Compliance Glossary

A

ABDO (General Security Requirements for Defence Contracts): Dutch security standard for companies executing classified contracts for the Ministry of Defence, with requirements for physical and information security.
Access Control: The system of rules and technologies determining who has access to which information systems, data and facilities, when and under what conditions.
ACL (Access Control List): A list of rules specifying which users or systems may access a given resource and which actions they may perform on it.
AI Governance: The framework of policies, procedures and controls for responsible use of AI systems, including ethical considerations, transparency and accountability.
AI Impact Assessment (AIIA): Systematic evaluation of the risks and effects of AI systems on individuals, groups and society; the EU AI Act requires a related fundamental rights impact assessment from certain deployers of high-risk AI systems.
Annex A Controls (ISO 27001): The 93 controls in ISO 27001:2022 Annex A from which organisations select, via the Statement of Applicability, the measures that treat their information security risks.
API Security: Protection of Application Programming Interfaces against misuse, data breaches and unauthorised access through authentication, authorisation, input validation, encryption and rate limiting.
Asset Management: The process of identifying, classifying and managing all information assets within an organisation, including hardware, software, data and intellectual property.
Audit Fatigue: Reduced effectiveness caused by excessive, overlapping audits; integrated GRC platforms address it by collecting evidence once and reusing it across frameworks.
Audit Trail: Chronological log of system activities and transactions recording who did what, when and why, for compliance and forensic purposes; it must be protected against modification by the users whose actions it records.
Authentication: The process of verifying that a user, system or entity is actually who it claims to be, typically via passwords, tokens or biometrics.
Authorisation: The process of determining what rights and privileges an authenticated user has within a system or application.
B

BCM (Business Continuity Management): Systematic approach for identifying critical business processes and developing plans to protect them against disruptions.
BIO (Government Information Security Baseline): Dutch standard for information security at government organisations, based on ISO 27001/27002 with additional government-specific measures.
Biometric Data: Unique physical or behavioural characteristics such as fingerprints or facial geometry; a special category of personal data under GDPR when processed to uniquely identify a person.
Business Impact Analysis (BIA): Systematic analysis of critical business processes to determine recovery priorities, and the RTO and RPO for each, during disruptions.

C

CAB (Change Advisory Board): Committee that reviews and approves change requests to minimise the risk of system changes, following ITIL principles.
CUEC (Complementary User Entity Controls): Controls that the customer must implement itself for the controls described in a service provider's SOC 2 report to be effective; the report does not cover whether the customer actually implements them.
Certification: Formal confirmation by an accredited party that an organisation meets a specific standard such as ISO 27001. (SOC 2 produces an attestation report issued by a CPA firm rather than a certification.)
Chief Information Security Officer (CISO): C-level executive responsible for the overall information security strategy and compliance.
CIA Classification: Dutch classification scheme (BIV-classificatie) rating information on Confidentiality, Integrity and Availability to determine the required protection level.
CIA Triad: Fundamental information security model consisting of Confidentiality, Integrity and Availability.
Classification Levels: Categorisation of information by sensitivity (public, internal, confidential, secret) to determine the appropriate security measures.
Classified Information: Government information classified as state secret (top secret, secret or confidential) or departmentally confidential.
Confidentiality: Principle ensuring that information is not disclosed to unauthorised parties; one of the three elements of the CIA Triad.
Cloud Security Alliance (CSA): Organisation developing best practices and standards for secure cloud computing, known for the Cloud Controls Matrix (CCM) framework.
CMDB (Configuration Management Database): Central database of all IT assets and their interrelationships, essential for change management and incident response.
Compliance Automation: Software that automates compliance processes such as evidence collection, control monitoring and audit preparation to minimise manual work.
Compliance Framework: Structured set of guidelines, standards and procedures that helps organisations comply with regulations.
Consent: One of the GDPR lawful bases: a freely given, specific, informed and unambiguous indication of the data subject's wishes, given by a statement or clear affirmative action, which must be as easy to withdraw as to give.
Context of the Organisation (ISO 27001): Requirement to identify the internal and external factors and the stakeholders that influence the ISMS.
Continuous Compliance: Real-time monitoring and automatic validation of compliance status, instead of relying solely on periodic audits.
Continuous Improvement: ISO 27001 requirement to continuously improve the ISMS via the Plan-Do-Check-Act cycle.
Continuous Monitoring: Real-time or frequent checking of security controls and compliance status to detect and correct deviations immediately.
Control Automation: Technology that automates manual compliance tasks such as evidence collection and control testing.
Control Objectives: Specific goals that security controls must achieve.
Control Tests: Periodic verification that security controls function effectively as designed.
Controls: Technical or organisational measures to manage risks.
Corrective Action Plan (CAP): Documented plan to resolve identified non-conformities or audit findings within a specified timeframe.
Corrective Measures: Actions to remove the causes of identified non-conformities and prevent recurrence.
Cross-Border Data Transfer: Transfer of personal data to countries outside the EEA, requiring a transfer mechanism under GDPR Chapter V (adequacy decision, Standard Contractual Clauses or Binding Corporate Rules).
Cross-Border Processing: Processing of personal data in multiple EU member states, which triggers the lead supervisory authority (one-stop-shop) mechanism under GDPR.
Cryptography: Mathematical techniques (encryption, hashing, message authentication, digital signatures) used to protect the confidentiality, integrity and authenticity of data in storage and in transit.
Cybersecurity: The practice of protecting digital systems, networks and data from unauthorised access, attacks and damage.
CSIRT (Computer Security Incident Response Team): Specialised team responsible for detecting, analysing and responding to cybersecurity incidents within an organisation.

D

Data Breach Notification Obligation: GDPR obligation to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless it is unlikely to result in a risk), and to inform affected data subjects without undue delay when the breach is likely to result in a high risk to them.
Data Classification: Process of categorising data based on sensitivity and criticality to determine the appropriate security measures.
Data Controller: Entity that determines the purposes and means of data processing and is ultimately responsible for GDPR compliance.
Data Discovery: Automated process for identifying and locating personal data across all systems and databases of an organisation.
Data Inventory: Complete overview of all data assets including location, owner, classification and access rights.
Data Loss Prevention (DLP): Technologies and processes that prevent sensitive data from leaving the organisation without authorisation.
Data Minimisation: GDPR principle requiring that only the personal data necessary for the specific purpose is collected and processed.
Data Processing Agreement (DPA): Mandatory contract between controller and processor with agreements on data processing, according to GDPR Article 28.
Data Processor: Organisation that processes personal data on behalf of, and according to the instructions of, the controller.
Data Protection Authority: Supervisory authority for data protection; in the Netherlands the Autoriteit Persoonsgegevens (AP).
Data Protection by Design: Obligation to build privacy and data protection into systems and processes from the beginning.
Data Protection Impact Assessment (DPIA): Systematic analysis of the privacy risks of new processing; mandatory for high-risk processing under GDPR.
Data Protection Officer (DPO): Officer who monitors GDPR compliance; mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
Data Retention Policy: Policy determining how long different types of data are retained and when they must be destroyed.
Data Subject: Natural person to whom personal data relates.
Data Subject Rights: Rights of individuals under GDPR such as access, rectification, erasure and portability of their personal data.
DDoS Protection: Measures to detect and mitigate Distributed Denial of Service attacks that make systems unavailable.
DevSecOps: Integration of security practices into DevOps processes so that security is built into software development from the beginning.
Disaster Recovery: Plan and procedures for restoring critical systems and data after a disruptive event such as a natural disaster or cyberattack.
Digital Operational Resilience Act (DORA): EU regulation setting uniform requirements for the digital operational resilience of financial entities.
Document Change Management: Process of tracking and approving changes to compliance documents and contracts.
Document Management: Systematic management of documents and records throughout their lifecycle for compliance purposes.

E

Encryption: Transformation of data with a key so that it is unreadable without that key, protecting confidentiality (and, with authenticated modes, integrity) during storage and transmission.
Encryption at Rest: Encryption of data stored on disks, in databases or on other storage media.
Encryption in Transit: Protection of data during transmission between systems through protocols such as TLS; its predecessor SSL is deprecated and should no longer be enabled.
Endpoint Detection and Response (EDR): Security solution that monitors endpoints and automatically responds to detected threats.
Essential Entities (NIS2): Organisations in critical sectors such as energy, transport, banking and healthcare, subject to the strictest obligations under NIS2.
Evidence Archive: Central storage for all compliance evidence, organised by control and framework.
Evidence Collection: Systematic gathering of evidence demonstrating that security controls function effectively, for compliance audits.
Explainable AI (XAI): AI systems whose decision-making is transparent and comprehensible to users; supports the transparency and explainability objectives of ISO 42001 and the transparency obligations of the EU AI Act.
F

Federated Identity Management: System where users gain access to multiple systems with one set of credentials via identity federation.
FIDO2 Authentication: Modern authentication standard (WebAuthn plus CTAP) for phishing-resistant, passwordless verification using hardware security keys or platform authenticators unlocked by biometrics or a PIN.
Framework Harmonisation: Integration of multiple compliance frameworks to eliminate overlap and increase efficiency.
Framework Mapping: Linking overlapping requirements from different standards to prevent duplication of work.

G

Gap Analysis: Systematic comparison between the current state and the required compliance level to identify missing controls.
GDPR (General Data Protection Regulation): EU regulation for personal data protection with strict requirements for processing, security and data subject rights.
GRC Platform: Software for Governance, Risk and Compliance management that automates and centralises these processes.

I

IAM (Identity and Access Management): Framework for managing digital identities and access rights within an organisation.
ICT Risk Management (DORA): Specific requirements for managing ICT risks in the financial sector under DORA.
IDS/IPS (Intrusion Detection/Prevention System): Systems that monitor network traffic for suspicious activity; an IDS detects and alerts, while an IPS can also block the traffic automatically.
Important Entities (NIS2): Organisations with NIS2 obligations that are less strict than those of essential entities.
Incident Response Plan: Documented procedures for detecting, analysing, containing, eradicating and recovering from security incidents.
Information Security Management System (ISMS): Systematic approach for managing sensitive business information according to the ISO 27001 standard.
Information Security Policy: Overarching policy document defining the security objectives and principles of an organisation.
Inherent Risk: Risk level before mitigating measures are implemented.
Internal Audit: Independent evaluation of compliance and control effectiveness by the internal audit function.
ISO 27001: International standard for information security management systems against which organisations can be certified.
ISO 27017: Standard with specific guidelines for information security in cloud services.
ISO 27018: Standard for the protection of personal data in public cloud services.
ISO 27701: Privacy extension to ISO 27001 for Privacy Information Management Systems (PIMS).
ISO 42001: First international standard (2023) for AI Management Systems, focusing on responsible AI development and use.
IT General Controls (ITGC): Basic IT controls (access, change management, operations, backup and recovery) ensuring the reliability of automated processes and the data they produce.

J

Joint Controller: Two or more parties jointly determining the purposes and means of data processing under GDPR.

K

Key Management: Processes and systems (such as HSMs and key management services) for securely generating, distributing, storing, rotating and destroying cryptographic keys.
Key Performance Indicators (KPIs): Measurable values demonstrating the effectiveness of compliance and security programmes.
Key Risk Indicators (KRIs): Metrics providing early warning of increasing risks before they materialise.

L

Lawful Basis: One of the six legal bases in GDPR Article 6, required for any processing of personal data.
Leadership Commitment (ISO 27001): Required involvement of top management in implementing and maintaining the ISMS.
Least Privilege: Security principle where users, services and processes receive only the minimal access rights needed for their function, and only for as long as needed.
Legal Obligation: GDPR basis for processing that is necessary to comply with a legal obligation.
Legitimate Interest: GDPR basis where the organisation's interests are balanced against the privacy impact on data subjects.
Likelihood and Impact Matrix: Risk assessment tool combining probability and consequences for prioritisation.
Logging and Monitoring: Continuous recording and analysis of system events for security and compliance purposes.
Logical Access Security: Technical measures such as passwords and multi-factor authentication for system access.

M

Machine Learning Operations (MLOps): Practices and tooling for deploying, versioning, monitoring and maintaining machine learning models in production, including the controls needed for reproducibility and compliance.
Main Establishment: Place of central administration in the EU, used to determine the lead supervisory authority for cross-border processing.
Model Governance: Framework for managing, monitoring and controlling AI and machine learning models throughout their lifecycle to ensure compliance and performance.
Managed Security Service Provider (MSSP): External party providing security monitoring and incident response services.
Management Review: Periodic evaluation by management of the effectiveness of the compliance management system.
Maturity Model: Framework for assessing and improving the maturity of compliance and security processes.
Metadata: Structured information about data, such as creation date, owner and classification level.
MFA (Multi-Factor Authentication): Authentication combining two or more independent factors (something you know, have or are), such as a password plus a hardware token or authenticator app; SMS codes are the weakest common second factor.

N

NEN 7510: Dutch standard for information security in healthcare, based on ISO 27001/27002.
Network Segmentation: Division of networks into zones to limit the impact of security incidents.
NIS2 Directive: Revised EU directive on cybersecurity with expanded obligations for essential and important entities.
NIST Cybersecurity Framework: American framework for cybersecurity risk management; version 2.0 (2024) defines six functions (Govern, Identify, Protect, Detect, Respond, Recover), the original five plus Govern.
Non-Conformity: Deviation from requirements in standards, laws or regulations, requiring corrective action.
Non-Disclosure Agreement (NDA): Confidentiality agreement protecting confidential information in collaboration with external parties.

O

OAuth 2.0: Open standard for delegated authorisation allowing an application to obtain scoped access to a user's resources without receiving the user's credentials; OpenID Connect builds authentication on top of it.
Objective Evidence: Verifiable documentation demonstrating that controls work effectively, for audit purposes.
Operational Resilience: Ability to continue delivering critical services during and after disruptions.
OWASP Top 10: List of the most critical web application security risks, published by the Open Web Application Security Project.
P

Patch Management: Systematic process for testing and installing security updates and patches.
PCI DSS (Payment Card Industry Data Security Standard): Security standard for organisations that store, process or transmit payment card data.
Penetration Test: Authorised simulated cyber attack, within an agreed scope and rules of engagement, to identify exploitable weaknesses in systems.
Perimeter Protection: Security measures at the network edge such as firewalls and intrusion prevention systems.
Personal Data: Any information relating to an identified or identifiable natural person, according to GDPR.
Personal Data Breach: GDPR term for a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data; it triggers the 72-hour notification obligation.
Physical Security: Measures to protect physical assets, such as access control to data centres.
PII (Personally Identifiable Information): American term for information that can be used directly or indirectly to identify an individual; broadly equivalent to personal data under GDPR, whose definition is wider.
Policy Management: Systematic management of policies including creation, approval, distribution and periodic review.
Privacy by Default: Obligation to use the most privacy-friendly settings by default in systems.
Privacy Champion: Employee who promotes privacy awareness and serves as the contact point within a department.
Privacy Engineering: Technical implementation of privacy principles in systems and applications.
Privacy Impact Assessment (PIA): Evaluation of privacy risks in new projects or processing; the predecessor of the DPIA.
Privacy Notice: Transparent communication to data subjects about how their personal data is processed.
Privileged Access Management (PAM): Management and monitoring of accounts with elevated rights, such as administrator accounts, typically through credential vaulting, session recording and just-in-time access.
Processing Activity: Any operation performed on personal data, such as collecting, storing, consulting or destroying.
Processing Register (Record of Processing Activities): Overview of all processing activities including purposes, data categories and retention periods, required under GDPR Article 30.
Profiling: Automated processing of personal data to evaluate personal aspects of an individual.
Pseudonymisation: Processing personal data so that it can no longer be attributed to a specific data subject without additional information (such as a key or lookup table) that is kept separately and protected; pseudonymised data remains personal data under GDPR.
Purpose Limitation: GDPR principle that data may only be used for the purpose for which it was collected.

Q

Quantum-Safe Cryptography: Cryptographic algorithms (key exchange, signatures) designed to resist attacks by quantum computers, such as ML-KEM and ML-DSA, standardised by NIST in 2024.

R

RACI Matrix: Model defining the Responsible, Accountable, Consulted and Informed parties for compliance tasks.
Ransomware Protection: Measures (offline backups, patching, EDR, least privilege, segmentation) against malware that encrypts files and demands a ransom for decryption.
RBAC (Role-Based Access Control): Access management where permissions are attached to roles that reflect job functions, and users are granted roles rather than individual permissions.
Responsible AI: Approach to AI development and deployment that prioritises ethics, transparency, accountability, and alignment with human values and regulations.
Recipient: Natural or legal person to whom personal data is disclosed.
Recovery Point Objective (RPO): Maximum acceptable amount of data loss, expressed as the time between the last recoverable copy and the incident.
Recovery Time Objective (RTO): Maximum acceptable time within which systems or processes must be restored after a disruption.
Regulatory Change Management: Process for identifying, assessing and implementing changes in laws and regulations.
Remediation: Process of resolving identified compliance shortcomings or security vulnerabilities.
Residual Risk: Remaining risk level after mitigating measures have been implemented.
Retention Period: The period during which personal data or documents may be retained, determined by legal requirements or business purposes.
Right to be Forgotten (Right to Erasure, GDPR Article 17): Right of data subjects to request deletion of their personal data under certain conditions.
Risk Appetite: Amount and type of risk an organisation is willing to accept in pursuit of its objectives.
Risk Assessment: Systematic evaluation of the probability and impact of potential risks.
Risk Management: Process of identifying, analysing and responding to risks to protect organisational assets and achieve business objectives.
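The Pseudonymisation entry above describes a transformation that keeps records linkable while the identifier itself is only recoverable with separately held "additional information". The following added example (not part of the original glossary) shows one common way to do that with a keyed HMAC, and why a plain unkeyed hash is not pseudonymisation when the identifier space is small enough to enumerate. The records, key and candidate list are constructed sample data.

```python
"""Added example: pseudonymising direct identifiers with a keyed HMAC.

The HMAC key is the 'additional information' in the sense of GDPR Art. 4(5):
whoever holds it can re-link a pseudonym to a person, so it must be stored
separately from the pseudonymised dataset. All data below is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: same key and identifier give the same token,
    so records stay linkable for analysis, but the token cannot be reversed
    without the key. Truncated to 128 bits, which is plenty for uniqueness."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: list, key: bytes,
                 direct_identifiers=("email", "national_id")) -> list:
    """Return copies of the records with direct identifiers replaced by pseudonyms.
    Other fields (indirect identifiers such as age or postcode) are left as-is,
    which is why the output is still personal data and still needs protection."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in direct_identifiers:
            if field in copy:
                copy[field] = pseudonym(copy[field], key)
        out.append(copy)
    return out


def unkeyed_hash(identifier: str) -> str:
    """The naive approach: hash without a key. Anyone can recompute it."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def reverse_by_dictionary(token: str, candidates: list,
                          hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker model: enumerate a known or small identifier space (a leaked
    mailing list, all 9-digit national IDs) and compare hashes. Succeeds against
    unkeyed hashes; fails against the HMAC unless the attacker also has the key."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample data; the key would live in a KMS or HSM in practice.
    key = secrets.token_bytes(32)
    records = [
        {"email": "alice@example.org", "national_id": "123456789", "age": 41},
        {"email": "bob@example.org", "national_id": "987654321", "age": 29},
    ]
    leaked_list = ["carol@example.org", "alice@example.org", "bob@example.org"]

    safe = pseudonymise(records, key)
    print(safe)

    # Unkeyed hashing is reversed by a dictionary attack...
    print(reverse_by_dictionary(unkeyed_hash("alice@example.org"), leaked_list, unkeyed_hash))
    # ...the keyed pseudonym is not, unless the attacker also holds the key.
    print(reverse_by_dictionary(safe[0]["email"], leaked_list, unkeyed_hash))
    print(reverse_by_dictionary(safe[0]["email"], leaked_list, lambda c: pseudonym(c, key)))
```

The design choice worth noting: `pseudonym` is deterministic on purpose so that the same person maps to the same token across datasets, which is what analysts need; if linkability across datasets is itself a risk, use a different key per dataset. Either way, the access control and rotation of the key, not the hash function, is what the pseudonymisation's strength rests on.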
Risk Register: Central documentation of all identified risks including owner, impact and mitigation status.
Risk Score: Quantitative method for assigning numerical values to risks for objective prioritisation.
Risk Treatment: ISO 27001 process for selecting and implementing measures to modify risks.
Risk Treatment Plan: Documented approach for addressing risks through acceptance, mitigation, transfer or avoidance.

S

SAML (Security Assertion Markup Language): XML standard for exchanging authentication and authorisation assertions between an identity provider and a service provider, commonly used for enterprise single sign-on.
SAST (Static Application Security Testing): Automated analysis of source code to identify security vulnerabilities without executing the program.
Schrems II: 2020 ruling of the Court of Justice of the EU that invalidated the EU-US Privacy Shield and requires a case-by-case assessment, with supplementary measures where needed, for transfers to countries without an adequate level of protection.
Scope: Definition of the processes, locations and systems to which the ISMS applies.
Security Awareness Training: Periodic training for employees on security risks and best practices.
Security Baseline: Minimum set of security measures that must be implemented according to organisational policy.
Security Control: Technical, administrative or physical measure to manage security risks.
Security Incident: Event that threatens the confidentiality, integrity or availability of information.
Security Operations Centre (SOC): Central team providing 24/7 security monitoring and incident response.
Security Orchestration, Automation and Response (SOAR): Platforms that automate security workflows (playbooks) for faster detection and response to incidents.
Security Posture: Overall status of security measures and resilience against cyber attacks.
Segregation of Duties (SoD): Separation of tasks so that no single person can both execute and approve a critical transaction, reducing the risk of fraud and error.
Sensitive Personal Data: Special categories of personal data such as health, religion or biometrics, with additional protection requirements.
Service Level Agreement (SLA): Contract with agreements on the performance, availability and security of services.
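The RBAC, Least Privilege, Segregation of Duties and User Access Review entries describe four controls that are usually implemented together. The following added example (not code from the original glossary) shows the mechanics in one place: permissions are attached to roles, a toxic-combination rule blocks conflicting role assignments up front, and a periodic access review flags both SoD conflicts and roles no longer justified by the job function. Role names, permissions, users and the HR mapping are constructed sample data.

```python
"""Added example: role-based access control with segregation-of-duties
enforcement and a user access review. All roles, permissions and users
are constructed sample data, not taken from any standard or product."""
from dataclasses import dataclass, field

# Each role carries the minimal permission set its job function needs (least privilege).
ROLE_PERMISSIONS = {
    "payments_clerk":    frozenset({"payment:create", "payment:read"}),
    "payments_approver": frozenset({"payment:approve", "payment:read"}),
    "auditor":           frozenset({"payment:read", "audit_log:read"}),
    "iam_admin":         frozenset({"user:assign_role", "user:read"}),
}

# Pairs of roles one person must never hold at the same time (toxic combinations).
SOD_CONFLICTS = frozenset({
    frozenset({"payments_clerk", "payments_approver"}),  # create and approve a payment
    frozenset({"iam_admin", "auditor"}),                 # grant rights and audit them
})


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def permissions_of(user: User) -> frozenset:
    """Effective permissions are the union over the user's roles; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(user: User, permission: str) -> bool:
    """Authorisation check: deny by default, allow only if some role grants the permission."""
    return permission in permissions_of(user)


def sod_violations(user: User) -> list:
    """Return the conflicting role pairs the user currently holds."""
    return [pair for pair in SOD_CONFLICTS if pair <= user.roles]


def assign_role(user: User, role: str) -> None:
    """Preventive control: refuse an assignment that would create a toxic combination,
    instead of only detecting it in the next access review."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    if sod_violations(User(user.name, user.roles | {role})):
        raise PermissionError(f"{user.name}: {role} conflicts with {sorted(user.roles)}")
    user.roles.add(role)


def access_review(users: list, job_function: dict) -> dict:
    """Detective control: periodic user access review.
    job_function maps user name -> roles the line manager / HR says the user should have.
    Returns, per user, SoD conflicts and roles that the job function no longer justifies."""
    findings = {}
    for u in users:
        issues = []
        for pair in sod_violations(u):
            issues.append("sod:" + "+".join(sorted(pair)))
        for extra in sorted(u.roles - job_function.get(u.name, set())):
            issues.append("excess_role:" + extra)
        if issues:
            findings[u.name] = issues
    return findings


if __name__ == "__main__":
    alice = User("alice", {"payments_clerk"})
    bob = User("bob", {"payments_approver"})
    print(is_authorized(alice, "payment:create"))   # True
    print(is_authorized(alice, "payment:approve"))  # False
    try:
        assign_role(alice, "payments_approver")    # blocked by the SoD rule
    except PermissionError as err:
        print("blocked:", err)
    # Constructed legacy account whose roles were granted directly in the database,
    # bypassing assign_role; the access review is what catches it.
    carol = User("carol", {"auditor", "iam_admin"})
    hr_view = {"alice": {"payments_clerk"}, "bob": {"payments_approver"}, "carol": {"auditor"}}
    print(access_review([alice, bob, carol], hr_view))
```

The point of having both `assign_role` and `access_review` is that preventive controls can be bypassed (direct database edits, a migration, an emergency grant), so auditors expect the detective review as evidence regardless of how good the provisioning path is.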
Shared Responsibility Model: Distribution of security responsibilities between cloud provider and customer; the split shifts with the service model (IaaS, PaaS, SaaS), but the customer always remains responsible for its data, identities and access configuration.
SIEM (Security Information and Event Management): Platform that collects, correlates and analyses security events for threat detection.
Single Sign-On (SSO): Authentication method where users gain access to multiple applications with one login.
SOC 2: American attestation standard (AICPA) under which service organisations report on control design and operating effectiveness.
SOC 2 Type I: Report on control design at a specific point in time, according to AICPA standards.
SOC 2 Type II: Report on the operating effectiveness of controls over a review period, typically 3 to 12 months.
Software Bill of Materials (SBOM): Inventory of all components and dependencies in a piece of software, used for supply chain security and vulnerability tracking.
Special Categories of Personal Data: Sensitive data such as racial or ethnic origin, religion, health or sexual orientation, with additional protection under GDPR Article 9.
Spoofing: Attack technique where an identity (sender address, IP, website, user) is falsified to gain unauthorised access or trust.
Standard Contractual Clauses (SCC): EU-approved model contracts for international data transfer.
Statement of Applicability (SoA): Document indicating which ISO 27001 Annex A controls are and are not applicable, with justification.
Subprocessor: Third party engaged by a processor for specific processing activities; requires the controller's prior specific or general written authorisation under GDPR Article 28.
Supplier Risk Assessment: Evaluation of the security and compliance risks of a supplier prior to collaboration.
Supply Chain Security: Measures to identify and manage risks arising from suppliers and partners.
System Hardening: Process of removing unnecessary functions and applying secure configuration settings to reduce the attack surface.

T

Technical and Organisational Measures (TOMs): Technical and organisational security measures required under GDPR Article 32.
Third Party: Natural or legal person other than the data subject, controller or processor.
Third Party Risk Management (TPRM): Management of compliance and security risks arising from suppliers and partners.
Threat: Potential danger or harmful event that could exploit vulnerabilities and negatively impact the confidentiality, integrity or availability of information or systems.
Threat Intelligence: Collected and analysed information about current cyber threats, used for proactive defence.
Threat Modelling: Systematic identification of potential threats and vulnerabilities in a system's design.
Trust Services Criteria (TSC, formerly Trust Service Principles): AICPA criteria for SOC 2: Security (mandatory), Availability, Processing Integrity, Confidentiality and Privacy.
Two-Factor Authentication (2FA): Verification via two different factors, such as a password plus a one-time code; a subset of MFA. SMS codes are vulnerable to SIM swapping, so authenticator apps or hardware keys are preferred.

U

User Access Review: Periodic check of whether user rights are still appropriate for the user's function and responsibilities.
User Access Rights: Specific authorisations granted to users for access to systems, data and functionality.

V

Version Control: Systematic management of changes to documents, code and configurations, with traceability of all modifications.
Vital Interests: GDPR basis for processing necessary to protect someone's life or health.
Vulnerability Assessment: Systematic investigation of weaknesses in systems, applications and processes.
Vulnerability Management: Continuous process of identifying, evaluating and remediating vulnerabilities in systems.
Vulnerability Scan: Automated detection of known weaknesses in systems, networks and applications.

W

WAF (Web Application Firewall): Firewall that filters HTTP/HTTPS traffic to protect web applications against attacks such as injection and cross-site scripting.
Waterfall Method: Traditional development method with sequential phases, in contrast to iterative Agile and DevSecOps approaches.
Whistleblower Protection: Measures to protect employees who report misconduct, according to the EU Whistleblower Directive.

Z

Zero-Knowledge Proof: Cryptographic method where one party (the prover) convinces another (the verifier) that a statement is true without revealing anything beyond the fact that it is true.
Zero-Trust Architecture: Security model in which no network or user is trusted by default and every access request is continuously verified.
Zone-Based Security: Network architecture with separated zones based on trust level and sensitivity.