
Plain-Language GRC Glossary v1

  • Writer: Shola Hassan
  • Nov 20

  1. Governance – How decisions are made and who is responsible for what in an organization.

  2. Risk – What could go wrong, how likely it is, and how bad it would be.

  3. Compliance – Proving that you follow laws, regulations, contracts, and internal policies.

  4. GRC (Governance, Risk & Compliance) – The combined practice of steering the business, managing risks, and meeting rules.

  5. Control – Any policy, process, or technical measure used to reduce risk.

  6. Control Objective – What a control is supposed to achieve (for example: “only authorized users can access this system”).

  7. Risk Register – A structured list of risks, with impact, likelihood, owner, and status.

  8. Risk Owner – The person responsible for understanding and managing a specific risk.

  9. Control Owner – The person responsible for making sure a control exists and works properly.

  10. Issue / Finding – A problem discovered during a review or audit that needs action.

  11. Inherent Risk – The level of risk before any controls are applied.

  12. Residual Risk – The level of risk left over after controls are applied.

  13. Risk Appetite – The amount and type of risk leadership is willing to accept.

  14. Risk Tolerance – The limits or thresholds of risk that are still acceptable.

  15. Likelihood – How probable it is that a risk event will happen.

  16. Impact – How serious the damage would be if the risk event happens.

  17. Risk Rating – A combined view of likelihood and impact, often Low / Medium / High.

  18. Risk Treatment – What you choose to do about a risk: accept, reduce, transfer, or avoid it.

  19. Risk Acceptance – Choosing to live with a risk, usually with conscious approval.

  20. Risk Mitigation – Taking steps to reduce the likelihood or impact of a risk.

  21. Risk Transfer – Shifting part of the risk to another party, for example using insurance or contracts.

  22. Risk Avoidance – Removing the activity that creates the risk.

  23. Key Risk Indicator (KRI) – A metric that gives an early warning about rising risk.

  24. Key Control – A control that is critical for keeping a major risk within acceptable limits.

  25. Control Test – A check to confirm whether a control is designed and working as intended.

  26. Control Design – How the control is set up on paper (policy, process, configuration).

  27. Control Operating Effectiveness – How well the control works in real life.

  28. Policy – A high-level rule or principle that guides decisions and behavior.

  29. Standard – A more detailed requirement that supports a policy (for example: password length, encryption level).

  30. Procedure – Step-by-step instructions for doing a task in a consistent way.

  31. Guideline – Recommended good practice that is helpful but not strictly mandatory.

  32. Exception – An approved deviation from a policy or standard, usually temporary and documented.

  33. Attestation – A formal confirmation (often by signing or clicking) that something is true or has been done.

  34. Audit – An independent review to check whether controls and processes meet defined criteria.

  35. Internal Audit – An audit performed by the organization’s own audit team.

  36. External Audit – An audit performed by an outside firm or assessor.

  37. Assurance – Confidence provided by evidence that controls and processes are working.

  38. Evidence – Documents, screenshots, logs or reports that prove a control is in place.

  39. Segregation of Duties (SoD) – Splitting critical tasks so no single person can perform all steps alone.

  40. Least Privilege – Giving people only the access they need to do their job, nothing more.

  41. Access Control – How access to systems and data is granted, limited and removed.

  42. Role-Based Access Control (RBAC) – Access based on roles (e.g., “HR analyst”, “System admin”) instead of individuals.

  43. Joiner–Mover–Leaver Process – Formal steps to add, change, and remove user access when people join, change roles, or leave.

  44. Information Asset – Data, systems, or services that have value to the organization.

  45. Asset Owner – The person responsible for an information asset.

  46. Data Classification – Grouping data based on sensitivity, such as Public, Internal, Confidential.

  47. Confidentiality – Ensuring that information is not shared with unauthorized people.

  48. Integrity – Ensuring that information is accurate and not changed improperly.

  49. Availability – Ensuring that information and systems are accessible when needed.

  50. CIA Triad – The three core security principles: Confidentiality, Integrity, Availability.

  51. Information Security Management System (ISMS) – A structured system of policies, processes and controls to manage information security.

