Home Resources Glossary of Terms

Information Security

Risk Assessment, Statement of Applicability and Annex A – what do they mean?

Read on to find the answers to these and other terms used within ISO 27001:2013.

Information Security Management System Terms and Definitions

  • ISO 27001:2013. The international standard for Information Security Management Systems (ISMS), a suite of activities concerning the management of information risks (called ‘information security risks’ in the standard). The ISMS is an overarching management framework through which the organization identifies, analyses and addresses its information risks

  • ISO 27002:2013. Indicates suitable information security controls within the ISMS. Organizations are free to select and implement other controls as they see fit

  • ISO 27003:2013. This document provides guidance for those implementing the ISO 27001:2013 standard, covering the management system aspects in particular. Its scope is simply to “provide explanation and guidance on ISO 27001:2013

  • Information. Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected.

  • Information Security. Information security ensures the confidentiality, availability and integrity of information

  • Confidentiality. Information is not made available or disclosed to unauthorised individuals, entities or processes

  • Integrity. This term refers to the accuracy and completeness of information

  • Availability. Defined as information being accessible and usable upon demand by an authorized entity

  • Risk Assessment. This is the overall process of risk identification, risk analysis and risk evaluation

  • Risk Treatment. Defined as the process to modify risk. Risk treatment can involve the following; avoiding the risk by deciding not to start or continue with the activity, taking or increasing the risk in order to pursue an opportunity, removing the risk, changing the likelihood, changing the consequences, sharing the risk or retaining the risk.

  • Risk Owner. The person or entity with the accountability and authority to manage a risk or risks

  • Information Security Event. This term describes an identified occurrence of a system, service or network state indicating possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant

  • Information Security Incident. Defined as a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

  • Information Security Continuity. Details  the processes and procedures for ensuring continued information security operations

  • Documented Information. This is information required to be controlled and maintained by an organization and the medium on which it is contained. It may be in any format and media and from any source and can relate to; the management system, including related processes. Information created in order for the organization to operate and evidence of results achieved

  • Statement of Applicability. The Statement of Applicability or SoA refers to the output from the information risk assessments and, in particular, the decisions around treating those risks. The SoA may, for instance, take the form of a matrix identifying various types of information risks on one axis and risk treatment options on the other, showing how the risks are to be treated in the body, and perhaps who is accountable for them. It usually references the relevant controls from ISO/IEC 27002 but the organization may use a completely different framework

  • Annex A. Little more in fact than a list of titles of the control sections in ISO27002 The annex is ‘normative’, implying that certified organizations are expected to use it, but the main body says they are free to deviate from or supplement it in order to address their particular information risks

  • Interested Party. Defined as a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity

  • Internal Context. This is the internal environment in which the organization seeks to achieve its objectives. Internal context can include the following:

    • Governance, organizational structure, roles and accountabilities
    • Policies, objectives and the strategies that are in place to achieve them
    • The capabilities, understood din terms of resources and knowledge
    • Information systems, information flows and decision making processes
    • Relationships with, and perceptions and values of, internal stakeholders
    • The organizations culture
    • Standards, guidelines and models adopted by the organization
    • Form and extent of contractual relationships

  • External Context. This is the external environment in which the organization seeks to achieve its objectives. External context can include the following:

    • The cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local
    • Key drivers and trends having impact on the objectives of the organization
    • Relationship with, and perceptions and values of, external stakeholders
  • Access Control. Defined as the means to ensure that access to assets is authorised and restricted based on business and security requirements.