Asset - Availability - Confidentiality - Control - Corrective Action - Document
Information Processing Facility - Information Security - Information Security Event
Information Security Incident - Information Security Management System (ISMS)
Information Security Policy - Integrity - Management Review - Owner - PDCA Model
Policy - Preventive Action - Procedure - Process - Process Approach - Record
Requirement - Residual Risk - Risk - Risk Acceptance - Risk Analysis
Risk Assessment - Risk Evaluation - Risk Management - Risk Treatment
Standard - Statement of Applicability - Third Party - Threat - Vulnerability

Asset

An asset is any tangible or intangible thing or characteristic
that has value to an organization. There are many types of
assets. Some of these include obvious things like machines,
facilities, patents, and software. But the term can also include
less obvious things like services, information, and people,
and characteristics like reputation and image or skill and

Availability

Availability is a characteristic that applies to assets.
An asset is available if it is accessible and usable when
needed by an authorized entity. In the context of this
standard, assets include things like information, systems,
facilities, networks, and computers. All of these assets
must be available to authorized entities when they
need to access or use them.

Confidentiality

Confidentiality is a characteristic that applies to information.
To protect and preserve the confidentiality of information
means to ensure that it is not made available or disclosed
to unauthorized entities. In this context, entities include
both individuals and processes.

Control

A control is any administrative, management, technical,
or legal method that is used to manage risk. Controls are
safeguards or countermeasures. Controls include things
like practices, policies, procedures, programs, techniques,
technologies, guidelines, and organizational structures.

Corrective actions

Corrective actions are steps that are taken to address existing
nonconformities and make improvements. Corrective actions
deal with actual nonconformities (problems), ones that have
already occurred. They solve existing problems by removing
their causes. In general, the corrective action process can be
thought of as a problem solving process.

Document

The term document refers to information and the medium
that is used to bring it into existence. Documents can take
any form or use any type of medium. The extent of your ISMS
documentation will depend on the scope of your ISMS, the
complexity of your security requirements, the size of your
organization, and the type of activities it carries out.

Information processing facility

An information processing facility is defined as any system,
service, or infrastructure, or any physical location that houses
these things. A facility can be either an activity or a place;
it can be either tangible or intangible.

Information security

Information security is all about protecting and preserving
information. It’s all about protecting and preserving the
confidentiality, integrity, authenticity, availability, and
reliability of information.

Information security event

An information security event indicates that the security of
an information system, service, or network may have been
breached or compromised. An information security event
indicates that an information security policy may have
been violated or a safeguard may have failed.

Information security incident

An information security incident is made up of one or more
unwanted or unexpected information security events that
could very likely compromise the security of information
and weaken or impair business operations.

Information security management system

An information security management system (ISMS) includes
all of the policies, procedures, plans, processes, practices,
roles, responsibilities, resources, and structures that
are used to protect and preserve information. It includes all
of the elements that organizations use to manage and
control their information security risks. An ISMS is
part of a larger management system.

Information security policy

An information security policy statement expresses
management’s commitment to the implementation,
maintenance, and improvement of its information
security management system.

Integrity

To preserve the integrity of information means to protect
the accuracy and completeness of information and the
methods that are used to process and manage it.

Management review

The purpose of a management review is to evaluate the
overall performance of an organization's information
security management system and to identify
improvement opportunities.

Owner

In the context of ISO 27001 and ISO 27002, an owner is a
person or entity that has been given formal responsibility
for the security of an asset or asset category. It does not
mean that the asset belongs to the owner in a legal sense.
Asset owners are formally responsible for making sure
that assets are secure while they are being developed,
produced, maintained, and used.

PDCA model

PDCA stands for Plan-Do-Check-Act. ISO IEC 27001 says
that every ISMS process should be structured using the
PDCA model. This means that every process should be
planned (Plan); implemented, operated, and maintained (Do);
monitored, audited, and reviewed (Check); and improved (Act).

Policy

A policy statement defines a general commitment,
direction, or intention. An information security policy
statement expresses management’s commitment to
the implementation, maintenance, and improvement
of its information security management system.

Preventive actions

Preventive actions are steps that are taken to avoid
potential nonconformities and make improvements.
Preventive actions address potential nonconformities
(problems), ones that haven't yet occurred. Preventive
actions prevent the occurrence of problems by removing
their causes. In general, the preventive action process
can be thought of as a risk management process.

Procedure

Procedures control processes or activities. A well defined
procedure controls a logically distinct process or activity,
including the associated inputs and outputs.

Procedures can be very general or very detailed, or anywhere
in between. While a general procedure could take the form of a
simple flow diagram, a detailed procedure could be a one page
form or it could be several pages of text.

