ISO/IEC 27000
Go home

ISO/IEC 27000 Information technology -- Security techniques -- Information security management systems - Fundamentals and vocabulary (draft)

The scope of ISO/IEC 27000 is “to specify the fundamental principles, concepts and vocabulary for the ISO/IEC 27000 (information security management system) series of documents.”

ISO/IEC 27000 will contain the fundamentals and vocabulary, in other words:

  • An overview of the ISO27k standards showing how they are used collectively to plan, implement, certify and operate an ISMS, with a basic introduction to information security, risk management and management systems
  • Carefully-worded definitions for the information security-related terms as they are used throughout the ISO27k standards. 

ISO/IEC 27000 will soon be available as an FCD and is scheduled for publication by 2009, perhaps earlier during 2008 since it is close to completion already. 

When released, ISO/IEC 27000 will be free of charge since (a) it introduces and promotes ISO27k as a whole; and (b) there is value in spreading an agreed set of definitions as widely as possible to bring some stability to the field of information security.

Information security, like most technical subjects, is evolving a complex web of terminology. Several core terms in information security (such as “risk”) have different meanings according to the context and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean but this is unacceptable in the standards arena as it leads to confusion and devalues formal assessment and certification.

ISO/IEC 27000 will be similar to other vocabulary and definitions standards but will hopefully become a generally-accepted reference for information security terms amongst the information security profession. It will reference or absorb and supercede related guidelines such as ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO/IEC Guide 73:2002 “Risk management – Vocabulary – Guidelines for use in standards” ISO/IEC 2382-8: “Information technology - Vocabulary Part 8: Security” and ISO 9000, the quality assurance standard.

A bit of red tape is complicating matters slightly. ISO standards are only supposed to reference other issued standards, which is a bit tricky for an ISO27k overview standard since only 27001, 27002 and 27006 are currently issued. Hopefully SC27/JTC1 will find a way to avoid having to revise and reissue 27000 every time another ISO27k standard is published ...

Copyright © 2008 IsecT Ltd.