Standards and frameworks are what auditors, regulators, and customers point at when they want to see that a security programme is real. ISO 27001 is the international standard for an information security management system. NIS2 is the EU directive extending cybersecurity obligations across critical sectors. SOC 2 is the trust services framework large US buyers expect from their vendors. GDPR is the EU's data protection regulation. Annex A is the catalogue of controls inside ISO 27001 itself. Most European SMEs end up dealing with several of these, often at the same time and on someone else's deadline.
Standards & Frameworks
Plain-language definitions for the standards and frameworks that show up in compliance work: ISO 27001, NIS2, SOC 2, GDPR, Annex A.
Annex A
The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.
GDPR
EU regulation that governs the processing of personal data, granting rights to data subjects and imposing obligations on controllers and processors.
ISO 27001
International standard that defines the requirements for an information security management system (ISMS), including risk assessment, control selection, and management review.
NIS2
EU directive that extends cybersecurity obligations to a much wider set of organisations than its predecessor, requiring governance, risk management, incident reporting, and supply-chain security.
SOC 2
AICPA attestation on a service organisation's security, availability, processing integrity, confidentiality, and privacy controls. Issued as Type 1 (point-in-time) or Type 2 (over a period).