A detailed procedure defines the work that should be done,
and explains how it should be done, who should do it, and
under what circumstances. In addition, it explains what
authority and what responsibility has been allocated,
which supplies and materials should be used, and which
documents and records must be used to carry out the work.
While procedures may be documented or undocumented,
ISO usually expects them to be documented.

Process

In general, a process uses resources to transform inputs
into outputs. Inputs are turned into outputs because some
kind of work or activity is carried out.  

ISO IEC 27001 recommends that you structure your ISMS
processes using the Plan-Do-Check-Act (PDCA) model.
This means that every process should be planned (Plan);
implemented, operated, and maintained (Do); monitored,
audited, and reviewed (Check); and improved (Act).

Process approach

The process approach is a management strategy. When
managers use a process approach, it means that they control
their processes, the interaction between these processes, and
the inputs and outputs that “glue” these processes together.
It means that they manage by focusing on processes and on
inputs and outputs. ISO IEC 27001 suggests that you use
a process approach to control your ISMS processes.

Record

A record is a document that contains objective evidence
which shows how well activities are being performed or
what kind of results are actually being achieved. It always
documents what has happened in the past. Records can
take any form or use any type of medium.

Requirement

A requirement is a need, expectation, or obligation. It can be
stated or implied by an organization, its customers, or other
interested parties. There are many types of requirements.
Some of these include security requirements, contractual
requirements, management requirements, regulatory
requirements, and legal requirements.

Residual risk

Residual risk is the risk left over after you’ve implemented
a risk treatment decision. It’s the risk remaining after you’ve
done one of the following: accepted the risk, avoided the
risk, transferred the risk, or reduced the risk.

Risk

The concept of risk combines three ideas: it selects an event,
and then combines its probability with its potential impact. It
asks two questions: what is the probability that a particular
event will occur in the future? And what negative impact
would this event have if it actually occurred?

So, a high risk event would have both a high probability
of occurring and a big negative impact if it occurred. The
concept of risk is always future oriented: it worries about
the impact events could have in the future.

Risk acceptance

Risk acceptance is part of the risk treatment decision
making process. Risk acceptance means that you’ve
decided that you can live with a particular risk.

Risk analysis

Risk analysis uses information to identify possible
sources of risk. It uses information to identify threats
or events that could have a harmful impact. It then
estimates the risk by asking: what is the probability
that this event will actually occur in the future? And
what impact would it have if it actually occurred?

Risk assessment

A risk assessment combines two techniques:
a risk analysis and a risk evaluation.

Risk evaluation

A risk evaluation compares the estimated risk with a set
of risk criteria. This is done in order to determine how
significant the risk really is. The estimated risk is
established by means of a risk analysis.

Risk management

Risk management is a process that includes four activities:
risk assessment, risk acceptance, risk treatment, and risk
communication. Risk management includes all of the
activities that an organization carries out in order
to manage and control risk.

Risk treatment

Risk treatment is a decision making process. For each risk,
risk treatment involves choosing amongst at least four
options: accept the risk, avoid the risk, transfer the risk,
or reduce the risk. In general, risks are treated by selecting
and implementing measures designed to modify risk.

Standard

A standard is a document. It is a set of rules that control how
people develop and manage materials, products, services,
technologies, tasks, processes, and systems.

ISO IEC standards are agreements. ISO IEC refers to them
as agreements because its members must agree on content
and give formal approval before they are published.

ISO IEC standards are developed by technical committees.
Members of these committees come from many different
countries. Therefore, ISO standards tend to have very
broad support.

Statement of applicability

A Statement of Applicability is a document that lists your
organization’s information security control objectives and
controls. In order to figure out what your organization’s
unique information security controls and control objectives
should be, you need to carry out a risk assessment, select
risk treatments, identify all relevant legal and regulatory
requirements, study your contractual obligations, and review
your organization’s own business needs and requirements.
Once you’ve done all of this, you should be ready to prepare
your organization’s unique Statement of Applicability.

Third party

In the context of a specific issue, a third party is any person
or body that is recognized as independent of the people
directly involved with the issue in question.

Threat

A threat is a potential event. When a threat turns into
an actual event, it may cause an unwanted incident.
It is unwanted because the incident may harm an
organization or system.

Vulnerability

A vulnerability is a weakness in an asset or group
of assets. An asset’s weakness could allow it to be
exploited and harmed by one or more threats.

Praxiom Research Group Limited       780-461-4514

Updated on April 23, 2014. First published on June 12, 2006.

Copyright 2006 - 2014 by Praxiom Research Group Limited. All Rights Reserved.