27000:2018 Flashcards

ISMS (77 cards)

1
Q

3.1 access control

A

means to ensure
that access to assets
is authorized and restricted
based on business and security requirements (3.56)

2
Q

3.2 attack

A

attempt to destroy,
expose,
alter,
disable,
steal or
gain unauthorized access to
or make unauthorized

3
Q

3.3 audit (3 notes)

A

systematic, independent and documented
process (3.54) for
obtaining audit evidence and
evaluating it objectively to determine the
extent to which the audit criteria are fulfilled

Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).

Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.

Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.

4
Q

3.4 audit scope

A

extent and boundaries

of an audit (3.3)

5
Q

3.5 authentication

A

provision of assurance that
a claimed characteristic of an entity
is correct

6
Q

3.6 authenticity

A

property that
an entity is
what it claims to be

7
Q

3.7 availability

A

property of
being accessible and
usable on demand
by an authorized entity

8
Q

3.8 base measure (1 note)

A

measure (3.42)
defined in terms of
an attribute
and the method for
quantifying it

Note 1 to entry: A base measure is functionally independent of other measures.

9
Q

3.9 competence

A

ability to apply
knowledge and skills to
achieve intended results

10
Q

3.10 confidentiality

A

property that
information is not made
available or
disclosed to
unauthorized
individuals,
entities,
or processes (3.54)

11
Q

3.11 conformity

A

fulfilment of a requirement (3.56)

12
Q

3.12 consequence (4 notes)

A
outcome of an event (3.21)
affecting objectives (3.49)

Note 1 to entry: An event can lead to a range of consequences.

Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.

Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.

Note 4 to entry: Initial consequences can escalate through knock-on effects.

13
Q

3.13 continual improvement

A

recurring activity

to enhance performance (3.52)

14
Q

3.14 control (2 notes)

A

measure
that is modifying risk (3.61)

Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).

Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.

15
Q

3.15 control objective

A

statement
describing what is to be
achieved as a
result of implementing controls (3.14)

16
Q

3.16 correction

A

action to
eliminate a
detected nonconformity (3.47)

17
Q

3.17 corrective action

A

action to
eliminate the
cause of a nonconformity (3.47)
and to prevent recurrence

18
Q

3.18 derived measure

A

measure (3.42)
that is defined as a
function of two or more values of
base measures (3.8)

19
Q

3.19 documented information (2 notes)

A

information required to be
controlled and maintained
by an organization (3.50)
and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.

Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).

20
Q

3.20 effectiveness

A

extent to which
planned activities are
realized and
planned results achieved

21
Q

3.21 event (3 notes)

A

occurrence or
change of a
particular set of circumstances

Note 1 to entry: An event can be one or more occurrences, and can have several causes.

Note 2 to entry: An event can consist of something not happening.

Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.

22
Q

3.22 external context (1 note)

A

external environment
in which the organization
seeks to achieve
its objectives (3.49)

Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).

23
Q

3.23 governance of information security

A

system by which
an organization's (3.50)
information security (3.28) activities
are directed and controlled

24
Q

3.24 governing body (1 note)

A

person or group of people
who are accountable for the
performance (3.52) and
conformity of the organization (3.50)

Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.

25
Q

3.25 indicator

A

measure (3.42)
that provides an estimate or evaluation

26
Q

3.26 information need

A

insight necessary to manage
objectives (3.49), goals, risks and problems

27
Q

3.27 information processing facilities

A

any information processing system,
service or infrastructure,
or the physical location housing it

28
Q

3.28 information security (1 note)

A

preservation of
confidentiality (3.10),
integrity (3.36) and
availability (3.7)
of information

Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved.

29
Q

3.29 information security continuity

A

processes (3.54) and procedures
for ensuring continued
information security (3.28) operations

30
Q

3.30 information security event

A

identified occurrence of a
system, service or network state
indicating a possible breach of
information security (3.28) policy (3.53)
or failure of controls (3.14),
or a previously unknown situation
that can be security relevant

31
Q

3.31 information security incident

A

single or a series of
unwanted or unexpected
information security events (3.30)
that have a significant probability of
compromising business operations and
threatening information security (3.28)

32
Q

3.32 information security incident management

A

set of processes (3.54) for
detecting, reporting, assessing,
responding to, dealing with, and
learning from
information security incidents (3.31)

33
Q

3.33 information security management system (ISMS) professional

A

person who
establishes, implements, maintains and
continuously improves
one or more information security management system processes (3.54)

34
Q

3.34 information sharing community (1 note)

A

group of organizations (3.50)
that agree to share information

Note 1 to entry: An organization can be an individual.

35
Q

3.35 information system

A

set of applications, services,
information technology assets, or
other information-handling components

36
Q

3.36 integrity

A

property of
accuracy and completeness

37
Q

3.37 interested party (preferred term)
stakeholder (admitted term)

A

person or organization (3.50) that
can affect, be affected by, or
perceive itself to be affected by
a decision or activity

38
Q

3.38 internal context (1 note)

A

internal environment
in which the organization (3.50)
seeks to achieve its objectives

Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54), systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.

39
Q

3.39 level of risk

A

magnitude of a risk (3.61)
expressed in terms of the combination of
consequences (3.12) and
their likelihood (3.40)

40
Q

3.40 likelihood

A

chance of something happening

41
Q

3.41 management system (3 notes)

A

set of interrelated or interacting elements
of an organization (3.50)
to establish policies (3.53) and objectives (3.49)
and processes (3.54) to achieve those objectives

Note 1 to entry: A management system can address a single discipline or several disciplines.

Note 2 to entry: The system elements include the organization's structure, roles and responsibilities, planning and operation.

Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.

42
Q

3.42 measure

A

variable to which a value is assigned
as the result of measurement (3.43)

43
Q

3.43 measurement

A

process (3.54) to
determine a value

44
Q

3.44 measurement function

A

algorithm or calculation performed
to combine two or more base measures (3.8)

45
Q

3.45 measurement method (1 note)

A

logical sequence of operations,
described generically,
used in quantifying an attribute
with respect to a specified scale

Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.

46
Q

3.46 monitoring (1 note)

A

determining the status of
a system, a process (3.54) or an activity

Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

47
Q

3.47 nonconformity

A

non-fulfilment of a requirement (3.56)

48
Q

3.48 non-repudiation

A

ability to prove
the occurrence of a claimed event (3.21) or action
and its originating entities

49
Q

3.49 objective (4 notes)

A

result to be achieved

Note 1 to entry: An objective can be strategic, tactical, or operational.

Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.54)].

Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).

Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.

50
Q

3.50 organization (1 note)

A

person or group of people
that has its own functions with
responsibilities, authorities and relationships
to achieve its objectives (3.49)

Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.

51
Q

3.51 outsource (1 note)

A

make an arrangement where
an external organization (3.50)
performs part of an organization's
function or process (3.54)

Note 1 to entry: An external organization is outside the scope of the management system (3.41), although the outsourced function or process is within the scope.

52
Q

3.52 performance (2 notes)

A

measurable result

Note 1 to entry: Performance can relate either to quantitative or qualitative findings.

Note 2 to entry: Performance can relate to the management of activities, processes (3.54), products (including services), systems or organizations (3.50).

53
Q

3.53 policy

A

intentions and direction of an organization (3.50),
as formally expressed by its top management (3.75)

54
Q

3.54 process

A

set of interrelated or interacting activities
which transforms inputs into outputs

55
Q

3.55 reliability

A

property of
consistent intended behaviour and results

56
Q

3.56 requirement (2 notes)

A

need or expectation that is
stated, generally implied or obligatory

Note 1 to entry: "Generally implied" means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.

Note 2 to entry: A specified requirement is one that is stated, for example in documented information.

57
Q

3.57 residual risk (2 notes)

A

risk (3.61) remaining after
risk treatment (3.72)

Note 1 to entry: Residual risk can contain unidentified risk.

Note 2 to entry: Residual risk can also be referred to as "retained risk".

58
Q

3.58 review

A

activity undertaken to determine
the suitability, adequacy and effectiveness (3.20)
of the subject matter
to achieve established objectives (3.49)

59
Q

3.59 review object

A

specific item being reviewed

60
Q

3.60 review objective

A

statement describing
what is to be achieved
as a result of a review (3.58)

61
Q

3.61 risk (6 notes)

A

effect of uncertainty on objectives (3.49)

Note 1 to entry: An effect is a deviation from the expected — positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73:2009, 3.5.1.3) and "consequences" (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.

Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.

Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.

62
Q

3.62 risk acceptance (2 notes)

A

informed decision to take
a particular risk (3.61)

Note 1 to entry: Risk acceptance can occur without risk treatment (3.72) or during the process (3.54) of risk treatment.

Note 2 to entry: Accepted risks are subject to monitoring (3.46) and review (3.58).

63
Q

3.63 risk analysis (2 notes)

A

process (3.54) to
comprehend the nature of risk (3.61)
and to determine the level of risk (3.39)

Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.67) and decisions about risk treatment (3.72).

Note 2 to entry: Risk analysis includes risk estimation.

64
Q

3.64 risk assessment

A

overall process (3.54) of
risk identification (3.68),
risk analysis (3.63) and
risk evaluation (3.67)

65
Q

3.65 risk communication and consultation (2 notes)

A

set of continual and iterative processes (3.54)
that an organization conducts to
provide, share or obtain information,
and to engage in dialogue with stakeholders (3.37)
regarding the management of risk (3.61)

Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.40), significance, evaluation, acceptability and treatment of risk.

Note 2 to entry: Consultation is a two-way process of informed communication between an organization (3.50) and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.

66
Q

3.66 risk criteria (2 notes)

A

terms of reference against which
the significance of risk (3.61) is evaluated

Note 1 to entry: Risk criteria are based on organizational objectives, and external context (3.22) and internal context (3.38).

Note 2 to entry: Risk criteria can be derived from standards, laws, policies (3.53) and other requirements (3.56).

67
Q

3.67 risk evaluation (1 note)

A

process (3.54) of comparing
the results of risk analysis (3.63)
with risk criteria (3.66)
to determine whether the risk (3.61) and/or its magnitude
is acceptable or tolerable

Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.72).

68
Q

3.68 risk identification (2 notes)

A

process (3.54) of
finding, recognizing and describing risks (3.61)

Note 1 to entry: Risk identification involves the identification of risk sources, events (3.21), their causes and their potential consequences (3.12).

Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' (3.37) needs.

69
Q

3.69 risk management

A

coordinated activities to
direct and control an organization (3.50)
with regard to risk (3.61)

70
Q

3.70 risk management process (1 note)

A

systematic application of
management policies (3.53), procedures and practices
to the activities of
communicating, consulting, establishing the context and
identifying, analysing, evaluating, treating,
monitoring and reviewing risk (3.61)

Note 1 to entry: ISO/IEC 27005 uses the term "process" (3.54) to describe risk management overall. The elements within the risk management (3.69) process are referred to as "activities".

71
Q

3.71 risk owner

A

person or entity with
the accountability and authority
to manage a risk (3.61)

72
Q

3.72 risk treatment (3 notes)

A

process (3.54) to modify risk (3.61)

Note 1 to entry: Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source;
— changing the likelihood (3.40);
— changing the consequences (3.12);
— sharing the risk with another party or parties (including contracts and risk financing);
— retaining the risk by informed choice.

Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".

Note 3 to entry: Risk treatment can create new risks or modify existing risks.

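The cards from 3.39 (level of risk) through 3.72 (risk treatment) describe one workflow: identify risks, analyse them to a level of risk, evaluate that level against risk criteria, treat, and check the residual risk. The script below is an added illustration of that vocabulary in code; it is not text from ISO/IEC 27000 and the standard prescribes none of it. The 1..5 ordinal scales, the product used as the analysis method, the acceptability threshold and the three register entries are all constructed assumptions chosen to make the terms concrete.

```python
"""
Worked example of the ISO/IEC 27000 risk vocabulary (3.39, 3.57, 3.61-3.72).
Added illustration, not text from the standard. The 1..5 ordinal scales, the
product as level-of-risk function, the acceptability threshold and the sample
register are constructed assumptions: ISO/IEC 27000 defines terms, not scales.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """Risk treatment options from 3.72 Note 1 (subset used in this example)."""
    RETAIN = "retain by informed choice"
    MODIFY = "change likelihood and/or consequences (apply controls)"
    SHARE = "share with another party"
    AVOID = "avoid the activity"


@dataclass
class Risk:
    """One register entry: a risk (3.61) together with its risk owner (3.71)."""
    ident: str
    description: str
    owner: str                    # risk owner (3.71)
    likelihood: int               # likelihood (3.40), assumed ordinal 1..5
    consequence: int              # consequence (3.12), assumed ordinal 1..5
    treatment: Treatment = Treatment.RETAIN
    # Planned post-treatment estimates; None means the score is unchanged.
    treated_likelihood: Optional[int] = None
    treated_consequence: Optional[int] = None


ACCEPTABLE_LEVEL = 6  # risk criteria (3.66): assumed threshold, not from the standard


def level_of_risk(likelihood: int, consequence: int) -> int:
    """Level of risk (3.39): magnitude as a combination of consequence and
    likelihood. Multiplying two ordinal scores is an assumed analysis method."""
    for score in (likelihood, consequence):
        if not 1 <= score <= 5:
            raise ValueError("scores must lie on the assumed 1..5 scale")
    return likelihood * consequence


def risk_analysis(risk: Risk) -> int:
    """Risk analysis (3.63): determine the level of risk of one entry."""
    return level_of_risk(risk.likelihood, risk.consequence)


def residual_level(risk: Risk) -> int:
    """Residual risk (3.57): the level remaining after risk treatment (3.72)."""
    lik = risk.likelihood if risk.treated_likelihood is None else risk.treated_likelihood
    con = risk.consequence if risk.treated_consequence is None else risk.treated_consequence
    return level_of_risk(lik, con)


def risk_evaluation(level: int, criteria: int = ACCEPTABLE_LEVEL) -> bool:
    """Risk evaluation (3.67): compare an analysed level with the risk criteria."""
    return level <= criteria


def assess_register(register: List[Risk]) -> List[Dict]:
    """Risk assessment (3.64) over a register. Identification (3.68) is the
    register itself; analysis and evaluation are computed for the inherent
    risk and again for the residual risk after the chosen treatment."""
    results = []
    for r in register:
        inherent = risk_analysis(r)
        residual = residual_level(r)
        results.append({
            "id": r.ident,
            "owner": r.owner,
            "inherent_level": inherent,
            "inherent_acceptable": risk_evaluation(inherent),
            "treatment": r.treatment.name,
            "residual_level": residual,
            "residual_acceptable": risk_evaluation(residual),
        })
    return results


def unresolved(register: List[Risk]) -> List[str]:
    """IDs whose residual risk still exceeds the criteria. Those need either
    further treatment or a documented risk acceptance (3.62) by the owner,
    and accepted risks stay subject to monitoring (3.46) and review (3.58)."""
    return [row["id"] for row in assess_register(register)
            if not row["residual_acceptable"]]


# Constructed sample register (assumed content, for illustration only).
SAMPLE_REGISTER = [
    Risk("R1", "Credential theft against an internet-facing VPN without MFA",
         owner="Head of IT", likelihood=4, consequence=4,
         treatment=Treatment.MODIFY, treated_likelihood=2),
    Risk("R2", "Loss of a laptop that has full-disk encryption enabled",
         owner="Head of IT", likelihood=3, consequence=1),
    Risk("R3", "Payment-card data held in a legacy system",
         owner="CFO", likelihood=3, consequence=5, treatment=Treatment.AVOID,
         treated_likelihood=1, treated_consequence=1),
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(row)
    print("needs acceptance or further treatment:", unresolved(SAMPLE_REGISTER))
```

Run as a script it prints the assessed register. R1 shows the point of 3.57 Note 1 and 3.62: the planned control lowers likelihood but the residual level (8) is still above the assumed threshold, so it either needs more treatment or an explicit, owner-signed acceptance; R3 is treated by avoidance and drops within criteria; R2 was acceptable without treatment.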
73
Q

3.73 security implementation standard

A

document specifying
authorized ways for realizing security

74
Q

3.74 threat

A

potential cause of an unwanted incident,
which can result in harm to
a system or organization (3.50)

75
Q

3.75 top management (3 notes)

A

person or group of people who
directs and controls an organization (3.50)
at the highest level

Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.

Note 2 to entry: If the scope of the management system (3.41) covers only part of an organization, then top management refers to those who direct and control that part of the organization.

Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.

76
Q

3.76 trusted information communication entity

A

autonomous organization (3.50)
supporting information exchange
within an information sharing community (3.34)

77
Q

3.77 vulnerability

A

weakness of an asset or control (3.14)
that can be exploited by
one or more threats (3.74)