clean up formatting

Richard Kranendonk 2026-05-02 12:16:30 +02:00
parent 8d66fc4602
commit 90ac17a99a

@ -1,777 +1,187 @@
## 3.1 Terms and definitions ## 3.1 Terms and definitions
For the purposes of this document, the following terms and definitions apply. For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp ISO and IEC maintain terminology databases for use in standardization at the following addresses: — ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/ — IEC Electropedia: available at https://www.electropedia.org/
3.1.1 **access control**
**3.****1.1**
**access** **control**
means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements means to ensure that physical and logical access to _assets_ (3.1.2) is authorized and restricted based on business and information security requirements
3.1.2 **asset**
**3.****1.2**
**ass****et**
anything that has value to the organization anything that has value to the organization
*Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:*
Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:
— the primary assets: — information; — the primary assets: — information;
— business _processes_ (3.1.27) and activities; — business _processes_ (3.1.27) and activities;
— the supporting assets (on which the primary assets rely) of all types, for example: — hardware; — the supporting assets (on which the primary assets rely) of all types, for example: — hardware;
— software; — network; — software; — network;
_personnel_ (3.1.20); _personnel_ (3.1.20);
© ISO/IEC 2022 All rights reserved **1**
**ISO/IEC 27002:2022(E)**
— site; — site;
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
— organizations structure. — organizations structure.
3.1.3 **attack**
**3.****1.3**
**attack**
successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2) successful or unsuccessful unauthorized attempt to destroy, alter, disable, gain access to an _asset_ (3.1.2) or any attempt to expose, steal, or make unauthorized use of an _asset_ (3.1.2)
3.1.4 **authentication**
provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct
**3.1.4**
**aut****hentication**
provision of assurance that a claimed characteristic of an _entity_ (3.1.11) is correct
**3****.1.5**
**au****thenticity**
3.1.5 **authenticity**
property that an _entity_ (3.1.11) is what it claims to be property that an _entity_ (3.1.11) is what it claims to be
3.1.6 **chain of custody**
**3.1.6**
**chain** **of** **custody**
demonstrable possession, movement, handling and location of material from one point in time until another demonstrable possession, movement, handling and location of material from one point in time until another
*Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.*
3.1.7 **confidential information**
Note 1 to entry: Material includes information and other associated _assets_ (3.1.2) in the context of ISO/IEC 27002.
[SOURCE: ISO/IEC 27050-1:2019, 3.1, modified — “Note 1 to entry” added]
**3.****1.7**
**confidential** **information**
information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27) information that is not intended to be made available or disclosed to unauthorized individuals, _entities_ (3.1.11) or _processes_ (3.1.27)
3.1.8 **control**
**3****.1.8**
**control**
measure that maintains and/or modifies risk measure that maintains and/or modifies risk
*Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.*
*Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.*
Note 1 to entry: Controls include, but are not limited to, any _process_ (3.1.27), _policy_ (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
**3.****1.9**
**disrupti****on**
3.1.9 **disruption**
incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organizations objectives incident, whether anticipated or unanticipated, that causes an unplanned, negative deviation from the expected delivery of products and services according to an organizations objectives
3.1.10 **endpoint device**
[SOURCE: ISO 22301:2019, 3.10]
**3.1****.10**
**endpoint** **device**
network connected information and communication technology (ICT) hardware device network connected information and communication technology (ICT) hardware device
*Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.*
3.1.11 **entity**
Note 1 to entry: Endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, printers or other specialized hardware including smart meters and Internet of things (IoT) devices.
**3.1.11**
**entity**
item relevant for the purpose of operation of a domain that has recognizably distinct existence item relevant for the purpose of operation of a domain that has recognizably distinct existence
*Note 1 to entry: An entity can have a physical or a logical embodiment.*
Note 1 to entry: An entity can have a physical or a logical embodiment.
**2** © ISO/IEC 2022 All rights reserved
EXAMPLE
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17
Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
A person, an organization, a device, a group of such items, a human subscriber to a telecom A person, an organization, a device, a group of such items, a human subscriber to a telecom
service, a SIM card, a passport, a network interface card, a software application, a service or a website. service, a SIM card, a passport, a network interface card, a software application, a service or a website.
3.1.12 **information processing facility**
any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.]
[SOURCE: ISO/IEC 24760-1:2019, 3.1.1] 3.1.13 **information security breach** compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed
**3.****1.12**
**information** **processing** **facility**
any information processing system, service or infrastructure, or the physical location housing it [SOURCE: ISO/IEC 27000:2018, 3.27, modified — "facilities" has been replaced with facility.] **3****.1.13**
**information** **security** **breach**
compromise of information security that leads to the undesired destruction, loss, alteration, disclosure of, or access to, protected information transmitted, stored or otherwise processed
**3.1****.14**
**information** **security** **event**
3.1.14 **information security event**
occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8) occurrence indicating a possible _information_ _security_ _breach_ (3.1.13) or failure of _controls_ (3.1.8)
3.1.15 **information security incident**
[SOURCE: ISO/IEC 27035-1:2016, 3.3, modified — “breach of information security” has been replaced with “information security breach”]
**3.1****.15**
**information** **security incident**
one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organizations _assets_ (3.1.2) or compromise its operations one or multiple related and identified _information_ _security_ _events_ (3.1.14) that can harm an organizations _assets_ (3.1.2) or compromise its operations
3.1.16 **information security incident management**
[SOURCE: ISO/IEC 27035-1:2016, 3.4]
**3.1.16**
**information** **security** **incident** **management**
exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5] exercise of a consistent and effective approach to the handling of _information_ _security_ _incidents_ (3.1.15) [SOURCE: ISO/IEC 27035-1:2016, 3.5]
**3****.1.17** 3.1.17 **information system** set of applications, services, information technology _assets_ (3.1.2), or other information-handling components
**information** **system**
set of applications, services, information technology _assets_ (3.1.2), or other information-handling components
[SOURCE: ISO/IEC 27000:2018, 3.35]
**3.1.18**
**interested** **party** stakeholder
3.1.18 **interested party stakeholder**
person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
3.1.19 **non-repudiation**
[SOURCE: ISO/IEC 27000:2018, 3.37]
3.1.19
**non-repudiation**
ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11) ability to prove the occurrence of a claimed event or action and its originating _entities_ (3.1.11)
3.1.20 3.1.20 **personnel**
**personnel**
persons doing work under the organizations direction persons doing work under the organizations direction
*Note 1 to entry: The concept of personnel includes the organizations members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.* *Note 1 to entry: The concept of personnel includes the organizations members, such as the governing body, top management, employees, temporary staff, contractors and volunteers.*
3.1.21 3.1.21 **personally identifiable information / PII**
**personally identifiable information**
**PII**
any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person. any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.
*Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.* *Note 1 to entry: The “natural person” in the definition is the PII principal (3.1.22). To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person.*
[SOURCE: ISO/IEC 29100:2011/Amd.1:2018, 2.9] 3.1.22 **PII principal**
© ISO/IEC 2022 All rights reserved **3**
**ISO/IEC 27002:2022(E)**
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**3.1.22**
**PII** **principal**
natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates natural person to whom the _personally identifiable_ _information_ _(PII)_ (3.1.21) relates
*Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.*
3.1.23 **PII processor**
Note 1 to entry: Depending on the jurisdiction and the particular data protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.
[SOURCE: ISO/IEC 29100:2011, 2.11]
**3.1.23**
**PII** **processor**
privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller privacy stakeholder that processes _personally_ _identifiable_ _information_ _(PII)_ (3.1.21) on behalf of and in accordance with the instructions of a PII controller
3.1.24 **policy**
intentions and direction of an organization, as formally expressed by its top management
[SOURCE: ISO/IEC 29100:2011, 2.12] [SOURCE: ISO/IEC 27000:2018, 3.53]
**3.1****.24**
**policy**
intentions and direction of an organization, as formally expressed by its top management [SOURCE: ISO/IEC 27000:2018, 3.53]
**3.1.25**
**privacy** **impact** **assessment** **PIA**
3.1.25 **privacy impact assessment PIA**
overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organizations broader risk management framework overall _process_ (3.1.27) of identifying, analysing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of _personally_ _identifiable_ _information_ _(PII)_ (3.1.21), framed within an organizations broader risk management framework
3.1.26 **procedure**
[SOURCE: ISO/IEC 29134:2017, 3.7, modified — Note 1 to entry removed.]
**3.1.26**
**procedure**
specified way to carry out an activity or a _process_ (3.1.27) specified way to carry out an activity or a _process_ (3.1.27)
3.1.27 **process**
[SOURCE: ISO 30000:2009, 3.12]
**3.1.27**
**proce****ss**
set of interrelated or interacting activities that uses or transforms inputs to deliver a result set of interrelated or interacting activities that uses or transforms inputs to deliver a result
3.1.28 **record**
[SOURCE: ISO 9000:2015, 3.4.1, modified— Notes to entry removed.]
**3.1****.28**
**re****cord**
information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business information created, received and maintained as evidence and as an _asset_ (3.1.2) by an organization or person, in pursuit of legal obligations or in the transaction of business
*Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.*
3.1.29 **recovery point objective** / **RPO**
point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".]
**4** © ISO/IEC 2022 All rights reserved
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
Note 1 to entry: Legal obligations in this context include all legal, statutory, regulatory and contractual requirements.
[SOURCE: ISO 15489-1:2016, 3.14, modified— “Note 1 to entry” added.]
**3.1.29**
**recovery** **point** **objective**
**RPO**
point in time to which data are to be recovered after a _disruption_ (3.1.9) has occurred [SOURCE: ISO/IEC 27031:2011, 3.12, modified — "must" replaced by "are to be".] **3.1.30**
**recovery** **time** **objective** **RTO**
3.1.30 **recovery time objective RTO**
period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred period of time within which minimum levels of services and/or products and the supporting systems, applications, or functions are to be recovered after a _disruption_ (3.1.9) has occurred
3.1.31 **reliability**
[SOURCE: ISO/IEC 27031:2011, 3.13, modified — "must" replaced by "are to be".]
**3.1****.31**
**reliability**
property of consistent intended behaviour and results property of consistent intended behaviour and results
3.1.32 **rule**
**3.1.32**
**rule**
accepted principle or instruction that states the organizations expectations on what is required to be done, what is allowed or not allowed accepted principle or instruction that states the organizations expectations on what is required to be done, what is allowed or not allowed
*Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents.*
3.1.33 **sensitive information**
information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety
Note 1 to entry: Rules can be formally expressed in _topic-specific policies_ (3.1.35) and in other types of documents. 3.1.34 **threat** potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74]
**3.1.33**
**sensitive** **information**
information that needs to be protected from unavailability, unauthorized access, modification or public disclosure because of potential adverse effects on an individual, organization, national security or public safety
**3****.1.34**
**thr****eat**
potential cause of an unwanted incident, which can result in harm to a system or organization [SOURCE: ISO/IEC 27000:2018, 3.74]
**3.1.35**
**topic-specific** **policy**
3.1.35 **topic-specific policy**
intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management
*Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies.*
*Note 3 to entry: The topic-specific policies referred to in this document are related to information security.*
3.1.36 **user**
Note 1 to entry: Topic-specific policies can formally express _rules_ (3.1.32) or organization standards. Note 2 to entry: Some organizations use other terms for these topic-specific policies.
Note 3 to entry: The topic-specific policies referred to in this document are related to information security.
EXAMPLE Topic-specific policy on _access_ _control_ (3.1.1), topic-specific policy on clear desk and clear screen.
**3.1.36**
**u****ser**
_interested_ _party_ (3.1.18) with access to the organizations _information_ _systems_ (3.1.17) _interested_ _party_ (3.1.18) with access to the organizations _information_ _systems_ (3.1.17)
3.1.37 **user endpoint device**
EXAMPLE _Personnel_ (3.1.20), customers, suppliers.
© ISO/IEC 2022 All rights reserved
**5**
**ISO/IEC 27002:2022(E)**
**3.1.37**
**user** **endpoint** **device**
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
_endpoint_ _device_ (3.1.10) used by users to access information processing services _endpoint_ _device_ (3.1.10) used by users to access information processing services
*Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.*
3.1.38 **vulnerability**
Note 1 to entry: User endpoint device can refer to desktop computers, laptops, smart phones, tablets, thin clients, etc.
**3.1****.38**
**vu****lnerability**
weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77] weakness of an _asset_ (3.1.2) or _control_ (3.1.8) that can be exploited by one or more _threats_ (3.1.34) [SOURCE: ISO/IEC 27000:2018, 3.77]
### 3.2 Abbreviated terms
**3.2** **Abbreviated** **terms**
ABAC attribute-based access control
ACL access control list
BIA business impact analysis
BYOD bring your own device
CAPTCHA completely automated public Turing test to tell computers and humans apart
CPU central processing unit
DAC discretionary access control
DNS domain name system
GPS global positioning system
ABAC attribute-based access control
ACL access control list
BIA business impact analysis
BYOD bring your own device
CAPTCHA completely automated public Turing test to tell computers and humans apart
CPU central processing unit
DAC discretionary access control
DNS domain name system
GPS global positioning system
IAM identity and access management IAM identity and access management
ICT information and communication technology
ID identifier IDE integrated development environment
IDS intrusion detection system IoT internet of things
ICT information and communication technology IP internet protocol
ID identifier
IDE integrated development environment
IDS intrusion detection system
IoT internet of things
IP internet protocol
IPS intrusion prevention system IPS intrusion prevention system
IT information technology
ISMS information security management system
MAC mandatory access control
IT information technology NTP network time protocol
PIA privacy impact assessment
PII personally identifiable information
PIN personal identification number
ISMS information security management system PKI public key infrastructure
PTP precision time protocol
RBAC role-based access control
RPO recovery point objective
MAC mandatory access control RTO recovery time objective
SAST static application security testing
SD secure digital
SDN software-defined networking
NTP network time protocol SD-WAN software-defined wide area networking
SIEM security information and event management
SMS short message service
SQL structured query language
PIA privacy impact assessment SSO single sign on
SWID software identification
UEBA user and entity behaviour analytics
UPS uninterruptible power supply
PII personally identifiable information URL uniform resource locator
USB universal serial bus
VM virtual machine
VPN virtual private network
WiFi wireless fidelity
**6** © ISO/IEC 2022 All rights reserved
Licensed to ISO27DIY / Richard Kranendonk (rkranendonk@mac.com)
ISO Store Order: OP-582678 / Downloaded: 2022-02-17 Single user licence only, copying and networking prohibited.
**ISO/IEC 27002:2022(E)**
PIN personal identification number
PKI public key infrastructure
PTP precision time protocol
RBAC role-based access control
RPO recovery point objective
RTO recovery time objective
SAST static application security testing
SD secure digital
SDN software-defined networking
SD-WAN software-defined wide area networking
SIEM security information and event management
SMS short message service
SQL structured query language
SSO single sign on
SWID software identification
UEBA user and entity behaviour analytics
UPS uninterruptible power supply
URL uniform resource locator
USB universal serial bus
VM virtual machine
VPN virtual private network
WiFi wireless fidelity
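Review bot: entry 3.1.18 loses the distinction between the term and its admitted term: the old side has `**interested** **party** stakeholder` with "stakeholder" unbolded as the alternative term, but the new side folds it into `3.1.18 **interested party stakeholder**`, which reads as one term; a separator such as the slash already used for 3.1.21 (`**personally identifiable information / PII**`) would keep the meaning. That separator should then be used consistently, since 3.1.25 ("privacy impact assessment PIA") and 3.1.30 ("recovery time objective RTO") have none, and 3.1.29 bolds the slash while 3.1.21 does not. A few entries still run number, term and definition together on one line (3.1.13, 3.1.17, 3.1.34) and a few keep the [SOURCE: ...] citation on the definition line (3.1.12, 3.1.29) where the other entries give each its own line; in 3.1.35 "Note 2 to entry" is likewise glued onto the end of Note 1. The two subclause headings are at different levels (`##` for 3.1, `###` for 3.2) and should match. Finally, "organizations" where the possessive "organization's" is meant (3.1.9, 3.1.15, 3.1.20, 3.1.25, 3.1.32, 3.1.36) looks like an apostrophe lost in PDF extraction and could be fixed in the same clean-up pass.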