Glossary

Ever felt that compliance is a mysterious forest full of jargon, acronyms and abbreviations? You're not alone. Our glossary is here to guide you through this complex terrain.

Compliance Glossary

A

Access Control

The system of rules and technologies determining who has access to which information systems, data and facilities, when and under what conditions.

ACL (Access Control List)

A list of rules specifying which users or systems have access to certain resources and what actions they may perform on them.

AI Impact Assessment (AIIA)

Systematic evaluation of risks and effects of AI systems on individuals, groups and society, required under the EU AI Act.

Annex A Controls (ISO 27001)

The 93 security controls from ISO 27001:2022 Annex A that organisations can implement to manage information security risks.

API Security

Protection of Application Programming Interfaces against misuse, data breaches and unauthorised access through authentication, encryption and rate limiting.

Asset Management

The process of identifying, classifying and managing all information assets within an organisation including hardware, software, data and intellectual property.

Audit Fatigue

Reduced effectiveness due to excessive audits, addressed with integrated GRC platforms that reuse evidence.

Audit Trail

Chronological log of all system activities and transactions recording who, what, when and why for compliance and forensic purposes.

B

Biometric Data

Unique physical or behavioural characteristics such as fingerprints or facial recognition, classified as special personal data under GDPR.

Business Impact Analysis (BIA)

Systematic analysis of critical business processes to determine priorities for recovery during disruptions.

C

CAB (Change Advisory Board)

Committee that reviews and approves change requests to minimise risks of system changes according to ITIL principles.

CAROC (Complementary User Entity Controls)

Controls that customers must implement themselves to ensure the effectiveness of SOC 2 certified services.

Chief Information Security Officer (CISO)

C-level executive responsible for overall information security strategy and compliance.

CIA Classification

Dutch standard for Confidentiality, Integrity and Availability of information.

Classification Levels

Categorisation of information by sensitivity (public, internal, confidential, secret) to determine appropriate security measures.

Classified Information

Government information classified as state secret, top secret, secret or departmentally confidential.

Cloud Security Alliance (CSA)

Organisation developing best practices and standards for secure cloud computing, known for the Cloud Controls Matrix framework.

CMDB (Configuration Management Database)

Central database with all IT assets and their interrelationships, essential for change management and incident response.

Compliance Automation

Software that automates compliance processes such as evidence collection, control monitoring and audit preparation to minimise manual work.

Confidentiality

Principle ensuring that information is not disclosed to unauthorised parties, one of the three elements of the CIA Triad.

Continuous Compliance

Real-time monitoring and automatic validation of compliance status instead of periodic audits.

Continuous Improvement

ISO 27001 requirement to continuously improve the ISMS via the Plan-Do-Check-Act cycle.

Control Automation

Technology that automates manual compliance tasks such as evidence collection and control testing.

Control Objectives

Specific goals that security controls must achieve.

Control Tests

Periodic verification that security controls function effectively as designed.

Corrective Action Plan (CAP)

Documented plan to resolve identified non-conformities or audit findings within a specified timeframe.

Corrective Measures

Actions to remove causes of identified non-conformities and prevent recurrence.

Cross-Border Data Transfer

Transfer of personal data to countries outside the EEA, requiring additional safeguards under GDPR.

Cross-Border Processing

Processing of personal data in multiple EU member states with specific GDPR requirements.

Cryptography

Technique for encrypting data to ensure confidentiality and integrity during storage and transport.

CSIRT (Computer Security Incident Response Team)

Specialised team responsible for detecting, analysing and responding to cybersecurity incidents within an organisation.

Cybersecurity

The practice of protecting digital systems, networks and data from unauthorised access, attacks and damage.

D

Data Discovery

Automated process for identifying and locating personal data within all systems and databases of an organisation.

Data Inventory

Complete overview of all data assets including location, owner, classification and access rights.

Data Minimisation

GDPR principle requiring only necessary personal data to be collected and processed for the specific purpose.

Data Protection Authority

Supervisory authority for data protection; in the Netherlands this is the Autoriteit Persoonsgegevens (AP).

