Marcus Burkert :: Security Knowledgebase :: RSS
About me
FAQs
Frequently asked questions are listed questions and answers, all supposed to be commonly asked in some context, and pertaining to a particular topic.
ISO 27001 Controls
This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The adoption of an ISMS should be a strategic decision for an organization. The design and implementation of an organization's ISMS is influenced by its needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization.
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization.
PCI DSS 2.0 Controls
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card processing - including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.
Risk and Security Analysis
Risk identification sets out to identify an organization's exposure to uncertainty. This requires an intimate knowledge of the organization, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.
Risk identification should be approached in a methodical way to ensure that all significant activities within the organization have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorized.
Risk Evaluation
When the risk analysis process has been completed, it is necessary to compare the estimated risks against the risk criteria which the organization has established. The risk criteria may include associated costs and benefits, legal requirements, socioeconomic and environmental factors, concerns of stakeholders, etc. Risk evaluation, therefore, is used to make decisions about the significance of risks to the organization and whether each specific risk should be accepted or treated.
Security Handbook
Information Security Policies & Standards underpin the security and well-being of information resources. They are the foundation, the bottom line, of information security within the company.
Business Continuity
Business continuity planning is "planning which identifies the organization's exposure to internal and external threats and synthesizes hard and soft assets to provide effective prevention and recovery for the organization, whilst maintaining competitive advantage and value system integrity". The logistical plan used in BCP is called a business continuity plan. The intended effect of BCP is to ensure business continuity, which is an ongoing state or methodology governing how business is conducted.
In plain language, BCP is working out how to stay in business in the event of disaster. Typical incidents include local events like building fires, regional incidents like earthquakes or floods, or national incidents like pandemic illnesses. However, it is not limited to just that. Any event that could cause the potential for loss of business should be considered, including any event that the business is dependent on, such as loss of source of supply, loss of critical infrastructure (a major piece of machinery or computing/network resource), or the result of theft or vandalism. As such, risk management must be incorporated as part of BCP.
Incident Management
Incident Management (IcM) refers to the activities of an organization to identify, analyze and correct hazards. For instance, a fire in a factory would be a risk that was realized, or an incident that happened. An Incident Response Team (IRT) or an Incident Management Team (IMT), specifically designated for the task beforehand or on the spot, would then manage the organization through the incident.
Reporting