46 terms

ISO 27000 Vocabulary


access control
to ensure that access to assets is authorized and restricted based on business and security requirements
accountability
responsibility of an entity for its actions and decisions
asset
anything that has value in the organization such as information, software, physical (such as a computer), services, people and their qualifications, skills and experience, intangibles such as reputation and image.
attack
to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset
authentication
provision of assurance that a claimed characteristic of an entity is correct
authenticity
property that an entity is what it claims to be
availability
property of being accessible and usable upon demand by an authorized entity
business continuity
processes and/or procedures for ensuring continued business operations
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities or processes
control
means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management or legal in nature
control objectives
statement describing what is to be achieved as a result of implementing controls
corrective action
action to eliminate the cause of a detected nonconformity or the undesirable situation
effectiveness
extent to which planned activities are realized and planned results achieved
efficiency
relationship between the results achieved and how well the resources have been used
event
occurrence of a particular set of circumstances
guideline
recommendation of what is expected to be done to achieve an objective
impact
adverse change to the level of business objectives achieved
information asset
knowledge or data that has value to the organization
information security
preservation of confidentiality, integrity and availability of information. Authenticity, accountability, non-repudiation and reliability can also be involved.
information security event
identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls or a previously unknown situation that may be security relevant.
information security incident
single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
information security incident management
processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents
information security management system
part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security
information security risk
potential that a threat will exploit a vulnerability of an asset or group of assets and thereby cause harm to the organization
integrity
property of protecting the accuracy and completeness of assets
management system
framework of policies, procedures, guidelines and associated resources to achieve the objectives of the organization
non-repudiation
ability to prove the occurrence of a claimed event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and involvement of entities in the event
policy
overall intention and direction as formally expressed by management
preventative action
action to eliminate the cause of a potential nonconformity or other undesirable potential situation
procedure
specified way to carry out an activity or a process
process
set of interrelated or interacting activities which transforms inputs into outputs
record
document stating results achieved or providing evidence of activities performed
reliability
property of consistent intended behavior and results
risk
combination of the probability of an event and its consequence
risk acceptance
decision to accept a risk
risk analysis
systematic use of information to identify sources and to estimate risk. Provides a basis for risk evaluation, risk treatment, and risk acceptance.
risk assessment
overall process of risk analysis and risk evaluation
risk communication
exchange or sharing of information about risk between the decision-maker and other stakeholders
risk criteria
terms of reference by which the significance of risk is assessed
risk estimation
activity to assign values to the probability and consequences of risk
risk evaluation
process of comparing the estimated risk against given risk criteria to determine the significance of the risk
risk management
coordinated activities to direct and control an organization with regard to risk. Usually includes risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
risk treatment
process of selection and implementation of measures to modify risk
statement of applicability
documented statement describing the control objectives and controls that are relevant and applicable to the organization's ISMS
threat
potential cause of an unwanted incident, which may result in harm to a system or organization
vulnerability
weakness of an asset or control that can be exploited by a threat