Data Protection by Design

Obligation to build privacy and data protection into systems and processes from the beginning.

Data Retention Policy

Policy determining how long different types of data are retained and when they must be destroyed.

DDoS Protection

Measures to detect and mitigate Distributed Denial of Service attacks that make systems unavailable.

DevSecOps

Integration of security practices into DevOps processes to build security into software development from the beginning.

Disaster Recovery

Plan and procedures for restoring critical systems and data after a disruptive event such as a natural disaster or cyberattack.

Document Change Management

Process of tracking and approving changes to compliance documents and contracts.

Document Management

Systematic management of documents and records throughout their lifecycle for compliance purposes.

E

Encryption at Rest

Encryption of data stored on hard drives, databases or other storage media.

Encryption in Transit

Protection of data during transmission between systems through protocols such as TLS/SSL.

Endpoint Detection and Response (EDR)

Security solution that monitors endpoints and automatically responds to detected threats.

Evidence Archive

Central storage for all compliance evidence organised by control and framework.

Evidence Collection

Systematic gathering of evidence demonstrating that security controls function effectively for compliance audits.

Explainable AI (XAI)

AI systems whose decision-making is transparent and comprehensible to users, required under ISO 42001.

F

Federated Identity Management

System where users gain access to multiple systems with one set of credentials via identity federation.

FIDO2 Authentication

Modern authentication standard for passwordless verification via biometrics or hardware security keys.

Framework Harmonisation

Integration of multiple compliance frameworks to eliminate overlap and increase efficiency.

Framework Mapping

Linking between overlapping requirements from different standards to prevent duplication of work.

G

Gap Analysis

Systematic comparison between current state and required compliance level to identify missing controls.

GRC Platform

Software for Governance, Risk and Compliance management that automates and centralises processes.

I

IAM (Identity and Access Management)

Framework for managing digital identities and access rights within an organisation.

ICT Risk Management (DORA)

Specific requirements for managing ICT risks in the financial sector under DORA.

IDS/IPS (Intrusion Detection/Prevention System)

Systems that monitor network traffic for suspicious activity and either report it (IDS) or automatically block it (IPS).

Information Security Policy

Overarching policy document defining the security objectives and principles of an organisation.

Inherent Risk

Risk level before mitigating measures are implemented.

Internal Audit

Independent evaluation of compliance and control effectiveness by internal audit function.

IT General Controls (ITGC)

Basic IT controls ensuring reliability of automated processes.

J

Joint Controller

Two or more parties jointly determining purposes and means of data processing under GDPR.

K

Key Management

Processes for securely generating, distributing, storing and destroying cryptographic keys.

Key Performance Indicators (KPIs)

Measurable values demonstrating effectiveness of compliance and security programmes.

Key Risk Indicators (KRIs)

Metrics providing early warning of increasing risks before they materialise.

L

Least Privilege

Security principle where users receive only minimally necessary access rights for their function.

Likelihood and Impact Matrix

Tool for risk assessment combining probability and consequences for prioritisation.

Logging and Monitoring

Continuous recording and analysis of system events for security and compliance purposes.

Logical Access Security

Technical measures such as passwords and multi-factor authentication for system access.

M

Machine Learning Operations (MLOps)

Framework for managing machine learning models in production focusing on compliance and ethics.

Main Establishment

Place of central administration in the EU, used to determine the lead supervisory authority in cross-border processing.

Managed Security Service Provider (MSSP)

External party providing security monitoring and incident response services.

Management Review

Periodic evaluation by management of compliance management system effectiveness.

Maturity Model

Framework for assessing and improving maturity of compliance and security processes.

Metadata

Structured information about data such as creation date, owner and classification level.

MFA (Multi-Factor Authentication)

Authentication combining multiple verification methods such as password plus SMS code or biometrics.

Model Governance

Framework for managing, monitoring and controlling AI and machine learning models throughout their lifecycle to ensure compliance and performance.

N

Network Segmentation

Division of networks into zones to limit impact of security incidents.

Non-Conformity

Deviation from requirements in standards, laws or regulations requiring corrective action.

