
Testimonials

"It is very important to protect sensitive personal information to guard the rights of individuals and it is also very important that information is handled correctly and processed carefully and accurately."

Hafdis Gudmundsdottir, office manager of the Prison and Probation Administration, Iceland.


Questions and answers about information security

What is accreditation?

Accreditation is certification by a duly recognised body of a party's competence to perform particular tasks and projects. Further details: http://www.ukas.com/

What are business continuity plans?

Business continuity management is part of information security management in accordance with the international standards in this field. Its goal is to protect critical business processes from the effects of major failures or disasters. Through integrated preventive and recovery measures, the effects of disruptions and crises are reduced to an acceptable level.

Business continuity plans are an integral part of business continuity management. Such plans include categorising operations by importance as well as specifying parties with well-defined roles during emergencies, actions to be carried out in order to recover operations in a timely fashion and regular testing. Business continuity plans need to be reviewed regularly to remain valid.

Business continuity plans are also called disaster or contingency plans.

What is certification?

Certification is confirmation by a third party that operating procedures comply with stated criteria. An organisation can be certified in part or in whole. The scope of the operations to be certified must be known, and the certification is limited to those activities. Certification is accredited if the certifying party has been validated by a government-recognised accreditation body. One example of such a government-recognised accreditation body is the United Kingdom Accreditation Service (UKAS). The British Standards Institution in London, which has a branch in Iceland, is an accredited certification body. Certification is not accredited if the certification body itself has not been validated by a government-authorised accreditation body. For example, Vottun hf. in Iceland is not an accredited certification body.

What does data traceability mean?

In all software, it is important that it can be examined how data develop and change over time. This applies particularly to software used in risk and quality management. In software offering traceability, at least the following needs to be recorded upon each change to data:

  1. Who made the change
  2. The status of the data before the change
  3. The status of the data after the change
  4. When the change took place
  5. The effects of the change on individual parts of the system or the system as a whole

Data traceability is a key component in Stiki's software.
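The five items listed above, as an added example that is not Stiki's software and not code from this page: a small key/value store that refuses to change a record without writing an audit entry holding who, before, after, when and the affected parts of the system. The asset-register data, the user names and the `key` field are constructed for the illustration; the consistency check at the end verifies that each entry's "before" state matches the previous entry's "after" state, which is the property an auditor would want to confirm on a real log.

```python
import copy
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Optional


@dataclass(frozen=True)
class ChangeRecord:
    """One audit-trail entry: the five items a traceable system must record."""
    who: str                 # 1. who made the change
    key: str                 # which record was changed (hypothetical field, added for lookup)
    before: Optional[Any]    # 2. status of the data before the change (None on creation)
    after: Any               # 3. status of the data after the change
    when: str                # 4. when the change took place (ISO 8601, UTC)
    effects: tuple           # 5. parts of the system affected, as reported by the caller


class TraceableStore:
    """Key/value store whose only write path also appends to an audit log."""

    def __init__(self) -> None:
        self._data: dict = {}
        self.log: list = []

    def update(self, key: str, new_value: Any, who: str, effects=()) -> ChangeRecord:
        # Deep copies, so that later edits to objects held by the caller
        # cannot silently rewrite what the log says was stored.
        before = copy.deepcopy(self._data.get(key))
        after = copy.deepcopy(new_value)
        entry = ChangeRecord(
            who=who, key=key, before=before, after=after,
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            effects=tuple(effects),
        )
        self._data[key] = copy.deepcopy(after)
        self.log.append(entry)
        return entry

    def get(self, key: str) -> Any:
        return copy.deepcopy(self._data.get(key))

    def history(self, key: str) -> list:
        return [e for e in self.log if e.key == key]

    def chain_is_consistent(self, key: str) -> bool:
        """Every entry's 'before' must equal the previous entry's 'after';
        a gap means a change was made without being recorded."""
        previous = None
        for e in self.history(key):
            if e.before != previous:
                return False
            previous = e.after
        return True


def demo() -> TraceableStore:
    # Constructed sample data: one entry in a hypothetical asset register,
    # created by one user and reclassified by another.
    store = TraceableStore()
    store.update("asset-42", {"owner": "it-ops", "classification": "internal"},
                 who="alice", effects=("asset register",))
    store.update("asset-42", {"owner": "it-ops", "classification": "confidential"},
                 who="bob", effects=("asset register", "access-control rules"))
    return store
```

Storing the whole before and after state (rather than only a diff) keeps each entry self-describing, which is what makes the consistency check possible without replaying the entire log.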

What is encryption?

Encryption:

The process of scrambling information so that only the intended recipient can unscramble and read the information. When words or number sequences are encrypted, they are converted through the use of an algorithm into a secret code. To make the data understandable again, they need to be decrypted, i.e. converted back to their original form. Encryption uses a secret sequence of characters called an encryption key.

One-way encryption:

Encryption without an encryption key. Input, a word or a number sequence, e.g. an ID number, is converted into a sequence of characters that cannot be converted back to the input, since no decryption key exists. This is often done using a mathematical function called a one-way hash function.

Symmetric encryption:

A single key is used for both encryption and decryption. Input, a word or a number sequence, is converted using a certain algorithm and key. The person performing the encryption chooses the key and needs to keep it secret from outsiders. The same key is used to convert the encrypted data back to its original form.

Asymmetric encryption:

Two different keys are used in asymmetric encryption, one for encryption and one for decryption. Initially, a pair of mathematically related keys is created. Despite their relation, the decryption key, called the private key, cannot be derived from the encryption key, called the public key. When this type of encryption is used it is vital to keep the decryption key secret. This encryption method is commonly used in e-mail communications. The sender encrypts the e-mail text and attachments using the recipient's public key. After delivery, the recipient decrypts the e-mail using the private key.
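The three kinds of encryption described above, side by side, as an added example using only the Python standard library (not code from this page or from Stiki). The one-way case is a salted SHA-256 hash of a constructed ID number; the symmetric case uses an illustrative keystream built from HMAC-SHA256 in counter mode, standing in for a real cipher such as AES because the standard library ships none; the asymmetric case is textbook RSA with the tiny primes 61 and 53, which shows the public/private key relationship but is not usable as real encryption. All sample values (ID number, keys, nonce, message) are constructed.

```python
import hashlib
import hmac


# --- One-way encryption: a salted one-way hash of an ID number ---------------

def one_way_hash(value: str, salt: bytes) -> str:
    """SHA-256 over salt || value. There is no key and no way back; the only
    operation possible later is to recompute the hash and compare."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()


def one_way_matches(value: str, salt: bytes, digest: str) -> bool:
    # Constant-time comparison, so timing does not leak how much matched.
    return hmac.compare_digest(one_way_hash(value, salt), digest)


# --- Symmetric encryption: one secret key for both directions ----------------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Never reuse a (key, nonce) pair; the XOR below would then cancel out."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def symmetric_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # Same key, same operation: XOR with the same keystream undoes itself.
    return symmetric_encrypt(key, nonce, ciphertext)


# --- Asymmetric encryption: public key encrypts, private key decrypts ---------

def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA with tiny primes, for illustration only. Real keys are
    thousands of bits long and messages are padded before encryption."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+); this is the secret
    return (e, n), (d, n)        # (public key, private key)


def rsa_encrypt(public_key, message: int) -> int:
    e, n = public_key
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)


def demo() -> dict:
    # Constructed sample values. The salt, key and nonce are fixed here only
    # so the run is reproducible; in practice draw them from os.urandom().
    salt = b"\x01" * 16
    digest = one_way_hash("1234567890", salt)

    key, nonce = b"k" * 32, b"n" * 16
    message = b"Quarterly report attached."
    ct = symmetric_encrypt(key, nonce, message)

    public_key, private_key = rsa_keypair()
    c = rsa_encrypt(public_key, 65)   # e-mail sender uses the recipient's public key

    return {
        "hash_verifies": one_way_matches("1234567890", salt, digest),
        "wrong_id_rejected": not one_way_matches("1234567891", salt, digest),
        "ciphertext_differs": ct != message,
        "symmetric_roundtrip": symmetric_decrypt(key, nonce, ct) == message,
        "rsa_ciphertext": c,
        "rsa_plaintext": rsa_decrypt(private_key, c),   # recipient uses the private key
    }
```

Note what each branch keeps secret: nothing in the one-way case (there is nothing to decrypt), the single key in the symmetric case, and only the private exponent `d` in the asymmetric case, while `(e, n)` may be published.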

What is an information security management system?

An information security management system (ISMS) is part of an organisation's overall management system. It is intended to maintain information security. The ISMS extends to the organisation's activities and customer relations. It covers a company's organisation chart, its policies, internal structure, division of responsibility, work routines, procedures, processes and resources.

The scope of an ISMS can include an organisation's total operations or defined parts of its activities. The ISMS needs to cover the information systems, including assets, services and software, used in the operations specified under the defined scope.

What is an information system?

An information system comprises a data collection and a data processing system that together form an integrated system for the storage and use of information. Information systems also include the personnel, equipment, software, services, funds and other factors involved in providing or distributing information.

What are ISO 27001, ISO 27002 and ISO 9001?

ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements. This standard contains the specification for information security management systems.

ISO/IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management.

ISO 9001:2008 Quality management systems - Requirements. This is a standard for quality management systems.

Further details: https://bsi-global.com, http://www.iso.org/iso/en/ISOOnline.frontpage

What is risk assessment for data processing?

Risk assessment is the overall process of risk analysis and risk weighting in accordance with ISO/IEC 27001:2005: the evaluation of risks to data and data processing, their effects, the sensitivity of the data to them and the probability of the risks being realised. This includes assessing the risk of an outside party accessing data, changing them or otherwise compromising their security. Risk assessment also covers the scope and consequences of each risk with reference to the nature of the data being used. The goal of risk assessment is to provide a basis for selecting security measures. Risk assessments are reviewed annually.
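The process just described, reduced to working code as an added example (not Stiki's software and not from this page): each risk to an asset is scored as probability times effect, where the effect reflects the sensitivity of the data; risks above an acceptance threshold are ranked so that security measures can be selected for them, and a date check flags when the annual review is due. The 1..5 scales, the threshold value and the register entries are constructed assumptions, not figures from the page or from ISO/IEC 27001.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # probability of the risk being realised, 1 (rare) .. 5 (almost certain)
    impact: int       # effect if realised, 1 (negligible) .. 5 (severe); reflects data sensitivity
    control: str      # security measure to select if the risk is not acceptable

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(risks, acceptable: int) -> list:
    """Validate the scores, then return the risks above the acceptance
    threshold, highest first. These are the ones that need measures."""
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.asset}/{r.threat}: likelihood and impact must be 1..5")
    return sorted((r for r in risks if r.score > acceptable),
                  key=lambda r: r.score, reverse=True)


def review_due(last_review: date, today: date) -> bool:
    """Assessments are reviewed annually; flag one that is a year or more old."""
    return today - last_review >= timedelta(days=365)


SAMPLE_REGISTER = [  # constructed sample entries for a hypothetical organisation
    Risk("client database", "outside party reads records", 3, 5, "encrypt at rest, restrict access"),
    Risk("client database", "outside party alters records", 2, 5, "integrity checks, change logging"),
    Risk("public web site", "defacement", 4, 2, "patching, web application firewall"),
    Risk("internal wiki", "accidental deletion", 3, 1, "daily backups"),
]


def demo(acceptable: int = 6) -> list:
    """Return (asset, threat, score, control) for every risk that needs a measure."""
    return [(r.asset, r.threat, r.score, r.control)
            for r in assess(SAMPLE_REGISTER, acceptable)]
```

Keeping the proposed control next to each risk is what turns the scored list into the "basis for selecting security measures" the text mentions: whatever the threshold, the measures to implement fall out of the ranked list directly.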

© Stiki - Information Security - Laugavegur 176 - IS-105 Reykjavik - Phone: +354 5700 600