27000:2018 Flashcards

ISMS

1
Q

3.1 access control

A

means to ensure
that access to assets
is authorized and restricted
based on business and security requirements (3.56)

2
Q

3.2 attack

A
attempt to destroy, 
expose, 
alter, 
disable, 
steal or 
gain unauthorized access to 
or make unauthorized
3
Q

3.3 audit (3 notes)

A

systematic, independent and documented
process (3.54) for
obtaining audit evidence and
evaluating it objectively to determine the
extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

4
Q

3.4 audit scope

A

extent and boundaries

of an audit (3.3)

5
Q

3.5 authentication

A

provision of assurance that
a claimed characteristic of an entity
is correct

6
Q

3.6 authenticity

A

property that
an entity is
what it claims to be

7
Q

3.7 availability

A

property of
being accessible and
usable on demand
by an authorized entity

8
Q

3.8 base measure (1 note)

A
measure (3.42)
 defined in terms of 
an attribute 
and the method for 
quantifying it

Note 1 to entry: A base measure is functionally independent of other measures.

9
Q

3.9 competence

A

ability to apply
knowledge and skills to
achieve intended results

10
Q

3.10 confidentiality

A
property that 
information is not made 
available or 
disclosed to 
unauthorized 
individuals, 
entities, 
or processes (3.54)
11
Q

3.11 conformity

A

fulfilment of a requirement (3.56)

12
Q

3.12 consequence (4 notes)

A
outcome of an event (3.21) 
affecting objectives (3.49) 

Note 1 to entry: An event can lead to a range of consequences.

Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.

Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.

Note 4 to entry: Initial consequences can escalate through knock-on effects.

13
Q

3.13 continual improvement

A

recurring activity

to enhance performance (3.52)

14
Q

3.14 control (2 notes)

A

measure
that is modifying risk (3.61)

Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).

Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.

15
Q

3.15 control objective

A

statement
describing what is to be
achieved as a
result of implementing controls (3.14)

16
Q

3.16 correction

A

action to
eliminate a
detected nonconformity (3.47)

17
Q

3.17 corrective action

A

action to
eliminate the
cause of a nonconformity (3.47)
and to prevent recurrence

18
Q

3.18 derived measure

A
measure (3.42) 
that is defined as a 
function of two or more values of 
base measures (3.8)
19
Q

3.19 documented information (2 notes)

A

information required to be
controlled and maintained
by an organization (3.50)
and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.

Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).

20
Q

3.20 effectiveness

A

extent to which
planned activities are
realized and
planned results achieved

21
Q

3.21 event (3 notes)

A

occurrence or
change of a
particular set of circumstances

Note 1 to entry: An event can be one or more occurrences, and can have several causes.

Note 2 to entry: An event can consist of something not happening.

Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.

22
Q

3.22 external context (1 note)

A

external environment
in which the organization
seeks to achieve
its objectives (3.49)

Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).

23
Q

3.23 governance of information security

A
system by which an organization’s (3.50)
information security (3.28) activities
are directed and controlled
24
Q

3.24 governing body (1 note)

A

person or group of people
who are accountable for the
performance (3.52) and
conformity of the organization (3.50)

Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.

25
Q

3.25 indicator

A

measure (3.42)

that provides an estimate or evaluation

26
Q

3.26 information need

A
insight necessary to 
manage objectives (3.49), 
goals, 
risks and
problems
27
Q

3.27 information processing facilities

A

any information processing system,
service or
infrastructure,
or the physical location housing it

28
Q

3.28 information security (1 note)

A

preservation of confidentiality (3.10),
integrity (3.36) and
availability (3.7) of
information

Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved.

29
Q

3.29 information security continuity

A

processes (3.54) and
procedures for
ensuring continued information security (3.28) operations

30
Q

3.30 information security event

A
identified occurrence of a 
system, 
service or 
network state 
indicating a possible breach of 
information security (3.28) policy (3.53) or 
failure of controls (3.14), 
or a previously unknown situation that can be 
security relevant
31
Q

3.31 information security incident

A
single or 
a series of unwanted or 
unexpected 
information security events (3.30) 
that have a significant probability of 
compromising business operations and 
threatening information security (3.28)
32
Q

3.32 information security incident management

A
set of processes (3.54) 
for detecting, 
reporting, 
assessing, 
responding to, 
dealing with,
 and learning from 
information security incidents (3.31)
33
Q

3.33 information security management system (ISMS) professional

A
person who establishes, 
implements, 
maintains and 
continuously improves one or more 
information security management system processes (3.54)
34
Q

3.34 information sharing community (1 note)

A

group of organizations (3.50)
that agree to share information

Note 1 to entry: An organization can be an individual

35
Q

3.35 information system

A

set of applications,
services,
information technology assets, or
other information-handling components

36
Q

3.36 integrity

A

property of
accuracy
and completeness

37
Q

3.37 interested party (preferred term)

stakeholder (admitted term)

A
person or organization (3.50) 
that can affect, 
be affected by, or 
perceive itself to be 
affected by a decision or 
activity
38
Q

3.38 internal context (1 note)

A

internal environment
in which the organization (3.50)
seeks to achieve
its objectives

Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54), systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization’s culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.

