Security & Compliance Glossary

A jargon-free glossary of terms like ISO 27001, GDPR, and Cyber Essentials - designed to help you understand audits, access, and compliance with confidence.

Built for business leaders, IT managers, and compliance teams, this glossary explains the terms behind frameworks like ISO 27001, GDPR, and Cyber Essentials. From audits and data rights to risk assessments and access controls, it helps you navigate the world of regulation, evidence, and accountability – in plain English. 

Compliance Standards

Key certifications and frameworks like ISO 27001, Cyber Essentials, and PCI-DSS that help demonstrate your organisation meets baseline security and regulatory requirements. 

Cyber Essentials

A UK government-backed certification scheme designed to help organisations guard against the most common cyber threats. It sets out baseline controls required for cyber hygiene and is often required for government contracts. 

Cyber Essentials Plus

The advanced tier of Cyber Essentials, including an independent assessment of your security controls. It involves hands-on technical verification to ensure your IT infrastructure is properly configured and secure.

ISO/IEC 27001

A globally recognised standard for managing information security. ISO/IEC 27001 helps businesses protect data, meet regulatory requirements, and implement structured security controls across people, processes, and technology.

PCI DSS v4

Payment Card Industry Data Security Standard, Version 4 is a global security standard for any business that accepts, processes, stores, or transmits credit card information. Version 4 introduces updated requirements to address modern threats, emphasising continuous compliance, stronger authentication, and flexible security controls. It is mandatory for organisations handling cardholder data and plays a critical role in protecting payment ecosystems from breaches and fraud.

SOC (System and Organization Controls)

A suite of assurance reports developed by the AICPA to help organisations demonstrate effective controls over data security and privacy. SOC includes three types: SOC 1, SOC 2, and SOC 3, with SOC 2 widely used by IT service providers and SaaS platforms to validate internal security practices.

SOC 2

A widely adopted framework for demonstrating how cloud-based and technology organisations protect customer data. It focuses on five trust principles: security, availability, processing integrity, confidentiality, and privacy. It is frequently requested in vendor risk assessments and compliance reviews.

NIS2 Directive

The NIS2 Directive sets cybersecurity rules for essential services and digital providers across the EU and UK. It strengthens requirements for incident reporting, risk management, and supply chain security, especially for sectors like energy, healthcare, finance, cloud services, and IT infrastructure.

NIS2 (Network and Information Security Directive 2)

An EU directive expanding cybersecurity obligations for digital infrastructure and essential service providers. It impacts sectors including energy, transport, water, banking, financial markets, healthcare, and digital services such as data centres, cloud computing, and managed IT services. NIS2 introduces stricter incident reporting timelines, mandatory risk assessments, and supply chain security obligations across these critical industries.

ISMS (Information Security Management System)

A structured framework of policies, procedures, and controls designed to manage and protect an organisation’s sensitive data. An ISMS helps identify and address risks to information assets, ensuring confidentiality, integrity, and availability. It is often implemented in accordance with standards like ISO/IEC 27001 to demonstrate a commitment to information security and regulatory compliance.

A framework that helps organisations manage IT in a way that supports business goals. It offers clear processes for improving technology use, reducing risk, and meeting compliance requirements.

Data Protection

Regulations and processes that govern how personal data is collected, used, stored, and deleted – ensuring individuals’ rights and organisational accountability. 

GDPR (General Data Protection Regulation)

The UK GDPR governs the collection, storage, and usage of personal data. It gives individuals control over their data and imposes strict rules on organisations that handle it. 

DPIA (Data Protection Impact Assessment)

A formal process used to assess and mitigate the privacy risks of processing personal data. It is required under the GDPR for high-risk data processing activities.

Subject Access Request (SAR)

A request made by individuals to access the personal data a company holds about them. Businesses must respond within a month, providing details of what data is processed and for what purposes.

Data Breach Notification

A legal requirement under GDPR where businesses must notify affected individuals and regulatory bodies (such as the ICO) of certain types of data breaches within 72 hours of becoming aware of them.

Data Retention Policy

A policy that outlines how long different types of data are kept. It is essential for GDPR, ISO compliance, and legal defensibility.

Data Classification

The practice of labelling data based on how sensitive it is, such as public, internal, or confidential. It helps businesses apply the right controls to protect information and stay compliant.

Data Minimisation

A GDPR principle that says you should only collect and keep the personal data you truly need. It reduces risk and ensures your organisation stays compliant and responsible with information.

Security Governance

Security Policy

The framework for managing information within an organisation. It ensures data is accurate, secure, and handled in compliance with legal, regulatory, and operational requirements. 

Acceptable Use Policy

A formal document that outlines the permitted and prohibited uses of an organisation’s IT systems, networks, and data. It sets clear expectations for staff, helping to prevent security breaches, limit liability, and ensure compliance with legal and regulatory standards.

A structured breakdown of who is accountable for different aspects of security within an organisation. This ensures that key tasks, such as monitoring threats, applying patches, or managing access, are clearly assigned and consistently executed, supporting effective governance and audit-readiness.

Access Reviews

Routine checks to ensure only the right people have access to sensitive data or systems.

Risk Assessment

The process of identifying, evaluating, and mitigating potential security vulnerabilities and compliance gaps. Regular assessments are essential for building strong, proactive defences.

Third-Party Risk Management

Ensures vendors and partners do not introduce hidden security or compliance risks into your environment.

Security Tools

Practical technologies and methods that help prevent, detect, and respond to threats. 

Security Awareness Training

Regular training sessions provided to employees to help them recognise cyber threats like phishing or social engineering attacks. It is one of the most effective ways to reduce human error in cybersecurity. 

MFA (Multi-Factor Authentication)

An authentication method that requires more than one form of verification (e.g. password + mobile code) to grant access to a system, enhancing login security.

EDR (Endpoint Detection and Response)

An advanced security solution that monitors, detects, and responds to cyber threats on end-user devices such as laptops, desktops, and mobile phones. EDR builds on traditional endpoint protection by adding real-time threat intelligence, behavioural analysis, and automated incident response, which are essential for identifying sophisticated attacks and reducing breach dwell time.

Penetration Testing

Simulated cyberattacks performed by ethical hackers to uncover vulnerabilities in systems or applications. A key tool for proactively identifying weaknesses before attackers can exploit them.

SIEM (Security Information and Event Management)

A comprehensive system for collecting, analysing, and reporting on data from across the IT environment. It provides real-time visibility into threats and compliance status. See also: Intrusion Detection Systems (IDS).

Zero Trust

A security model based on strict access control and continuous verification. It assumes no implicit trust, even for users or devices inside the network perimeter.

Vulnerability Management

A structured process to find and fix software or system weaknesses, often scrutinised during ISO audits.

Patch Management

Keeps systems secure by applying updates quickly, helping to close known security gaps.

Asset Register

A register of all IT systems and devices. It is essential for managing risk and responding to incidents.