Glossary
GRC terminology, explained plainly
Compliance frameworks come with dense vocabulary. This glossary cuts through the jargon and gives you clear, practical definitions you can actually use.
Access Control
Policies and technologies determining who can access which resources under what conditions.
Asset Inventory
A maintained register of all assets an organization relies on. You cannot protect what you do not know you have.
Audit Trail
A chronological, immutable record of every action, proving who did what, when, and why.
Authenticity
The principle that information and communications are genuine and originate from the claimed source.
Availability
The principle that information and systems are accessible when needed by authorized users.
Change Management
A structured process for reviewing, approving, and implementing changes to prevent uncontrolled risk.
Compliance Audit
A formal external examination verifying that an organization meets framework or regulatory requirements.
Compliance Framework
A structured set of guidelines and controls to meet regulatory or industry security requirements.
Confidentiality
The principle that information is accessible only to those authorized to access it.
Control Effectiveness
A measure of how well a security control actually performs its intended function over time.
Control Objective
A statement describing what a control is intended to achieve, bridging policy intent to implementation.
DORA
The EU regulation for digital operational resilience in financial services, with strict ICT risk and reporting requirements.
Data Breach Notification
The legal obligation to inform authorities and individuals when a personal data breach occurs.
Data Processing Agreement (DPA)
A binding contract governing how personal data is handled when shared with a third-party processor.
ISMS (Information Security Management System)
A systematic approach to managing sensitive information through people, processes, and technology.
ISO 27001
The international standard for information security management systems. The most recognized security certification globally.
Incident Response
The organized approach to detecting, containing, and recovering from security incidents.
Information Classification
Categorizing information assets by sensitivity level to determine what protection each requires.
Integrity
The principle that information remains accurate, complete, and unaltered except by authorized actions.
Internal Audit
An independent assessment of your own operations, controls, and compliance posture.
Regulatory Compliance
Adhering to laws and government-mandated requirements. Unlike voluntary frameworks, this is not optional.
Remediation
Addressing and resolving identified security weaknesses, audit findings, or compliance gaps.
Residual Risk
The risk remaining after treatment measures, formally accepted by leadership as tolerable.
Risk Appetite
The level of risk an organization is willing to accept in pursuit of its objectives.
Risk Assessment
The structured process of identifying, analyzing, and evaluating risks to decide what treatment they need.
Risk Register
The central repository recording all identified risks with their assessments, treatments, and owners.
Risk Treatment
Selecting and implementing measures to modify a risk: mitigate, accept, transfer, or avoid.
SOC 2
The AICPA framework evaluating controls for security, availability, and confidentiality. The standard for SaaS providers.
Security Awareness Training
Educating employees to recognize, avoid, and report security threats targeting the human factor.
Segregation of Duties (SoD)
The principle that no single individual should control all phases of a critical process.
Statement of Applicability (SoA)
A document mapping every control in a framework to your organization, showing which apply and why.
TISAX
The automotive industry standard for information security, enabling mutual recognition across OEM supply chains.
Third-Party Risk Management
Identifying, assessing, and controlling risks introduced by external vendors and service providers.
Threat Modeling
A proactive approach to identifying potential threats, attack surfaces, and which threats warrant mitigation.