  52. ISO/IEC 27001 – An international standard for building and operating an ISMS.

  53. Annex A (ISO 27001) – The list of security controls suggested by ISO 27001.

  54. Scope (ISMS) – The boundaries of what is included in the ISMS.

  55. Statement of Applicability (SoA) – A document listing which Annex A controls are applied or not, and why.

  56. Management Review (ISMS) – Regular leadership meetings to review the health of the ISMS.

  57. Corrective Action – A step taken to fix the cause of a non-conformity so it doesn’t happen again.

  58. Non-Conformity – A situation where a requirement (policy, standard, ISO clause) is not being met.

  59. Continuous Improvement – Ongoing effort to make processes and controls better over time.

  60. Information Security Policy – The top-level policy that sets the organization’s security direction.

  61. SOC 2 – A framework and report type for assessing service organizations’ controls over security, availability, confidentiality, processing integrity and privacy.

  62. PCI DSS – A security standard for organizations that store, process or transmit payment card data.

  63. NIST Cybersecurity Framework (CSF) – A framework that organizes security activities into Identify, Protect, Detect, Respond, and Recover.

  64. NIST SP 800-53 – A large catalog of security and privacy controls, often used in the public sector.

  65. CIS Controls – A prioritized set of security best practices published by the Center for Internet Security.

  66. GDPR – The EU’s General Data Protection Regulation, focused on personal data protection and privacy.

  67. PIPEDA – Canada’s federal privacy law for private-sector organizations.

  68. Data Subject – A person whose personal data is being collected or processed.

  69. Data Controller – The party that decides why and how personal data is processed.

  70. Data Processor – The party that processes personal data on behalf of a controller.

  71. Privacy Impact Assessment (PIA) – A review to understand privacy risks in a system or project.

  72. Data Protection Impact Assessment (DPIA) – A deeper assessment required in some laws when privacy risks are high.

  73. Data Breach – A security incident that leads to loss, theft, or unauthorized access to data.

  74. Incident – An event that harms or could harm confidentiality, integrity, or availability.

  75. Incident Response Plan – The documented approach for detecting, responding to and learning from incidents.

  76. Business Continuity – How the organization keeps critical services running during a disruption.

  77. Disaster Recovery (DR) – How IT systems and data are restored after a major outage or disaster.

  78. Recovery Time Objective (RTO) – The target time to restore a system or process after a disruption.

  79. Recovery Point Objective (RPO) – How much data loss (in time) is acceptable, e.g., “we can lose at most 1 hour of data”.

  80. Business Impact Analysis (BIA) – A study to understand how much different processes matter and what happens if they are down.

  81. Third-Party Risk Management (TPRM) – Managing risk from vendors, partners and suppliers.

  82. Vendor Due Diligence – Checks performed on a vendor before or during the relationship (questionnaires, documents, references).

  83. Service Level Agreement (SLA) – A contract term that defines expected service levels and penalties.

  84. Data Processing Agreement (DPA) – A contract that sets rules for handling personal data between controller and processor.

  85. Sub-processor – A vendor used by your vendor to help deliver the service.

  86. Onboarding (Vendor) – The process of approving and setting up a new vendor.

  87. Offboarding (Vendor) – The process of safely ending the relationship and revoking access.

  88. Critical Vendor – A vendor whose failure would seriously impact operations or compliance.

  89. Vendor Inventory – A list of all vendors with key details like service, owner and risk level.

  90. Vendor Tiering – Grouping vendors by risk or importance, such as Critical, High, Medium, Low.

  91. Line 1 (First Line of Defense) – Business and operations teams that own and manage risks day to day.

  92. Line 2 (Second Line of Defense) – Risk, compliance and security functions that oversee and guide Line 1.

  93. Line 3 (Third Line of Defense) – Internal audit, providing independent assurance over Lines 1 and 2.

  94. Governance Committee – A group (often including senior leaders) that reviews risks, issues and major decisions.

  95. Charter (Committee or Program) – A document that explains purpose, scope, roles and responsibilities for a committee or program.

  96. Register (Log) – A structured list, such as a risk register, issue log or vendor inventory.

  97. Dashboard – A visual summary of key metrics, risks and control statuses.

  98. Metric / KPI – A measurement used to track performance or progress.

  99. Exception Register – A list of approved policy or control exceptions, with owners and expiry dates.

  100. Audit Trail – A record of who did what and when, used for accountability and investigation.
