ISO 27001 Definitions Flashcards

1
Q

3.1 access control

A

means to ensure that access to assets is authorized and restricted based on business and security requirements (3.56)

2
Q

3.2 attack

A

attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset

3
Q

3.5 authentication

A

provision of assurance that a claimed characteristic of an entity is correct

4
Q

3.6 authenticity

A

property that an entity is what it claims to be

5
Q

3.7 availability

A

property of being accessible and usable on demand by an authorized entity

6
Q

3.8 base measure

A

measure (3.42) defined in terms of an attribute and the method for quantifying it

Note 1 to entry: A base measure is functionally independent of other measures.

7
Q

3.10 confidentiality

A

property that information is not made available or disclosed to unauthorized individuals, entities, or processes (3.54)

8
Q

3.12 consequence

A

outcome of an event (3.21) affecting objectives (3.49)

Note 1 to entry: An event can lead to a range of consequences.

Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.

Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.

Note 4 to entry: Initial consequences can escalate through knock-on effects.

9
Q

3.14 control

A

measure that is modifying risk (3.61)

Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).

Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.

10
Q

3.15 control objective

A

statement describing what is to be achieved as a result of implementing controls (3.14)

11
Q

3.16 correction

A

action to eliminate a detected nonconformity (3.47)

12
Q

3.17 corrective action

A

action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence

13
Q

3.18 derived measure

A

measure (3.42) that is defined as a function of two or more values of base measures (3.8)

14
Q

3.19 documented information

A

information required to be controlled and maintained by an organization (3.50) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.

Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).

15
Q

3.21 event

A

occurrence or change of a particular set of circumstances

Note 1 to entry: An event can be one or more occurrences, and can have several causes.

Note 2 to entry: An event can consist of something not happening.

Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.

16
Q

3.23 governance of information security

A

system by which an organization’s (3.50) information security (3.28) activities are directed and controlled

17
Q

3.24 governing body

A

person or group of people who are accountable for the performance (3.52) and conformity of the organization (3.50)

Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.

18
Q

3.25 indicator

A

measure (3.42) that provides an estimate or evaluation

19
Q

3.26 information need

A

insight necessary to manage objectives (3.49), goals, risks and problems

20
Q

3.27 information processing facilities

A

any information processing system, service or infrastructure, or the physical location housing it

21
Q

3.28 information security

A

preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information

Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved.

22
Q

3.29 information security continuity

A

processes (3.54) and procedures for ensuring continued information security (3.28) operations

23
Q

3.30 information security event

A

identified occurrence of a system, service or network state indicating a possible breach of information security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be security relevant

24
Q

3.31 information security incident

A

single or a series of unwanted or unexpected information security events (3.30) that have a significant probability of compromising business operations and threatening information security (3.28)

25
Q

3.32 information security incident management

A

set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (3.31)

26
Q

3.33 information security management system (ISMS) professional

A

person who establishes, implements, maintains and continuously improves one or more information security management system processes (3.54)

27
Q

3.34 information sharing community

A

group of organizations (3.50) that agree to share information

Note 1 to entry: An organization can be an individual.

28
Q

3.35 information system

A

set of applications, services, information technology assets, or other information-handling components

29
Q

3.36 integrity

A

property of accuracy and completeness

30
Q

3.42 measure

A

variable to which a value is assigned as the result of measurement (3.43)

31
Q

3.43 measurement

A

process (3.54) to determine a value

32
Q

3.44 measurement function

A

algorithm or calculation performed to combine two or more base measures (3.8)

33
Q

3.45 measurement method

A

logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale

Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.

34
Q

3.46 monitoring

A

determining the status of a system, a process (3.54) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

35
Q

3.48 non-repudiation

A

ability to prove the occurrence of a claimed event (3.21) or action and its originating entities

36
Q

3.49 objective

A

result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.54)].

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.

37
Q

3.57 residual risk

A

risk (3.61) remaining after risk treatment (3.72)

Note 1 to entry: Residual risk can contain unidentified risk.

Note 2 to entry: Residual risk can also be referred to as “retained risk”.

38
Q

3.72 risk treatment

A

process (3.54) to modify risk (3.61)

Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.

Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.

Note 3 to entry: Risk treatment can create new risks or modify existing risks.

39
Q

3.73 security implementation standard

A

document specifying authorized ways for realizing security

40
Q

3.74 threat

A

potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)

41
Q

3.76 trusted information communication entity

A

autonomous organization (3.50) supporting information exchange within an information sharing community (3.34)

42
Q

3.77 vulnerability

A

weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)