Non-Disclosure Agreement (NDA)

Confidentiality agreement protecting confidential information in collaboration with external parties.

O

OAuth 2.0

Open standard for delegated authorisation allowing applications to act on behalf of users.

Objective Evidence

Verifiable documentation demonstrating controls work effectively for audit purposes.

Operational Resilience

Ability to continue delivering critical services during and after disruptions.

OWASP Top 10

List of the most critical web application security risks, published by the Open Web Application Security Project.

P

Patch Management

Systematic process for testing and installing security updates and patches.

PCI DSS (Payment Card Industry Data Security Standard)

Security standard for organisations processing credit card transactions.

Penetration Test

Authorised simulated cyber attack to identify weaknesses in systems.

Perimeter Protection

Security measures at network edge such as firewalls and intrusion prevention systems.

Personal Data

Any information about an identified or identifiable natural person according to GDPR.

Physical Security

Measures to protect physical assets such as access control to data centres.

PII (Personally Identifiable Information)

Information that can be used directly or indirectly to identify an individual.

Policy Management

Systematic management of policy rules including creation, approval, distribution and periodic review.

Privacy by Default

Obligation to use the most privacy-friendly settings by default in systems.

Privacy Champion

Employee who promotes privacy awareness and serves as contact point within a department.

Privacy Engineering

Technical implementation of privacy principles in systems and applications.

Privacy Impact Assessment (PIA)

Evaluation of privacy risks in new projects or processing activities, the predecessor of the DPIA.

Privacy Notice

Transparent communication to data subjects about how their personal data is processed.

Privileged Access Management (PAM)

Management and monitoring of accounts with elevated rights such as administrator accounts.

Processing Activity

Any operation with personal data such as collecting, storing, consulting or destroying.

Processing Register

Overview of all processing activities including purposes, categories and retention periods required under GDPR Article 30.

Profiling

Automated processing of personal data for evaluating personal aspects.

Pseudonymisation

Technique where personal data is no longer directly traceable without additional information.

Purpose Limitation

GDPR principle that data may only be used for the purpose for which it was collected.

Q

Quantum-Safe Cryptography

Encryption methods resistant to future quantum computers.

R

RACI Matrix

Model defining Responsible, Accountable, Consulted and Informed parties for compliance tasks.

Ransomware Protection

Measures against malware that encrypts files and demands ransom for decryption.

RBAC (Role-Based Access Control)

Access management based on functions where rights are linked to roles.

Recipient

Natural or legal person to whom personal data is disclosed.

Recovery Point Objective (RPO)

Maximum acceptable data loss measured in time during an incident or disaster.

Recovery Time Objective (RTO)

Maximum acceptable time within which systems or processes must be restored after a disruption.

Regulatory Change Management

Process for identifying, assessing and implementing changes in laws and regulations.

Remediation

Process of resolving identified compliance shortcomings or security vulnerabilities.

Residual Risk

Remaining risk level after implementing mitigating measures.

Responsible AI

Approach to AI development and deployment that prioritises ethics, transparency, accountability and alignment with human values and regulations.

Retention Period

The period during which personal data or documents may be retained, determined by legal requirements or business purposes.

Right to be Forgotten

GDPR right whereby data subjects can request deletion of their personal data under certain conditions.

Risk Appetite

Amount and type of risk an organisation is willing to accept for its objectives.

Risk Management

Process of identifying, analysing and responding to risks to protect organisational assets and achieve business objectives.

Risk Register

Central documentation of all identified risks including owner, impact and mitigation status.

Risk Score

Quantitative method for assigning numerical values to risks for objective prioritisation.

Risk Treatment

ISO 27001 process for selecting and implementing measures to modify risks.

Risk Treatment Plan

Documented approach for addressing risks through acceptance, mitigation, transfer or avoidance.

S

SAML (Security Assertion Markup Language)

XML standard for exchanging authentication and authorisation data between identity providers and service providers.

SAST (Static Application Security Testing)

Automated analysis of source code to identify security vulnerabilities.

Schrems II

EU ruling setting strict requirements for international data transfers to countries without adequate protection level.

