Definitions across BCMS, ISMS, DSMS, and AIMS. The vocabulary for running four management systems as one.
150 terms
A policy that defines how employees may use an organization's systems, devices, and data, and what behavior is prohibited.
The selective restriction of who can view or use resources, enforced through identification, authentication, and authorization.
Formal recognition that a certification body is competent to carry out audits and issue certificates against a given standard.
A formal decision by the European Commission that a non-EU country provides a level of data protection essentially equivalent to the EU, allowing free data transfers there.
Systematic, unfair skew in an AI system's outputs that can disadvantage certain groups or individuals.
The skills and understanding that let people deploy and use AI systems responsibly and recognize their opportunities and risks.
The risks specific to artificial intelligence systems, including bias, opacity, unsafe outputs, and loss of human control.
The management system that governs the responsible development and use of artificial intelligence, defined by ISO/IEC 42001.
The catalogue of information security controls in ISO/IEC 27001 (93 controls in the 2022 edition), grouped into organizational, people, physical, and technological themes.
Irreversibly processing data so that individuals can no longer be identified, which takes it outside the scope of the GDPR.
Anything of value to an organization that needs protection, such as data, systems, people, or facilities.
The sum of all points where an attacker could try to enter or extract data from a system or organization.
Records, statements, and other verifiable information that an auditor uses to determine whether requirements are met.
Decisions made solely by automated means, without meaningful human involvement, which the GDPR restricts when they have legal or similarly significant effects.
The property that information and systems are accessible and usable when authorized users need them.
A copy of data kept separately so that information can be restored after loss, corruption, or an attack.
The management system that prepares an organization to keep critical operations running during disruptions and to recover quickly, defined by ISO 22301.
The BSI's Cloud Computing Compliance Criteria Catalogue, a German standard for assessing the security of cloud service providers.
A German methodology and control catalogue from the Federal Office for Information Security (BSI) for building and certifying information security.
The documented procedures that guide an organization in responding to a disruption and continuing or recovering critical activities.
The analysis that identifies an organization's critical activities and the effect over time of their disruption, setting the basis for recovery priorities.
A mark a manufacturer applies to declare that a product meets EU requirements, extended by the AI Act to certain high-risk AI systems.
An independent organization, accredited for the purpose, that audits a management system and issues a certificate when it conforms to a standard.
The three core goals of information security: confidentiality, integrity, and availability.
The property that information is accessible only to those authorized to have it.
The process of demonstrating that a product or system, such as a high-risk AI system, meets the legal requirements before it is placed on the market.
A freely given, specific, informed, and unambiguous agreement by a data subject to the processing of their personal data.
The internal and external issues, and the needs of interested parties, that shape what a management system must achieve.
The ongoing effort to raise the effectiveness of a management system over time, a core requirement of every ISO standard.
A measure that reduces risk, by modifying a threat, a vulnerability, or the impact of an incident.
Action taken to eliminate the root cause of a nonconformity so that it does not happen again.
The capability to lead, decide, and communicate during a major disruptive event that exceeds normal response.
A public, standardized identifier of the form CVE-YYYY-NNNNN assigned to a specific publicly disclosed security vulnerability.
An open framework that rates the technical severity of a vulnerability on a scale from 0.0 to 10.0, computed from a vector of base metrics (attack vector, complexity, privileges, user interaction, scope, and confidentiality, integrity and availability impact).
An EU regulation that sets cybersecurity requirements for products with digital elements across their entire lifecycle.
The practice of labelling information by sensitivity so that the right level of protection is applied to each category.
The party that determines the purposes and means of processing personal data, and bears primary responsibility under the GDPR.
The GDPR principle that personal data collected must be adequate, relevant, and limited to what is necessary for the purpose.
The contract required between a controller and processor that governs how the processor may handle personal data.
A party that processes personal data on behalf of a controller, bound by the controller's instructions and a contract.
An assessment of the privacy risks of a processing activity that is likely to result in a high risk to individuals.
An independent expert who advises an organization on data protection obligations and monitors compliance with the GDPR.
The defined periods for which data is kept before it is deleted or anonymized, balancing legal duties against minimization.
The identified or identifiable individual to whom personal data relates and who holds rights over that data.
A strategy of layering multiple, independent security controls so that if one fails, others still protect the asset.
The technology-focused part of continuity that restores IT systems, data, and infrastructure after a disruptive event.
Technology and rules that detect and block sensitive data from leaving an organization through email, uploads, or removable media.
The records and documents an ISO management system requires to be created, controlled, and maintained as evidence.
An EU regulation that sets uniform requirements for the digital operational resilience of the financial sector, including ICT risk management and third-party oversight.
The management system that organizes how an organization meets data protection obligations such as the GDPR, covering lawful processing, data subject rights, and accountability.
Software on laptops, servers, and devices that continuously monitors for malicious activity and helps responders investigate and contain it.
The process of converting information into a coded form so that only authorized parties holding the key can read it.
The EU regulation that governs artificial intelligence using a risk-based approach, with the strictest obligations for high-risk AI systems.
The degree to which the reasoning behind an AI system's outputs can be understood and explained to people.
The EU General Data Protection Regulation, the comprehensive law governing how personal data of individuals in the EU may be processed.
An AI model that can perform a wide range of tasks and be integrated into many different systems, regulated under specific provisions of the EU AI Act.
AI systems that create new content such as text, images, audio, or code, often built on large foundation models.
An integrated approach that aligns governance, risk management, and regulatory compliance so an organization can pursue objectives while staying within its risk appetite and the law.
Under the EU AI Act, an AI system whose use poses significant risk to health, safety, or fundamental rights, subject to strict requirements.
Measures that keep people able to monitor, intervene in, and override the operation of an AI system.
The framework of policies and technology that manages digital identities and controls their access to resources.
The extent of harm that would result if a risk scenario occurred, measured across dimensions such as finance, operations, and reputation.
The organized approach to detecting, containing, eradicating, and recovering from security incidents, and learning from them.
Measurable targets an organization sets to improve information security, consistent with its security policy.
The level of risk that exists before any controls or mitigations are applied.
The property that information remains accurate, complete, and unaltered except by authorized means.
The stakeholders whose needs and expectations a management system must consider, such as customers, regulators, employees, and suppliers.
A planned, independent review that checks whether a management system conforms to its own requirements and to the relevant standard, and whether it is effective.
The transfer of personal data to a country outside the EU or EEA, which the GDPR permits only under specific safeguards.
The management system that governs how an organization identifies, treats, and monitors information security risks, defined primarily by ISO/IEC 27001.
The international standard for a business continuity management system (BCMS), specifying how to prepare for, respond to, and recover from disruptions.
The international standard that specifies the requirements for an information security management system (ISMS) and is the most widely adopted certifiable standard for information security.
The companion guidance to ISO/IEC 27001 that explains how to implement each information security control in detail.
A guidance standard that adds cloud-specific information security controls on top of ISO/IEC 27002.
An extension to ISO/IEC 27001 and 27002 that adds requirements for a privacy information management system (PIMS).
The first international management system standard for artificial intelligence, specifying requirements for an AI management system (AIMS).
A metric that shows how well a process or control is performing against its goal.
A metric that provides an early signal of rising risk exposure before it turns into an incident.
The German term for critical infrastructure: sectors whose failure would seriously threaten public supply and safety.
The qualified auditor who plans and directs an audit, leads the audit team, and is responsible for its conclusions.
The principle of granting each user or process only the access rights it needs to do its job, and no more.
A legal basis under the GDPR that allows processing of personal data when an organization's interests are not overridden by the rights of the individual.
The chance that a given risk scenario will actually occur, used together with impact to rate a risk.
The recording of system and security events and their ongoing review to detect anomalies and support investigations.
Malicious software designed to damage, disrupt, or gain unauthorized access to systems and data.
A regular review by top management of whether the management system remains suitable, adequate, and effective, with decisions on changes and resources.
A structured set of policies, processes, and controls an organization uses to direct and improve a specific discipline, such as information security or business continuity.
The longest time an activity can be unavailable before the resulting harm to the organization becomes unacceptable.
A short, structured document that describes an AI model's purpose, performance, limitations, and intended use.
An authentication method that requires two or more independent factors (something the user knows, has, or is) to verify a user's identity, so that a stolen password alone is not enough.
The EU directive that expands cybersecurity obligations for essential and important entities, including risk management measures and incident reporting.
A voluntary US framework that organizes cybersecurity activities into a set of high-level functions to help organizations manage risk.
A failure to meet a requirement, whether from the standard, a policy, or a legal obligation, identified through audits or operations.
An independent organization designated by an EU country to assess the conformity of certain high-risk products before they reach the market.
The process of acquiring, testing, and applying software updates to fix vulnerabilities and keep systems current.
The Payment Card Industry Data Security Standard, a standard contractually required by the card brands for organizations that store, process, or transmit cardholder data.
Plan, Do, Check, Act: the iterative four-step model behind continual improvement in every ISO management system.
An authorized, simulated attack on systems or applications to find and demonstrate exploitable security weaknesses.
Any information relating to an identified or identifiable natural person, the central concept the GDPR protects.
A breach of security leading to the destruction, loss, alteration, or unauthorized disclosure of or access to personal data.
A social engineering attack that tricks people into revealing credentials or sensitive data, usually through deceptive messages.
The ongoing duty to track how an AI system performs after deployment and to act on problems that emerge in real use.
The GDPR requirement to build data protection into systems from the outset and to apply the most protective settings by default.
Uses of AI that the EU AI Act bans outright because they pose an unacceptable risk to fundamental rights.
Processing personal data so it can no longer be attributed to a person without separately kept additional information.
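The distinction between pseudonymization and anonymization turns on the "separately kept additional information", so here is an added example (not code from this glossary's publisher) of doing it correctly: identifiers are replaced with keyed HMAC-SHA256 tokens, and the key and lookup table are held apart from the pseudonymized records. It also shows why an unkeyed hash is not pseudonymization: e-mail addresses are low-entropy, so a plain SHA-256 digest is recovered by trying candidates. The e-mail addresses and records are constructed sample data; the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional


class Pseudonymizer:
    """Keyed pseudonymization: identifiers map to stable tokens via HMAC-SHA256.

    The key and the reverse table are the 'additional information' that must be
    stored separately (and access-controlled) from the pseudonymized data set.
    """

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("key must be at least 32 bytes")
        self._key: Optional[bytes] = key
        self._reverse: Dict[str, str] = {}  # token -> identifier, kept with the key

    @staticmethod
    def _normalize(identifier: str) -> str:
        # Same person, same token: trim and lower-case before hashing.
        return identifier.strip().lower()

    def pseudonymize(self, identifier: str) -> str:
        if self._key is None:
            raise RuntimeError("key has been destroyed; no further tokens can be issued")
        norm = self._normalize(identifier)
        token = hmac.new(self._key, norm.encode("utf-8"), hashlib.sha256).hexdigest()
        self._reverse[token] = norm
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only the party holding the key and table can attribute a token back."""
        return self._reverse.get(token)

    def destroy_key(self) -> None:
        """Drop key and table. Tokens then cannot be attributed via this route,
        which is a step toward anonymization, not proof of it: the tokens still
        link records to each other, and other data may re-identify people."""
        self._key = None
        self._reverse.clear()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: NOT pseudonymization, because guessable inputs can be confirmed."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def guess_identifier(digest: str, candidates: Iterable[str],
                     hasher: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: find which candidate produces the digest."""
    for c in candidates:
        if hmac.compare_digest(hasher(c), digest):
            return c
    return None


# Constructed sample data (not real people).
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def demo() -> list:
    p = Pseudonymizer(secrets.token_bytes(32))
    records = [{"user": p.pseudonymize(e), "purchases": 3} for e in SAMPLE_EMAILS]
    # An attacker holding the records and a candidate list breaks plain hashes ...
    assert guess_identifier(naive_hash("alice@example.com"), SAMPLE_EMAILS, naive_hash) == "alice@example.com"
    # ... but cannot confirm a guess against an HMAC token without the key.
    assert guess_identifier(records[0]["user"], SAMPLE_EMAILS, naive_hash) is None
    assert p.reidentify(records[0]["user"]) == "alice@example.com"
    p.destroy_key()
    assert p.reidentify(records[0]["user"]) is None
    return records


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Practical caveat: rotating or destroying the key removes one re-identification route only. Whether the resulting data set is anonymous under the GDPR depends on all means reasonably likely to be used, including linkage through the remaining attributes.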
Malicious software that encrypts or blocks access to data and demands payment to restore it.
A full audit at the end of a certificate's cycle, usually every three years, to renew certification for another period.
The documented inventory of an organization's personal data processing activities, required by the GDPR.
The maximum amount of data, measured as time, that an organization can afford to lose in a disruption.
The target time within which a disrupted activity or system must be restored after an incident.
The risk that remains after controls have been applied to treat it.
The GDPR right of individuals to receive their personal data in a structured, common format and to transmit it to another provider.
The GDPR right of individuals to have their personal data deleted in certain circumstances, also known as the right to be forgotten.
The amount and type of risk an organization is willing to accept in pursuit of its objectives.
The process of identifying risks, then analyzing and evaluating them by their likelihood and impact to decide which need treatment.
A grid that plots risks by likelihood and impact to help rank and compare them.
The person accountable for a specific risk and the decisions about how it is treated.
The central record of identified risks, their assessment, owners, and treatment status.
The step where an organization decides how to handle each assessed risk: reduce it, accept it, avoid the activity, or share it.
The boundaries of a management system: the parts of the organization, locations, assets, and activities it covers.
Education that helps staff recognize and respond correctly to security risks such as phishing and social engineering.
An event, or series of events, that compromises or threatens the confidentiality, integrity, or availability of information.
A team and facility that continuously monitors, detects, and responds to security threats across an organization.
A high-level document approved by top management that states an organization's intentions and direction for protecting information.
A control that splits a sensitive task across more than one person so that no single individual can complete it alone.
A system that collects and correlates log and event data across an organization to detect and investigate security incidents.
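What "collects and correlates" adds over per-host logging (the logging and monitoring entry above) is easiest to see in code. This added example (not code from this glossary's publisher) runs a simple correlation rule over constructed SSH authentication lines in a syslog-like layout: five or more failed logins from one source address, across any number of hosts, followed by a success from that address within five minutes. The log lines, host names, and the reserved example IP addresses are all constructed; the threshold and window are this example's assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample events (not real logs). Note the failures are spread over
# host1 and host2; no single host sees enough of them to trip a local threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
2024-05-01T10:00:03Z host1 sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2
2024-05-01T10:00:04Z host2 sshd[201]: Failed password for root from 203.0.113.5 port 5003 ssh2
2024-05-01T10:00:06Z host1 sshd[103]: Failed password for root from 203.0.113.5 port 5004 ssh2
2024-05-01T10:00:09Z host1 sshd[104]: Failed password for root from 203.0.113.5 port 5005 ssh2
2024-05-01T10:00:15Z host1 sshd[105]: Accepted password for root from 203.0.113.5 port 5006 ssh2
2024-05-01T10:00:20Z host3 sshd[301]: Failed password for alice from 198.51.100.7 port 6001 ssh2
2024-05-01T10:30:00Z host3 sshd[302]: Accepted publickey for alice from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(line: str) -> Optional[dict]:
    """Normalize one raw line into fields; unknown lines are dropped, not guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines: Iterable[str], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert when >= threshold failures from one source, within window, precede a success.

    State is keyed by source address rather than by host, which is the point of
    central correlation: the attacker's spray across hosts becomes one sequence.
    """
    failures: Dict[str, deque] = defaultdict(deque)  # src -> timestamps of recent failures
    alerts: List[dict] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:  # expire old failures
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"], "user": ev["user"], "host": ev["host"],
                "failures": len(recent), "at": ev["ts"].isoformat(),
            })
            recent.clear()  # one alert per attack sequence
    return alerts


def failures_per_host(lines: Iterable[str]) -> Dict[str, int]:
    """What a host-local view sees: failure counts without cross-host context."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        ev = parse(line)
        if ev and ev["outcome"] == "Failed":
            counts[ev["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(a)
    print(failures_per_host(SAMPLE_LOG.splitlines()))
```

Running it yields one alert for 203.0.113.5 (five failures, then an accepted password for root on host1) and none for 198.51.100.7, whose single failure is followed by a key-based login half an hour later. The per-host view reports only four failures on host1 and one on host2, which is why a local threshold of five never fires.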
A US attestation report, issued under the AICPA Trust Services Criteria, on a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy.
Manipulating people into revealing information or taking actions that compromise security, rather than attacking technology directly.
Sensitive personal data under the GDPR, such as health, biometrics, or beliefs, that receives stronger protection and stricter processing conditions.
The first part of an initial certification audit, a readiness review that checks whether the management system is documented and ready for the main audit.
The main certification audit, where an auditor gathers evidence that the management system is implemented and operating effectively.
Pre-approved contract terms issued by the European Commission that provide a lawful basis for transferring personal data outside the EEA.
The document that lists every ISO/IEC 27001 Annex A control, states whether it applies, and justifies each inclusion or exclusion.
A third party engaged by a processor to carry out specific processing of personal data on behalf of the controller.
An independent public body that enforces data protection law, handles complaints, and can impose fines under the GDPR.
An attack that compromises an organization indirectly by targeting a trusted supplier, vendor, or software component it relies on.
A periodic audit during a certificate's validity period that confirms the management system continues to operate and improve.
A discussion-based rehearsal in which a team walks through its response to a simulated scenario to test plans and roles.
The process of assessing and controlling the security and continuity risks that suppliers and service providers introduce.
A potential cause of an unwanted incident that could harm an asset, such as malware, human error, or a natural event.
A structured exercise to identify potential threats to a system early, so they can be designed out or mitigated.
An assessment and exchange mechanism for information security in the automotive industry, based on the VDA ISA catalogue.
The person or group that directs and controls an organization at the highest level, accountable for the management system under ISO standards.
The data used to teach a machine learning model, whose quality and representativeness strongly shape the model's behavior.
A weakness in an asset or control that a threat can exploit to cause harm.
A defined process for receiving, assessing, and acting on reports of security weaknesses from researchers or the public.
An automated check of systems against a database of known weaknesses to identify missing patches and misconfigurations.