Built for business leaders, IT managers, and compliance teams, this glossary explains the terms behind frameworks like ISO 27001, GDPR, and Cyber Essentials. From audits and data rights to risk assessments and access controls, it helps you navigate the world of regulation, evidence, and accountability – in plain English.
Compliance Standards
Key certifications and frameworks like ISO 27001, Cyber Essentials, and PCI-DSS that help demonstrate your organisation meets baseline security and regulatory requirements.
Cyber Essentials
A UK government-backed certification scheme designed to help organisations guard against the most common cyber threats. It sets out baseline controls required for cyber hygiene and is often required for government contracts.
Cyber Essentials Plus
The advanced tier of Cyber Essentials, including an independent assessment of your security controls. It involves hands-on technical verification to ensure your IT infrastructure is properly configured and secure.
ISO/IEC 27001
A globally recognised standard for managing information security. ISO/IEC 27001 helps businesses protect data, meet regulatory requirements, and implement structured security controls across people, processes, and technology.
PCI DSS v4.0
Payment Card Industry Data Security Standard, version 4.0, is a global security standard for any business that accepts, processes, stores, or transmits credit card information. Version 4.0 introduces updated requirements to address modern threats, emphasising continuous compliance, stronger authentication, and flexible security controls. It is mandatory for organisations handling cardholder data and plays a critical role in protecting payment ecosystems from breaches and fraud.
SOC (System and Organisation Controls)
A suite of assurance reports developed by the AICPA to help organisations demonstrate effective controls over data security and privacy. SOC includes three types: SOC 1, SOC 2, and SOC 3, with SOC 2 widely used by IT service providers and SaaS platforms to validate internal security practices.
SOC 2 (Service Organisation Control 2)
A widely adopted framework for demonstrating how cloud-based and technology organisations protect customer data. It focuses on five trust principles: security, availability, processing integrity, confidentiality, and privacy. Frequently requested in vendor risk assessments and compliance reviews.
NIST Cybersecurity Framework (CSF)
A voluntary framework published by the US National Institute of Standards and Technology that organises cybersecurity activity into core functions (Identify, Protect, Detect, Respond, Recover and, since version 2.0, Govern). It gives organisations a common language for assessing their current security posture, setting a target profile, and prioritising improvements, and it maps readily onto standards such as ISO/IEC 27001.
NIS2 Directive (Network and Information Security Directive 2)
An EU directive expanding cybersecurity obligations for digital infrastructure and essential service providers. It impacts sectors including energy, transport, water, banking, financial markets, healthcare, and digital services such as data centres, cloud computing, and managed IT services. NIS2 introduces stricter incident reporting timelines, mandatory risk assessments, and supply chain security obligations across these critical industries.
Information Security Management System (ISMS)
A structured framework of policies, procedures, and controls designed to manage and protect an organisation’s sensitive data. An ISMS helps identify and address risks to information assets, ensuring confidentiality, integrity, and availability. It is often implemented in accordance with standards like ISO/IEC 27001 to demonstrate a commitment to information security and regulatory compliance.
COBIT
A framework that helps organisations manage IT in a way that supports business goals. It offers clear processes for improving technology use, reducing risk, and meeting compliance requirements.
Data Protection
Regulations and processes that govern how personal data is collected, used, stored, and deleted – ensuring individuals’ rights and organisational accountability.
GDPR (General Data Protection Regulation)
The UK GDPR governs the collection, storage, and usage of personal data. It gives individuals control over their data and imposes strict rules on organisations that handle it.
DPIA (Data Protection Impact Assessment)
A formal process used to assess and mitigate the privacy risks of processing personal data. Required under the GDPR for high-risk data processing activities.
DSAR (Data Subject Access Request)
A request made by individuals to access the personal data a company holds about them. Businesses must respond within a month, providing details of what data is processed and for what purposes.
Breach Notification
A legal requirement under GDPR where businesses must notify affected individuals and regulatory bodies (such as the ICO) of certain types of data breaches within 72 hours of becoming aware.
Data Retention Policy
Outlines how long different types of data are kept. Essential for GDPR, ISO compliance, and legal defensibility.
Data Classification
The practice of labelling data based on how sensitive it is – like public, internal, or confidential. It helps businesses apply the right controls to protect information and stay compliant.
Data Minimisation
A GDPR rule that says you should only collect and keep the personal data you truly need. It reduces risk and ensures your organisation stays compliant and responsible with information.
Security Governance
The policies, roles, and oversight processes that set the direction for security within an organisation – defining what must be protected, who is accountable, and how compliance is checked and evidenced.
Security Policy
A formal document that sets out an organisation’s rules and requirements for protecting its information and systems. It ensures data is kept accurate, secure, and handled in compliance with legal, regulatory, and operational requirements, and it gives staff a clear reference for what is expected of them.
AUP (Acceptable Use Policy)
A formal document that outlines the permitted and prohibited uses of an organisation’s IT systems, networks, and data. It sets clear expectations for staff, helping to prevent security breaches, limit liability, and ensure compliance with legal and regulatory standards.
Security Roles and Responsibilities
A structured breakdown of who is accountable for different aspects of security within an organisation. This ensures that key tasks – like monitoring threats, applying patches, or managing access – are clearly assigned and consistently executed, supporting effective governance and audit-readiness.
Information Governance
The framework of policies, roles, and processes for managing information throughout its lifecycle – from creation and storage to sharing and disposal. It ensures data is accurate, secure, and handled in compliance with legal, regulatory, and operational requirements.
Access Reviews
Routine checks to ensure only the right people have access to sensitive data or systems.
Risk Assessment
The process of identifying, evaluating, and mitigating potential security vulnerabilities and compliance gaps. Regular assessments are essential for building strong, proactive defences.
TPRM (Third-Party Risk Management)
Ensures vendors and partners don’t introduce hidden security or compliance risks into your environment.
Security Tools
Practical technologies and methods that help prevent, detect, and respond to threats.
Security Awareness Training
Regular training sessions provided to employees to help them recognise cyber threats like phishing or social engineering attacks. It is one of the most effective ways to reduce human error in cybersecurity.
MFA (Multi-Factor Authentication)
An authentication method that requires more than one form of verification (e.g. password + mobile code) to grant access to a system, enhancing login security.
EDR (Endpoint Detection and Response)
An advanced security solution that monitors, detects, and responds to cyber threats on end-user devices such as laptops, desktops, and mobile phones. EDR builds on traditional endpoint protection by adding real-time threat intelligence, behavioural analysis, and automated incident response – essential for identifying sophisticated attacks and reducing breach dwell time.
Penetration Testing
Simulated cyberattacks performed by ethical hackers to uncover vulnerabilities in systems or applications. A key tool for proactively identifying weaknesses before attackers can exploit them.
SIEM (Security Information and Event Management)
A comprehensive system for collecting, analysing, and reporting on data from across the IT environment. It provides real-time visibility into threats and compliance status. See also: Intrusion Detection Systems (IDS).
Zero Trust Architecture
A security model based on strict access control and continuous verification. It assumes no implicit trust, even for users or devices inside the network perimeter.
Vulnerability Management
A structured process to find and fix software or system weaknesses – often scrutinised during ISO audits.
Patch Management
Keeps systems secure by applying updates quickly. Helps close known security gaps.
Asset Inventory
A register of all IT systems and devices. Essential for managing risk and responding to incidents.