Compliance and Security Glossary
Clear, practical definitions of the terms that matter in compliance, cybersecurity, and risk management. No jargon for the sake of jargon. Each definition explains what the term means and why it matters to your organisation.
Audit Trail
A chronological record of the actions, changes, and access events within a system. Audit trails provide evidence of who did what and when, which is essential for regulatory compliance, incident investigation, and demonstrating due diligence to auditors and insurers. To count as evidence the trail itself must be protected: written to append-only or otherwise tamper-evident storage, time-synchronised across systems, and retained for the period the applicable framework requires.
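The tamper-evident property above is usually delivered by write-once storage or a log pipeline, but the idea can be shown in a few lines: every record carries the hash of the record before it, so editing, deleting or reordering any entry breaks the chain. This is an added illustration, not Fig's code or part of the original glossary; the record fields and the sample events are constructed for the example.

```python
"""Hash-chained audit trail: each record embeds the SHA-256 of the previous one,
so any later modification is detectable. Added example, not product code."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # stands in for the "previous hash" of the very first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is deterministic.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_event(trail: list, actor: str, action: str, target: str,
                 ts: Optional[str] = None) -> dict:
    """Append a who/what/when record chained to the previous record's hash."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = {
        "seq": len(trail),
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "prev_hash": prev_hash,
    }
    record["hash"] = _digest(record)
    trail.append(record)
    return record


def verify_trail(trail: list) -> tuple:
    """Recompute every hash and link. Returns (ok, index_of_first_bad_record_or_-1)."""
    expected_prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "hash"}
        if (record["seq"] != i
                or record["prev_hash"] != expected_prev
                or _digest(body) != record["hash"]):
            return False, i
        expected_prev = record["hash"]
    return True, -1


def demo() -> tuple:
    """Build a small trail (constructed events), then show that an edit is caught."""
    trail = []
    append_event(trail, "alice", "login", "vpn", "2025-03-01T08:00:00+00:00")
    append_event(trail, "alice", "read", "s3://finance/payroll.csv", "2025-03-01T08:02:10+00:00")
    append_event(trail, "bob", "grant_role", "alice:admin", "2025-03-01T08:05:00+00:00")
    intact, _ = verify_trail(trail)
    # An insider rewrites history so the privilege grant looks self-service.
    trail[2]["actor"] = "alice"
    still_valid, bad_index = verify_trail(trail)
    return intact, still_valid, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

Deleting a record is caught in the same way, because the next record's `prev_hash` no longer matches and its `seq` is off by one. In production the chain head (the latest hash) should be copied somewhere the log writer cannot alter, otherwise an attacker with write access can simply rebuild the chain.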
CMMC
The Cybersecurity Maturity Model Certification is a US Department of Defense framework that assesses how well a contractor protects Federal Contract Information and Controlled Unclassified Information. The current model (CMMC 2.0) has three levels; the original 2020 model had five. Level 2 aligns with the 110 controls of NIST SP 800-171. Organisations in the defence supply chain must achieve the level specified in a contract to be awarded it. Fig supports CMMC compliance automation and evidence collection.
Compliance Automation
The use of technology to continuously monitor, collect evidence, and verify that an organisation meets the requirements of regulatory frameworks and security standards. Compliance automation replaces manual evidence gathering, spreadsheet tracking, and point-in-time assessments with real-time, continuous compliance monitoring.
Control Framework
A structured set of security controls that an organisation implements to manage risk and meet regulatory requirements. Common control frameworks include ISO 27001 Annex A, NIST CSF, CIS Controls, and the Cyber Essentials five-category model. Fig maps controls across 65+ frameworks to reduce duplication of effort.
Cyber Essentials
A UK government-backed certification scheme run by the NCSC with IASME as its delivery partner. It verifies that an organisation has implemented five technical controls: firewalls and internet gateways, secure configuration, user access control, malware protection, and security update (patch) management. Cyber Essentials is a self-assessment questionnaire reviewed by an assessor; Cyber Essentials Plus adds an independent technical audit of a sample of devices, including vulnerability scanning.
DORA
The Digital Operational Resilience Act is an EU regulation that applies to financial sector entities and to the ICT third-party service providers they rely on. DORA requires organisations to manage ICT risk, report major ICT-related incidents, test operational resilience, and oversee third-party ICT providers through contracts and a register of information. It entered into force in January 2023 and has applied since 17 January 2025.
Evidence Collection
The process of gathering documentation, logs, screenshots, configuration data, and other artefacts that prove an organisation is implementing its stated security controls. Manual evidence collection is time-consuming and error-prone. Automated evidence collection, as provided by Fig, pulls this data directly from connected systems.
GDPR
The General Data Protection Regulation is an EU regulation governing the processing of personal data. It applies to organisations established in the EU and to organisations elsewhere that offer goods or services to, or monitor the behaviour of, people in the EU. GDPR requires data protection by design and by default, notification of qualifying personal data breaches to the supervisory authority within 72 hours of becoming aware of them, and a documented lawful basis for each processing activity.
Governance-First
An approach to security and compliance that starts with governance structures (policies, risk registers, accountability frameworks) before implementing technical controls. A governance-first methodology ensures that security investments are aligned with business objectives and regulatory requirements rather than deployed reactively.
GRC
Governance, Risk, and Compliance. GRC refers to the integrated approach of managing corporate governance, enterprise risk management, and regulatory compliance. Traditional GRC platforms are enterprise software tools that cost £30,000-500,000+ annually. Fig provides modern GRC capabilities at a fraction of the cost.
Incident Response
The structured process of detecting, containing, eradicating, and recovering from security incidents. An effective incident response programme includes pre-defined playbooks, clear roles and responsibilities, communication templates, and post-incident review procedures. Regular tabletop exercises test and refine the plan.
ISO 27001
The international standard for information security management systems (ISMS), currently ISO/IEC 27001:2022. ISO 27001 provides a systematic framework for managing sensitive information through risk assessment, control implementation, and continuous improvement. Certification requires an independent audit by an accredited certification body, followed by annual surveillance audits and a full recertification audit every three years.
MFA
Multi-Factor Authentication requires users to provide two or more verification factors to access a system. Factors typically include something you know (password), something you have (authenticator app or hardware token), and something you are (biometric). MFA is one of the most effective controls against account compromise because it defeats credential stuffing and password reuse, and cyber insurance underwriters commonly require it for remote access, email, and privileged accounts. Not all factors are equal: SMS and one-time codes can be phished or relayed in real time, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind the login to the legitimate site.
MSP
A Managed Service Provider is an organisation that manages IT infrastructure, security, and compliance services on behalf of its clients. MSPs typically serve multiple clients simultaneously and require multi-tenant platforms that can manage each client environment separately while providing centralised visibility and reporting.
MSSP
A Managed Security Service Provider specialises in delivering security-focused services including threat monitoring, incident response, vulnerability management, and compliance. MSSPs differ from general MSPs in their specific focus on security operations, though the lines between MSP and MSSP continue to blur.
NIS2
The Network and Information Systems Directive 2 is an EU directive that strengthens cybersecurity requirements for essential and important entities across 18 sectors. Member states had to transpose it into national law by 17 October 2024. NIS2 mandates risk management measures, incident reporting, supply chain security, and management accountability. Non-compliance can result in fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities.
Penetration Testing
A controlled, authorised attack on an organisation's systems, networks, or applications to identify exploitable vulnerabilities. Unlike a vulnerability scan, a penetration test chains and exploits findings to show their real impact. Tests are conducted by qualified professionals under an agreed scope and rules of engagement, and provide a realistic assessment of an organisation's defences. Results inform remediation priorities and meet testing requirements in standards such as PCI DSS and in customer security questionnaires.
Policy Management
The lifecycle management of organisational security and compliance policies. This includes drafting, reviewing, approving, distributing, tracking acknowledgement, and periodically updating policies. Effective policy management ensures that staff understand their responsibilities and that the organisation can demonstrate its governance framework to auditors.
Risk Register
A documented record of identified risks, their likelihood, potential impact, current controls, and treatment plans. A risk register is a living document that should be reviewed regularly and updated as new risks emerge or existing risks change. It serves as the foundation for risk-based decision-making and regulatory compliance.
SIEM
Security Information and Event Management systems collect, aggregate, and analyse log data from across an organisation's IT environment to detect security threats and anomalies. SIEM platforms provide real-time alerting, correlation of events across multiple sources, and forensic investigation capabilities.
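Correlation across sources is what separates a SIEM from a log archive: failures that look harmless in each system become an alert when combined. As an added illustration (not Fig's code or part of the original glossary), the snippet below normalises constructed events from an SSH daemon and a VPN gateway into one schema and fires when a burst of failed logins from one address is followed by a success from the same address. The key=value format, the thresholds and the RFC 5737 documentation IPs are all assumptions made for the example.

```python
"""SIEM-style correlation over events from two sources. Added example, not product
code. Sample log lines are constructed and use RFC 5737 documentation addresses."""
import re
from collections import defaultdict
from datetime import datetime, timezone

SAMPLE_LOGS = """\
2025-03-01T08:00:01Z source=sshd src=203.0.113.5 user=root result=FAIL
2025-03-01T08:00:03Z source=sshd src=203.0.113.5 user=admin result=FAIL
2025-03-01T08:00:05Z source=vpn-gw src=203.0.113.5 user=alice result=FAIL
2025-03-01T08:00:07Z source=sshd src=203.0.113.5 user=alice result=FAIL
2025-03-01T08:00:09Z source=vpn-gw src=203.0.113.5 user=alice result=FAIL
2025-03-01T08:00:30Z source=sshd src=198.51.100.7 user=bob result=FAIL
2025-03-01T08:01:15Z source=vpn-gw src=203.0.113.5 user=alice result=OK
2025-03-01T08:02:00Z source=sshd src=198.51.100.7 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) source=(?P<source>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(line: str) -> dict:
    """Normalise one line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def correlate(lines, fail_threshold: int = 5, fail_window: int = 60,
              success_within: int = 300) -> list:
    """Alert on a successful login from an IP that produced >= fail_threshold failures
    (from any source) within a fail_window-second span in the preceding success_within seconds."""
    failures = defaultdict(list)      # src ip -> timestamps of failed logins
    alerts = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse(raw)
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = sorted(t for t in failures[ev["src"]]
                        if (ev["ts"] - t).total_seconds() <= success_within)
        # Largest number of failures inside any fail_window-second sliding span.
        burst = max(
            (sum(1 for t in recent if 0 <= (t - start).total_seconds() <= fail_window)
             for start in recent),
            default=0,
        )
        if burst >= fail_threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src": ev["src"], "user": ev["user"], "source": ev["source"],
                "failures": len(recent), "time": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Note what the rule catches and misses: the address 203.0.113.5 never exceeded the threshold in either source alone, so a per-system rule would stay silent, while 198.51.100.7 with one failure correctly produces nothing. Real deployments tune thresholds per source and suppress known scanners, because an untuned rule set buries analysts in alerts.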
SOC 2
An attestation framework developed by the AICPA (American Institute of Certified Public Accountants) based on its Trust Services Criteria: security (required in every report), availability, processing integrity, confidentiality, and privacy. A Type I report describes the design of controls at a point in time; a Type II report also tests their operating effectiveness over a period, typically 6 to 12 months, and is the one enterprise customers usually ask for when evaluating service providers, particularly SaaS companies.
Supply Chain Risk
The potential for security incidents, data breaches, or service disruptions caused by vulnerabilities in an organisation's third-party vendors, suppliers, and service providers. Supply chain risk management involves identifying, assessing, and continuously monitoring the security posture of all third-party relationships. NIS2 and DORA both include specific supply chain requirements.
Third-Party Risk Management
The discipline of assessing and monitoring the risks introduced by external vendors, suppliers, contractors, and service providers. TPRM programmes include vendor due diligence, risk scoring, contractual security requirements, ongoing monitoring, and periodic reassessment. Fig automates TPRM through continuous vendor risk scoring and evidence collection.
Vulnerability Scanning
The automated process of identifying known security weaknesses in systems, applications, and network infrastructure. Vulnerability scanners compare system configurations and software versions against databases of known vulnerabilities (CVEs) and generate prioritised reports. Scanners find only known, signature-matched weaknesses, not logic flaws, and authenticated scans see far more than unauthenticated ones. Continuous scanning, as opposed to periodic scans, provides ongoing visibility into an organisation's attack surface.
Zero Trust
A security architecture model based on the principle of "never trust, always verify." Zero Trust assumes that threats exist both inside and outside the network and requires continuous verification of every user, device, and connection before granting access to resources. Implementation typically involves identity verification, micro-segmentation, least-privilege access, and continuous monitoring.
Put These Concepts into Practice
Fig turns compliance terminology into operational reality. From risk registers and policy management to vulnerability scanning and incident response, see how the platform brings these concepts together.