Glossary
The terms that show up when compliance work gets real.
ISO 27001, NIS2, FAIR, ISMS, Annex A. The vocabulary of governance and risk, defined plainly and in the way Askara Solutions uses each term in real engagements.
Standards & Frameworks
Annex A
The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.
GDPR
EU regulation that governs the processing of personal data, granting rights to data subjects and imposing obligations on controllers and processors.
ISO 27001
International standard that defines the requirements for an information security management system (ISMS), including risk assessment, control selection, and management review.
NIS2
EU directive that extends cybersecurity obligations to a much wider set of organisations than its predecessor, requiring governance, risk management, incident reporting, and supply-chain security.
SOC 2
AICPA attestation on a service organisation's security, availability, processing integrity, confidentiality, and privacy controls. Issued as Type 1 (point-in-time) or Type 2 (over a period).
Risk Management
Annual Loss Expectancy
The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.
FAIR
Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.
FAIR-CAM
The FAIR Institute extension that maps control strength and coverage to measurable reductions in loss event frequency, translating control investment decisions into annual loss expectancy changes.
Governance Theatre
The pattern of treating compliance as a documentation exercise rather than a risk-reduction programme, producing audit-ready artefacts while leaving the underlying security exposure unchanged.
Loss Event Frequency
The expected number of times per year that a threat actor's action will succeed and produce a loss, calculated as Threat Event Frequency multiplied by Vulnerability (the probability of success).
Monte Carlo Simulation
Computational technique that samples input variables from their probability distributions and aggregates the outcomes, producing a distribution of plausible results rather than a point estimate.
Open FAIR
Open standard governed by The Open Group that codifies the FAIR risk-quantification methodology as a reference taxonomy. The Open FAIR Body of Knowledge is the canonical specification.
Risk Appetite
Board-level statement of how much risk the organisation is prepared to accept in pursuit of its objectives, expressed quantitatively enough to guide trade-offs against control investment.
Risk Assessment
The structured process of identifying threats, estimating likelihood and impact, and producing a defensible record of which risks the organisation accepts, treats, or transfers.
Risk Quantification
The practice of expressing cyber risk as expected annual loss in monetary terms rather than ordinal labels, enabling direct comparison between risk exposure, control investment, and insurance.
Risk Register
The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.
Risk Scenario
Specific, named description of how a threat could cause loss to the organisation, written precisely enough to drive quantitative estimation of frequency and magnitude.
Threat
Anything with the potential to cause loss to an asset by exploiting a vulnerability, characterised by the actor's motivation, capability, and frequency of attempted action.
Threat Event Frequency
The expected number of times per year that a threat actor will attempt the action that could lead to a loss event, before any consideration of whether the attempt succeeds.
Threat Landscape
The evolving picture of active threat actors, attack techniques, and sector-specific conditions that organisations should factor into risk assessments rather than using generic or historical profiles.
Vulnerability
A weakness in an asset, control, or process that a threat could exploit to cause loss. In FAIR, the probability that a threat event becomes a loss event when an attempt is made.
Security Controls
Access Control
Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.
Data Breach
An incident in which personal or confidential data is accessed, disclosed, or destroyed without authorisation, triggering GDPR Article 33 and NIS2 notification obligations.
Identity and Access Management
The discipline of authenticating who someone is, deciding what they are allowed to do, and recording the decisions so they can be reviewed, revoked, or attested to over time.
Incident Response
Procedures, roles, and decisions activated when a security incident is detected, covering containment, eradication, recovery, regulatory notification, and post-incident learning.
Least Privilege
Principle that every identity should hold only the permissions required for its legitimate function, with privileges granted, time-bound, and revoked rather than accumulated.
Multi-Factor Authentication
An authentication mechanism requiring two or more independent verification factors, ensuring that credential theft alone cannot produce a successful breach.
Phishing
Social-engineering attack in which a threat actor impersonates a trusted party to induce the recipient to disclose credentials, transfer funds, or run malicious code.
Prompt Injection
An attack class in which adversarial instructions embedded in user input or retrieved content override the instructions an LLM was given in its system prompt, causing the model to act against its operator's intended behaviour.
Role-Based Access Control
A permissions model where users inherit access rights from assigned business roles rather than through per-person grants, making the access landscape manageable and auditable as headcount grows.
Supply Chain Security
The discipline of identifying, assessing, and managing the security risks introduced by third-party suppliers, sub-processors, and managed service providers throughout the contract lifecycle.
Zero Trust
A security model that removes implicit trust based on network location, requiring every access request to be authenticated and authorised regardless of whether the requestor is inside the perimeter.
Compliance Processes
After-Action Review
A structured debrief after an incident or exercise that documents what happened and what failed, producing corrective actions that feed back into the risk register and incident response playbook.
Audit Trail
Chronological record of system events, user actions, and changes to data or configuration, retained in a form that can be replayed by an auditor or investigator to reconstruct what happened.
Business Continuity Plan
Documented arrangements an organisation uses to continue delivering its essential functions through and after a disruption, including disaster scenarios that take primary systems offline.
Control Mapping
The process of aligning a single set of security controls simultaneously against two or more compliance frameworks to eliminate duplicated evidence collection where requirements overlap.
Corrective Action
Recorded response to a non-conformity or audit finding, describing the root cause, the remediation, the owner, and the evidence that closure has been verified.
Information Security Management System
The documented set of policies, procedures, and accountability that an organisation uses to manage information-security risk over time.
Joiner-Mover-Leaver
The lifecycle framework governing access provisioning at hire, modification on role change, and full revocation at departure, and one of the most frequently cited ISO 27001 access-control gaps.
Security Awareness Training
Periodic training that informs staff about security threats, organisational policy, and expected behaviours, evidenced through completion records and reinforced through ongoing communication.
Statement of Applicability
ISO 27001 document that records, for every Annex A control, whether it is applied, why it is applied, and what evidence demonstrates that it operates.
Acronyms
CISO
Senior executive accountable for the organisation's information security programme, including risk decisions, control investments, regulatory obligations, and incident response.
GRC
Umbrella discipline that ties together how an organisation directs its business (governance), how it manages uncertainty (risk), and how it satisfies external obligations (compliance).
ISO and IEC standards are trademarks of the International Organization for Standardization and the International Electrotechnical Commission. FAIR and Open FAIR are trademarks of the FAIR Institute and The Open Group respectively. Askara Solutions references these standards and frameworks for educational purposes; their authoritative texts are published by the bodies that own them.