ISO 27001 Definitions Flashcards
3.1 access control
means to ensure that access to assets is authorized and restricted based on business and security requirements (3.56)
3.2 attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset
3.5 authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6 authenticity
property that an entity is what it claims to be
3.7 availability
property of being accessible and usable on demand by an authorized entity
3.8 base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
3.10 confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or processes (3.54)
3.12 consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
3.14 control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
3.15 control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16 correction
action to eliminate a detected nonconformity (3.47)
3.17 corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18 derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
3.19 documented information
information required to be controlled and maintained by an organization (3.50) and the medium on which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.21 event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
3.23 governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and controlled
3.24 governing body
person or group of people who are accountable for the performance (3.52) and conformity of the organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25 indicator
measure (3.42) that provides an estimate or evaluation
3.26 information need
insight necessary to manage objectives (3.49), goals, risks and problems
3.27 information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28 information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved.
3.29 information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30 information security event
identified occurrence of a system, service or network state indicating a possible breach of information security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be security relevant
3.31 information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant probability of compromising business operations and threatening information security (3.28)
3.32 information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (3.31)
3.33 information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information security management system processes (3.54)
3.34 information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35 information system
set of applications, services, information technology assets, or other information-handling components
3.36 integrity
property of accuracy and completeness
3.42 measure
variable to which a value is assigned as the result of measurement (3.43)
3.43 measurement
process (3.54) to determine a value
3.44 measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
3.45 measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.
3.46 monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3.48 non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49 objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
3.57 residual risk
risk (3.61) remaining after risk treatment (3.72)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as “retained risk”.
3.72 risk treatment
process (3.54) to modify risk (3.61)
Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.
Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
Note 3 to entry: Risk treatment can create new risks or modify existing risks.
3.73 security implementation standard
document specifying authorized ways for realizing security
3.74 threat
potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)
3.76 trusted information communication entity
autonomous organization (3.50) supporting information exchange within an information sharing community (3.34)
3.77 vulnerability
weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)