Compliance & Governance Glossary: 200+ Key Terms Defined
Clear, concise definitions for the terms you encounter across compliance frameworks, audit reports, and governance documentation. From access control to zero trust.
83 terms across 19 letters
A
Security measures that regulate who can view or use resources in a computing environment. Access controls include authentication, authorisation, and audit mechanisms.
Formal recognition by an authoritative body that an organisation is competent to carry out specific tasks, such as certification audits or testing.
Laws, regulations, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income.
The section of ISO 27001 that contains the reference set of information security controls. The 2022 revision organises 93 controls into four themes: Organisational, People, Physical, and Technological.
A systematic, independent examination of an organisation's activities, processes, or financial records to verify compliance with standards, regulations, or internal policies.
A chronological record of system activities that enables the reconstruction and examination of events. Essential for forensic analysis and regulatory compliance.
The process of verifying the identity of a user, device, or system. Common methods include passwords, biometrics, tokens, and multi-factor authentication (MFA).
The process of determining what actions an authenticated user or system is permitted to perform. Typically enforced through access control lists or role-based access control.
B
A minimum set of security controls or configurations established as a starting point. Baselines can be tailored based on an organisation's risk profile and operating environment.
A process that identifies critical business functions and determines the impact of disruption. Used to set recovery time objectives (RTO) and recovery point objectives (RPO).
The legal requirement to inform affected individuals, regulators, or other parties when personal data has been compromised. GDPR requires notification within 72 hours.
The capability of an organisation to continue delivering products or services at acceptable levels following a disruptive incident. Governed by frameworks like ISO 22301.
C
California's consumer privacy law, amended by CPRA in 2023. Gives consumers rights over their personal information including the right to know, delete, opt-out, and non-discrimination.
Formal attestation by an accredited body that an organisation's management system meets the requirements of a specific standard (e.g., ISO 27001, ISO 9001).
The senior executive responsible for an organisation's information security strategy, policies, and operations. Reports to the CEO, CIO, or board depending on the organisation.
The set of policies, controls, procedures, and technologies that protect cloud-based systems, data, and infrastructure. Governed by the shared responsibility model between cloud provider and customer.
A US Department of Defense framework requiring defence contractors to demonstrate cybersecurity maturity across five levels. Based on NIST 800-171 controls.
An alternative security measure employed when a primary control cannot be implemented. Must provide an equivalent level of protection and be documented with justification.
The state of conforming to laws, regulations, standards, or internal policies. In information security, compliance is typically demonstrated through audits, certifications, and continuous monitoring.
The principle of ensuring that information is accessible only to authorised individuals, entities, or processes. One of the three pillars of information security (CIA triad).
A measure (policy, procedure, technical mechanism, or physical safeguard) that modifies risk. Controls can prevent, detect, or correct security incidents.
The process of identifying relationships between controls in different frameworks. For example, mapping ISO 27001 Annex A controls to NIST 800-53 controls to identify overlap and gaps.
Control Objectives for Information and Related Technologies, an IT governance framework by ISACA. COBIT 2019 provides 40 governance and management objectives across five domains.
Action taken to eliminate the root cause of a detected nonconformity or other undesirable situation, preventing its recurrence. A key concept in ISO management systems.
The discipline of identifying equivalent or related controls across multiple compliance frameworks. Enables unified control sets and reduces duplicate compliance effort.
An organisation's ability to continuously deliver intended outcomes despite adverse cyber events. Goes beyond cybersecurity to include preparedness, response, and recovery.
D
An incident where confidential, private, or protected data is accessed, disclosed, or stolen by an unauthorised party. May trigger breach notification requirements under GDPR, HIPAA, or other regulations.
The process of categorising data based on its sensitivity and the impact of unauthorised disclosure. Common levels: Public, Internal, Confidential, Restricted.
Under GDPR, the entity that determines the purposes and means of processing personal data. The controller bears primary responsibility for compliance.
Under GDPR, an entity that processes personal data on behalf of a data controller. Must act only on the controller's instructions and implement appropriate security measures.
A process required by GDPR Article 35 for assessing the risks of data processing activities that are likely to result in a high risk to individuals' rights and freedoms.
A security strategy that uses multiple layers of controls to protect assets. If one layer fails, others continue to provide protection.
The process of restoring IT systems and data after a catastrophic event. Typically governed by a Disaster Recovery Plan (DRP) with defined RTOs and RPOs.
The investigation or audit of a potential investment, partner, or vendor to confirm facts and assess risks. In compliance, often refers to vendor risk assessment.
E
The process of converting data into a coded format to prevent unauthorised access. Includes encryption at rest (stored data) and encryption in transit (data being transmitted).
A holistic approach to identifying, assessing, and managing risks across an entire organisation. Frameworks include COSO ERM and ISO 31000.
The European Union's regulation on artificial intelligence, establishing a risk-based classification system. Bans certain AI practices and imposes strict requirements on high-risk AI systems.
F
The Federal Risk and Authorization Management Program, a US government programme that standardises security assessment and authorisation for cloud services used by federal agencies.
