Access control
Access control includes both access authorization and access restriction. It refers to all the steps that are taken to selectively authorize and restrict entry, contact, or use of assets. Access authorizations and restrictions are often established in accordance with business and security requirements.
Accountability
To make an entity accountable means to assign actions and decisions to that entity and to expect that entity to be answerable for those actions and decisions. Therefore, accountability is the state of being answerable for the actions and decisions that have been assigned.
Analytical model
An analytical model is an algorithm or calculation that combines one or more base or derived measures with a set of decision criteria. Analytical models are used to facilitate and support decision making.
Asset
An asset is any tangible or intangible thing or characteristic that has value to an organization. There are many types of assets. Some of these include obvious things like machines, facilities, patents, and software. But the term can also include less obvious things like services, information, and characteristics like reputation and image or skill and knowledge.
Attack
An attack is any unauthorized attempt to access, use, alter, expose, steal, disable, or destroy an asset.
Attribute
An attribute is any distinctive feature, characteristic, or property of an object that can be identified or isolated quantitatively or qualitatively by either human or automated means.
Audit
An audit is an evidence gathering process. Evidence is used to determine how well audit criteria are being met. Audits must be objective and independent, and the audit process must be both systematic and documented. Audits can be internal or external. Internal audits are referred to as first-party audits while external audits can be either second or third party. They can also be combined audits (when two or more management systems of different disciplines are audited together at the same time).
Audit scope
The scope of an audit is a statement that specifies the focus, extent, and boundary of a particular audit. The scope could be specified by defining the physical location of the audit, the organizational units that will be examined, the processes and activities that will be included, and the time period that will be covered.
Authentication
Authentication is a process that is used to confirm that a claimed characteristic of an entity is actually correct. To authenticate is to verify that a characteristic or attribute that appears to be true is in fact true.
Authenticity
Authenticity is a property or characteristic of an entity. An entity is authentic if it is what it claims to be.
Availability
Availability is a property or characteristic. Something is available if it is accessible and usable when an authorized entity demands access.
Base measure
A base measure is both an attribute or property of an entity and the method used to quantify it.
Business continuity
Business continuity is a corporate capability. An organization is capable of business continuity whenever it is capable of delivering its products and services at acceptable predefined levels after disruptive incidents occur. Organizations use business continuity procedures and processes to ensure that operations continue after disruptive incidents occur.
Competence
Competence means being able to apply knowledge and skill to achieve intended results. Being competent means having the knowledge and skill that you need and knowing how to apply it. Being competent means that you know how to do your job.
Confidentiality
Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.
Conformity
Conformity is the "fulfillment of a requirement". To conform means to meet or comply with requirements. There are many types of requirements. There are information security requirements, customer requirements, regulatory requirements, statutory requirements, and so on.
Consequence
A consequence is the outcome of an event. A single event can have a range of certain or uncertain consequences, and these consequences can influence how well an organization achieves its objectives. In addition, initial consequences can escalate through knock-on effects.
Context
An organization's context includes all of the internal and external issues that are relevant to its purpose and the influence these issues could have on its ability to achieve the objectives and outcomes that its ISMS intends to achieve.
An organization's internal context includes its approach to governance, its contractual relationships, and its capabilities and culture. Governance includes the organization's structure, policies, objectives, roles, accountabilities, and decision making process; and capabilities include its knowledge and its human, technological, and capital resources. An organization's external context includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, technological, economic, natural, and competitive environment.
In short, context includes all the internal and external factors and forces that your information security management system must be able to address. ISO IEC 27001 2013 expects you to consider your organization's internal and external context when you define the scope of its information security management system and when you plan its development.
Continual improvement
Continual improvement is a set of recurring activities that are carried out in order to enhance the performance of processes, products, services, systems, and organizations.
Control
In the context of information security management, a control is any administrative, managerial, technical, or legal method that is used to modify or manage information security risk. Controls can include things like practices, processes, policies, procedures, programs, tools, techniques, technologies, and organizational structures. Controls are also referred to as safeguards.
ISO IEC 27001 part 6.13 expects you to select the controls your organization needs in order to implement its risk treatment and carry out its risk treatment plan. Your list of controls makes up your Statement of Applicability. See ISO IEC 27001 2013 Annex A and ISO IEC 27002 2013 for a list of security control options.
Control objective
An information security control objective is a statement that describes what your information security controls are expected to achieve.
Correction
A correction is any action that is taken to eliminate a nonconformity. Corrections do not address causes (corrective actions address causes).
Corrective action
Corrective actions are steps that are taken to eliminate the causes of existing nonconformities in order to prevent recurrence. The corrective action process tries to make sure that existing potentially undesirable situations don't happen again.
Data
The term data is defined as a collection or set of values assigned to measures or indicators. A measure is a variable made up of values, and an indicator is a measure or variable that is used to evaluate or estimate an attribute or property of an object.
Decision criteria
Decision criteria are factors like thresholds, targets, or patterns. Decision criteria are used to determine whether action should be taken or whether further investigation is required before decisions can be made. Decision criteria are also used to evaluate results and to describe confidence levels.
Derived measure
A derived measure is a measure that is defined as a mathematical function of two or more values of base measures (a base measure is both an attribute of an entity and the method used to quantify it).
Documented information
The term documented information refers to information that must be controlled and maintained and its supporting medium. Documented information can be in any format and on any medium and can come from any source. Documented information includes information about the management system and related processes. It also includes all the information organizations need to operate and all the information used to document the results that they achieve.
In short, the term documented information is just a new name for what used to be called documents and records. But this change is significant. In the past, documents and records were to be treated differently. Now the same set of requirements applies to both documents and records.
Effectiveness
Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are actually carried out, and planned results are effective if these results are actually achieved.
Efficiency
Efficiency is a relationship between results achieved (outputs) and resources used (inputs). Efficiency can be enhanced by achieving more with the same or fewer resources. The efficiency of a process or system can be enhanced by achieving more or getting better results (outputs) with the same or fewer resources.
Event
An event could be one occurrence, several occurrences, or even no occurrence at all (when something doesn't happen that was supposed to happen). It can also be a change in circumstances. Events are sometimes referred to as incidents or accidents. Events always have causes and usually have consequences.
Executive management
The term executive management (or top management) refers to the people who are responsible for implementing the strategies and policies needed to achieve an organization's purpose. It includes chief executive officers, chief financial officers, chief information officers, and other similar roles. Executive managers are given this responsibility by a governing body (sometimes referred to as a board of directors).
External context
An organization's external context includes all of the factors and forces that exist beyond its own boundaries that influence how it tries to achieve its objectives. It includes its external stakeholders, its local, national, and international environment, as well as key drivers and trends that influence its objectives. It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.
Governance of information security
The governance of information security refers to the system that is used to direct and control an organization's information security activities.
Governing body
The term governing body refers to the people who are responsible for the overall performance and conformance of an organization.
Guidelines
In the context of this standard, guidelines are the steps that are taken to achieve objectives and implement policies. Guidelines clarify what should be done and how.
Indicator
An indicator is a measure or variable that is used to evaluate or estimate an attribute or property of an object. Indicators are often derived from analytical models and are used to address information needs.
Information need
An information need is an insight that is necessary or required in order to solve problems, to manage risks, and to achieve goals and objectives.
Information processing facility
An information processing facility is any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place, and it can be either tangible or intangible.
Information security
The purpose of information security is to protect and preserve the confidentiality, integrity, and availability of information. It may also involve protecting and preserving the authenticity and reliability of information and ensuring that entities can be held accountable.
Information security continuity
Information security continuity refers to an integrated set of policies, procedures, and processes that are used to ensure that a level of security continues during a disaster or crisis (when incidents occur or adverse situations exist). Continuity is achieved by identifying potential threats and vulnerabilities, by analyzing impacts, and by taking steps to build organizational resilience.
Information security event
An information security event is a system, service, or network state, condition, or occurrence that indicates that information security may have been breached or compromised, or that a security policy may have been violated, or that a control may have failed.
Information security incident
An information security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations.
Information security incident management
Information security incident management is a set of processes that organizations use to deal with information security incidents. It includes a detection process, a reporting process, an assessment process, a response process, and a learning process.
Information security management system
An information security management system (ISMS) includes all of the policies, procedures, documents, records, plans, guidelines, contracts, processes, practices, methods, activities, roles, resources, and structures that organizations use to protect and preserve information, to control information security risks, and to achieve business objectives. An ISMS is part of an organization's larger management system.
Since the definitions section of ISO IEC 27000 2014 (section 2) does not formally define the term information security management system, we have used the material found in ISO IEC 27000 2014 section 3.2 (and other sources) to develop our plain English definition.
Information sharing community
An information sharing community is a group of organizations that agree to share information.
Information system
An information system is any set of components that is used to handle information. Information systems include applications, services, or any other assets that handle information.
Integrity
Within the narrow context of information security, the term integrity means to protect the accuracy and completeness of information.
Internal context
An organization's internal context includes all of the factors and forces within its boundaries that influence how it tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities and culture. Governance includes the organization's structure, policies, objectives, roles, accountabilities, and decision making process; and capabilities include its knowledge and its human, technological, and capital resources.
ISMS projects
ISMS projects include all of the work that organizations do on their information security management systems (ISMSs).
Level of risk
The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks.
Likelihood
Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).
Management
The term management refers to all the activities that are used to coordinate, direct, and control organizations. In this context, the term does not refer to people. It refers to what managers do.
Management system
A management system is a set of interrelated or interacting elements that organizations use to establish policies and objectives and all the processes they need to ensure that policies are followed and objectives are achieved. These elements include structures, plans, documents, records, methods, tools, techniques, roles, responsibilities, relationships, and agreements.
There are many types of management systems. Some of these include information security management systems, quality management systems, environmental management systems, business continuity management systems, food safety management systems, risk management systems, disaster management systems, emergency management systems, and occupational health and safety management systems.
The scope or focus of a management system could be restricted to a specific function or section of an organization, or it could include the entire organization. It could even include a function that spans several organizations.
Measure
A measure is a variable made up of values. When measurement is carried out, a value (quantity) is assigned to a variable.
Measurement
Measurement is a process that is used to determine a value. In the context of information security management, measurement is a process that is used to obtain information about the effectiveness of an information security management system (ISMS) and the controls that it uses. Analytical models and decision criteria are used to evaluate measurement results and to decide whether action should be taken or whether further investigation is required before decisions can be made.
Measurement function
A measurement function is an algorithm or a calculation that combines two or more base measures. (A base measure is both an attribute or property of an entity and the method used to quantify it.)
Measurement method
A measurement method is a logical sequence of generic operations that uses measurement scales to quantify attributes. Measurement methods use either objective or subjective techniques to quantify attributes.
Measurement result
A measurement result addresses an information need and consists of one or more indicators together with details that explain how these indicators are to be interpreted.
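The measurement vocabulary defined above (base measure, measurement function, derived measure, decision criteria, analytical model, indicator, measurement result) chained together in code, as an added example that is not part of the original glossary. The patch records, the 14-day SLA, and the threshold values are constructed for illustration.

```python
"""Chain of ISO 27000 measurement terms worked through on constructed data
(added example, not from the glossary): base measures -> measurement
function -> derived measure -> analytical model with decision criteria ->
indicator -> measurement result that addresses an information need."""
from dataclasses import dataclass
from datetime import date

# Constructed sample: (host, date a critical patch was released, date it
# was applied or None if still outstanding). Not real data.
PATCH_RECORDS = [
    ("web-01", date(2024, 3, 1), date(2024, 3, 5)),
    ("web-02", date(2024, 3, 1), date(2024, 3, 20)),
    ("db-01", date(2024, 3, 1), None),
    ("app-01", date(2024, 3, 1), date(2024, 3, 9)),
    ("app-02", date(2024, 3, 1), date(2024, 3, 3)),
]

PATCH_SLA_DAYS = 14  # assumed policy requirement for critical patches


# Base measures: an attribute of an entity plus the method used to quantify it.
def base_total_hosts(records):
    """Attribute: hosts in scope. Method: count the records."""
    return len(records)


def base_hosts_patched_within_sla(records, sla_days=PATCH_SLA_DAYS):
    """Attribute: timely patching. Method: count hosts patched within the SLA."""
    return sum(
        1 for _, released, applied in records
        if applied is not None and (applied - released).days <= sla_days
    )


# Measurement function: combines the two base measures into a derived measure.
def derived_patch_compliance_ratio(records):
    total = base_total_hosts(records)
    return base_hosts_patched_within_sla(records) / total if total else 0.0


# Decision criteria: thresholds that decide whether action is needed.
# Ordered from best to worst; the first matching threshold applies.
DECISION_CRITERIA = [  # (minimum ratio, status, required action)
    (0.95, "green", "no action"),
    (0.80, "amber", "investigate before deciding"),
    (0.0, "red", "corrective action required"),
]


@dataclass
class Indicator:
    name: str
    value: float
    status: str
    action: str


# Analytical model: derived measure combined with decision criteria -> indicator.
def analytical_model(records):
    ratio = derived_patch_compliance_ratio(records)
    for threshold, status, action in DECISION_CRITERIA:
        if ratio >= threshold:
            return Indicator("critical patch SLA compliance", ratio, status, action)


# Measurement result: the indicator plus how to interpret it, answering the
# information need that motivated the measurement.
def measurement_result(records):
    ind = analytical_model(records)
    return {
        "information_need": "Are critical patches applied within the SLA?",
        "indicator": ind,
        "interpretation": (
            f"{ind.value:.0%} of hosts met the {PATCH_SLA_DAYS}-day SLA; "
            f"status {ind.status}: {ind.action}."
        ),
    }


if __name__ == "__main__":
    print(measurement_result(PATCH_RECORDS)["interpretation"])
```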
Monitor
To monitor means to determine the status of an activity, process, or system. In order to determine status, you may need to supervise and to continually check and critically observe the activity, process, or system that is being monitored.
Nonconformity
Nonconformity is a nonfulfillment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.
Nonrepudiation
Nonrepudiation services are used to provide undeniable proof that an alleged event actually happened or an alleged action was actually carried out, and that these events and actions were carried out by a particular entity and actually had a particular origin. Nonrepudiation is a way of guaranteeing that people cannot later deny that an event happened or an action was carried out by a particular entity.
Object
In this context, an object is any item that has attributes which can be characterized through measurement. Measurement is a process or method that is used to obtain information about the effectiveness of an information security management system (ISMS) and the controls that it uses.
Objective
An objective is a result you wish to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. A variety of words can be used to express objectives. These include words like target, aim, goal, purpose, or intended outcome.
Organization
An organization can be a single person or a group that achieves its objectives by using its own functions, responsibilities, authorities, and relationships. It can be a company, corporation, enterprise, partnership, charity, or institution, and can be either incorporated or unincorporated and either privately or publicly owned. It can also be a single operating unit that is part of a larger entity.
Outsource
When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process usually done in-house.
Performance
A performance is a measurable result that is achieved by an activity, process, product, service, system, or organization. This definition allows us to consider performance in general terms. It allows us to think about the measurement of organizational performance, process performance, product performance, service performance, systemic performance, and so on. Such measurements can be either quantitative or qualitative.
Policy
A policy statement defines a general commitment, direction, or intention. An information security policy statement should express management's formal commitment to the implementation and improvement of its information security management system (ISMS) and should include information security objectives or facilitate their development.
Procedure
A procedure is a way of carrying out a process or activity. Procedures may or may not be documented. ISO IEC 27001 and 27002 sometimes ask you to document a procedure and sometimes leave it up to you to decide.
Process
A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs.
Record
Records provide evidence that activities have been performed or results have been achieved. Records always document the past.
Reliability
Reliability is a property of something and means consistency. Something is reliable if it behaves consistently or produces consistent results.
Requirement
A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document, for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary.
Residual risk
Residual risk is the risk left over after you've implemented a risk treatment option. It's the risk remaining after you've reduced the risk, removed the source of the risk, modified the consequences, transferred the risk, or retained the risk.
Review
A review is an activity. Its purpose is to determine how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject of the review a suitable, adequate, effective, and efficient way of achieving established objectives?
Review object
A review object is the item or thing being reviewed.
Review objective
A review objective is a statement that describes what a review is intended or expected to achieve.
Risk
According to ISO 31000, risk is the "effect of uncertainty on objectives" and an effect is a positive or negative deviation from what is expected. The following paragraph will explain what this means.
ISO 31000 recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there's always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed, and every outcome is uncertain. Whenever we try to achieve an objective, we don't always get the results we expect. Sometimes we get positive results, sometimes we get negative results, and occasionally we get both. Because of this, ISO 31000 wants us to reduce uncertainty as much as possible.
Information security risk
Information security risk is often expressed as a combination of two factors: probability and consequences. It asks two basic questions: what is the probability that a particular information security event will occur in the future? And what consequences would this event produce or what impact would it have if it actually occurred?
Information security risks often emerge because potential security threats are identified that could exploit vulnerabilities in an information asset or group of assets and therefore cause harm to an organization.
Risk acceptance
Risk acceptance means that you've deliberately decided that you can live with or tolerate a particular risk or that you're prepared to take a particular risk. Accepted risks should be monitored and periodically reviewed. While risk acceptance is normally part of the risk treatment decision making process, it can occur outside of this process.
Risk analysis
Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that have been identified and to estimate the level of risk. Risk analysis results are used to carry out risk evaluations and to make risk treatment decisions. How detailed your risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information you have, and the resources available.
Risk assessment
Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.
Risk communication and consultation
Risk communication and consultation is a dialogue between an organization and its stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be selected. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and established by the organization, not by stakeholders.
Risk criteria
Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization's risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization's values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.
Risk evaluation
Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a risk or a specified level of risk is acceptable or tolerable. Risk evaluation results are used to help select risk treatment options.
Risk identification
Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization's objectives. It involves discovering possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives; it also includes the identification of possible causes and potential consequences. You may use historical data, theoretical analysis, informed opinion, expert advice, and stakeholder input to identify your risks.
Risk management
Risk management refers to a coordinated set of techniques that organizations use to deal with the risk and uncertainty that influences how well they achieve their objectives.
Risk management process
A risk management process is one that systematically uses management policies, procedures, and practices to establish context, to communicate and consult with stakeholders, and to identify, analyze, evaluate, treat, monitor, and review risk.
Risk owner
A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
Risk treatment
Risk treatment is a risk modification process. It involves selecting and implementing one or more treatment options. Once a treatment option has been implemented, it becomes a control or it modifies an existing control.
You have many risk treatment options. You can avoid the risk, you can reduce the risk, you can remove the source of the risk, you can modify the consequences, you can change the probabilities, you can share the risk with others, you can simply retain the risk, or you can even increase the risk in order to pursue an opportunity.
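The risk assessment and treatment terms from the entries above (level of risk, risk criteria, risk evaluation, risk treatment options, residual risk, risk owner) worked through as a small risk register, as an added example that is not part of the original glossary. The 1 to 5 scales, the criteria thresholds, and the sample risks are constructed assumptions, not values from any standard.

```python
"""Risk assessment and treatment vocabulary worked through in code (added
example, not from the glossary): identification -> analysis (level of risk)
-> evaluation against risk criteria -> treatment -> residual risk. Scales,
criteria, and sample risks are constructed for illustration."""
from dataclasses import dataclass, replace

# Assumed risk criteria on a 1..5 x 1..5 ordinal grid: a level up to 7 is
# acceptable, 8..14 is tolerable (treat or document acceptance), 15+ is not.
RISK_CRITERIA = {"acceptable_max": 7, "tolerable_max": 14}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1..5, ordinal
    consequence: int  # 1..5, ordinal
    owner: str  # the risk owner accountable for managing it


def level_of_risk(risk):
    """Risk analysis: estimate magnitude by combining likelihood and consequence."""
    return risk.likelihood * risk.consequence


def evaluate(risk):
    """Risk evaluation: compare the analysis result with the risk criteria."""
    level = level_of_risk(risk)
    if level <= RISK_CRITERIA["acceptable_max"]:
        return "acceptable"
    if level <= RISK_CRITERIA["tolerable_max"]:
        return "tolerable"
    return "unacceptable"


# Treatment options modify the risk; once implemented each one becomes (or
# changes) a control. Each returns the residual risk it leaves behind.
TREATMENT_OPTIONS = {
    "reduce_likelihood": lambda r, n: replace(r, likelihood=max(1, r.likelihood - n)),
    "modify_consequence": lambda r, n: replace(r, consequence=max(1, r.consequence - n)),
    "avoid": lambda r, n: replace(r, likelihood=1, consequence=1),  # stop the activity
    "retain": lambda r, n: r,  # accepted as-is; still monitored and reviewed
}


def treat(risk, option, amount=1):
    """Apply one treatment option; return (residual risk, its evaluation)."""
    residual = TREATMENT_OPTIONS[option](risk, amount)
    return residual, evaluate(residual)


def risk_register(risks):
    """Assessment summary per identified risk, flagging those the risk owner
    must treat (or explicitly accept) before they can be left as they are."""
    rows = []
    for r in risks:
        verdict = evaluate(r)
        rows.append({
            "asset": r.asset, "threat": r.threat, "owner": r.owner,
            "level": level_of_risk(r), "evaluation": verdict,
            "treatment_required": verdict != "acceptable",
        })
    return rows


# Constructed output of risk identification (not real findings).
SAMPLE_RISKS = [
    Risk("customer database", "credential theft", "no MFA on admin accounts", 4, 5, "DB lead"),
    Risk("public website", "defacement", "unpatched CMS plugin", 3, 3, "Web lead"),
    Risk("office printer", "paper jam", "worn rollers", 2, 1, "Facilities"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(row)
    print(treat(SAMPLE_RISKS[0], "reduce_likelihood", 2))
```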
Scale
A scale is an ordered set of values. Scales can be distinguished from one another based on how values on the same scale are interrelated. There are at least four types of scales: nominal, ordinal, interval, and ratio. Nominal scales use categories as values (e.g. female vs. male), ordinal scales rank values (1st, 2nd, 3rd, 4th, etc.), interval scales use equal quantities as values (e.g., dates and temperatures), and ratio scales use values that specify how much or how many (e.g. duration and length).
Ratio scales are possible because they exploit the fact that sometimes it makes sense to use zero as a value. Being able to use a zero value allows you to do calculations and to say that something is twice as far as something else or takes three times as long as something else, for example.
Security implementation standard
A security implementation standard is a document that specifies officially or formally authorized ways in which security can be achieved or realized.
Stakeholder
A stakeholder is a person or an organization that can affect or be affected by a decision or an activity. Stakeholders also include those who have the perception that a decision or an activity can affect them.
Third party
A third party is any person or body that is recognized as independent of the people directly involved with an issue.
Threat
A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.
Top management
The term top management normally refers to the people at the top of an organization; it refers to the people who provide resources and delegate authority and who coordinate, direct, and control organizations. However, if the scope of a management system covers only part of an organization, then the term top management refers, instead, to the people who direct and control that part of the organization.
Trusted information communication entity
A trusted information communication entity is an organization that supports the exchange of information between members of an information sharing community.
Unit of measurement
A unit of measurement is a particular quantity or magnitude that is used as a standard for comparing measurements of the same kind. A standard unit of measurement is one that has been defined and adopted by convention, by agreement, or officially established.
Validation
Validation is a process. It uses objective evidence to confirm that the requirements which define an intended use or application have been met. Whenever all requirements have been met, a validated status is achieved. The process of validation can be carried out under real use conditions or within a simulated use environment.
Verification
Verification is a process that uses objective evidence to confirm that specified requirements have actually been met. Verification is sometimes referred to as compliance testing.
Vulnerability
A vulnerability is a weakness of an asset or control that could potentially be exploited by one or more threats. An asset is any tangible or intangible thing or characteristic that has value to an organization, a control is any administrative, managerial, technical, or legal method that can be used to modify or manage risk, and a threat is any potential event that could harm an organization or system.