^ Up a level ^ Next standard >
ISO/IEC 27000:2018 — Information technology — Security techniques — Information security management systems — Overview and vocabulary (fifth edition)
“This International Standard describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions.”
[Source: ISO/IEC JTC 1/SC 27 SD11]
Introduction and scope
ISO/IEC 27000 “provides an overview of information security management systems” (and hence the ISO27k standards), and “defines related terms” (i.e. a glossary that formally and explicitly defines many of the specialist terms as they are used and should be interpreted within the ISO27k standards).
ISMS/ISO27k vocabulary section
The vocabulary or glossary of carefully-worded formal definitions covers most of the specialist information security-related terms used in the ISO27k standards. Information security, like most technical subjects, uses a complex web of terminology that is continually evolving. Several core terms in information security (such as “risk”) have different meanings or interpretations according to the context, the author’s intention and the reader’s preconceptions. Few authors take the trouble to define precisely what they mean but such ambiguity is distinctly unhelpful in the standards arena as it leads to confusion. Apart from anything else, it would be awkward to assess and certify conformity with ISO/IEC 27001 if the specialist terms meant different things to the assessors and the assessed!
The vocabulary in ISO/IEC 27000 is gradually spreading throughout the global information security profession although some individuals and groups differ, sometimes with good reason, creating occasional misunderstandings, clashes, and conceptual chasms. Even if you happen to disagree with the definitions here, it’s well worth getting familiar with them as some of your professional contacts will implicitly expect the ISO/IEC versions.
ISO/IEC 27000 largely supersedes ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO Guide 73:2009 “Risk management – Vocabulary – Guidelines for use in standards”, and ISO/IEC 2382-8: “Information technology - Vocabulary Part 8: Security”. It also includes definitions taken from a few non-ISO27k ISO standards. Terms that are reproduced unchanged from other ISO standards such as ISO 9000 are not always entirely appropriate as such in the information security context. They are not necessarily used in the ISO27k standards in full accordance with the original definitions or intended meanings. However, as the definitions are gradually updated or superseded, the lexicon is evolving into a reasonably coherent and consistent state across the whole ISO27k suite - a remarkable achievement in its own right given the practical difficulties of coordinating the effort across a loose collection of separate committees, editing projects, editors and managers, developing the language and the concepts as we go.
ISMS/ISO27k overview section
The overview of Information Security Management Systems introduces information security, risk and security management, and management systems. It is a reasonably clear if rather wordy description of the ISO27k approach and standards, from the perspective of the committee that wrote them. There is only one diagram, unfortunately, and all that does is group similar types of ISO27k standards together, but, hey, that leaves room for supplementary guidance such as this website!
Status of the standard
ISO/IEC 27000 was published in 2009 and updated in 2012, 2014, 2016 and 2018.
The current 2018 fifth edition is available legitimately from ITTF as a free download (a single-user PDF) in English and French. This was a minor revision of the 2016 fourth edition with a section on abbreviations, and a rationalisation of the metrics-related definitions following the rewrite of ISO/IEC 27004.
Work started in 2023 on a sixth edition of ‘27000. The title may become “Information security, cybersecurity and privacy protection - the information security management systems - Overview”. The current edition’s vocabulary will be moved to an annex containing a “definition and explanation of commonly used terms in the ISO/IEC 27000 family of standards” - more specifically it seems, those ISO27k standards belonging to ISO/IEC JTC 1/SC 27/WG 1 (27001 to 270011, 27013, 17014, 27016, 27017, 27019, 27021, 27022, 27023, 27024, 27028 and 27029). Terms will be grouped conceptually rather than alphabetically.
Publication of the sixth edition is not expected until 2026. A Preliminary Work Item (skeleton document) is available to SC 27 members.
A new clause “Concepts and principles” is planned for the sixth edition - an intriguing possibility. This is an area where the standard can hopefully add real value to the field by clarifying the fundamentals underpinning information risk and security, given that there are several variants already out there, reflecting quite a variety of perspectives. It will be challenging to align the committee and reach consensus on this, so let’s see how it turns out. Judging by initial comments, there seems to be no prospect of developing a set of fundamental principles.
Given the chance, I would replace “information security risk” throughout the ISO27k standards with the shorter, simpler and more appropriate term “information risk”. “Information security risk” is not formally defined as a complete phrase and doesn’t even make sense: it is presumably trying to indicate that we are talking about risk in the context of information security, but it could be interpreted as “risk to information security” which I guess would including things such as failing to identify novel risks, and lack of management support for the function: those are risks, but they are not the focus of ISO27k. “Information risk”, in contrast, is self-evident but, if the committee feels the desperate need for an explicit definition, I suggest something as simple as “risk relating to or involving information” or even “risk pertaining to information”, where both risk and information are adequately defined in dictionaries (whereas the current ISO27k definition of risk is unhelpful). Again, this suggestion has been rejected so far, possibly because of a proposal to give various standards teams latitude to define risk in terms that suit their specialities.
^ Up a level ^ Next standard >