Glossary
Definitions of the compliance, security, privacy, audit, and AI governance terms used across the Axlio site.
A working glossary of the terms used across our articles and service pages. Most of these come up in audit reports, regulatory text, or client conversations and are not always well explained in the source material. Where an article links to a term, this is where the link lands.
Terms are grouped by category and listed alphabetically within each. Most acronyms appear under their letters in the relevant section, with the full form expanded in the definition.
Standards and frameworks
AICPA TSP
The American Institute of Certified Public Accountants’ Trust Services Criteria, used as the assessment basis for SOC 2 reports. Covers security, availability, processing integrity, confidentiality, and privacy.
Annex A
The reference set of information security controls listed in ISO 27001. The 2022 revision contains 93 controls grouped into four themes: organisational, people, physical, and technological.
Annex B (ISO 42001)
The implementation guidance accompanying ISO 42001, the AI management system standard. Provides recommended approaches for the controls listed in Annex A of the same standard.
Annex SL
The harmonised structure that ISO uses across all management system standards. It defines the common 10-clause framework, terminology, and core text that make ISO 27001, ISO 9001, ISO 22301, ISO 42001 and others read consistently. Formally renamed the “Harmonized Structure” in 2021, but the industry still uses Annex SL.
CIS Controls
A prioritised set of cybersecurity actions published by the Center for Internet Security. Often used as a practical baseline alongside ISO and NIST frameworks.
FAIR
Factor Analysis of Information Risk. A quantitative risk methodology that expresses risk in financial terms based on loss event frequency and magnitude.
ISO 9001
The international standard for Quality Management Systems. Focuses on consistent delivery of products and services that meet customer and regulatory requirements.
ISO 13485
The quality management standard specific to medical devices, derived from ISO 9001 with additional regulatory requirements.
ISO 14001
The international standard for Environmental Management Systems. Covers identification and management of an organisation’s environmental impacts.
ISO 19011
The international standard providing guidance on auditing management systems, including auditor competence requirements. Used as the reference for internal audit programmes across the ISO standards family.
ISO 22301
The international standard for Business Continuity Management Systems. Defines requirements to anticipate, prepare for, respond to, and recover from disruptive incidents.
ISO 27001
The international standard for Information Security Management Systems. Defines requirements for establishing, implementing, maintaining, and continually improving an ISMS. The current version is ISO/IEC 27001:2022.
ISO 27005
The international standard providing guidance on information security risk management. Often used as the methodology reference for an organisation’s risk assessment and risk treatment processes.
ISO 27018
A code of practice for protection of personally identifiable information in public cloud services. Used by cloud providers to demonstrate privacy controls.
ISO 27701
An extension to ISO 27001 that adds requirements and guidance for a Privacy Information Management System (PIMS). Used to align an information security management system with privacy obligations such as GDPR.
ISO 29100
The international privacy framework, defining principles and high-level guidance for privacy protection in information and communications technology systems.
ISO 42001
The international standard for Artificial Intelligence Management Systems (AIMS). Defines requirements for governing the development, deployment, and ongoing operation of AI systems.
ISO 42005
A guidance document published alongside ISO 42001, providing a template approach to AI system impact assessment.
NIST AI RMF
The US National Institute of Standards and Technology AI Risk Management Framework. A voluntary framework for managing risks associated with AI systems.
NIST CSF
The US National Institute of Standards and Technology Cybersecurity Framework. A widely adopted voluntary framework organising cybersecurity activities into five functions: Identify, Protect, Detect, Respond, Recover.
OECD AI Principles
A set of principles for responsible stewardship of trustworthy AI, adopted by OECD member countries in 2019. Covers topics such as transparency, accountability, and human-centred values.
SOC 2
A type of audit and attestation report defined by the AICPA TSP covering controls relevant to security, availability, processing integrity, confidentiality, and privacy. Common in B2B SaaS sales because customers often request a SOC 2 report from suppliers.
UKAS
The United Kingdom Accreditation Service. The national body that accredits certification bodies (the organisations that issue ISO certifications), providing assurance that the certification body’s audits meet recognised standards.
