Application Penetration Testing: A penetration test, colloquially known as a pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
Application Security: Application security (AppSec for short) includes all tasks that introduce a secure software development life cycle to development teams. Its final goal is to improve security practices and, through that, to find, fix and preferably prevent security issues within applications.
BCMS: A Business Continuity Management System (BCMS) is a framework for identifying potential threats to an organisation, assessing the impact of those threats, and developing and implementing a plan to ensure that critical business functions can continue in the event of a disruption.
Bring Your Own Device (BYOD): BYOD, short for "bring your own device", refers to corporate IT policy that determines when and how employees, contractors, and other authorized end users can use their own laptops, smartphones and other personal devices on the company network to access corporate data and perform their job duties.
Business Continuity: Business continuity is having a plan to deal with everything from minor incidents through to major disruption, such as cyber attacks, floods, and supply chain failures.
Capability Maturity Model (CMM): The Capability Maturity Model (CMM) is a methodology used to develop and refine an organization's software development process.
Common Vulnerability Scoring System (CVSS): The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.
Common Weakness Risk Analysis Framework (CWRAF): The Common Weakness Risk Analysis Framework (CWRAF) is a framework for scoring software weaknesses in a consistent, flexible, open manner, while accommodating context for the various business domains.
Common Weakness Scoring System (CWSS): The Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner.
Cyber Essentials: The Cyber Essentials scheme, developed by the UK government, provides a simple and affordable approach to cyber security. It outlines five basic security controls that protect organisations from around 80% of common cyber attacks. The certification process is designed to help organisations of any size demonstrate their commitment to cyber security.
Cyber Essentials Plus: Cyber Essentials Plus (CE+) includes an external vulnerability assessment, an internal scan and an on-site assessment. It offers more in-depth testing and therefore stronger assurances of security. CE+ carries across all elements of Cyber Essentials, including a technical audit of your systems to verify that the Cyber Essentials recommended controls are in place.
Cyber Security: Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Also known as information technology (IT) security, cybersecurity measures are designed to combat threats against networked systems and applications, whether those threats originate from inside or outside of an organization.
Cyber Security Awareness: Cyber security awareness refers to how much end users know about the cyber security threats their business faces, the risks they themselves introduce, and the security best practices that should guide their behaviour.
Cyber Security Incident: A cybersecurity event that has been determined to have an impact on the organization, prompting the need for response and recovery.
Cyber Security Posture: The security status of an enterprise's networks, information, and systems, based on the information security resources (e.g. people, hardware, software, policies) and capabilities in place to manage the defence of the enterprise and to react as the situation changes.
Cyber Security Roadmap: A Cyber Security Roadmap (CSR) identifies and plans the delivery timeline and priorities against the risks identified in the Cyber Security Posture Review (CSPR), to ensure you can deliver a secure environment whilst progressing towards cyber maturity.
Cyberattack: Cyberattacks are unwelcome attempts to steal, expose, alter, disable or destroy information through unauthorized access to computer systems.
Disaster Recovery: Disaster recovery is the process of maintaining or re-establishing vital infrastructure and systems following a natural or human-induced disaster, such as a storm or battle. It employs policies, tools, and procedures.
EMS: An Environmental Management System (EMS) provides a framework that helps organisations identify and manage their environmental impacts and improve their environmental performance.
Ethical Hacker: An ethical hacker is a hacker who tests the security of a system with the knowledge and consent of the owner or developer, in order to evaluate the environment, application or service, without malicious intent.
GDPR: The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in and outside of the European Union (EU). Approved in 2016, the GDPR went into full effect two years later. Its aim is to give consumers control over their own personal data by holding companies responsible for the way they handle and treat this information.
Hacker: A hacker is someone (or something) that gets into other people's computer systems without permission in order to find out information or to do something illegal or malicious.
Integrated Management System: An Integrated Management System integrates multiple ISO standards so that they can be managed more efficiently. Many of the procedures involved in different ISO standards are identical, so if multiple standards are managed separately the work is duplicated, especially during management review meetings and document control work.
Internal Auditor: An internal auditor is a person inside the organization who assesses the organization's efficiency, as measured by the level of its quality and risk management systems and its overall business practices, against one or more ISO standards.
