Reference Guide

IT, security & compliance terms explained

Plain-English definitions of the terms that come up most in IT, cybersecurity, compliance, and AI. No jargon. No fluff.


General Data Protection Regulation

GDPR

The EU's primary data protection law. It applies to any organisation processing personal data of people in the EU or EEA, regardless of where the organisation is based. Key obligations include identifying a lawful basis for processing, completing data protection impact assessments for high-risk activities, notifying breaches within 72 hours, and respecting eight data subject rights. Fines reach up to €20 million or 4% of global annual turnover, whichever is higher.

GDPR compliance guide →

Network and Information Security Directive 2

NIS2

The EU's updated cybersecurity directive, which replaced the original NIS Directive in October 2024. It applies to a wider range of sectors than its predecessor, including healthcare, financial market infrastructure, digital infrastructure, and managed service providers. NIS2 requires organisations to implement risk management measures, report significant incidents within 72 hours, and places direct accountability on senior management for compliance failures. Fines for essential entities reach up to €10 million or 2% of global turnover.

NIS2 compliance services →

Digital Operational Resilience Act

DORA

An EU regulation applying to financial entities and their critical ICT service providers, effective from January 2025. DORA requires financial firms to demonstrate they can withstand, respond to, and recover from ICT-related disruptions. Its five pillars are: ICT risk management, incident classification and reporting, digital operational resilience testing, third-party ICT risk management, and information sharing. Financial institutions that cannot demonstrate resilience face supervisory action.

DORA compliance services →

ISO 27001

The international standard for information security management systems (ISMS). Achieving certification demonstrates that an organisation has implemented systematic controls to protect its information assets. The 2022 revision covers 93 controls across four themes: organisational, people, physical, and technological. Certification is granted by an accredited third-party body following an independent audit, and must be renewed through regular surveillance and recertification audits every three years.

ISO 27001 certification support →

Payment Card Industry Data Security Standard

PCI DSS

A global security standard that applies to any organisation storing, processing, or transmitting payment card data. Maintained by the PCI Security Standards Council, it covers 12 core requirements across network security, access control, encryption, monitoring, and vulnerability management. Version 4.0, effective from March 2024, places greater emphasis on customised implementation and continuous security. Non-compliance can result in fines from card brands, higher transaction fees, and suspension of card processing privileges.

Audits and Compliance services →

Data Security and Protection Toolkit

DSPT

A self-assessment tool required by NHS England for organisations that access or process health and social care data. It maps to the National Data Guardian's ten data security standards and requires annual evidence submission across areas including staff training, access controls, data sharing agreements, and business continuity arrangements. Submission is mandatory for NHS trusts, GP practices, and any supplier organisation with access to NHS patient data.

Audits and Compliance services →

Data Protection Impact Assessment

DPIA

A structured analysis required under GDPR when a processing activity is likely to result in a high risk to individuals' rights and freedoms. DPIAs assess the nature and purpose of the processing, evaluate necessity and proportionality, and document measures to mitigate identified risks. They must be completed before processing begins. If a residual high risk cannot be mitigated, the relevant supervisory authority must be consulted before proceeding.

Audits and Compliance services →

Records of Processing Activities

RoPA

A documented inventory required under Article 30 of GDPR for most organisations that process personal data. The RoPA records what personal data is processed, the purposes of processing, who has access to it, where data is transferred, and how long it is retained. It is a core audit readiness document and a prerequisite for any GDPR compliance programme. Supervisory authorities can request to inspect it at any time.

GDPR compliance guide →

Data Protection Officer

DPO

A formally designated role required under GDPR for public authorities, organisations carrying out large-scale systematic monitoring of individuals, and those processing sensitive data at scale. The DPO monitors internal compliance, advises on DPIAs, cooperates with supervisory authorities, and acts as a contact point for data subjects. DPOs must have expert knowledge of data protection law, cannot be dismissed for performing their tasks, and must be able to operate independently of management.

