EN ISO/IEC 27000:2017

SLOVENSKI STANDARD
01-september-2017
Informacijska tehnologija - Varnostne tehnike - Sistemi upravljanja informacijske
varnosti - Pregled in izrazje (ISO/IEC 27000:2016)
Information technology - Security techniques - Information security management systems
- Overview and vocabulary (ISO/IEC 27000:2016)
Informationstechnik - Sicherheitsverfahren - Informationssicherheits-
Managementsysteme - Überblick und Terminologie (ISO/IEC 27000:2016)
Technologies de l'information - Techniques de sécurité - Systèmes de gestion de
sécurité de l'information - Vue d'ensemble et vocabulaire (ISO/IEC 27000:2016)
Ta slovenski standard je istoveten z: EN ISO/IEC 27000:2017
ICS:
01.040.35 Informacijska tehnologija. Information technology
(Slovarji) (Vocabularies)
03.100.70 Sistemi vodenja Management systems
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EN ISO/IEC 27000
EUROPEAN STANDARD
NORME EUROPÉENNE
February 2017
EUROPÄISCHE NORM
ICS 01.040.35; 03.100.70; 35.030
English Version
Information technology - Security techniques -
Information security management systems - Overview and
vocabulary (ISO/IEC 27000:2016)
Technologies de l'information - Techniques de sécurité Informationstechnik - Sicherheitsverfahren -
- Systèmes de gestion de sécurité de l'information - Vue Informationssicherheits-Managementsysteme -
d'ensemble et vocabulaire (ISO/IEC 27000:2016) Überblick und Terminologie (ISO/IEC 27000:2016)
This European Standard was approved by CEN on 26 January 2017.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions
for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATIO N

EUROPÄISCHES KOMITEE FÜR NORMUN G

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2017 CEN and CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27000:2017 E
reserved worldwide for CEN and CENELEC national
Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 27000:2016 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27000:2017.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by August 2017, and conflicting national standards shall
be withdrawn at the latest by August 2017.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27000:2016 has been approved by CEN as EN ISO/IEC 27000:2017 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 27000
Fourth edition
2016-02-15
Information technology — Security
techniques — Information security
management systems — Overview
and vocabulary
Technologies de l’information — Techniques de sécurité — Systèmes de
gestion de sécurité de l’information — Vue d’ensemble et vocabulaire
Reference number
ISO/IEC 27000:2016(E)
©
ISO/IEC 2016
ISO/IEC 27000:2016(E)
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
Contents Page
Foreword .v
0 Introduction . 1
0.1 Overview . 1
0.2 ISMS family of standards . 1
0.3 Purpose of this International Standard . 2
1 Scope . 2
2 Terms and definitions . 2
3 Information security management systems .14
3.1 General .14
3.2 What is an ISMS? .14
3.2.1 Overview and principles .14
3.2.2 Information.15
3.2.3 Information security .15
3.2.4 Management .15
3.2.5 Management system .16
3.3 Process approach .16
3.4 Why an ISMS is important .16
3.5 Establishing, monitoring, maintaining and improving an ISMS .17
3.5.1 Overview .17
3.5.2 Identifying information security requirements .17
3.5.3 Assessing information security risks .18
3.5.4 Treating information security risks . .18
3.5.5 Selecting and implementing controls .18
3.5.6 Monitor, maintain and improve the effectiveness of the ISMS .19
3.5.7 Continual improvement .19
3.6 ISMS critical success factors .20
3.7 Benefits of the ISMS family of standards .20
4 ISMS family of standards .21
4.1 General information .21
4.2 Standards describing an overview and terminology .22
4.2.1 ISO/IEC 27000 (this International Standard) .22
4.3 Standards specifying requirements .22
4.3.1 ISO/IEC 27001 .22
4.3.2 ISO/IEC 27006 .22
4.4 Standards describing general guidelines .22
4.4.1 ISO/IEC 27002 .22
4.4.2 ISO/IEC 27003 .23
4.4.3 ISO/IEC 27004 .23
4.4.4 ISO/IEC 27005 .23
4.4.5 ISO/IEC 27007 .23
4.4.6 ISO/IEC TR 27008 .23
4.4.7 ISO/IEC 27013 .24
4.4.8 ISO/IEC 27014 .24
4.4.9 ISO/IEC TR 27016 .24
4.5 Standards describing sector-specific guidelines .25
4.5.1 ISO/IEC 27010 .25
4.5.2 ISO/IEC 27011 .25
4.5.3 ISO/IEC TR 27015 .25
4.5.4 ISO/IEC 27017 .25
4.5.5 ISO/IEC 27018 .26
4.5.6 ISO/IEC TR 27019 .26
4.5.7 ISO 27799 .26
© ISO/IEC 2016 – All rights reserved iii

ISO/IEC 27000:2016(E)
Annex A (informative) Verbal forms for the expression of provisions.28
Annex B (informative) Term and term ownership .29
Bibliography .33
iv © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT
Security techniques.
