ISO/IEC 27001 Glossary – Plain‑English Terms
Last Updated on September 23, 2025 by Melissa Lazaro
Introduction
ISO/IEC 27001 is the world’s leading standard for information security management—but let’s be honest, the language it uses can feel like jargon. Terms such as “Statement of Applicability” or “residual risk” often sound more complicated than they really are. For newcomers, this can make the standard seem intimidating before they even begin.
This glossary is designed to cut through the confusion. Instead of formal textbook definitions, you’ll find plain-English explanations of the most important ISO/IEC 27001 terms. Each one is explained simply, with short examples to show how it applies in everyday business.
By the end, you’ll be able to read ISO 27001 requirements with confidence—understanding what the terms actually mean and how they fit into building an Information Security Management System (ISMS).
Core ISO/IEC 27001 Terms Explained Simply
ISMS (Information Security Management System)
A structured way of managing how your organisation protects information. Think of it as a “playbook” for keeping data safe—covering risks, policies, controls, and continual improvement.
Example: A company sets up an ISMS to manage how employee data, client files, and financial information are protected across departments.
Annex A Controls
A list of security measures included in ISO 27001. Organisations don’t need all of them but must review the list and apply those that are relevant to their risks.
Example: Using multi-factor authentication to protect system access is one of the Annex A controls.
Confidentiality, Integrity, Availability (CIA Triad)
The three pillars of information security:
- Confidentiality – only the right people can access information.
- Integrity – information stays accurate and unaltered.
- Availability – information is accessible when needed.
Example: An online banking app must keep account balances correct (integrity), ensure only customers can log in (confidentiality), and stay online for transactions (availability).
Statement of Applicability (SoA)
A document that shows which Annex A controls your organisation has chosen to apply (and why). It acts as a summary of your security approach.
Example: A company includes access control in its SoA but excludes physical security controls if it doesn’t manage its own office buildings.
Risk Assessment & Risk Treatment
Risk assessment means identifying threats to information and deciding how likely and impactful they are. Risk treatment is choosing what to do about them: reduce, accept, transfer, or avoid the risk.
Example: A company identifies phishing emails as a risk. To treat it, they reduce the risk by adding training and email filtering, while still accepting a small residual risk.
Key Roles and Responsibilities
Information Security Officer (ISO / ISMS Manager)
The person responsible for running the ISMS day to day. They coordinate policies, manage risks, and make sure the framework is maintained.
Example: In a mid-sized tech company, the IT manager doubles as the Information Security Officer, ensuring audits and risk reviews happen on schedule.
Top Management
Senior leadership is accountable for information security. They set priorities, provide resources, and approve policies. ISO 27001 makes it clear that security isn’t just an “IT job”—it’s a leadership responsibility.
Example: A CEO signs off on the ISMS scope and ensures budget is allocated for security training.
Internal Auditor
An employee (or team) who checks whether the ISMS is working as intended. They look for gaps or non-conformities before external auditors come in.
Example: An internal auditor reviews access logs and finds that some user accounts were not disabled after staff left the company.
External Auditor / Certification Body
Independent professionals from a certification body who conduct Stage 1 and Stage 2 audits. If successful, they issue the ISO 27001 certificate.
Example: A certification body auditor interviews staff and checks policies during an external audit to confirm compliance.
Data Owner vs. Data Custodian
- Data Owner – the person or department responsible for deciding how information is used.
- Data Custodian – the person or team who handles the day-to-day management of that data.
Example: HR is the data owner of employee records, while IT acts as custodian by managing the HR system that stores the records.
Essential Processes and Documents
Policies, Procedures, and Records
- Policy – a high-level rule or commitment.
- Procedure – step-by-step instructions on how to follow the policy.
- Record – proof that the procedure was followed.
Example: A company’s password policy requires strong passwords. The procedure explains how to set them. Records show staff training logs confirming everyone was instructed.
Corrective and Preventive Actions (CAPA)
Actions taken to fix problems and stop them from happening again (corrective) or to prevent them before they occur (preventive).
Example: After a failed backup (problem), IT fixes the system (corrective) and introduces weekly backup tests (preventive).
Nonconformity
Any gap where the organisation isn’t meeting ISO 27001 requirements or its own ISMS rules.
Example: An audit finds that an access review wasn’t carried out on time—that’s a nonconformity.
