Common terminology for information security management just revised
February 2016 by Sandrine Tranchard
All information held and processed by an organization is subject to the risks of attack, error and natural disaster, and other vulnerabilities inherent to its use. Information security is therefore at the heart of an organization’s activities and focuses on information that is considered a valuable “asset” requiring appropriate protection, for example against the loss of availability, confidentiality and integrity.
The family of standards on information security management systems (ISMS) lets organizations develop and implement a robust framework for managing the security of their information assets, including financial data, intellectual property, employee details, and information otherwise entrusted to them by customers or third parties.
The recently revised ISO/IEC 27000:2016, Information technology – Security techniques – Information security management systems – Overview and vocabulary, gives a comprehensive view of information security management systems covered by the ISMS family of standards, and defines related terms and definitions. “Every common language requires a common set of terminology, and this is provided by ISO/IEC 27000,” says Prof. Edward Humphreys, Convenor of working group ISO/IEC JTC 1/SC 27/WG 1 that developed the standard.
Protecting its information assets through defining, achieving, maintaining and improving security levels is essential for an organization to meet its objectives and strengthen its legal compliance and image. The coordinated activities needed to direct the implementation of suitable controls and mitigate unacceptable information security risks are part of what is known as information security management.
ISO/IEC 27000 gives a high-level overview of the ISMS family of standards (ISO/IEC 27001), how they support the implementation of requirements contained in ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements, and how they relate to each other. Elzbieta Andrukiewicz, the editor of ISO/IEC 27000, explains: “ISO/IEC 27000 provides a very brief introduction to the information security area and information security management systems, describing how to implement, operate, maintain and improve the ISMS.”
The standard lays down the key factors of a successful implementation and the numerous benefits of using the ISMS family of standards. It provides an understanding of how the ISO/IEC 27001 family fits together through its multi-faceted approach, clarifying the standards’ scopes, roles, functions and relationship to each other. In addition, ISO/IEC 27000 gathers in one place all the essential terminology used in the ISO/IEC 27001 family.
ISO/IEC 27000:2016 revises the 2010 edition; it has been updated and extended to align with the revised version of ISO/IEC 27001 and other standards of the family that are currently under review.
ISO/IEC 27000:2016 was developed by joint technical committee ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, whose secretariat is held by DIN, the ISO member for Germany. It is available from your national ISO member or through the ISO Store.