The key terms you may need to know while navigating ISO 27001
| Term | Definition |
| --- | --- |
| Access Control | Ensuring that physical and logical access to assets is authorised and restricted based on business and information security requirements. |
| Annex A | Annex A of ISO 27001 lists specific security controls organisations can implement as part of their ISMS. These controls are categorised into different sections, such as information security policies, organisation of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, information security incident management, information security aspects of business continuity management, and compliance. Annex A provides the reference controls against which the Statement of Applicability is built. |
| Asset | Anything that has value to the organisation. |
| Authentication | The process of verifying the identity of a user or system. |
| Authorisation | The process of granting or denying access to resources based on the user's identity and permissions. |
| Clauses | ISO 27001 is structured into 10 main clauses covering the requirements an organisation must meet to comply with the standard. These clauses provide a high-level framework for implementing, maintaining, and continually improving an ISMS. |
| Confidential Information | Information not intended to be made available or disclosed to unauthorised individuals, entities, or processes. |
| Context of the Organisation | The internal and external issues relevant to the organisation's purpose that affect its ability to achieve the intended outcomes of its Information Security Management System (ISMS). Understanding these issues is a prerequisite for scoping the ISMS. |
| Control | A safeguard or countermeasure to avoid, detect, counteract, or minimise security risks to physical property, information, computer systems, or other assets. ISO 27001 provides a comprehensive set of controls, outlined in Annex A, that organisations can implement based on their specific risk assessment. |
| Information Security Management System (ISMS) | A systematic approach to managing sensitive company information and ensuring its security. It includes people, processes, and IT systems and applies a risk management process. |
| Information System | A set of applications, services, information technology assets, or other information-handling components. |
| Interested Party | A person or organisation that can be affected by, or perceive itself to be affected by, a decision or activity. |
| ISO 27002 | Provides guidelines for organisational information security standards and management practices, including control selection, implementation, and management. |
| Nonconformity | The non-fulfilment of a requirement. When a nonconformity occurs, the organisation must act to control and correct it, evaluate the need for action to eliminate its causes, and prevent recurrence. |
| Policy | The intentions and direction of an organisation, as formally expressed by its top management. |
| Procedure | A specified way to carry out an activity or a process. |
| Process | A set of interrelated or interacting activities that use or transform inputs to deliver a result. |
| Record | Information created, received, and maintained as evidence and as an asset by an organisation or person in pursuit of legal obligations or in business transactions. |
| Risk Assessment | A risk assessment identifies, evaluates, and estimates the risks involved in a situation, and then coordinates resources to minimise, monitor, and control the probability or impact of those risks. Under ISO 27001, this means identifying potential security risks to the organisation's information assets and evaluating their potential impact. |
| Risk Treatment | Selecting and implementing measures to address identified risks. These measures can include avoiding the risk, reducing the risk, transferring the risk, or accepting the risk. |
| Sensitive Information | Information that must be protected from unavailability, unauthorised access, modification, or public disclosure because of the potential adverse effects on an individual, organisation, national security, or public safety. |
| Statement of Applicability | A documented statement that describes the controls determined to be necessary, their implementation status, the justification for their inclusion, and the reasons for excluding any controls listed in Annex A. |