GDPR compliance guide →

Lawful Basis

One of six legal grounds that must be identified before processing personal data under GDPR. The six bases are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Organisations must determine and document the correct lawful basis for each processing activity before it begins, and must communicate it to data subjects. Choosing the wrong basis does not make processing lawful retrospectively.

GDPR compliance guide →

Cyber Essentials

A UK government-backed certification scheme designed to protect organisations against the most common internet-based threats. It covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Cyber Essentials Plus includes an independently verified technical audit of the same controls. Certification is required for certain UK government contracts and is a widely recognised baseline for cyber risk management.

Cybersecurity services →

EU AI Act

The EU's comprehensive regulation on artificial intelligence, adopted in 2024 and coming into effect in phases through 2027. It classifies AI systems by risk level: unacceptable risk (prohibited), high risk (regulated), limited risk (transparency obligations), and minimal risk (no requirements). High-risk AI systems, such as those used in recruitment, credit scoring, medical devices, or critical infrastructure, face conformity assessments, technical documentation requirements, and mandatory human oversight. Certain AI applications are prohibited outright, including real-time biometric surveillance in public spaces.

AI consultancy services →

NIST Cybersecurity Framework

NIST CSF

A voluntary cybersecurity framework published by the US National Institute of Standards and Technology, widely adopted globally as a reference architecture for security programmes. The NIST CSF organises security activities into five core functions: Identify, Protect, Detect, Respond, and Recover. Version 2.0, released in 2024, added a sixth function, Govern, and broadened scope beyond critical infrastructure to all organisations. While not a regulation, NIST CSF is referenced in ISO 27001 gap analyses, used by EU and UK regulators as a benchmark, and adopted by many enterprises as their core security reference framework.

Cybersecurity services →

Financial Conduct Authority

FCA

The UK's financial services regulator, responsible for overseeing around 50,000 firms including banks, insurers, investment firms, and payment service providers. From a technology and security perspective, the FCA expects firms to maintain operational resilience, manage outsourcing and third-party risk, protect customer data, and report material operational incidents promptly. FCA expectations overlap significantly with DORA for firms operating across both UK and EU jurisdictions, though the two frameworks have distinct requirements and timelines.

Audits and Compliance services →

Risk Register

A documented record of an organisation's identified risks, including their likelihood, potential impact, owner, and planned treatment. Risk registers are a core requirement of ISO 27001, NIS2, DORA, and most compliance frameworks. An effective risk register is a living document, reviewed and updated regularly rather than produced once for an audit. It enables organisations to prioritise remediation based on exposure, demonstrate a risk-based approach to auditors, and track whether controls are reducing risk over time.

Audits and Compliance services →

Internal Audit

An independent, structured review of an organisation's controls, processes, and risks, carried out by an internal or contracted team rather than an external certification body. Internal audits are a core requirement of ISO 27001 and most compliance frameworks, providing management with assurance that controls are operating effectively between external assessments. An effective internal audit programme covers a defined scope, evidence-based testing, clear findings with risk ratings, and a tracked remediation plan. For organisations preparing for external certification, a pre-audit internal review significantly reduces the risk of unexpected findings.

Audits and Compliance services →

Penetration Testing

An authorised, simulated attack on an organisation's systems, networks, or applications, carried out by security specialists to identify vulnerabilities before real attackers can exploit them. Unlike automated vulnerability scanning, penetration testing involves active exploitation attempts and creative thinking to chain weaknesses together. The output is a prioritised report of findings with remediation guidance. Penetration testing is required for PCI DSS compliance and recommended as part of any mature security programme.

Cybersecurity services →

Vulnerability Assessment

A systematic review of an organisation's systems, networks, and applications to identify known security weaknesses, without attempting to exploit them. Results are categorised by severity and presented with remediation recommendations. Vulnerability assessments are typically faster and less invasive than penetration tests and are suited to regular, scheduled scanning. They are a requirement under Cyber Essentials, ISO 27001, and PCI DSS.

