ISO 27001 AND ISO 27002

PLAIN ENGLISH DEFINITIONS

ISO 27002 2005 was previously known as ISO 17799 2005

Asset

In the context of ISO 27001 and ISO 27002, an asset is any
tangible or intangible thing that has value to an organization.

Availability

Availability is a characteristic that applies to assets.
An asset is available if it is accessible and usable when
needed by an authorized entity. In the context of this
standard, assets include things like information, systems,
facilities, networks, and computers. All of these assets
must be available to authorized entities when they
need to access or use them.

Confidentiality

Confidentiality is a characteristic that applies to information.
To protect and preserve the confidentiality of information
means to ensure that it is not made available or disclosed
to unauthorized entities. In this context, entities include
both individuals and processes.

Control

A control is any administrative, management, technical,
or legal method that is used to manage risk. Controls are
safeguards or countermeasures. Controls include things
like practices, policies, procedures, programs, techniques,
technologies, guidelines, and organizational structures.

Corrective actions

Corrective actions are steps that are taken to address existing
nonconformities and make improvements. Corrective actions
deal with actual nonconformities (problems), ones that have
already occurred. They solve existing problems by removing
their causes. In general, the corrective action process can be
thought of as a problem solving process.

Document

The term document refers to information and the medium
that is used to bring it into existence. Documents can take
any form or use any type of medium. The extent of your ISMS
documentation will depend on the scope of your ISMS, the
complexity of your security requirements, the size of your
organization, and the type of activities it carries out.

Information processing facility

An information processing facility is defined as any system,
service, or infrastructure, or any physical location that houses
these things. A facility can be either an activity or a place;
it can be either tangible or intangible.

Information security

Information security is all about protecting and preserving
information. It’s all about protecting and preserving the
confidentiality, integrity, authenticity, availability, and
reliability of information.

Information security event

An information security event indicates that the security of
an information system, service, or network may have been
breached or compromised. An information security event
indicates that an information security policy may have
been violated or a safeguard may have failed.

Information security incident

An information security incident is made up of one or more
unwanted or unexpected information security events that
could very likely compromise the security of your information
and weaken or impair your business operations.

Information security management system (ISMS)

An information security management system (ISMS) includes
all of the policies, procedures, plans, processes, practices,
roles, responsibilities, resources, and structures that
are used to protect and preserve information. It includes all
of the elements that organizations use to manage and
control their information security risks. An ISMS is
part of a larger management system.

Information security policy

An information security policy statement expresses
management’s commitment to the implementation,
maintenance, and improvement of its information
security management system.

Integrity

To preserve the integrity of information means to protect
the accuracy and completeness of information and the
methods that are used to process and manage it.

Management review

The purpose of a management review is to evaluate the
overall performance of an organization's information
security management system and to identify
improvement opportunities.

Owner

In the context of ISO 27001 and ISO 27002, an owner is a
person or entity that has been given formal responsibility
for the security of an asset or asset category. It does not
mean that the asset belongs to the owner in a legal sense.
Asset owners are formally responsible for making sure
that assets are secure while they are being developed,
produced, maintained, and used.

PDCA model

PDCA stands for Plan-Do-Check- Act. ISO IEC 27001 says
that every ISMS process should be structured using the
PDCA model. This means that every process should be
planned (Plan); implemented, operated, and maintained (Do);
monitored, audited, and reviewed (Check); and improved (Act).

Policy

A policy statement defines a general commitment,
direction, or intention. An information security policy
statement expresses management’s commitment to
the implementation, maintenance, and improvement
of its information security management system.

Preventive actions

Preventive actions are steps that are taken to avoid
potential nonconformities and make improvements.
Preventive actions address potential nonconformities
(problems), ones that haven't yet occurred. Preventive
actions prevent the occurrence of problems by removing
their causes. In general, the preventive action process
can be thought of as a risk management process.

Procedure

Procedures control processes or activities. A well defined
procedure controls a logically distinct process or activity,
including the associated inputs and outputs.

Procedures can be very general or very detailed, or anywhere
in between. While a general procedure could take the form of a
simple flow diagram, a detailed procedure could be a one page
form or it could be several pages of text.

A detailed procedure defines the work that should be done,
and explains how it should be done, who should do it, and
under what circumstances. In addition, it explains what
authority and what responsibility has been allocated,
which supplies and materials should be used, and which
documents and records must be used to carry out the work.
While procedures may be documented or undocumented,
ISO usually expects them to be documented.

Process

In general, a process uses resources to transform inputs
into outputs. Inputs are turned into outputs because some
kind of work or activity is carried out.  

