ISO/IEC 27000

ISO/IEC 27000:2018 – Information technology – Security techniques – Information security management systems – Overview and vocabulary (5th edition)

Introduction

The ISO/IEC 27000 standard offers a comprehensive overview of information security management systems (which are the basis for the ISO27k standards), and it defines several terms (such as those used within the ISO27k standards) formally and explicitly.

A glossary of ISO27k/ISMS terms

Most of the specialist terms used in ISO27k standards have been carefully clarified in the vocabulary of the glossary of formal definitions. The terminology for information security is complex, as is the case with most technical subjects. Many of the core terms in information security (such as “risk”) are interpreted differently depending on the context and the author’s intention, as well as the reader’s preconceived notions. The lack of precise definitions is unhelpful in standards circles where the confusion arises from ambiguity. As a practical matter, it would be awkward to certify compliance with ISO/IEC 27001 if the terms used by both assessors and assessed meant different things!

Although the vocabulary in ISO/IEC 27000 is spreading through the worldwide information security professional community, there are still misunderstandings, clashes, and conceptual gaps, sometimes for good reason. While you may disagree with the definitions here, getting acquainted with them is worthwhile considering some of the versions used by your professional contacts are implicitly accepted by them.

The ISO/IEC 27000 protocol largely replaces ISO/IEC Guide 2:1996 “General vocabulary for standardization”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for standards use”, and ISO/IEC 2382-8: “Information technology – Vocabulary Part 8: Security”.

Several non-ISO27k ISO standards are also included. ISO 9000 standards are not always entirely appropriate in terms of information security as they are when they are reproduced unchanged from other standards. In the ISO27K standards, they are not always used exactly as they were defined or intended. Over time, as definitions are gradually updated or superseded, the lexicon becomes much more coherent and consistent across all ISO27k standards – no small feat when you consider how difficult it was to coordinate between the different committees, project editors, editors and managers while developing the language and the concepts in the process.

The overview for ISMS/ISO27k

A basic overview of Information Security Management Systems (ISMSs) presents information security, risk management, and management systems. From the perspective of the committee that wrote the standards, it is clearly described even if it is rather lengthy. Although there is only one diagram, which groups together similar types of ISO27k standards, there is still room for sites such as this one to exist!

The standard’s status

ISO/IEC 27000 has been updated four times since its publication in 2009: in 2012, 2014, 2016 and 2018.

Very interesting! The French and English versions of the fifth edition are available for free download directly from the ITTF (as a single-user PDF). The 2016 edition was slightly revised with a section on abbreviations, and the metrics-related definitions were rationalized.

Commentary

ISO27k should be renamed “information risk” throughout instead of “information security risk”. The phrase “information security risk” isn’t formally defined and is even meaningless. It may be intended to portray us as speaking about risk concerning information security, but it may also reflect risks that relate to information security, which would include things such as failure to identify novel threats and lack of management support those are risks, but not ISO27k’s concern. However, the committee may feel the need to provide an explicit definition for “information risk.”. As an alternative to ISO27k, I suggest “risk about information” or “risk relating to information” where both risk and information are comprehensively defined in dictionaries (in contrast to ISO27k’s definition of risk).

Some ISO directives (for a strange reason) seem to prohibit the standard from including both definitions and narrative, which raises doubt about the future of ISO/IEC 27000. To restore the older mechanism of ISO 27k standards containing their own set of designations, maintained by their editorial teams, a proposal has been presented. The approach wasn’t entirely successful before, and I don’t have any reason to believe it has become more effective. The glossary can also be published outside of the ISO/IEC/ITTF system, which may speed up the process. It appears ISO is proposing online glossaries. These may be based on either the ISO Online Browsing Platform or the IEC’s International Electrotechnical Vocabulary (also referred to as Electropedia).

It’s worth noting that the ISO website does not expand the abbreviation “ITTF.”. Something tells me it’s for I Think That’s Funny or International Table Tennis Foundation. Therefore, we are left with Information Technology Task Force. Most likely!

 

About Author /

Start typing and press Enter to search