Understanding ISO 27001 Language

One of the main rules of good communication is to adjust your speech to the target audience. ISO 27001 has its own set of terms, useful for a shared understanding among security practitioners. However, an organization is more than its security personnel. Top management, middle management, line workers, clients, and many other people interact with the business, and they need to understand information security, too.

The problem is, if you use only ISO 27001 terms, chances are good that you will confuse people, and confused people are little help in protecting business information. Therefore, you have to make security information easy to understand from their point of view. That is the purpose of this post: to show some ISO 27001 terms translated into more common business words that will help you explain ISO 27001 and the certification process.

Some of the ISO 27001 main terms:
  • Audit checklist
  • Certification
  • Certification process
  • Certified company
  • Controls

ISO 27001 main terms through new words

The following are some of the most important and commonly searched terms in relation to ISO 27001, and how you can present them in a way we consider easy to explain:

Audit checklist: A set of information used to help ensure something was made or done as expected. A wish list is a good example of a checklist. A pre-flight checklist is another one. A list of the mandatory items of a standard (from ISO or defined by your own organization) is another example.

Certification: Confirmation that a person, process, system, or product has demonstrated that it has achieved predefined criteria. An academic certificate confirms that a person has attended the necessary courses and demonstrated the knowledge to earn a designation or be allowed to exercise a profession. A security certification confirms that a person/process/system has achieved predefined security criteria (e.g., ISO 27001, PCI, etc.).

Certification process: A process through which a person/process/system/product goes to demonstrate it has achieved predefined criteria. Trying on shoes to find the most comfortable fit is an example of going through a certification process. If your organization systematically verifies results/products against predefined criteria, it has a certification process. If the criteria are related to security, then you have a security certification process.

Certified company: Any organization that has demonstrated it has achieved predetermined criteria. An ISO 27001 certified company has achieved the mandatory requirements defined by the ISO 27001 standard.

Controls: Methods used to avoid or minimize undesired outcomes. You look both ways before crossing a street to avoid being hit by a car. An airbag can minimize the damage in a car crash. Any practice you use at your organization to avoid problems or minimize their consequences is a control.

Gap analysis: Any practice used to compare real performance against expected/potential performance, to identify which items are already fine and which ones you still have to improve or comply with. It helps you determine what you need to do to meet the proposed outcomes.

ISMS (Information Security Management System): The part of the overall management system whose objective is to protect the organization's information. By comparison, an HR management system takes care of human resources, and a financial management system takes care of income, expenses, assets, and so on.

ISMS policy: Management's statement of what it expects from those who interact with the organization's information, regarding its use and protection.

Lead auditor: A person who is capable of planning and executing the steps necessary to verify whether a person/process/system/product achieves predefined criteria. Any person in your organization who, using predefined criteria, can plan and execute the verification of processes/products can be considered a lead auditor.

Lead implementer: A person who is capable of planning and executing the steps necessary to implement a process according to predefined criteria. Any person in your organization who, using predefined criteria, can plan and execute the implementation of a process can be considered a lead implementer.

Risk assessment: Any systematic process to identify and deal with risk according to predefined criteria. Clint Eastwood’s movie Dirty Harry is one of the better examples of risk assessment. (The bad guy has to decide whether to grab the gun. Does Harry Callahan have a bullet left in his .44 Magnum? – “Do you feel lucky? Well, do ya, punk?”). Another example is The Matrix (the red pill or the blue pill, remember?).

Standard: Any set of agreed rules about how to achieve something. The color pattern of a traffic light is an example of a standard. If your organization always uses the same practices to protect the information it communicates, it has a communication security standard.

Statement of applicability: A document in which you declare which controls you consider relevant, and their objectives, based on your business requirements. If you have a medical checkup every year to make sure you are healthy and to improve your chances of living longer, and you write that practice (control) down in a document, that document could be considered a health statement of applicability.

Of course, these are only some examples. You can adjust them to your industry. The important thing is that your terms must keep the same meaning as the ISO 27001 terms. For additional information about ISO 27001 terms, see this article: Explanation of the basic terminology in ISO standards.

Choose your words wisely and make allies

Remember: communication is not about what you say, but about what your audience understands. Make sure you choose the words they are most comfortable with, and make it easier for information security to become part of their lives and activities.

To get step-by-step guidance and templates for all ISO 27001 required documents, try out Conformio, ISO 27001 compliance software, for free.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.