GRC Glossary

Key compliance terms, defined.

Plain-language definitions of the terms that come up most in EU regulatory frameworks and GRC programmes. Each entry links to the canonical guide where the full context lives.

A

Aiko+

Acuna’s AI assistant for GRC operators. It proposes and drafts within the platform, mapping, documentation, and plain-language answers about programme status, while a human reviews and confirms each output.

Aiko+ AI assistant
Audit trail

A chronological, tamper-evident record of who did what and when within a system or process. In compliance work it is the evidence that a control operated as intended, which auditors sample to confirm effectiveness.

B

BIABusiness Impact Analysis

The analysis that identifies an organisation’s critical functions and the operational and financial impact of disrupting them, used to set recovery priorities. It is the foundation of a business continuity plan.

Business impact analysis

C

Compliance Calendar

A schedule of the recurring compliance obligations, control checks, reviews, and deadlines an organisation must meet, so nothing lapses between audits. It turns compliance from a periodic scramble into a maintained cadence.

What is a compliance calendar?
Control Mapping

The practice of linking a single control to the requirements of multiple frameworks it satisfies, so evidence is created once and reused across frameworks instead of duplicated. It is what lets one control programme serve GDPR, ISO 27001, SOC 2, and more at once.

Cross-framework control mapping

D

Data minimisation

The GDPR principle that personal data collected and processed should be adequate, relevant, and limited to what is necessary for the purpose. In practice it means not collecting or keeping data you do not need.

DORADigital Operational Resilience Act

The EU regulation requiring financial entities and their critical ICT providers to manage ICT risk, report major incidents, test operational resilience, and control third-party risk. It applies directly across the EU from 17 January 2025.

DORA framework guide
DPAData Processing Agreement

The contract, required by GDPR Article 28, between a controller and a processor that handles personal data on its behalf. It must bind the processor to specified obligations, including acting only on documented instructions, security, sub-processor controls, and assisting with data subject rights.

What is a Data Processing Agreement?
DPIAData Protection Impact Assessment

An assessment, required under GDPR Article 35 when processing is likely to result in a high risk to individuals, that documents why the processing is necessary and proportionate and what safeguards protect people. It is carried out before the processing begins.

When is a DPIA required?
DSARData Subject Access Request

A request by an individual to exercise their rights over their personal data under the GDPR, most commonly to obtain a copy of it. The controller must respond without undue delay and within the statutory time limit, which can be extended for complex or numerous requests.

How long do you have to respond to a DSAR?

E

Essential and important entities

NIS2’s classification of the organisations it covers. Both tiers meet the same core obligations; the difference is supervisory: essential entities face proactive oversight and higher penalty ceilings, important entities are supervised reactively.

NIS2 scope and applicability

G

GDPRGeneral Data Protection Regulation

The EU regulation governing how organisations collect, use, and protect the personal data of people in the EU and EEA. It sets obligations for lawful processing, data subject rights, and accountability, and applies to organisations outside the EU that handle EU residents’ data.

GDPR framework guide
GRCGovernance, Risk, and Compliance

The discipline of managing an organisation’s governance, risk management, and regulatory compliance in a coordinated way rather than in separate silos. A GRC platform connects the frameworks, risks, controls, and evidence that these functions share.

GRC vs ISMS

I

ICT Third-Party RegisterRegister of information

The register, required by DORA Article 28, of all a financial entity’s contractual arrangements for ICT services. It must be kept current, maintained at entity and where relevant group level, and made available to the competent authority on request.

The DORA ICT third-party register
ISMSInformation Security Management System

The documented set of policies, processes, and controls through which an organisation manages information security in a systematic, risk-based way. It is the management system that ISO 27001 certifies.

GRC vs ISMS
ISO 27001ISO/IEC 27001

The international standard for an information security management system (ISMS). Certification is issued by an accredited body against the standard’s requirements and its Annex A controls, and is recognised globally.

