Compliance and security glossary. Plain English. No filler.
Clear, practical definitions of the terms that matter in compliance, cybersecurity, and risk management. No jargon for the sake of jargon. Each definition explains what the term means and why it matters to your organisation.
Cyber Essentials
Cyber Essentials is a UK government-backed certification scheme, governed by the NCSC and operationally delivered by IASME, that validates an organisation has implemented five core cybersecurity controls: firewalls, secure configuration, user access control, malware protection, and security update management.
Cyber Essentials Plus
The third-party-verified tier of Cyber Essentials. Cyber Essentials Plus adds an independent technical audit on top of the Cyber Essentials self-assessment, including external vulnerability scanning, device configuration checks, and MFA verification. Fig Cyber Essentials Plus is priced £1,499-£4,499 + VAT and is delivered by IASME-licensed assessors.
Cyber Essentials v3.3
The current version of the NCSC Cyber Essentials scheme, effective 28 April 2026, set out in the IASME-published Cyber Essentials Requirements for Infrastructure (the "Danzell" guide). v3.3 introduces mandatory multi-factor authentication for every user account and clarifies BYOD and cloud-service scoping. Normal home routers used by remote workers are explicitly excluded from scope.
IASME
The Information Assurance for Small and Medium Enterprises consortium is the NCSC-appointed delivery partner for Cyber Essentials. IASME licenses UK Certification Bodies - Fig Group (licence 325cdf33-3812-4082-bf8d-7dce7ac02977) among them - to assess organisations.
IASME Cyber Assurance
IASME's advanced certification scheme, sitting above Cyber Essentials. Cyber Assurance Level 1 is roughly equivalent to the ISO 27001 control set at a lower audit intensity. Jay Hopkins at Fig Group holds IASME Cyber Assurance assessor accreditation.
NCSC
The UK National Cyber Security Centre, part of GCHQ. The NCSC sets UK government cybersecurity policy, authors the Cyber Essentials scheme requirements, and maintains guidance on secure configuration, incident response, and supply chain security.
CS&R
The UK Cyber Security and Resilience Bill, which strengthens incident-reporting and supply chain obligations for UK organisations, including a 24-hour reporting requirement for significant incidents. Fig's incident management workflow is designed to meet the CS&R 24-hour window.
DCC
Defence Cyber Certification - the IASME-delivered scheme for UK Ministry of Defence supply chain cybersecurity, replacing the earlier DCPP/Def Stan 05-138 model. DCC runs at levels L0, L1, L2, and L3. Fig Group is an IASME-licensed DCC certification body at L0 and L1.
PPN 014/21
UK Cabinet Office Procurement Policy Note 014/21, which requires Cyber Essentials certification for central government contracts that involve handling sensitive or personal information. Suppliers bidding on in-scope contracts must hold valid certification at point of award.
Certification Body
An organisation licensed by IASME to assess applicants against the Cyber Essentials and Cyber Essentials Plus standards and issue certificates. Fig Group is an IASME-licensed Certification Body; the licence is public and verifiable on the IASME directory.
Assessor
A named individual licensed by IASME to review Cyber Essentials and Cyber Essentials Plus submissions. Every Fig Group certification is reviewed by a human IASME-licensed assessor; the AI-augmented pipeline flags priority items but does not replace the assessor.
In Scope
Devices, users, networks, and services that access organisational data are "in scope" for Cyber Essentials. All five Cyber Essentials technical controls (firewall, secure configuration, user access control, malware protection, security update management) apply to in-scope assets.
Out of Scope
Assets explicitly excluded from the Cyber Essentials assessment. Under v3.3, exclusions must be enforced by technical controls (not policy alone) - for example, an MDM Conditional Access rule that blocks personal devices from corporate resources.
Scope Statement
A written declaration by the applicant, on the self-assessment form, of what devices, users, networks, and services are in and out of Cyber Essentials scope. The scope statement is the first thing an assessor reads and the first thing a feedback round tends to query.
Sub-Set Exclusion
The mechanism for removing a device, user group, or system from Cyber Essentials scope by demonstrating it cannot access organisational data. Under v3.3, the sub-set boundary must be enforced by technical control, not by policy alone.
