
Cybersecurity, ISO 27001, NIS2 & GRC glossary

100 clear, verified definitions of the key terms in cybersecurity, governance, compliance and risk management. A reference resource by NagaShield Security.

Governance & cybersecurity

Cybersecurity
The set of technical, organisational and human measures aimed at protecting information systems against cyberattacks and preserving the confidentiality, integrity and availability of data.
CISO
Chief Information Security Officer: the executive responsible for defining and steering an organisation's cybersecurity strategy.
Outsourced CISO (vCISO)
A CISO provided on a part-time basis by an external firm, steering cybersecurity governance without a full-time internal hire. Suited to SMBs, mid-caps and startups.
CIA triad
Three core properties of information security: Confidentiality (access restricted to authorised parties), Integrity (accurate, unaltered data) and Availability (access when needed).
Information Security Policy
Framework document setting out an organisation's security rules, responsibilities and objectives.
Attack surface
The set of points through which an attacker may attempt to enter or extract data from a system. Reducing the attack surface is a key goal of hardening.
Defence in depth
A security strategy layering several independent protections so that the failure of one layer does not expose the whole system.
Zero Trust
A security model based on "never trust, always verify": every access is authenticated and authorised, whether it originates inside or outside the network.
ANSSI
The French national cybersecurity agency, which issues guides, frameworks and recommendations.
SOC
Security Operations Center: the team and platform providing continuous monitoring, detection and response to security incidents.
SIEM
Security Information and Event Management: a solution that collects and correlates logs from many sources to detect security incidents.
EDR
Endpoint Detection and Response: a solution for detecting and responding to threats on workstations and servers (endpoints).
MFA
Multi-Factor Authentication: a mechanism requiring at least two distinct proofs of identity to log in, sharply reducing the risk of account compromise.
IAM
Identity and Access Management: managing identities and access so each user holds appropriate rights (least-privilege principle).
PAM
Privileged Access Management: managing and securing privileged (administrator) accounts, which are prime targets for attackers.
Phishing
An attack technique impersonating a trusted party to trick a victim into disclosing information or performing a malicious action.
Ransomware
Malware that encrypts a victim's data and demands a ransom for the decryption key. Modern variants usually also exfiltrate data and threaten to publish it (double extortion). Consistently ranked among the top threats to businesses.
Penetration test (pentest)
An authorised simulated attack assessing the real robustness of defences and demonstrating the actual impact of exploitable flaws.
CVE
Common Vulnerabilities and Exposures: a standardised identifier assigned to a publicly known security vulnerability.
CVSS
Common Vulnerability Scoring System: a method for rating the severity of a vulnerability on a 0–10 scale. The Base score measures intrinsic severity, not the likelihood of exploitation, so it is best combined with exploitability and asset-context data when prioritising patches.

ISO 27001 & ISMS

ISO/IEC 27001
The leading international standard defining the requirements for an Information Security Management System (ISMS). The current version is ISO/IEC 27001:2022.
ISMS
Information Security Management System: a continuous-improvement framework for managing security risks, at the heart of ISO 27001.
ISO/IEC 27002
A companion standard to ISO 27001 providing best-practice guidance for implementing security controls.
Annex A
The ISO 27001 list of security controls: 93 controls (2022 version) across 4 themes — organisational, people, physical and technological.
Statement of Applicability (SoA)
A document listing which Annex A controls are included or excluded, with justification. A cornerstone of the ISO 27001 audit.
Risk assessment
The process of identifying, evaluating and prioritising risks to information assets, required by ISO 27001.
Risk treatment plan
A document defining how each identified risk will be handled: reduced, transferred, avoided or accepted.
Residual risk
The level of risk remaining after security measures are applied, which must be formally accepted by management.
Certification audit
A two-stage audit by an accredited certification body (Stage 1: documentation review; Stage 2: on-site audit of the ISMS in operation) to grant ISO 27001 certification, valid for 3 years.
Surveillance audit
An annual post-certification audit checking that the ISMS is maintained and effective.
Nonconformity
A gap between a requirement (standard, policy) and the actual situation. A major nonconformity can block certification.
PDCA
Plan-Do-Check-Act (Deming cycle): the continuous-improvement loop that structures an ISO 27001 ISMS.

NIS2 & regulatory

NIS2
Directive (EU) 2022/2555, strengthening and broadening cybersecurity requirements for organisations across 18 critical sectors (11 sectors of high criticality in Annex I, 7 other critical sectors in Annex II). Successor to the 2016 NIS directive.
Essential entity
NIS2 category for organisations in highly critical sectors, subject to proactive supervision by authorities.
Important entity
NIS2 category subject to reactive supervision (triggered by an incident or report), with obligations similar to essential entities.
Incident notification
NIS2 obligation to report a significant incident to the competent authority or CSIRT: early warning within 24 hours of becoming aware of it, full incident notification within 72 hours, final report within one month.
Supply chain security
The obligation to manage cyber risks from suppliers and subcontractors, a requirement reinforced by NIS2.
GDPR
General Data Protection Regulation (Regulation (EU) 2016/679): governs the processing of personal data of individuals in the EU, wherever the organisation processing it is established.
DPIA
Data Protection Impact Assessment: a mandatory assessment for processing that presents a high risk to individuals’ rights.
DPO
Data Protection Officer: the person responsible for overseeing an organisation's GDPR compliance.
DORA
Digital Operational Resilience Act (Regulation (EU) 2022/2554): an EU regulation on the digital operational resilience of the financial sector and of its critical ICT third-party providers.

GRC & risk management

GRC
Governance, Risk, Compliance: an integrated approach aligning governance, risk management and compliance to steer security as a strategic lever.
Governance
The set of decision-making, accountability and steering processes defining who decides what, and how, regarding security.
Risk management
The continuous process of identifying, assessing, treating and monitoring risks to the organisation.
EBIOS Risk Manager
A French digital-risk analysis and management method published by ANSSI, based on a threat-scenario approach.
Risk appetite
The level of risk an organisation is willing to accept in pursuit of its objectives.
Compliance
Adherence to applicable legal, regulatory and contractual obligations (GDPR, NIS2, ISO 27001, sector-specific requirements).
KPI / KRI
Key Performance Indicator and Key Risk Indicator: metrics for steering security performance and risk, reported to management.
BCP / DRP
Business Continuity Plan and Disaster Recovery Plan: arrangements ensuring critical activities continue or resume after a major incident.
Incident response
The set of procedures for detecting, analysing, containing, eradicating and recovering from a security incident.
Asset mapping
A structured inventory of information assets (data, systems, access) classified by criticality — the starting point of any risk assessment.
Security awareness
Activities building employees’ vigilance and good reflexes against cyber threats, the human factor remaining a major risk.
Cyber insurance
Insurance covering some or all of the financial consequences of a cyber incident, often requiring a minimum maturity level to subscribe.

Threats & attacks

Malware
A generic term for any program designed to cause harm (virus, worm, trojan, ransomware, spyware).
Trojan
Malware disguised as legitimate software to trick the victim into running it, then opening a door for the attacker.
Spyware
Software that secretly collects information about a user or organisation without their knowledge.
DDoS
Distributed Denial of Service: flooding a service with massive traffic or request volumes from many sources at once (typically a botnet of compromised machines) to make it unavailable.
Brute force
An attack that systematically tries many password combinations until the correct one is found.
Credential stuffing
Automated replay of username/password pairs leaked in earlier breaches against other services, succeeding wherever the victim reused the same password. Largely defeated by MFA and by checking new passwords against known-breach lists.
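As an added example (not part of the NagaShield glossary), the detection logic a SOC would run over authentication logs to tell the two patterns above apart: a brute-force source hammers one account, a credential-stuffing source fails once against many accounts, and a stuffing source that then succeeds deserves escalation. The log format, the IP addresses and the thresholds are constructed for this illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed, minimal authentication log format used only in this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(minutes=5)   # assumed sliding detection window
BRUTE_FORCE_FAILS = 10          # failures against ONE account from one source IP within WINDOW
STUFFING_ACCOUNTS = 5           # DISTINCT accounts failing from one source IP within WINDOW


def parse(lines):
    """Yield (timestamp, ip, user, result) for well-formed lines and skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["ip"], m["user"], m["result"]


def detect(lines):
    """Return a sorted list of (alert_type, source_ip) pairs.

    brute_force         : one account hammered with many failures from one IP
    credential_stuffing : one IP fails against many different accounts (breach-list replay)
    stuffing_success    : a stuffing source also achieved at least one successful login
    """
    failures = defaultdict(list)   # ip -> [(ts, user)] in time order
    successes = set()              # ips with at least one OK
    for ts, ip, user, result in sorted(parse(lines)):
        if result == "FAIL":
            failures[ip].append((ts, user))
        else:
            successes.add(ip)

    alerts = set()
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # slide the window so that fails[start:end+1] spans at most WINDOW
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if max(per_user.values()) >= BRUTE_FORCE_FAILS:
                alerts.add(("brute_force", ip))
            if len(per_user) >= STUFFING_ACCOUNTS:
                alerts.add(("credential_stuffing", ip))
                if ip in successes:
                    alerts.add(("stuffing_success", ip))
    return sorted(alerts)


def _stamp(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def sample_log():
    """Constructed sample: one brute-force source, one stuffing source, one legitimate user."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 203.0.113.7 hits the single account 'alice' twelve times in one minute
    for i in range(12):
        lines.append(f"{_stamp(base + timedelta(seconds=5 * i))} login src=203.0.113.7 user=alice result=FAIL")
    # 198.51.100.9 tries six different accounts once each, then logs in as a seventh
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"{_stamp(base + timedelta(seconds=30 * i))} login src=198.51.100.9 user={user} result=FAIL")
    lines.append(f"{_stamp(base + timedelta(minutes=4))} login src=198.51.100.9 user=grace result=OK")
    # 192.0.2.20 is a normal user who mistypes once
    lines.append(f"{_stamp(base)} login src=192.0.2.20 user=heidi result=FAIL")
    lines.append(f"{_stamp(base + timedelta(seconds=20))} login src=192.0.2.20 user=heidi result=OK")
    return lines


if __name__ == "__main__":
    for alert_type, ip in detect(sample_log()):
        print(f"{alert_type:20s} {ip}")
```

The thresholds are deliberately per source IP; real stuffing campaigns spread attempts across many IPs, so in production the same counters are also kept per account and per ASN, and a success following a burst of failures is the signal to force a password reset and MFA re-enrolment.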
SQL injection
A flaw where user-controlled input is concatenated into an SQL statement, letting an attacker inject commands that read or alter the database. Prevented by parameterised (prepared) queries rather than by filtering input.
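As an added example (not the glossary's own code), the vulnerable query beside its parameterised form, run against an in-memory SQLite database with constructed sample rows. The two payloads are the classic ones: a tautology that bypasses the WHERE clause, and a UNION that pulls a column the query was never meant to return.

```python
import sqlite3


def make_db():
    """In-memory database with a constructed users table (sample data for this example only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "h_alice", "admin"), ("bob", "h_bob", "user"), ("carol", "h_carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """VULNERABLE: the caller's input is pasted into the SQL text, so a quote in the input
    ends the string literal and whatever follows is parsed as SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text, so it is only
    ever compared as data and can never change the statement's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology; the second appends
# a UNION that reads the password hashes and comments out the trailing quote with "--".
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable / tautology :", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable / union     :", lookup_vulnerable(db, UNION_DUMP))
    print("safe / tautology       :", lookup_safe(db, TAUTOLOGY))
    print("safe / union           :", lookup_safe(db, UNION_DUMP))
    print("safe / real user       :", lookup_safe(db, "alice"))
```

The safe version returns no rows for either payload because the driver compares the whole string, quotes and all, against the username column; no amount of input "filtering" gives the same guarantee.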
XSS
Cross-Site Scripting: injecting script (usually JavaScript) into a web page so that it executes in other users' browsers, in the page's security context. Prevented by context-aware output encoding, with a Content Security Policy as a second layer.
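As an added example (not part of the original page), a server-side template that renders a stored comment unescaped next to two correctly encoded versions. The point a practitioner needs is that the encoder depends on where the value lands: HTML entity encoding for an HTML body or attribute, a JSON/JS string literal for a value placed inside a script. The payloads and the showComment() function name are constructed for the illustration.

```python
import html
import json


def render_vulnerable(comment):
    """VULNERABLE: the comment is interpolated into HTML as-is, so any tags or script in it
    run in every browser that loads the page (stored XSS)."""
    return f'<p class="comment">{comment}</p>'


def render_safe(comment):
    """HTML body context: encode the significant characters so the browser displays the text
    instead of parsing it. quote=True also makes the result safe inside quoted attributes."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_js_safe(comment):
    """JavaScript string context: html.escape is the wrong encoder here. json.dumps produces a
    valid JS string literal; '<' is additionally encoded so that a '</script>' inside the
    value cannot terminate the enclosing script element."""
    literal = json.dumps(comment).replace("<", "\\u003c")
    return f"<script>showComment({literal});</script>"


# Constructed payloads for the two contexts.
HTML_PAYLOAD = "<script>alert(document.cookie)</script>"
JS_PAYLOAD = "</script><script>alert(1)</script>"


def is_neutralised(rendered, payload):
    """True when the raw payload no longer appears verbatim in the rendered output."""
    return payload not in rendered


if __name__ == "__main__":
    print(render_vulnerable(HTML_PAYLOAD))
    print(render_safe(HTML_PAYLOAD))
    print(render_js_safe(JS_PAYLOAD))
```

Modern template engines (Jinja2 with autoescape, React, etc.) do the HTML-context encoding by default; the bugs that survive are usually values dropped into a script block, an inline event handler or a URL, where the default encoder is not the right one.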
Zero-day
A vulnerability unknown to the vendor with no patch available, hence especially dangerous when exploited.
Supply chain attack
Compromising a trusted supplier or software component to indirectly reach its customers.
Social engineering
Psychological manipulation of a person to get them to disclose information or act against security.
Man-in-the-Middle (MITM)
An attack where the adversary intercepts or alters a communication between two parties without their knowledge.

Cloud & infrastructure

Cloud security
The set of practices and controls protecting data, applications and infrastructure hosted in the cloud (AWS, Azure, GCP).
IaaS / PaaS / SaaS
Three cloud service models: Infrastructure, Platform and Software as a Service, with decreasing management on the customer side.
Shared responsibility model
Cloud principle splitting security responsibilities between the provider (security of the cloud) and the customer (security in the cloud).
CSPM
Cloud Security Posture Management: tools detecting misconfigurations and non-compliance in cloud environments.
CASB
Cloud Access Security Broker: an intermediary enforcing security policies between users and cloud services.
Container / Docker
An isolated software unit packaging an application and its dependencies; Docker is the most common implementation. Containers share the host kernel, so their isolation is weaker than a virtual machine's and depends on the host's hardening.
Kubernetes
A platform for orchestrating containers at scale, whose hardening (RBAC, secrets, network) is a key concern.
WAF
Web Application Firewall: a firewall filtering HTTP traffic to block web attacks (injection, XSS, etc.).
Network segmentation
Dividing a network into isolated zones to limit attack propagation and enforce least privilege.
Patch management
The process of regularly deploying security updates to fix known vulnerabilities.

Cryptography & data protection

Encryption
Transforming data into an unreadable format without the decryption key, ensuring its confidentiality.
End-to-end encryption (E2EE)
Encryption where only the sender and recipient can read the message; even the service provider cannot access it.
TLS / SSL
Protocols encrypting network communications (HTTPS). TLS 1.2 and 1.3 are the versions still considered secure; SSL and TLS 1.0/1.1 are obsolete and should be disabled.
Hashing
An irreversible transformation of data into a fixed-size digest, used to verify integrity and to store passwords. For passwords the hash must be salted and deliberately slow (Argon2, bcrypt, scrypt or PBKDF2): a fast hash such as plain SHA-256 lets an attacker who steals the table test guesses very cheaply.
PKI
Public Key Infrastructure: the set of components managing keys and digital certificates to authenticate and encrypt.
Pseudonymisation
Processing personal data so it can no longer be attributed to a person without additional information (a GDPR concept).
Anonymisation
Processing that makes re-identifying a person impossible; anonymised data falls outside the scope of the GDPR.
DLP
Data Loss Prevention: technologies preventing the leakage or exfiltration of sensitive data outside the organisation.
Backup (3-2-1 rule)
Backup best practice: 3 copies of data, on 2 different media, with 1 off-site. At least one copy should be offline or immutable so ransomware that reaches the production network cannot encrypt the backups too, and restores should be tested regularly.

Detection & response

XDR
Extended Detection and Response: an approach unifying detection and response across endpoints, network, cloud and email.
SOAR
Security Orchestration, Automation and Response: automating incident responses through playbooks.
Threat intelligence
The collection and analysis of information on attackers, their techniques and indicators.
IOC
Indicator of Compromise: a technical artefact (IP, hash, domain) signalling a potential compromise.
Threat hunting
Proactively searching for threats already present in the information system, beyond automated alerts.
MITRE ATT&CK
A global knowledge base cataloguing attacker tactics and techniques, used for detection and red teaming.
Digital forensics
The collection and analysis of evidence after an incident to understand its course and impact.
Honeypot
A deliberately exposed decoy to attract attackers, detect their techniques and divert them from real assets.

Sector compliance & controls

SOC 2
A US audit framework (AICPA) in which an independent auditor attests to a service provider's controls against the Trust Services Criteria (security, plus optionally availability, processing integrity, confidentiality and privacy). A Type I report covers control design at a point in time, a Type II their operating effectiveness over a period; widely requested from SaaS vendors.
PCI DSS
A data security standard for organisations handling payment card data.
HDS (Health Data Hosting)
A mandatory French certification for hosting personal health data.
Least privilege
The principle of granting each user or system only the rights strictly necessary for its function.
Segregation of duties
Splitting responsibilities across several people so no single actor can both commit and conceal fraud.
Security by Design
Building security into a product or system from the design stage rather than adding it afterwards.
Vulnerability management
The continuous process of identifying, assessing, prioritising and remediating vulnerabilities in the information system.
Hardening
Securely configuring a system to reduce its attack surface (disabling unnecessary services, accounts, ports).

Want to go further?

These concepts underpin any cybersecurity and compliance journey. NagaShield Security supports SMBs, mid-caps, startups and SaaS with hands-on delivery: ISO 27001, NIS2, outsourced CISO, audit and pentest.

A question about your cybersecurity?

Let's discuss your compliance and security stakes. First call free, no commitment.

Contact us