Compliance Glossary
A comprehensive glossary of 202+ compliance, cybersecurity, and data protection terms. Search by keyword, filter by category, or browse alphabetically to understand the standards, controls, and concepts that drive modern compliance programmes.
ISO 27001
An international standard for information security management systems (ISMS) that specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS within the context of the organisation.
ISO 27002
A supplementary standard to ISO 27001 that provides a reference set of information security, cybersecurity, and privacy protection controls along with implementation guidance.
ISO 27701
An extension to ISO 27001 and ISO 27002 for privacy information management. It provides a framework for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).
ISO 22301
The international standard for business continuity management systems (BCMS). It specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a management system that protects against, reduces the likelihood of, prepares for, responds to, and recovers from disruptive incidents.
ISO 31000
An international standard providing guidelines on managing risk. It provides a common approach to managing any type of risk and is not industry or sector specific.
SOC 2
A compliance framework developed by the AICPA that defines criteria for managing customer data based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
SOC 1
An audit report focused on internal controls at a service organisation that are relevant to user entities' financial reporting, governed by SSAE 18 (AT-C 320).
SOC 3
A general-use report based on the same Trust Services Criteria as SOC 2 but designed for public distribution without detailed control descriptions.
NIST Cybersecurity Framework
A voluntary framework developed by the National Institute of Standards and Technology consisting of standards, guidelines, and best practices to manage cybersecurity risk. The framework core was originally organised around five functions (Identify, Protect, Detect, Respond, and Recover); version 2.0, published in 2024, added Govern as a sixth.
NIST SP 800-53
A catalog of security and privacy controls for federal information systems and organisations published by NIST. It provides a comprehensive set of safeguards organised into 20 control families.
NIST SP 800-171
NIST guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organisations. Revision 2 groups the security requirements into 14 families; Revision 3 (2024) expands this to 17.
GDPR
The General Data Protection Regulation is an EU regulation on data protection and privacy that governs the processing of personal data of individuals within the European Economic Area. It establishes rights for data subjects and obligations for data controllers and processors.
HIPAA
The Health Insurance Portability and Accountability Act is a US federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
PCI DSS
The Payment Card Industry Data Security Standard is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
CCPA
The California Consumer Privacy Act is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. It gives consumers rights over their personal information.
CMMC
The Cybersecurity Maturity Model Certification is a unified standard for implementing cybersecurity across the US Defence Industrial Base. CMMC 2.0 measures cybersecurity maturity across three levels (the original model defined five).
FedRAMP
The Federal Risk and Authorization Management Program is a US government-wide program that provides a standardised approach to security assessment, authorisation, and continuous monitoring for cloud products and services.
COBIT
Control Objectives for Information and Related Technologies is a framework for the governance and management of enterprise IT, created by ISACA. It helps organisations develop, organise, and implement strategies around information management and governance.
ITIL
Information Technology Infrastructure Library is a set of detailed practices for IT service management that focuses on aligning IT services with the needs of the business.
CIS Controls
A prioritised set of actions developed by the Center for Internet Security that collectively form a defence-in-depth set of best practices to mitigate the most common attacks against systems and networks.
Essential Eight
A set of baseline mitigation strategies recommended by the Australian Cyber Security Centre (ACSC) to make it much harder for adversaries to compromise systems. The eight strategies are application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.
CSA CCM
The Cloud Security Alliance Cloud Controls Matrix is a cybersecurity controls framework specifically designed for cloud computing. It maps to leading standards, best practices, and regulations.
DORA
The Digital Operational Resilience Act is an EU regulation that creates a binding framework for ICT risk management in the financial sector, covering areas like incident reporting, resilience testing, and third-party risk management.
NIS 2 Directive
The updated EU directive on the security of network and information systems that expands the scope of the original NIS Directive. It sets higher cybersecurity standards for essential and important entities across the EU.
SOX
The Sarbanes-Oxley Act is a US federal law that establishes auditing and financial regulations for public companies. It includes requirements for internal controls over financial reporting.
FISMA
The Federal Information Security Management Act of 2002 (amended by the Federal Information Security Modernization Act of 2014) is US legislation that defines a framework for protecting government information, operations, and assets against threats.
GLBA
The Gramm-Leach-Bliley Act is a US federal law requiring financial institutions to explain their information-sharing practices and to safeguard sensitive data.
FERPA
The Family Educational Rights and Privacy Act is a US federal law that protects the privacy of student education records and gives parents certain rights regarding their children's education records.
COPPA
The Children's Online Privacy Protection Act is a US federal law that imposes requirements on websites and online services directed to children under 13 regarding the collection of personal information.
EU AI Act
The European Union Artificial Intelligence Act is a regulatory framework for artificial intelligence that classifies AI systems by risk level and imposes requirements for high-risk AI systems regarding transparency, data governance, and human oversight.
APRA CPS 234
An Australian Prudential Regulation Authority standard that sets out minimum information security requirements for APRA-regulated entities including banks, insurers, and superannuation funds.
ISM
The Australian Government Information Security Manual produced by the ACSC, providing a cyber security framework for protecting systems and data. It outlines a risk-based approach to cybersecurity.
PSPF
The Australian Government Protective Security Policy Framework establishes security standards for the protection of people, information, and assets. It applies to all Australian government entities.
WCAG
The Web Content Accessibility Guidelines are an international standard for web accessibility published by the W3C. They define how to make web content more accessible to people with disabilities.
OWASP Top 10
A regularly updated awareness document representing a broad consensus about the most critical security risks to web applications, published by OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project).
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for threat models and methodologies in the cybersecurity community.
TOGAF
The Open Group Architecture Framework is an enterprise architecture methodology that provides an approach for designing, planning, implementing, and governing enterprise information technology architecture.
Access Control
The selective restriction of access to resources, data, or systems. Access control policies determine who or what can view or use resources in a computing environment, typically implementing principles like least privilege and separation of duties.
Multi-Factor Authentication
An authentication method that requires the user to provide two or more verification factors to gain access to a resource. Factors include something you know (password), something you have (token), and something you are (biometric).
Single Sign-On
An authentication scheme that allows a user to log in with a single set of credentials to access multiple independent software systems without re-authenticating.
Encryption
The process of converting information or data into a code to prevent unauthorised access. It is a critical security control for protecting data at rest, in transit, and in use.
Encryption at Rest
The protection of data stored on physical media such as hard drives, databases, or cloud storage through cryptographic techniques so that the data is unreadable without proper decryption keys.
Encryption in Transit
The protection of data as it moves between systems or networks using protocols such as TLS (the successor to the now-deprecated SSL). This prevents eavesdropping, tampering, and man-in-the-middle attacks.
Firewall
A network security device or software that monitors and filters incoming and outgoing network traffic based on an organisation's previously established security policies.
Intrusion Detection System
A device or software application that monitors a network or system for malicious activity or policy violations. Any detected activity is typically reported to an administrator or collected centrally using a SIEM system.
Intrusion Prevention System
A network security tool that monitors network and system activities for malicious activity and can take automatic actions to block or prevent those activities.
Data Loss Prevention
A strategy and set of tools to ensure that sensitive data is not lost, misused, or accessed by unauthorised users. DLP software classifies regulated and confidential data and enforces policies for sharing.
Endpoint Detection and Response
A cybersecurity technology that continuously monitors end-user devices to detect and respond to cyber threats such as ransomware and malware. EDR solutions record endpoint system activities and events.
Security Information and Event Management
A security solution that provides real-time analysis of security alerts generated by applications and network hardware. SIEM combines security information management (SIM) and security event management (SEM).
Patch Management
The process of managing software updates that address security vulnerabilities and bugs. An effective patch management strategy is critical for maintaining system security and compliance.
Application Control
A security practice that restricts the execution of applications to an approved set. This prevents malicious software, unauthorised applications, and scripts from running on endpoints.
Network Segmentation
The practice of dividing a computer network into subnetworks to improve security and performance. Each segment can have its own security controls and policies, limiting lateral movement by attackers.
Privileged Access Management
A set of cybersecurity strategies and technologies for controlling elevated (privileged) access and permissions for users, accounts, processes, and systems across an IT environment.
Least Privilege
A security principle that requires that users, programs, and processes are granted only the minimum permissions necessary to perform their intended function. This reduces the attack surface and limits potential damage.
Separation of Duties
A control principle that distributes critical tasks among multiple people to prevent fraud, error, and conflicts of interest. No single individual should have control over all aspects of any critical transaction.
Defense in Depth
A cybersecurity strategy that employs multiple layers of security controls throughout an information technology system. If one layer fails, subsequent layers continue to provide protection.
Zero Trust
A security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network perimeter. Every access request is fully authenticated, authorised, and encrypted before granting access.
Role-Based Access Control
An approach to restricting system access to authorised users based on their role within an organisation. Permissions are assigned to roles rather than to individual users.
Attribute-Based Access Control
An access control model that evaluates attributes (user, resource, environment) to determine access permissions. ABAC provides more granular control than role-based approaches.
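The three entries above (Separation of Duties, Role-Based Access Control, Attribute-Based Access Control) describe models that are easiest to compare side by side in code. The following is an added example, not part of the original glossary: a toy RBAC decision, an ABAC decision layered on top of it, and a separation-of-duties check. The role names, permission strings, clearance scale and working-hours rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Role-based model: permissions attach to roles, users hold roles.
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "finance_clerk": {"payment:create", "report:read"},
    "finance_approver": {"payment:approve", "report:read"},
}

# Separation-of-duties rule: role pairs a single person may not hold together.
SOD_CONFLICTS = {frozenset({"finance_clerk", "finance_approver"})}


@dataclass
class User:
    name: str
    roles: set
    department: str
    clearance: int          # 1 = public ... 4 = restricted (assumed scale)


@dataclass
class Resource:
    owner_dept: str
    classification: int     # same scale as clearance
    kind: str


def sod_violations(user):
    """Return the conflicting role pairs this user holds; an empty set means compliant."""
    return {pair for pair in SOD_CONFLICTS if pair <= user.roles}


def rbac_allows(user, action):
    """RBAC decision: allowed if any role held by the user carries the permission."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def abac_allows(user, action, resource, now):
    """ABAC decision: combine subject, resource and environment attributes.
    Reading a report needs the RBAC permission *and* sufficient clearance
    *and* membership of the owning department *and* a working-hours request."""
    if not rbac_allows(user, action):
        return False
    if action != "report:read":
        return True
    in_hours = time(8, 0) <= now <= time(18, 0)
    return (user.clearance >= resource.classification
            and user.department == resource.owner_dept
            and in_hours)


# Constructed sample subjects and resource (invented, not real data).
ALICE = User("alice", {"analyst"}, "marketing", clearance=2)
BOB = User("bob", {"finance_clerk", "finance_approver"}, "finance", clearance=3)
PAYROLL_REPORT = Resource(owner_dept="finance", classification=3, kind="report")


def summary():
    """Decisions for the sample data, returned so they can be checked."""
    return {
        "alice_rbac_read": rbac_allows(ALICE, "report:read"),
        "alice_abac_read": abac_allows(ALICE, "report:read", PAYROLL_REPORT, time(10, 0)),
        "bob_abac_read_in_hours": abac_allows(BOB, "report:read", PAYROLL_REPORT, time(10, 0)),
        "bob_abac_read_after_hours": abac_allows(BOB, "report:read", PAYROLL_REPORT, time(23, 0)),
        "bob_sod_violation": bool(sod_violations(BOB)),
    }


if __name__ == "__main__":
    for decision, result in summary().items():
        print(f"{decision}: {result}")
```

Alice's role grants `report:read`, so RBAC alone would let her open the payroll report; ABAC denies it because her clearance and department do not match the resource. Bob passes ABAC during working hours and fails after hours, and the SoD check flags him because he can both create and approve payments.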
Configuration Management
The process of systematically handling changes to a system in a way that maintains integrity over time. In security, it ensures systems are configured according to approved baselines.
Change Management
A systematic approach to dealing with the transition or transformation of organisational goals, processes, or technologies. In IT, it ensures changes are implemented with minimum disruption and risk.
Security Baseline
A set of minimum security standards and configurations that all systems within an organisation must meet. Baselines provide a foundation for measuring compliance and identifying deviations.
Hardening
The process of reducing a system's attack surface by removing unnecessary software, disabling unused services, and applying security configurations. Hardened systems are more resistant to exploitation.
Log Management
The process of generating, collecting, centralising, parsing, storing, and analysing log data from various sources for security monitoring, troubleshooting, and compliance purposes.
Backup and Recovery
The process of creating copies of data that can be used to restore the original after a data loss event. A robust backup strategy is essential for business continuity and disaster recovery.
Data Controller
Under GDPR, the natural or legal person, public authority, agency, or other body that determines the purposes and means of processing personal data. The controller bears primary responsibility for compliance.
Data Processor
Under GDPR, a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Processors must follow the controller's documented instructions and implement appropriate security measures.
Data Subject
An identified or identifiable natural person whose personal data is collected, held, or processed. Data subjects have specific rights under privacy regulations such as GDPR and CCPA.
Personal Data
Any information relating to an identified or identifiable natural person. This includes names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Personally Identifiable Information
Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information. PII includes names, Social Security numbers, biometric records, and other data linkable to an individual.
Protected Health Information
Under HIPAA, any information about health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. PHI includes medical records, lab results, and insurance information.
Data Protection Impact Assessment
A process designed to help organisations systematically analyse, identify, and minimise the data protection risks of a project or plan. DPIAs are required under GDPR for processing likely to result in high risk.
Privacy by Design
An approach to systems engineering that takes privacy into account throughout the whole engineering process. It calls for privacy to be considered from the initial design stage rather than as an afterthought.
Privacy by Default
A principle that requires organisations to implement appropriate measures to ensure that, by default, only personal data necessary for each specific purpose is processed. This applies to the amount of data collected, the extent of processing, the period of storage, and accessibility.
Data Minimisation
A principle that limits the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose. Organisations should not collect or retain more data than required.
Purpose Limitation
A data protection principle stating that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
Data Retention
Policies and procedures governing how long data is kept before being securely deleted or archived. Retention periods should be based on legal requirements, business needs, and data protection principles.
Right to Erasure
Also known as the right to be forgotten, this is a data subject right under GDPR that allows individuals to request the deletion of their personal data when there is no compelling reason for its continued processing.
Right to Access
A data subject right that allows individuals to obtain confirmation as to whether their personal data is being processed, and if so, to access that data and information about how it is being used.
Data Portability
The right that allows individuals to receive their personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller without hindrance.
Consent Management
The process of obtaining, recording, and managing user consent for data collection and processing activities. Under GDPR, consent must be freely given, specific, informed, and unambiguous.
Cross-Border Data Transfer
The movement of personal data from one jurisdiction to another. Many privacy regulations restrict international data transfers unless adequate data protection safeguards are in place.
Anonymisation
The process of removing or modifying personal data so that it can no longer be attributed to a specific individual by any means reasonably likely to be used. Properly anonymised data falls outside the scope of GDPR (Recital 26), but the bar is irreversibility in practice: stripping names while leaving unique combinations of other attributes does not meet it.
Pseudonymisation
The processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information. Unlike anonymisation, pseudonymised data is still considered personal data under GDPR.
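The difference between the two entries above is easiest to see when both are applied to the same records. The following is an added example, not part of the original glossary: keyed-HMAC pseudonymisation that stays linkable and reversible for whoever holds the key, next to generalisation-based anonymisation with a k-anonymity check that shows why generalisation alone is not automatically enough. The records, the key and the column names are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records; the people and values are invented.
RECORDS = [
    {"email": "a.nguyen@example.org", "postcode": "SW1A 1AA", "age": 34, "condition": "asthma"},
    {"email": "b.okafor@example.org", "postcode": "SW1A 2BB", "age": 41, "condition": "diabetes"},
    {"email": "a.nguyen@example.org", "postcode": "SW1A 1AA", "age": 34, "condition": "eczema"},
]
# Assumed secret held separately from the dataset (GDPR's 'additional information').
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"


def pseudonym(identifier, key):
    """Keyed HMAC, truncated. Deterministic, so one person's rows stay linkable,
    but not computable without the key (an unkeyed SHA-256 could be brute-forced
    from any list of known e-mail addresses)."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a pseudonym; quasi-identifiers stay intact."""
    return [{"pid": pseudonym(r["email"], key), **{k: v for k, v in r.items() if k != "email"}}
            for r in records]


def reidentify(pseudo_records, key, candidate_emails):
    """Reverse the pseudonymisation: whoever holds the key and a candidate list
    recovers identities, which is why GDPR still treats the output as personal data."""
    lookup = {pseudonym(e, key): e for e in candidate_emails}
    return {r["pid"]: lookup.get(r["pid"]) for r in pseudo_records}


def anonymise(records):
    """Drop the direct identifier and generalise quasi-identifiers. No key exists
    that reverses this, and linkage between one person's rows is lost."""
    out = []
    for r in records:
        decade = (r["age"] // 10) * 10
        out.append({
            "postcode_area": r["postcode"].split()[0],     # 'SW1A 1AA' -> 'SW1A'
            "age_band": f"{decade}-{decade + 9}",
            "condition": r["condition"],
        })
    return out


def k_anonymity(rows, quasi_identifiers):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means some row is unique on those columns and may be re-identified
    by linking it with another dataset, so the output is not yet anonymous."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print("pseudonymised:", pseudo)
    print("re-identified with key:", reidentify(pseudo, PSEUDONYM_KEY, [r["email"] for r in RECORDS]))
    anon = anonymise(RECORDS)
    print("anonymised:", anon)
    print("k on (postcode_area, age_band):", k_anonymity(anon, ["postcode_area", "age_band"]))
```

On this sample the anonymised output has k = 1 on (postcode_area, age_band): the single 40-49 row is unique, so a wider age band or postcode area would be needed before the data could be treated as outside GDPR's scope.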
Data Breach Notification
The requirement for organisations to notify relevant authorities and affected individuals when a data breach involving personal data occurs. Under GDPR, notification to the supervisory authority must occur within 72 hours of the controller becoming aware of the breach, where feasible.
Data Classification
The process of organising data into categories based on its sensitivity and the impact its unauthorised disclosure, alteration, or destruction would have. Common levels include public, internal, confidential, and restricted.
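The Data Loss Prevention entry above says DLP tools classify regulated data and enforce policies, and the entry immediately above lists the usual classification levels. The following is an added example, not code from the original glossary or from any DLP product: a small classifier that scans documents for card numbers and US Social Security numbers, validates card candidates with the Luhn checksum to avoid false positives, and assigns one of the four levels. The sample documents, keyword list and the "PUBLIC:" marker convention are constructed assumptions; the card and SSN values are synthetic test numbers.

```python
import re

LEVELS = ("public", "internal", "confidential", "restricted")

# Patterns for two regulated identifiers; card candidates are validated further below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")      # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONFIDENTIAL_WORDS = ("contract", "salary", "merger")   # assumed keyword policy

# Constructed sample documents (synthetic values, no real people or accounts).
SAMPLES = {
    "newsletter.txt": "PUBLIC: our Q3 webinar schedule is now live on the website.",
    "roadmap.md": "Planned feature list for next quarter; do not share externally.",
    "supplier.txt": "Draft contract terms with the supplier, salary bands attached.",
    "ticket-4471.txt": "Customer called about card 4111 1111 1111 1111 declined at checkout.",
    "invoice.txt": "Order ref 4111-1111-1111-1112, ship to warehouse B.",
    "hr-note.txt": "Employee SSN 123-45-6789 requires update in payroll.",
}


def luhn_ok(digits):
    """Luhn checksum. Every real card number passes it, so a failing candidate
    (order references, phone numbers) can be discarded as a false positive."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_findings(text):
    """Return the regulated identifiers actually present in the text.
    Only the last four digits are kept, so the finding itself is not sensitive."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()[-4:]))
    return findings


def classify(text):
    """Assign the highest level triggered. Anything not explicitly marked public
    defaults to internal, so an unlabelled document is never treated as public."""
    findings = find_findings(text)
    if findings:
        return "restricted", findings
    if any(word in text.lower() for word in CONFIDENTIAL_WORDS):
        return "confidential", []
    if text.startswith("PUBLIC:"):
        return "public", []
    return "internal", []


def classify_all(samples=SAMPLES):
    return {name: classify(text)[0] for name, text in samples.items()}


if __name__ == "__main__":
    for name, level in classify_all().items():
        print(f"{name:16} {level}")
```

The invoice contains a 16-digit number that fails Luhn, so it is not escalated to restricted; the support ticket carries a valid test PAN and is.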
Data Sovereignty
The concept that data is subject to the laws and governance structures of the country in which it is collected or processed. It affects where data can be stored and how it must be protected.
Risk Assessment
The process of identifying, analysing, and evaluating risks to an organisation's information assets. It involves determining the likelihood and impact of potential threats and vulnerabilities.
Risk Management
The coordinated activities to direct and control an organisation with regard to risk. It includes risk identification, risk analysis, risk evaluation, risk treatment, and risk monitoring.
Risk Appetite
The amount and type of risk that an organisation is willing to pursue or retain in order to meet its strategic objectives. Risk appetite guides decision-making about acceptable risk levels.
Risk Tolerance
The degree of variability in outcomes that an organisation is willing to withstand. While risk appetite is a broad-level statement, risk tolerance is more specific and measurable.
Risk Treatment
The process of selecting and implementing measures to modify risk. Treatment options include risk avoidance, risk mitigation, risk transfer (e.g., insurance), and risk acceptance.
Risk Register
A document used as a risk management tool to record identified risks, their severity, and the actions taken to mitigate them. It serves as a central repository for all risk-related information.
Residual Risk
The risk that remains after controls and mitigation measures have been applied. Organisations must decide whether the residual risk level is acceptable within their risk appetite.
Inherent Risk
The level of risk in a process or activity before any controls or mitigation measures are applied. Comparing inherent risk to residual risk shows the effectiveness of implemented controls.
Threat Modeling
A structured approach for identifying and prioritising potential threats to a system, determining the value that potential mitigations would have, and deciding where to apply resources to mitigate threats.
Business Impact Analysis
A systematic process to determine and evaluate the potential effects of an interruption to critical business operations. BIA identifies time-sensitive or critical business functions and resources.
Business Continuity
The capability of an organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. It includes planning, preparation, and maintenance of operations.
Disaster Recovery
The process, policies, and procedures related to preparing for recovery of technology infrastructure critical to an organisation after a natural or human-induced disaster.
Incident Response
An organised approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage, reduces recovery time and costs.
Incident Response Plan
A documented set of instructions or procedures to detect, respond to, and limit consequences of a security incident. It typically includes preparation, identification, containment, eradication, recovery, and lessons learned phases.
Information Security Policy
A set of rules, guidelines, and practices that prescribe how an organisation manages, protects, and distributes sensitive information. It forms the foundation of an organisation's security programme.
Acceptable Use Policy
A document that outlines the rules and guidelines for using an organisation's IT resources. It defines what users can and cannot do with company systems, networks, and data.
Governance, Risk, and Compliance
An integrated approach to managing an organisation's governance, enterprise risk management, and compliance with regulations. GRC helps organisations align IT with business objectives while managing risk.
Information Security Governance
The system by which an organisation directs and controls information security. It specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated.
Compliance Framework
A structured set of guidelines, best practices, and controls that organisations follow to meet regulatory requirements, industry standards, or internal policies. Compliance frameworks help ensure consistent and measurable security practices.
Control Framework
A systematic set of controls or safeguards designed to manage information security risks. Control frameworks like NIST SP 800-53 and ISO 27002 provide comprehensive catalogs of controls organised by domain.
Control Mapping
The process of identifying relationships and overlaps between controls across different frameworks. Control mapping enables organisations to satisfy multiple compliance requirements with shared implementations.
Control Objective
A statement of the desired result or purpose to be achieved by implementing controls. Control objectives define what a control is intended to accomplish in terms of risk reduction or compliance.
Maturity Model
A framework that describes the progression of capabilities through defined levels of maturity. In cybersecurity, maturity models such as CMMC help organisations assess and improve their security posture incrementally.
Key Risk Indicator
A metric used to provide an early signal of increasing risk exposure in various areas of an organisation. KRIs are used to monitor risk trends and trigger risk management actions.
Key Performance Indicator
A measurable value that demonstrates how effectively an organisation is achieving key business or security objectives. In compliance, KPIs track control effectiveness and programme maturity.
Third-Party Risk Management
The process of analysing and controlling risks associated with outsourcing to third-party vendors or service providers. It involves assessing vendor security postures and monitoring ongoing compliance.
Supply Chain Security
The efforts to enhance the security of the supply chain, including managing cyber risks associated with suppliers, vendors, logistics, and the transportation of goods.
Security Awareness Training
Educational programmes designed to teach employees about cybersecurity threats, safe computing practices, and organisational security policies. Regular training reduces the risk of human error leading to security breaches.
Statement of Applicability
A key document in ISO 27001 that identifies which controls from Annex A are applicable to the organisation's ISMS and justifies any exclusions. The SoA links risk assessment results to security controls.
Internal Audit
An independent, objective assurance activity designed to add value and improve an organisation's operations. Internal audits evaluate the effectiveness of risk management, control, and governance processes.
External Audit
An independent examination of an organisation's systems, processes, or financial statements conducted by an external party. External audits provide assurance to stakeholders and may be required for compliance certification.
Certification Audit
A formal audit conducted by an accredited certification body to determine whether an organisation's management system meets the requirements of a specific standard such as ISO 27001.
Surveillance Audit
A periodic audit conducted between certification audits to ensure an organisation continues to maintain compliance with the certified standard. Surveillance audits are typically annual.
Gap Analysis
A process of comparing an organisation's current state of compliance against the requirements of a target framework or standard. The analysis identifies gaps that must be addressed to achieve compliance.
Self-Assessment
An internal evaluation where an organisation measures its own compliance posture against a framework or standard. Self-assessments help identify areas for improvement before formal external audits.
Readiness Assessment
An evaluation conducted to determine how prepared an organisation is for a formal audit or certification process. It identifies gaps and areas needing remediation before the official assessment.
Penetration Testing
A simulated cyberattack against a system to check for exploitable vulnerabilities. Penetration tests are conducted by authorised security professionals who attempt to breach systems using the same techniques as attackers.
Vulnerability Assessment
The process of identifying, quantifying, and prioritising the vulnerabilities in a system. Unlike penetration testing, vulnerability assessments identify weaknesses without actively exploiting them.
Vulnerability Scanning
The automated process of proactively identifying security vulnerabilities in systems, applications, and network infrastructure using specialised scanning tools.
Red Team
A group of security professionals authorised to simulate real-world attacks against an organisation to test defences. Red team exercises are broader and more realistic than standard penetration tests.
Blue Team
A group of security professionals responsible for defending an organisation's information systems by maintaining security infrastructure, identifying vulnerabilities, and responding to incidents.
Purple Team
A collaborative approach where red team (offensive) and blue team (defensive) security professionals work together to maximise security improvements. Purple teaming combines attack simulation with defensive response.
Tabletop Exercise
A discussion-based exercise where key personnel walk through a simulated incident scenario. Tabletop exercises test incident response plans and identify gaps in procedures without disrupting operations.
Evidence Collection
The process of gathering documentation, artifacts, and records to demonstrate compliance with specific controls or requirements. Evidence may include policies, configuration screenshots, logs, and test results.
Audit Trail
A chronological set of records providing documentary evidence of the sequence of activities that have affected a specific operation, procedure, or event. Audit trails are essential for accountability and forensic investigation.
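An audit trail is only evidence if its integrity can be checked, which the entry above leaves implicit: an attacker who can edit or delete log entries can also erase the record of doing so. The following is an added example, not code from the original glossary or from any logging product: a hash-chained trail where every entry commits to the previous one, plus a verifier that reports the first broken link. The sample events are constructed, and the external "anchor" of the head hash is an assumed design choice described in the comments.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(prev_hash, record):
    """Hash of the previous entry's hash plus a canonical serialisation of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(trail, record):
    """Append a record chained to the current head. Returns the new head hash."""
    prev = trail[-1]["hash"] if trail else GENESIS
    trail.append({"prev": prev, "record": copy.deepcopy(record), "hash": _entry_hash(prev, record)})
    return trail[-1]["hash"]


def verify(trail, expected_head=None):
    """Walk the chain from genesis. Returns (True, None) if intact, otherwise
    (False, index) of the first entry whose link or content does not check out.
    `expected_head` is the head hash last recorded outside the trail (for
    instance in a write-once store); without such an anchor, silently dropping
    the newest entries cannot be detected."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)
    return True, None


# Constructed sample events (timestamps, users and targets are invented).
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T09:05:12Z", "user": "alice", "action": "grant_role", "target": "bob", "role": "admin"},
    {"ts": "2024-05-01T09:07:40Z", "user": "bob", "action": "read", "target": "payroll.csv"},
]


def build_trail(events=EVENTS):
    trail = []
    for event in events:
        append(trail, event)
    return trail


def tamper_demo():
    """Intact trail versus three manipulations: an edited record, a deleted
    middle entry, and a truncated tail (with and without an external anchor)."""
    intact = build_trail()
    head = intact[-1]["hash"]                      # value that would be anchored externally

    edited = build_trail()
    edited[1]["record"]["target"] = "alice"        # rewrite who received admin

    deleted = build_trail()
    del deleted[1]                                 # remove the grant entry altogether

    truncated = build_trail()[:2]                  # drop the newest entry

    return {
        "intact": verify(intact, head),
        "edited": verify(edited, head),
        "deleted": verify(deleted, head),
        "truncated_no_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, head),
    }


if __name__ == "__main__":
    for scenario, result in tamper_demo().items():
        print(f"{scenario:22} {result}")
```

Editing or deleting an interior entry breaks the chain at that index; truncating the tail only shows up when the verifier is given the previously recorded head, which is why the head should be copied somewhere the log writer cannot modify.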
Continuous Monitoring
The ongoing awareness of information security, vulnerabilities, and threats to support organisational risk management decisions. Continuous monitoring automates the detection of security control deviations.
Continuous Compliance
An approach to compliance management that uses automated monitoring and assessment to maintain compliance in real time rather than through periodic manual reviews.
Remediation Plan
A structured action plan that outlines the steps an organisation will take to address identified security gaps, vulnerabilities, or audit findings. It includes timelines, responsibilities, and success criteria.
Corrective Action
Steps taken to eliminate the causes of an existing nonconformity, defect, or other undesirable situation in order to prevent recurrence. In compliance, corrective actions address audit findings.
Non-Conformity
A deviation from a specified requirement or standard. In audit contexts, non-conformities can be major (significant deviation) or minor (isolated, not systemic) and require corrective action.
Attestation
A formal declaration or certification by an independent party confirming that an organisation meets specified criteria or standards. SOC reports are a common form of attestation.
Compliance Posture
The overall status of an organisation's compliance with applicable regulations, standards, and internal policies. A strong compliance posture indicates effective controls and minimal gaps.
Transport Layer Security
A cryptographic protocol designed to provide communications security over a computer network. TLS, the successor to SSL, is widely used for securing web traffic via HTTPS.
Public Key Infrastructure
A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
Digital Certificate
An electronic document used to prove the ownership of a public key. Digital certificates include information about the key, the identity of its owner, and the digital signature of a certificate authority.
Virtual Private Network
A technology that creates an encrypted, authenticated tunnel over a less trusted network, such as the internet. VPNs extend a private network across a public network, enabling users to send and receive data as if their devices were directly connected to it.
Web Application Firewall
A specific form of application firewall that filters, monitors, and blocks HTTP traffic to and from a web service. WAFs protect against common web exploits such as SQL injection and cross-site scripting.
Secure Software Development Lifecycle
An approach to software development that integrates security practices at every phase of the development lifecycle, from requirements gathering through design, implementation, testing, deployment, and maintenance.
DevSecOps
An approach that integrates security practices within the DevOps process. DevSecOps creates a culture where security is a shared responsibility throughout the entire IT lifecycle.
Container Security
The practice of protecting containerised applications and their infrastructure. It encompasses image scanning, runtime security, orchestration security, and network policies for container environments.
Cloud Security
The broad set of policies, technologies, applications, and controls utilised to protect virtualised IP, data, applications, services, and the associated infrastructure of cloud computing.
Identity and Access Management
A framework of business processes, policies, and technologies that facilitates the management of electronic or digital identities. IAM ensures that the right individuals access the right resources at the right times.
Security Orchestration, Automation, and Response
A collection of software solutions and tools that allow organisations to streamline security operations. SOAR platforms collect threat data, automate responses, and manage incident response workflows.
API Security
The practice of protecting application programming interfaces from attacks and misuse. API security involves authentication, authorisation, rate limiting, input validation, and encryption of API communications.
Tokenisation
The process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token. Tokens retain essential information about the data without compromising its security.
Key Management
The management of cryptographic keys in a cryptosystem. This includes key generation, exchange, storage, use, rotation, and destruction. Effective key management is essential for maintaining encryption security.
Security Operations Centre
A centralised unit that deals with security issues on an organisational and technical level. A SOC team monitors, detects, investigates, and responds to cybersecurity incidents around the clock.
Threat Intelligence
Evidence-based knowledge about existing or emerging threats to an organisation's assets. Threat intelligence helps organisations make informed decisions about how to prevent and respond to cyber threats.
Indicators of Compromise
Forensic artifacts or observable data that indicate potentially malicious activity on a system or network. IOCs include unusual network traffic, suspicious file changes, and anomalous user behaviour.
Malware
Software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system. Types include viruses, worms, trojans, ransomware, and spyware.
Ransomware
A type of malicious software designed to block access to a computer system or data until a sum of money is paid. Ransomware typically encrypts files and demands payment in cryptocurrency.
Phishing
A type of social engineering attack where attackers send fraudulent communications that appear to come from a reputable source, usually through email, to steal sensitive data or install malware.
Denial of Service
A cyberattack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the internet.
Man-in-the-Middle Attack
A cyberattack where the attacker secretly relays and possibly alters communications between two parties who believe they are directly communicating with each other.
SQL Injection
A code injection technique that exploits security vulnerabilities in an application's database layer. It allows attackers to interfere with the queries that an application makes to its database.
Cross-Site Scripting
A type of security vulnerability found in web applications where attackers inject malicious client-side scripts into web pages viewed by other users. XSS enables attackers to bypass access controls.
Zero-Day Vulnerability
A software security flaw that is unknown to the software vendor or to antivirus vendors. Zero-day vulnerabilities can be exploited by attackers before the developer has had a chance to create a fix.
Attack Surface
The sum of all possible entry points for unauthorised access into a system. Reducing the attack surface is a fundamental security strategy that involves removing unnecessary services and access points.
Cryptography
The practice and study of techniques for secure communication in the presence of adversaries. Modern cryptography involves mathematical algorithms for data confidentiality, integrity, authentication, and non-repudiation.
Hash Function
A mathematical algorithm that maps data of arbitrary size to a fixed-size output. Cryptographic hash functions are used for data integrity verification, password storage, and digital signatures.
Digital Forensics
The process of uncovering and interpreting electronic data for use in legal proceedings or investigations. Digital forensics involves the preservation, identification, extraction, and documentation of computer evidence.
IRAP
The Information Security Registered Assessors Program is an Australian Signals Directorate initiative that endorses qualified ICT security professionals to assess the implementation of the ISM.
Common Criteria
An international standard (ISO/IEC 15408) for computer security certification. It provides a framework for evaluating the security properties of IT products and systems at various Evaluation Assurance Levels (EAL).
SWIFT Customer Security Programme
A set of mandatory and advisory security controls for institutions connected to the SWIFT network. The programme helps financial institutions secure their local SWIFT-related infrastructure.
NERC CIP
North American Electric Reliability Corporation Critical Infrastructure Protection standards are a set of requirements designed to secure the assets required for operating the bulk electric system in North America.
IEC 62443
An international series of standards addressing cybersecurity for operational technology in automation and control systems. It defines security requirements across system integrators, asset owners, and product suppliers.
HITRUST CSF
A certifiable framework that provides organisations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management, particularly popular in the healthcare industry.
FDA 21 CFR Part 11
A US regulation that defines the criteria under which electronic records and electronic signatures are considered trustworthy and equivalent to paper records and handwritten signatures in the pharmaceutical and medical device industries.
Basel III
An international regulatory framework for banks developed by the Basel Committee on Banking Supervision. It establishes requirements for bank capital adequacy, stress testing, and market liquidity risk.
MAS TRM
The Monetary Authority of Singapore Technology Risk Management Guidelines provide risk management principles and best practices for technology risk governance in financial institutions.
PSD2
The revised Payment Services Directive is an EU regulation for electronic payment services. PSD2 introduces requirements for strong customer authentication and opens banking APIs to third-party providers.
HL7 FHIR
Health Level Seven Fast Healthcare Interoperability Resources is a standard for exchanging healthcare information electronically. FHIR defines a set of resources and APIs for health data exchange.
ISO 13485
An international standard for quality management systems in the design and manufacture of medical devices. It ensures that organisations consistently meet customer and regulatory requirements.
Cyber Essentials
A UK government-backed scheme that helps organisations protect against the most common cyber threats. It covers five key controls: firewalls, secure configuration, access control, malware protection, and patch management.
TISAX
Trusted Information Security Assessment Exchange is a standard for information security in the automotive industry based on the VDA Information Security Assessment (VDA ISA) catalogue.
NIST AI RMF
The NIST Artificial Intelligence Risk Management Framework provides guidance for managing risks associated with AI systems. It helps organisations design, develop, deploy, and use AI systems responsibly.
ISO 42001
The international standard for artificial intelligence management systems (AIMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system.
AICPA Trust Services Criteria
A set of control criteria used as the basis for SOC 2 reports. The five categories are security (common criteria), availability, processing integrity, confidentiality, and privacy.
COSO
A framework for internal control and enterprise risk management published by the Committee of Sponsoring Organizations of the Treadway Commission. COSO provides guidance on internal control, risk management, and fraud deterrence.
NIST Privacy Framework
A voluntary tool developed by NIST to help organisations identify and manage privacy risk. It follows a structure similar to the NIST Cybersecurity Framework with Identify, Govern, Control, Communicate, and Protect functions.
Cloud Controls Matrix
A cybersecurity control framework for cloud computing published by the Cloud Security Alliance. It is specifically designed to provide fundamental security principles and is aligned with other industry standards.
StateRAMP
A programme that provides a standardised approach for state and local governments to verify cloud product security, modelled after the federal FedRAMP programme.
TX-RAMP
The Texas Risk and Authorization Management Program provides a standardised approach for security assessment, authorisation, and continuous monitoring of cloud computing services used by Texas state agencies.
ACSC Essential Eight Maturity Model
A model that defines three maturity levels for each of the Australian Cyber Security Centre Essential Eight mitigation strategies, helping organisations prioritise implementation based on their threat profile.
ASD ISM
The Australian Signals Directorate Information Security Manual is the Australian Government standard for protecting ICT systems. It provides guidance on system hardening, access control, cryptography, and network security.
Privacy Act 1988
The primary piece of Australian legislation governing the handling of personal information about individuals. It includes thirteen Australian Privacy Principles that govern the collection, use, and disclosure of personal information.
Notifiable Data Breaches Scheme
An Australian scheme requiring organisations covered by the Privacy Act 1988 to notify affected individuals and the Office of the Australian Information Commissioner when a data breach is likely to result in serious harm.
SOX Compliance
The process of meeting the requirements set forth in the Sarbanes-Oxley Act, including establishing and maintaining internal controls over financial reporting and conducting annual audits of those controls.
ITAR
The International Traffic in Arms Regulations are US regulations that control the export and import of defence-related articles and services. ITAR compliance involves strict data access controls and citizenship requirements.
EAR
The Export Administration Regulations are a set of US regulations governing the export and re-export of commercial and dual-use goods, software, and technology. EAR is administered by the Bureau of Industry and Security.
PIPEDA
The Personal Information Protection and Electronic Documents Act is the Canadian federal privacy law for private-sector organisations. It sets out the ground rules for how businesses must handle personal information.
LGPD
Lei Geral de Protecao de Dados is Brazil's general data protection law that regulates the processing of personal data. It is similar to GDPR and establishes principles, rights, and obligations for data processing.
PDPA
The Personal Data Protection Act is data protection legislation in several countries (Singapore, Thailand, Malaysia) governing the collection, use, and disclosure of personal data by organisations.
Frequently Asked Questions
What is a compliance framework?
A compliance framework is a structured set of guidelines, controls, and best practices that organisations follow to meet regulatory requirements, manage risk, and protect data. TheArtOfService covers 692+ frameworks including ISO 27001, NIST CSF, SOC 2, GDPR, and many more.
What is the difference between a standard and a regulation?
A standard (e.g. ISO 27001, SOC 2) is a voluntary set of requirements published by a standards body that organisations choose to adopt, often to demonstrate trust. A regulation (e.g. GDPR, HIPAA) is a legally binding requirement imposed by a government or regulatory authority. Non-compliance with regulations can result in fines and legal penalties.
What is cross-framework control mapping?
Cross-framework control mapping identifies overlapping controls between different compliance frameworks, allowing organisations to implement a control once and satisfy multiple standards simultaneously. TheArtOfService provides 819K+ pre-computed control mappings across 692+ frameworks.
Social Engineering
The psychological manipulation of people into performing actions or divulging confidential information. Social engineering exploits human behaviour rather than technical vulnerabilities.