Management systems
AIMS
AI Management System. The set of policies, procedures, controls, and oversight defined under ISO 42001 for governing the development and use of AI systems.
BCMS
Business Continuity Management System. The set of policies, procedures, and controls defined under ISO 22301 for preparing for and recovering from disruptions to operations.
Integrated management system
A single management system that satisfies multiple standards simultaneously (for example, ISO 27001 and ISO 9001 operated as one system). Made practical by the shared Annex SL structure across standards.
ISMS
Information Security Management System. The set of policies, procedures, controls, and oversight defined under ISO 27001 for protecting information assets and managing security risk.
PIMS
Privacy Information Management System. The set of policies, procedures, and controls defined under ISO 27701 for protecting personal data and managing privacy risk.
QMS
Quality Management System. The set of policies, procedures, and controls defined under ISO 9001 for delivering consistent quality across products and services.
Audit
Audit programme
The full set of internal audits planned and conducted across a defined cycle, with assigned auditors, scopes, and timing. Required under Clause 9.2 of Annex SL standards.
Audit readiness review
An independent review conducted before a certification or surveillance audit, using the methodology a real auditor would use, to identify and address issues before the external audit visit.
Audit scope and criteria
The boundaries of an audit (what is being examined) and the standards against which it is being measured. Defined at the start of every audit.
Auditor competence
The knowledge, skills, and personal qualities an auditor needs to perform an audit, as defined in ISO 19011. Used as the reference for assessing whether an internal or external auditor is qualified.
Auditor independence
The requirement that an auditor be objective, impartial, and free from bias and conflict of interest, as defined in ISO 19011. An auditor cannot audit work that they themselves built or operate.
CAPA
Corrective and Preventive Action. The documented process for addressing identified nonconformities (corrective) and reducing the likelihood of future issues (preventive). Required under Clause 10.2 of Annex SL standards.
Certification audit
The external audit conducted by an accredited certification body to determine whether an organisation meets the requirements of a standard. Typically conducted in two stages (see Stage 1 audit and Stage 2 audit).
Clause 9.2
The internal audit requirement common to all Annex SL management system standards. Requires the organisation to conduct internal audits at planned intervals, by independent and competent auditors, with results reported to management.
Clause 9.3
The management review requirement common to all Annex SL management system standards. Requires top management to review the management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.
Clause 10.2
The nonconformity and corrective action requirement common to all Annex SL management system standards. Requires the organisation to react to nonconformities and take action to control and correct them.
Conformity
A finding in an audit indicating that the assessed area meets the requirements of the standard. The positive counterpart to a nonconformity.
External audit
An audit conducted by an independent third party, typically a certification body for certification, surveillance, or recertification purposes.
Internal audit
An audit conducted by or for the organisation itself to assess whether its management system conforms to the standard and to its own requirements. Required under Clause 9.2.
Major nonconformity
A systematic failure or complete absence of a required element of the management system. Must be addressed before certification or recertification can be granted.
Management review
A formal review of the management system by top management, required under Clause 9.3. Examines audit outputs, performance metrics, risks, opportunities, and changes that may affect the system.
Minor nonconformity
A single lapse, partial failure, or incomplete implementation of a required element. Can be addressed through a corrective action plan rather than blocking certification.
Mock audit
A simulated audit conducted in advance of a real audit, typically by an independent party, to test readiness and identify likely findings. Often used interchangeably with audit readiness review.
Nonconformity
A failure to meet a requirement of the standard or the organisation’s own documented requirements. Classified as major or minor. The opposite of conformity.
OFI
Opportunity for Improvement. An audit observation that does not constitute a nonconformity but identifies an area where the management system could be improved. OFIs do not block certification but are typically revisited at the next audit cycle.
Recertification audit
The full external audit at the end of a certification cycle (typically three years), examining the management system against all requirements before issuing renewed certification.
Stage 1 audit
The first part of a certification audit. A documentation-focused review to confirm the management system exists, has been designed appropriately, and is ready for the Stage 2 assessment.
