Understanding key information security concepts and terminology is essential for anyone working with or studying Information Security Management Systems (ISMS).
The ISO/IEC 27000 family of standards provides formal definitions and vocabulary used across ISO/IEC 27001 and related documents, making it easier to communicate security needs, policies, and practices clearly and accurately.
A good grasp of these terms helps to avoid misunderstandings and supports consistency in applying and auditing security controls.
Core Information Security Principles
At the heart of information security are three guiding principles—often called the C-I-A triad:
1. Confidentiality: Ensuring that only authorized individuals, processes, or systems have access to information. Protection is achieved through access controls, encryption, and authentication mechanisms. Breaches of confidentiality could occur when unauthorized parties access sensitive data.
2. Integrity: Guaranteeing the accuracy, completeness, and reliability of data throughout its lifecycle. Integrity can be compromised by accidental or malicious modifications, deletions, or errors. Controls like checksums, audit trails, and restricted access help maintain integrity.
3. Availability: Ensuring information and resources are accessible to authorized users when needed. Disruptions (such as cyberattacks or system outages) threaten availability. Strategies like redundancy, backup, and disaster recovery planning are used to safeguard availability.
These three attributes underpin every security measure in an ISMS.
Common Terms in ISO/IEC 27001
| Term | Definition |
|---|---|
| Asset | Anything valuable to an organization, including data, hardware, software, people, or reputation. |
| Threat | A potential cause of an unwanted incident that may harm an asset, such as cyberattacks, human error, or natural disasters. |
| Vulnerability | A weakness in an asset or control that could be exploited by threats. |
| Risk | The likelihood and impact of a threat exploiting a vulnerability; central to ISMS risk assessment and treatment. |
| Control | Policies, procedures, practices, or technical measures that reduce risks to acceptable levels—organizational, human, physical, or technological. |
| Authentication | Validating that a user or system is who it claims to be through methods like passwords, biometrics, or multi-factor authentication. |
| Business Continuity | Procedures that ensure the organization continues operating during and after disruptive incidents. |
| Incident | An information security event that could disrupt business operations or cause data loss, modification, or exposure. |
| Nonconformity | Failure to meet a requirement of the ISMS or the ISO 27001 standard. |
| Statement of Applicability (SoA) | A key ISMS document specifying which controls are implemented and the rationale for their selection. |
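To show how the terms above fit together in practice, here is an added example (not part of the original article or any ISO/IEC document) that scores risk as likelihood times impact for asset/threat/vulnerability triples, decides which risks need treatment, and derives a Statement of Applicability rationale for each control. The 1..5 scales, the acceptance threshold of 9, the register entries and the control names are all constructed assumptions.

```python
from dataclasses import dataclass
# Constructed sample (not ISO/IEC data): the 1..5 scales, threshold 9 and control names are assumptions.
ACCEPTABLE_RISK = 9

@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # impact if compromised, 1 (minor) .. 5 (severe)

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)

@dataclass(frozen=True)
class Vulnerability:
    name: str
    exposure: int  # 1 (hard to exploit) .. 5 (trivially exploitable)
    control: str  # control selected to reduce this weakness

def risk_score(asset, threat, vuln):
    # risk = likelihood x impact: the vulnerability's exposure scales the
    # threat's likelihood (1..5 -> 0.2..1.0); asset value is the impact
    return round(threat.likelihood * vuln.exposure / 5 * asset.value)  # 1..25

def assess(register):
    # score every (asset, threat, vulnerability) triple and decide treatment
    results = []
    for asset, threat, vuln in register:
        score = risk_score(asset, threat, vuln)
        results.append({"asset": asset.name, "threat": threat.name,
                        "vulnerability": vuln.name, "score": score, "control": vuln.control,
                        "treatment": "treat" if score > ACCEPTABLE_RISK else "accept"})
    return results

def statement_of_applicability(results):
    # control -> rationale: the treated risks that justify it, or why it is excluded
    drivers = {r["control"]: [] for r in results}
    for r in results:
        if r["treatment"] == "treat":
            drivers[r["control"]].append(f"{r['threat']} on {r['asset']} (score {r['score']})")
    return {c: "applicable: " + "; ".join(v) if v else "excluded: risk accepted (below threshold)"
            for c, v in drivers.items()}

REGISTER = [  # constructed sample entries
    (Asset("customer database", 5), Threat("credential theft", 4),
     Vulnerability("no MFA on admin portal", 4, "multi-factor authentication")),
    (Asset("marketing website", 2), Threat("defacement", 3),
     Vulnerability("outdated CMS plugin", 3, "patch management")),
]
```

Running `statement_of_applicability(assess(REGISTER))` yields one "applicable" entry justified by the treated risk and one "excluded" entry with its acceptance rationale, which is the kind of justification an SoA must record for every control.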
Control Attributes (ISO/IEC 27001:2022)
Recent updates to the standard also introduce control attributes that help classify and group security measures.