Access Control
A security control family that governs who can access systems, data, and functions.
Plain definitions for common security, privacy, AI risk, and compliance terms used in executive conversations.
A management approach for using artificial intelligence with clear accountability, data rules, oversight, and risk controls.
AI governance is the management approach for deciding how AI tools are used, which data they may process, who owns the risk, and what human oversight is required. It is not only model testing. It includes policy, use-case inventory, data classification, vendor assessment, monitoring, and decision records.
Why it matters: Generative AI adoption can move faster than security and privacy review. Without governance, teams may expose sensitive data, rely on unclear vendor terms, or use outputs without accountability. A practical AI governance model sets acceptable use boundaries while preserving useful adoption and executive visibility.
The capability to continue important business operations during disruption.
The person accountable for operating, maintaining, and evidencing a control.
A documented action that addresses the root cause of a nonconformity or control weakness.
A transfer of personal data from one jurisdiction to another, often requiring legal and security safeguards.
The operating model that connects security risk, ownership, controls, reporting, and executive decisions.
A process for labeling data by sensitivity, business value, and handling requirements.
The organization or person that determines the purposes and means of personal data processing.
A party that processes personal data on behalf of a controller.
The individual whose personal data is processed.
The ability of an organization to prevent, withstand, recover from, and learn from digital disruptions.
The process and capability to restore technology services after a major failure or disaster.
The EU Digital Operational Resilience Act for financial entities and ICT service providers in the financial ecosystem.
DORA defines digital operational resilience expectations for financial entities and important ICT service providers in the European Union. It is not limited to technical security controls. It also brings attention to incident handling, third-party dependencies, resilience testing, evidence management, and management reporting.
Why it matters: A technology company serving EU finance customers may see DORA requirements appear in security questionnaires, contract clauses, and vendor reviews. Readiness work helps clarify which services are critical, which evidence is available, who owns supplier risk, and how resilience topics are reported to leadership. This is a practical governance explanation, not legal advice.
A data protection impact assessment used to evaluate privacy risks in higher-risk processing activities.
A technical control that protects data confidentiality by transforming readable data into protected form.
A part-time CISO model used by companies that need senior security leadership before a permanent executive hire.
The European Union data protection regulation governing personal data processing.
GDPR is the European Union data protection regulation governing personal data processing. It covers lawful bases, transparency, data subject rights, minimization, breach notification, processor obligations, and transfer mechanisms.
Why it matters: Companies outside the EU may still face GDPR expectations when they serve EU customers, employees, or users. Those expectations often appear in contracts, vendor reviews, and security questionnaires. GDPR readiness overlaps with KVKK in some areas, but scope, documentation, transfer analysis, and governance routines should be tracked clearly and separately.
The discipline of identifying, treating, and monitoring risks from information and communication technology systems.
A documented process for detecting, escalating, containing, and recovering from security incidents.
An independent review used to test whether policies, controls, and evidence work as intended.
An information security management system covering risk, controls, policies, evidence, and improvement.
An ISMS is an information security management system. It brings together risk assessment, policy, control operation, measurement, internal audit, management review, and corrective actions as a repeatable governance cycle.
Why it matters: In ISO 27001 readiness, the value comes from making security decisions in a managed system rather than producing documents only for an audit. An ISMS creates shared ownership across security, legal, HR, product, and leadership teams. It also helps evidence appear during normal work, not only during audit preparation.
An international standard for information security management systems and risk-based control governance.
ISO 27001 describes a risk-based information security management system. It is more than a document set; it covers scope, risk assessment, control ownership, evidence, internal audit, management review, and continual improvement.
Why it matters: B2B buyers, enterprise customers, and investors often ask about ISO 27001 readiness as a signal of security maturity. The standard does not require every company to implement every control in the same way. It expects reasoned decisions based on risk, supported by evidence that shows the management system is working before an audit or customer review.
A guidance standard that explains information security controls used with ISO 27001.
An ISO standard focused on information security risk management.
A privacy information management extension to ISO 27001 and ISO 27002.
A management system standard for artificial intelligence governance.
Turkey’s primary personal data protection law and privacy compliance framework.
KVKK is Turkey’s primary personal data protection law and privacy compliance framework. For companies, it is not only a privacy notice exercise. Processing purposes, controller and processor roles, retention, third-party transfers, and security measures need to work together.
