Glossary
The vocabulary of GRC, in plain English first. Use search and filters to find what you need quickly.
Anything of value to the organization — data, systems, people, facilities, intellectual property.
Why it matters: Risk only exists in relation to an asset. You cannot rate a risk without naming the asset at stake.
Example: The customer database is an asset; the marketing blog usually is not.
The authoritative list of assets in scope for a security program, including ownership and classification.
Why it matters: First control in nearly every framework. Without it, every other control has gaps.
A formal management decision by a senior official authorizing a system to operate and accepting the residual risk.
Why it matters: The deliverable that ends the NIST RMF process; required to operate federal systems.
The reference list of 93 information security controls in ISO/IEC 27001:2022.
Why it matters: The catalog you pull from when building the Statement of Applicability.
A formal assurance report issued by a licensed practitioner (e.g., a CPA firm) about an assertion by management.
Why it matters: SOC 2 is an attestation, not a certification — the wording matters in contracts.
A chronological record of activity sufficient to reconstruct who did what when.
Why it matters: Foundational for forensics and most logging-related controls.
Verifying that an entity is who it claims to be.
Why it matters: Half of access control (the other half is authorization).
Determining what an authenticated entity is allowed to do.
Why it matters: Most least-privilege failures are authorization failures, not authentication failures.
Contract required under HIPAA between a covered entity and a vendor that handles ePHI on its behalf.
Why it matters: Without a BAA, the vendor relationship is non-compliant with HIPAA.
A minimum standard configuration or control set applied across like systems.
Why it matters: Drift from baseline is one of the most common audit findings.
Unauthorized access, acquisition, use, or disclosure of protected data.
Why it matters: Defined precisely by regulation (GDPR, HIPAA, state laws) — definitions trigger notification clocks.
Documented plan to maintain or restore business operations during and after a disruption.
Why it matters: Required by most frameworks; tested annually at minimum.
Analysis identifying critical processes and the impact of their disruption over time.
Why it matters: Drives RTO/RPO targets and BCP/DR investment priorities.
California Consumer Privacy Act and its successor; grants California residents privacy rights similar to GDPR.
Why it matters: The most influential U.S. state privacy law; many other states model on it.
Confidentiality, Integrity, Availability — the three foundational properties of information security.
Why it matters: Risks and controls are usually framed around which of the three they protect.
Cybersecurity Maturity Model Certification — the U.S. DoD's certification program for defense contractors.
Why it matters: Required to bid on most DoD contracts.
An alternative control that achieves the intent of a primary control when the primary control cannot be implemented.
Why it matters: Common in PCI DSS and exception management.
Establishing, maintaining, and verifying the configuration of systems against a baseline.
Why it matters: Drift from baseline is a leading audit finding.
A safeguard or countermeasure that reduces risk by preventing, detecting, or correcting an event.
Why it matters: Controls are the building blocks of every security program and audit.
The person accountable for the design and operation of a control.
Why it matters: Auditors test by interviewing owners. Unowned controls are unmanageable.
A mapping that shows where requirements in one framework correspond to another.
Why it matters: Lets one control satisfy many requirements; reduces audit effort.
Controlled Unclassified Information — U.S. government information requiring safeguarding per law or policy.
Why it matters: Drives CMMC Level 2 scope.
Categorizing data by sensitivity to determine handling and protection requirements.
Why it matters: Drives encryption, access, retention, and destruction decisions.
An identified or identifiable natural person whose personal data is processed.
Why it matters: GDPR rights belong to data subjects.
Data Subject Access Request — an individual's request to know what personal data an org holds about them.
Why it matters: GDPR requires response within one month.
A control that identifies when an event has occurred (e.g., logging, monitoring, IDS).
Why it matters: One leg of the prevent/detect/correct triad.
Layered controls so the failure of any one does not result in compromise.
Why it matters: Justification for controls that look 'redundant.'
Data Protection Impact Assessment — required under GDPR for high-risk processing.