Scope

Definition of processes, locations and systems to which the ISMS applies.

Security Awareness Training

Periodic training for employees on security risks and best practices.

Security Baseline

Minimum set of security measures that must be implemented according to organisational policy.

Security Control

Technical, administrative or physical measure to manage security risks.

Security Incident

Event that threatens the confidentiality, integrity or availability of information.

Security Operations Centre (SOC)

Central team providing 24/7 security monitoring and incident response.

Security Orchestration (SOAR)

Automation of security processes for faster detection and response to incidents.

Security Posture

Overall status of security measures and resilience against cyber attacks.

Segregation of Duties (SoD)

Separation of tasks to prevent fraud by distributing critical functions across multiple people.

Sensitive Personal Data

Special categories of personal data such as health, religion or biometrics with additional protection requirements.

Service Level Agreement (SLA)

Contract with agreements on performance, availability and security of services.

Shared Responsibility Model

Distribution of security responsibilities between cloud provider and customer.

SIEM (Security Information and Event Management)

Platform collecting, correlating and analysing security events for threat detection.

Single Sign-On (SSO)

Authentication method where users gain access to multiple applications with one login.

SOC 2 Type I

Report on control design at a specific moment according to AICPA standards.

SOC 2 Type II

Extended report on operational effectiveness of controls over a period of at least 3 months.

Software Bill of Materials (SBOM)

Inventory of all components and dependencies in software for supply chain security.

Special Categories of Personal Data

Sensitive data such as race, religion, health or sexual orientation with additional GDPR protection.

Spoofing

Attack technique where identity is falsified to gain unauthorised access.

Standard Contractual Clauses (SCC)

EU-approved model contracts for international data transfer.

Statement of Applicability (SoA)

Document indicating which ISO 27001 Annex A controls are or are not applicable, with justification for each.

Subprocessor

Third party engaged by processor for specific processing activities, requiring approval under GDPR.

Supplier Risk Assessment

Evaluation of security and compliance risks with suppliers prior to collaboration.

Supply Chain Security

Measures to identify and manage risks with suppliers and partners.

System Hardening

Process of removing unnecessary functions and configuring secure settings.

T

Technical and Organisational Measures (TOMs)

Technical and organisational measures required under GDPR Article 32.

Third Party

Natural or legal person other than data subject, controller or processor.

Third Party Risk Management (TPRM)

Management of compliance and security risks with suppliers and partners.

Threat

Potential danger or harmful event that could exploit vulnerabilities and negatively impact the confidentiality, integrity, or availability of information or systems.

Threat Intelligence

Collected information about current cyber threats for proactive defence.

Threat Modelling

Systematic identification of potential threats and vulnerabilities in systems.

Trust Service Principles (TSP)

AICPA criteria for SOC 2: Security, Availability, Processing Integrity, Confidentiality, Privacy.

Two-Factor Authentication (2FA)

Verification via two different methods such as password plus SMS code.

U

User Access Review

Periodic check whether user rights are still appropriate for function and responsibilities.

User Access Rights

Specific authorisations granted to users for access to systems, data and functionalities.

V

Version Control

Systematic management of changes to documents, code and configurations with traceability of all modifications.

Vital Interests

GDPR basis for processing necessary to protect life or health.

Vulnerability Assessment

Systematic investigation of weaknesses in systems, applications and processes.

Vulnerability Management

Continuous process of identifying, evaluating and remediating vulnerabilities in systems.

Vulnerability Scan

Automated detection of known weaknesses in systems, networks and applications.

W

WAF (Web Application Firewall)

Firewall filtering HTTP/HTTPS traffic to protect web applications against attacks.

Waterfall Method

Traditional development method with sequential phases, in contrast to Agile/DevSecOps.

Whistleblower Protection

Measures to protect employees who report misconduct according to EU Whistleblower Directive.

Z

Zero-Knowledge Proof

Cryptographic method where one party can prove that it knows something without revealing the information itself.

Zero-Trust Architecture

Security model where no network or user is trusted by default and continuous verification is required.

Zone-Based Security

Network architecture with separated zones based on trust level and sensitivity.