IRCA: IRCA (International Register of Certificated Auditors) registers qualified auditors and consultants who possess extensive knowledge and expertise in ISO standards. Their rigorous training and assessment equip them with a deep understanding of the requirements, methodologies, and best practices associated with ISO standards.
ISMS: An Information Security Management System describes and demonstrates your organisation's approach to information security and privacy. It will help you identify and address the threats and opportunities around your valuable information and any related assets.
ISO: ISO (International Organisation for Standardisation) is an independent, non-governmental, international organisation that develops standards to ensure the quality, safety, and efficiency of products, services, and systems.
ISO 13485: ISO 13485 is an international standard that outlines requirements for a quality management system (QMS) specifically designed for medical device manufacturers and related service providers. It specifies the requirements for a QMS throughout the entire life cycle of a medical device, from design and development to production, installation, and servicing.
ISO 14001: ISO 14001 is an internationally recognised standard for environmental management systems (EMS). It provides a framework that helps organisations identify and manage their environmental impacts and improve their environmental performance. The standard is applicable to organisations of all sizes and types, can be used in any industry, and can be integrated with other management systems, such as ISO 9001 for quality and ISO 45001 for health and safety.
ISO 20000: ISO 20000 is an international standard that provides guidelines for implementing an Information Technology Service Management (ITSM) system within an organisation. The standard outlines best practices for managing IT services, including the planning, design, delivery, and improvement of services, and ensuring that they meet the needs of the organisation and its customers.
ISO 22000: ISO 22000 is an international standard that outlines requirements for a Food Safety Management System (FSMS). It specifies the requirements for an organisation in the food industry to ensure food safety throughout the entire food supply chain, from farm to table.
ISO 22301: ISO 22301 is an international standard that provides a framework for Business Continuity Management (BCM). The standard outlines best practices for identifying potential threats to an organisation, assessing the impact of those threats, and developing and implementing a plan to ensure that critical business functions can continue in the event of a disruption.
ISO 27001: ISO 27001:2022 is a standard for Information Security Management Systems (ISMS) developed by the International Organisation for Standardisation (ISO). It provides a framework for establishing, implementing, maintaining, and continually improving an organisation's information security management system.
ISO 27701: ISO 27701 is a privacy extension to the international standard ISO/IEC 27001, which provides guidelines for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO 27701 provides a framework for organisations to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS) based on ISO/IEC 27001.
ISO 45001: ISO 45001 is a globally recognized standard for occupational health and safety (OH&S) management systems. It provides a framework for organizations to manage and improve their OH&S performance and to prevent work-related injuries, ill health, and fatalities.
ISO 50001: ISO 50001 is a global standard for energy management systems (EnMS) that was first published in 2011. It provides a framework for organisations of all sizes and industries to establish, implement, maintain and improve energy management systems, and to continually improve their energy performance. The standard aims to help organisations reduce their energy consumption, improve their energy efficiency, and lower their greenhouse gas emissions.
ISO 9001: ISO 9001 is a standard for quality management systems (QMS) developed by the International Organisation for Standardisation (ISO). It specifies the requirements for an organisation's QMS, including its processes and procedures, to ensure that its products or services consistently meet customer and regulatory requirements.
ISO Accreditation: ISO accreditation is the formal recognition by an independent body, generally known as an accreditation body, that a company operates according to international standards.
ISO Audit: An ISO audit is an audit of your organization's compliance with an ISO standard put forward by the International Organization for Standardization (ISO).
ISO Auditor Training: This training course will enable you to develop your action plans and be confident in sampling key documents and records. Throughout the day there will be interactive presentations, workshops, and role-play exercises. Our comprehensive course explains auditing principles with a practical approach to auditing and looks at specific examples and case studies. Course material is provided, with a CPD certificate upon completion.
ISO Certification Body: An ISO certification body is an independent body that provides written assurance (a certificate) that the product, service or system in question meets specific requirements.
ISO Certification: ISO certification certifies that a management system, manufacturing process, service, or documentation procedure meets all the requirements for standardisation and quality assurance as defined by ISO (International Organisation for Standardisation).
ISO Consultancy: The delivery of services to help businesses achieve their required ISO certification.
ISO GAP Analysis: A gap analysis is an assessment of your current system against the requirements of the standard. The gap analysis identifies areas where your system does not meet the requirements, and it is usually conducted as part of a process for assessing the readiness of your business's system for certification.