BYOD
Bring Your Own Device - a policy under which employees use personal phones, tablets, or laptops to access organisational data and services. Under Cyber Essentials v3.3 (Danzell), a BYOD device with direct access to organisational data is in scope. A BYOD device whose only access is mediated through a virtual desktop or VM in the cloud can be excluded via sub-set; the VM/VDI is then the in-scope device. Sub-set boundaries must be enforced by technical control (MDM Conditional Access, VDI thin-client mode, or network segregation by router/firewall/VLAN). Operating-system software firewalls alone cannot define a sub-set boundary (Danzell A2.5.1). Policy-only BYOD restrictions do not satisfy v3.3.
Home Worker Device
Any device used to access organisational data from a remote worker's home, including laptops, phones, and tablets. Home worker devices are in scope under Cyber Essentials v3.3. The home router itself is explicitly excluded from scope; the device's software firewall handles boundary enforcement against the home network.
Boundary Firewall
The firewall separating your internal network (or corporate VPN gateway) from the public internet. Under Cyber Essentials v3.3, the boundary firewall must have a non-default admin password, current firmware, and deny inbound traffic by default.
Internet-Facing Device
Any device or service with an interface exposed to the public internet - web servers, VPN gateways, mail relays, public APIs. Cyber Essentials Plus external vulnerability scans focus on internet-facing devices.
Scope Boundary
The perimeter defining what is in and out of Cyber Essentials scope. Under v3.3 the boundary must be explicit in the self-assessment - typical boundaries: corporate VPN gateway, corporate firewall, cloud identity provider.
Asset Register
A documented inventory of every device, operating system, application, and cloud service in Cyber Essentials scope. The register underpins patch management, malware protection coverage, and evidence during assessor review.
MFA
Multi-factor authentication - requires two independent factors to authenticate. Under Cyber Essentials v3.3, MFA is mandatory on every user account that accesses organisational data, including cloud services, email, admin accounts, and remote access.
FIDO2
FIDO2 is the WebAuthn-based standard for phishing-resistant authentication using hardware security keys (YubiKey, Titan) or platform authenticators (Windows Hello for Business, Apple Touch ID / Face ID). Preferred MFA method for admin accounts under v3.3.
Windows Hello for Business
Microsoft's passwordless authentication bound to a TPM-enabled Windows device. Uses biometric or PIN plus device-bound FIDO2 credentials and satisfies Cyber Essentials v3.3 MFA requirements when deployed via Intune.
Passkey
A FIDO2 credential synchronised across a user's Apple or Google account. Under v3.3 passkeys satisfy MFA when the sync service itself has MFA enabled. Increasingly standard across consumer and enterprise flows.
Conditional Access
A policy-based access control in identity providers (Entra ID, Okta) that enforces rules such as "require MFA, require compliant device, block legacy auth" on every sign-in. Under v3.3, Conditional Access replaces older "MFA on risky sign-ins only" patterns.
Number Matching
An MFA push-notification feature that displays a number on the sign-in screen which the user must type into their authenticator app. Prevents MFA-fatigue attacks, where an attacker repeatedly triggers push prompts hoping the user approves one. Microsoft Authenticator has required number matching by default since February 2023.
Legacy Authentication
Older protocols (POP, IMAP, SMTP AUTH, basic auth) that cannot use MFA and bypass modern controls. Cyber Essentials v3.3 requires legacy authentication to be disabled; any account still using it fails the MFA line item.
Security Defaults
Microsoft 365's free one-click baseline that enforces MFA registration, blocks legacy auth, and requires MFA on risky sign-ins. Passes Cyber Essentials v3.3 for organisations under ~50 users.
Advanced Protection Program (APP)
Google's strictest protection for high-risk accounts: FIDO2-only authentication, blocks dangerous downloads, restricts app access. Recommended for Google Workspace Super Admins under Cyber Essentials v3.3.
Single Sign-On (SSO)
Centralised authentication where the user signs in once at the identity provider and accesses all integrated SaaS tools without separate passwords. Under Cyber Essentials v3.3, SSO is the cleanest way to enforce MFA across multiple SaaS applications.
Break-Glass Account
Emergency-access admin account used when normal admin access fails. Under Cyber Essentials v3.3, break-glass accounts must exist, have strong MFA via an alternate method, be excluded from Conditional Access that could lock them out, and be monitored.
