InfoSec
Information Security: The practice of protecting information from unauthorised access and use.
Senior Information Risk Owner (SIRO): A role used in Government Information Assurance, particularly prominent in the NHS and wherever health data is handled; it is often combined with other job roles.
Security Incident and Event Management (SIEM): The process of using products and/or services to manage security information and security events, usually by providing real-time reporting and analysis of network activity.
Plan, Do, Check, Act (PDCA): The cycle implemented in a management system to drive continual improvement. Based on the Deming Cycle.
Corrective Action / Preventive Action (CAPA): Actions to correct a non-conformance and prevent its recurrence. Note: Preventive Action has been replaced by a risk-based approach in Annex SL standards.
Risk Register: A register that documents the potential risks identified, including the analysis of each risk (often involving scoring), its controls and its ownership.
Risk Assessment: The process through which risks are assessed and quantified; it can also include the identification and control process. Risk Assessment is used within Health & Safety, Information Security and Business Risk.
Statement of Applicability (SOA): A requirement of ISO 27001. The SOA lists the controls provided within the standard and justifies their inclusion or exclusion by the organisation.
Opportunity for Improvement (OFI): Something that has been identified as having potential for improvement and that could escalate to a non-conformance.
Observation: Something that has been noted as potentially negative or non-compliant.