Thursday, 16 April 2009
Information Security Glossary


Glossary Definitions


Any exchange of a message between an interface, a repository or a service.

Access Control

The set formed by the User registration, Authentication, Authorization, Signing and Recording processes.

Access right

A class of access to a repository, a service or an interface that can be granted or revoked.


A class of incident with non-human natural causes. (There is no [ISO] equivalent)


A set of actions designed to achieve a particular result. Activities are usually defined as part of Processes or Plans, and are documented in Procedures.


A Document that describes a formal understanding between two or more parties. An Agreement is not legally binding, unless it forms part of a Contract.


A set of events likely to be caused by an incident.


A warning of a possible weakness or type of weakness, a new threat or a measured value of a metric going beyond defined thresholds. (Not equivalent to [ISO] Alert; similar to [ITIL] Alert)


Checking if an organisation meets all the requirements specified in a standard or regulation to be accredited or audited.


Any valuable property of the organization.


A class of incident with an intentional human cause. (Not equivalent to [ISO] Attack “An attempt to exploit a vulnerability”)


Group of authorised users of an interface, service or repository.


Systematic, independent and documented process for obtaining Audit Evidence and evaluating it objectively to determine the extent to which the Audit Criteria are fulfilled.

Audit Criteria

Set of policies, procedures or requirements. Audit criteria are used as a reference against which Audit Evidence is compared.

Audit Evidence

Records, statements of fact or other information which are relevant to the Audit Criteria and verifiable. Audit evidence may be qualitative or quantitative.


Person external to the organization with the Skills to conduct an Audit on behalf of a Process Owner or a Customer.


Process that links the use of user accounts with their owner and manages the lifecycle of sessions.


The technical person who implements approved access requests.


Process that grants the use of services and interfaces and access to repositories to authorized and authenticated users and denies it to unauthorised users.


A delegate of an Information System Owner who can approve or deny access requests to interfaces, repositories, channels and services of an information system.


  1. The period of time when a process must be performed as expected upon demand with minimal or no interruptions.

  2. The period of time when a service, interface or channel must be accessible and usable upon demand with minimal or no interruptions.


The recorded state of an information system at a specific point in time.


A boundary between two environments.


Any incident that could result in an organization’s demise.


  1. A credential based on Public Key Cryptography techniques.

  2. A credential of being compliant with some standard or regulation.

Certification Body / Registration body

A third party that assesses and certifies/registers the ISMS of an organisation with respect to published ISMS standards, and any supplementary documentation required under the system.

Certification Document / Registration Document

Document indicating that an organisation's ISMS conforms to specified ISMS standards and any supplementary documentation required under the system.

Certification System / Registration System

System having its own rules of procedure and management for carrying out the assessment leading to the issuance of a certification/registration document and its subsequent maintenance.


A channel is the medium used by services to exchange messages transparently, without explicit help from other lower level services. This collaboration is normally needed for creating and closing logical channels.


An information system that uses a service provided by another information system.

Common cause

A non-assignable cause for a metric going beyond current thresholds, which may be a stochastic or chance effect.

Configuration Item

A service, repository, channel, interface or set of them.

Configuration Management DataBase

A database that contains the details of configuration items and their relationships.


Any kind of measure that can prevent, detect and correct undesired events. (Equivalent to [Cobit] Control)


An item used for authentication of a user account in an access control system.


A service is critical over a given time span if its interruption for that span cannot be compensated by alternative capabilities and is highly likely to jeopardize business goals.


The Customer of a process who provides the resources and sets the requirements for the process. (Equivalent to [Cobit] and [CMMI] Customer)


Instrument, software, measurement standard, reference material, auxiliary apparatus or combination thereof used to measure a process metric.

Digital Signature

A type of record that includes the will and intent of a user about a repository. It might be hidden using watermarking techniques.


See Catastrophe.


A measure of whether the Objectives of a Process, Service or Activity have been achieved. An Effective Process or activity is one that achieves its agreed Objectives.


A measure of whether the right amount of resources have been used to deliver a Process, Service or Activity. An Efficient Process achieves its Objectives with the minimum amount of time, money, people or other resources.


  1. All the physical, logical and organizational factors external to the organization.

  2. A technical zone of the organization with a defined purpose, like the Server environment, User environment, Development environment, etc.

  3. Any subdivision of a logical, technical or organizational partition under a single management.


A class of incident caused by a human because of a mismatch between the intended and the effective results of a task, or because of incorrect information or missing resources needed for the task. (There is no [ISO] equivalent). (Similar to [ITIL] Error)


Any fact that can lead to the detection of an incident. (Equivalent to [ISO] Alert) (Similar to [ITIL] Event)


Any hope for the future state of assets, organizational processes or information systems.