ISO Independent Certification: Independent certification, offered by bodies that are not UKAS-accredited, assesses an organization's compliance with the required ISO standard.
ISO Management System: A management system is the way in which an organization manages the interrelated parts of its business in order to achieve its objectives. These objectives can relate to a number of different topics, including product or service quality, operational efficiency, environmental performance, health and safety in the workplace, and many more.
ISO Pre Audit: This audit would take place prior to the full system audit undertaken by your chosen Certification Body. It would highlight areas in which an organisation may be non-compliant with its own requirements or those of the ISO management system standard.
Leaked Credentials: When an organisation's details, such as email addresses and passwords, are shared on the dark web.
National Cyber Security Centre (NCSC): The NCSC acts as a bridge between industry and government, providing a unified source of advice, guidance and support on cyber security, including the management of cyber security incidents.
Network Penetration Testing: Network penetration testing simulates the processes threat actors can use to attack a business network, business website, network applications, and connected devices. The goal is to uncover security issues before threat actors find and exploit them.
NIST: The NIST Cybersecurity Framework provides comprehensive guidance and best practices that private sector organizations can follow to improve information security and cybersecurity risk management.
OHS: Occupational health and safety (OHS) is a practice that deals with the safety, health, welfare and wellbeing of people when they are at work.
Open Source Intelligence (OSINT): Open source intelligence (OSINT) is the act of gathering and analyzing publicly available data for intelligence purposes.
PCI DSS: The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data.
Penetration Testing: Penetration testing, also called pen testing, is a cyberattack simulation launched against your computer system. The simulation helps discover points of exploitation and tests IT breach security. By doing consistent pen testing, businesses can obtain expert, unbiased third-party feedback on their security processes.
Phishing Attack: Phishing attacks are fraudulent emails, text messages, phone calls or web sites designed to trick users into downloading malware or sharing sensitive information or personal data (e.g. Social Security and credit card numbers, bank account numbers, login credentials).
Pre-Audit: See ISO Pre Audit above.
QMS: A Quality Management System, often called a QMS, is a set of internal rules defined by a collection of policies, processes, documented procedures, and records. This system defines how a company will achieve the creation and delivery of the products and services it provides to its customers.
Ransomware: Ransomware is a type of malware (malicious software) that locks a victim's data or device and threatens to keep it locked, or worse, unless the victim pays a ransom to the attacker.
Risk Management: Risk management is the process of identifying, assessing and controlling financial, legal, strategic and security risks to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters.
SIEM: Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations. SIEM, pronounced "sim", combines both security information management (SIM) and security event management (SEM) into one security management system.
Third Party Risk Management: Third-party risk management (TPRM) is a form of risk management that focuses on identifying and reducing risks relating to the use of third parties (sometimes referred to as vendors, suppliers, partners, contractors, or service providers).
Threat Analysis: Threat analysis is a cybersecurity strategy that aims to assess an organization's security protocols, processes and procedures in order to identify threats and vulnerabilities, and even to gather knowledge of a potential attack before it happens.
Threat Management: Threat management is a process used by cybersecurity professionals to prevent cyberattacks, detect cyber threats and respond to security incidents. It matters because most security teams face information fragmentation, which can lead to blind spots in security operations.
TPRM: See Third Party Risk Management above.
UKAS: The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the United Kingdom, appointed by government to assess organisations that provide certification, testing, inspection and calibration services.
UKAS Certification: UKAS accreditation determines the technical competence, reliability and integrity of Conformity Assessment Bodies. It spans all aspects of our everyday lives, providing confidence that accredited organisations are competent and can be trusted to deliver the promised levels of performance and protection for the products and services we rely on.
Virtual Chief Information Security Officer (vCISO): The vCISO provides flexible, on-demand access to the capabilities required to combat present cyber security threats and proactively plan for future ones.
Virtual Data Protection Officer (vDPO): The vDPO provides flexible, on-demand access to capabilities that empower organizations to oversee and direct activities related to data protection. Ensuring regulatory compliance and safeguarding the privacy of personnel, customers, and third parties are critical responsibilities.
Vulnerability Assessment: A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
All Rights Reserved | Cyber Consultancy Services (CCS)