This fourth edition cancels and replaces the third edition (ISO/IEC 27000:2014), which has been
technically revised.
© ISO/IEC 2016 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 27000:2016(E)
Information technology — Security techniques —
Information security management systems — Overview
and vocabulary
0 Introduction
0.1 Overview
International Standards for management systems provide a model to follow in setting up and
operating a management system. This model incorporates the features on which experts in the field
have reached a consensus as being the international state of the art. ISO/IEC JTC 1/SC 27 maintains an
expert committee dedicated to the development of international management systems standards for
information security, otherwise known as the Information Security Management System (ISMS) family
of standards.
Through the use of the ISMS family of standards, organizations can develop and implement a framework
for managing the security of their information assets including financial information, intellectual
property, and employee details, or information entrusted to them by customers or third parties. These
standards can also be used to prepare for an independent assessment of their ISMS applied to the
protection of information.
0.2 ISMS family of standards
The ISMS family of standards (see Clause 4) is intended to assist organizations of all types and sizes
to implement and operate an ISMS and consists of the following International Standards, under the
general title Information technology — Security techniques (given below in numerical order):
— ISO/IEC 27000, Information security management systems — Overview and vocabulary
— ISO/IEC 27001, Information security management systems — Requirements
— ISO/IEC 27002, Code of practice for information security controls
— ISO/IEC 27003, Information security management system implementation guidance
— ISO/IEC 27004, Information security management — Measurement
— ISO/IEC 27005, Information security risk management
— ISO/IEC 27006, Requirements for bodies providing audit and certification of information security
management systems
— ISO/IEC 27007, Guidelines for information security management systems auditing
— ISO/IEC TR 27008, Guidelines for auditors on information security controls
— ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 — Requirements
— ISO/IEC 27010, Information security management for inter-sector and inter-organizational
communications
— ISO/IEC 27011, Information security management guidelines for telecommunications organizations
based on ISO/IEC 27002
— ISO/IEC 27013, Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
© ISO/IEC 2016 – All rights reserved 1

ISO/IEC 27000:2016(E)
— ISO/IEC 27014, Governance of information security
— ISO/IEC TR 27015, Information security management guidelines for financial services
— ISO/IEC TR 27016, Information security management — Organizational economics
— ISO/IEC 27017, Code of practice for information security controls based on ISO/IEC 27002 for cloud
services
— ISO/IEC 27018, Code of practice for protection of personally identifiable information (PII) in public
clouds acting as PII processors
— ISO/IEC 27019, Information security management guidelines based on ISO/IEC 27002 for process
control systems specific to the energy utility industry
NOTE The general title “Information technology — Security techniques” indicates that these International
Standards were prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, IT Security techniques.
International Standards not under the same general title that are also part of the ISMS family of
standards are as follows:
— ISO 27799, Health informatics — Information security management in health using ISO/IEC 27002
0.3 Purpose of this International Standard
This International Standard provides an overview of information security management systems and
defines related terms.
NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance
in the ISMS family of standards.
