment

Risk treatment is a decision making process. For each risk, risk treatment involves choosing amongst at least four options: accept the risk, avoid the risk, transfer the risk, or reduce the risk. In general, risks are treated by selecting and implementing measures designed to modify risk.
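The chain of definitions above (risk analysis, risk evaluation, risk assessment, risk treatment and residual risk) worked through as one added Python example; it is not part of the original page. The 1..5 scoring scale, the likelihood-times-impact formula, the acceptance threshold and the sample risk register are all assumptions constructed for the example, not values taken from the standard.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed risk criteria: scores 1..5, level = likelihood * impact; a level above the threshold is unacceptable untreated.
SCALE, ACCEPTANCE_THRESHOLD = range(1, 6), 6

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int
    impact: int
    treatment: str = "accept"                  # accept | avoid | transfer | reduce
    residual_likelihood: Optional[int] = None  # estimate after treatment, if changed
    residual_impact: Optional[int] = None

def analyse(r):
    """Risk analysis: estimate the risk from probability and impact."""
    if r.likelihood not in SCALE or r.impact not in SCALE:
        raise ValueError(f"{r.asset}: scores must be in 1..5")
    return r.likelihood * r.impact

def evaluate(level):
    """Risk evaluation: compare the estimated risk with the risk criteria."""
    return "acceptable" if level <= ACCEPTANCE_THRESHOLD else "unacceptable"

def residual(r):
    """Residual risk once the treatment decision has been applied."""
    if r.treatment == "avoid":                 # activity dropped, event cannot occur
        return 0
    like = r.likelihood if r.residual_likelihood is None else r.residual_likelihood
    imp = r.impact if r.residual_impact is None else r.residual_impact
    return like * imp

def assess(register):
    """Risk assessment = analysis + evaluation, before and after treatment."""
    rows = []
    for r in register:
        inherent, left = analyse(r), residual(r)
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": inherent,
                     "evaluation": evaluate(inherent), "treatment": r.treatment,
                     "residual": left, "residual_evaluation": evaluate(left)})
    return rows

REGISTER = [  # constructed sample risk register, not real data
    Risk("customer DB", "data theft", 4, 5, "reduce", residual_likelihood=1),
    Risk("public website", "defacement", 3, 2),                   # accepted as-is
    Risk("legacy FTP service", "credential sniffing", 5, 3, "avoid"),
    Risk("laptops", "loss in transit", 3, 4, "transfer", residual_impact=3),
]
```

The last register entry shows the case a reviewer should look for: a treatment was chosen, yet the residual risk still fails the evaluation, so the risk needs further treatment or an explicit acceptance decision.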
Standard

A standard is a document. It is a set of rules that control how people develop and manage materials, products, services, technologies, tasks, processes, and systems.

ISO IEC standards are agreements. ISO IEC refers to them as agreements because its members must agree on content and give formal approval before they are published.

ISO IEC standards are developed by technical committees. Members of these committees come from many different countries. Therefore, ISO standards tend to have very broad support.

Statement of applicability

A Statement of Applicability is a document that lists your organization’s information security control objectives and controls. In order to figure out what your organization’s unique information security controls and control objectives should be, you need to carry out a risk assessment, select risk treatments, identify all relevant legal and regulatory requirements, study your contractual obligations, and review your organization’s own business needs and requirements. Once you’ve done all of this, you should be ready to prepare your organization’s unique Statement of Applicability.
Third party

In the context of a specific issue, a third party is any person or body that is recognized as independent of the people directly involved with the issue in question.

Threat

A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.
Vulnerability

A vulnerability is a weakness in an asset or group of assets. An asset’s weakness could allow it to be exploited and harmed by one or more threats.

CONTACT INFORMATION
 
Praxiom Research Group Limited
9619 - 100A Street, Edmonton,
Alberta, T5K 0V7, Canada
Phone: (780)461-4514
Fax: (780)463-6034

info@praxiom.com
 


Copyright © 2006 - 2008 by Praxiom Research Group Limited. All Rights Reserved.


This web page was updated on April 28, 2008

On the Web since May 25, 1997