GLOSSARY AND TERMS & DEFINITIONS
The following terms and definitions are based on ISO, IEC, and ITU standards.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
ISO Online browsing platform: available at https://www.iso.org/obp
IEC Electropedia: available at http://www.electropedia.org/
- Abnormal Operating Condition: operating condition that is not a normal operating condition and is not a single fault condition of the equipment itself. [SOURCE: IEC 62368-1:2010, 3.3.7.1]
- Acceptance (Acceptance of Conformity Assessment Results): use of a conformity assessment result provided by another person or body.
- Note 1 to entry: The general expression “conformity assessment result” is used in 902-06-04 to 902-06-09 to mean the product of any conformity assessment activity (e.g. a report or certificate) and may include a finding of nonconformity.
- [SOURCE: ISO/IEC 17000:2004, 7.6, modified]
- Access (access to a system or scheme): opportunity for an applicant to obtain conformity assessment under the rules of the system or scheme. [SOURCE: ISO/IEC 17000:2004, 2.9]
- Access Control: means to ensure that access to assets is authorized and restricted based on business and security requirements.
- Accreditation: third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks. [SOURCE: ISO/IEC 17000:2004, 5.6]
- Accreditation Body: authoritative body that performs accreditation.
- Note 1 to entry: The authority of an accreditation body is generally derived from government. [SOURCE: ISO/IEC 17000:2004, 2.6, modified]
- Adequate Protection: protection that permits risk reduction to a tolerable level to be achieved. [SOURCE: IEC Guide 116:2010, 3.18]
- Agreement Group: bodies that are signatories to the agreement on which an arrangement is based. [SOURCE: ISO/IEC 17000:2004, 7.10]
- Appeal: request by the provider of the object of conformity assessment to the conformity assessment body or accreditation body for reconsideration by that body of a decision it has made relating to that object. [SOURCE: ISO/IEC 17000:2004, 6.4]
- Approval: permission for a product or process to be marketed or used for stated purposes or under stated conditions.
- Note 1 to entry: Approval can be based on fulfilment of specified requirements or completion of specified procedures. [SOURCE: ISO/IEC 17000:2004, 7.1]
- Attack: attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.
- Attestation: issue of a statement, based on a decision following review, that fulfilment of specified requirements has been demonstrated.
- Note 1 to entry: The resulting statement, referred to in ISO/IEC 17000 as a “statement of conformity”, conveys the assurance that the specified requirements have been fulfilled. Such an assurance does not, of itself, afford contractual or other legal guarantees.
- Note 2 to entry: First-party and third-party attestation activities are distinguished by the terms 902-04-04 to 902-04-06. For second-party attestation, no special term is available.
- [SOURCE: ISO/IEC 17000:2004, 5.2, modified]
- Audit: systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled
- Note 1 to entry: An audit can be an internal audit (first party) or an external audit (second party or third party), and it can be a combined audit (combining two or more disciplines).
- Note 2 to entry: An internal audit is conducted by the organization itself, or by an external party on its behalf.
- Note 3 to entry: External audits include those generally called second and third party audits. Second party audits are conducted by parties having an interest in the organization, such as customers, or by other individuals on their behalf. Third party audits are conducted by independent auditing organizations, such as those providing certification/registration of conformity or governmental agencies.
- [SOURCE: ISO 9000:2015, 3.13.1, modified]
- Audit Client: organization or person requesting an audit
- Note 1 to entry: In the case of internal audit, the audit client can also be the auditee or the individual(s) managing the audit program. Requests for external audit can come from sources such as regulators, contracting parties or potential or existing clients.
- [SOURCE: ISO 9000:2015, 3.13.11, modified]
- Audit Conclusion: outcome of an audit, after consideration of the audit objectives and all audit findings. [SOURCE: ISO 9000:2015, 3.13.10]
- Audit Criteria: set of requirements used as a reference against which objective evidence is compared.
- Note 1 to entry: If the audit criteria are legal (including statutory or regulatory) requirements, the words “compliance” or “non-compliance” are often used in an audit finding.
- Note 2 to entry: Requirements may include policies, procedures, work instructions, legal requirements, contractual obligations, etc.
- [SOURCE: ISO 9000:2015, 3.13.7, modified]
- Audit Evidence: records, statements of fact or other information, which are relevant to the audit criteria and verifiable. [SOURCE: ISO 9000:2015, 3.13.8]
- Audit Findings: results of the evaluation of the collected audit evidence against audit criteria.
- Note 1 to entry: Audit findings indicate conformity or nonconformity.
- Note 2 to entry: Audit findings can lead to the identification of risks, opportunities for improvement or recording good practices.
- Note 3 to entry: In English, if the audit criteria are selected from statutory requirements or regulatory requirements, the audit finding is termed compliance or non-compliance.
- [SOURCE: ISO 9000:2015, 3.13.9, modified]
- Audit Plan: description of the activities and arrangements for an audit. [SOURCE: ISO 9000:2015, 3.13.6]
- Audit Program: arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose. [SOURCE: ISO 9000:2015, 3.13.4, modified]
- Audit Scope: extent and boundaries of an audit [SOURCE: ISO 19011:2011, 3.14, modified]
- Note 1 to entry: The audit scope generally includes a description of the physical and virtual locations, functions, organizational units, activities and processes, as well as the time period covered.
- Note 2 to entry: A virtual location is where an organization performs work or provides a service using an on-line environment allowing individuals irrespective of physical locations to execute processes.
- [SOURCE: ISO 9000:2015, 3.13.5, modified]
- Audit Team: one or more persons conducting an audit, supported if needed by technical experts
- Note 1 to entry: One auditor of the audit team is appointed as the audit team leader.
- Note 2 to entry: The audit team can include auditors-in-training.
- [SOURCE: ISO 9000:2015, 3.13.14]
- Auditee: organization as a whole or parts thereof being audited [SOURCE: ISO 9000:2015, 3.13.12, modified]
- Auditor: person who conducts an audit [SOURCE: ISO 9000:2015, 3.13.15]
- Authentication: provision of assurance that a claimed characteristic of an entity is correct
- Authenticity: property that an entity is what it claims to be
- Availability: property of being accessible and usable on demand by an authorized entity
- Base Measure: measure defined in terms of an attribute and the method for quantifying it
- Note 1 to entry: A base measure is functionally independent of other measures [SOURCE: ISO/IEC/IEEE 15939:2017, 3.3, modified]
- Basic Standard: standard that has a wide-ranging coverage or contains general provisions for one particular field
- Note 1 to entry: A basic standard may function as a standard for direct application or as a basis for other standards. [SOURCE: ISO/IEC Guide 2:2004, 5.1]
- Bilateral Arrangement: arrangement whereby two parties recognize or accept each other's conformity assessment results
- Note 1 to entry: The general expression “conformity assessment result” is used in 902-06-04 to 902-06-09 to mean the product of any conformity assessment activity (e.g. a report or certificate) and may include a finding of nonconformity. [SOURCE: ISO/IEC 17000:2004, 7.8, modified]
- Certification: third-party attestation related to products, processes, systems or persons
- Note 1 to entry: Certification of a management system is sometimes also called registration.
- Note 2 to entry: Certification is applicable to all objects of conformity assessment except for conformity assessment bodies themselves, to which accreditation is applicable.
- [SOURCE: ISO/IEC 17000:2004, 5.5]
- Code of Practice: document that recommends practices or procedures for the design, manufacture, installation, maintenance or utilization of equipment, structures or products
- Note 1 to entry: A code of practice may be a standard, a part of a standard or independent of a standard. [SOURCE: ISO/IEC Guide 2:2004, 3.5]
- Combined Audit: audit carried out together at a single auditee on two or more management systems
- Note 1 to entry: When two or more discipline-specific management systems are integrated into a single management system this is known as an integrated management system. [SOURCE: ISO 9000:2015, 3.13.2, modified]
- Competence: ability to apply knowledge and skills to achieve intended results [SOURCE: ISO 9000:2015, 3.10.4, modified]
- Complaint: expression of dissatisfaction, other than appeal, by any person or organization to a conformity assessment body or accreditation body, relating to the activities of that body, where a response is expected [SOURCE: ISO/IEC 17000:2004, 6.5]
- Confidentiality: property that information is not made available or disclosed to unauthorized individuals, entities, or processes
- Conformity: fulfilment of a requirement [SOURCE: ISO 9000:2015, 3.6.11, modified]
- Conformity Assessment: demonstration that specified requirements relating to a product, process, system, person or body are fulfilled
- Note 1 to entry: The subject field of conformity assessment includes activities defined elsewhere in ISO/IEC 17000, such as testing, inspection and certification, as well as the accreditation of conformity assessment bodies.
- Note 2 to entry: The expression “object of conformity assessment” or “object” is used in ISO/IEC 17000 to encompass any particular material, product, installation, process, system, person or body to which conformity assessment is applied. A service is covered by the definition of a product (see Note 1 to IEV 902-02-03).
- [SOURCE: ISO/IEC 17000:2004, 2.1, modified]
- Conformity Assessment Body: body that performs conformity assessment services
- Note 1 to entry: An accreditation body is not a conformity assessment body. [SOURCE: ISO/IEC 17000:2004, 2.5, modified]
- Conformity Assessment System: rules, procedures and management for carrying out conformity assessment
- Note 1 to entry: Conformity assessment systems may be operated at international, regional, national or sub-national level. [SOURCE: ISO/IEC 17000:2004, 2.7, modified]
- Conformity Assessment Program/Scheme: conformity assessment system related to specified objects of conformity assessment, to which the same specified requirements, specific rules and procedures apply
- Note 1 to entry: Conformity assessment schemes may be operated at international, regional, national or sub-national level. [SOURCE: ISO/IEC 17000:2004, 2.8, modified]
- Consequence: outcome of an event affecting objectives
- Note 1 to entry: An event can lead to a range of consequences.
- Note 2 to entry: A consequence can be certain or uncertain and, in the context of information security, is usually negative.
- Note 3 to entry: Consequences can be expressed qualitatively or quantitatively.
- Note 4 to entry: Initial consequences can escalate through knock-on effects.
- [SOURCE: ISO Guide 73:2009, 3.6.1.3, modified]
- Continual Improvement: recurring activity to enhance performance
- Control: measure that is modifying risk
- Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk.
- Note 2 to entry: Controls may not always exert the intended or assumed modifying effect. [SOURCE: ISO Guide 73:2009, 3.8.1.1]
- Control Objective: statement describing what is to be achieved as a result of implementing controls
- Correction: action to eliminate a detected nonconformity
- Corrective Action: action to eliminate the cause of a nonconformity and to prevent recurrence
- Declaration: first-party attestation [SOURCE: ISO/IEC 17000:2004, 5.4]
- Derived Measure: measure that is defined as a function of two or more values of base measures [SOURCE: ISO/IEC/IEEE 15939:2017, 3.8, modified]
- Designation: governmental authorization of a conformity assessment body to perform specified conformity assessment activities [SOURCE: ISO/IEC 17000:2004, 7.2]
- Designating Authority: body established within government or empowered by government to designate conformity assessment bodies, suspend or withdraw their designation or remove their suspension from designation [SOURCE: ISO/IEC 17000:2004, 7.3]
- Documented Information: information required to be controlled and maintained by an organization and the medium on which it is contained
- Note 1 to entry: Documented information can be in any format and media and from any source.
- Note 2 to entry: Documented information can refer to the management system, including related processes; information created for the organization to operate (documentation); evidence of results achieved (records).
- Effectiveness: extent to which planned activities are realized and planned results achieved [SOURCE: ISO 9000:2015, 3.7.11, modified]
- Equal and National Treatment: treatment accorded to products or processes originating in other countries that is no less favorable than that accorded to like products or processes of national origin, or originating in any other country, in a comparable situation [SOURCE: ISO/IEC 17000:2004, 7.14]
- Equal Treatment: treatment accorded to products or processes from one supplier that is no less favorable than that accorded to like products or processes from any other supplier, in a comparable situation [SOURCE: ISO/IEC 17000:2004, 7.12]
- Equivalence (Equivalence of Conformity Assessment Results): sufficiency of different conformity assessment results to provide the same level of assurance of conformity with regard to the same specified requirements
- Note 1 to entry: The general expression “conformity assessment result” is used in 902-06-04 to 902-06-09 to mean the product of any conformity assessment activity (e.g. a report or certificate) and may include a finding of nonconformity. [SOURCE: ISO/IEC 17000:2004, 7.4, modified]
- Event: occurrence or change of a particular set of circumstances
- Note 1 to entry: An event can be one or more occurrences, and can have several causes.
- Note 2 to entry: An event can consist of something not happening.
- Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
- [SOURCE: ISO Guide 73:2009, 3.5.1.3, modified]
- External Context: external environment in which the organization seeks to achieve its objectives
- Note 1 to entry: External context can include the following: the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organization; relationships with, and perceptions and values of, external stakeholders. [SOURCE: ISO Guide 73:2009, 3.3.1.1]
- First-Party Conformity Assessment Activity: conformity assessment activity that is performed by the person or organization that provides the object
- Note 1 to entry: The first-, second- and third-party descriptors used to characterize conformity assessment activities with respect to a given object are not to be confused with the legal identification of the relevant parties to a contract. [SOURCE: ISO/IEC 17000:2004, 2.2]
- Governance of Information Security: system by which an organization’s information security activities are directed and controlled
- Governing Body: person or group of people who are accountable for the performance and conformity of the organization
- Note 1 to entry: The governing body can, in some jurisdictions, be a board of directors.
- Harm: physical injury or damage to persons, property, and livestock [ISO/IEC Guide 51:1999, definition 3.3, modified] [SOURCE: IEC Guide 116:2010, 3.2]
- Hazard: potential source of harm
- Note 1 to entry: In English, the term “hazard” can be qualified in order to define the origin of the hazard or the nature of the expected harm (e.g. “electric shock hazard”, “crushing hazard”, “cutting hazard”, “toxic hazard”, “fire hazard”, “drowning hazard”).
- Note 2 to entry: In French, the synonym “risque” is used together with a qualifier or a complement to define the origin of the hazard or the nature of the expected harm (e.g. “risque de choc électrique”, “risque d'écrasement”, “risque de coupure”, “risque toxique”, “risque d'incendie”, “risque de noyade”).
- Note 3 to entry: In French, the term “risque” also denotes the combination of the probability of occurrence of harm and the severity of that harm, in English “risk” (see 903-01-07). [SOURCE: ISO/IEC Guide 51:1999, definition 3.5, modified]
- Hazard Zone: any space within and/or around a product, process or service in which persons, or livestock can be exposed to a hazard [SOURCE: IEC Guide 116:2010, 3.4, modified]
- Hazardous Event: event that can cause harm
- Note 1 to entry: A hazardous event can occur over a short period of time or over an extended period of time. [SOURCE: IEC Guide 116:2010, 3.5]
- Hazardous Situation: circumstance in which persons, property and livestock or the environment are exposed to at least one hazard.
- Note 1 to entry: The exposure can immediately or over a period of time result in harm. [ISO/IEC Guide 51:1999, definition 3.6, modified] [SOURCE: IEC Guide 116:2010, 3.6, modified]
- Horizontal Standard: standard on fundamental principles, concepts, terminology or technical characteristics, relevant to a number of technical committees and of crucial importance to ensure the coherence of the corpus of standardization documents. [SOURCE: IEC Guide 108:2006, 3.1]
- Incident: past hazardous event
- Note 1 to entry: An incident that has occurred and resulted in harm can be referred to as an accident, whereas an incident that has occurred and did not result in harm can be referred to as a near-miss occurrence. [SOURCE: IEC Guide 116:2010, 3.7]
- Indicator: measure that provides an estimate or evaluation
- Information Need: insight necessary to manage objectives, goals, risks and problems [SOURCE: ISO/IEC/IEEE 15939:2017, 3.12]
- Information Processing Facilities: any information processing system, service or infrastructure, or the physical location housing it
- Information Security: preservation of confidentiality, integrity and availability of information
- Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
- Information Security Continuity: processes and procedures for ensuring continued information security operations
- Information Security Event: identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that can be security relevant
- Information Security Incident: single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security
- Information Security Incident Management: set of processes for detecting, reporting, assessing, responding to, dealing with, and learning from information security incidents
- Information Security Management System (ISMS) Professional: person who establishes, implements, maintains and continually improves one or more information security management system processes
- Information Sharing Community: group of organizations that agree to share information
- Note 1 to entry: An organization can be an individual.
- Information System: set of applications, services, information technology assets, or other information-handling components
- Inspection: examination of a product design, product, process or installation and determination of its conformity with specific requirements or, on the basis of professional judgement, with general requirements
- Note 1 to entry: Inspection of a process may include inspection of persons, facilities, technology and methodology. [SOURCE: ISO/IEC 17000:2004, 4.3, modified]
- Integrity: property of accuracy and completeness
- Intended Use: use of a product, process or service in accordance with the information for use provided by the supplier [SOURCE: ISO/IEC Guide 51:1999, 3.13, modified]
- Interested Party (preferred term), Stakeholder (admitted term): person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity
- Interface Standard: standard that specifies requirements concerned with the compatibility of products or systems at their points of interconnection [SOURCE: ISO/IEC Guide 2:2004, 5.7]
- Internal Context: internal environment in which the organization seeks to achieve its objectives
- Note 1 to entry: Internal context can include: governance, organizational structure, roles and accountabilities; policies, objectives, and the strategies that are in place to achieve them; the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies); information systems, information flows and decision-making processes (both formal and informal); relationships with, and perceptions and values of, internal stakeholders; the organization's culture; standards, guidelines and models adopted by the organization; form and extent of contractual relationships. [SOURCE: ISO Guide 73:2009, 3.3.1.2]
- International Standard: standard that is adopted by an international standardizing/standards organization and made available to the public [SOURCE: ISO/IEC Guide 2:2004, 3.2.1.1]
- Joint Audit: audit carried out at a single auditee by two or more auditing organizations
- Level of Risk: magnitude of a risk expressed in terms of the combination of consequences and their likelihood [SOURCE: ISO Guide 73:2009, 3.6.1.8, modified]
- Likelihood: chance of something happening [SOURCE: ISO Guide 73:2009, 3.6.1.1, modified]
- Malfunction: situation for which the electrical equipment does not perform the intended function due to a variety of reasons, including: variation of a property or of a dimension of the processed material or of the work piece; failure of one (or more) of its component parts or services; external disturbances (e.g. shocks, vibration, electromagnetic interference); design error or deficiency (e.g. software errors); disturbance of its power supply; surrounding conditions (e.g. condensation due to temperature change). [SOURCE: IEC Guide 116:2010, 3.9]
- Management System: set of interrelated or interacting elements of an organization to establish policies and objectives and processes to achieve those objectives.
- Note 1 to entry: A management system can address a single discipline or several disciplines, e.g. quality management, financial management or environmental management.
- Note 2 to entry: The management system elements establish the organization’s structure, roles and responsibilities, planning, operation, policies, practices, rules, beliefs, objectives and processes to achieve those objectives.
- Note 3 to entry: The scope of a management system may include the whole of the organization, specific and identified functions of the organization, specific and identified sections of the organization, or one or more functions across a group of organizations.
- [SOURCE: ISO 9000:2015, 3.5.3, modified]
- Measure: variable to which a value is assigned as the result of measurement. [SOURCE: ISO/IEC/IEEE 15939:2017, 3.15, modified]
- Measurement: process to determine a value.
- Measurement Function: algorithm or calculation performed to combine two or more base measures. [SOURCE: ISO/IEC/IEEE 15939:2017, 3.20]
- Measurement Method: logical sequence of operations, described generically, used in quantifying an attribute with respect to a specified scale.
- Note 1 to entry: The type of measurement method depends on the nature of the operations used to quantify an attribute. Two types can be distinguished: subjective: quantification involving human judgment; and objective: quantification based on numerical rules. [SOURCE: ISO/IEC/IEEE 15939:2017, 3.21, modified]
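The entries Base Measure, Derived Measure, Indicator, Information Need, Measure, Measurement Function and Measurement Method above describe one layered model: attributes are quantified into base measures by a measurement method, a measurement function combines base measures into a derived measure, and an indicator evaluates that against decision criteria to satisfy an information need. The following is an added example written for this glossary, not text or code from ISO/IEC/IEEE 15939 or any of the cited standards; the host inventory, the patch-coverage measures and the thresholds are constructed purely to illustrate how the terms fit together.

```python
"""Added example: a minimal measurement model for a patch-compliance
information need, illustrating the glossary terms base measure, measurement
method, measurement function, derived measure and indicator.
All data and thresholds below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    critical_patches_missing: int   # attribute quantified by an objective method
    last_patched: date              # attribute quantified by an objective method


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = [
    Host("web-01", 0, date(2024, 5, 2)),
    Host("web-02", 3, date(2024, 2, 14)),
    Host("db-01", 1, date(2024, 4, 28)),
    Host("jump-01", 0, date(2024, 5, 1)),
]


# Base measures: each quantifies one attribute with an objective measurement
# method (a counting or date-difference rule, no human judgement involved).
def hosts_in_scope(inventory):
    return len(inventory)


def hosts_missing_critical_patches(inventory):
    return sum(1 for h in inventory if h.critical_patches_missing > 0)


def max_patch_age_days(inventory, as_of):
    # Largest number of days since any in-scope host was last patched.
    return max((as_of - h.last_patched).days for h in inventory)


# Measurement function: combines two base measures into a derived measure
# (fraction of in-scope hosts with no missing critical patches).
def patch_coverage(inventory):
    total = hosts_in_scope(inventory)
    if total == 0:
        return None   # edge case: an empty scope yields no meaningful ratio
    return 1 - hosts_missing_critical_patches(inventory) / total


# Indicator: derived and base measures compared against decision criteria,
# answering the information need "are we inside the patch-compliance target?".
# The target and the amber band are assumed values, not from any standard.
def patch_compliance_indicator(inventory, as_of, target=0.95, max_age_days=30):
    coverage = patch_coverage(inventory)
    if coverage is None:
        return "no data"
    age = max_patch_age_days(inventory, as_of)
    if coverage >= target and age <= max_age_days:
        return "green"
    if coverage >= target * 0.8:
        return "amber"
    return "red"


if __name__ == "__main__":
    today = date(2024, 5, 10)
    print("coverage:", patch_coverage(INVENTORY))
    print("indicator:", patch_compliance_indicator(INVENTORY, today))
```

Keeping the three layers separate is what makes the measure auditable: the base measures are records that can be re-derived from the inventory (objective evidence), the measurement function is a fixed rule, and only the indicator carries the decision criteria that an organization chooses to meet its information need.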
- Member (Member Of A System Or Scheme): body that operates under the applicable rules and has the opportunity to take part in the management of the system or scheme. [SOURCE: ISO/IEC 17000:2004, 2.11]
- Monitoring: determining the status of a system, a process or an activity.
- Note 1 to entry: To determine the status, there may be a need to check, supervise or critically observe.
- Multilateral Arrangement: arrangement whereby more than two parties recognize or accept one another's conformity assessment results.
- Note 1 to entry: The general expression “conformity assessment result” is used in 902-06-04 to 902-06-09 to mean the product of any conformity assessment activity (e.g. a report or certificate) and may include a finding of nonconformity. [SOURCE: ISO/IEC 17000:2004, 7.9, modified]
- National Standard: standard that is adopted by a national standards body and made available to the public. [SOURCE: ISO/IEC Guide 2:2004, 3.2.1.3]
- National Treatment: treatment accorded to products or processes originating in other countries that is no less favorable than that accorded to like products or processes of national origin, in a comparable situation. [SOURCE: ISO/IEC 17000:2004, 7.13]
- Nonconformity: non-fulfilment of a requirement. [SOURCE: ISO 9000:2015, 3.6.9, modified]
- Non-Repudiation: ability to prove the occurrence of a claimed event or action and its originating entities.
- Normal Operating Condition: operating condition that represents as closely as possible the range of normal use that can reasonably be expected. [SOURCE: IEC 62368-1:2010, 3.3.7.4]
- Normative Document: document that provides rules, guidelines or characteristics for activities or their results.
- Note 1 to entry: The term “normative document” is a generic term that covers such documents as standards, technical specifications, codes of practice and regulations.
- Note 2 to entry: A “document” is to be understood as any medium with information recorded on or in it.
- Note 3 to entry: The terms for different kinds of normative documents are defined considering the document and its content as a single entity. [SOURCE: ISO/IEC Guide 2:2004, 3.1]
- Objective: result to be achieved.
- Note 1 to entry: An objective can be strategic, tactical, or operational.
- Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
- Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as an information security objective or by the use of other words with similar meaning (e.g. aim, goal, or target).
- Note 4 to entry: In the context of information security management systems, information security objectives are set by the organization, consistent with the information security policy, to achieve specific results.
- Objective Evidence: data supporting the existence or verity of something.
- Note 1 to entry: Objective evidence can be obtained through observation, measurement, test or by other means.
- Note 2 to entry: Objective evidence for the purpose of the audit generally consists of records, statements of fact, or other information which are relevant to the audit criteria and verifiable. [SOURCE: ISO 9000:2015, 3.8.3]
- Organization: person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives.
- Note 1 to entry: The concept of organization includes but is not limited to sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
- Observer: individual who accompanies the audit team but does not act as an auditor. [SOURCE: ISO 9000:2015, 3.13.17, modified]
- Outsource: make an arrangement where an external organization performs part of an organization’s function or process.
- Note 1 to entry: An external organization is outside the scope of the management system, although the outsourced function or process is within the scope.
- Participant (Participant In A System Or Scheme): body that operates under the applicable rules without having the opportunity to take part in the management of the system or scheme. [SOURCE: ISO/IEC 17000:2004, 2.10]
- Peer Assessment: assessment of a body against specified requirements by representatives of other bodies in, or candidates for, an agreement group [SOURCE: ISO/IEC 17000:2004, 4.5, modified]
- Performance: measurable result.
- Note 1 to entry: Performance can relate either to quantitative or qualitative findings.
- Note 2 to entry: Performance can relate to the management of activities, processes, products (including services), systems or organizations. [SOURCE: ISO 9000:2015, 3.7.8, modified]
- Policy: intentions and direction of an organization, as formally expressed by its top management.
- Pre-standard: document that is adopted provisionally by a standardizing body and made available to the public in order that the necessary experience may be gained from its application on which to base a standard. [SOURCE: ISO/IEC Guide 2:2004, 3.3]
- Procedure: specified way to carry out an activity or a process [ISO 9000:2000, 3.4.5] [SOURCE: ISO/IEC 17000:2004, 3.2]
- Process: set of interrelated or interacting activities which transforms inputs into outputs [SOURCE: ISO 9000:2015, 3.4.1, modified]
- Process Standard: standard that specifies requirements to be fulfilled by a process, to establish its fitness for purpose [SOURCE: ISO/IEC Guide 2:2004, 5.5]
- Product: result of a process [ISO 9000:2000, 3.4.2]
- Note 1 to entry: Four generic product categories are noted in ISO 9000:2000: services (e.g. transport); software (e.g. computer program, dictionary); hardware (e.g. engine, mechanical part); processed materials (e.g. lubricant). Many products comprise elements belonging to different generic product categories. Whether the product is then called service, software, hardware or processed material depends on the dominant element.
- Note 2 to entry: The statement of conformity described in Note 1 to 902-04-02 can be regarded as a product of attestation.
- [SOURCE: ISO/IEC 17000:2004, 3.3, modified]
- Product Publication: publication covering a specific product or group of related products
- Note 1 to entry: In IEC Guide 108, the term product includes items such as process, service, installation and combinations thereof, commonly known as systems. [SOURCE: IEC Guide 108:2006, 3.2]
- Product Standard: standard that specifies requirements to be fulfilled by a product or a group of products, to establish its fitness for purpose
- Note 1 to entry: A product standard may include in addition to the fitness for purpose requirements, directly or by reference, aspects such as terminology, sampling, testing, packaging and labelling and, sometimes, processing requirements.
- Note 2 to entry: A product standard can be either complete or not, according to whether it specifies all or only a part of the necessary requirements. In this respect, one may differentiate between standards such as dimensional, material, and technical delivery standards.
- [SOURCE: ISO/IEC Guide 2:2004, 5.4]
- Protective Measure: measure intended to achieve adequate risk reduction, implemented: by the designer (inherent design, safeguarding and complementary protective measures, information for use) and by the user (organization: safe working procedures, supervision, training; permit-to-work systems; provision and use of additional safeguards; use of personal protective equipment) [SOURCE: IEC Guide 116:2010, 3.10]
- Provincial Standard: standard that is adopted at the level of a territorial division of a country and made available to the public [SOURCE: ISO/IEC Guide 2:2004, 3.2.1.4]
- Reasonably Foreseeable Misuse: use of a product, process or service in a way not intended by the supplier, but which may result from readily predictable human behavior [SOURCE: ISO/IEC Guide 51:1999, 3.14]
- Reciprocity: relationship between two parties where both have the same rights and obligations towards each other
- Note 1 to entry: Reciprocity can exist within a multilateral arrangement comprising a network of bilateral reciprocal relationships.
- Note 2 to entry: Although rights and obligations are the same, opportunities emanating from them can differ; this can lead to unequal relationships between parties.
- [SOURCE: ISO/IEC 17000:2004, 7.11]
- Recognition (Recognition of Conformity Assessment Results): acknowledgement of the validity of a conformity assessment result provided by another person or body
- Note 1 to entry: The general expression “conformity assessment result” is used in 902-06-04 to 902-06-09 to mean the product of any conformity assessment activity (e.g. a report or certificate) and may include a finding of nonconformity. [SOURCE: ISO/IEC 17000:2004, 7.5, modified]
- Regional Standard: standard that is adopted by a regional standardizing/standards organization and made available to the public [SOURCE: ISO/IEC Guide 2:2004, 3.2.1.2]
- Regulation: document providing binding legislative rules, that is adopted by an authority [SOURCE: ISO/IEC Guide 2:2004, 3.6]
- Reliability: property of consistent intended behavior and results
- Requirement: need or expectation that is stated, generally implied or obligatory
- Note 1 to entry: “Generally implied” means that it is custom or common practice for the organization and interested parties that the need or expectation under consideration is implied.
- Note 2 to entry: A specified requirement is one that is stated, for example in documented information. [SOURCE: ISO 9000:2015, 3.6.4, modified]
- Residual Risk: risk remaining after risk treatment
- Note 1 to entry: Residual risk can contain unidentified risk.
- Note 2 to entry: Residual risk can also be referred to as “retained risk”.
- Review: activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives [SOURCE: ISO Guide 73:2009, 3.8.2.2, modified]
- Review: verification of the suitability, adequacy and effectiveness of selection and determination activities, and the results of these activities, with regard to fulfilment of specified requirements by an object of conformity assessment [SOURCE: ISO/IEC 17000:2004, 5.1, modified]
- Review Object: specific item being reviewed.
- Review Objective: statement describing what is to be achieved as a result of a review
- Risk: effect of uncertainty on objectives
- Note 1 to entry: An effect is a deviation from the expected — positive or negative.
- Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
- Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:2009, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
- Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
- Note 5 to entry: In the context of information security management systems, information security risks can be expressed as effect of uncertainty on information security objectives.
- Note 6 to entry: Information security risk is associated with the potential that threats will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to an organization.
- [SOURCE: ISO 9000:2015, 3.7.9, modified]
- Risk Acceptance: informed decision to take a particular risk
- Note 1 to entry: Risk acceptance can occur without risk treatment or during the process of risk treatment.
- Note 2 to entry: Accepted risks are subject to monitoring and review.
- [SOURCE: ISO Guide 73:2009, 3.7.1.6]
- Risk Analysis: process to comprehend the nature of risk and to determine the level of risk
- Note 1 to entry: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
- Note 2 to entry: Risk analysis includes risk estimation.
- [SOURCE: ISO Guide 73:2009, 3.6.1]
- Risk Assessment: overall process of risk identification, risk analysis and risk evaluation [SOURCE: ISO Guide 73:2009, 3.4.1]
- Risk Communication and Consultation: set of continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
- Note 1 to entry: The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment of risk.
- Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is a process which impacts on a decision through influence rather than power; and an input to decision making, not joint decision making.
- Risk Criteria: terms of reference against which the significance of risk is evaluated
- Note 1 to entry: Risk criteria are based on organizational objectives, and external context and internal context.
- Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements. [SOURCE: ISO Guide 73:2009, 3.3.1.3]
- Risk Evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
- Note 1 to entry: Risk evaluation assists in the decision about risk treatment. [SOURCE: ISO Guide 73:2009, 3.7.1]
- Risk Identification: process of finding, recognizing and describing risks
- Note 1 to entry: Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
- Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.
- [SOURCE: ISO Guide 73:2009, 3.5.1]
- Risk Management: coordinated activities to direct and control an organization with regard to risk [SOURCE: ISO Guide 73:2009, 2.1]
- Risk Management Process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
- Note 1 to entry: ISO/IEC 27005 uses the term “process” to describe risk management overall. The elements within the risk management process are referred to as “activities”. [SOURCE: ISO Guide 73:2009, 3.1, modified]
- Risk Owner: person or entity with the accountability and authority to manage a risk [SOURCE: ISO Guide 73:2009, 3.5.1.5]
- Risk Treatment: process to modify risk
- Note 1 to entry: Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); retaining the risk by informed choice.
- Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.
- Note 3 to entry: Risk treatment can create new risks or modify existing risks.
- [SOURCE: ISO Guide 73:2009, 3.8.1, modified]
- Safety: freedom from unacceptable risk [ISO/IEC Guide 51:1999, definition 3.1] [SOURCE: IEC Guide 116:2010, 3.16]
- Safety Integration: application of the “3-step-methodology” to reduce the residual risk of a product, process or service below the level of tolerable risk.
- Note 1 to entry: Sometimes it is possible that tolerable risk is already achieved by applying step 1 or steps 1 and 2.
- Note 2 to entry: See IEC Guide 116:2010, A.2, for further information.
- [SOURCE: IEC Guide 116:2010, 3.17, modified]
- Sampling: provision of a sample of the object of conformity assessment, according to a procedure [SOURCE: ISO/IEC 17000:2004, 4.1]
- Scope of Attestation: range or characteristics of objects of conformity assessment covered by attestation [SOURCE: ISO/IEC 17000:2004, 5.3]
- Second-Party Conformity Assessment Activity: conformity assessment activity that is performed by a person or organization that has a user interest in the object
- Note 1 to entry: Persons or organizations performing second-party conformity assessment activities include, for example, purchasers or users of products, or potential customers seeking to rely on a supplier's management system, or organizations representing those interests.
- Note 2 to entry: See Note 1 to entry to 902-01-02.
- Security Implementation Standard: document specifying authorized ways for realizing security
- Service Standard: standard that specifies requirements to be fulfilled by a service, to establish its fitness for purpose
- Note 1 to entry: Service standards may be prepared in fields such as laundering, hotel-keeping, transport, car-servicing, telecommunications, insurance, banking, trading. [SOURCE: ISO/IEC Guide 2:2004, 5.6]
- Single Fault Condition: condition in which there is a fault of a single protection (but not a reinforced protection) or of a single component or a device
- Note 1 to entry: If a single fault condition results in one or more other fault conditions, all are considered as one single fault condition. [SOURCE: IEC Guide 104:2010, 3.8]
- Specified Requirement: need or expectation that is stated
- Note 1 to entry: Specified requirements may be stated in normative documents such as regulations, standards and technical specifications.
- Standard: document, established by consensus and approved by a recognized body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context
- Note 1 to entry: Standards should be based on the consolidated results of science, technology and experience, and aimed at the promotion of optimum community benefits. [SOURCE: ISO/IEC Guide 2:2004, 3.2]
- Standard on Data to Be Provided: standard that contains a list of characteristics for which values or other data are to be stated for specifying the product, process or service
- Note 1 to entry: Some standards, typically, provide for data to be stated by suppliers, others by purchasers. [SOURCE: ISO/IEC Guide 2:2004, 5.8]
- Surveillance: systematic iteration of conformity assessment activities as a basis for maintaining the validity of the statement of conformity [SOURCE: ISO/IEC 17000:2004, 6.1]
- Suspension: temporary invalidation of the statement of conformity for all or part of the specified scope of attestation [SOURCE: ISO/IEC 17000:2004, 6.2]
- Technical Expert: person who provides specific knowledge or expertise to the audit team.
- Note 1 to entry: Specific knowledge or expertise relates to the organization, the activity, process, product, service, discipline to be audited, or language or culture.
- Note 2 to entry: A technical expert to the audit team does not act as an auditor. [SOURCE: ISO 9000:2015, 3.13.16, modified]
- Technical Regulation: regulation that provides technical requirements, either directly or by referring to or incorporating the content of a standard, technical specification or code of practice
- Note 1 to entry: A technical regulation may be supplemented by technical guidance that outlines some means of compliance with the requirements of the regulation, i.e. deemed-to-satisfy provision. [SOURCE: ISO/IEC Guide 2:2004, 3.6.1]
- Technical Specification: document that prescribes technical requirements to be fulfilled by a product, process or service
- Note 1 to entry: A technical specification should indicate, whenever appropriate, the procedure(s) by means of which it may be determined whether the requirements given are fulfilled.
- Note 2 to entry: A technical specification may be a standard, a part of a standard or independent of a standard. [SOURCE: ISO/IEC Guide 2:2004, 3.4, modified]
- Terminology Standard: standard that is concerned with terms, usually accompanied by their definitions, and sometimes by explanatory notes, illustrations, examples, etc. [SOURCE: ISO/IEC Guide 2:2004, 5.2]
- Testing: determination of one or more characteristics of an object of conformity assessment, according to a procedure
- Note 1 to entry: “Testing” typically applies to materials, products or processes. [SOURCE: ISO/IEC 17000:2004, 4.2]
- Testing Standard: standard that is concerned with test methods, sometimes supplemented with other provisions related to testing, such as sampling, use of statistical methods, sequence of tests [SOURCE: ISO/IEC Guide 2:2004, 5.3]
- Third-Party Conformity Assessment Activity: conformity assessment activity that is performed by a person or body that is independent of the person or organization that provides the object, and of user interests in that object
- Note 1 to entry: Criteria for the independence of conformity assessment bodies and accreditation bodies are provided in the International Standards and Guides applicable to their activities (see Bibliography in ISO/IEC 17000).
- Note 2 to entry: See Note 1 to entry to 902-01-02. [SOURCE: ISO/IEC 17000:2004, 2.4, modified]
- Threat: potential cause of an unwanted incident, which can result in harm to a system or organization
- Tolerable Risk: risk which is accepted in a given context based on the current values of society [ISO/IEC Guide 51:1999, definition 3.7] [SOURCE: IEC Guide 116:2010, 3.14]
- Top Management: person or group of people who directs and controls an organization at the highest level
- Note 1 to entry: Top management has the power to delegate authority and provide resources within the organization.
- Note 2 to entry: If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization.
- Note 3 to entry: Top management is sometimes called executive management and can include Chief Executive Officers, Chief Financial Officers, Chief Information Officers, and similar roles.
- Trusted Information Communication Entity: autonomous organization supporting information exchange within an information sharing community
- Unilateral Arrangement: arrangement whereby one party recognizes or accepts the conformity assessment results of another party
- Note 1 to entry: The general expression “conformity assessment result” is used in 902-06-04 to 902-06-09 to mean the product of any conformity assessment activity (e.g. a report or certificate) and may include a finding of nonconformity. [SOURCE: ISO/IEC 17000:2004, 7.7, modified]
- Vulnerability: weakness of an asset or control that can be exploited by one or more threats
- Withdrawal (Revocation): cancellation of the statement of conformity. [SOURCE: ISO/IEC 17000:2004, 6.3]
- WYSIWYG (what-you-see-is-what-you-get): capability of a text processor to continually display text as it will be printed
- Note 1 to entry: WYSIWYG provides a constant display whereas print preview is a function that must be requested by the user.
- Note 2 to entry: WYSIWYG; what-you-see-is-what-you-get: terms and definition standardized by ISO/IEC in ISO/IEC 2382-23:1994, entry 23.03.07.
- [SOURCE: ISO/IEC 2382-23:1994, 23.03.07]