An asset is any tangible or
intangible thing or characteristic
value to an organization. There are many types of
Some of these include obvious things like machines,
patents, and software. But the term can also include
things like services, information, and people,
like reputation and image or skill and
Availability is a characteristic that applies to assets.
An asset is available if it is accessible and usable when
needed by an authorized entity.
In the context of this
standard, assets include things like
facilities, networks, and computers. All of
must be available to authorized entities when they
need to access or use them.
Confidentiality is a characteristic that applies to information.
To protect and preserve the confidentiality of information
ensure that it is not made available or disclosed
to unauthorized entities. In
this context, entities include
both individuals and processes.
control is any administrative, management, technical,
or legal method
that is used to manage risk. Controls are
safeguards or countermeasures.
Controls include things
like practices, policies, procedures, programs,
technologies, guidelines, and organizational structures.
Corrective actions are steps that are taken to address existing
nonconformities and make improvements. Corrective actions
deal with actual
nonconformities (problems), ones that have
already occurred. They solve existing
problems by removing
their causes. In general, the corrective action process can
thought of as a
problem solving process.
document refers to information and the medium
that is used to
bring it into existence. Documents can take
any form or use any type of
medium. The extent of your
documentation will depend on the scope of your
complexity of your security requirements, the size of your
organization, and the type of activities it carries out.
information processing facility is defined as
service, or infrastructure, or any physical location that houses
these things. A
facility can be either an activity or a place;
it can be
either tangible or intangible.
Information security is all about protecting and preserving
It’s all about protecting and preserving the
authenticity, availability, and
reliability of information.
information security event indicates that the security of
an information system, service, or network may have been
compromised. An information security event
indicates that an
security policy may have
been violated or a safeguard may have failed.
information security incident is made up of one or more
unwanted or unexpected
security events that
could very likely compromise the security of information
and weaken or impair business operations.
information security management system (ISMS) includes
all of the
procedures, plans, processes, practices,
roles, responsibilities, resources, and structures that
are used to
protect and preserve information. It includes all
of the elements that
organizations use to manage and
control their information security
part of a larger
information security policy statement expresses
commitment to the implementation,
maintenance, and improvement
of its information
security management system.
To preserve the
integrity of information means to protect
and completeness of information and the
methods that are used to process and
The purpose of a
management review is to evaluate the
of an organization's
security management system and to
In the context of ISO 27001 and ISO 27002, an
owner is a
person or entity that has
been given formal responsibility
for the security of an
asset or asset category.
It does not
mean that the asset belongs to the owner in a legal sense.
are formally responsible for making sure
that assets are secure while
they are being developed,
produced, maintained, and used.
PDCA stands for
Plan-Do-Check- Act. ISO IEC 27001 says
process should be structured using
PDCA model. This means that
every process should be
implemented, operated, and maintained (Do);
(Check); and improved (Act).
policy statement defines a general commitment,
direction, or intention.
An information security policy
statement expresses management’s
the implementation, maintenance, and improvement
of its information security management system.
Preventive actions are steps that are taken to avoid
potential nonconformities and make improvements.
address potential nonconformities
(problems), ones that haven't yet occurred.
actions prevent the occurrence of problems by removing
In general, the preventive action process
can be thought of as a
Procedures control processes or activities. A well defined
controls a logically distinct process or activity,
including the associated
inputs and outputs.
Procedures can be very general or very detailed, or anywhere
in between. While a general procedure could take the form of a
flow diagram, a detailed procedure could be a one page
form or it could be several pages
A detailed procedure defines the work that should
and explains how it should be done, who should do it, and
circumstances. In addition, it
authority and what responsibility has been
materials should be used, and which
documents and records must be used to carry out the work.
procedures may be documented or undocumented,
ISO usually expects
them to be documented.
In general, a
process uses resources to transform inputs
outputs. Inputs are turned into outputs because
activity is carried out.
ISO IEC 27001
recommends that you structure your ISMS
This means that every
process should be planned (Plan);
and maintained (Do); monitored,
audited, and reviewed
(Check); and improved (Act).
process approach is a management strategy. When
managers use a
process approach, it means that they control
their processes, the
interaction between these processes, and
the inputs and outputs that “glue”
these processes together.
It means that they manage by focusing on processes and
inputs and outputs. ISO IEC 27001 suggests that you use
a process approach to
control your ISMS processes.
record is a document that contains objective evidence
which shows how
well activities are being performed or
what kind of results are actually being
achieved. It always
documents what has happened in the past.
take any form or use any type of medium.
requirement is a need, expectation, or obligation. It can be
implied by an organization, its customers, or other
interested parties. There
are many types of requirements.
Some of these include security
requirements, management requirements, regulatory
requirements, and legal requirements.
Residual risk is the risk left over after you’ve implemented
treatment decision. It’s the risk remaining after you’ve
done one of the
following: accepted the risk, avoided the
risk, transferred the risk, or reduced
The concept of
risk combines three ideas: it selects an event,
combines its probability with its potential impact. It
asks two questions: what
is the probability that a particular
event will occur in the future? And what
would this event have if it actually occurred?
high risk event would have both a high
of occurring and a big negative impact if it occurred. The
concept of risk
is always future oriented: it worries about
the impact events could have in the
Risk acceptance is part of the
risk treatment decision
Risk acceptance means that you’ve
decided that you can live with a
uses information to identify possible
risk. It uses information to identify
or events that could have a harmful impact. It then
estimates the risk by
asking: what is the probability
that this event will actually occur in the future? And
what impact would it have if it actually occurred?
risk assessment combines two techniques:
risk analysis and a
risk evaluation compares the estimated
risk with a set
criteria. This is done in order to determine how
significant the risk really is.
The estimated risk is
established by means of a
Risk management is a process that includes four activities:
risk treatment, and risk
management includes all of the
activities that an organization carries out
to manage and control
Risk treatment is a decision making process. For each risk,
risk treatment involves
choosing amongst at least four
accept the risk,
avoid the risk, transfer the risk,
or reduce the risk. In general, risks are treated by selecting
measures designed to modify risk.
standard is a document. It is a set of rules that control how
develop and manage materials, products, services,
processes, and systems.
standards are agreements. ISO IEC refers
as agreements because its members must agree on content
and give formal
approval before they are published.
ISO IEC standards are developed by technical
Members of these committees come from many different
Therefore, ISO standards tend to have very
Statement of Applicability is a document that lists your
control objectives and
controls. In order to figure out what your
security controls and control objectives
should be, you need to carry out a
identify all relevant
requirements, study your
contractual obligations, and review
your organization’s own business needs and
Once you’ve done all of this, you should be ready to prepare
organization’s unique Statement of Applicability.
In the context of a specific issue, a
is any person
or body that is recognized as independent of the people
involved with the issue in question.
threat is a potential event. When a
threat turns into
an actual event, it may cause an unwanted incident.
It is unwanted because the
incident may harm an
organization or system.
vulnerability is a weakness in an
asset or group
of assets. An asset’s
weakness could allow it to be
exploited and harmed by one or more threats.