Why it matters: KVKK readiness connects directly with security governance. Access control, logging, data classification, vendor assessment, and incident response all affect personal data risk. Companies working with Turkish customers or operations need a practical way to connect privacy obligations with daily control ownership. This summary is an operational explanation, not legal advice.
The principle that users and systems should have only the access needed to perform their role.
Collection and review of events to detect issues, support investigations, and prove control operation.
Multi-factor authentication requiring more than one factor to verify user identity.
A privacy information management system for organizing privacy roles, controls, evidence, and accountability.
A documented, approved deviation from a policy, usually with risk acceptance and an expiry date.
A practice of embedding privacy safeguards into systems and processes from the beginning.
The risk that remains after controls and treatment actions are applied.
The amount and type of risk an organization is willing to accept in pursuit of objectives.
A structured record of risks, owners, treatment decisions, controls, and status.
A risk register is a structured record of security and privacy risks, owners, likelihood, impact, treatment decisions, controls, and status. A useful register is not just a list of findings. It records decision history and makes ownership visible.
Why it matters: Executive reporting and audit readiness both require clarity on who owns a risk and what decision has been made. A risk register turns technical findings into business priorities and supports decisions about budget, remediation, acceptance, and sequencing.
Records of Processing Activities documenting personal data processing purposes, categories, recipients, and retention.
RoPA means Records of Processing Activities. It documents personal data processing purposes, categories, systems, recipients, retention, and other key processing details. It gives privacy and security teams operational visibility into data flows.
Why it matters: Without a processing record, it is difficult to design accurate notices, retention rules, vendor reviews, or security controls. RoPA supports data classification, access control, transfer analysis, and incident response scoping. It is most useful when maintained as a living inventory rather than a one-time spreadsheet.
A reusable set of policies, reports, diagrams, and control evidence used to answer trust requests.
A customer or buyer assessment of a vendor’s security controls and evidence.
A security questionnaire is a customer or buyer assessment of a vendor’s controls and evidence. It commonly covers access management, encryption, logging, incident response, business continuity, vendor management, privacy, and audit readiness.
Why it matters: In enterprise sales, weak or inconsistent questionnaire answers can slow the buying process. A maintained evidence pack, approved answer base, and clear control ownership model help teams respond faster and more accurately. The goal is not to say yes to every question, but to explain the current control position clearly.
An attestation reporting framework for service organizations based on Trust Services Criteria.
SOC 2 is an attestation reporting approach used by service organizations to explain controls related to security, availability, confidentiality, processing integrity, and privacy. It is not the same as an ISO-style certificate. Scope, report period, control design, and selected criteria matter.
Why it matters: SaaS and technology companies often use SOC 2 reports when enterprise customers request assurance evidence. Readiness work helps teams define control owners, evidence sources, exception handling, and reusable answer bases for security questionnaires. The goal is not to overpromise compliance, but to make control operation easier to explain and verify.
An ISO 27001 document explaining which controls apply, which do not, and why.
The Statement of Applicability is an ISO 27001 document explaining which controls apply, which do not, and why. It connects scope, risk assessment, control ownership, and implementation status into one decision record.
Why it matters: During audit readiness, the SoA explains why controls were selected or excluded and how their implementation is tracked. If it is not maintained, the document can drift away from operational reality. It should therefore be managed with the risk register, evidence map, and control owner matrix.
A broader risk discipline for outsourced services, suppliers, technology providers, and partners.
The criteria used in SOC 2 reports covering areas such as security, availability, processing integrity, confidentiality, and privacy.
A virtual or fractional executive security leader who guides cyber governance without requiring a full-time CISO.
The process of assessing and monitoring security, privacy, resilience, and compliance risks from vendors.
Vendor risk management is the process of assessing and monitoring security, privacy, resilience, and compliance risks from external providers. It should include criticality, due diligence, contract expectations, evidence review, ongoing monitoring, and incident communication.
Why it matters: Cloud platforms, SaaS tools, consultants, and AI providers are part of normal business operations. Risk therefore extends beyond the company boundary. A clear program helps show which vendors are critical, which controls are evidenced, and who accepts residual risk when gaps remain.