ISO Training FAQs - iCertWorks

ISO Training FAQs

Answers to your ISO Training Questions


What does ISO stand for?

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO standards are the result of collaboration and consensus among a group of more than 160 countries around the globe. Note that "ISO" is not an acronym of the organization's name: the short name is derived from the Greek word "isos" (equal), so that it reads the same in every language.

What is an information asset?

Information is defined as something which has the power to inform or provides meaning to the receiver.

An information asset is something which has the power to inform and also provides value to an organization. Because it has value, an information asset needs to be protected with information security controls.

Information can exist in "any form" including:

  • Electronic - email, data stored, websites, software code, etc.
  • Physical - paper files, photos, USB drive, etc.
  • Verbal - phone conversations, in-person conversations, meetings, etc.
  • Knowledge - what employees know (held in their heads, not in any physical or electronic form)
  • Other - any form not listed above

What is information security?

Information Security is defined as the preservation of the confidentiality, integrity and availability (CIA) of information in any form, i.e. the process of protecting information assets against the loss of confidentiality, integrity or availability.

What is an Information Security Management System (ISMS)?

An Information Security Management System (ISMS) is the set of policies, processes, people and controls by which an organization systematically manages the preservation of the confidentiality, integrity and availability (CIA) of its information, in any form. ISO 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is the international standard that specifies the requirements for an ISMS.

What is ISO 27001?

ISO 27001 (full designation ISO/IEC 27001) is the international standard that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO 27001 has two main parts:

  • Clauses 4-10: the generic management system requirements (context of the organization, leadership, planning, support, operation, performance evaluation and improvement)
  • Annex A: the reference set of information security controls that an organization compares its own controls against (the 2013 edition grouped them under control objectives; the 2022 edition lists 93 controls in four themes: organizational, people, physical and technological)

What is the ISO series of standards?

ISO management system standards are published as a series (family) of standards that apply to a specific management system category. The ISO 27000 series of standards specifically addresses information security management systems (ISMS).

It is typically the standard numbered "01" in each series (e.g. 27001, 9001, 22301) that contains the management system requirements. Thus, it is typically only that one standard in each series that is "certifiable", i.e. the one an organization can be audited and certified against, such as:

  • ISO 27001 = Information Security Management Systems (ISMS)
  • ISO 9001 = Quality Management Systems (QMS)
  • ISO 22301 = Business Continuity Management Systems (BCMS)

*All of the other standards in each ISO series are typically reference / guidance documents that support one or more of the management system requirements. Some commonly used ISO 27000 reference standards include:

  • ISO 27000 = overview and vocabulary for the whole series
  • ISO 27002 = reference / guidance for implementing information security controls (titled "code of practice" in the 2013 edition, "information security controls" in the 2022 edition)
  • ISO 27004 = reference / guidance for monitoring, measurement, analysis and evaluation of the ISMS
  • ISO 27005 = reference / guidance for information security risk management (including risk assessment)

*There are many more reference / guidance standards available in the 27000 series.


© 2024 iCertWorks LLC. All rights reserved.