12 << 5555


Among other things, the current (fifth, 2018) edition of ISO/IEC 27000 defines key terms of art used throughout the ISO27k standards. The standard is available as a legitimate free download from ISO. If you haven't already seen it, go ahead - download the standard and take a good look at these 77 terms defined in clause 3:

  1. access control
  2. attack
  3. audit
  4. audit scope
  5. authentication
  6. authenticity
  7. availability
  8. base measure
  9. competence
  10. confidentiality
  11. conformity
  12. consequence
  13. continual improvement
  14. control
  15. control objective
  16. correction
  17. corrective action
  18. derived measure
  19. documented information
  20. effectiveness
  21. event
  22. external context
  23. governance of information security
  24. governing body
  25. indicator
  26. information need
  27. information processing facilities
  28. information security
  29. information security continuity
  30. information security event
  31. information security incident
  32. information security incident management
  33. information security management system (ISMS) professional
  34. information sharing community
  35. information system
  36. integrity
  37. interested party (preferred term) or stakeholder (admitted term)
  38. internal context
  39. level of risk
  40. likelihood
  41. management system
  42. measure
  43. measurement
  44. measurement function
  45. measurement method
  46. monitoring
  47. nonconformity
  48. non-repudiation
  49. objective
  50. organization
  51. outsource
  52. performance
  53. policy
  54. process
  55. reliability
  56. requirement
  57. residual risk
  58. review
  59. review object
  60. review objective
  61. risk
  62. risk acceptance
  63. risk analysis
  64. risk assessment
  65. risk communication and consultation
  66. risk criteria
  67. risk evaluation
  68. risk identification
  69. risk management
  70. risk management process
  71. risk owner
  72. risk treatment
  73. security implementation standard
  74. threat
  75. top management
  76. trusted information communication entity
  77. vulnerability


Due to a change of policy within ISO, the forthcoming sixth edition of ISO/IEC 27000 (currently at FDIS stage) is expected to define just a dozen (12) terms, i.e. the 10 terms highlighted in orange in the fifth edition's list above, plus two additions: specified requirement and conformity assessment.


The remaining 67 terms from the fifth edition, plus various other terms introduced into ISO27k since 2018, are (presumably) all defined within the current or forthcoming editions of various ISO27k standards. I don't have the patience to list and count them all, but I believe the grand total would be less than 200 definitions, some of which are variants to suit the particular context of a given standard. Generally the variations modify the supplementary notes or make trivial changes to the definitions - no surprise, given that this is all about standardisation.


So, that's <200 formally-defined ISO27k terms.


Oh boy!



Tomorrow sees the release of the Cybersecurity Hyperglossary, defining five thousand, five hundred and fifty-five terms of art in this area. Admittedly not all 5,555 terms are used in ISO27k, but even so I'm struck by the marked disparity here.


How can we possibly standardise such a highly technical and specialised field without defining our terms?



© 2026 IsecT Limited 