Segregation of Duties
The security principle that no single user can perform all parts of a sensitive transaction alone. Under Cyber Essentials v3.3, segregation applies specifically to admin accounts - admins must have separate day-to-day and admin credentials.
Least Privilege
The principle of granting users only the permissions they need to perform their job. Under Cyber Essentials v3.3, users must not have admin rights unless necessary, and admin rights must be documented and reviewed periodically.
Administrative Account
A user account with privileges to change system configuration, install software, or manage other accounts. Under Cyber Essentials v3.3, administrative accounts must be separate from day-to-day accounts and must use stronger MFA.
Standard Account
A non-privileged user account used for day-to-day activities. Users with administrative duties must have both a standard account for email/web/line-of-business apps and a separate administrative account for privileged actions.
Account Lockout
A policy that locks a user account after a number of failed sign-in attempts. Under Cyber Essentials v3.3, account lockout (or equivalent rate-limiting) is required on internet-facing authentication endpoints.
Tamper Protection
A Windows Defender feature that prevents malware or unauthorised users from disabling antivirus, real-time protection, or cloud-delivered protection. Under Cyber Essentials v3.3, tamper protection is a de facto requirement for Windows devices using Defender.
EDR (Endpoint Detection and Response)
Security software that continuously monitors endpoints for suspicious behaviour, investigates threats, and responds automatically. Examples: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne. Exceeds the Cyber Essentials minimum.
Dedicated page: /glossary/edr-endpoint-detection-and-response →
Malware Protection
One of the five Cyber Essentials control categories. Requires anti-malware installed, updated, and running on-access scans on every in-scope device. Windows Defender with tamper protection is the most common qualifying control.
Secure Configuration
One of the five Cyber Essentials control categories. Requires default accounts disabled, default passwords changed, auto-run disabled, unnecessary software removed, and configuration hardened per vendor guidance.
Security Update Management
One of the five Cyber Essentials control categories. Requires high/critical patches applied within 14 days of vendor release across operating systems, applications, and firmware.
User Access Control
One of the five Cyber Essentials control categories. Requires every user to have an individual account, MFA on every account (v3.3), separate administrative accounts, and documented leaver processes.
Firewalls and Internet Gateways
One of the five Cyber Essentials control categories. Requires boundary firewalls to be configured with default-deny inbound, non-default admin credentials, current firmware, and documented inbound rules.
14-Day Patching Rule
Under Cyber Essentials v3.3, any security update classified as "high" or "critical" by the vendor must be applied within 14 days of release. Applies to operating systems, applications, firmware, and any internet-facing service.
Supported Software
Software currently receiving security updates from its vendor. Unsupported software (end-of-life OS, discontinued applications) must be removed or isolated from scope under Cyber Essentials v3.3.
Unsupported Software
Software no longer receiving security updates from the vendor. Under Cyber Essentials v3.3, unsupported software in scope is an automatic fail; must be removed, replaced, or isolated before submission.
MAV (Minimum Acceptable Version)
Under Cyber Essentials v3.3, the vendor-defined minimum version of software that is still supported and receiving security updates. Anything below the MAV is "unsupported software" and fails Cyber Essentials unless removed or segregated.
CVE
Common Vulnerabilities and Exposures - the globally unique identifier for a known security vulnerability in a specific software product. Under Cyber Essentials v3.3, high/critical CVEs in in-scope software must be patched within 14 days.
CVSS
Common Vulnerability Scoring System - the 0-to-10 severity score assigned to each CVE. v3.3 uses "high" (CVSS 7.0-8.9) and "critical" (CVSS 9.0-10.0) as the 14-day patching threshold.
EPSS
Exploit Prediction Scoring System - a probabilistic score from 0 to 1 that estimates the likelihood a given CVE will be exploited in the wild in the next 30 days. Fig's vulnerability management workflow prioritises by EPSS and CISA KEV.
CISA KEV
The US CISA Known Exploited Vulnerabilities catalogue - a list of CVEs actively being exploited by threat actors. Organisations should patch KEV-listed vulnerabilities within 14 days of catalogue addition.
Zero-Day
A software vulnerability unknown to the vendor at the time of exploitation, or for which no patch is yet available. Under Cyber Essentials v3.3, zero-day exposure is addressed through compensating controls (EDR, network segregation) while a patch is awaited.
