ISO/IEC 27000:2009 Information technology — Security techniques — Information security management systems — Overview and vocabulary

The scope of ISO/IEC 27000 is “to specify the fundamental principles, concepts and vocabulary for the ISO/IEC 27000 (information security management system) series of documents.”

ISO/IEC 27000 contains the overview and vocabulary, in other words:

  • An overview of the ISO27k standards showing how they are used collectively to plan, implement, certify and operate an ISMS, with a basic introduction to information security, risk management and management systems
  • Carefully worded definitions of the information-security-related terms as they are used throughout the ISO27k standards.

Information security, like most technical subjects, has evolved a complex web of terminology.  Several core terms in information security (such as “risk”) have different meanings according to the context and the reader’s preconceptions.  Few authors take the trouble to define precisely what they mean, but this is unacceptable in the standards arena, as it leads to confusion and devalues formal assessment and certification.

ISO/IEC 27000 is similar to other vocabulary and definitions standards and will hopefully become a generally accepted reference for information security terms within the information security profession.  It largely supersedes the terms and definitions embedded in ISO27k standards already published and, to a large extent, related guidelines such as ISO/IEC Guide 2:1996 “Standardization and related activities – General vocabulary”, ISO/IEC Guide 73:2002 “Risk management – Vocabulary – Guidelines for use in standards”, ISO/IEC 2382-8 “Information technology – Vocabulary – Part 8: Security” and ISO 9000, the quality assurance standard.


Hot stuff! ISO/IEC 27000 is available as a FREE download.

Revision of the standard

ISO/IEC 27000 will be revised more often than most other standards in order to reflect other ISO27k standards currently being developed, plus the ongoing revision of ISO/IEC 27001, ISO/IEC 27002 and ISO Guide 73.  The idea is basically to move the definitions of most information security management terms out of the other ISO27k standards and into ISO/IEC 27000, except for any that are defined and used differently in particular ISO27k standards.

A revised version of ISO/IEC 27000 is currently in the works.  It will be based on the existing/current versions of ISO/IEC 27001 and 27002.  A further revision later will pick up the revised versions of 27001 and 27002, plus ISO 27799.  The editing team is making an effort to collect terms from the teams working on other ISO27k standards in a comprehensive and systematic way, using a separate internal document to collate, compare and align current and proposed definitions.  This is quite a job, since the contexts in which certain words or terms are used often differ between the standards.

The terms “management system”, “policy” and “stakeholder” have been defined by JTC1’s Technical Management Board as part of the ongoing alignment of the management systems standards.  This may cause problems for ISO27k, but work continues to address this issue.

A third WD of ISO/IEC 27000 will be released soon to members of SC27.


PS: Software and systems engineering terms defined in ISO/IEC and IEEE standards are searchable online.  The definitions of some information security and risk-related terms differ slightly from those defined in ISO/IEC 27000, so bear this in mind when reading various ISO27k and non-ISO27k standards.