The ISMS family of standards includes standards that
a) define requirements for an ISMS and for those certifying such systems,
b) provide direct support, detailed guidance and/or interpretation for the overall process to establish,
implement, maintain, and improve an ISMS,
c) address sector-specific guidelines for ISMS, and
d) address conformity assessment for ISMS.
The terms and definitions provided in this International Standard
— cover commonly used terms and definitions in the ISMS family of standards,
— do not cover all terms and definitions applied within the ISMS family of standards, and
— do not limit the ISMS family of standards in defining new terms for use.
1 Scope
This International Standard provides the overview of information security management systems, and
terms and definitions commonly used in the ISMS family of standards. This International Standard is
applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-
for-profit organizations).
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2 © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
2.1
access control
means to ensure that access to assets is authorized and restricted based on business and security
requirements (2.63)
2.2
analytical model
algorithm or calculation combining one or more base measures (2.10) and/or derived measures (2.22)
with associated decision criteria (2.21)
2.3
attack
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized
use of an asset
2.4
attribute
property or characteristic of an object (2.55) that can be distinguished quantitatively or qualitatively
by human or automated means
[SOURCE: ISO/IEC 15939:2007, 2.2, modified — “entity” has been replaced by “object” in the definition.]
2.5
audit
systematic, independent and documented process (2.61) for obtaining audit evidence and evaluating it
objectively to determine the extent to which the audit criteria are fulfilled
Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party),
and it can be a combined audit (combining two or more disciplines).
Note 2 to entry: “Audit evidence” and “audit criteria” are defined in ISO 19011.
2.6
audit scope
extent and boundaries of an audit (2.5)
[SOURCE: ISO 19011:2011, 3.14, modified — Note 1 to entry has been deleted.]
2.7
authentication
provision of assurance that a claimed characteristic of an entity is correct
2.8
authenticity
property that an entity is what it claims to be
2.9
availability
property of being accessible and usable upon demand by an authorized entity
2.10
base measure
measure (2.47) defined in terms of an attribute (2.4) and the method for quantifying it
[SOURCE: ISO/IEC 15939:2007, 2.3, modified — Note 2 to entry has been deleted.]
Note 1 to entry: A base measure is functionally independent of other measures (2.47).
2.11
competence
ability to apply knowledge and skills to achieve intended results
© ISO/IEC 2016 – All rights reserved 3

ISO/IEC 27000:2016(E)
2.12
confidentiality
property that information is not made available or disclosed to unauthorized individuals, entities, or
processes (2.61)
2.13
conformity
fulfilment of a requirement (2.63)
Note 1 to entry: The term “conformance” is synonymous but deprecated.
2.14
consequence
outcome of an event (2.25) affecting objectives (2.56)
[SOURCE: ISO Guide 73:2009, 3.6.1.3, modified]
Note 1 to entry: An event (2.25) can lead to a range of consequences.
Note 2 to entry: A consequence can be certain or uncertain and in the context of information security (2.33) is
usually negative.
Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
Note 4 to entry: Initial consequences can escalate through knock-on effects.
2.15
continual improvement
recurring activity to enhance performance (2.59)
2.16
control
measure that is modifying risk (2.68)
[SOURCE: ISO Guide 73:2009, 3.8.1.1]
Note 1 to entry: Controls include any process (2.61), policy (2.60), device, practice, or other actions which
modify risk (2.68).
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
2.17
control objective
statement describing what is to be achieved as a result of implementing controls (2.16)
2.18
correction
action to eliminate a detected nonconformity (2.53)
2.19
corrective action
action to eliminate the cause of a nonconformity (2.53) and to prevent recurrence
2.20
data
collection of values assigned to base measures (2.10), derived measures (2.22) and/or indicators (2.30)
[SOURCE: ISO/IEC 15939:2007, 2.4, modified — Note 1 to entry has been added.]
Note 1 to entry: This definition applies only within the context of ISO/IEC 27004.
4 © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
2.21
decision criteria
thresholds, targets, or patterns used to determine the need for action or further investigation, or to
describe the level of confidence in a given result
[SOURCE: ISO/IEC 15939:2007, 2.7]
2.22
derived measure
measure (2.47) that is defined as a function of two or more values of base measures (2.10)
[SOURCE: ISO/IEC 15939:2007, 2.8, modified — Note 1 to entry has been deleted.]
