Glossary

Access control

Access control includes both access authorization and review of access to both logical and physical assets. It refers to all the steps that are taken to selectively authorize and restrict entry, contact, or use of assets. Access authorizations and restrictions are established in accordance with business and security requirements and should reflect the value of the assets in question for the company.

Accountability

To make an entity accountable is to assign actions and decisions to an identifiable entity and to expect that entity to be answerable for those actions and decisions. Therefore, accountability is the state of being answerable for the actions and decisions that have been assigned to it.

Analytical model

An analytical model is a mathematical, logical or mechanical representation of a relationship, theory, process, system, or sequence of events, so designed that a study of the model functions as a means of summarizing the complex relations of the real world or as a way of illustrating a theory. Analytical models are used to facilitate and support decision making.

Assessment

An assessment is the act of evaluating something. Here it means that the organization is evaluated against the Threats aimed at its Assets, i.e. its Risk.

Asset

An asset is any tangible or intangible thing or characteristic that has value to an organization. Obvious types of assets include: facilities, machines, patents, and software; but less obvious types are: information, people, and services, as well as characteristics such as brand, culture, reputation, skill and knowledge.

Attack

An attack is any deliberate unauthorized attempt to access, use, alter, expose, steal, disable, or destroy an asset.

Attribute

An attribute is any distinctive feature, characteristic or property of an object that can be identified or isolated, either quantitatively or qualitatively, by human or automated means.

Audit

An audit is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.

Audit Types

  • Internal audits are referred to as first-party audits.
  • External audits can be either second-party or third-party audits.
  • Combined audits are audits of two or more management systems of different disciplines carried out simultaneously.

Audit scope

The scope of an audit is a statement that specifies the focus, extent, and boundary of a particular audit. The scope could be specified by defining the physical location of the audit, the business entities that will be examined, the processes and activities that will be included, and the time period that will be covered.

Authentication

Authentication is the act of confirming the truth of an attribute of a single piece of data (datum) or entity. To authenticate is to verify that a characteristic or attribute that appears to be true is in fact true.

Authenticity

Authenticity is a property or characteristic of an entity. An entity is authentic if it is what it claims to be.

Availability

Availability is a property or characteristic of an asset, so if an asset is accessible and usable when an authorized entity requires access, it is available.

Base measure

A base measure is an attribute or property of an entity together with the method used to quantify it.

Business continuity management

Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Business Continuity Plan

A business continuity plan (BCP) outlines the procedures and instructions an organization must follow in the event of a disruption or disaster; a BCP covers business processes, assets, human resources, business partners and more.

Business Entity

A business entity is an entity that is formed and administered in accordance with commercial law in order to engage in business activities, charitable work, or other permitted activities. A distinct business entity has complete control over how it utilizes its assets, how it organizes its management and, if required, its most appropriate financing structure.

Categories

Categories are any general or comprehensive division. In RM Studio Categories are the division of Assets according to the applicable Standard.

Code of Practice

A code of practice is a guide of best practices used to implement a Standard.

Competence

A competence is a cluster of related abilities, commitments, knowledge, and skills that enable a person or a business entity to act effectively and as expected in a job or situation.

Confidentiality

Confidentiality is a characteristic that applies to information. To protect and preserve the confidentiality of information means to ensure that it is not made available or disclosed to unauthorized entities. In this context, entities include both individuals and processes.

Conformity

Conformity is the “fulfillment of a requirement”. To conform means to meet or comply with requirements. There are many types of requirements, such as information security requirements, customer, contractual, regulatory, and statutory requirements, to name a few.

Consequence

A consequence is the effect, result, or outcome of something occurring. A single event can have a range of certain or uncertain consequences and these consequences can influence how well an organization achieves its objectives. In addition, initial consequences can escalate through knock-on effects.

Context

An organization’s context includes all of the internal and external issues that are deemed relevant and the influence these issues could have on its ability to achieve the objectives and outcomes that the ISMS intends to achieve. See internal context and external context.

Continual improvement

Continual improvement is a set of recurring activities designed and executed to upgrade the performance of processes, products, services, systems, and organizations.

Control

In the context of information security management, a control is any administrative, managerial, technical, or legal method that is used to mitigate or manage information security risk. Controls are also referred to as safeguards or countermeasures.

Controls can include:

  • best practices,
  • processes,
  • policies,
  • procedures,
  • programs,
  • tools,
  • techniques,
  • technologies,
  • devices,
  • organizational structures.

Control objective

An information security control objective provides a specific target against which to evaluate the effectiveness of controls.

Correction

A correction is any activity that is taken to eliminate an identified nonconformity; however, corrections do not address causes – corrective actions address causes.

Corrective action

Corrective actions are improvements to an organization’s processes taken to eliminate causes of nonconformities or other undesirable situations.

Data

The term data is defined as a collection or set of values assigned to measures or indicators. A measure is a variable made up of values and an indicator is a measure or variable used to evaluate or estimate an attribute or property of an object.

Decision criteria

Decision criteria are factors like thresholds, targets, or patterns. Decision criteria are used to determine whether action should be taken or whether further investigation is required before decisions can be made. Decision criteria are also used to evaluate results and to describe confidence levels.

Derived measure

A derived measure is a measure that is defined as a mathematical function of two or more values of base measures (a base measure is both an attribute of an entity and the method used to quantify it).

Documented information

The term documented information refers to the information required to be controlled and maintained by an organization and the medium on which it is contained. Documented information can be in any format, any media and from any source. Documented information includes information about the management system and related processes, as well as all the information that organizations need to operate and all the information that they use to document the results they achieve (records). In short, the term documented information is just a new name for what used to be called documents and records; however, this change is significant. In the past, documents and records were managed differently, but now they are subject to the same set of requirements.

Effectiveness

Effectiveness refers to the degree to which a planned effect is achieved. Planned activities are effective if these activities are executed properly and planned results are effective if they are achieved.

Efficiency

Efficiency is the relationship between results achieved (outputs) and resources used (inputs). The efficiency of a process or system can be enhanced by achieving more, or getting better results (outputs), with the same or fewer resources (inputs).

Event

An event could be one occurrence, several occurrences, or even a non-occurrence (when something doesn’t happen that was supposed to happen). It can also be a change in circumstances. Events are sometimes referred to as incidents or accidents. Events always have causes and usually have consequences.

Executive management

The term executive management (or top management) refers to the people who are responsible for implementing the strategies and policies needed to achieve an organization’s purpose. It includes chief executive officers, chief financial officers, chief information officers, and other similar roles. Executive managers are given this responsibility by a governing body (sometimes referred to as a board of directors).

External context

The external context is the external environment in which the organization seeks to achieve its objectives, the key drivers and trends having an impact on the objectives of the organization, and the relationships with, and perceptions and values of, external stakeholders.

An organization’s external context may include:

  • social climate,
  • cultural environment,
  • political environment,
  • legal environment,
  • regulatory environment,
  • technological environment,
  • economic environment,
  • natural environment,
  • competitive landscape.

Gap Analysis

A gap analysis is a formal study of the steps necessary to improve from the current level of performance to the desired level of performance in areas such as:

  • Business direction
  • Business processes
  • Information technology
  • Information security
  • Organization (e.g., human resources)

In business and economics, a gap analysis is a tool that helps an organization identify its actual performance to determine how to attain its expected performance.

At its core, a gap analysis asks two questions:

  1. “Where are we now?” and
  2. “Where do we want to be?”

Gap analysis provides a foundation for measuring the investment of time, money and human resources required to achieve a particular outcome (e.g. turning the salary payment process from paper-based to paperless with the use of a system).
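The two questions above, worked through in code as an added example (not RM Studio's own Gap Analysis module): each control carries its current and its desired implementation level on an ordinal scale, the analysis lists the open gaps largest first, estimates the effort to close them, and reports how much of the set is already at target. The four-step scale, the control ids, the levels and the person-day figures are all constructed for the illustration.

```python
"""Added example for the glossary entry Gap Analysis: a small comparison of
the current and the desired implementation level of a set of controls,
answering "where are we now?" and "where do we want to be?", with a rough
estimate of the effort needed to close the gaps. Not RM Studio code; the
ordinal scale, control ids, levels and effort figures are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed ordinal implementation scale; the list index is the level
LEVELS = ["not implemented", "partially implemented", "implemented", "optimized"]


@dataclass(frozen=True)
class ControlStatus:
    control_id: str
    title: str
    area: str               # e.g. information security, information technology
    current: int            # index into LEVELS: where we are now
    target: int             # index into LEVELS: where we want to be
    days_per_level: float   # assumed person-days to move up one level

    def __post_init__(self):
        for v in (self.current, self.target):
            if not 0 <= v < len(LEVELS):
                raise ValueError(f"{self.control_id}: level {v} outside scale")

    def gap(self) -> int:
        """Number of levels still to climb; never negative."""
        return max(0, self.target - self.current)


def gap_analysis(statuses: List[ControlStatus]) -> Dict:
    """Return the open gaps (largest first), the estimated effort to close
    them, the share of controls already at target, and a per-area summary."""
    open_gaps = sorted((c for c in statuses if c.gap() > 0),
                       key=lambda c: (-c.gap(), c.control_id))
    per_area: Dict[str, Dict[str, int]] = {}
    for c in statuses:
        entry = per_area.setdefault(c.area, {"controls": 0, "at_target": 0})
        entry["controls"] += 1
        if c.gap() == 0:
            entry["at_target"] += 1
    return {
        "gaps": [(c.control_id, LEVELS[c.current], LEVELS[c.target], c.gap())
                 for c in open_gaps],
        "effort_days": sum(c.gap() * c.days_per_level for c in open_gaps),
        "at_target_ratio": (sum(1 for c in statuses if c.gap() == 0) / len(statuses)
                            if statuses else 1.0),
        "per_area": per_area,
    }


# Constructed sample: four controls, two areas, one already at target
SAMPLE = [
    ControlStatus("C-01", "information security policy",
                  "information security", 2, 2, 2.0),
    ControlStatus("C-02", "technical vulnerability management",
                  "information technology", 0, 2, 5.0),
    ControlStatus("C-03", "security awareness training",
                  "information security", 1, 2, 3.0),
    ControlStatus("C-04", "ICT readiness for business continuity",
                  "information technology", 1, 3, 4.0),
]

if __name__ == "__main__":
    result = gap_analysis(SAMPLE)
    for cid, now, want, gap in result["gaps"]:
        print(f"{cid}: {now} -> {want} ({gap} level(s))")
    print(f"effort ~{result['effort_days']:.0f} person-days, "
          f"{result['at_target_ratio']:.0%} of controls at target")
```

Sorting by gap size first and by id second keeps the report stable between runs, and the per-area summary is what the list at the start of this entry (business processes, information technology, information security, organization) is usually broken down by.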

Governance: Information Security and Information Technology

The governance of information security refers to the system of concepts and principles by which organizations evaluate, direct, monitor and communicate their information security related activities; it is applicable to all types and sizes of organizations.

Governing body

The term governing body refers to the people who are responsible for the overall performance and conformance of an organization.

Guidelines

In the context of this standard, guidelines are the steps that are taken to achieve objectives and implement policies. Guidelines clarify what should be done and how.

Impact

Impact is the effect a realized incident or event will have on the organization.

Indicator

An indicator is a measure or variable that is used to evaluate or estimate an attribute or property of an object. Indicators are often derived from analytical models and are used to address information needs.

Information need

An information need is an insight that is necessary or required in order to solve problems, to manage risks, and to achieve goals and objectives.

Information processing facilities

An information processing facility is any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place and it can be either tangible or intangible.

Information security

The purpose of information security is to protect and preserve the confidentiality, integrity, and availability of information. It may also involve protecting and preserving the authenticity and reliability of information and ensuring that entities can be held accountable.

Information security continuity

Information security continuity refers to an integrated set of policies, procedures, and processes that are used to ensure that a predefined level of security continues during a disaster or crisis (when disruptive incidents occur or adverse situations exist). Continuity is achieved by identifying potential threats and vulnerabilities, by analyzing possible impacts, and by taking steps to build organizational resilience.

Information security event

An information security event is a system, service, or network state, condition, or occurrence that indicates that information security may have been breached or compromised or that a security policy may have been violated or a control may have failed.

Information security incident

An information security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations.

Information security incident management

Information security incident management is a set of processes that organizations use to deal with information security incidents. It includes a detection process, a reporting process, an assessment process, a response process, and a learning process.

Information Security Management System

An information security management system (ISMS) includes all of the policies, procedures, documents, records, plans, guidelines, agreements, contracts, processes, practices, methods, activities, roles, responsibilities, relationships, tools, techniques, technologies, resources, and structures that organizations use to protect and preserve information, to manage and control information security risks, and to achieve business objectives. An ISMS is part of an organization’s larger management system.

Information sharing community

An information sharing community is a group of people or a group of organizations that agree to share information.

Information system

An information system is any set of components that is used to handle information. Information systems include applications, services, or any other assets that handle information.

Integrity

Within the narrow context of information security, the term integrity means to protect the accuracy and completeness of information.

Internal context

An organization’s internal context includes all of the factors and forces within its boundaries that influence how it tries to achieve its objectives.

An organization’s internal context includes:

  • approach to governance:
    • organization’s structure,
    • policies,
    • objectives,
    • roles,
    • accountability,
    • decision-making process;
  • capabilities:
    • knowledge,
    • human resources,
    • technological resources,
    • capital resources,
    • systemic resources;
  • contractual relationships,
  • culture,
  • internal stakeholders.

ISMS project

ISMS projects include all of the work that organizations do to implement information security management systems (ISMS).

ISO

The International Organization for Standardization (ISO; in French, Organisation internationale de normalisation) is an international standard-setting body composed of representatives from various national standards organizations.

Level of risk

The level of risk is its magnitude. It is estimated by considering and combining consequences and likelihoods. A level of risk can be assigned to a single risk or to a combination of risks.

Likelihood

Likelihood is the chance that something might happen. Likelihood can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

Management

The term management refers to all the activities that are used to coordinate, direct, and control organizations. In this context, the term management does not refer to people. It refers to what managers do.

Management system

A management system is a set of interrelated or interacting elements that organizations use to establish policies and objectives and all the processes they need to ensure that policies are followed and objectives are achieved. These elements include structures, programs, procedures, plans, documents, records, methods, tools, techniques, technologies, roles, responsibilities, relationships, agreements, and resources. There are many types of management systems. Some of these include information security management systems, quality management systems, environmental management systems, business continuity management systems, food safety management systems, risk management systems, disaster management systems, emergency management systems, and occupational health and safety management systems. The scope or focus of a management system could be restricted to a specific function or section of an organization or it could include the entire organization. It could even include a function that cuts across several organizations.

Measurement

Measurement is a process that is used to determine a value. In the context of information security management, measurement is a process that is used to obtain information about the effectiveness of an information security management system (ISMS) and the controls that it uses. Measurement functions, analytical models, and decision criteria are used to evaluate measurement results and to decide whether action should be taken or whether further investigation is required before decisions can be made.

Measurement function

A measurement function is an algorithm or a calculation that combines two or more base measures. (A base measure is an attribute or property of an entity together with the method used to quantify it.)

Measurement method

A measurement method is a logical sequence of generic operations that uses measurement scales to quantify attributes. Measurement methods use either objective or subjective techniques to quantify attributes.

Measurement results

A measurement result addresses an information need and consists of one or more indicators together with details that explain how these indicators are to be interpreted.
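The measurement chain that the entries Base measure, Derived measure, Measurement function, Indicator, Decision criteria and Measurement results describe, shown end to end as an added example (illustration code, not RM Studio's own measurement model): two base measures with their quantification methods feed a measurement function, the resulting derived measure serves as the indicator, decision criteria turn it into a decision, and the measurement result packages the indicator with the details needed to interpret it. The patch-coverage indicator, the thresholds and the host counts are assumptions constructed here.

```python
"""Added example for the glossary entries Base measure, Derived measure,
Measurement function, Indicator, Decision criteria and Measurement results.
It is illustration code, not RM Studio's own measurement model. The
patch-coverage indicator, the thresholds and the sample counts are
assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class BaseMeasure:
    """An attribute of an entity together with the method used to quantify it."""
    name: str
    method: str    # how the value is obtained (an objective count here)
    value: float


@dataclass(frozen=True)
class DerivedMeasure:
    """Defined as a measurement function over two or more base measures."""
    name: str
    inputs: List[str]
    function: Callable[[Dict[str, float]], float]

    def compute(self, bases: Dict[str, BaseMeasure]) -> float:
        missing = [n for n in self.inputs if n not in bases]
        if missing:
            raise KeyError(f"missing base measures: {missing}")
        return self.function({n: bases[n].value for n in self.inputs})


@dataclass(frozen=True)
class DecisionCriteria:
    """Thresholds that decide whether action or further investigation is needed."""
    target: float       # at or above target: no action
    investigate: float  # between investigate and target: look closer; below: act

    def decide(self, indicator: float) -> str:
        if indicator >= self.target:
            return "no action"
        if indicator >= self.investigate:
            return "investigate"
        return "act"


@dataclass(frozen=True)
class MeasurementResult:
    """One or more indicators plus the details needed to interpret them."""
    information_need: str
    indicator: str
    value: float
    decision: str
    interpretation: str


def measure(bases: Dict[str, BaseMeasure], derived: DerivedMeasure,
            criteria: DecisionCriteria, information_need: str) -> MeasurementResult:
    """Run the chain: base measures -> derived measure (indicator) -> decision."""
    value = derived.compute(bases)
    decision = criteria.decide(value)
    interpretation = (f"{derived.name} = {value:.0%}; target {criteria.target:.0%}, "
                      f"investigate below {criteria.target:.0%}, act below "
                      f"{criteria.investigate:.0%}")
    return MeasurementResult(information_need, derived.name, value, decision, interpretation)


def patch_coverage(v: Dict[str, float]) -> float:
    """Measurement function: share of in-scope hosts patched within the SLA.
    Returns 0.0 when nothing is in scope instead of dividing by zero."""
    return v["hosts_patched_in_sla"] / v["hosts_in_scope"] if v["hosts_in_scope"] else 0.0


# Constructed sample data (not real inventory figures)
SAMPLE_BASES = {
    "hosts_in_scope": BaseMeasure("hosts_in_scope", "count from asset inventory", 200),
    "hosts_patched_in_sla": BaseMeasure("hosts_patched_in_sla",
                                        "count from patch-management report", 170),
}
PATCH_COVERAGE = DerivedMeasure("patch coverage",
                                ["hosts_patched_in_sla", "hosts_in_scope"], patch_coverage)
SAMPLE_CRITERIA = DecisionCriteria(target=0.95, investigate=0.80)


def sample_result() -> MeasurementResult:
    return measure(SAMPLE_BASES, PATCH_COVERAGE, SAMPLE_CRITERIA,
                   "Are in-scope hosts patched within the agreed SLA?")


if __name__ == "__main__":
    r = sample_result()
    print(r.indicator, r.value, r.decision, "|", r.interpretation)
```

Keeping the quantification method on each base measure is what makes a result reproducible later; the interpretation string is the part of a measurement result that tells a reader what the number means against the criteria, which a bare indicator value does not.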

Menu Bar

Also known as the Ribbon. It is the topmost part of the application, where the most common functions are placed for your convenience.

Mitigating control

A mitigating control is a type of control used in auditing to discover and prevent mistakes that may lead to uncorrected and/or unrecorded misstatements that would generally be related to control deficiencies. The mitigating controls found in the ISO/IEC 27002 (also known as Annex A) are suggested measures to implement for risk mitigation, which reduces the probability or impact of a threat to an asset.

Navigation tree

A navigational tool that allows the user to expand and collapse items representing parts of the software that have been divided into nodes simulating a tree with branches. This allows users to access nested nodes with ease.

Nonconformity

Nonconformity is a non-fulfillment or failure to meet a requirement. A requirement is a need, expectation, or obligation. It can be stated or implied by an organization or interested parties.

Non-repudiation

Non-repudiation techniques and services are used to provide undeniable proof that an alleged event actually happened or an alleged action was actually carried out and that these events and actions were actually carried out by a particular entity and actually had a particular origin. Non-repudiation is a way of guaranteeing that people cannot later deny that an event happened or an action was carried out by an entity.

Object

In this context, an object is any item that has attributes which can be characterized through measurement. Measurement is a process or method that is used to obtain information about the effectiveness of an information security management system (ISMS) and the controls that it uses.

Objective

An objective is a result you wish to achieve. Objectives can be strategic, tactical, or operational and can apply to an organization as a whole or to a system, process, project, product, or service. A variety of words can be used to express objectives. These include words like target, aim, goal, purpose, or intended outcome.

Organization

An organization can be a single person or a group that achieves its objectives by using its own functions, responsibilities, authorities, and relationships. It can be a company, corporation, enterprise, firm, partnership, charity, or institution and can be either incorporated or unincorporated and can be either privately or publicly owned. It can also be a single operating unit that is part of a larger entity.

Outsourcing

When an organization makes an arrangement with an outside organization to perform part of a function or process, it is referred to as outsourcing. To outsource means to ask an external organization to perform part of a function or process usually done in-house.

Performance

Performance is a measurable result that is achieved by an activity, process, product, service, system, or organization. This definition allows us to consider performance measurements. It allows us to think about the measurement of organizational performance, process performance, product performance, service performance, systemic performance, and so on. Such measurements can be either quantitative or qualitative.

Policy

A policy statement defines a general commitment, direction, or intention. An information security policy statement should express management’s formal commitment to the implementation and improvement of its information security management system (ISMS) and should include information security objectives or facilitate their development.

Procedure

A procedure is a way of carrying out a process or activity. Procedures may or may not be documented. ISO/IEC 27001 and 27002 sometimes ask you to document a procedure and sometimes leave it up to you to decide.

Process

A process is a set of activities that are interrelated or that interact with one another. Processes use resources to transform inputs into outputs.

Probability

Probability is the likelihood that a threat occurs. Probability (the same as likelihood) can be defined, determined, or measured objectively or subjectively and can be expressed either qualitatively or quantitatively (using mathematics).

Records

Records provide evidence that activities have been performed or results have been achieved. Records always document the past.

Reliability

Reliability is a property of something and means consistency. Something is reliable if it behaves consistently or produces consistent results.


An account or statement describing in detail an event, situation or similar, usually as a result of observation or inquiry.


A document or record of accumulated data containing information organized in a narrative, graphic or tabular form, prepared on ad hoc, periodic, recurring, regular or as required basis. Reports may refer to specific periods, events, occurrences or subjects and may be presented in digital or written form.

Requirement

A requirement is a need, expectation, or obligation. It can be stated or implied by an organization, its customers, or other interested parties. A specified requirement is one that has been stated (in a document for example), whereas an implied requirement is a need, expectation, or obligation that is common practice or customary.

Residual risk

Residual risk is the risk left over after you’ve implemented all reasonable risk treatment options.

Review

A review is an activity. Its purpose is to determine how well the thing being reviewed is capable of achieving established objectives. Reviews ask the following question: is the subject of the review a suitable, adequate, effective, and efficient way of achieving objectives?

Review objective

A review objective is a statement that describes what a review is intended or expected to achieve.

Risk

According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected.

This means the following. ISO 31000 recognizes that all of us operate in an uncertain world. Whenever we try to achieve an objective, there’s always the chance that things will not go according to plan. Every step has an element of risk that needs to be managed and every outcome is uncertain. Whenever we try to achieve an objective, we don’t always get the results we expect. Sometimes we get positive results and sometimes we get negative results and occasionally we get both. Because of this, ISO 31000 wants us to reduce uncertainty as much as possible. Information security risk is often expressed as a combination of two factors: probability and consequences.

Expressing risk this way asks two basic questions:

  1. What is the probability that a particular information security event will occur in the future?
  2. What consequences would this event produce or what impact would it have if it is realized?

Information security risks often emerge because potential security threats are identified that could exploit vulnerabilities in an information asset or group of assets and therefore cause harm to an organization.

Risk acceptance

Risk acceptance occurs when the cost of a certain type of risk is accepted rather than treated, because the risk involved is not significant enough to warrant the added cost it would take to avoid that risk.

Risk analysis

Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that have been identified and to estimate the level of risk. Risk analysis results are used to carry out risk evaluations and to make risk treatment decisions. How detailed your risk analysis ought to be will depend upon the risk, the purpose of the analysis, the information you have, and the resources available.

Risk Assessment

Risk assessment is a process that is, in turn, made up of three processes: risk identification, risk analysis, and risk evaluation. Risk identification is a process that is used to find, recognize, and describe the risks that could affect the achievement of objectives. Risk analysis is a process that is used to understand the nature, sources, and causes of the risks that you have identified and to estimate the level of risk. Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a specified level of risk is acceptable or tolerable.

Risk communication and consultation

Risk communication and consultation is a dialogue between an organization and its stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood, and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered. This dialogue is both continual and iterative. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and directions are established by the organization, not by stakeholders.

Risk criteria

Risk criteria are terms of reference and are used to evaluate the significance or importance of an organization’s risks. They are used to determine whether a specified level of risk is acceptable or tolerable. Risk criteria should reflect your organization’s values, policies, and objectives, should be based on its external and internal context, should consider the views of stakeholders, and should be derived from standards, laws, policies, and other requirements.

Risk evaluation

Risk evaluation is a process that is used to compare risk analysis results with risk criteria in order to determine whether or not a risk or a specified level of risk is acceptable or tolerable. Risk evaluation results are used to help select risk treatment options.

Risk identification

Risk identification is a process that involves finding, recognizing, and describing the risks that could affect the achievement of an organization’s objectives. It involves discovering possible sources of risk in addition to the events and circumstances that could affect the achievement of objectives; it also includes the identification of possible causes and potential consequences. You may use historical data, theoretical analysis, informed opinion, expert advice, and stakeholder input to identify your risks.

Risk management

Risk management refers to a coordinated set of activities, methods, and techniques that organizations use to deal with the risk and uncertainty that influences how well they achieve their objectives.

Risk management process

A risk management process is one that systematically uses management policies, procedures, and practices to establish context, to communicate and consult with stakeholders, and to identify, analyze, evaluate, treat, monitor, and review risk.

Risk mitigation

Risk mitigation is a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence (also referred to as risk reduction).

Risk Owner

A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.

Risk Treatment

Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them. The options available for the treatment of risks include:

Retain/accept the risk – if, after controls are put in place, the remaining risk is deemed acceptable to the organization, the risk can be retained. However, plans should be put in place to manage/fund the consequences of the risk should it occur.

Reduce the likelihood of the risk occurring – by preventative maintenance, audit & compliance programs, supervision, contract conditions, policies & procedures, testing, investment & portfolio management, training of staff, technical controls and quality assurance programs etc.

Reduce the consequences of the risk occurring – through contingency planning, contract conditions, disaster recovery & business continuity plans, off-site back-up, public relations, emergency procedures and staff training etc.

Transfer the risk – this involves another party bearing or sharing some part of the risk by the use of contracts, insurance, outsourcing, joint ventures or partnerships etc.

Avoid the risk – decide not to proceed with the activity likely to generate the risk, where this is practicable.

Scale

A scale is an ordered set of values. Scales can be distinguished from one another based on how values on the same scale are interrelated. There are at least four types of scales: nominal, ordinal, interval, and ratio. Nominal scales use categories as values (e.g. female vs. male), ordinal scales rank values (1st, 2nd, 3rd, 4th, etc.), interval scales use equal quantities as values (e.g. dates and temperatures), and ratio scales use values that specify how much or how many (e.g. duration and length). Ratio scales are possible because they exploit the fact that sometimes it makes sense to use zero as a value. Being able to use a zero value allows you to do calculations and to say that something is twice as far as something else or takes three times as long as something else, for example.
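
The risk analysis, risk evaluation and risk treatment steps defined above, worked through as an added Python example (not RM Studio's own code). Because the likelihood and consequence scales are ordinal, the risk level is read from an organization-agreed matrix rather than computed by multiplying rank numbers, which would treat an ordinal scale as if it were a ratio scale. The scale labels, the matrix, the acceptability criterion, the treatments and the sample ransomware risk are all constructed assumptions.

```python
"""Risk analysis, evaluation and treatment on ordinal scales.

Added illustration, not RM Studio code. Scale labels, the risk matrix,
the criteria and the sample risk are constructed assumptions.
"""
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Tuple


class Likelihood(IntEnum):
    """Ordinal scale: values are ranked, but the gaps between them carry no meaning."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Ordinal scale for the severity of the unwanted incident."""
    NEGLIGIBLE = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    SEVERE = 5


# Risk level matrix: rows indexed by likelihood, columns by consequence.
# Both inputs are ordinal, so the level is looked up in a matrix agreed by the
# organisation instead of being computed as likelihood x consequence.
RISK_MATRIX = [
    # NEGLIGIBLE MINOR     MODERATE  MAJOR      SEVERE
    ["Low",      "Low",    "Low",    "Medium",  "Medium"],   # RARE
    ["Low",      "Low",    "Medium", "Medium",  "High"],     # UNLIKELY
    ["Low",      "Medium", "Medium", "High",    "High"],     # POSSIBLE
    ["Medium",   "Medium", "High",   "High",    "Extreme"],  # LIKELY
    ["Medium",   "High",   "High",   "Extreme", "Extreme"],  # ALMOST_CERTAIN
]
LEVEL_ORDER = ["Low", "Medium", "High", "Extreme"]  # ordinal, lowest first


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: Likelihood
    consequence: Consequence


@dataclass(frozen=True)
class RiskCriteria:
    """Terms of reference: the highest level the organisation accepts untreated."""
    acceptable_up_to: str


@dataclass(frozen=True)
class Treatment:
    """A control that moves likelihood and/or consequence down by whole scale steps."""
    name: str
    likelihood_steps: int = 0
    consequence_steps: int = 0


def risk_level(likelihood: Likelihood, consequence: Consequence) -> str:
    """Risk analysis: estimate the level of risk from the matrix."""
    return RISK_MATRIX[likelihood - 1][consequence - 1]


def is_acceptable(level: str, criteria: RiskCriteria) -> bool:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    return LEVEL_ORDER.index(level) <= LEVEL_ORDER.index(criteria.acceptable_up_to)


def apply_treatment(risk: Risk, treatment: Treatment) -> Risk:
    """Reduce likelihood and/or consequence, never below the lowest scale value."""
    new_l = Likelihood(max(Likelihood.RARE, risk.likelihood - treatment.likelihood_steps))
    new_c = Consequence(max(Consequence.NEGLIGIBLE, risk.consequence - treatment.consequence_steps))
    return replace(risk, likelihood=new_l, consequence=new_c)


def treat_until_acceptable(risk: Risk, treatments: List[Treatment],
                           criteria: RiskCriteria) -> Tuple[Risk, List[str], bool]:
    """Apply treatments in order until the residual risk meets the criteria.

    Returns the residual risk, the names of the treatments applied, and whether
    the residual risk can be retained or still needs further treatment/avoidance.
    """
    applied: List[str] = []
    current = risk
    for treatment in treatments:
        if is_acceptable(risk_level(current.likelihood, current.consequence), criteria):
            break  # already within criteria: stop adding controls
        current = apply_treatment(current, treatment)
        applied.append(treatment.name)
    acceptable = is_acceptable(risk_level(current.likelihood, current.consequence), criteria)
    return current, applied, acceptable


# Constructed sample: a ransomware threat against a customer database.
SAMPLE_RISK = Risk("customer database", "ransomware", Likelihood.LIKELY, Consequence.MAJOR)
SAMPLE_CRITERIA = RiskCriteria(acceptable_up_to="Medium")
SAMPLE_TREATMENTS = [
    Treatment("offline backups", consequence_steps=1),   # reduces consequences
    Treatment("patch management", likelihood_steps=1),   # reduces likelihood
    Treatment("cyber insurance", consequence_steps=1),   # transfers part of the consequence
]

if __name__ == "__main__":
    inherent = risk_level(SAMPLE_RISK.likelihood, SAMPLE_RISK.consequence)
    print(f"Inherent risk: {inherent}; acceptable: {is_acceptable(inherent, SAMPLE_CRITERIA)}")
    residual, applied, ok = treat_until_acceptable(SAMPLE_RISK, SAMPLE_TREATMENTS, SAMPLE_CRITERIA)
    level = risk_level(residual.likelihood, residual.consequence)
    print(f"Residual risk: {level} after {applied}; retain: {ok}")
```

With the sample values the inherent risk is High, which fails the "Medium" criterion; offline backups alone leave it at High, adding patch management brings it to Medium, so the loop stops before the insurance option and the residual risk is retained.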

Security implementation standard

A security implementation standard is a document that describes the officially or formally authorized ways in which security can be achieved or realized.

Statement of Applicability (SoA)

The Statement of Applicability is the primary document that identifies an organization’s information security implementation and is the connection between the risk assessment and risk treatment. The Statement of Applicability also includes an explanation (justification) of how and why such controls are appropriate and at what stage of implementation each control exists. The SoA justification should reference policies, procedures, other documentation and implemented systems through which controls will manifest. A clear justification for the controls deemed not applicable to the organization must also be included. The SoA is a vital document in the certification process as it is a single document providing required information for the certification that can be easily presented to management with regular status updates.

Third party

A third party is any person or body that is recognized as independent of the people directly involved with an issue.

Threat

A threat is a potential event. When a threat turns into an actual event, it may cause an unwanted incident. It is unwanted because the incident may harm an organization or system.

Top management

The term top management normally refers to the people at the top of an organization; the people who provide resources and delegate authority and who coordinate, direct, and control organizations. However, if the scope of a management system covers only part of an organization, then the term top management refers, instead, to the people who direct and control that part of the organization.

Trusted information communication entity

A trusted information communication entity is an autonomous organization that supports the exchange of information between members of an information sharing community.

Unit of measurement

A unit of measurement is a particular quantity or magnitude that is used as a standard for comparing measurements of the same kind. A standard unit of measurement is one that has been defined and adopted by convention, by agreement, or officially established by law.

Validation

Validation is a process. It uses objective evidence to confirm that the requirements which define an intended use or application have been met. Whenever all requirements have been met, a validated status is achieved. The process of validation can be carried out under realistic use conditions or within a simulated use environment.

Verification

Verification is a process that uses objective evidence to confirm that specified requirements have actually been met. Verification is sometimes referred to as compliance testing.

Vulnerability

Vulnerability is a weakness of an asset or control that could potentially be exploited by one or more threats.