In organizations today, the use and importance of information is endless. Emerging technologies and platform-based business models have made it easy to access information, process it, store it, and communicate it globally. These have also made it so difficult to protect the information. In dealing with the risks related to the organization’s information, several organizations have decided to adopt and implement security standards and frameworks, among them is ISO 27001. While implementing or considering implementing ISO 27001 in your organization, it is essential to understand some key terms and definitions relevant to the standard.

ISO 27001 is a widely recognized international standard that outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

ISO 27001 key terms and definitions

Information security management system (ISMS): The framework of policies, procedures, and controls used to manage and protect an organization’s information assets and ensure the confidentiality, integrity, and availability of information through risk management processes.

Information security: The preservation of confidentiality, integrity, and availability of information.

Information security objectives: Specific, measurable goals that an organization sets to achieve concerning its information security management system.

Statement of Applicability (SoA): A document that outlines which controls from the ISO 27001 standard are applicable and how they are implemented to mitigate risks within an organization.

Information security policy: A documented statement of management’s intent or direction that defines an organization’s information security objectives, the roles and responsibilities for information security management, and the requirements for ensuring the confidentiality, integrity, and availability of information in an organization.

Procedure: A set of steps that describe how to carry out a specific activity in an organization.

Asset: Anything that has value to an organization, such as information, hardware, software, people, and facilities.

Vulnerability: A weakness in an asset or its security controls that can be exploited by a threat to compromise the confidentiality, integrity, or availability of information.

Control: A measure that is put in place and taken to manage or mitigate risk to an organization’s information assets.

Risk: The likelihood and impact of a threat exploiting a vulnerability in an asset.

Threat: Any potential cause of an unwanted incident that can result in harm to an organization’s information assets.

Risk treatment: The process of selecting and implementing measures to reduce, mitigate, or avoid identified risks.

Risk assessment: The process of identifying, analyzing, and evaluating risks to an organization’s information assets.

Risk management: The process of identifying, analyzing, and evaluating risks to an organization’s information assets and taking steps to mitigate those risks.

Information security incident: An event that results in the compromise of the confidentiality, integrity, or availability of an organization’s information assets.

Continual improvement: The ongoing process of reviewing and enhancing an organization’s information security management system – ISMS – to ensure that it remains effective and efficient.

Audit: A systematic and independent examination of an organization’s information security management system.