ISO/IEC 27000:2016 Information technology — Security techniques — Information security management systems — Overview and vocabulary (fourth edition)
Introduction and scope
ISO/IEC 27000 is a ‘technical specification’ that “provides an overview of information security management systems, and defines related terms.”
ISMS/ISO27k vocabulary section
The vocabulary or glossary of carefully worded formal definitions covers most of the specialist information security-related terms used in the ISO27k standards. Information security, like most technical subjects, uses a complex web of terminology that is continually evolving. Several core terms in information security (such as “risk”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean, but such ambiguity is distinctly unhelpful in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify compliance with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessed!
The vocabulary in ISO/IEC 27000 is gradually spreading throughout the global information security profession although some individuals and groups differ, sometimes with good reason, creating occasional misunderstandings, clashes, and conceptual chasms. Even if you happen to disagree with the definitions here, it’s well worth getting familiar with them as some of your professional contacts will implicitly accept the ISO/IEC versions.
ISO/IEC 27000 largely supersedes ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards”, and ISO/IEC 2382-8: “Information technology - Vocabulary Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards. Terms reproduced unchanged from other ISO standards such as ISO 9000 are not always entirely appropriate in the information security context, and they are not necessarily used in the ISO27k standards in full accordance with the original definitions or intended meanings. However, as the definitions are gradually updated or superseded, the lexicon is evolving into a reasonably coherent and consistent state across the whole ISO27k suite, a remarkable achievement in its own right given the practical difficulties of coordinating the effort across a loose collection of separate committees, editing projects, editors and managers, developing the language and the concepts as we go.
ISMS/ISO27k overview section
The overview of Information Security Management Systems (ISMSs) introduces information security, risk and security management, and management systems. It is a reasonably clear if wordy description of the ISO27k approach and standards, from the perspective of the committee that wrote them. There’s only one diagram, unfortunately, and all that does is group similar types of ISO27k standards together, but, hey, that leaves room for sites such as this one!
Status of the standard
ISO/IEC 27000 was first published in 2009 and updated in 2012 and 2014. The 2014 third edition, currently still available as a FREE download from ITTF, incorporated terms used in the 2013 updates to ISO/IEC 27001 and 27002.
The 2016 fourth edition was published at the end of February. We are anxiously awaiting the release of the free version ... hopefully. Meanwhile, if you can’t bear the suspense and have 138 Swiss Francs (=US$138) going spare, you can buy it from the ISO/IEC webstore and other outlets.
ISO/IEC 27000 will be revised and republished repeatedly as further ISO27k standards are published or updated. The fifth edition will follow, probably in 2017. Proposed new terms and modified definitions may include: disaster recovery, owner, risk source and traceability. The definition of policy may be dropped since the Oxford English Dictionary definition is adequate (better in fact!), while asset may yet make a triumphant reappearance, perhaps being defined in terms of primary assets (such as information) and supporting assets (such as IT systems) as if that helps ...
The SC 27 project maintaining ISO/IEC 27000 also maintains an internal Standing Document (WG1 SD2) on terminology.