ISO IEC 27001 recommends that you structure your ISMS
processes using the Plan-Do-Check-Act (PDCA) model.
This means that every process should be planned (Plan);
implemented, operated, and maintained (Do); monitored,
audited, and reviewed (Check); and improved (Act).

Process approach

The process approach is a management strategy. When
managers use a process approach, it means that they control
their processes, the interaction between these processes, and
the inputs and outputs that “glue” these processes together.
It means that they manage by focusing on processes and on
inputs and outputs. ISO IEC 27001 suggests that you use
a process approach to control your ISMS processes.

Record

A record is a document that contains objective evidence
which shows how well activities are being performed or
what kind of results are actually being achieved. It always
documents what has happened in the past. Records can
take any form or use any type of medium.

Requirement

A requirement is a need, expectation, or obligation. It can be
stated or implied by an organization, its customers, or other
interested parties. There are many types of requirements.
Some of these include security requirements, contractual
requirements, management requirements, regulatory
requirements, and legal requirements.

Residual risk

Residual risk is the risk left over after you’ve implemented
a risk treatment decision. It’s the risk remaining after you’ve
done one of the following: accepted the risk, avoided the
risk, transferred the risk, or reduced the risk.

Risk

The concept of risk combines three ideas: it selects an event,
and then combines its probability with its potential impact. It
asks two questions: what is the probability that a particular
event will occur in the future? And what negative impact
would this event have if it actually occurred?

So, a high risk event would have both a high probability
of occurring and a big negative impact if it occurred. The
concept of risk is always future oriented: it worries about
the impact events could have in the future.

Risk acceptance

Risk acceptance is part of the risk treatment decision
making process. Risk acceptance means that you’ve
decided that you can live with a particular risk.

Risk analysis

Risk analysis uses information to identify possible
sources of risk. It uses information to identify threats
or events that could have a harmful impact. It then
estimates the risk by asking: what is the probability
that this event will actually occur in the future? And
what impact would it have if it actually occurred?

Risk assessment

A risk assessment combines two techniques:
a risk analysis and a risk evaluation.

Risk evaluation

A risk evaluation compares the estimated risk with a set
of risk criteria. This is done in order to determine how
significant the risk really is. The estimated risk is
established by means of a risk analysis.

Risk management

Risk management is a process that includes four activities:
risk assessment, risk acceptance, risk treatment, and risk
communication. Risk management includes all of the
activities that an organization carries out in order
to manage and control risk.

Risk treatment

Risk treatment is a decision making process. For each risk,
risk treatment involves choosing amongst at least four
options: accept the risk, avoid the risk, transfer the risk,
or reduce the risk. In general, risks are treated by selecting
and implementing measures designed to modify risk.

Standard

A standard is a document. It is a set of rules that control how
people develop and manage materials, products, services,
technologies, tasks, processes, and systems.

ISO IEC standards are agreements. ISO IEC refers to them
as agreements because its members must agree on content
and give formal approval before they are published.

ISO IEC standards are developed by technical committees.
Members of these committees come from many different
countries. Therefore, ISO standards tend to have very
broad support.

Statement of applicability

A Statement of Applicability is a document that lists your
organization’s information security control objectives and
controls. In order to figure out what your organization’s
unique information security controls and control objectives
should be, you need to carry out a risk assessment, select
risk treatments, identify all relevant legal and regulatory
requirements, study your contractual obligations, and review
your organization’s own business needs and requirements.
Once you’ve done all of this, you should be ready to prepare
your organization’s unique Statement of Applicability.

Third party

In the context of a specific issue, a third party is any person
or body that is recognized as independent of the people
directly involved with the issue in question.

Threat

A threat is a potential event. When a threat turns into
an actual event, it may cause an unwanted incident.
It is unwanted because the incident may harm an
organization or system.

Vulnerability

A vulnerability is a weakness in an asset or group
of assets. An asset’s weakness could allow it to be
exploited and harmed by one or more threats.

OTHER ISO IEC 27001 2005 PAGES

Introduction to ISO 27001 Information Security

ISO 27001 Security Standard Translated into Plain English

Comparison of ISO 27001 and ISO 27002 Security Standards

Plain English Information Security Management Control Objectives

Information Security Management System Development Plan

Information Security Management Gap Analysis Tool

OTHER ISO IEC 27002 2005 (17799) PAGES

Introduction to ISO 27002 Information Security

Overview of ISO 27002 Information Security Standard

ISO 27002 2005 Security Standard Translated into Plain English

ISO 17799 2000 Security Standard Translated into Plain English

Information Security Management Control Objectives

Information Security Management Audit Tool

Our Libraries

A to Z Index

Our Customers

Our Products

Our Prices

Our Guarantee