Auto-run
Operating system feature that automatically executes content from removable media when it is inserted. Cyber Essentials requires auto-run to be disabled on every in-scope Windows device to prevent USB-based malware infection.
Screen Lock
Automatic device lock after a period of inactivity. Under Cyber Essentials v3.3, screen lock must activate after 15 minutes or less on every in-scope device - enforced via MDM, Group Policy, or system settings.
FileVault
Apple's built-in full-disk encryption on macOS. Enabled by default on modern Macs. Satisfies the encryption-at-rest requirement under Cyber Essentials v3.3 for in-scope macOS laptops.
BitLocker
Microsoft's built-in full-disk encryption on Windows. Must be enabled on in-scope Windows laptops under Cyber Essentials v3.3 to meet the encryption-at-rest requirement; typically managed via Intune.
Intune
Microsoft's mobile device management (MDM) platform. Intune-enforced device compliance is the default BYOD control for UK organisations under Cyber Essentials v3.3, satisfying sub-set exclusion for personal devices that access organisational data only via compliant-device policies.
Jamf
Enterprise MDM for Apple (macOS, iOS) devices. Jamf Pro and Jamf Now enforce device policies, passcode complexity, FileVault, and app installation. Common BYOD and corporate-device management tool for UK organisations certifying under Cyber Essentials v3.3.
IaaS
Infrastructure as a Service - virtualised compute, storage, and networking delivered on demand. Examples: AWS EC2, Azure VMs, Google Compute Engine. In Cyber Essentials scope if you run organisational data on it; the cloud provider handles the infrastructure, you handle OS, data, and identity.
PaaS
Platform as a Service - managed runtime environments for deploying code without managing the underlying OS. Examples: AWS Lambda, Azure App Service, Vercel. In Cyber Essentials scope when they process organisational data.
SaaS
Software as a Service - full applications delivered over the internet. Examples: Microsoft 365, Google Workspace, Salesforce. Always in Cyber Essentials scope if it holds organisational data; the provider handles infrastructure, you handle identity and access configuration.
Shared Responsibility
The cloud security division of labour: the cloud provider secures the infrastructure (physical, network, hypervisor), the customer secures their application, data, and identity configuration. Cyber Essentials v3.3 tests the customer side.
Supply Chain Risk
The potential for security incidents caused by vulnerabilities in an organisation's third-party vendors and service providers. NIS2 and DORA both include specific supply chain requirements; Fig's supplier risk monitoring capability automates third-party risk scoring.
Third-Party Risk Management
The discipline of assessing and monitoring risks introduced by external vendors, suppliers, and service providers. TPRM programmes include vendor due diligence, risk scoring, contractual security requirements, and ongoing monitoring.
Self-Assessment Questionnaire (SAQ)
The core Cyber Essentials instrument: a structured questionnaire covering the five technical control categories. Completed by the organisation, submitted to an IASME-licensed certification body for review. Most organisations complete the SAQ in 1-3 hours given adequate preparation.
Dedicated page: /glossary/self-assessment-questionnaire-saq →
Remote Audit
The Cyber Essentials Plus audit format: the assessor reviews device samples, runs external scans, and tests malware protection via video call and screen share rather than in person. Fig Cyber Essentials Plus audits are remote by default.
Re-Submission
A second or subsequent attempt at the Cyber Essentials self-assessment after initial feedback. Fig Group includes three free re-submissions with every certification; most other bodies charge £100-£200 per re-submission.
Evidence Collection
The process of gathering documentation, logs, screenshots, and configuration data that prove an organisation is implementing its stated security controls. Fig's governance-first platform automates evidence collection from 300+ integrated tools.
Audit Trail
A chronological record of all actions, changes, and access events within a system. Audit trails provide evidence of who did what and when, which is essential for regulatory compliance, incident investigation, and demonstrating due diligence.
6-Hour Certification Guarantee
Fig Group's published speed guarantee: Cyber Essentials certification is issued within 6 working hours of a compliant self-assessment submission made before midday on a UK business day, or the certification fee is refunded.
ISO 27001
The international standard for information security management systems (ISMS). ISO 27001 provides a systematic framework for managing sensitive information through risk assessment, control implementation, and continuous improvement. Heavier than Cyber Essentials; Cyber Essentials is a practical first step towards ISO 27001.
