CHAPTER 3:
DEFINITIONS

ISO27001 has specific definitions [6] for key terms, and these are relevant to those involved in carrying out risk assessments.

Asset: anything that has value to the organization.

Availability: the property of being accessible and usable upon demand by an authorized entity.

Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities or processes.

Control: means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature. Control is also used as a synonym for safeguard or countermeasure.

Information processing facilities: any information processing system, service or infrastructure, or the physical locations housing them.

Information security: the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

[6] See also ISO/IEC Guide 73:2002 Risk Management Vocabulary (www.itgovernance.co.uk/products/539) and the Dictionary of Information Security Terms, Abbreviations and Acronyms (ITGP, 2007, www.itgovernance.co.uk/products/748).

Integrity: the property of safeguarding the accuracy and completeness of assets.

Policy: overall intention and direction as formally expressed by management.

Risk: combination of the probability of an event and its consequence.

Risk analysis: systematic use of information to identify sources and to estimate the risk.

Risk assessment: overall process of risk analysis and risk evaluation.

Risk evaluation: process of comparing estimated risk against given risk criteria to determine the significance of the risk.

Risk management: coordinated activities to direct and control an organization with regard to risk. Risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication.

Risk treatment: process of selection and implementation of measures to modify risk.

Third party: that person or body that is recognised as being independent of the parties involved, as concerns the issue in question.

Threat: a potential cause of an unwanted incident, which may result in harm to a system or organization.

Vulnerability: a weakness of an asset or group of assets that can be exploited by one or more threats.
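The definitions above fit together as a pipeline: a threat exploits a vulnerability of an asset; risk analysis estimates the resulting risk from probability and consequence; risk evaluation compares that estimate against the organization's risk criteria; risk treatment applies controls to modify it; risk assessment is analysis plus evaluation. The following small risk register is an added illustration of that vocabulary, not code from the book or from the standard. The 5x5 ordinal scales, the acceptance criterion of 6, the scenarios and the control effects are all constructed assumptions chosen to make the example run; ISO27001 prescribes none of them.

```python
"""The ISO27001 risk vocabulary as a small, runnable risk register.

Added example, not from the book. Scales, scenarios, the acceptance
criterion and the control effects are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed ordinal scales (assumption): higher means more probable / worse.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (assumption): scores at or below this are acceptable to management.
ACCEPTANCE_CRITERIA = 6


@dataclass
class Control:
    """A means of managing risk; here modelled as reducing probability and/or
    consequence by whole steps on the scales above (assumption)."""
    name: str
    probability_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Scenario:
    """One threat exploiting one vulnerability of one asset."""
    asset: str
    threat: str
    vulnerability: str
    probability: str
    consequence: str
    controls: List[Control] = field(default_factory=list)


def analyse(s: Scenario) -> int:
    """Risk analysis: estimate risk as the combination (here, the product) of
    probability and consequence, after existing controls are taken into account."""
    prob = PROBABILITY[s.probability] - sum(c.probability_reduction for c in s.controls)
    cons = CONSEQUENCE[s.consequence] - sum(c.consequence_reduction for c in s.controls)
    return max(prob, 1) * max(cons, 1)  # a control never drives a factor below 1


def evaluate(score: int, criteria: int = ACCEPTANCE_CRITERIA) -> str:
    """Risk evaluation: compare the estimated risk against the risk criteria."""
    return "acceptable" if score <= criteria else "unacceptable"


def assess(register: List[Scenario], criteria: int = ACCEPTANCE_CRITERIA) -> List[dict]:
    """Risk assessment: analysis followed by evaluation for every scenario,
    returned highest risk first so treatment effort goes where it matters."""
    rows = []
    for s in register:
        score = analyse(s)
        rows.append({"asset": s.asset, "threat": s.threat, "vulnerability": s.vulnerability,
                     "risk": score, "evaluation": evaluate(score, criteria)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def treat(s: Scenario, control: Control) -> int:
    """Risk treatment: implement a control and return the modified (residual) risk."""
    s.controls.append(control)
    return analyse(s)


# Constructed sample register (assumption), one row per threat/vulnerability pair.
REGISTER = [
    Scenario("customer database", "external attacker", "unpatched SQL server", "likely", "major"),
    Scenario("office laptops", "theft", "no full-disk encryption", "possible", "moderate"),
    Scenario("public web page", "defacement", "weak CMS password", "unlikely", "minor"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['risk']:>3}  {row['evaluation']:<12} {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']}")
    laptops = REGISTER[1]
    residual = treat(laptops, Control("full-disk encryption", consequence_reduction=2))
    print(f"residual risk for {laptops.asset}: {residual} ({evaluate(residual)})")
```

Note the distinction the code makes visible: analyse() produces a number, evaluate() turns that number into a decision only by reference to the criteria, and treat() changes the number but not the criteria. A register that skips evaluation (or whose criteria are never written down) is an analysis, not an assessment.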