Cybersecurity services →

Security Information and Event Management

SIEM

A security platform that aggregates and analyses log data from across an organisation's IT environment in real time. SIEM tools correlate events from multiple sources, such as firewalls, endpoints, identity providers, and cloud services, to detect patterns that indicate threats. They generate alerts for security teams and provide forensic data for incident investigations. Continuous monitoring through a SIEM is required or explicitly recommended under NIS2, ISO 27001, and PCI DSS.

Cybersecurity services →

Zero Trust

A security model based on the principle of never trust, always verify. Rather than granting broad access after a single authentication event, Zero Trust requires continuous verification of identity, device health, and access rights for every request, regardless of whether it originates inside or outside the network perimeter. It is particularly relevant in cloud-first and hybrid-working environments where a traditional network boundary no longer exists, and is endorsed as an architectural approach by the UK NCSC and CISA.

Cybersecurity services →

Ransomware

Malicious software that encrypts a victim's files or systems and demands payment in exchange for the decryption key. Modern ransomware attacks, often referred to as double extortion, also involve data exfiltration, with attackers threatening to publish stolen data publicly if payment is not made. Healthcare and financial services organisations are among the most frequently targeted sectors due to the sensitivity of the data they hold and the operational consequences of downtime.

Cybersecurity services →

Multi-Factor Authentication

MFA

An authentication method that requires users to provide two or more verification factors before accessing a system or application. Factors fall into three categories: something you know (a password), something you have (an authenticator app or hardware token), and something you are (biometrics). MFA significantly reduces the risk of account compromise from phishing and credential theft. It is a core requirement of Cyber Essentials, PCI DSS, and most modern security frameworks.

Cybersecurity services →

Phishing

A social engineering attack in which attackers impersonate a trusted entity to trick individuals into disclosing credentials, clicking malicious links, or transferring funds or data. Spear phishing targets specific individuals with personalised messages, while whaling focuses on senior executives. Phishing is the most common initial access vector in data breaches. Effective mitigation combines email filtering, MFA, and regular security awareness training across the organisation.

Cybersecurity services →

Incident Response

The structured process an organisation follows to detect, contain, investigate, and recover from a security incident. An effective incident response plan defines roles, escalation paths, communication templates, and recovery procedures, and should be tested through regular tabletop exercises. Under GDPR, organisations must notify their supervisory authority of certain breaches within 72 hours. Under NIS2, significant incidents must be reported within 24 hours (initial notification) and 72 hours (full report).

Cybersecurity services →

Attack Surface

The total set of potential entry points through which an attacker could attempt to gain unauthorised access to an organisation's systems or data. This includes external-facing applications, user accounts, APIs, cloud services, third-party integrations, and physical access points. Understanding and reducing the attack surface is a foundational element of any security programme, achieved through asset inventory, network segmentation, access control, and decommissioning unused systems.

Cybersecurity services →

Supply Chain Attack

A cyberattack that targets an organisation indirectly by compromising a trusted third-party supplier, software vendor, or service provider. Attackers exploit the trust and access that suppliers have within a target's environment to gain a foothold they could not obtain through a direct attack. The SolarWinds and MOVEit incidents are prominent examples. Third-party risk management is a specific requirement under NIS2 and ISO 27001 Annex A.

Cybersecurity services →

Data Breach

An incident in which personal data is accessed, disclosed, altered, or destroyed without authorisation, whether as a result of a cyberattack, human error, or system failure. Under GDPR, organisations must notify their supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. Affected individuals must also be notified without undue delay where the breach is likely to result in a high risk. Breaches can result in regulatory fines, civil claims, and lasting reputational damage.

GDPR compliance guide →

Identity and Access Management

IAM

The discipline of managing who can access which systems, data, and resources within an organisation, and under what conditions. IAM encompasses user provisioning and deprovisioning, role-based access control, privileged access management, multi-factor authentication, and single sign-on. Poor IAM is one of the most common causes of breaches: compromised credentials, over-privileged accounts, and orphaned access from former employees all create exploitable weaknesses. IAM controls are required under ISO 27001, Cyber Essentials, PCI DSS, and most other security frameworks.

