Compliance is not a one-time exercise. It is a set of recurring processes that turn policy into evidence over a calendar year. The ISMS (Information Security Management System) is the management system itself, the umbrella under which every compliance activity at your organisation gets scheduled, recorded, and reviewed. The Statement of Applicability is the document that ties each ISO 27001 Annex A control to your specific decision to apply it or exclude it. Internal audits, management reviews, risk reassessments, and corrective actions all sit underneath. The shorthand "compliance work" mostly refers to these processes running on a cadence.
Glossary category
Compliance Processes
The recurring processes that turn policy into evidence: the ISMS, the Statement of Applicability, internal audits, and management reviews.
Terms in this category (6 entries):
Audit Trail
Chronological record of system events, user actions, and changes to data or configuration, retained in a form that can be replayed by an auditor or investigator to reconstruct what happened.
Business Continuity Plan
Documented arrangements an organisation uses to continue delivering its essential functions through and after a disruption, including disaster scenarios that take primary systems offline.
Corrective Action
Recorded response to a non-conformity or audit finding, describing the root cause, the remediation, the owner, and the evidence that closure has been verified.
Information Security Management System
The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.
Security Awareness Training
Periodic training that informs staff about security threats, organisational policy, and expected behaviours, evidenced through completion records and reinforced through ongoing communication.
Statement of Applicability
ISO 27001 document that records, for every Annex A control, whether it is applied or excluded, the justification for that decision, and what evidence demonstrates that an applied control operates.