Why it matters: Demonstrates accountability and surfaces privacy risks before they become incidents.
Data Protection Officer — required role for some organizations under GDPR.
Why it matters: Independent advisor reporting to the highest management level.
Protecting data while stored on disk (rest) and while moving across networks (transit).
Why it matters: Mandated by nearly every framework and most contracts.
Electronic Protected Health Information — any individually identifiable health information in electronic form.
Why it matters: The data class regulated by the HIPAA Security Rule.
Documentation proving a control operated as designed during the audit period.
Why it matters: The currency of audit work. No evidence = control failure regardless of reality.
A documented, time-bound deviation from a policy or control with compensating measures.
Why it matters: Formalizes 'we can't comply yet' into managed risk.
An audit performed by an independent third party (vs. internal audit).
Why it matters: Required for SOC 2, ISO 27001 certification, FedRAMP.
Federal Contract Information — info not for public release generated for or provided under a federal contract.
Why it matters: Drives CMMC Level 1 scope.
U.S. government program standardizing security assessment for cloud services used by federal agencies.
Why it matters: Required to sell cloud services to U.S. federal agencies.
An auditor's documented observation that a control failed or is deficient.
Why it matters: Findings drive remediation work and can lead to qualified opinions.
A structured set of guidelines for managing security or compliance (e.g., NIST CSF, ISO 27001).
Why it matters: Provides shared vocabulary and scope.
General Data Protection Regulation — EU regulation governing the processing of personal data.
Why it matters: Applies extraterritorially; fines up to 4% of global turnover.
The structures, roles, and policies that direct and control an organization's security program.
Why it matters: The 'G' in GRC and now a top-level CSF 2.0 Function.
Reducing a system's attack surface through configuration changes.
Why it matters: Operationalizes baselines like CIS Benchmarks.
Health Insurance Portability and Accountability Act — U.S. law governing protected health information.
Why it matters: Dominant framework for U.S. healthcare GRC.
An event that compromises or threatens to compromise the CIA of information.
Why it matters: Triggers IR plan, communications, and post-incident review.
A documented system of policies, processes, and procedures for managing information security risks, per ISO 27001.
Why it matters: The thing that gets certified in ISO 27001.
Inherent = risk with no controls; Residual = risk remaining after controls.
Why it matters: Control effectiveness is the gap between the two.
Independent assurance activity performed by employees of the organization.
Why it matters: Catches issues before external auditors do.
International standard for an Information Security Management System (ISMS).
Why it matters: Most widely recognized international security certification.
IT General Controls — foundational controls (access, change, ops) tested for financial-statement audits.
Why it matters: Heart of SOX IT audits; overlaps heavily with SOC 1.
A measurable value showing how effectively an objective is being met.
Why it matters: Drives metrics reporting to leadership.
A measurable signal that risk exposure is increasing.
Why it matters: Early warning for board-level risk reporting.
Granting only the minimum access needed to perform a job function.
Why it matters: Cited in almost every access-related framework requirement.
Generating and retaining records of system and user activity.
Why it matters: Foundation of detection, forensics, and most compliance audit trails.
A deficiency severe enough that a material misstatement may not be prevented or detected.
Why it matters: Most serious audit conclusion; usually triggers public disclosure for SOX.
Multi-Factor Authentication — requires two or more independent factors.
Why it matters: Highest-impact, lowest-cost preventive control.
NIST Cybersecurity Framework — voluntary framework with six Functions.
Why it matters: Most widely adopted umbrella framework in industry.
NIST Risk Management Framework — seven-step process for managing federal system risk.
Why it matters: Backbone of FedRAMP, FISMA, DoD RMF.
Catalog of security and privacy controls for federal systems.
Why it matters: The control catalog NIST RMF selects from.
110 controls for protecting Controlled Unclassified Information (CUI) in non-federal systems.
Why it matters: Foundation of CMMC Level 2.
