Compliance Glossary
Common terms, acronyms, and definitions used across our compliance frameworks.
| Term | Category | Definition |
|---|---|---|
| Acceptable Use Policy (AUP) | Governance | An Acceptable Use Policy (AUP) is a documented set of rules that defines how people may (and may not) use an organization’s systems, applications, networks, data, and digital services. Similar policies are commonly expected in information security management systems and cybersecurity programs (for example, ISO/IEC 27001-aligned ISMS programs and NIST-aligned security policies). It establishes clear expectations for employees, contractors, and other authorized users about secure, lawful, and ethical use of technology resources—covering topics like account use, device handling, internet and email activity, data access and sharing, software installation, and acceptable behavior on corporate platforms. In the context of ISO/IEC 42001 (an artificial intelligence management system standard), an AUP commonly extends to acceptable use of AI capabilities as well, including approved AI tools, permitted data types for prompts and uploads, restrictions on sensitive or regulated data, requirements to verify AI outputs before use, and safeguards against misuse such as generating harmful content, bypassing controls, or introducing data leakage. A strong AUP supports governance and risk management by reducing ambiguity, enabling consistent enforcement, and providing a basis for monitoring, training, incident response, and corrective action. It is often paired with user acknowledgement, role-based access controls, and exception handling so the organization can manage real-world needs without weakening security or compliance. |
| Access Control Policy | Security | An Access Control Policy is a formal set of rules that defines who (people, services, devices) can access which information and systems, under what conditions, and how that access is granted, changed, and removed. It translates security objectives—like least privilege and segregation of duties—into practical requirements for identity management, authentication, authorization, and ongoing oversight. A strong access control policy specifies access models (such as role-based or attribute-based access), how roles and permissions are designed and approved, and how privileged or administrative access is restricted and monitored. It also covers the full access lifecycle: onboarding and provisioning, access requests, approvals, periodic reviews, access changes due to job moves, and timely deprovisioning when access is no longer required. The policy typically includes rules for remote access, third-party access, service accounts, emergency or break-glass access, and access to sensitive environments (like production). It is a cornerstone governance document for demonstrating that access is controlled, auditable, and aligned to business need, reducing the risk of unauthorized access, data exposure, and operational disruption. |
| Access Control | Security | Access control is the set of mechanisms and rules that regulate who or what can view or use resources in a computing environment, so that only authorized individuals, devices, or systems can reach specific information or systems. It is a fundamental component of information security, preventing unauthorized access and protecting sensitive data. It encompasses user authentication (verifying an identity), authorization (deciding what an authenticated identity may do), and policies that define roles, privileges, and access levels. The term appears across data protection and compliance standards, including ISO/IEC 27001:2022, where access control requirements are used to manage access rights and protect information within organizations. |
| Appellate Tribunal | Enforcement | An appellate tribunal is a specialized quasi-judicial body established to hear and decide appeals against orders, directions, or penalties issued by a primary regulatory authority. It functions as an independent oversight mechanism that checks whether administrative decisions are legally sound and procedurally fair. In the data privacy context, the appellate tribunal in India and similar bodies elsewhere act as the first level of judicial review above the data protection regulator. They possess the powers of a civil court to summon witnesses, review evidence, and enforce attendance. Their authority extends to confirming, modifying, or setting aside regulatory orders, so that strict enforcement is balanced with the right to a fair hearing and due process before matters escalate to the higher judiciary. |
| Asset Management | Security | Asset management is the set of processes used to identify, record, control, and maintain an accurate inventory of information assets and the systems, services, and devices that store, process, or transmit them throughout their lifecycle. In an ISO/IEC 27001 context, effective asset management ensures you know what you have, who is responsible for it, how it is used, and what protections are required based on business criticality and information security needs. This commonly includes establishing an inventory with unique identifiers, assigning asset owners, defining acceptable use, and ensuring assets are returned or securely disposed of when no longer needed (e.g., Annex A controls such as 5.9 Inventory of information and other associated assets, 5.10 Acceptable use of information and other associated assets, and 5.11 Return of assets). Strong asset management supports risk assessment, incident response, access control, vulnerability management, and audit readiness by reducing blind spots like unmanaged endpoints, unknown cloud resources, or untracked SaaS accounts. Equivalent concepts appear across frameworks (e.g., the NIST Cybersecurity Framework's asset management outcomes, NIST SP 800-53 inventory-related controls, and CIS Controls for inventory and control of enterprise assets). |
| Audit | Governance | An audit is a planned, evidence-based review that checks whether an organization’s practices match defined requirements, policies, and objectives. In information security and compliance, an audit evaluates how well security controls are designed, implemented, and operating over time, using documented criteria (such as an information security management system, internal policies, contractual obligations, and generally accepted security standards). Audits are typically performed by trained, independent reviewers who gather objective evidence through interviews, observation, sampling, and record review. The output is an audit report that describes what was examined, what evidence was observed, and any findings—such as conformities, opportunities for improvement, or nonconformities (gaps) that require corrective action. Audits can be internal (conducted by the organization to validate readiness and continuously improve) or external (performed by a third party for assurance, certification, customer requirements, or regulatory expectations). A well-run audit is not a one-time “inspection”; it is part of an ongoing governance cycle that helps leadership understand risk, verify that controls are working as intended, and prioritize remediation. Effective audits use a defined scope, sampling approach, and clear criteria, and they follow up on findings to ensure issues are corrected and prevented from recurring. |
| Availability | Security | Availability is the property of information, systems, and services being accessible and usable when needed by authorized users and processes. In ISO/IEC 27001, availability is treated as a core information security objective (alongside confidentiality and integrity) and is achieved through risk-based planning, operational controls, and continual monitoring. Organizations define availability requirements (e.g., critical business processes, recovery time objectives (RTOs), and recovery point objectives (RPOs)), assess risks that could disrupt service (such as outages, capacity exhaustion, misconfigurations, supplier failures, or malicious activity), and implement controls to prevent, detect, respond to, and recover from disruptions. Common ISO/IEC 27001-aligned practices include redundancy and failover design, backups and restoration testing, change and release controls to reduce downtime, capacity and performance management, incident response and escalation, and business continuity and disaster recovery arrangements. Availability is often expressed through measurable targets (such as uptime percentages, service level objectives, and maximum tolerable downtime) and is validated through monitoring, testing, and post-incident reviews. Related frameworks describe the same goal using terms like resilience, continuity, and service reliability. |
| Awareness Training | Security | Awareness training is a structured, ongoing program that helps people understand information security risks, their responsibilities, and the safe behaviors expected in day-to-day work. It is designed to reduce human-error incidents (such as phishing clicks, password reuse, misdirected emails, unsafe file sharing, or mishandling sensitive data) by building practical habits and a shared security culture. Effective awareness training is risk-based and role-aware: everyone receives baseline education (acceptable use, reporting, data handling, password hygiene, social engineering, physical security, and secure remote work), while higher-risk roles receive deeper instruction aligned to their duties (e.g., administrators, developers, finance, HR, customer support). It typically includes a mix of onboarding modules, periodic refreshers, short reminders, and simulations or exercises, plus clear reporting paths for suspected incidents. To support audits and continuous improvement, organizations track completion, measure outcomes (like reporting rates and simulation results), document improvements, and update content when risks, systems, or policies change. |
| Behavioural Monitoring | Security | Behavioural monitoring in information security is the practice of tracking and analyzing user actions and system behavior to detect anomalies and potential security threats. It involves collecting activity such as login patterns, file access, and network traffic, establishing a baseline of what is typical for each user, device, or service, and alerting on deviations from that baseline (for example, a login at an unusual hour or from a new location, or bulk access to files that a role does not normally touch). This technique supports early detection of insider threats, data breaches, and unauthorized access, complementing signature-based controls that only catch known patterns. Because it processes data about identifiable people, it should be proportionate to the risk, documented, and communicated to users (typically through the acceptable use policy), and baselines need tuning to keep false positives manageable. In ISO/IEC 27001, behavioural monitoring supports the monitoring and incident detection controls, contributing to the effectiveness of an organization’s Information Security Management System (ISMS). |
| Blocking Order | Enforcement | A blocking order is a severe enforcement directive issued by a competent government authority requiring internet service providers, intermediaries, or content hosts to restrict public access to specific digital information or platforms. Often considered a measure of last resort, a website blocking order is typically triggered when an organization (data controller) repeatedly violates data protection regulations—such as incurring monetary penalties in multiple instances—and continues to operate in a manner detrimental to the public interest. Unlike routine compliance notices, this mechanism effectively cuts off the digital presence of the non-compliant entity within the jurisdiction. The process ensures that content blocking is not arbitrary; it generally requires a formal reference from the regulatory board, a demonstration that the action is necessary for the general public's interest, and adherence to due process. |
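The detection logic behind the Behavioural Monitoring entry above, as an added example that is not part of the glossary or of any product it references: it builds a per-user baseline of login hours and source countries from a constructed authentication log, then flags successful logins that deviate from that baseline (a country never seen before, a login outside the usual hours, two countries within an hour, or a user with no baseline at all). The log format, the 60-minute travel window, the one-hour slack, the baseline cut-off date and every event are invented for the illustration.

```python
"""Baseline-and-deviation detection over constructed login events.

Added illustration for the 'Behavioural Monitoring' glossary entry. The log
format, thresholds and events are invented for this example; they are not
taken from any product, standard or from the glossary itself.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): "<ISO-8601 UTC> <user> <src IP> <country> <outcome>"
SAMPLE_LOG = """
2024-03-04T08:55:12Z alice 203.0.113.10 DE success
2024-03-05T09:02:41Z alice 203.0.113.10 DE success
2024-03-06T08:47:03Z alice 203.0.113.11 DE success
2024-03-07T09:15:30Z alice 203.0.113.10 DE success
2024-03-04T09:10:00Z bob 198.51.100.7 US success
2024-03-05T10:22:18Z bob 198.51.100.7 US success
2024-03-06T09:58:44Z bob 198.51.100.9 US success
2024-03-11T03:10:00Z alice 203.0.113.10 DE failure
2024-03-11T03:12:09Z alice 203.0.113.10 DE success
2024-03-11T09:01:00Z bob 198.51.100.7 US success
2024-03-11T09:40:00Z bob 192.0.2.55 BR success
2024-03-11T11:00:00Z carol 192.0.2.80 FR success
2024-03-12T10:05:00Z bob 198.51.100.7 US success
"""

# Hypothetical thresholds: successes before BASELINE_END train the profile,
# later successes are evaluated against it.
BASELINE_END = datetime(2024, 3, 10, tzinfo=timezone.utc)
TRAVEL_WINDOW = timedelta(minutes=60)   # two countries closer than this is "impossible travel"
HOUR_SLACK = 1                           # hours either side of observed login hours still count as usual


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    outcome: str


def parse_log(text):
    """Parse the constructed log format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, outcome = line.split()
        # fromisoformat() accepts a "Z" suffix only on Python 3.11+, so normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(when, user, ip, country, outcome))
    return sorted(events, key=lambda e: e.ts)


def build_baselines(events):
    """Per-user profile of where (country) and when (UTC hour) successful logins normally happen."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e.ts < BASELINE_END and e.outcome == "success":
            profiles[e.user]["countries"].add(e.country)
            profiles[e.user]["hours"].add(e.ts.hour)
    return dict(profiles)


def detect(events, profiles):
    """Return (timestamp, user, rule) findings for post-baseline successes that deviate."""
    findings = []
    last_success = {}   # user -> most recent successful LoginEvent, across the whole log
    for e in events:
        if e.outcome != "success":
            continue   # failed attempts are out of scope for this baseline model
        if e.ts >= BASELINE_END:
            prof = profiles.get(e.user)
            if prof is None:
                findings.append((e.ts, e.user, "NO_BASELINE"))
            else:
                if e.country not in prof["countries"]:
                    findings.append((e.ts, e.user, "NEW_COUNTRY"))
                usual = {(h + d) % 24 for h in prof["hours"] for d in range(-HOUR_SLACK, HOUR_SLACK + 1)}
                if e.ts.hour not in usual:
                    findings.append((e.ts, e.user, "OFF_HOURS"))
            prev = last_success.get(e.user)
            if prev and prev.country != e.country and e.ts - prev.ts <= TRAVEL_WINDOW:
                findings.append((e.ts, e.user, "IMPOSSIBLE_TRAVEL"))
        last_success[e.user] = e
    return findings


def run(log_text=SAMPLE_LOG):
    events = parse_log(log_text)
    return detect(events, build_baselines(events))


if __name__ == "__main__":
    for ts, user, rule in run():
        print(f"{ts.isoformat()} {user:6} {rule}")
```

On the constructed log this yields four findings: alice's 03:12 login is OFF_HOURS (her baseline is 08:00 to 10:00 UTC), bob's 09:40 login from BR is both NEW_COUNTRY and IMPOSSIBLE_TRAVEL (39 minutes after a US login), and carol is NO_BASELINE. The fixed cut-off date and single-pass profile stand in for what a real deployment derives from weeks of history with geolocation or ASN enrichment and statistical thresholds; the point is the shape of the logic, not the thresholds. Note that the model deliberately ignores failed attempts, so brute-force bursts need a separate rule.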