Stage 2 audit
The second part of a certification audit. An evidence-focused review to confirm that the management system is implemented, operating, and producing the required outputs.
Surveillance audit
The shorter annual external audits conducted between certification and recertification, focused on key controls and on changes since the previous audit.
Risk and security
Business continuity
The capability of an organisation to continue delivering products and services at acceptable predefined levels following a disruptive incident. The subject of ISO 22301 and a key area in NIS2 and DORA.
Business email compromise (BEC)
A category of fraud in which an attacker impersonates a senior person or trusted contact, usually via email, to authorise a fraudulent payment or sensitive disclosure. Increasingly executed with deepfake audio or video.
Business impact analysis (BIA)
A structured assessment of the consequences of disrupting each business activity, used as the foundation for business continuity planning under ISO 22301.
Deepfake
Synthetic audio, video, or imagery generated using AI to impersonate a real person. Used in social engineering attacks including business email compromise and CEO fraud.
Disaster recovery (DR)
The processes and infrastructure for restoring IT systems after a disruption. A subset of business continuity, focused on the technology layer rather than the whole organisation.
Incident response
The set of processes for detecting, responding to, and recovering from cybersecurity incidents. A required capability under ISO 27001, NIS2, and DORA.
MTTD
Mean Time to Detect. A measure of the average time between an incident occurring and being identified. Used to assess detection capability.
MTTR
Mean Time to Respond. A measure of the average time between an incident being identified and being contained or resolved. Used to assess response capability.
Multi-factor authentication (MFA)
An authentication method requiring two or more independent factors (e.g. password plus a one-time code, hardware token, or biometric). A baseline control under most modern security frameworks.
Penetration testing
Authorised, scoped security testing in which testers attempt to compromise systems using the techniques a real attacker might use. Used to verify that controls work in practice.
Phishing simulation
A controlled exercise in which simulated phishing emails are sent to staff to assess awareness and identify training needs. A common part of security awareness programmes.
Privileged access
High-level system access, typically administrative or root, that allows the holder to alter security configurations, access sensitive data, or affect many users. Subject to additional controls in most frameworks.
Ransomware
A category of malware that encrypts files or systems and demands payment for recovery. A leading cause of major business disruption and a frequent test of business continuity preparedness.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured in time. An RPO of one hour means the organisation can tolerate losing up to one hour of data in a recovery scenario.
Recovery Time Objective (RTO)
The target maximum acceptable time to restore an operation after disruption. An RTO of four hours means an operation should be restored within four hours of an incident.
Risk appetite
The amount and type of risk an organisation is willing to accept in pursuit of its objectives. Set by leadership and used to guide risk treatment decisions.
Risk assessment
The structured process of identifying risks, analysing their likelihood and impact, and evaluating them against the organisation’s risk appetite.
Risk register
The documented inventory of identified risks, with their assessment, treatment decisions, owners, and current status. The central artefact of risk management.
Risk treatment
The decision and action taken to address each identified risk, typically one of: mitigate, transfer, avoid, or accept. Recorded in the risk register and linked to specific controls.
Statement of Applicability (SoA)
A documented decision, required under ISO 27001, recording which Annex A controls are applicable, which are not, and the justification for each decision. The bridge between the risk assessment and the implemented controls.
Supplier risk
The risk introduced into an organisation through its relationships with suppliers, especially when suppliers process the organisation’s data or provide critical services. Managed through third-party risk processes.
Supply chain security
The discipline of identifying and managing risk across the full chain of suppliers, subcontractors, and dependencies. A specific focus area under NIS2.
Tabletop exercise
A facilitated scenario-based discussion in which a team works through a hypothetical incident to test plans, decisions, and communications. Used in incident response and business continuity preparation.
TEMPEST
A class of techniques for protecting against information leakage through unintended electromagnetic emissions (RF, acoustic, mechanical). Historically applied in intelligence and defence environments, relevant again with Wi-Fi sensing under IEEE 802.11bf.