Any weakness that is visible to potential attackers.


Loss of ability to Operate to Specification, or to deliver the required output. The term Failure may be used when referring to IT Services, Processes, Activities, Configuration Items etc. A Failure often causes an Incident.


Synonym for Error.

Generic Goal

A goal achieved when a set of specific goals are achieved.

Generic Practice

An auxiliary process to a specific practice to achieve a generic goal.


The direct and indirect cost of an incident including the cost of restoring the assets to the pre-incident state. (Similar to [ITIL] Impact)


A failure to meet an Information Technology objective resulting from accidents, errors or attacks. (There is no [ISO] equivalent) (Not equivalent to [ITIL] Incident) (Not equivalent to [Cobit] Incident)

Indicative Equipment

A Device that delivers qualitative information.

Information System

A human and technical infrastructure for the storage, processing, transmission, input and output of information.

Information System Owner

The Customer [ITIL] of an information system, who has all the rights to the system, including discontinuation.

Input specifications

Procedures and policies that specify the requirements for the input of a process.


The resource needed to generate the output of a process for which there are no possible alternatives.

Intellectual property

Information which an organisation has rights over under copyright, trade mark or patent law.


A means of information input or output between a user and an information system.


The theft of information about a target by an attacker.

Key Goal Indicator

A metric of success of a process or management system. (Similar to [Cobit] Key Goal Indicator)

Key Performance Indicator

A metric of performance success of a process or management system. (Similar to [Cobit] Key Performance Indicator)

Knowledge Management

The Process responsible for gathering, analysing, storing and sharing knowledge information within an Organisation. The primary purpose of Knowledge Management is to improve Efficiency by reducing the need to rediscover knowledge.


An agreement that details the rights granted by an intellectual property owner to use certain information.


The set of states that make up a series of operational conditions of an information system.


See Recording.


Beginning of a session, normally using a credential for authentication. Also called Logon.


A symbol used by a body as a form of identification, usually stylised. A logo may also be a mark.


End of a session, either by the user account or by expiration. Also called Logoff.


To manage something is to define and achieve goals while optimising the use of Resources.


A legally registered trade mark or otherwise protected symbol which is issued under the rules of an accreditation body or of a certification/ registration body indicating that adequate confidence in the systems operated by a body has been demonstrated or that relevant products or individuals conform to the requirements of a specified standard.

Mean Time Between Failures

The average time between two failures of an information system.

Mean Time To Repair

The average time taken to restore an information system after a failure.


The determination of a physical quantity, magnitude or dimension (using Measuring Equipment).

Measuring Equipment

A Device that delivers quantitative information.


Meaningful data exchanged between services in a hierarchical or peer-to-peer fashion.


A quantitative measurement that can be interpreted in the context of a series of previous or equivalent measurements.


Observing, supervising or keeping under review (using monitoring devices); it can involve measuring or testing at intervals, especially for the purpose of regulation or control.


A set of physical or logical channels connecting repositories and interfaces.


An information system whose primary function is to relay messages between channels. (Not equivalent to [ISO] Node)

Non-repudiation

Ability to assert the authorship of a message or information authored by a second party, preventing the author from denying their own authorship.


The absence of, or the failure to implement and maintain, one or more required management system elements, or a situation which would, on the basis of objective evidence, raise significant doubt as to the capability of the ISMS to achieve the business objectives of the organisation.

Operational Level Agreement (OLA)

SLA between a process provider and a Customer from the same organisation who is a process provider to other Customers. (Equivalent to [ITIL] OLA)

Operational Process (OP)

A process that delivers the requirements set by tactical management.


The combination of an asset, a threat and an occasion that may give rise to an incident.


A group of people that agree or accept responsibilities to act together with a common purpose. Associations, Companies and public institutions, for example, are organisations.


Results of a process.

Output specifications

Procedures and policies that specify the requirements for the output of a process.


Any subdivision of a whole that does not intersect, totally or partially, any other subdivision.


Comparison between the outputs obtained and the set goals for outputs of a process.


Documented rules to observe during implementation and maintenance that serve as governing principles when procedures are not detailed enough for a minority of cases.

Personal information

Information that can identify a person.

Private information

See Personal information.


A cause of several non-simultaneous errors or accidents.


An organized set of tasks that uses resources and inputs to produce outputs.

Process operator

Person or team that performs a process.

Process Owner

The person or team responsible for a process, including performance, prioritizing, planning for growth, and accounting for costs. (Not equivalent to [CMM] Process Owner)

Process specification

Procedures and policies that specify the requirements for a process.