2.23
documented information
information required to be controlled and maintained by an organization (2.57) and the medium on
which it is contained
Note 1 to entry: Documented information can be in any format and media and from any source.
Note 2 to entry: Documented information can refer to
— the management system (2.46), including related processes (2.61);
— information created in order for the organization (2.57) to operate (documentation);
— evidence of results achieved (records).
2.24
effectiveness
extent to which planned activities are realized and planned results achieved
2.25
event
occurrence or change of a particular set of circumstances
[SOURCE: ISO Guide 73:2009, 3.5.1.3, modified — Note 4 to entry has been deleted.]
Note 1 to entry: An event can be one or more occurrences, and can have several causes.
Note 2 to entry: An event can consist of something not happening.
Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
2.26
executive management
person or group of people who have delegated responsibility from the governing body (2.29) for
implementation of strategies and policies to accomplish the purpose of the organization (2.57)
Note 1 to entry: Executive management is sometimes called top management (2.84) and can include Chief
Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
2.27
external context
external environment in which the organization seeks to achieve its objectives (2.56)
[SOURCE: ISO Guide 73:2009, 3.3.1.1]
Note 1 to entry: External context can include the following:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive
environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives (2.56) of the organization (2.57);
© ISO/IEC 2016 – All rights reserved 5

ISO/IEC 27000:2016(E)
— relationships with, and perceptions and values of, external stakeholders (2.82).
2.28
governance of information security
system by which an organization’s (2.57) information security (2.33) activities are directed and controlled
2.29
governing body
person or group of people who are accountable for the performance (2.59) and conformance of the
organization (2.57)
Note 1 to entry: Governing body can in some jurisdictions be a board of directors.
2.30
indicator
measure (2.47) that provides an estimate or evaluation of specified attributes (2.4) derived from an
analytical model (2.2) with respect to defined information needs (2.31)
2.31
information need
insight necessary to manage objectives (2.56), goals, risks and problems
[SOURCE: ISO/IEC 15939:2007, 2.12]
2.32
information processing facilities
any information processing system, service or infrastructure, or the physical location housing it
2.33
information security
preservation of confidentiality (2.12), integrity (2.40) and availability (2.9) of information
Note 1 to entry: In addition, other properties, such as authenticity (2.8), accountability, non-repudiation (2.54),
and reliability (2.62) can also be involved.
2.34
information security continuity
processes (2.61) and procedures for ensuring continued information security (2.33) operations
2.35
information security event
identified occurrence of a system, service or network state indicating a possible breach of information
security (2.33) policy (2.60) or failure of controls (2.16), or a previously unknown situation that may be
security relevant
2.36
information security incident
single or a series of unwanted or unexpected information security events (2.35) that have a significant
probability of compromising business operations and threatening information security (2.33)
2.37
information security incident management
processes (2.61) for detecting, reporting, assessing, responding to, dealing with, and learning from
information security incidents (2.36)
2.38
information sharing community
group of organizations (2.57) that agree to share information
Note 1 to entry: An organization (2.57) can be an individual.
6 © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
2.39
information system
applications, services, information technology assets, or other information handling components
2.40
integrity
property of accuracy and completeness
2.41
interested party
person or organization (2.57) that can affect, be affected by, or perceive themselves to be affected by a
decision or activity
2.42
internal context
internal environment in which the organization (2.57) seeks to achieve its objectives
[SOURCE: ISO Guide 73:2009, 3.3.1.2]
Note 1 to entry: Internal context can include the following:
— governance, organizational structure, roles and accountabilities;
— policies (2.60), objectives (2.56), and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes (2.61),
systems and technologies);
— information systems (2.39), information flows and decision-making processes (2.61) (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders (2.82);
— the organization’s (2.57) culture;
— standards, guidelines and models adopted by the organization (2.57);
— form and extent of contractual relationships.
