ISACA glossary
Key ISACA certification terms and acronyms.
Definitions are AI-assisted and reviewed for general accuracy — verify critical details against ISACA's official documentation.
Access Control
Mechanisms and policies that restrict system access to authorized users, processes, or devices based on defined roles and permissions.
Audit Charter
A formal document that defines the purpose, authority, scope, and responsibilities of the internal audit function within an organization.
Audit Evidence
Information gathered by an auditor through observation, inquiry, inspection, or analysis used to support audit findings and conclusions.
BCPBusiness Continuity Plan
A documented plan outlining procedures to maintain essential business functions during and after a disruptive event.
BCPBusiness Continuity Plan
A plan that enables critical business functions to continue during and after a disruptive event.
BIABusiness Impact Analysis
A process that identifies critical business functions and quantifies the effect of disruptions on those functions.
CAATsComputer-Assisted Audit Techniques
Software tools and techniques used by auditors to perform audit procedures directly on electronic data and systems.
Change Management
A formal process for requesting, reviewing, approving, implementing, and documenting changes to IT systems to minimize risk.
CIA Triad
The foundational security model comprising Confidentiality, Integrity, and Availability as core properties to protect information.
CISMCertified Information Security Manager
ISACA credential validating expertise in information security management, governance, risk management, and incident response.
COBITControl Objectives for Information and Related Technologies
An ISACA framework for IT governance and management that aligns IT goals with business objectives.
COBITControl Objectives for Information and Related Technologies
An ISACA framework providing governance and management objectives for enterprise IT, widely used as an audit reference.
Compensating Control
An alternative control used to reduce risk when a primary control cannot be implemented, providing equivalent risk mitigation.
Control Objective
A statement of the desired result or purpose to be achieved by implementing controls within a particular process or system area.
Data Classification
The process of categorizing data based on its sensitivity and criticality to apply appropriate security and handling controls.
Defense in Depth
A layered security strategy that places multiple independent controls across an environment so that failure of one layer does not compromise the whole.
DRPDisaster Recovery Plan
A subset of the BCP that focuses specifically on restoring IT systems, data, and infrastructure after a disaster or major outage.
DRPDisaster Recovery Plan
A documented process for restoring IT systems and infrastructure following a disaster or major disruption.
Inherent Risk
The level of risk that exists in the absence of any controls or mitigating measures taken by management.
IRPIncident Response Plan
A documented set of procedures for detecting, responding to, and recovering from information security incidents.
ISInformation Systems
The combination of people, processes, data, and technology used to collect, process, store, and distribute information within an organization.
IS AuditInformation Systems Audit
A formal examination of an organization's information systems, controls, and processes to assess security, integrity, and compliance.
IS GovernanceInformation Systems Governance
The framework of policies, accountability structures, and decision-making processes that ensure IS aligns with and supports business objectives.
ISACAInformation Systems Audit and Control Association
A global professional association that develops standards, frameworks, and certifications for IS audit, governance, risk, and cybersecurity professionals.
ISGInformation Security Governance
The set of responsibilities and practices exercised by the board and management to provide strategic direction and ensure security objectives are achieved.
ISMSInformation Security Management System
A systematic framework of policies, processes, and controls for managing an organization's information security risks.
ISO 27001
An international standard specifying requirements for establishing, implementing, maintaining, and improving an ISMS.
ISRMInformation Security Risk Management
The process of identifying, assessing, and treating risks to information assets to maintain them within acceptable levels.
ITGCIT General Controls
Broad controls applied across IT environments—such as access management, change management, and operations—that support application-level controls.
KPIKey Performance Indicator
A measurable value that demonstrates how effectively a security program is achieving its defined objectives.
KRIKey Risk Indicator
A metric that provides early warning signals about increasing risk exposure before a risk event occurs.
MTTRMean Time to Repair
The average time required to restore a system or service to full operation after a failure or security incident.
NIST CSFNational Institute of Standards and Technology Cybersecurity Framework
A voluntary framework of standards and best practices organized into five functions: Identify, Protect, Detect, Respond, and Recover.
Penetration Testing
An authorized simulated cyberattack on a system used to identify exploitable vulnerabilities before malicious actors can discover them.
Penetration Testing
An authorized simulated cyberattack on a system to evaluate security controls and identify exploitable vulnerabilities.
Residual Risk
The remaining level of risk after controls have been applied to reduce the inherent risk of a process or system.
Risk Appetite
The amount and type of risk an organization is willing to accept in pursuit of its business objectives.
Risk Assessment
The process of identifying, analyzing, and evaluating risks to determine their potential impact and likelihood on organizational objectives.
Risk Tolerance
The acceptable variation around a risk appetite threshold within which an organization will operate.
RPORecovery Point Objective
The maximum acceptable amount of data loss measured in time that an organization can tolerate after an incident.
RPORecovery Point Objective
The maximum acceptable amount of data loss measured in time; it defines how far back data must be recoverable after a disruption.
RTORecovery Time Objective
The maximum acceptable length of time that a system or process can be offline after a disruption before causing unacceptable business impact.
RTORecovery Time Objective
The maximum acceptable duration of time within which a business process must be restored after a disruption.
SDLCSystems Development Life Cycle
A structured process for planning, creating, testing, deploying, and maintaining information systems throughout their entire life cycle.
SIEMSecurity Information and Event Management
A platform that aggregates and correlates log data from multiple sources to detect and alert on security events in near real time.
SLAService Level Agreement
A formal contract between a service provider and customer that defines expected service levels, metrics, and remedies for non-compliance.
SOCSecurity Operations Center
A centralized team or facility responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents.
SODSegregation of Duties
A control principle that divides critical tasks among multiple individuals to prevent fraud and errors by ensuring no single person controls an entire process.
Third-Party Risk
The risk posed to an organization's information assets by vendors, suppliers, or partners who have access to those assets.
Vulnerability Assessment
A process of identifying, classifying, and prioritizing weaknesses in systems before they can be exploited.