ISO 27001 Definitions

Question 1

3.1 access control

Answer 1

means to ensure that access to assets is authorized and restricted based on business and security requirements (3.56)

Question 2

3.2 attack

Answer 2

attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset

Question 3

3.5 authentication

Answer 3

provision of assurance that a claimed characteristic of an entity is correct

Question 4

3.6 authenticity

Answer 4

property that an entity is what it claims to be

Question 5

3.7 availability

Answer 5

property of being accessible and usable on demand by an authorized entity

Question 6

3.8 base measure

Answer 6

measure (3.42) defined in terms of an attribute and the method for quantifying it

Note 1 to entry: A base measure is functionally independent of other measures.

Question 7

3.10 confidentiality

Answer 7

property that information is not made available or disclosed to unauthorized individuals, entities, or processes (3.54)

Question 8

3.12 consequence

Answer 8

outcome of an event (3.21) affecting objectives (3.49)

Note 1 to entry: An event can lead to a range of consequences.

Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.

Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.

Note 4 to entry: Initial consequences can escalate through knock-on effects.

Question 9

3.14 control

Answer 9

measure that is modifying risk (3.61)

Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify risk (3.61).

Note 2 to entry: It is possible that controls not always exert the intended or assumed modifying effect.

Question 10

3.15 control objective

Answer 10

statement describing what is to be achieved as a result of implementing controls (3.14)

Question 11

3.16 correction

Answer 11

action to eliminate a detected nonconformity (3.47)

Question 12

3.17 corrective action

Answer 12

action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence

Question 13

3.18 derived measure

Answer 13

measure (3.42) that is defined as a function of two or more values of base measures (3.8)

Question 14

3.19 documented information

Answer 14

information required to be controlled and maintained by an organization (3.50) and the medium on which it is contained

Note 1 to entry: Documented information can be in any format and media and from any source.

Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).

Question 15

3.21 event

Answer 15

occurrence or change of a particular set of circumstances

Note 1 to entry: An event can be one or more occurrences, and can have several causes.

Note 2 to entry: An event can consist of something not happening.

Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.

Question 16

3.23 governance of information security

Answer 16

system by which an organization’s (3.50)information security (3.28) activities are directed and controlled

Question 17

3.24 governing body

Answer 17

person or group of people who are accountable for the performance (3.52) and conformity of the organization (3.50)

Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.

Question 18

3.25 indicator

Answer 18

measure (3.42) that provides an estimate or evaluation

Question 19

3.26 information need

Answer 19

insight necessary to manage objectives (3.49), goals, risks and problems

Question 20

3.27 information processing facilities

Answer 20

any information processing system, service or infrastructure, or the physical location housing it

Question 21

3.28 information security

Answer 21

preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information

Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved.

Question 22

3.29 information security continuity

Answer 22

processes (3.54) and procedures for ensuring continued information security (3.28) operations

Question 23

3.30 information security event

Answer 23

identified occurrence of a system, service or network state indicating a possible breach of information security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be security relevant

Question 24

3.31 information security incident

Answer 24

single or a series of unwanted or unexpected information security events (3.30) that have a significant probability of compromising business operations and threatening information security (3.28)

Question 25

3.32 information security incident management

Answer 25

set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents (3.31)

Question 26

3.33 information security management system (ISMS) professional

Answer 26

person who establishes, implements, maintains and continuously improves one or more information security management system processes (3.54)

Question 27

3.34 information sharing community

Answer 27

group of organizations (3.50) that agree to share information Note 1 to entry: An organization can be an individual.

Question 28

3.35 information system

Answer 28

set of applications, services, information technology assets, or other information-handling components

Question 29

3.36 integrity

Answer 29

property of accuracy and completeness

Question 30

3.42 measure

Answer 30

variable to which a value is assigned as the result of measurement (3.43)

Question 31

3.43 measurement

Answer 31

process (3.54) to determine a value

Question 32

3.44 measurement function

Answer 32

algorithm or calculation performed to combine two or more base measures (3.8)

Question 33

3.45 measurement method

Answer 33

logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute (3.4). Two types can be distinguished: — subjective: quantification involving human judgment; and — objective: quantification based on numerical rules.

Question 34

3.46 monitoring

Answer 34

determining the status of a system, a process (3.54) or an activity Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.

Question 35

3.48 non-repudiation

Answer 35

ability to prove the occurrence of a claimed event (3.21) or action and its originating entities

Question 36

3.49 objective

Answer 36

result to be achieved Note 1 to entry: An objective can be strategic, tactical, or operational. Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and process (3.54)]. Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target). Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.

Question 37

3.57 residual risk

Answer 37

risk (3.61) remaining after risk treatment (3.72) Note 1 to entry: Residual risk can contain unidentified risk. Note 2 to entry: Residual risk can also be referred to as “retained risk”.

Question 38

3.72 risk treatment

Answer 38

process (3.54) to modify risk (3.61) Note 1 to entry: Risk treatment can involve: — avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; — taking or increasing risk in order to pursue an opportunity; — removing the risk source; — changing the likelihood (3.40); — changing the consequences (3.12); — sharing the risk with another party or parties (including contracts and risk financing); — retaining the risk by informed choice. Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”. Note 3 to entry: Risk treatment can create new risks or modify existing risks.

Question 39

3.73 security implementation standard

Answer 39

document specifying authorized ways for realizing security

Question 40

3.74 threat

Answer 40

potential cause of an unwanted incident, which can result in harm to a system or organization (3.50)

Question 41

3.76 trusted information communication entity

Answer 41

autonomous organization (3.50) supporting information exchange within an information sharing community (3.34)

Question 42

3.77 vulnerability

Answer 42

weakness of an asset or control (3.14) that can be exploited by one or more threats (3.74)