ISO 27017 / ISO 27018
ISO extensions to 27001 for cloud services. 27017 covers cloud security controls; 27018 covers privacy in the cloud. Relevant for SaaS companies that need to go beyond Cyber Essentials for the production environment while keeping Cyber Essentials for the corporate estate.
SOC 2 Type II
AICPA's attestation standard for service-organisation controls over a period of time. Common US-origin requirement, increasingly requested by UK buyers of SaaS. Sits alongside Cyber Essentials - SOC 2 tests product-environment controls, Cyber Essentials tests corporate-estate controls.
GDPR
The General Data Protection Regulation - EU and UK law governing processing of personal data. Applies to any organisation that processes personal data of EU/UK residents. GDPR requires data protection by design, breach notification within 72 hours, and documented lawful basis for processing.
NIS2
The Network and Information Systems Directive 2 - EU directive strengthening cybersecurity for essential and important entities across 18 sectors. NIS2 mandates risk management, incident reporting, supply chain security, and management accountability.
DORA
The Digital Operational Resilience Act - EU regulation applying to financial sector entities and their ICT providers. DORA requires ICT risk management, incident reporting, operational resilience testing, and oversight of third-party ICT providers. In effect from January 2025.
CMMC
The Cybersecurity Maturity Model Certification - US Department of Defense framework measuring cybersecurity maturity across five levels. Organisations in the defence supply chain must achieve the appropriate CMMC level to bid on DoD contracts.
Governance-First
An approach to security and compliance that starts with governance structures (policies, risk registers, accountability frameworks) before implementing technical controls. Ensures security investments align with business objectives and regulatory requirements.
GRC
Governance, Risk, and Compliance - the integrated approach of managing corporate governance, enterprise risk management, and regulatory compliance. Traditional GRC platforms cost £30,000-£500,000+ annually; Fig provides modern GRC capabilities at a fraction of the cost.
Risk Register
A documented record of identified risks, their likelihood, potential impact, current controls, and treatment plans. A risk register is a living document that should be reviewed regularly and updated as new risks emerge or existing risks change.
Policy Management
The lifecycle management of organisational security and compliance policies: drafting, reviewing, approving, distributing, tracking acknowledgement, and periodically updating. Effective policy management ensures staff understand their responsibilities and the organisation can demonstrate governance to auditors.
Incident Response
The structured process of detecting, containing, eradicating, and recovering from security incidents. An effective IR programme includes pre-defined playbooks, clear roles and responsibilities, communication templates, and post-incident review.
Compliance Automation
The use of technology to continuously monitor, collect evidence, and verify that an organisation meets the requirements of regulatory frameworks and security standards. Replaces manual evidence gathering with real-time compliance monitoring.
Control Framework
A structured set of security controls that an organisation implements to manage risk and meet regulatory requirements. Common control frameworks include ISO 27001 Annex A, NIST CSF, CIS Controls, and the Cyber Essentials five-category model.
MSP
A Managed Service Provider - an organisation that manages IT infrastructure, security, and compliance services on behalf of its clients. MSPs typically serve multiple clients and require multi-tenant platforms. Fig Group's MSP programme supports white-label Cyber Essentials reselling.
MSSP
A Managed Security Service Provider - an organisation specialising in security-focused services including threat monitoring, incident response, vulnerability management, and compliance. MSSPs differ from general MSPs in their specific focus on security operations.
SIEM
Security Information and Event Management - systems that collect, aggregate, and analyse log data from across an organisation's IT environment to detect security threats and anomalies. SIEM platforms provide real-time alerting and forensic investigation capabilities.
Vulnerability Scanning
The automated process of identifying known security weaknesses in systems, applications, and network infrastructure. Continuous scanning, as opposed to periodic scans, provides ongoing visibility into an organisation's attack surface.
Penetration Testing
A controlled simulated attack on an organisation's systems, networks, or applications to identify exploitable vulnerabilities. Penetration tests provide a realistic assessment of defences and satisfy requirements for certifications like Cyber Essentials Plus.
Zero Trust
A security architecture model based on the principle of "never trust, always verify." Zero Trust assumes threats exist both inside and outside the network and requires continuous verification of every user, device, and connection before granting access to resources.
OWASP Top 10
The Open Web Application Security Project's biennial list of the most critical web application vulnerabilities. Not a direct Cyber Essentials requirement but informs secure configuration for internet-facing services.
