Compliance glossary
The acronyms and jargon of UK compliance, explained in plain English. 48 terms and counting.
A
- Annex A
-
Annex A of ISO 27001:2022 is a reference list of 93 information security controls, grouped into four themes (organisational, people, physical and technological). Organisations choose which apply to them and record the decision in their Statement of Applicability.
- Asset register
-
A record of the information assets an organisation holds — systems, data, devices and services — often with an owner and a value or sensitivity rating. It underpins risk assessment by making clear what needs protecting.
See also: Risk assessment, Scope
C
- Caldicott Guardian
-
A senior person in a health or social care organisation responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Required in many NHS-facing organisations.
- Cardholder data
-
Under PCI DSS, cardholder data includes the primary account number (PAN) and, where present, cardholder name, expiry date and service code. Any system that stores, processes or transmits it falls within PCI DSS scope.
- Certification body
-
An independent organisation, ideally UKAS-accredited, that audits your management system and issues certification (for example to ISO 27001). It is separate from any consultant who helps you prepare.
See also: UKAS, Stage 1 & Stage 2 audits, Surveillance audit - Control
-
A measure that reduces information security risk — technical (such as multi-factor authentication), organisational (such as a policy) or physical (such as a locked server room). ISO 27001 Annex A and the Cyber Essentials five controls are examples.
See also: Annex A, Cyber Essentials, Risk assessment - Corrective action
-
Action taken to eliminate the cause of a nonconformity so it does not recur. In ISO 27001, corrective actions follow internal or external audit findings and are tracked to closure.
See also: Nonconformity, Internal audit - Cyber Essentials
-
A UK government-backed scheme, delivered by IASME for the NCSC, that certifies an organisation has five core technical controls in place: firewalls, secure configuration, user access control, malware protection and security update management.
- Cyber Essentials Plus
-
The higher tier of Cyber Essentials. It adds an independent technical audit — vulnerability scans and device sampling — to verify the five controls are genuinely in place, rather than relying on self-assessment alone.
D
- Data controller
-
Under UK GDPR, the organisation that determines the purposes and means of processing personal data. Controllers carry the primary legal responsibility for compliance.
- Data processor
-
Under UK GDPR, an organisation that processes personal data on behalf of a controller — for example a cloud provider or payroll bureau. Processors have direct legal duties and must operate under a written contract.
- Data Protection Act 2018 (DPA 2018)
-
The UK law that sits alongside the UK GDPR, tailoring it to the UK and covering areas such as law-enforcement and intelligence processing. Together they form the UK's data-protection framework.
Data Protection & UK GDPR service → See also: UK GDPR - Data Protection Impact Assessment (DPIA)
-
A structured assessment that identifies and reduces the data-protection risks of a project before it starts. A DPIA is legally required for processing likely to result in a high risk to individuals — for example new systems handling health data.
- Data Protection Officer (DPO)
-
A role required under UK GDPR for public authorities and organisations whose core activities involve large-scale or special-category data processing. The DPO advises on compliance, monitors it and is the contact point for the ICO. The role can be outsourced.
- Data Security and Protection Toolkit (DSPT)
-
An annual online self-assessment that organisations handling NHS health and care data must complete to demonstrate they meet the required data-security and information-governance standards. The standard annual deadline is 30 June.
- Data subject
-
Under UK GDPR, the identified or identifiable living individual to whom personal data relates — for example a patient, resident, employee or customer.
G
- Gap analysis
-
A structured review that compares your current position against a standard's requirements and identifies what is missing. It is usually the first step of a compliance project and shapes the action plan.
See also: Remediation, Statement of Applicability (SoA)
I
- IASME
-
The organisation appointed by the NCSC to deliver the Cyber Essentials scheme, and the owner of the IASME Cyber Assurance standard — an SME-friendly alternative to ISO 27001.
- ICO (Information Commissioner's Office)
-
The UK's independent regulator for data protection and information rights. Organisations register with the ICO, report notifiable breaches to it, and can be investigated or fined by it for non-compliance.
- Information governance
-
The framework of policies, roles and processes through which an organisation manages information — especially personal and health data — securely, legally and ethically. It underpins the DSPT.
- Internal audit
-
A planned, independent check that your management system (such as an ISMS) meets the standard and works in practice. ISO 27001 requires internal audits before certification and on an ongoing basis.
- ISMS (Information Security Management System)
-
The set of policies, processes, roles and controls an organisation uses to manage information security risk in a structured, ongoing way. Building a certifiable ISMS is the core of ISO 27001.
- ISO 27001
-
The international standard (current version ISO/IEC 27001:2022) for establishing, operating and improving an information security management system. Certification by an accredited body demonstrates a managed approach to security.
ISO 27001 service → See also: , Annex A, UKAS, Statement of Applicability (SoA)
L
- Lawful basis
-
Under UK GDPR, every act of processing personal data must have one of six lawful bases — for example consent, contract, legal obligation, vital interests, public task or legitimate interests. Special-category data needs an additional condition.
