ISO/IEC 27000:2018 pdf download – Information technology — Security techniques — Information security management systems — Overview and vocabulary.
3.57
residual risk
risk (3.61) remaining after risk treatment (3.72)
Note 1 to entry: Residual risk can contain unidentified risk.
Note 2 to entry: Residual risk can also be referred to as "retained risk".

3.58
review
activity undertaken to determine the suitability, adequacy and effectiveness (3.20) of the subject matter to achieve established objectives (3.49)
[SOURCE: ISO Guide 73:2009, 3.8.2.2, modified — Note 1 to entry has been deleted.]

3.59
review object
specific item being reviewed

3.60
review objective
statement describing what is to be achieved as a result of a review (3.59)

3.61
risk
effect of uncertainty on objectives (3.49)
Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential "events" (as defined in ISO Guide 73:2009, 3.5.1.3) and "consequences" (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated "likelihood" (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.
Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
4 Information security management systems

4.1 General

Organizations of all types and sizes:
a) collect, process, store, and transmit information;
b) recognize that information, and related processes, systems, networks and people are important assets for achieving organization objectives;
c) face a range of risks that can affect the functioning of assets; and
d) address their perceived risk exposure by implementing information security controls.

All information held and processed by an organization is subject to threats of attack, error, nature (for example, flood or fire), etc., and is subject to vulnerabilities inherent in its use. The term information security is generally based on information being considered as an asset which has a value requiring appropriate protection, for example, against the loss of availability, confidentiality and integrity. Enabling accurate and complete information to be available in a timely manner to those with an authorized need is a catalyst for business efficiency.

Protecting information assets through defining, achieving, maintaining, and improving information security effectively is essential to enable an organization to achieve its objectives, and maintain and enhance its legal compliance and image. These coordinated activities directing the implementation of suitable controls and treating unacceptable information security risks are generally known as elements of information security management.

As information security risks and the effectiveness of controls change depending on shifting circumstances, organizations need to:
a) monitor and evaluate the effectiveness of implemented controls and procedures;
b) identify emerging risks to be treated; and
c) select, implement and improve appropriate controls as needed.