ISO 27001 framework guide
ISO 42001ISO/IEC 42001

The international standard for an artificial intelligence management system (AIMS), setting out how an organisation governs the development and use of AI responsibly. It is the AI-governance counterpart to ISO 27001.

ISO 42001 framework guide

L

Legitimate interest

One of the six lawful bases for processing personal data under the GDPR, relied on where the processing is necessary for interests pursued by the controller or a third party and those interests are not overridden by the individual’s rights. Using it requires a documented balancing assessment.

N

NIS2Network and Information Security Directive 2

The EU directive setting cybersecurity risk-management and incident-reporting obligations for essential and important entities across a broad set of sectors. As a directive, it applies through each member state’s national transposition rather than directly.

NIS2 framework guide

P

Penetration testing

A controlled security test in which testers attempt to exploit weaknesses in systems the way an attacker would, to find and fix them before a real attacker does. Under DORA, significant financial entities perform an advanced, intelligence-led form of it (TLPT).

What is TLPT under DORA?

R

RBACRole-Based Access Control

An access-control approach in which permissions are assigned to roles rather than individuals, so people receive access according to their role. It supports the access provisioning, authentication, and periodic review that security frameworks require.

Access control
Risk Treatment Plan

The documented plan setting out how an organisation will address each identified risk, whether by reducing, transferring, accepting, or avoiding it, with owners and timelines. It records the decisions that follow a risk assessment.

What is a risk treatment plan?
ROPARecord of Processing Activities

The register, required by GDPR Article 30, documenting how an organisation processes personal data: each activity’s purpose, data and data subject categories, recipients, transfers, retention, and security measures. Controllers and processors must keep one and produce it to a supervisory authority on request.

What is a ROPA?
RTO, RPO, MTPDRecovery Time Objective, Recovery Point Objective, Maximum Tolerable Period of Disruption

The three timing metrics of business continuity. RTO is how quickly a function must be restored; RPO is how much data loss is tolerable, measured as time; MTPD is the longest a function can be down before the damage becomes unacceptable.

RTO vs RPO vs MTPD

S

SOAStatement of Applicability

The document in an ISO 27001 programme that lists the Annex A controls, states which apply and which are excluded, and justifies each decision. It is the bridge between an organisation’s risk assessment and the controls it implements.

What is a Statement of Applicability?
SOC 2System and Organization Controls 2

An AICPA attestation framework under which an independent CPA firm examines a service organisation’s controls against the Trust Services Criteria and issues a report. Unlike a certification, it produces a private report widely required by enterprise buyers, especially in US markets.

SOC 2 framework guide
Supplier Shield

Acuna’s third-party risk management capability. It maintains the vendor and supplier register, runs assessment campaigns, and monitors external security posture, and it operationalises the DORA ICT register and the supply-chain requirements of NIS2 and ISO 27001.

Third-party risk management

T

TIATransfer Impact Assessment

The analysis carried out under GDPR Chapter V before transferring personal data to a country outside the EU or EEA that lacks an adequacy decision. Following the Schrems II judgment, it assesses whether the destination provides essentially equivalent protection and what supplementary measures the transfer needs.

What is a Transfer Impact Assessment?
TLPTThreat-Led Penetration Testing

The advanced resilience test DORA requires of significant financial entities: an intelligence-led simulation of real threat-actor behaviour against live production systems, performed by qualified testers and drawing on the TIBER-EU framework.

What is TLPT under DORA?
TPRMThird-Party Risk Management

The practice of identifying, assessing, and monitoring the risk that vendors and suppliers introduce, across security, financial, and operational dimensions. It covers due diligence before onboarding and continuous monitoring afterwards.

Third-party risk management
Trust Services CriteriaTSC

The AICPA criteria a SOC 2 examination assesses controls against: Security (the common criteria, always included), plus Availability, Processing Integrity, Confidentiality, and Privacy where relevant. They are the measuring stick for a SOC 2 report.

What are the Trust Services Criteria?