A structured set of guidelines, practices, and controls that organisations use to manage specific aspects of their operations. Compliance frameworks provide requirements for achieving and demonstrating compliance.
G
A comparison between an organisation's current state and the requirements of a target framework or standard. Identifies areas that need improvement to achieve compliance.
The EU's comprehensive data protection regulation (effective May 2018). Applies to any organisation processing personal data of EU residents, regardless of the organisation's location.
The system by which an organisation is directed and controlled. IT governance ensures that IT investments support business objectives and manage risks appropriately.
Governance, Risk, and Compliance, an integrated approach to aligning IT with business objectives, managing risk, and meeting compliance requirements.
H
I
The organised approach to addressing and managing a security breach or cyberattack. Includes preparation, identification, containment, eradication, recovery, and lessons learned.
The practice of protecting information by mitigating risks to its confidentiality, integrity, and availability. Governed by frameworks such as ISO 27001 and NIST CSF.
The principle of ensuring that data is accurate, complete, and has not been modified by unauthorised parties. One of the three pillars of the CIA triad.
An independent, objective assurance activity within an organisation that evaluates the effectiveness of risk management, controls, and governance processes.
A systematic approach to managing sensitive information so that it remains secure. ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS.
The international standard for information security management systems (ISMS). The 2022 revision (ISO/IEC 27001:2022) includes 93 controls in Annex A, restructured into four themes.
The companion standard to ISO 27001 that provides implementation guidance for the Annex A controls. It is not a certifiable standard in itself; it supports ISO 27001 implementation.
K
A metric used to signal increasing risk exposures in various areas of an enterprise. KRIs provide early warning signs that enable proactive risk management.
The process of verifying the identity and assessing the suitability of customers. A key component of anti-money laundering compliance.
L
The security principle of granting users only the minimum access rights needed to perform their job functions. Reduces the attack surface and limits damage from compromised accounts.
M
A framework that describes levels of organisational capability or process maturity, typically from initial/ad hoc to optimised. Used to benchmark progress and set improvement targets.
An authentication method requiring two or more verification factors: something you know (password), something you have (token), or something you are (biometric).
N
A voluntary framework by the US National Institute of Standards and Technology. Version 2.0 includes six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
A failure to fulfil a requirement. In ISO management systems, nonconformities found during audits must be addressed through corrective actions to eliminate the root cause.
P
An authorised simulated cyberattack against a system to evaluate its security. Identifies vulnerabilities that could be exploited by real attackers.
Under HIPAA, any individually identifiable health information held by a covered entity or business associate, including demographic data, medical records, and billing information.
An approach that embeds privacy protections into the design and architecture of systems and processes from the outset, rather than adding them as an afterthought. A principle of GDPR.
A formal statement of management intent and direction. Security policies establish the rules, expectations, and standards that guide an organisation's approach to information security.
R
An access control model where permissions are assigned to roles rather than individual users. Users are then assigned to roles based on their job functions.
The process of adhering to laws and regulations relevant to an organisation's operations. Non-compliance can result in fines, legal action, and reputational damage.
The risk that remains after controls have been applied. If residual risk exceeds the organisation's risk appetite, additional controls or risk treatment is required.
The amount and type of risk an organisation is willing to accept in pursuit of its objectives. Set by the board and communicated throughout the organisation.
The process of identifying, analysing, and evaluating risks. Includes identifying assets and threats, assessing likelihood and impact, and determining risk treatment options.
A documented inventory of identified risks, their assessments, treatment plans, and current status. A key tool in enterprise risk management.
The process of selecting and implementing measures to modify risk. Options include: mitigate (reduce), accept (retain), avoid (eliminate), or transfer (share) the risk.
The maximum acceptable amount of data loss measured in time. An RPO of 4 hours means the organisation can tolerate losing up to 4 hours of data.
The maximum acceptable time to restore a system or process after a disruption. An RTO of 2 hours means the system must be back online within 2 hours.
S
A technology platform that aggregates and analyses log data from across an organisation's IT infrastructure to detect security threats and support incident response.
An AICPA audit report on controls at a service organisation relevant to user entities' financial reporting. Available as Type I (design only) or Type II (design and operating effectiveness).
An AICPA audit report based on the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The most common assurance report for technology service providers.
A US federal law (2002) requiring public companies to establish and maintain internal controls over financial reporting. SOX Section 404 requires management assessment of internal controls.
A required ISO 27001 document listing all Annex A controls, indicating which are applicable, which are implemented, and justification for any exclusions.
A periodic audit conducted between certification and recertification to verify that a certified management system continues to meet the standard's requirements.
T
The process of identifying, assessing, and managing risks associated with outsourcing to or partnering with external organisations. Includes vendor due diligence and ongoing monitoring.
Evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, and actionable advice. Used to inform security decisions.
The five criteria used in SOC 2 audits: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Organisations select which criteria apply.
V
A systematic process of identifying, quantifying, and prioritising security vulnerabilities in systems, applications, and networks.
Z
A security model that assumes no user, device, or network should be trusted by default, even those inside the corporate perimeter. Requires continuous verification for every access request.