PolicyForge

Cybersecurity, ISO 27001 & GRC glossary

The reference definitions you need to write your policies and prepare for audits — in plain language, no needless jargon.

Acceptable Use Policy (AUP) [Policies]
A policy defining how employees may use company systems, devices, networks and data, and what is prohibited. It is one of the most frequently requested documents in audits and onboarding.
Access Control Policy [Policies, ISO 27001]
A policy governing how identities are provisioned, authenticated, authorised, reviewed and revoked, typically enforcing least privilege and role-based access control.
Business Continuity Plan (BCP) [Policies, GRC]
A plan ensuring critical business functions can continue or be quickly restored during and after a disruption. It is underpinned by recovery objectives (RPO/RTO) and tested regularly.
BYOD [Policies]
Bring Your Own Device — the practice of allowing employees to use personal devices for work. A BYOD policy sets the security conditions (encryption, MFA, remote wipe, separation of data) under which this is permitted.
CIS Controls [GRC]
A prioritised set of 18 safeguards published by the Center for Internet Security, designed to stop the most common attacks. Implementation Groups (IG1–IG3) scale the controls to an organisation’s size and risk.
Data Classification [Policies]
The practice of labelling information by sensitivity (e.g. public, internal, confidential, restricted) so that handling, storage, sharing and retention rules can be applied consistently.
Data Processing Agreement (DPA) [Regulation, GRC]
A contract required by GDPR Article 28 between a data controller and a processor, setting out the scope, duration, security measures and obligations governing the processing of personal data.
DORA [Regulation]
The EU Digital Operational Resilience Act — regulation harmonising ICT risk management, incident reporting, resilience testing and third-party oversight for the financial sector.
GRC [GRC]
Governance, Risk and Compliance — the discipline of aligning security governance, risk management and regulatory compliance so they reinforce rather than duplicate each other.
Incident Response Policy [Policies]
A policy and procedure defining how security incidents are detected, triaged, contained, eradicated, recovered from and reviewed, including roles, escalation paths and breach-notification timelines.
Information security policy [Policies, ISO 27001]
The top-level, management-approved document that states an organisation’s commitment to protecting information and sets the direction for all subordinate security policies. Required by ISO 27001 clause 5.2.
ISMS (SMSI in French) [ISO 27001, GRC]
Information Security Management System — the set of policies, processes, roles and controls an organisation uses to manage information security risk in a systematic, auditable way. ISO/IEC 27001 defines the requirements for an ISMS.
ISO/IEC 27001 [ISO 27001, Regulation]
The international standard specifying the requirements for establishing, operating and continually improving an ISMS. Certification is granted by an accredited body after a two-stage audit. The 2022 revision aligns controls with ISO/IEC 27002:2022.
ISO/IEC 27002 [ISO 27001]
A companion guidance standard that describes the 93 information security controls referenced by ISO 27001 Annex A, organised into four themes: organisational, people, physical and technological.
ISO/IEC 27701 [ISO 27001, Regulation]
An extension of ISO 27001/27002 for privacy information management (a PIMS). It helps organisations manage personal data and demonstrate GDPR-aligned accountability.
Least Privilege [Policies, GRC]
The principle that every user, process or system is granted only the minimum access required to perform its function, reducing the blast radius of compromised credentials.
Multi-Factor Authentication (MFA) [Policies]
An authentication method requiring two or more independent factors (something you know, have or are). It is one of the most effective single controls against account takeover.
NIS2 [Regulation]
An EU directive (2022/2555) expanding cybersecurity obligations across more sectors, with stricter risk-management measures, incident reporting and management accountability than its predecessor.
NIST CSF [GRC]
The NIST Cybersecurity Framework — a voluntary, risk-based framework organised around core functions (Govern, Identify, Protect, Detect, Respond, Recover) used to assess and improve cybersecurity posture.
Risk assessment [GRC, ISO 27001]
The process of identifying assets, threats and vulnerabilities, then estimating the likelihood and impact of risks so they can be prioritised. ISO 27001 requires a documented, repeatable risk assessment method.
Risk treatment [GRC, ISO 27001]
Deciding how to handle each identified risk — mitigate, accept, transfer or avoid — and recording the choice in a risk treatment plan. Selected controls feed the Statement of Applicability.
RPO / RTO [GRC]
Recovery Point Objective and Recovery Time Objective — RPO is the maximum acceptable data loss measured in time; RTO is the maximum acceptable time to restore a service after an incident.
SOC 2 [GRC, Regulation]
An attestation report (AICPA) evaluating a service organisation’s controls against five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. Type I assesses design at a point in time; Type II assesses operating effectiveness over a period.
Statement of Applicability (SoA; DdA in French) [ISO 27001]
A mandatory ISO 27001 document listing every Annex A control, whether it is applicable, the justification, and its implementation status. It is the central map auditors use to navigate an ISMS.

From definition to document, in 5 minutes

PolicyForge turns these concepts into audit-ready policies aligned with ISO 27001, SOC 2, GDPR, NIS2 and DORA.