M
- Management review
-
A regular review by senior management of how the information security management system is performing — covering risks, incidents, audit results and objectives. ISO 27001 requires it to ensure the ISMS stays effective.
ISO 27001 service → See also: Internal audit - Multi-factor authentication (MFA)
-
A sign-in method that requires two or more independent factors — such as a password plus a code from an app. MFA is a Cyber Essentials requirement for cloud services and a common reason assessments pass or fail.
Cyber Essentials service → See also: Cyber Essentials, Control
N
- NCSC (National Cyber Security Centre)
-
The UK government body that provides cyber-security guidance and owns the Cyber Essentials scheme (delivered on its behalf by IASME).
See also: Cyber Essentials, IASME - NHS England
-
The national NHS body responsible for the Data Security and Protection Toolkit and related information-governance requirements that health and care organisations must meet.
- Nonconformity
-
A finding that a requirement of a standard has not been met. In ISO 27001 audits, nonconformities are classified as minor or major and must be addressed through corrective action before certification.
P
- PCI DSS
-
The Payment Card Industry Data Security Standard (current version v4.0.1) applies to any organisation that stores, processes or transmits cardholder data. Compliance is evidenced through a Self-Assessment Questionnaire or formal assessment.
- Penetration test
-
An authorised, in-depth test in which specialists attempt to exploit weaknesses in systems to see what a real attacker could achieve. It goes further than an automated vulnerability scan and is sometimes required for higher-assurance standards.
See also: Vulnerability scan, Cyber Essentials Plus - Personal data
-
Under UK GDPR, any information relating to an identified or identifiable living individual — names, contact details, identifiers and more. Its processing is regulated by UK GDPR and the DPA 2018.
- Personal data breach
-
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Notifiable breaches must be reported to the ICO without undue delay and within 72 hours.
R
- Record of Processing Activities (RoPA)
-
A documented inventory of an organisation's personal-data processing — what data, for what purpose, on what basis, shared with whom, and for how long. UK GDPR requires most organisations to maintain one.
- Remediation
-
The work of closing the gaps a review or audit has identified — updating policies, configuring systems, gathering evidence — so an organisation meets the standard.
See also: Gap analysis, Corrective action - Risk appetite
-
The level of information security risk an organisation is willing to accept in pursuit of its objectives. It guides which risks are treated, tolerated, transferred or terminated.
ISO 27001 service → See also: Risk assessment, Control - Risk assessment
-
The process of identifying information-security risks, assessing their likelihood and impact, and deciding how to treat them. It is central to ISO 27001 and drives the Statement of Applicability.
S
- SAQ (Self-Assessment Questionnaire)
-
A validation tool for PCI DSS. Different SAQ types (for example A, A-EP, B, C and D) apply depending on how a merchant takes card payments; choosing the right one — and reducing scope — is key to simpler compliance.
- Scope
-
The defined boundary of what a standard or assessment applies to — which systems, locations, data and business units. Getting scope right keeps compliance proportionate; reducing scope (in PCI DSS especially) reduces effort and cost.
See also: , Statement of Applicability (SoA), PCI DSS - Special category data
-
Under UK GDPR, sensitive personal data — including health, biometric, genetic, racial or ethnic, religious, and sexual-orientation data — which needs extra protection and an additional condition for processing. Health and care data usually falls here.
- Stage 1 & Stage 2 audits
-
ISO 27001 certification is assessed in two stages: Stage 1 reviews your documentation and readiness; Stage 2 tests whether the ISMS operates effectively in practice. Passing both leads to certification.
- Standards Met
-
The DSPT status showing an organisation has satisfied all mandatory assertions for its profile. 'Approaching Standards' means some are outstanding with a plan to close them.
- Statement of Applicability (SoA)
-
A central ISO 27001 document that lists the Annex A controls, states whether each is applicable, records the justification, and notes its implementation status. Auditors rely on it heavily.
ISO 27001 service → See also: Annex A, Risk assessment - Subject Access Request (SAR)
-
A request from an individual to access the personal data an organisation holds about them. Under UK GDPR it must usually be answered free of charge within one month.
- Surveillance audit
-
Periodic (usually annual) audits by the certification body that confirm a certified management system is still maintained and effective, between full recertifications every three years.
U
- UK GDPR
-
The United Kingdom General Data Protection Regulation — the UK's retained version of the EU GDPR — which, with the Data Protection Act 2018, governs how organisations process personal data.
- UKAS
-
The United Kingdom Accreditation Service — the national body that accredits certification bodies. A UKAS-accredited ISO 27001 certificate carries more weight than an unaccredited one.
ISO 27001 service → See also: Certification body, ISO 27001
V
- Vulnerability scan
-
An automated scan that checks systems for known security weaknesses, such as missing patches or insecure configuration. Vulnerability scanning is part of the Cyber Essentials Plus audit.
Lost in the jargon?
We translate compliance into plain English — and do the heavy lifting for you.