Third-party risk
The risk introduced to an organisation by reliance on external parties, including suppliers, processors, service providers, and partners. Managed through assessments, contracts, and ongoing monitoring.
Vulnerability scanning
The automated process of testing systems for known security weaknesses. Typically run on a recurring schedule as part of security operations, alongside more in-depth penetration testing.
Privacy and data protection
Controller
Under GDPR, the natural or legal person that determines the purposes and means of processing personal data. Holds primary accountability for compliance.
Data minimisation
A core GDPR principle (Article 5(1)(c)) requiring personal data processing to be adequate, relevant, and limited to what is necessary for the stated purpose.
Data subject
The identified or identifiable natural person to whom personal data relates. The individual whose rights GDPR protects.
DPIA
Data Protection Impact Assessment. A structured process required under GDPR Article 35 when a processing activity is likely to result in a high risk to data subject rights, to identify and mitigate those risks before processing begins.
DPO
Data Protection Officer. A formal role required under GDPR for certain organisations (public authorities, large-scale systematic monitoring, special category processing at scale). Provides independent oversight of privacy compliance.
Lawful basis
The legal grounds on which personal data may be processed under GDPR Article 6, such as consent, contract, legal obligation, vital interest, public task, or legitimate interest. Every processing activity needs one.
Personal data breach
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. May trigger notification obligations within 72 hours under GDPR.
Privacy by design
A core principle under GDPR Article 25 requiring privacy to be embedded into the design and operation of processing activities from inception, rather than added later.
Privacy notice
The document or page that communicates to data subjects what personal data is processed, by whom, on what basis, for what purpose, and for how long. Required under GDPR Articles 13 and 14.
Processor
Under GDPR, the natural or legal person that processes personal data on behalf of a controller. Bound by the controller’s instructions and by a written processing agreement.
Records of Processing Activities (RoPA)
The documented inventory of processing activities required under GDPR Article 30, including the purpose, categories of data, recipients, retention, and security measures for each activity.
Schrems II
The 2020 Court of Justice of the European Union ruling that invalidated the EU-US Privacy Shield and tightened the requirements for transferring personal data from the EU to third countries.
Special category data
Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, or data on sex life or sexual orientation. Subject to enhanced protections under GDPR Article 9.
Standard Contractual Clauses (SCCs)
EU-approved contract terms that provide a legal basis for transferring personal data from the EU to third countries that do not have an adequacy decision. Updated in 2021 to reflect Schrems II.
Transfer Impact Assessment (TIA)
A risk assessment required following Schrems II for international data transfers using Standard Contractual Clauses, evaluating whether the destination country’s laws undermine the protections.
Regulatory frameworks
Data Protection Act 2018
The Irish legislation that gives effect to GDPR in domestic law, along with provisions specific to law enforcement processing and certain national derogations.
DORA
Digital Operational Resilience Act. EU regulation, effective from January 2025, that sets ICT risk management, incident reporting, resilience testing, and third-party risk requirements for financial entities.
ePrivacy Directive
The EU directive (2002/58/EC, as amended) covering confidentiality of electronic communications, cookies and similar technologies, and unsolicited marketing. Implemented in Ireland through the ePrivacy Regulations 2011.
ePrivacy Regulations 2011
The Irish statutory instrument (SI 336 of 2011) that transposes the ePrivacy Directive into Irish law.
Essential entity
Under NIS2, an organisation in a sector considered critical to society and the economy (energy, transport, banking, health, water, digital infrastructure, public administration, and others). Subject to the most stringent supervision and reporting requirements.
EU AI Act
The European Union’s regulation on artificial intelligence, classifying AI systems by risk level and setting obligations for providers and deployers. The first comprehensive AI law of its kind.
GDPR
The EU General Data Protection Regulation (2016/679). Applies to processing of personal data of individuals in the EU regardless of where the processor is located. Enforced by national supervisory authorities, in Ireland the Data Protection Commission.
Health Research Regulations 2018
The Irish statutory instrument governing the processing of personal data for health research, with consent and governance requirements that supplement GDPR in the health research context.
