ISO/IEC 27000:2014 Information technology — Security techniques — Information security management systems - Overview and vocabulary (third edition)
Introduction and scope
ISO/IEC 27000 “provides an overview of information security management systems, and defines related terms.” The document is laid out in the opposite sequence ...
ISMS/ISO27k vocabulary section
The vocabulary or glossary of carefully-worded formal definitions covers most of the specialist information security-related terms used in the ISO27k standards, 89 of them in the current edition. Information security, like most technical subjects, uses a complex web of terminology that is evolving. Several core terms in information security (such as “risk”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean but such ambiguity is distinctly unhelpful in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify compliance with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessed!
The vocabulary in ISO/IEC 27000 is gradually spreading throughout the global information security profession although some individuals and groups differ, sometimes with good reason, creating occasional misunderstandings, clashes, and conceptual chasms. Even if you happen to disagree with the definitions here, it’s well worth getting familiar with them as some of your professional contacts will implicitly accept the ISO/IEC versions.
ISO/IEC 27000 largely supersedes ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards”, and ISO/IEC 2382-8: “Information technology - Vocabulary Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards. Terms that are reproduced unchanged from other ISO standards such as ISO 9000 are not always entirely appropriate as such in the information security context. They are not necessarily used in the ISO27k standards in full accordance with the original definitions or intended meanings. However, as the definitions are gradually updated or superseded, the lexicon is evolving into a reasonably coherent and consistent state across the whole ISO27k suite - a remarkable achievement in its own right given the practical difficulties of coordinating the effort across a loose collection of separate committees, editing projects, editors and managers, developing the language and the concepts as we go.
ISMS/ISO27k overview section
The overview of Information Security Management Systems (ISMSs) introduces information security, risk and security management, and management systems. It’s a reasonably clear if wordy description of the ISO27k approach and standards, from the perspective of the committee that wrote them. There’s only one diagram, unfortunately, and all that does is group similar types of ISO27k standards together, but, hey, that leaves room for sites such as this one!
Status of the standard
The first edition was published in 2009 and the second in 2012.
The third edition, published in 2014, can be FREELY downloaded from ITTF. [If you are temporarily short of a screen or printer, and feel the desperate need to read the standard in private, you can purchase your very own printed paper copy from the ISO/IEC webstore for the princely sum of 128 Swiss Francs.]
The third edition incorporates terms used in the 2013 updates to ISO/IEC 27001 and 27002, and dropped or changed a few terms since the previous edition (e.g. accountability, asset and information asset are not currently defined, and there are updated, lengthy notes for risk).
ISO/IEC 27000 will be revised and republished repeatedly as further ISO27k standards are published or updated. The fourth edition may not be published until 2016.
The fifth edition is already planned to follow thereafter. Proposed new terms and modified definitions may include: disaster recovery, owner, risk source and traceability. The definition of policy may be dropped since the Oxford English Dictionary definition is adequate (better in fact!), while asset may yet make a triumphant reappearance, perhaps being defined in terms of primary assets (such as information) and supporting assets (such as IT systems) as if that helps ...
The SC 27 project maintaining ISO/IEC 27000 also maintains an internal Standing Document (WG1 SD2) on terminology.
I suspect the terms asset and information asset were dropped from the third edition to draw to a close the lengthy but rather unedifying SC27 discussions (OK, arguments!) around those contentious terms - well, asset is entirely straightforward so the dictionary definition suffices, but information asset is definitely ambiguous. Does information asset (as still used, for instance, in the notes to the definition of risk) refer to intangible information content, or to the tangible data storage media, both, or something else entirely? The distinction could be quite important in the context of various ISO27k standards but I guess organizations using the current standards must figure out the answers for themselves.
Removal of the term accountability from the third edition would be a backward step if it meant this extremely important and valuable concept was no longer to be a part of ISO27k. The possibility of an authority holding them to account and perhaps imposing penalties is generally what forces people and organizations to take their responsibilities to heart. It’s what makes them accept and internalize their obligations towards others. However, the dictionary definition of the term is perfectly adequate in the information security context: it is not a specialist term. The same point applies to roughly half of the 89 terms defined in the third edition: the dictionary does a better job than SC27. The editors and/or committee really ought to compare the definitions in 27000 systematically against the Oxford English Dictionary in accordance with WG1 SD2.
Although the vocabulary defines ISMS project and management system, ISMS itself is missing from the third edition but it is of course explained at some length in the remainder of ISO/IEC 27000 and the other ISO27k standards.
The sometimes extensive notes to the definitions are symptomatic of a lack of clarity in some of the actual definitions, in some cases suggesting distinct meanings or interpretations of the terms. Dictionaries don’t need separate notes: why does ISO/IEC 27000? Dictionaries sometimes present alternative definitions as separate numbered entries, emphasizing that the terms may mean different things in different contexts: why can’t ISO/IEC 27000 follow their lead? Dictionaries also distinguish types of words (e.g. verbs and nouns) - again, it seems like a good idea to be more consistent.
It may be an artificial and clumsy term but documented information means “information required to be controlled and maintained by an organization and the medium on which it is contained”. As formally defined, an awkward so-and-so like me could argue that information which the organization chooses not to ‘control’ and/or not to ‘maintain’ (whatever that means), or that it neglects, somehow ceases to exist as ‘information’. If I’m feeling obstreperous, I might also argue that knowledge, creative ideas, expertise, brands, intellectual property and so forth - i.e. intangible but often highly valuable forms of information - also fall outside the definition, calling into question the applicability and relevance of ISO27k. Just a hint there of why the definitions of asset and information asset are such bones of contention.
One national body even suggested that vocabulary is not the correct term for the title of this standard, although the alternatives they suggested were no better. And so the word-game continues.