2.43
ISMS project
structured activities undertaken by an organization (2.57) to implement an ISMS
2.44
level of risk
magnitude of a risk (2.68) expressed in terms of the combination of consequences (2.14) and their
likelihood (2.45)
[SOURCE: ISO Guide 73:2009, 3.6.1.8, modified — “or combination of risks” has been deleted in the
definition.]
2.45
likelihood
chance of something happening
[SOURCE: ISO Guide 73:2009, 3.6.1.1, modified — Notes 1 and 2 to entry have been deleted.]
2.46
management system
set of interrelated or interacting elements of an organization (2.57) to establish policies (2.60) and
objectives (2.56) and processes (2.61) to achieve those objectives
Note 1 to entry: A management system can address a single discipline or several disciplines.
© ISO/IEC 2016 – All rights reserved 7

ISO/IEC 27000:2016(E)
Note 2 to entry: The system elements include the organization’s structure, roles and responsibilities,
planning, operation.
Note 3 to entry: The scope of a management system may include the whole of the organization (2.57), specific and
identified functions of the organization (2.57), specific and identified sections of the organization (2.57), or one
or more functions across a group of organizations (2.57).
2.47
measure
variable to which a value is assigned as the result of measurement (2.48)
[SOURCE: ISO/IEC 15939:2007, 2.15, modified]
Note 1 to entry: The term “measures” is used to refer collectively to base measures (2.10), derived measures (2.22),
and indicators (2.30).
2.48
measurement
process (2.61) to determine a value
Note 1 to entry: In the context of information security (2.33), the process (2.61) of determining a value requires
information about the effectiveness (2.24) of an information security (2.33) management system (2.46) and its
associated controls (2.16) using a measurement method (2.50), a measurement function (2.49), an analytical model
(2.2), and decision criteria (2.21).
2.49
measurement function
algorithm or calculation performed to combine two or more base measures (2.10)
[SOURCE: ISO/IEC 15939:2007, 2.20]
2.50
measurement method
logical sequence of operations, described generically, used in quantifying an attribute (2.4) with respect
to a specified scale (2.80)
[SOURCE: ISO/IEC 15939:2007, 2.22, modified — Note 2 to entry has been deleted.]
Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an
attribute (2.4). Two types can be distinguished as follows:
— subjective: quantification involving human judgment;
— objective: quantification based on numerical rules.
2.51
measurement results
one or more indicators (2.30) and their associated interpretations that address an information need (2.31)
2.52
monitoring
determining the status of a system, a process (2.61) or an activity
Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
2.53
nonconformity
non-fulfilment of a requirement (2.63)
2.54
non-repudiation
ability to prove the occurrence of a claimed event (2.25) or action and its originating entities
8 © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
2.55
object
item characterized through the measurement (2.48) of its attributes (2.4)
2.56
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical, or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and
environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and
process (2.61).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an
operational criterion, as an information security (2.33) objective or by the use of other words with similar
meaning (e.g. aim, goal, or target).
Note 4 to entry: In the context of information security (2.33) management systems (2.46), information security
(2.33) objectives are set by the organization, consistent with the information security (2.33) policy (2.60), to
achieve specific results.
2.57
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives (2.56)
Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm,
enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated
or not, public or private.
2.58
outsource
make an arrangement where an external organization (2.57) performs part of an organization’s (2.57)
function or process (2.61)
Note 1 to entry: An external organization is outside the scope of the management system (2.46), although the
outsourced function or process (2.61) is within the scope.
2.59
performance
measurable result
Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
Note 2 to entry: Performance can relate to the management of activities, processes (2.61), products (including
services), systems or organizations (2.57).
2.60
policy
intentions and direction of an organization (2.57) as formally expressed by its top management (2.84)
2.61
process
set of interrelated or interacting activities which transforms inputs into outputs
2.62
reliability
property of consistent intended behaviour and results
© ISO/IEC 2016 – All rights reserved 9

ISO/IEC 27000:2016(E)
2.63
requirement
need or expectation that is stated, generally implied or obligatory
Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization (2.57) and
interested parties that the need or expectation under consideration is implied.
