deveca GRC

GRC Glossary – Terms explained clearly.

60+ terms from governance, risk, compliance, information security, and privacy – explained concisely for executives, auditors, data protection officers, and IT leaders. Standards: ISO 27001, ISO 27701, TISAX, NIS2, BSI IT-Grundschutz, GDPR, HinSchG, CRA, DORA, SOC 2, and more.

A

Asset Management (in Information Security)
Structured inventory of all valuable assets – physical assets, software, data, locations, suppliers – including protection needs assessment (confidentiality, integrity, availability) and owner assignment. Foundation of every ISMS under ISO 27001.
Audit (internal / external)
Systematic review of the effectiveness of security and privacy measures. Internal audits are conducted by the in-house ISMS team; external audits by accredited certification bodies (ISO 27001, TISAX, ISO 27701).

B

Bowtie Analysis
Visual risk analysis method mapping causes, preventive controls, a top event, consequences, and reactive controls in a bowtie shape. Especially valuable for major incident risks in NIS2 and critical infrastructure contexts.
BSI IT-Grundschutz
Methodology of the German Federal Office for Information Security (BSI) with modular building blocks, protection needs assessment, and risk analysis. Recommended baseline for public authorities, critical infrastructure operators, and government suppliers in Germany.
Business Continuity Management (BCM)
Business continuity management under ISO 22301: identification of critical business processes, business impact analysis (BIA), emergency plans, recovery time objective (RTO), and recovery point objective (RPO).

C

C5 (Cloud Computing Compliance Criteria Catalogue)
BSI requirements catalogue for cloud providers. C5-tested providers are preferred by public authorities and critical infrastructure sectors in particular.
CAPA (Corrective and Preventive Actions)
Corrective and preventive measures arising from audit findings, incidents, or risk assessments. Must be documented with owner, deadline, status, and effectiveness review – mandatory for ISO 27001 and TISAX.
CISO (Chief Information Security Officer)
Strategic responsibility for enterprise-wide information security. Typically reports to the CEO or CDO and steers the ISMS based on ISO 27001, TISAX, or BSI Grundschutz.
Compliance
Adherence to legal, regulatory, and contractual requirements as well as internal policies. In cybersecurity, especially GDPR, NIS2, HinSchG, DORA, CRA, and ISO/IEC standards.
Conformity Assessment
Review process against a standard or regulatory requirement. In GRC, e.g. TISAX assessment by ENX-accredited auditors.
Continuous Monitoring
Ongoing technical and process-based oversight of suppliers, assets, and controls instead of point-in-time spot checks. Prerequisite for mature TPRM and NIS2 supply chain due diligence.
CRA (Cyber Resilience Act)
EU regulation on cybersecurity for products with digital elements. Requires secure design, vulnerability management, SBOM provision, and reporting obligations – fully applicable from 2027.
Critical Infrastructure (KRITIS)
Operators of critical infrastructure (energy, water, health, IT/telecom, transport, finance, food, government). Extended obligations under the German IT Security Act 2.0 and NIS2 transposition.
Cross-Reference (Control Crosswalk)
Mapping the same control to multiple frameworks (e.g. ISO 27001 A.5.1 ↔ TISAX 1.1.1 ↔ BSI ORP.1). Avoids duplicate work and makes multi-framework audits efficient.
CycloneDX
Open SBOM standard from the OWASP Foundation for software bills of materials. Machine-readable format for component and vulnerability analysis; standard for CRA and supply chain compliance.

D

Data Protection Impact Assessment (DPIA)
Mandatory analysis under Art. 35 GDPR where processing is likely to result in high risk to data subjects. Describes processing, necessity, risks, and mitigation measures. In deveca as a guided workflow with screening, threshold analysis, and supervisory consultation.
Data Protection Officer (DPO)
Mandatory under Art. 37 GDPR or, under § 38 BDSG, where at least 20 employees are regularly engaged in automated processing of personal data. Independent, not subject to instructions, reporting directly to senior management.
DORA (Digital Operational Resilience Act)
EU Regulation 2022/2554 for the financial sector: ICT risk management, incident reporting, resilience testing, and ICT third-party due diligence. Applicable since 17 January 2025.
DPA (Data Processing Agreement)
Contract under Art. 28 GDPR between controller and processor. Governs instructions, technical and organisational measures (TOMs), sub-processors, deletion concepts, and audit rights. deveca provides a complete, BvD-aligned DPA.