Management Review
A regular meeting where top management reviews how well the ISMS is performing, identifies improvements, and approves actions.
Example: The leadership team reviews recent incidents, risk assessments, and audit findings during a quarterly review.
Internal Audit
A self-check carried out by trained staff to see whether the ISMS is working as planned and meeting ISO 27001 requirements.
Example: The internal auditor interviews employees to check if they know how to report security incidents.
Risk and Control Concepts
Control vs. Control Objective
- Control Objective – the goal you want to achieve.
- Control – the specific action taken to meet that goal.
Example: The objective is to prevent unauthorised access. The control is enabling multi-factor authentication.
Residual Risk
The level of risk that remains after controls have been applied.
Example: Even with strong spam filters, some phishing emails still get through. That small leftover risk is residual risk.
Mitigation, Acceptance, Transfer, Avoidance
The four common strategies for dealing with risks:
- Mitigation – reduce the risk (e.g., use encryption).
- Acceptance – accept the risk if it’s low (e.g., tolerating minor downtime).
- Transfer – shift the risk elsewhere (e.g., buy cyber insurance).
- Avoidance – stop the risky activity altogether (e.g., not storing certain sensitive data).
Incident vs. Event vs. Breach
- Event – something that happens, but not necessarily harmful.
- Incident – an event that disrupts operations or poses a risk.
- Breach – a confirmed incident where information has been compromised.
Example: A single login attempt from an unknown IP address is an event. Multiple failed logins that trigger an alert are an incident. An attacker successfully gaining access to the account is a breach.
Certification and Audit Terminology
Stage 1 Audit
A preliminary audit where the certification body checks whether your ISMS documentation and scope are ready for full assessment.
Example: The auditor reviews policies, risk assessments, and your Statement of Applicability to confirm readiness.
Stage 2 Audit
The main certification audit. Auditors test whether your ISMS is actually working in practice.
Example: The auditor interviews staff, checks logs, and reviews incident reports to confirm policies are being followed.
Surveillance Audit
A smaller audit carried out every year after certification to make sure the ISMS is still maintained.
Example: An auditor checks whether management reviews and risk assessments have been updated since certification.
Recertification Audit
A full reassessment that happens every three years to renew certification.
Example: The organisation undergoes a complete audit cycle again to prove ongoing compliance.
Scope Statement
A document defining which parts of the organisation and which types of information are covered by the ISMS.
Example: A software company might limit scope to its cloud services platform, not including HR systems.
Certification Body vs. Accreditation Body
- Certification Body – the organisation that audits you and issues the ISO 27001 certificate.
- Accreditation Body – the authority that approves certification bodies to ensure they are competent and impartial.
Example: In the UK, UKAS is the accreditation body. It authorises certification bodies like BSI or SGS.
FAQs
Do I need to learn every ISO 27001 term before starting implementation?
No. You’ll pick up the terminology as you go. What matters is understanding the key concepts well enough to apply them in practice.
Are these plain-English definitions official?
Not exactly. The official definitions come from the ISO/IEC 27000 series. This glossary simplifies them so they’re easier to understand and use day to day.
Will these terms change over time?
The core concepts—like ISMS, risk assessment, and audits—stay the same. However, specific details may evolve when ISO updates the standard (for example, Annex A controls were refreshed in the 2022 version).
Conclusion
ISO/IEC 27001 is packed with terminology that can feel complex at first. But when broken down into plain English, the concepts are straightforward and practical. From understanding what an ISMS is, to knowing the difference between an event and a breach, clarity in language makes it easier to build, manage, and sustain a strong information security management system.
This glossary isn’t just about definitions—it’s a tool to help organisations and their teams talk about ISO 27001 with confidence. The more accessible the language, the smoother the path to certification and long-term compliance.
Next Step: Keep this glossary handy as a reference, and use it alongside ISO 27001 toolkits, training, and templates to put these terms into real action.
Melissa Lavaro is a seasoned ISO consultant and an enthusiastic advocate for quality management standards. With a rich experience in conducting audits and providing consultancy services, Melissa specializes in helping organizations implement and adapt to ISO standards. Her passion for quality management is evident in her hands-on approach and deep understanding of the regulatory frameworks. Melissa’s expertise and energetic commitment make her a sought-after consultant, dedicated to elevating organizational compliance and performance through practical, insightful guidance.