Information Security 101

Information Security is the discipline of protecting information assets from threats through safeguards, in order to achieve the objectives of confidentiality, integrity, and availability (Tier 3), or CIA for short, to support the business (Tier 2), and to create and deliver value (Tier 1).

Source: The Effective CISSP: Security and Risk Management

What is Risk?

Risk is the “effect of uncertainty on objectives.” (ISO 31000) In the context of information security, a threat is any risk that may have negative effects on objectives; it typically involves a threat source that initiates one or more threat events to exploit vulnerabilities, resulting in adverse impact.

NIST Generic Risk Model (NIST SP 800-30 R1)

Vulnerability “includes a weakness of an asset or group of assets which can be exploited by a threat” (ISO/IEC 21827) or refers to “weakness in the security of an IT-system that can be exploited or triggered by a threat.” (ISO/TR 22100-4)

  • Weakness is one “kind of deficiency.” (ISO 81001-1)
  • An asset is anything of value and worthy of protection.
  • Protection refers to the endeavor of keeping objectives from deviation. Protection means applying risk treatments in risk management or implementing security controls (aka safeguards) in the context of information security.
  • Protecting human life is always the priority.
ISO 31000

An information system, aka IT-system, is “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes the environment in which the information system operates (i.e., people, processes, technologies, facilities, and cyberspace).” (NIST SP 800-39)

A CISSP is an ISC2 certified professional who knows very well how to protect information systems.

The Peacock as a Metaphor for Information System

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams, and an informative reference for security professionals.