E

Encryption at Rest / in Transit
At rest: data stored encrypted on media (e.g. AES-256-GCM). In transit: transmission over TLS 1.3. Both are minimum standards for any processing requiring protection.
End-to-End Encryption (E2E)
Data is encrypted and decrypted only on sender and recipient sides; the server operator has no access to plaintext. Required for anonymous whistleblower portals under HinSchG.
Evidence
Proof artefact demonstrating control effectiveness (screenshot, log file, protocol, configuration). Auditors assess an ISMS based on this evidence.

F

Fault Tree Analysis (FTA)
Top-down root cause analysis method: a top event is traced back to basic causes via Boolean gates (AND, OR). Used in complex technical incident investigations.

G

GDPR
EU General Data Protection Regulation (Regulation 2016/679). Governs processing of personal data, data subject rights (Art. 15–22), breach notification (Art. 33/34), and fines (up to 4% of group turnover).
GRC (Governance, Risk & Compliance)
Integrated discipline for steering corporate governance, risk management, and compliance. A GRC platform like deveca consolidates risks, controls, audits, incidents, and suppliers in one tool.

H

HinSchG (German Whistleblower Protection Act)
German transposition of the EU Whistleblower Directive, in force since July 2023. Requires companies with 50+ employees to operate an internal reporting channel with confidentiality, 7-day acknowledgement, and 3-month feedback.
HSM (Hardware Security Module)
Specialised hardware for generating, storing, and using cryptographic keys. Provides tamper protection and FIPS 140 certifications; commonly used in banking and government environments.

I

Incident (Security Incident)
Event that compromises confidentiality, integrity, or availability of information. Lifecycle: detection → triage → containment → eradication → recovery → lessons learned. Reporting obligations under NIS2 (24h/72h) and GDPR (72h), among others.
Information Security Management System (ISMS)
Systematic approach to managing information security using plan-do-check-act. Standard: ISO/IEC 27001. deveca delivers a fully integrated ISMS with risks, controls, audits, and policies.
Ishikawa Diagram (Fishbone)
Cause-and-effect diagram for root cause analysis. Typically categorises influencing factors into man, method, machine, material, milieu, and measurement (6M).
ISO/IEC 27001
International standard for information security management systems. Current 2022 version with Annex A (93 controls in 4 themes). Certifiable through audit by an accredited body.
ISO/IEC 27701
Extension of ISO 27001 for a Privacy Information Management System (PIMS). Adds 49 additional requirements for controllers and processors, aligned with GDPR Art. 24/28.

J

JSON-LD
JSON for Linked Data – machine-readable format for structured data (schema.org) evaluated by search engines like Google for rich results and AEO/GEO optimisation.

L

Lessons Learned
Structured post-incident review to identify learning outcomes and systemic improvements. Mandatory part of incident response under ISO 27035.

M

MCP (Model Context Protocol)
Open standard from Anthropic enabling AI assistants (Claude, ChatGPT, Microsoft Copilot) to access structured enterprise data in a controlled way. deveca plans an MCP server with scoped tokens per tenant and a full audit trail of every AI action.
Multi-Tenancy
Architecture principle where multiple customers run on the same software instance in isolation – with separate data, encryption keys, and configurations. Required for SaaS GRC tools.

N

NIS2 (EU Directive 2022/2555)
EU cybersecurity directive with extended obligations for risk management, supply chain due diligence, management accountability, plus 24h early warning and 72h incident notification. Transposed in Germany as NIS2UmsuCG.

O

OWASP Top 10
De facto standard list of the ten most common web application vulnerabilities (e.g. injection, broken access control, cryptographic failures). Minimum requirement in every secure software development lifecycle (SDLC).

