Glossary

The terms that show up when compliance work gets real.

ISO 27001, NIS2, FAIR, ISMS, Annex A. The vocabulary of governance and risk, defined plainly and in the way Askara Solutions uses each term in real engagements.

Standards & Frameworks

  • Annex A

    The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.

  • GDPR

    EU regulation that governs the processing of personal data, granting rights to data subjects and imposing obligations on controllers and processors.

  • ISO 27001

    International standard that defines the requirements for an information security management system (ISMS), including risk assessment, control selection, and management review.

  • NIS2

    EU directive that extends cybersecurity obligations to a much wider set of organisations than its predecessor, requiring governance, risk management, incident reporting, and supply-chain security.

  • SOC 2

    AICPA attestation on a service organisation's security, availability, processing integrity, confidentiality, and privacy controls. Issued as Type 1 (point-in-time) or Type 2 (over a period).

Risk Management

  • Annual Loss Expectancy

    The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.

  • FAIR

    Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.

  • Loss Event Frequency

    The expected number of times per year that a threat actor's action will succeed and produce a loss, calculated as Threat Event Frequency multiplied by Vulnerability (the probability of success).

  • Monte Carlo Simulation

    Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.

  • Open FAIR

    Open standard governed by The Open Group that codifies the FAIR risk-quantification methodology as a reference taxonomy. The Open FAIR Body of Knowledge is the canonical specification.

  • Risk Appetite

    Board-level statement of how much risk the organisation is prepared to accept in pursuit of its objectives, expressed quantitatively enough to guide trade-offs against control investment.

  • Risk Assessment

    The structured process of identifying threats, estimating likelihood and impact, and producing a defensible record of which risks the organisation accepts, treats, or transfers.

  • Risk Register

    The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.

  • Risk Scenario

    Specific, named description of how a threat could cause loss to the organisation, written precisely enough to drive quantitative estimation of frequency and magnitude.

  • Threat

    Anything with the potential to cause loss to an asset by exploiting a vulnerability, characterised by the actor's motivation, capability, and frequency of attempted action.

  • Threat Event Frequency

    The expected number of times per year that a threat actor will attempt the action that could lead to a loss event, before any consideration of whether the attempt succeeds.

  • Vulnerability

    A weakness in an asset, control, or process that a threat could exploit to cause loss. In FAIR, the probability that a threat event becomes a loss event when an attempt is made.
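
The FAIR entries above (Annual Loss Expectancy, Loss Event Frequency, Threat Event Frequency, Vulnerability, Monte Carlo Simulation, Risk Appetite) describe one calculation, so here it is carried through in Python as an added example; this is not code from Askara Solutions or from the Open FAIR standard. The scenario name, its (min, most likely, max) ranges and the 500,000 appetite threshold are constructed assumptions, and triangular distributions stand in for the PERT ranges a full FAIR analysis would use.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """Open FAIR inputs as (min, most_likely, max) triangular ranges; values are constructed."""
    tef: tuple             # Threat Event Frequency: attempts per year
    vuln: tuple            # Vulnerability: probability an attempt becomes a loss event
    loss_magnitude: tuple  # Loss Magnitude: cost per loss event, in currency units

def draw(rng, tri):
    """Sample (min, mode, max); random.triangular takes (low, high, mode), so reorder."""
    lo, mode, hi = tri
    return rng.triangular(lo, hi, mode)

def poisson(rng, mean):
    """Knuth's method: how many loss events occur in a year at expected rate 'mean'."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def point_estimate_ale(s):
    """Single-number ALE = E[TEF] * E[Vuln] * E[LM]: the figure the distribution replaces."""
    mean = lambda t: sum(t) / 3  # mean of a triangular distribution
    return mean(s.tef) * mean(s.vuln) * mean(s.loss_magnitude)

def simulate_annual_loss(s, trials=10_000, seed=7):
    """Monte Carlo: per trial sample TEF and Vuln, derive LEF = TEF * Vuln, draw the
    number of loss events from Poisson(LEF), and sum one Loss Magnitude per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = draw(rng, s.tef) * draw(rng, s.vuln)
        losses.append(sum(draw(rng, s.loss_magnitude) for _ in range(poisson(rng, lef))))
    return losses

def summarise(losses, appetite):
    """Percentiles of the annual-loss distribution and the chance of breaching risk appetite."""
    s, n = sorted(losses), len(losses)
    return {"mean": sum(s) / n, "p50": s[n // 2], "p90": s[int(0.9 * n)],
            "p_exceeds_appetite": sum(1 for x in s if x > appetite) / n}

# Constructed scenario, e.g. credential phishing leading to a ransomware loss event.
PHISHING = Scenario(tef=(2, 6, 20), vuln=(0.05, 0.2, 0.5), loss_magnitude=(10_000, 50_000, 300_000))
```

Comparing `point_estimate_ale(PHISHING)` with `summarise(simulate_annual_loss(PHISHING), 500_000)` shows why the glossary insists on a distribution: the single figure hides both the share of years with no loss at all and the tail that breaches appetite.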

Security Controls

  • Access Control

    Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.

  • Identity and Access Management

    The discipline of authenticating who someone is, deciding what they are allowed to do, and recording the decisions so they can be reviewed, revoked, or attested to over time.

  • Incident Response

    Procedures, roles, and decisions activated when a security incident is detected, covering containment, eradication, recovery, regulatory notification, and post-incident learning.

  • Least Privilege

    Principle that every identity should hold only the permissions required for its legitimate function, with privileges granted, time-bound, and revoked rather than accumulated.

  • Phishing

    Social-engineering attack in which a threat actor impersonates a trusted party to induce the recipient to disclose credentials, transfer funds, or run malicious code.

  • Supply Chain Security

    The discipline of identifying, assessing, and managing the security risks introduced by third-party suppliers, sub-processors, and managed service providers throughout the contract lifecycle.

Compliance Processes

  • Audit Trail

    Chronological record of system events, user actions, and changes to data or configuration, retained in a form that can be replayed by an auditor or investigator to reconstruct what happened.

  • Business Continuity Plan

    Documented arrangements an organisation uses to continue delivering its essential functions through and after a disruption, including disaster scenarios that take primary systems offline.

  • Corrective Action

    Recorded response to a non-conformity or audit finding, describing the root cause, the remediation, the owner, and the evidence that closure has been verified.

  • Information Security Management System

    The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.

  • Security Awareness Training

    Periodic training that informs staff about security threats, organisational policy, and expected behaviours, evidenced through completion records and reinforced through ongoing communication.

  • Statement of Applicability

    ISO 27001 document that records, for every Annex A control, whether it is applied, why it is applied, and what evidence demonstrates that it operates.

Acronyms

  • CISO

    Senior executive accountable for the organisation's information security programme, including risk decisions, control investments, regulatory obligations, and incident response.

  • GRC

    Umbrella discipline that ties together how an organisation directs its business (governance), how it manages uncertainty (risk), and how it satisfies external obligations (compliance).

ISO and IEC standards are trademarks of the International Organization for Standardization and the International Electrotechnical Commission. FAIR and Open FAIR are trademarks of the FAIR Institute and The Open Group respectively. Askara Solutions references these standards and frameworks for educational purposes; their authoritative texts are published by the bodies that own them. Read more on the Askara Solutions website.