Security Glossary
Plain-English definitions of the cybersecurity terms that matter most for modern businesses — from foundational concepts to compliance frameworks.
Access Control
The policies and mechanisms that determine who can access which resources, under what conditions, and what actions they can perform.
Authentication
The process of verifying that a person or system is who or what they claim to be before granting access to resources.
Cloud Security
The set of policies, controls, and technologies that protect data, applications, and infrastructure hosted in cloud environments.
Compliance Framework
A structured set of guidelines, standards, and controls that organisations use to meet regulatory, legal, or industry security requirements.
Credential Stuffing
An automated attack that uses leaked username and password pairs from one breach to attempt access to other services, exploiting widespread password reuse.
Data Classification
The process of categorising data by sensitivity and business value so that appropriate security controls can be applied to each category.
Data Protection
The practices, technologies, and legal frameworks used to safeguard personal and sensitive data from loss, theft, misuse, and unauthorised access.
Disaster Recovery
The policies, tools, and procedures for restoring IT systems and data following a disruptive event such as a cyberattack, hardware failure, or natural disaster.
Identity and Access Management (IAM)
The framework of policies, processes, and technologies that manage digital identities and control access to systems and resources.
Incident Response
The structured process an organisation follows to detect, contain, investigate, and recover from a security incident.
ISO 27001
The international standard for information security management systems (ISMS), providing a framework to systematically manage and protect sensitive company information.
Penetration Testing
A simulated cyberattack conducted by security professionals to identify exploitable vulnerabilities before real attackers do.
Phishing
A social engineering attack that tricks users into revealing credentials, clicking malicious links, or installing malware by impersonating a trusted entity.
Principle of Least Privilege
A security principle that grants users, applications, and systems only the minimum access rights required to perform their function — nothing more.
Security Risk Assessment
A structured process for identifying, analysing, and prioritising security risks to an organisation's assets, operations, and people.
SOC 2
A widely used US security audit framework for service organisations that demonstrates how data is protected across five Trust Services Criteria.
Social Engineering
Psychological manipulation techniques used by attackers to trick people into revealing information, granting access, or taking actions that compromise security.
Supply Chain Attack
An attack that targets a less-secure element in an organisation's supply chain — a vendor, software provider, or partner — to gain access to the ultimate target.
Third-Party Risk
The exposure an organisation faces from the security posture, actions, or failures of its external partners, suppliers, and service providers.
Threat Intelligence
Evidence-based knowledge about existing or emerging threats that informs decisions about how to respond to or mitigate cyber risks.
Vendor Risk Management
The process of identifying, assessing, and mitigating security risks introduced by third-party vendors and service providers.
Vulnerability Management
The continuous process of identifying, classifying, prioritising, and remediating security vulnerabilities across an organisation's systems and software.