Cracking the Code: A Beginner's Guide to ISO 27001:2022 Terminology and Definitions

In today's digital landscape, data security has become a critical concern for organisations worldwide. ISO 27001, developed by the International Organization for Standardization (ISO), provides a framework for implementing an effective Information Security Management System (ISMS). As organisations aim to protect their sensitive information, understanding the key terms and definitions within ISO 27001 is crucial. Explore the terms and definitions of ISO 27001 in our guide below!

ISO 27001:2022 Terms and Definitions Guide:

Access Control: means to ensure that access to assets is authorized and restricted based on business and security requirements.

Attack: attempt to destroy, expose, alter, disable, steal, or gain unauthorised access to or make unauthorised use of an asset.

Audit: systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

An internal audit is conducted by the organisation itself, or by an external party on its behalf.

Audit scope: extent and boundaries of an audit.

Authentication: provision of assurance that a claimed characteristic of an entity is correct.

Authenticity: property that an entity is what it claims to be.

Availability: property of being accessible and usable on demand by an authorized entity.

Base Measure: measure defined in terms of an attribute and the method for quantifying it.

A base measure is functionally independent of other measures.

Competence: ability to apply knowledge and skills to achieve intended results.

Confidentiality: property that information is not made available or disclosed to unauthorised individuals, entities, or processes.

Conformity: fulfilment of a requirement.

Consequence: outcome of an event affecting objectives.

An event can lead to a range of consequences.

  • A consequence can be certain or uncertain and, in the context of information security, is usually negative.

  • Consequences can be expressed qualitatively or quantitatively.

  • Initial consequences can escalate through knock-on effects.

Continual Improvement: recurring activity to enhance performance.

Control: measure that modifies risk.

  • Controls include any process, policy, device, practice, or other actions which modify risk.

  • It is possible that controls do not always exert the intended or assumed modifying effect.

Control Objective: statement describing what is to be achieved as a result of implementing controls.

Correction: Action to eliminate a detected nonconformity.

Corrective action: Action to eliminate the cause of a nonconformity and to prevent recurrence.

Derived measure: Measure that is defined as a function of two or more values of base measures.

Documented information: Information required to be controlled and maintained by an organisation and the medium on which it is contained.

  • Documented information can be in any format and media and from any source.

  • Documented information can refer to the management system, including related processes, information created for the organisation to operate (documentation), and evidence of results achieved (records).

Effectiveness: extent to which planned activities are realized and planned results achieved.

Event: occurrence or change of a particular set of circumstances.

  • An event can be one or more occurrences and can have several causes.

  • An event can consist of something not happening.

  • An event can sometimes be referred to as an “incident” or “accident”.

External context: external environment in which the organisation seeks to achieve its objectives.

External context can include the following:

  • the cultural, social, political, legal, regulatory, financial, technological, economic, natural, and competitive environment, whether international, national, regional, or local.

  • key drivers and trends having impact on the objectives of the organisation.

  • relationships with, and perceptions and values of, external stakeholders.

Governance of information security: system by which an organisation's information security activities are directed and controlled.

Governing body: a person or group of people who are accountable for the performance and conformity of the organisation. The governing body can, in some jurisdictions, be a board of directors.

Indicator: measure that provides an estimate or evaluation.

Information need: insight necessary to manage objectives, goals, risks and problems.

Information processing facilities: any information processing system, service or infrastructure, or the physical location housing it.

Information security: preservation of confidentiality, integrity and availability of information.

In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability, can also be involved.

Information security continuity: processes and procedures for ensuring continued information security operations.

Information security event: identified occurrence of a system, service or network state indicating a possible breach of information security policy, a failure of controls, or a previously unknown situation that can be relevant to security.

Information security incident: single event or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.

Information security incident management: set of processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents.

Information security management system (ISMS) professional: person who establishes, implements, maintains and continuously improves one or more information security management system processes.

Information sharing community: group of organisations that agree to share information.

An organisation can be an individual.

Information system: set of applications, services, information technology assets, or other information-handling components.

Integrity: property of accuracy and completeness.

Interested party or stakeholder: person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity.

Internal context: Internal environment in which the organisation seeks to achieve its objectives.

Internal context can include:

  • governance, organisational structure, roles, and accountabilities.

  • policies, objectives, and the strategies that are in place to achieve them.

  • the capabilities, understood in terms of resources and knowledge (e.g., capital, time, people, processes, systems, and technologies).

  • information systems, information flows and decision-making processes (both formal and informal).

  • relationships with, and perceptions and values of, internal stakeholders.

  • the organisation's culture.

  • standards, guidelines, and models adopted by the organisation.

  • form and extent of contractual relationships.

Level of risk: magnitude of a risk expressed in terms of the combination of consequences and their likelihood.

Likelihood: chance of something happening.

Management system: set of interrelated or interacting elements of an organisation to establish policies and objectives and processes to achieve those objectives.

A management system can address a single discipline or several disciplines.

The system elements include the organisation's structure, roles and responsibilities, planning, and operation.

The scope of a management system may include the whole of the organisation, specific and identified functions of the organisation, specific and identified sections of the organisation, or one or more functions across a group of organisations.

Measure: variable to which a value is assigned as the result of measurement.

Measurement: process to determine a value.

Measurement function: algorithm or calculation performed to combine two or more base measures.

Measurement method: logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale.

The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:

  • Subjective: quantification involving human judgment; and

  • Objective: quantification based on numerical rules.

Monitoring: determining the status of a system, a process, or an activity.

To determine the status, there may be a need to check, supervise or critically observe.

Nonconformity: non-fulfilment of a requirement.

Non-repudiation: ability to prove the occurrence of a claimed event or action and its originating entities.

Objective: result to be achieved.

An objective can be strategic, tactical, or operational.

Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product, and process).

An objective can be expressed in other ways, e.g., as an intended outcome, a purpose, an operational criterion, as an information security objective or using other words with similar meaning (e.g., aim, goal, or target).

In the context of information security management systems, information security objectives are set by the organisation, consistent with the information security policy, to achieve specific results.

Organisation: person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.

The concept of organisation includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public, or private.

Outsource: arrange for an external organisation to perform part(s) of an organisation’s function or process.

An external organisation is outside the scope of the management system, although the outsourced function or process is within the scope.

Performance: measurable result.

Performance can relate either to quantitative or qualitative findings.

Performance can relate to the management of activities, processes, products (including services), systems or organisations.

Policy: intentions and direction of an organisation, as formally expressed by its top management.

Process: set of interrelated or interacting activities which transforms inputs into outputs.

Reliability: property of consistent intended behaviour and results.

Requirement: need or expectation that is stated, generally implied or obligatory.

“Generally implied” means that it is custom or common practice for the organisation and interested parties that the need or expectation under consideration is implied.

A specified requirement is one that is stated, for example in documented information.

Residual risk: risk remaining after risk treatment.

  • Residual risk can contain unidentified risk.

  • Residual risk can also be referred to as “retained risk”.

Review: activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve established objectives.

Review object: specific item being reviewed.

Review objective: statement describing what is to be achieved as a result of a review.

Risk: effect of uncertainty on objectives.

  • An effect is a deviation from the expected — positive or negative.

  • Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

  • Risk is often characterised by reference to potential “events” and “consequences” or a combination of these.

  • Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” of occurrence.

In the context of information security management systems, information security risks can be expressed as an effect of uncertainty on information security objectives.

Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organisation.

Risk acceptance: informed decision to take a particular risk.

Risk acceptance can occur without risk treatment or during the process of risk treatment.

Accepted risks are subject to monitoring and review.

Risk analysis: process to comprehend the nature of risk and to determine the level of risk.

  • Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

  • Risk analysis includes risk estimation.

Risk Assessment: overall process of risk identification, risk analysis and risk evaluation.

Risk communication and consultation: set of continual and iterative processes that an organisation conducts to provide, share, or obtain information, and to engage in dialogue with stakeholders regarding the management of risk.

The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability, and treatment of risk.

Consultation is a two-way process of informed communication between an organisation and its stakeholders on an issue prior to deciding or determining a direction on that issue. Consultation is:

  • a process which impacts on a decision through influence rather than power; and

  • an input to decision making, not joint decision making.

Risk criteria: terms of reference against which the significance of risk is evaluated.

  • Risk criteria are based on organisational objectives, and external context and internal context.

  • Risk criteria can be derived from standards, laws, policies, and other requirements.

Risk evaluation: Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.

Risk evaluation assists in the decision about risk treatment.

Risk identification: process of finding, recognising, and describing risks.

  • Risk identification involves the identification of risk sources, events, their causes, and their potential consequences.

  • Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.

Risk management: coordinated activities to direct and control an organisation regarding risk.

Risk management process: systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring, and reviewing risk.

  • The term process is used to describe risk management overall. The elements within the risk management process are referred to as “activities”.

Risk owner: person or entity with the accountability and authority to manage a risk.

Risk treatment: process to modify risk.

Risk treatment can involve:

  • avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk.

  • taking or increasing risk to pursue an opportunity.

  • removing the risk source.

  • changing the likelihood.

  • changing the consequences.

  • sharing the risk with another party or parties (including contracts and risk financing).

  • retaining the risk by informed choice.

Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.

Risk treatment may create new risks or modify existing risks.
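The definitions above (level of risk, risk criteria, risk evaluation, risk treatment, residual risk, risk acceptance, risk owner) chain together into one workflow. The following is an added illustration, not part of the guide or of ISO 27001 itself: the 1 to 5 ordinal scales, the product-based level of risk, the acceptance thresholds and the sample risk are all assumed values an organisation would replace with its own.

```python
from dataclasses import dataclass, replace

# Assumed risk criteria: level <= 6 is acceptable, <= 12 tolerable, else unacceptable.
RISK_CRITERIA = {"acceptable": 6, "tolerable": 12}


@dataclass(frozen=True)
class Risk:
    event: str          # potential event the risk is characterised by
    owner: str          # risk owner: accountable and authorised to manage the risk
    likelihood: int     # assumed ordinal scale, 1 (rare) .. 5 (almost certain)
    consequence: int    # assumed ordinal scale, 1 (negligible) .. 5 (severe)

    def level(self) -> int:
        # Level of risk: combination of consequence and likelihood (product here)
        return self.likelihood * self.consequence


def evaluate(risk: Risk, criteria=RISK_CRITERIA) -> str:
    # Risk evaluation: compare the analysed level of risk against the risk criteria
    level = risk.level()
    if level <= criteria["acceptable"]:
        return "acceptable"
    if level <= criteria["tolerable"]:
        return "tolerable"
    return "unacceptable"


def treat(risk: Risk, option: str, likelihood=None, consequence=None) -> Risk:
    # Risk treatment: modify the risk; the Risk returned is the residual risk
    if option == "avoid":
        return replace(risk, likelihood=0)   # activity not started or continued
    if option in ("change_likelihood", "change_consequence", "share"):
        return replace(risk,
                       likelihood=risk.likelihood if likelihood is None else likelihood,
                       consequence=risk.consequence if consequence is None else consequence)
    if option == "retain":
        return risk                          # retained by informed choice
    raise ValueError(f"unknown treatment option: {option}")


def treatment_plan(risk: Risk, treatments: list) -> dict:
    # Apply treatments in order until the residual risk meets the criteria, then
    # record risk acceptance; accepted risks remain subject to monitoring and review.
    history = [(risk, evaluate(risk))]
    for option, kwargs in treatments:
        if evaluate(risk) != "unacceptable":
            break
        risk = treat(risk, option, **kwargs)
        history.append((risk, evaluate(risk)))
    verdict = evaluate(risk)
    return {"residual": risk, "verdict": verdict,
            "accepted": verdict != "unacceptable", "history": history}


if __name__ == "__main__":
    r = Risk("laptop holding customer data is stolen", "Head of IT", likelihood=4, consequence=5)
    plan = treatment_plan(r, [("change_consequence", {"consequence": 2}),   # e.g. disk encryption
                              ("change_likelihood", {"likelihood": 2})])   # e.g. asset tracking
    print(plan["verdict"], plan["residual"].level())
```

Only the first treatment is applied in the sample run, because it already brings the level of risk from 20 into the tolerable band (8); the second remains available if criteria tighten.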

Security implementation standard: document specifying authorised ways for realizing security.

Threat: potential cause of an unwanted incident, which can result in harm to a system or organisation.

Top management: a person or group of people who directs and controls an organisation at the highest level.

  • Top management has the power to delegate authority and provide resources within the organisation.

  • If the scope of the management system covers only part of an organisation, then top management refers to those who direct and control that part of the organisation.

  • Top management is sometimes called executive management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.

Trusted information communication entity: autonomous organisation supporting information exchange within an information sharing community.

Vulnerability: weakness of an asset or control that can be exploited by one or more threats.

We hope our guide to ISO 27001:2022 Terminology and Definitions has helped you to understand the vocabulary used in ISO 27001. For further support with ISO 27001 Information Security Management, why not visit our ISO Resource Library and download free guides and templates for your organisation? Our cloud-based platform gives you the power to help you implement ISO standards within your business. Explore Armour today!
