Other Support

vsRisk customers wishing to receive a complete downloadable list of the Risk Threats and Vulnerabilities please email servicecentre@vigilantsoftware.co.uk and the PDF documents will be forwarded to you.


ISO 27001 Information Security Definitions

ISO 27001 has specific definitions for key terms, and these are relevant to those involved in carrying out risk assessments.


The procedure through which an authoritative body formally recognises a person’s or organization’s competence to carry out specified tasks. Not to be confused with certification. Third party certification (auditing) bodies become accredited and those they audit, subject to a successful outcome, become certificated.


Anything that has value to the organization.* Information assets are likely to be of the following types:

  • Information: databases and data files, other files and copies of plans, system documentation, original user manuals, original training material, operational or other support procedures, continuity plans, other fall-back arrangements, archived information, financial and accounting information;
  • Software: application software, operating and system software, development tools and utilities, e-learning assets, network tools and utilities;
  • Physical assets: computer equipment (including workstations, notebooks, PDAs, monitors, modems, scanning machines, printers), communications equipment (routers, cell phones, PABXs, fax machines, answering machines, voice conferencing units, etc.), magnetic media (tapes and disks), other technical equipment (power supplies, air conditioning units), furniture, lighting, other equipment;
  • Services: ‘groups of assets which act together to provide a particular function’, such as computing and communications services, general utilities, e.g., heating, lighting, power, air-conditioning.

Asset owner

According to ISO27001, every asset has an owner Annex A.7.1.2. the term ‘owner is not meant to convey legal ownership of the asset to the individual as defined (4.2.1-d1, footnote 2) as the ‘individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets’. This could therefore be a system administrator or a manager who is responsible for defining how an asset or group of similar assets is used.

The owner of the asset is the person – or part of the business – who is responsible for the appropriate classification and protection of the asset.


Ensuring that authorized users have access to information and associated assets when required.**


The process through which a certification body confirms that a product, process or service conforms to a specific standard or specification. For example, an organization becomes certificated to ISO 27001:2005.

Certification body

see Third Party Certification Body.


Positive answer to the question: ‘Is what is taking place in line with the pre-specified requirements for what should take place?’ Hence, non-compliance and compliance monitoring. Compliance is often used in a legal context.


The property that information is not made available or disclosed to unauthorised to unauthorised individuals, entities or processes.


Fulfilment of a requirement. A positive answer to the question: ‘Is what is taking place in line with the pre-specified requirements for what should take place?’ Hence, non-conformance and conformance monitoring. Conformance is often used in a non-legal context.


Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be administrative, technical, management or legal nature. Control is also used as a synonym for safeguard or countermeasure.

Document control

A system whereby all documents within the system have a standard numbering system that identifies where they sit within that system, as well as a version number, an issue date and a document owner, so that the currency of the document is always clear. When a controlled document is amended, all copies of it should be simultaneously withdrawn and replaced by the new version.


The conversion of plain text into code, using a mathematical algorithm, to prevent it from being read by a third party.

Information security

The preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

Information security event

An identified occurrence in a system, service or network indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant. * (See also information security incident).

Information security incident

A single or a series of unwanted or unexpected events that have a significant probability of compromising business operations and threatening information security. *

Information security management system (ISMS)

That part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. **

Information security policy

The organization’s policy for securing its information assets.


The property of safeguarding the accuracy and completeness of assets.


see Information security management system.


Acronym from the Greek ‘isos’ (‘equal to’) adopted by the ‘International Organization for Standardization’: the world’s largest developer of standards. Its membership comprises the national standards bodies of countries around the world.

ISO 17799:2005

The international code of best practice for information security which underpins and provides guidance for the implementation of an ISMS, specifically, the revised version issued in 2005. It includes individual information security controls, implementation guidance and other information relating to them.

IT governance

A framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensures that the organization’s IT supports and enables the achievement of its strategies and objectives.


Overall intention and direction as formally expressed by management. *

Project governance

The framework and rules for controlling how project decisions are made and project activity monitored.


Americanism for certification body; see Certification body.


Combination of the probability of an event and its consequence. *

Risk acceptance

Decision to accept a risk. ***

Risk analysis

Systematic use of information to identify sources and to estimate the risk. *

Risk appetite

Organization’s overall attitude to risk, the balance between risk and return, and the trade-off between security and flexibility, usually a strategic decision by the organization’s board.

Risk assessment

Overall process of risk analysis and risk evaluation. *

Risk management

Coordinated activities to direct and control an organization with respect to risk (usually includes risk assessment, risk treatment, risk acceptance and risk communication). *


see Statement of Applicability.

Statement of Applicability (SoA)

Document describing the control objectives and controls that are relevant and applicable to the organization’s ISMS, based on the results and conclusions of the risk assessment and risk treatment processes. **

Third party certification body

Independent organization with the necessary competence and reliability to award certificates following verification of conformance. It is advisable to check the accreditation status of such bodies prior to appointing them.


A potential cause of an unwanted incident, which may result in harm to a system or organization. *


United Kingdom Accreditation Service: the sole national accreditation body recognised by the UK government to assess, against internationally agreed standards, organizations that provide certification, testing, inspection and calibration services.


A weakness of an asset or group of assets that can be exploited by a threat.* There are regularly updated central stores of known vulnerabilities at Bugtraq (see www.securityfocus. com/archive/1), CVE (Common Vulnerabilities and Exposures – (see http://cve.mitre.org) and in the SANS top 20 (SANS (SysAdmin, Audit, Network, Security) Institute (see www.sans.org/top20/).


* Taken from ISO/IEC 17799:2005.

** Taken from ISO/IEC 27001:2005.

*** Taken from BS 7799-3:2006.

**** Taken from ISO/IEC 20000-1:2005.