39
Q

3.39 level of risk

A
magnitude of a risk (3.61) 
expressed in terms of the 
combination of 
consequences (3.12) and their
likelihood (3.40)
40
Q

3.40 likelihood

A

chance of something happening

41
Q

3.41 management system (3 notes)

A
set of interrelated or 
interacting elements of an 
organization (3.50) 
to establish policies (3.53) 
and objectives (3.49) 
and processes (3.54) to 
achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning and operation.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

42
Q

3.42 measure

A

variable to which a
value is assigned
as the result of
measurement (3.43)

43
Q

3.43 measurement

A

process (3.54) to

determine a value

44
Q

3.44 measurement function

A

algorithm or
calculation performed to
combine two or more
base measures (3.8)

45
Q

3.45 measurement method (1 note)

A
logical sequence of 
operations,
 described generically, 
used in quantifying an 
attribute with respect to a 
specified scale

Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.

46
Q

3.46 monitoring (1 note)

A

determining the status of a system,
a process (3.54) or an
activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

47
Q

3.47 nonconformity

A

non-fulfilment of a requirement (3.56)

48
Q

3.48 non-repudiation

A

ability to prove the
occurrence of a claimed event (3.21) or
action and its
originating entities

49
Q

3.49 objective (4 notes)

A

result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.54)].

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.

50
Q

3.50 organization (1 note)

A
person or group of people that 
has its own functions 
with responsibilities, 
authorities and 
relationships to 
achieve its objectives (3.49)

Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

51
Q

3.51 outsource (1 note)

A
make an arrangement where 
an external organization (3.50)
performs part of an organization’s 
function or process (3.54)

Note 1 to entry: An external organization is outside the scope of the management system (3.41), although the outsourced function or process is within the scope.

52
Q

3.52 performance (2 notes)

A

measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.54), products (including services), systems or organizations (3.50).

53
Q

3.53 policy

A

intentions and direction of an
organization (3.50), as
formally expressed by its
top management (3.75)

54
Q

3.54 process

A

set of interrelated or
interacting activities
which transforms inputs into outputs

55
Q

3.55 reliability

A

property of
consistent intended behaviour and
results

56
Q

3.56 requirement (2 notes)

A

need or
expectation that is stated,
generally implied or obligatory

Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

57
Q

3.57 residual risk (2 notes)

A

risk (3.61) remaining
after risk treatment (3.72)

Note 1 to entry: Residual risk can contain unidentified risk.

Note 2 to entry: Residual risk can also be referred to as “retained risk”.

58
Q

3.58 review

A
activity undertaken to 
determine the suitability, 
adequacy and 
effectiveness (3.20) 
of the subject matter to 
achieve established objectives (3.49)
59
Q

3.59 review object

A

specific item being reviewed

60
Q

3.60 review objective

A

statement describing what is
to be achieved as a
result of a review (3.58)

61
Q

3.61 risk (6 notes)

A

effect of uncertainty on objectives (3.49)

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.

Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.

62
Q

3.62 risk acceptance (2 notes)

A

informed decision to
take a particular risk (3.61)

Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk treatment.

Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58).

63
Q

3.63 risk analysis (2 notes)

A

process (3.54) to
comprehend the nature of risk (3.61)
and to determine the level of risk (3.39)

Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).

Note 2 to entry: Risk analysis includes risk estimation.

64
Q

3.64 risk assessment

A
overall process (3.54) 
of risk identification (3.68), 
risk analysis (3.63) and 
risk evaluation (3.67)
65
Q

3.65 risk communication and consultation (2 notes)

A
set of continual and iterative processes (3.54) that
an organization conducts to
provide,
share or
obtain information, and
to engage in dialogue with
stakeholders (3.37)
regarding the management of risk (3.61)

Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.40), significance, evaluation, acceptability and treatment of risk.

Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.

66
Q

3.66 risk criteria (2 notes)

A

terms of reference
against which the
significance of risk (3.61)
is evaluated

Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal context (3.38).

Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).

67
Q

3.67 risk evaluation (1 note)

A
process (3.54) of 
comparing the results of 
risk analysis (3.63) with
risk criteria (3.66) to 
determine whether the risk (3.61) and/or 
its magnitude is acceptable or tolerable

Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72).

68
Q

3.68 risk identification (2 notes)

A

process (3.54) of
finding,
recognizing and
describing risks (3.61)

Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their potential consequences (3.12).

Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ (3.37) needs.

69
Q

3.69 risk management (2 notes)

A

coordinated activities to
direct and control
an organization (3.50) with
regard to risk (3.61)

70
Q

3.70 risk management process (1 note)

A
systematic application of 
management policies (3.53), 
procedures and 
practices to the 
activities of 
communicating, 
consulting, 
establishing the 
context and identifying,
 analysing, 
evaluating, 
treating, 
monitoring and 
reviewing risk (3.61)

Note 1 to entry: ISO/IEC 27005 uses the term “process” (3.54) to describe risk management overall. The elements within the risk management (3.69) process are referred to as “activities”.

71
Q

3.71 risk owner

A

person or entity with the
accountability and authority to
manage a risk (3.61)

72
Q

3.72 risk treatment (3 notes)

A
process (3.54) to 
modify risk (3.61)

Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.

Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.

Note 3 to entry: Risk treatment can create new risks or modify existing risks.

73
Q

3.73 security implementation standard

A

document
specifying authorized ways for
realizing security

74
Q

3.74 threat

A

potential cause of an
unwanted incident,
which can result in harm to a
system or organization (3.50)

75
Q

3.75 top management (3 notes)

A

person or group of people who
directs and controls an
organization (3.50) at
the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.41) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.

76
Q

3.76 trusted information communication entity

A
autonomous organization (3.50) 
supporting information exchange within an 
information sharing community (3.34)
77
Q

3.77 vulnerability

A

weakness of an
asset or control (3.14)
that can be exploited by one or more
threats (3.74)