Cybersecurity services →

Third-Party Risk Management

The process of identifying, assessing, and managing the security and compliance risks introduced by suppliers, vendors, cloud providers, and other external parties with access to an organisation's systems or data. Third-party risk management is explicitly required under NIS2, DORA, ISO 27001, and PCI DSS. An effective programme covers vendor due diligence during procurement, contractual security requirements, data processing agreements where personal data is involved, and ongoing monitoring of critical suppliers. Supply chain attacks have made third-party risk one of the fastest-growing areas of regulatory focus.

Cybersecurity services →

IT Infrastructure Library

ITIL

A globally recognised framework of best practices for IT service management, covering the full IT service lifecycle from strategy and design through to operation and continual service improvement. ITIL v4, the current version, introduces a more flexible, value-focused approach built around a service value chain, four dimensions of service management, and a set of guiding principles. ITIL certifications are held by IT professionals across service desk, change management, and operations roles worldwide.

IT Management services →

Service Level Agreement

SLA

A formal agreement between a service provider and a customer that defines the expected level of service, including availability targets, response times, resolution times, and support hours. SLAs set clear accountability for service performance and form the basis for measuring whether IT is meeting business needs. For managed IT environments, SLAs typically distinguish between response time (time to acknowledge an issue) and resolution time (time to fix it), often tiered by priority level.

IT Management services →

Recovery Time Objective

RTO

The maximum acceptable length of time that a system, application, or business function can be offline following a disruption before the impact becomes unacceptable to the business. RTO is a key parameter in business continuity and disaster recovery planning, and informs decisions about redundancy architecture, failover mechanisms, and recovery procedures. Different systems will have different RTO requirements, and these should be documented and reviewed regularly.

IT Management services →

Recovery Point Objective

RPO

The maximum amount of data loss an organisation can tolerate in the event of a failure, expressed as a time window. An RPO of four hours means up to four hours of transactions or changes could be lost. RPO determines how frequently backups must be taken and directly informs technology choices around replication, journalling, and off-site backup. Organisations with very low RPO requirements, such as banks or healthcare systems, typically require near-continuous data protection solutions.

IT Management services →

Managed Services

An arrangement in which an external provider takes ongoing responsibility for managing specific IT functions, systems, or processes on behalf of an organisation, governed by an SLA. Common coverage includes endpoint management, network monitoring, backup and recovery, helpdesk support, and patch management. Managed services allow organisations to access consistent specialist expertise and predictable costs without the overhead of building equivalent in-house capability.

IT Management services →

Patch Management

The process of identifying, acquiring, testing, and deploying software updates to address security vulnerabilities, fix bugs, and maintain compatibility. Effective patch management is one of the five core controls required by Cyber Essentials and a requirement under ISO 27001 and PCI DSS. Unpatched systems are consistently among the most common causes of successful cyberattacks, including many ransomware incidents, making patch management a foundational security control.

IT Management services →

IT Strategy

A plan that defines how technology will support and advance an organisation's business objectives over a defined period, typically three to five years. An IT strategy covers infrastructure investment, cloud adoption, tooling decisions, vendor relationships, skills development, and cost management. Without a strategy, IT spending tends to be reactive, fragmented, and hard to justify at board level.

IT Management services →

Governance, Risk, and Compliance

GRC

A structured approach to aligning IT operations with business goals, managing risk, and meeting regulatory obligations in an integrated way. Rather than treating governance, risk management, and compliance as separate workstreams, GRC frameworks bring them together under a single model. Common GRC activities include policy management, risk registers, control testing, and audit evidence collection. Organisations with mature GRC programmes typically respond faster to audits and spend less on remediation.

Audits and Compliance services →

Cloud Computing

The delivery of computing resources, including servers, storage, databases, networking, software, and analytics, over the internet on a pay-as-you-use basis. The three primary service models are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Cloud adoption can reduce capital expenditure and improve scalability, but introduces its own challenges around cost management, security configuration, and data residency compliance.