P

PII (Personally Identifiable Information)
International term for personal data – in the GDPR context synonymous with personal data as defined in Art. 4(1) GDPR.
PIMS (Privacy Information Management System)
Privacy management system under ISO 27701. Extends the ISMS with privacy requirements for controllers and processors.
Policy
Binding organisational requirement (e.g. password policy, clean desk policy). Lifecycle: draft → review → approval → publication → read confirmation → re-review. In deveca with SharePoint integration and news distribution.
Protection Needs Assessment (CIA)
Assessment of assets by confidentiality, integrity, and availability – in BSI Grundschutz also referred to as confidentiality, availability, and authenticity analysis (VVA).

R

RBAC (Role-Based Access Control)
Permission assignment by role rather than individual. Reduces complexity and enables need-to-know. deveca offers RBAC with field-level permissions across 50+ roles.
Record of Processing Activities (Art. 30 GDPR)
Mandatory documentation of all processing activities with purposes, data categories, recipients, third-country transfers, and retention periods. In deveca with templates, mandatory fields, and versioned history.
Recovery Point Objective (RPO)
Maximum acceptable data loss expressed in time (e.g. 1 hour). Determines backup frequency and is a mandatory BCM parameter.
Recovery Time Objective (RTO)
Maximum acceptable recovery time after an outage. Complements RPO and defines requirements for failover and DR architectures.
Risk Analysis
Systematic assessment of threats and vulnerabilities with likelihood, impact, and optionally detectability (3-factor scoring). Result: gross and net risk with treatment option (avoid, reduce, transfer, accept).
Risk Management
Continuous process of identifying, analysing, evaluating, treating, and monitoring risks. Methodology under ISO 31000, integrated into ISMS under ISO 27001 clause 6.1.
Root Cause Analysis (RCA)
Structured approach to identify the underlying cause of an incident. Methods: 5-Why, Ishikawa, fault tree (FTA), timeline analysis, Apollo, custom.

S

SBOM (Software Bill of Materials)
Machine-readable inventory of all software components incl. versions and licences. Standards: CycloneDX, SPDX. Required for CRA and many supply chain due diligence requirements.
SIEM (Security Information & Event Management)
Platform for central collection, correlation, and analysis of security-relevant logs. Examples: Microsoft Sentinel, Splunk, Elastic Security, IBM QRadar.
Single Sign-On (SSO)
Central authentication through an identity provider (e.g. Microsoft Entra ID, Okta, Keycloak) using SAML 2.0 or OIDC. Reduces password risks and enables conditional access.
SOC (Security Operations Center)
Operational unit (internal or managed service) that monitors security events around the clock, triages incidents, and coordinates response.
SOC 2
US audit standard from AICPA (Type I/II) covering trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

T

Third-Party Risk Management (TPRM / TPM)
Structured assessment and monitoring of suppliers and sub-processors through onboarding, risk classes, contracts, certificates, and continuous monitoring. Required for NIS2, DORA, ISO 27036, among others.
TISAX (Trusted Information Security Assessment Exchange)
Industry standard of the German automotive sector (VDA-ISA). Mandatory for suppliers to OEMs such as BMW, Mercedes-Benz, VW. Three protection levels: AL1, AL2, AL3.
TLS 1.3
Current standard for transport layer security. Offers forward secrecy, faster handshakes (1-RTT, 0-RTT), and eliminates outdated cipher suites.
TOM (Technical and Organisational Measures)
Mandatory measures under Art. 32 GDPR to protect personal data – e.g. encryption, access control, availability control, media management. Categorised per BSI Grundschutz or VdS 10000.

W

Whistleblowing Portal
Anonymously accessible reporting channel under HinSchG with two-way communication, case file, deadline monitoring (7-day acknowledgement, 3-month feedback), and protection against retaliation.

Z

Zero Trust Architecture
"Never trust, always verify": every access – even from the internal network – is continuously authenticated and authorised. Combines MFA, conditional access, micro-segmentation, and continuous device assessment.