Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)

EN ISO/IEC 27000 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.

Informationstechnik - Sicherheitsverfahren - Informationssicherheits-Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2018)

Technologies de l'information - Techniques de sécurité - Systèmes de management de la sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2018)

Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske varnosti - Pregled in izrazje (ISO/IEC 27000:2018)

General Information

Status: Published
Public Enquiry End Date: 18-Sep-2019
Publication Date: 09-Mar-2020
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 05-Mar-2020
Due Date: 10-May-2020
Completion Date: 10-Mar-2020

Buy Standard

Standard: EN ISO/IEC 27000:2020, English language, 35 pages
Draft: prEN ISO/IEC 27000:2019, English language, 32 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST EN ISO/IEC 27000:2020
01-April-2020
Supersedes:
SIST EN ISO/IEC 27000:2017
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
This Slovenian standard is identical to: EN ISO/IEC 27000:2020
ICS:
01.040.35 Information technology (Vocabularies)
03.100.70 Management systems
35.030 IT Security
SIST EN ISO/IEC 27000:2020 en,fr,de
Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

EUROPEAN STANDARD
EN ISO/IEC 27000
February 2020
ICS 01.040.35; 35.030
Supersedes EN ISO/IEC 27000:2017
English version

Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
This European Standard was approved by CEN on 20 October 2019.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 27000:2020 E

EN ISO/IEC 27000:2020 (E)
Contents
European foreword ... 3

European foreword
The text of ISO/IEC 27000:2018 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
EN ISO/IEC 27000:2020 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”,
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by August 2020, and conflicting national standards shall
be withdrawn at the latest by August 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 27000:2017.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2018 has been approved by CEN as EN ISO/IEC 27000:2020 without any
modification.

INTERNATIONAL STANDARD ISO/IEC 27000
Fifth edition
2018-02
Information technology — Security techniques — Information security management systems — Overview and vocabulary
Reference number
ISO/IEC 27000:2018(E)
© ISO/IEC 2018

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
© ISO/IEC 2018 – All rights reserved

Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Information security management systems ... 11
4.1 General ... 11
4.2 What is an ISMS? ... 11
4.2.1 Overview and principles ... 11
4.2.2 Information ... 12
4.2.3 Information security ... 12
4.2.4 Management ... 12
4.2.5 Management system ... 13
4.3 Process approach ... 13
4.4 Why an ISMS is important ... 13
4.5 Establishing, monitoring, maintaining and improving an ISMS ... 14
4.5.1 Overview ... 14
4.5.2 Identifying information security requirements ... 14
4.5.3 Assessing information security risks ... 15
4.5.4 Treating information security risks ... 15
4.5.5 Selecting and implementing controls ... 15
4.5.6 Monitor, maintain and improve the effectiveness of the ISMS ... 16
4.5.7 Continual improvement ... 16
4.6 ISMS critical success factors ... 17
4.7 Benefits of the ISMS family of standards ... 17
5 ISMS family of standards ... 18
5.1 General information ... 18
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) ... 19
5.3 Standards specifying requirements ... 19
5.3.1 ISO/IEC 27001 ... 19
5.3.2 ISO/IEC 27006 ... 20
5.3.3 ISO/IEC 27009 ... 20
5.4 Standards describing general guidelines ... 20
5.4.1 ISO/IEC 27002 ... 20
5.4.2 ISO/IEC 27003 ... 20
5.4.3 ISO/IEC 27004 ... 21
5.4.4 ISO/IEC 27005 ... 21
5.4.5 ISO/IEC 27007 ... 21
5.4.6 ISO/IEC TR 27008 ... 21
5.4.7 ISO/IEC 27013 ... 22
5.4.8 ISO/IEC 27014 ... 22
5.4.9 ISO/IEC TR 27016 ... 22
5.4.10 ISO/IEC 27021 ... 22
5.5 Standards describing sector-specific guidelines ... 23
5.5.1 ISO/IEC 27010 ... 23
5.5.2 ISO/IEC 27011 ... 23
5.5.3 ISO/IEC 27017 ... 23
5.5.4 ISO/IEC 27018 ... 24
5.5.5 ISO/IEC 27019 ... 24
5.5.6 ISO 27799 ... 25
Bibliography ... 26
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned on the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
Introduction
0.1  Overview
International Standards for management systems provide a model to follow in setting up and
operating a management system. This model incorporates the features on which experts in the field
have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an
expert committee dedicated to the development of international management systems standards for
information security, otherwise known as the Information Security Management system (ISMS) family
of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets, including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2  Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3  Content of this document
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.
Information marked as “NOTE” is for guidance in understanding or clarifying the associated
requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the
terminological data and can contain provisions relating to the use of a term.
INTERNATIONAL STANDARD ISO/IEC 27000:2018(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family of standards. This document is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify
risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and
controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the
organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48),
and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be
security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant
probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31)
3.33
information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Not
...

SLOVENIAN STANDARD
oSIST prEN ISO/IEC 27000:2019
01-September-2019
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
This Slovenian standard is identical to: prEN ISO/IEC 27000
ICS:
01.040.35 Information technology (Vocabularies)
03.100.70 Management systems
35.030 IT Security
oSIST prEN ISO/IEC 27000:2019 en,fr,de
Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 27000:2019

---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 27000:2019
INTERNATIONAL ISO/IEC
STANDARD 27000
Fifth edition
2018-02
Information technology — Security
techniques — Information security
management systems — Overview and
vocabulary
Technologies de l'information — Techniques de sécurité — Systèmes
de management de la sécurité de l'information — Vue d'ensemble et
vocabulaire
Reference number
ISO/IEC 27000:2018(E)
©
ISO/IEC 2018

---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 27000:2019
ISO/IEC 27000:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 27000:2019
ISO/IEC 27000:2018(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Information security management systems .11
4.1 General .11
4.2 What is an ISMS? .11
4.2.1 Overview and principles .11
4.2.2 Information.12
4.2.3 Information security .12
4.2.4 Management .12
4.2.5 Management system .13
4.3 Process approach .13
4.4 Why an ISMS is important .13
4.5 Establishing, monitoring, maintaining and improving an ISMS .14
4.5.1 Overview .14
4.5.2 Identifying information security requirements .14
4.5.3 Assessing information security risks .15
4.5.4 Treating information security risks . .15
4.5.5 Selecting and implementing controls .15
4.5.6 Monitor, maintain and improve the effectiveness of the ISMS .16
4.5.7 Continual improvement .16
4.6 ISMS critical success factors .17
4.7 Benefits of the ISMS family of standards .17
5 ISMS family of standards .18
5.1 General information .18
5.2 Standard describing an overview and terminology: ISO/IEC 27000 (this document) .19
5.3 Standards specifying requirements .19
5.3.1 ISO/IEC 27001 .19
5.3.2 ISO/IEC 27006 .20
5.3.3 ISO/IEC 27009 .20
5.4 Standards describing general guidelines .20
5.4.1 ISO/IEC 27002 .20
5.4.2 ISO/IEC 27003 .20
5.4.3 ISO/IEC 27004 .21
5.4.4 ISO/IEC 27005 .21
5.4.5 ISO/IEC 27007 .21
5.4.6 ISO/IEC TR 27008 .21
5.4.7 ISO/IEC 27013 .22
5.4.8 ISO/IEC 27014 .22
5.4.9 ISO/IEC TR 27016 .22
5.4.10 ISO/IEC 27021 .22
5.5 Standards describing sector-specific guidelines .23
5.5.1 ISO/IEC 27010 .23
5.5.2 ISO/IEC 27011 .23
5.5.3 ISO/IEC 27017 .23
5.5.4 ISO/IEC 27018 .24
5.5.5 ISO/IEC 27019 .24
5.5.6 ISO 27799 .25
Bibliography .26
© ISO/IEC 2018 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 27000:2019
ISO/IEC 27000:2018(E)

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following
URL: www .iso .org/ iso/ foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 27000:2016), which has been
technically revised. The main changes compared to the previous edition are as follows:
— the Introduction has been reworded;
— some terms and definitions have been removed;
— Clause 3 has been aligned on the high-level structure for MSS;
— Clause 5 has been updated to reflect the changes in the standards concerned;
— Annexes A and B have been deleted.
iv © ISO/IEC 2018 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 27000:2019
ISO/IEC 27000:2018(E)

Introduction
0.1  Overview
International Standards for management systems provide a model to follow in setting up and
operating a management system. This model incorporates the features on which experts in the field
have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an
expert committee dedicated to the development of international management systems standards for
information security, otherwise known as the Information Security Management system (ISMS) family
of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets, including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2  Purpose of this document
The ISMS family of standards includes standards that:
a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.
0.3  Content of this document
In this document, the following verbal forms are used:
— “shall” indicates a requirement;
— “should” indicates a recommendation;
— “may” indicates a permission;
— “can” indicates a possibility or a capability.
Information marked as "NOTE" is for guidance in understanding or clarifying the associated
requirement. “Notes to entry” used in Clause 3 provide additional information that supplements the
terminological data and can contain provisions relating to the use of a term.
INTERNATIONAL STANDARD ISO/IEC 27000:2018(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
1 Scope
This document provides the overview of information security management systems (ISMS). It also
provides terms and definitions commonly used in the ISMS family of standards. This document is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
The terms and definitions provided in this document
— cover commonly used terms and definitions in the ISMS family of standards;
— do not cover all terms and definitions applied within the ISMS family of standards; and
— do not limit the ISMS family of standards in defining new terms for use.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (3.56)
3.2
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use of an asset
3.3
audit
systematic, independent and documented process (3.54) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
Note 3 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
3.4
audit scope
extent and boundaries of an audit (3.3)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
3.5
authentication
provision of assurance that a claimed characteristic of an entity is correct
3.6
authenticity
property that an entity is what it claims to be
3.7
availability
property of being accessible and usable on demand by an authorized entity
3.8
base measure
measure (3.42) defined in terms of an attribute and the method for quantifying it
Note 1 to entry: A base measure is functionally independent of other measures.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified — Note 2 to entry has been deleted.]
3.9
competence
ability to apply knowledge and skills to achieve intended results
3.10
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (3.54)
3.11
conformity
fulfilment of a requirement (3.56)
3.12
consequence
outcome of an event (3.21) affecting objectives (3.49)
Note 1 to entry: An event can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually
negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified — Note 2 to entry has been changed after “and”.]
3.13
continual improvement
recurring activity to enhance performance (3.52)
3.14
control
measure that is modifying risk (3.61)
Note 1 to entry: Controls include any process (3.54), policy (3.53), device, practice, or other actions which modify
risk (3.61).
Note 2 to entry: It is possible that controls do not always exert the intended or assumed modifying effect.
[SOURCE: ISO Guide 73:2009, 3.8.1.1 — Note 2 to entry has been changed.]
3.15
control objective
statement describing what is to be achieved as a result of implementing controls (3.14)
3.16
correction
action to eliminate a detected nonconformity (3.47)
3.17
corrective action
action to eliminate the cause of a nonconformity (3.47) and to prevent recurrence
3.18
derived measure
measure (3.42) that is defined as a function of two or more values of base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified — Note 1 to entry has been deleted.]
3.19
documented information
information required to be controlled and maintained by an organization (3.50) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (3.41), including related processes (3.54);
— information created in order for the organization (3.50) to operate (documentation);
— evidence of results achieved (records).
3.20
effectiveness
extent to which planned activities are realized and planned results achieved
3.21
event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
3.22
external context
external environment in which the organization seeks to achieve its objectives (3.49)
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization (3.50);
— relationships with, and perceptions and values of, external stakeholders (3.37).
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
3.23
governance of information security
system by which an organization’s (3.50) information security (3.28) activities are directed and
controlled
3.24
governing body
person or group of people who are accountable for the performance (3.52) and conformity of the
organization (3.50)
Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
3.25
indicator
measure (3.42) that provides an estimate or evaluation
3.26
information need
insight necessary to manage objectives (3.49), goals, risks and problems
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
3.27
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48),
and reliability (3.55) can also be involved.
3.29
information security continuity
processes (3.54) and procedures for ensuring continued information security (3.28) operations
3.30
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (3.28) policy (3.53) or failure of controls (3.14), or a previously unknown situation that can be
security relevant
3.31
information security incident
single or a series of unwanted or unexpected information security events (3.30) that have a significant
probability of compromising business operations and threatening information security (3.28)
3.32
information security incident management
set of processes (3.54) for detecting, reporting, assessing, responding to, dealing with, and learning
from information security incidents (3.31)
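As an added worked example (not part of ISO/IEC 27000 and not material from the standard), the following Python sketch shows how the distinction between an information security event (3.30) and an information security incident (3.31) plays out in the "detecting" and "assessing" steps of incident management (3.32): individual events are recorded as they are identified, and an assessment rule decides which single events or series of events carry a significant probability of compromising operations. The event records, the failure threshold, the time window and the rule names are constructed assumptions for illustration only.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class SecurityEvent:
    """3.30: an identified occurrence that may indicate a policy breach or control failure.
    A single event is not yet an incident; it is the input to assessment."""
    time: datetime
    kind: str      # e.g. "auth_failure", "auth_success", "malware_detected"
    source: str    # originating IP or host as recorded by the control that raised the event
    detail: str


@dataclass
class Incident:
    """3.31: one event, or a series of events, assessed as having a significant
    probability of compromising business operations."""
    rule: str
    severity: str
    events: List[SecurityEvent] = field(default_factory=list)


# Assumed assessment rules (illustrative, not from the standard):
# - a single malware detection is an incident on its own (single unwanted event);
# - at least FAIL_THRESHOLD authentication failures from one source inside WINDOW,
#   followed by a success from the same source, form a series that is an incident.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def assess(events: List[SecurityEvent]) -> List[Incident]:
    """3.32 'assessing': decide which events or series of events are incidents.
    Events that match no rule remain events and are simply not returned."""
    incidents: List[Incident] = []
    auth_by_source: Dict[str, List[SecurityEvent]] = defaultdict(list)

    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "malware_detected":
            incidents.append(Incident("single_malware_detection", "high", [ev]))
        elif ev.kind in ("auth_failure", "auth_success"):
            auth_by_source[ev.source].append(ev)

    for evs in auth_by_source.values():
        failures: List[SecurityEvent] = []
        for ev in evs:  # already in time order
            if ev.kind == "auth_failure":
                failures.append(ev)
                # keep only failures inside the sliding window
                failures = [f for f in failures if ev.time - f.time <= WINDOW]
            elif ev.kind == "auth_success":
                recent = [f for f in failures if ev.time - f.time <= WINDOW]
                if len(recent) >= FAIL_THRESHOLD:
                    incidents.append(
                        Incident("brute_force_then_success", "high", recent + [ev]))
                failures = []  # a success closes the series either way
    return incidents


def build_sample() -> List[SecurityEvent]:
    """Constructed sample events (not real log data)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    evs = [SecurityEvent(t0 + timedelta(seconds=30 * i), "auth_failure",
                         "10.0.0.5", f"bad password #{i}") for i in range(6)]
    evs.append(SecurityEvent(t0 + timedelta(minutes=4), "auth_success", "10.0.0.5", "login ok"))
    # one mistyped password followed by success: an event, but not an incident
    evs.append(SecurityEvent(t0 + timedelta(minutes=1), "auth_failure", "10.0.0.9", "typo"))
    evs.append(SecurityEvent(t0 + timedelta(minutes=2), "auth_success", "10.0.0.9", "login ok"))
    evs.append(SecurityEvent(t0 + timedelta(minutes=7), "malware_detected", "ws-042",
                             "AV quarantined file"))
    return evs


if __name__ == "__main__":
    for inc in assess(build_sample()):
        print(inc.rule, inc.severity, len(inc.events), "event(s)")
```

Of the ten constructed events, eight end up in two incidents; the single mistyped password and its following success stay events, which is exactly the distinction 3.30 and 3.31 draw.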
3.33
information security management system (ISMS) professional
person who establishes, implements, maintains and continuously improves one or more information
security management system processes (3.54)
3.34
information sharing community
group of organizations (3.50) that agree to share information
Note 1 to entry: An organization can be an individual.
3.35
information system
set of applications, services, information technology assets, or other information-handling components
3.36
integrity
property of accuracy and completeness
3.37
interested party (preferred term)
stakeholder (admitted term)
person or organization (3.50) that can affect, be affected by, or perceive itself to be affected by a decision
or activity
3.38
internal context
internal environment in which the organization (3.50) seeks to achieve its objectives
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies (3.53), objectives (3.49), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (3.54),
systems and technologies);
— information systems (3.35), information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (3.37);
— the organization's culture;
— standards, guidelines and models adopted by the organization;
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
3.39
level of risk
magnitude of a risk (3.61) expressed in terms of the combination of consequences (3.12) and their
likelihood (3.40)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination of risks” has been deleted in the
definition.]
3.40
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
3.41
management system
set of interrelated or interacting elements of an organization (3.50) to establish policies (3.53) and
objectives (3.49) and processes (3.54) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities, planning
and operation.
Note 3 to entry: The scope of a management system may include the whole of the organization, specific and
identified functions of the organization, specific and identified sections of the organization, or one or more
functions across a group of organizations.
3.42
measure
variable to which a value is assigned as the result of measurement (3.43)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified — Note 2 to entry has been deleted.]
3.43
measurement
process (3.54) to determine a value
3.44
measurement function
algorithm or calculation performed to combine two or more base measures (3.8)
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
3.45
measurement method
logical sequence of operations, described generically, used in quantifying an attribute with respect to a
specified scale
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute (3.4). Two types can be distinguished:
— subjective: quantification involving human judgment; and
— objective: quantification based on numerical rules.
[SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified — Note 2 to entry has been deleted.]
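As an added worked example (not part of ISO/IEC 27000 and not material from the standard or from ISO/IEC/IEEE 15939), the following Python sketch instantiates the measurement vocabulary of 3.8, 3.18, 3.25, 3.26, 3.42, 3.43, 3.44 and 3.45 on one concrete case: two base measures obtained by an objective measurement method (a counting rule) from a constructed asset inventory, a measurement function that combines them into a derived measure, and an indicator that evaluates the derived measure against an assumed information need (a patch-compliance target). The inventory records, the 30-day window, the 0.9 target and all names are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample asset inventory, one record per host (not real data).
# "patched_within_sla" means all required security patches were applied
# within an assumed 30-day window.
INVENTORY: List[Dict[str, object]] = [
    {"host": "web-01",  "in_scope": True,  "patched_within_sla": True},
    {"host": "web-02",  "in_scope": True,  "patched_within_sla": False},
    {"host": "db-01",   "in_scope": True,  "patched_within_sla": True},
    {"host": "jump-01", "in_scope": True,  "patched_within_sla": True},
    {"host": "lab-07",  "in_scope": False, "patched_within_sla": False},  # outside ISMS scope
]


@dataclass(frozen=True)
class BaseMeasure:
    """3.8: a measure defined in terms of an attribute and the method for quantifying it.
    The method here is objective in the sense of 3.45 (a numerical rule, no human judgement)."""
    name: str
    attribute: str
    method: Callable[[List[Dict[str, object]]], float]

    def measure(self, data: List[Dict[str, object]]) -> float:
        # 3.43 measurement: the process that determines the value
        return self.method(data)


def count_in_scope(data: List[Dict[str, object]]) -> float:
    return float(sum(1 for r in data if r["in_scope"]))


def count_patched(data: List[Dict[str, object]]) -> float:
    return float(sum(1 for r in data if r["in_scope"] and r["patched_within_sla"]))


HOSTS_IN_SCOPE = BaseMeasure("hosts_in_scope", "host is within ISMS scope", count_in_scope)
HOSTS_PATCHED = BaseMeasure("hosts_patched", "host patched within SLA", count_patched)


def patch_compliance_ratio(patched: float, in_scope: float) -> float:
    """3.44 measurement function: combines two base measures into a derived measure (3.18).
    Handles the edge case of an empty scope instead of raising ZeroDivisionError."""
    if in_scope == 0:
        return 0.0
    return patched / in_scope


@dataclass(frozen=True)
class Indicator:
    """3.25: a measure that provides an evaluation. The target expresses the
    information need (3.26); 0.9 is an assumed value, not one from the standard."""
    name: str
    target: float

    def evaluate(self, derived_value: float) -> str:
        return "meets target" if derived_value >= self.target else "below target"


def run_measurement(data: List[Dict[str, object]]) -> Dict[str, object]:
    """Runs the full chain: base measures -> measurement function -> derived measure -> indicator."""
    in_scope = HOSTS_IN_SCOPE.measure(data)
    patched = HOSTS_PATCHED.measure(data)
    ratio = patch_compliance_ratio(patched, in_scope)
    verdict = Indicator("patch_compliance", target=0.9).evaluate(ratio)
    return {
        "hosts_in_scope": in_scope,
        "hosts_patched": patched,
        "patch_compliance_ratio": ratio,
        "indicator": verdict,
    }


if __name__ == "__main__":
    print(run_measurement(INVENTORY))
```

The out-of-scope host is excluded by the base measures themselves, which is why scoping decisions belong in the measurement method rather than in the indicator.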
3.46
monitoring
determining the status of a system, a process (3.54) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
3.47
nonconformity
non-fulfilment of a requirement (3.56)
3.48
non-repudiation
ability to prove the occurrence of a claimed event (3.21) or action and its originating entities
3.49
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels [such as strategic, organization-wide, project, product and
process (3.54)].
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an information security objective or by the use of other words with similar meaning (e.g.
aim, goal, or target).
Note 4 to entry: In the context of information security management systems, information security objectives are
set by the organization, consistent with the information security policy, to achieve specific results.
3.50
organization
person or group of people that has its own functions with responsibilities, authorities a
...