SPF / DKIM / DMARC
Email authentication standards. SPF declares which mail servers can send for a domain, DKIM cryptographically signs outbound mail, DMARC enforces alignment and reports abuse. Cyber Essentials Plus remote audits include an email authentication check.
Data Sovereignty
Where organisational data is physically stored and which jurisdiction governs it. UK-focused organisations increasingly require UK data residency for GDPR, NIS2, and supply chain reasons. Fig Group is a UK-resident SaaS - data stays in UK Azure regions.
DCPP
Defence Cyber Protection Partnership - the legacy MOD scheme that mandated Def Stan 05-138 cyber risk profiles for defence supply-chain contracts before being absorbed into the IASME-delivered Defence Cyber Certification (DCC) framework. Buyers may still encounter DCPP language in older contracts; the operational requirement is now DCC at the appropriate level.
DEFCON 658
The MOD Defence Condition clause that requires cyber risk assessment and protection measures on contracts handling MOD identifiable information. DEFCON 658 typically references the supplier's required Cyber Risk Profile, which in turn maps to a DCC level. Suppliers should treat a DEFCON 658 contract clause as a trigger to complete the DCC self-assessment for the matching CRP.
Def Stan 05-138
The MOD defence standard that originally codified the four Cyber Risk Profiles (Very Low, Low, Moderate, High). Def Stan 05-138 is referenced by DEFCON 658 contract clauses. The IASME-delivered Defence Cyber Certification (DCC) operationalises these CRPs as DCC Levels 0, 1, 2, and 3.
Cyber Risk Profile
The MOD-defined risk classification that determines which Defence Cyber Certification (DCC) level applies to a contract. The four profiles are Very Low (DCC L0), Low (DCC L1), Moderate (DCC L2), and High (DCC L3). The buying authority sets the CRP in the contract; the supplier must hold the matching DCC level.
CRP
See Cyber Risk Profile - the MOD risk band (Very Low, Low, Moderate, High) that determines the required DCC level for a defence supply-chain contract.
IL2
Information Limit 2 - an MOD information-classification band sometimes referenced alongside Cyber Risk Profile in defence contracts. IL2 typically maps to OFFICIAL information handling and lower CRP bands. Use the contract's explicit CRP statement to determine the required DCC level rather than inferring from the IL designation alone.
IL3
Information Limit 3 - the OFFICIAL-SENSITIVE information-handling band in MOD contracts. IL3 contracts often reference Low or Moderate CRP, mapping to DCC L1 or DCC L2. Confirm the required DCC level from the contract's CRP statement, not the IL designation.
IL4
Information Limit 4 - the SECRET information-handling band in MOD contracts. IL4 work typically requires Moderate or High CRP and DCC L2 / L3 plus formal MOD security accreditation. Fig Group is IASME-licensed at DCC L0 and L1; IL4-classified contracts are referred to specialist L2 / L3 providers.
DCC Level 0
Defence Cyber Certification Level 0 - the entry tier for Very Low Cyber Risk Profile MOD contracts. L0 is a self-assessment plus IASME-licensed assessor review. Cyber Essentials is the prerequisite. Fig Group is IASME-licensed at DCC L0.
DCC Level 1
Defence Cyber Certification Level 1 - for Low Cyber Risk Profile MOD contracts. L1 is a self-assessment plus IASME-licensed assessor review with deeper evidence than L0 (technical controls, supply-chain governance, incident response). Cyber Essentials is the prerequisite. Fig Group is IASME-licensed at DCC L1.
DCC Level 2
Defence Cyber Certification Level 2 - for Moderate Cyber Risk Profile MOD contracts. L2 includes an external technical audit similar in shape to Cyber Essentials Plus plus deeper evidence on supply-chain assurance. Fig Group is not licensed at L2 and refers L2 work to specialist providers.
DCC Level 3
Defence Cyber Certification Level 3 - for High Cyber Risk Profile MOD contracts handling more sensitive information. L3 includes an external technical audit with stricter evidence and may require formal MOD security accreditation alongside the DCC assessment. Fig Group is not licensed at L3 and refers L3 work to specialist providers.
Put These Concepts into Practice
Fig turns compliance terminology into operational reality. From risk registers and policy management to vulnerability scanning and incident response, see how the platform brings these concepts together.