Important entity
Under NIS2, an organisation in a sector that is significant but not critical (postal services, waste management, certain manufacturing, food production, digital services). Subject to NIS2 requirements but with lighter supervision than essential entities.
NIS2
The Network and Information Security Directive (EU 2022/2555), the EU’s updated cybersecurity directive expanding scope and obligations from the original 2016 NIS Directive. Imposes risk management, incident reporting, and supply chain security requirements on covered entities.
Irish regulatory bodies
ComReg
The Commission for Communications Regulation, the Irish authority for electronic communications and radio spectrum, including the licensing and protection of radio frequency bands.
Data Protection Commission (DPC)
The Irish supervisory authority for GDPR and the Data Protection Act 2018. Investigates complaints, conducts inquiries, and enforces compliance.
Workplace Relations Commission (WRC)
The Irish body responsible for employment law, equality, and industrial relations. Handles complaints relating to employee monitoring, dismissals, and workplace rights.
Roles
CISO
Chief Information Security Officer. The senior executive accountable for an organisation’s information security strategy, programme, and risk posture.
vCISO
Virtual Chief Information Security Officer. A fractional, outsourced model in which an external consultant or firm provides CISO-level leadership without the cost or commitment of a full-time hire.
AI governance
AI risk assessment
The structured process of identifying and evaluating risks specific to AI systems, including bias, explainability, safety, data quality, and unintended consequences. Required under ISO 42001 and the EU AI Act.
AI System Impact Assessment (AISIA)
A documented assessment of the potential impact of an AI system on individuals, groups, and society, including risks of harm, bias, and rights infringement. The methodology referenced in ISO 42005.
AI system inventory
A documented register of all AI systems in use across an organisation, with attributes such as purpose, data inputs, outputs, owner, vendor, and risk classification. The foundation of any AI governance programme.
Bias (in AI)
Systematic error in an AI system’s outputs that disadvantages certain groups or individuals, typically caused by skewed training data, flawed assumptions, or inappropriate model choices.
Explainability
The property of an AI system whose decisions can be understood and articulated by humans. Required to varying degrees by GDPR Article 22 (automated decision-making), the EU AI Act, and ISO 42001.
Generative AI
AI systems that produce new content (text, images, audio, video, code) rather than classifying or predicting from existing inputs. The category that includes large language models.
Human oversight
The requirement for human review, intervention, or override in AI decision-making, particularly for high-risk systems. A core control under the EU AI Act and ISO 42001.
Large language model (LLM)
A category of generative AI trained on large text corpora to produce natural language outputs. Examples include the GPT, Claude, and Gemini families.
Customer assurance
CAIQ
Consensus Assessments Initiative Questionnaire. A standard set of security questions published by the Cloud Security Alliance, often used by enterprise customers when assessing cloud service providers.
Due diligence
The structured process of investigating a counterparty, supplier, or acquisition target before entering into a transaction or relationship, particularly examining their security, privacy, and compliance posture.
Security questionnaire
A structured set of questions used by buyers (typically enterprise customers) to assess the security and compliance posture of suppliers. Common formats include SIG, CAIQ, and customer-specific questionnaires.
SIG
Shared Assessments Standardised Information Gathering questionnaire. A widely used security assessment questionnaire, available in full and lite versions.
Technical
Channel State Information (CSI)
Metadata about how a Wi-Fi signal propagates between transmitter and receiver, including amplitude and phase shifts across subcarriers. The data foundation of Wi-Fi sensing under IEEE 802.11bf.
IEEE 802.11bf
An amendment to the IEEE 802.11 standard family, published 26 September 2025, that turns Wi-Fi into a sensing platform. Enables motion, presence, and gesture detection across standard wireless infrastructure.
WPA2 and WPA3
Wi-Fi Protected Access 2 and 3. The previous and current generations of Wi-Fi encryption standards, respectively. Both protect the data payload of Wi-Fi traffic but do not prevent radio-layer observation, which is relevant to Channel State Information sensing.
