ISO/IEC 27000
Copyright © 2009 IsecT Ltd.

ISO/IEC 27000:2009 Information technology -- Security techniques -- Information security management systems -- Fundamentals and vocabulary (published May 2009)

The scope of ISO/IEC 27000 is “to specify the fundamental principles, concepts and vocabulary for the ISO/IEC 27000 (information security management system) series of documents.”

ISO/IEC 27000 contains the fundamentals and vocabulary, in other words:

  • An overview of the ISO27k standards showing how they are used collectively to plan, implement, certify and operate an ISMS, with a basic introduction to information security, risk management and management systems.
  • Carefully-worded definitions for the information security-related terms as they are used throughout the ISO27k standards.

Information security, like most technical subjects, has evolved a complex web of terminology. Several core terms in information security (such as “risk”) carry different meanings depending on the context and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean, but this is unacceptable in the standards arena, where it leads to confusion and devalues formal assessment and certification.

ISO/IEC 27000 is similar to other vocabulary and definitions standards and will hopefully become a generally-accepted reference for information security terms amongst the information security profession. It largely supersedes the terms and definitions embedded in ISO27k standards already published and, to a large extent, those in related guidelines such as ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO/IEC Guide 73:2002 “Risk management – Vocabulary – Guidelines for use in standards”, ISO/IEC 2382-8 “Information technology – Vocabulary – Part 8: Security” and ISO 9000, the quality assurance standard.


ISO/IEC 27000 will be revised more often than most other standards in order to reflect other ISO27k standards currently being developed, plus the ongoing revision of ISO/IEC 27001, ISO/IEC 27002 and ISO Guide 73. The idea is basically to move the definitions of most information security management terms out of the other ISO27k standards and into ISO/IEC 27000, except for any that have to be defined specifically in a particular ISO27k standard because they are used there in a way that differs from the norm.


Hot stuff! ISO/IEC 27000 is available as a FREE download from the ITTF site associated with ISO: it’s a PDF inside a ZIP file.

PS: Software and systems engineering terms defined in ISO/IEC and IEEE standards are searchable online. The definitions of some information security and risk-related terms there differ slightly from those in ISO/IEC 27000, so bear this in mind when reading standards other than ISO27k.