ISMS List With Definitions
Here is our big ISMS list with definitions. Find below all of the common terms which you may need to know in order to implement and operate your Information Security Management System.
Note that the definitions contained here are our own and should be sufficient for you to gain an understanding of each term and how it plays a role in your ISMS. If for some reason you require the "official" definition, you will need to consult ISO 27000 and the other relevant Standards.
Just in case it isn't completely obvious, note that this list of ISMS definitions is in alphabetical order:
- Accept (risk): The organization is choosing not to put in place any controls and will proceed with the understanding that if the risk eventuates they will simply deal with it. This action is taken most frequently when there is a risk of low consequence that is within the organization's risk appetite, or when it is not cost effective or not possible to implement any controls. Learn more about this in our article on ISMS Risk Assessment.
- Consequence: The impact, or consequence, to the organization if a risk is realized; that is, the thing we were worried about happening actually does happen. For example, you may have a risk relating to the defacement of your company website. What is the impact (consequence) to the company if that defacement does occur? There are a number of factors that need to be considered, including financial, reputational and operational impacts. Learn more about this in our article on ISMS Risk Assessment.
- Control: An action or process that we put in place in an effort to lower the likelihood or impact of a risk. For example, an employee exit checklist is put in place to help ensure that employees who have left the business are no longer in control of any company-owned assets.
- Control Objective: Think of these as the subjects, categories or topics for the controls that you are putting in place. The control objective defines the overall purpose or goal of the controls which sit underneath it. For example, the Annex A control objective named "System and application access control" has the defined objective "to prevent unauthorized access to systems and applications". Any controls which work towards this defined objective will link back to this Control Objective.
- ISMS: Information Security Management System. The defined processes, procedures and documentation that are structured with the goal of protecting the Confidentiality, Integrity and Availability of your organization's data. For more detail, see What is an Information Security Management System (ISMS)?
- ISO 27001 / ISO 27002 / ISO 270XX: These are ISO Standards which detail in great depth how an ISMS operates end-to-end. If you are starting out on your ISMS journey, begin by reading the ISO 27001 Standard to gain a high-level understanding of the components which you will need to consider for your ISMS. You will be judged against the requirements listed in ISO 27001, so it is absolutely necessary that you are aware of what you need to do. Don't be too intimidated: the ISO 27001 document is only about a dozen pages long. There are over a dozen other ISO Standards which may also be applicable to your ISMS; we go into all of these in a separate article, ISMS ISO Standards, so have a read to gain an understanding of the purpose that each of these documents serves.
- Likelihood: The chance of a risk occurring. For example, you may have a risk related to the flooding of your computer room. How likely is it that this risk will come to fruition? There are different types of data that you could use as input here, such as historical internal data (maybe it has flooded every year for the last 5 years), data from external sources such as government environmental flood data, or, in the case of many cyber risks, external industry trend data. Learn more about this in our article on ISMS Risk Assessment.
- Measure: This is what you put in place to monitor your controls in order to determine whether they are effective. For example, you may have a monthly measure that captures the number of users who have been breached due to phishing emails, which is linked back to a control for ensuring that all of your users have received training on how to identify phishing. If you have 0 users who have been breached each month, this is an indication that your control may be effective. The term is largely interchangeable with the widely used term "ISMS Metric".
- Metric: This is what you put in place to monitor your controls in order to determine whether they are successful. For example, you may have a monthly metric that captures the number of users who have been breached due to phishing emails, which is linked back to a control for ensuring that all of your users have received training on how to identify phishing. If you have 0 users who have been breached each month, this is an indication that your control may be effective. The term is largely interchangeable with the more formal term "ISMS Measure".
- Mitigate (risk): Action will be taken to reduce the likelihood or consequence/impact to a level that is more acceptable; you are not choosing to simply "Accept" the risk. For example, you may have an ISMS risk relating to defacement of a company website. You choose to "Mitigate" this risk by putting in place a control to ensure that regular security vulnerability scans are performed over the website. The regular security vulnerability scans should be effective in reducing the likelihood of the defacement, as there is a lower chance that vulnerabilities will exist on the website which could potentially be exploited by a malicious actor. Learn more about this in our article on ISMS Risk Assessment.
- Risk: Anything that could possibly go wrong and have an undesirable impact on your organization. Learn more about this in our article on ISMS Risk Assessment.
- Risk Assessment: The process used to identify risks which may impact your environment. These risks are then analyzed and decisions are made on how to respond to them (also see: Risk Treatment). Learn more about this process in our article on ISMS Risk Assessment.
- Risk Treatment: The actions taken in response to a risk in an effort to modify its likelihood or impact. Learn more about this in our article on ISMS Risk Assessment.
- Transfer (risk): A decision has been made to shift the risk to another party. For example, a cyber insurance policy may be taken out in response to the potential risk of a ransomware attack. Learn more about this in our article on ISMS Risk Assessment.
While this list is relatively comprehensive and should cover almost all of the terms you will need to get through your day-to-day ISMS operations, let us know if there is one that we should add to this ISMS list with definitions.