ISO/IEC 27000:2014 Information technology — Security techniques — Information security management systems - Overview and vocabulary (third edition)
Introduction and scope
ISO/IEC 27000 “provides an overview of information security management systems, and defines related terms.” The document is laid out in the opposite sequence ...
ISMS/ISO27k vocabulary section
The vocabulary or glossary of carefully-worded formal definitions covers most of the specialist information security-related terms used in the ISO27k standards, 89 of them in the current edition. Information security, like most technical subjects, uses a complex web of terminology that is evolving. Several core terms in information security (such as “risk”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean but such ambiguity is distinctly unhelpful in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify compliance with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessed!
The vocabulary in ISO/IEC 27000 is gradually spreading throughout the global information security profession although some individuals and groups differ, sometimes with good reason, creating occasional misunderstandings, clashes, and conceptual chasms. Even if you happen to disagree with the definitions here, it’s well worth getting familiar with them as some of your professional contacts will implicitly accept the ISO/IEC versions.
ISO/IEC 27000 largely supersedes ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards”, and ISO/IEC 2382-8: “Information technology - Vocabulary Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards. Terms that are reproduced unchanged from other ISO standards such as ISO 9000 are not always entirely appropriate as such in the information security context. They are not necessarily used in the ISO27k standards in full accordance with the original definitions or intended meanings. However, as the definitions are gradually updated or superseded, the lexicon is evolving into a reasonably coherent and consistent state across the whole ISO27k suite - a remarkable achievement in its own right given the practical difficulties of coordinating the effort across a loose collection of separate committees, editing projects, editors and managers, developing the language and the concepts as we go.
ISMS/ISO27k overview section
The overview of Information Security Management Systems (ISMSs) introduces information security, risk and security management, and management systems. It’s a reasonably clear if wordy description of the ISO27k approach and standards, from the perspective of the committee that wrote them. There’s only one diagram, unfortunately, and all that does is group similar types of ISO27k standards together, but, hey, that leaves room for sites such as this one!
Status of the standard
The first edition was published in 2009 and the second in 2012.
The third edition, published in January 2014, is available legitimately as a FREE PDF download from ITTF. If you are temporarily short of a screen or printer, and feel the desperate need to read the standard in the Little Room, you can purchase your very own paper copy from the ISO/IEC webstore for the princely sum of 128 Swiss Francs.
The third edition incorporates terms used in the 2013 updates to ISO/IEC 27001 and 27002, and has dropped or changed a few terms since the previous edition (e.g. “Accountability”, “Asset” and “Information asset” are no longer defined, and there are updated, lengthy notes for “Risk”).
ISO/IEC 27000 will be revised and republished repeatedly as further ISO27k standards are published or updated. A study period is under way concerning how further updates to 27000 will be handled. A number of changes have been discussed already, such as grouping/categorizing the terms in some way to “improve their presentation”. Comments are welcome by SC 27 via your national standards body.
I suspect the terms “Asset” and “Information asset” were dropped from the third edition primarily in order to draw to a close the lengthy but rather unedifying SC27 discussions (OK, arguments!) around those contentious terms - well, “Asset” is entirely straightforward so the dictionary definition suffices, but “Information asset” is ambiguous. Does “information asset” (as still used, for instance, in the notes to the definition of “Risk”) refer to intangible information content, tangible data storage media, both, or something else entirely? The distinction could be quite important in the context of various ISO27k standards, but I guess organizations using the standards will have to figure out the answers for themselves.
Removal of the term “Accountability” from the vocabulary would be a backward step if it meant this extremely important and valuable concept was no longer to be a part of ISO27k. The possibility of an authority holding them to account and perhaps imposing penalties is generally what forces people and organizations to take their responsibilities to heart. It’s what makes them accept and internalize their obligations towards others. However, the dictionary definition of the term is perfectly adequate in the information security context: it is not a specialist term - a statement that also applies, however, to roughly half of the 89 terms defined in the vocabulary.
Although the vocabulary defines “ISMS project” and “Management system”, “ISMS” itself is missing from the list but it is of course explained at some length in the remainder of ISO/IEC 27000 and the other ISO27k standards.
The sometimes extensive notes to the definitions are symptomatic of a lack of clarity in some of the actual definitions, in some cases suggesting distinct meanings or interpretations of the terms. Dictionaries don’t need separate notes: why does ISO/IEC 27000? Dictionaries sometimes present alternative definitions as separate numbered entries, emphasizing that the terms may mean different things in different contexts: why can’t ISO/IEC 27000 follow their lead? Dictionaries also distinguish types of words (e.g. verbs and nouns) - again, seems like a good idea to me to be more consistent.
A note to the definition of “Outsource” states categorically that “an external organization is outside the scope of the management system, although the outsourced function or process is within the scope”, which pre-empts the organization’s ISMS scoping decisions. I suspect that was unintentional.
It may be an artificial and clumsy term but “Documented information” is now defined, meaning “information required to be controlled and maintained by an organization and the medium on which it is contained”. As formally defined, an awkward so-and-so like me could argue that information which the organization chooses not to ‘control’ and/or not to ‘maintain’ (whatever that means), or that it neglects, somehow ceases to exist as ‘information’. If I’m feeling obstreperous, I might also argue that knowledge, creative ideas, expertise, brands and so forth - i.e. intangible but often highly valuable forms of information - also fall outside the definition, calling into question the applicability and relevance of ISO27k. [Just a hint there of why the definitions of “asset” and “information asset” were such bones of contention. One national body even suggested that ‘vocabulary’ is not the correct term, although the alternatives they suggested were no better. And so the game continues.]