Note 2 to entry: A specified requirement is one that is stated, for example in documented information (2.23).
2.64
residual risk
risk (2.68) remaining after risk treatment (2.79)
Note 1 to entry: Residual risk can contain unidentified risk (2.68).
Note 2 to entry: Residual risk can also be known as “retained risk”.
2.65
review
activity undertaken to determine the suitability, adequacy and effectiveness (2.24) of the subject matter
to achieve established objectives (2.54)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]
2.66
review object
specific item being reviewed
2.67
review objective
statement describing what is to be achieved as a result of a review (2.65)
2.68
risk
effect of uncertainty on objectives
[SOURCE: ISO Guide 73:2009, 1.1, modified]
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or
knowledge of, an event (2.25), its consequence (2.14), or likelihood (2.45).
Note 3 to entry: Risk is often characterized by reference to potential events (2.25) and consequences (2.14), or a
combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences (2.14) of an event (2.25)
(including changes in circumstances) and the associated likelihood (2.45) of occurrence.
Note 5 to entry: In the context of information security (2.33) management systems (2.46), information security
(2.33) risks can be expressed as effect of uncertainty on information security (2.33) objectives (2.56).
Note 6 to entry: Information security (2.33) risk is associated with the potential that threats (2.83) will exploit
vulnerabilities (2.89) of an information asset or group of information assets and thereby cause harm to an
organization (2.57).
2.69
risk acceptance
informed decision to take a particular risk (2.68)
[SOURCE: ISO Guide 73:2009, 3.7.1.6]
Note 1 to entry: Risk acceptance can occur without risk treatment (2.79) or during the process (2.61) of risk
treatment (2.79).
10 © ISO/IEC 2016 – All rights reserved

ISO/IEC 27000:2016(E)
Note 2 to entry: Accepted risks (2.68) are subject to monitoring (2.52) and review (2.65).
2.70
risk analysis
process (2.61) to comprehend the nature of risk (2.68) and to determine the level of risk (2.44)
[SOURCE: ISO Guide 73:2009, 3.6.1]
Note 1 to entry: Risk analysis provides the basis for risk evaluation (2.74) and decisions about risk treatment (2.79).
Note 2 to entry: Risk analysis includes risk estimation.
2.71
risk assessment
overall process (2.61) of risk identification (2.75), risk analysis (2.70) and risk evaluation (2.74)
[SOURCE: ISO Guide 73:2009, 3.4.1]
2.72
risk communication and consultation
continual and iterative processes (2.61) that an organization conducts to provide, share or obtain
information, and to engage in dialogue with stakeholders (2.82) regarding the management of risk (2.68)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (2.45), significance,
evaluation, acceptability and treatment of risk (2.68).
Note 2 to entry: Consultation is a two-way process (2.51) of informed communication between an organization
(2.57) and its stakeholders (2.82) on an issue prior to making a decision or determining a direction on that issue.
Consultation is
— a process (2.61) which impacts on a decision through influence rather than power and
— an input to decision making, not joint decision making.
2.73
risk criteria
terms of reference against which the significance of risk (2.68) is evaluated
[SOURCE: ISO Guide 73:2009, 3.3.1.3]
Note 1 to entry: Risk criteria are based on organizational objectives, and external (2.27) and internal context (2.42).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies (2.60) and other requirements (2.63).
2.74
risk evaluation
process (2.61) of comparing the results of risk analysis (2.70) with risk criteria (2.73) to determine
whether the risk (2.68) and/or its magnitude is acceptable or tolerable
[SOURCE: ISO Guide 73:2009, 3.7.1]
Note 1 to entry: Risk evaluation assists in the decision about risk treatment (2.79).
2.75
risk identification
process (2.61) of finding, recognizing and describing risks (2.68)
[SOURCE: ISO Guide 73:2009, 3.5.1]
Note 1 to entry: Risk identification involves the identification of risk sources, events (2.25), their causes and their
potential consequences (2.14).
Note 2 t
...