ISO IEC 27000:2018 pdf download

Information technology - Security techniques - Information security management systems - Overview and vocabulary
4.1 General
Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.
All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.
Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.
4.2.2 Information
Information is an asset that, like other important business assets, is essential to an organization's business and, consequently, needs to be suitably protected. Information can be stored in many forms, including: digital form (e.g. data files stored on electronic or optical media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees. Information can be transmitted by various means including: courier, electronic or verbal communication. Whatever form information takes, or the means by which it is transmitted, it always needs appropriate protection.
In many organizations, information is dependent on information and communications technology. This technology is often an essential element in the organization and assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information.
4.2.3 Information security
Information security ensures the confidentiality, availability and integrity of information. Information security involves the application and management of appropriate controls that involves consideration of a wide range of threats, with the aim of ensuring sustained business success and continuity, and minimizing consequences of information security incidents.
Information security is achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS, including policies, processes, procedures, organizational structures, software and hardware to protect the identified information assets. These controls need to be specified, implemented, monitored, reviewed and improved where necessary, to ensure that the specific information security and business objectives of the organization are met. Relevant information security controls are expected to be seamlessly integrated with an organization's business processes.
