Compliance is not a one-time exercise. It is a set of recurring processes that turn policy into evidence over a calendar year. The ISMS (Information Security Management System) is the management system itself, the umbrella under which every compliance activity at your organisation gets scheduled, recorded, and reviewed. The Statement of Applicability is the document that ties each ISO 27001 Annex A control to your specific decision to use it or exclude it. Internal audits, management reviews, risk reassessments, and corrective actions all sit underneath. The shorthand "compliance work" mostly means these processes running on a cadence.
Compliance Processes
The recurring processes that turn policy into evidence: the ISMS, the Statement of Applicability, internal audits, and management reviews.
After-Action Review
A structured debrief after an incident or exercise that documents what happened and what failed, producing corrective actions that feed back into the risk register and incident response playbook.
Audit Trail
Chronological record of system events, user actions, and changes to data or configuration, retained in a form that can be replayed by an auditor or investigator to reconstruct what happened.
Business Continuity Plan
Documented arrangements an organisation uses to continue delivering its essential functions through and after a disruption, including disaster scenarios that take primary systems offline.
Control Mapping
The process of aligning a single set of security controls simultaneously against two or more compliance frameworks to eliminate duplicated evidence collection where requirements overlap.
Corrective Action
Recorded response to a non-conformity or audit finding, describing the root cause, the remediation, the owner, and the evidence that closure has been verified.
Information Security Management System
The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.
Joiner-Mover-Leaver
The lifecycle framework governing access provisioning at hire, modification on role change, and full revocation at departure, and one of the most frequently cited ISO 27001 access-control gaps.
Security Awareness Training
Periodic training that informs staff about security threats, organisational policy, and expected behaviours, evidenced through completion records and reinforced through ongoing communication.
Statement of Applicability
ISO 27001 document that records, for every Annex A control, whether it is applied or excluded, the justification for that decision, and what evidence demonstrates that an applied control operates.