The process owner of a process that delivers its outputs.


The meeting or surpassing of expectations.


A particular record produced by logging, including details such as Interface ID and Location, User account or certificate ID, Signature, Type, Date and Time of the access attempt, Access attempt result, and the Repository, Interface, Service or Message accessed.


The process that registers the results of the user registration, authentication, authorization, use of systems and signing processes, so that they can be investigated and will and intent, or responsibilities, determined.

Recovery Point

Point in time when business processes or information systems can fall back in case of an incident.

Registration Body

See Certification Body.

Registration Document

See Certification Document.

Registration System

See Certification System.


The percentage of the Availability time during which a service, interface or channel must behave and produce results as intended.


Any permanent or transient storage of information.


The ratio between the MTBF of a functionally equivalent redundancy free system and the MTBF of the system.


A resource is anything needed to complete a task. Most resources stop being available to other tasks while they are being used. Some resources are exhausted after the task and cannot be reused. Some fundamental resources are:

  • Energy;

  • Hardware, Software, Communication;

  • Information (Logistic, Organizational, Procedural, Technical, Policies, Contracts);

  • Logistics and Infrastructure;

  • Money;

  • People;

  • Space;

  • Time.


An assignment of a task, with power and resources, to a competent individual or a team accountable for the proper execution of the task.


See Performance.


The loss expectancy, as a function of the vulnerability and impact of a set of incidents, measured in monetary units per year. The maximum risk is the certainty of losing the total value of the organization within a year or less.


A set of responsibilities. (Equivalent to [ISO/IEC 15408-1] Role)


The ability of an IT Service, Process, Configuration Item etc. to perform its agreed Function when the Workload or Scope changes.


Information shared in a controlled way between a group of people.


The repeated meeting of security objectives. (Not equivalent to [ISO] Security)

Security Objective

A business expectation or requirement that is dependent on a security process.

Security Target

A frequency and financial threshold for a metric derived from a security objective. (Not equivalent to [ISO] Security Target)


Any code or program that provides value for users, via messages exchanged with other services and access to repositories. (Similar to [ITIL] Service)

Service Level Agreement (SLA)

Quality agreement between a process provider and a Customer specified using a set of metrics. (Similar to SLA [ITIL])

Service Level Objective (SLO)

See Threshold.


The set of successful and failed accesses to repositories and uses of services between the time a user account is authenticated and the time the authentication expires or the authentication is terminated.


Demonstrated personal attributes and demonstrated ability to apply knowledge and competence.


Process that records the will and intent of the owner of a user account or certificate concerning a repository, such as agreeing to, witnessing or claiming authorship of repositories and messages like original works, votes, contracts and agreements.

Special cause

An assignable cause for a metric going beyond current thresholds.

Specific Goal

An objective of a set of specific practices.

Specific Practice

A process.


A person, team or organisation with interest in the success of a process, a management system or an organisation.

Strategic Processes (SP)

Processes that determine the objectives of lower level processes.


See Provider.

Tactical Processes (TP)

Processes that provide a framework for operational delivery. These processes normally involve resource management (people, time, money, information, infrastructure, etc.).


The information asset which may be the victim or potential victim of an attack.


An interface that is used directly by a User.


Someone in the organization testing on behalf of a Process Owner.


Any potential cause of an Attack, an Accident or an Error.


Value against which a measurement is benchmarked or evaluated. In the context of Service Level Agreements it is called a Service Level Objective. (Equivalent to [ITIL] Threshold)


Acronym for Transparency, Partitioning, Supervision, Rotation and Separation of Responsibilities.


A discrete Function performed by an IT Service. For example transferring money from one bank account to another. A single Transaction may involve numerous additions, deletions and modifications of data. Either all of these complete successfully or none of them is carried out.

Underpinning contract (UC)

A Service Level Agreement between an external process or product provider and a Customer.


The person who uses an information system.

User account

Representation of a user in an information system. A user account can be linked to a person or a group of persons.

User Registration

Process that links user accounts and certificates to identifiable users, and manages the lifecycle of user accounts, certificates and access rights.


The degree to which information assets at a border present interfaces or provide services to information systems outside the organization.


The likelihood of an incident, measured as real instances against possible attacks, accidents and errors per year. These attacks, accidents and errors can be triggered by one or several threats. (Not equivalent to [ISO] Vulnerability) (Similar to [Cobit] Risk)


See Alert.


Any fault in services, messages, channels, repositories, interfaces, organizational processes or responsibilities assignment that provides an opportunity for an error, attack or accident. (Equivalent to [ISO] Vulnerability)