ISO 27001 term for a failure to meet a requirement; can be major or minor.
Why it matters: Majors can block certification.
Provided By Client — the list of documents/evidence an auditor requests.
Why it matters: Your audit project plan revolves around the PBC.
Payment Card Industry Data Security Standard — protects cardholder data.
Why it matters: Mandatory for any org handling card data; card brands enforce.
Plan of Action and Milestones — the running list of open weaknesses and remediation plans for a federal system.
Why it matters: Required for ATO maintenance; reviewed continuously.
High-level statement of management intent; the 'must' at the top of the documentation hierarchy.
Why it matters: Sets the floor for control expectations.
A control that stops an event from happening.
Why it matters: One leg of the prevent/detect/correct triad.
The rights and expectations of individuals over the collection, use, and disclosure of their personal information.
Why it matters: Distinct from security: you can be secure and still violate privacy.
Step-by-step instructions implementing a standard.
Why it matters: Where 'we said we'd do this' becomes 'here's how we actually do it.'
Auditor authorized by the PCI SSC to perform PCI DSS Reports on Compliance.
Why it matters: Required for Level 1 merchants and many service providers.
Responsibility matrix: Responsible, Accountable, Consulted, Informed.
Why it matters: Clarifies who does what for a control or process.
Role-Based Access Control — access rights granted based on roles, not individuals.
Why it matters: Most common access model in enterprises.
Maximum acceptable data loss measured in time.
Why it matters: Drives backup frequency.
Maximum acceptable time to restore a service after disruption.
Why it matters: Drives DR architecture investment.
The effect of uncertainty on objectives, usually expressed as likelihood × impact.
Why it matters: The central object the GRC team manages.
Formal decision to tolerate a risk without further treatment.
Why it matters: Must be approved by someone with the authority to accept that level of risk.
The amount of risk an organization is willing to pursue or retain.
Why it matters: Sets the boundary between 'accept' and 'treat.'
The catalog of identified risks with ratings, owners, treatments, and status.
Why it matters: Single source of truth for risk management.
The decision and actions to address a risk: treat, transfer, tolerate, terminate.
Why it matters: Every risk needs an explicit treatment decision.
Record of Processing Activities — GDPR Article 30 register of all personal data processing.
Why it matters: First thing a regulator asks for.
AICPA attestation reports: SOC 1 for financial-reporting controls, SOC 2 for Trust Services Criteria, SOC 3 for public-use security marketing.
Why it matters: Most B2B SaaS deals reference SOC 2.
Sarbanes-Oxley Act — U.S. law requiring public companies to maintain effective internal controls over financial reporting.
Why it matters: Drives ITGC testing in public companies.
Mandatory rules implementing a policy (e.g., 'all admin access must use phishing-resistant MFA').
Why it matters: Bridges policy intent and operational procedure.
ISO 27001 document listing every Annex A control with applicability and justification.
Why it matters: Central artifact reviewed in every ISO 27001 audit.
Master document describing a system and how each control is implemented; required for NIST RMF and CMMC.
Why it matters: The single document an assessor reads first.
Discussion-based exercise walking through response to a hypothetical scenario.
Why it matters: Cheap, frequent, surfaces gaps in plans and roles.
A potential cause of an unwanted incident.
Why it matters: Half of the threat × vulnerability calculation.
Information about adversaries' tactics, techniques, and indicators.
Why it matters: Informs risk scoring and detection engineering.
The five SOC 2 categories: Security, Availability, Processing Integrity, Confidentiality, Privacy.
Why it matters: What every SOC 2 control maps to.
Risk introduced by third parties that process data or provide services.
Why it matters: Many breaches originate with vendors; customers expect TPRM programs.
A weakness that a threat can exploit.
Why it matters: Risk = threat × vulnerability × impact.
Auditor's session with a control owner to understand how a control is performed.
Why it matters: Sets the auditor's expectations for evidence; usually precedes testing.