ISO/IEC 27000:2012 Information technology — Security techniques — Information security management systems - Overview and vocabulary (second edition)
ISO/IEC 27000 “describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions”.
ISO/IEC 27000 contains both an overview and a vocabulary:
An overview of the ISO27k standards showing how they are used collectively to plan, implement, certify and operate an ISMS, with a basic introduction to information security, risk management and management systems;
A vocabulary or glossary of carefully-worded formal definitions for many of the information security-related terms used in the ISO27k standards.
ISO/IEC 27000 is similar to other vocabulary and definitions standards. Information security, like most technical subjects, has evolved a complex web of terminology. Several core terms in information security (such as “risk”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean, but this ambiguity is unacceptable in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify compliance with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessees!
While ISO/IEC 27000 makes a genuine attempt to define the specialist terms as precisely and unambiguously as possible, this is not an easy task; hence some definitions include explanatory notes referring to other possible interpretations. Such is the nature of standards produced by international committees.
ISO/IEC 27000 is gradually becoming accepted by the information security profession as a whole.
It largely supersedes ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO/IEC Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards” and ISO/IEC 2382-8 “Information technology – Vocabulary – Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards such as ISO 9000.
ISO/IEC 27000 will be revised and republished repeatedly as further ISO27k standards are published. The definitions of information security management terms are gradually being transferred from existing ISO27k standards into ISO/IEC 27000 as updated versions are published.
Status of the standard
The first edition was published in 2009.
The second edition, published at the end of 2012, is the current version. It incorporated additional and refined definitions for a number of information security-related terms used in ISO27k and other ISO standards, e.g. new definitions of guideline and risk, while audit scope was one of several new additions to the glossary in 2012.
ISO/IEC 27000:2012 is available as a FREE digital download from ITTF, or if you prefer a printed version, it can be bought from the ISO/IEC webstore for about 116 Swiss Francs.
The third edition, incorporating terms used in the 2013 releases of ISO/IEC 27001 and 27002, has been cleared for publication and should emerge from the machinery soon.
Software and systems engineering terms defined in ISO/IEC and IEEE standards are searchable online. The definitions of some information security and risk-related terms differ slightly from those defined in ISO/IEC 27000, so bear this in mind when reading various standards.