IT Management services →

IT Support

The provision of technical assistance to end users experiencing problems with hardware, software, connectivity, or access. IT support is typically structured in tiers: first-line handles common requests and password resets, second-line deals with more complex issues, and third-line involves specialist or vendor escalation. Effective IT support is governed by SLAs, measured through ticket metrics, and supported by a knowledge base that reduces repeat incidents over time.

IT Management services →

IT Monitoring

The continuous observation of IT systems, servers, networks, applications, and services to detect performance issues, failures, and security events in real time. Good monitoring reduces mean time to detect (MTTD) and mean time to resolve (MTTR) incidents, and provides the data needed to prove SLA compliance. Monitoring tools generate alerts, dashboards, and audit logs. For regulated organisations, monitoring records are also required as evidence for compliance frameworks including ISO 27001 and NIS2.

IT Management services →

IT Budgeting

The process of planning, forecasting, and managing IT expenditure across capital (CAPEX) and operational (OPEX) categories. An effective IT budget accounts for hardware refresh cycles, software licensing, cloud consumption, support contracts, and project delivery costs. Many organisations overspend on unused licences, underutilised cloud resources, and unplanned emergency work that a structured budget would have anticipated. Clear budgeting also enables the business to evaluate the return on IT investment over time.

IT Management services →

IT Infrastructure

The combined set of hardware, software, networks, and facilities that underpin an organisation's IT environment. Infrastructure includes servers (physical and virtual), storage systems, network devices, endpoints, data centres or colocation facilities, and the cloud services that extend or replace them. Infrastructure must be actively managed: patched, monitored, capacity-planned, and reviewed against business requirements. Neglected infrastructure is a common source of both security incidents and unplanned downtime.

IT Management services →

Disaster Recovery

DR

A documented plan and set of procedures for restoring IT systems and operations following a disruptive event such as a ransomware attack, hardware failure, flood, or power outage. A disaster recovery plan documents RTO and RPO targets for each critical system, recovery sequences, team responsibilities, and communication protocols. Plans must be tested regularly: untested recovery procedures frequently fail under real conditions, and the failure is only discovered when it matters most.

IT Management services →

IT Asset Management

ITAM

The process of tracking and managing an organisation's IT assets throughout their full lifecycle, from procurement through to decommissioning. ITAM covers hardware, software licences, cloud subscriptions, and virtual assets. A complete asset register is a prerequisite for ISO 27001 certification and a foundational security control, since you cannot protect or patch what you cannot see. ITAM also identifies licence waste, avoids software audit penalties, and supports more accurate IT budgeting decisions.

IT Management services →

Machine Learning

ML

A branch of artificial intelligence in which systems learn from data to improve their performance on a task without being explicitly programmed for every scenario. Models are trained on historical data to identify patterns, make predictions, or classify inputs. Common business applications include demand forecasting, fraud detection, churn prediction, and anomaly detection. The quality of a model's outputs depends directly on the quality and representativeness of the data it is trained on.

AI consultancy services →

Large Language Model

LLM

A type of AI model trained on large volumes of text data to understand and generate human language. LLMs can perform a wide range of language tasks including summarisation, drafting, translation, question answering, and code generation. They form the foundation of tools like Microsoft Copilot, ChatGPT, and similar enterprise AI applications. Deploying LLMs safely in a business context requires controls around data access permissions, output accuracy validation, and compliance with applicable regulations including the EU AI Act.

AI consultancy services →

Generative AI

AI systems that create new content, including text, images, code, audio, and video, based on patterns learned from training data. Generative AI tools have moved rapidly into enterprise use cases across content creation, customer service, software development, and data analysis, and productivity gains can be significant. However, organisations must address risks around data leakage, output accuracy, intellectual property ownership, and regulatory compliance before any production deployment.

AI consultancy services →

Natural Language Processing

NLP

A branch of AI that enables computers to understand, interpret, and generate human language. NLP powers applications including chatbots, document classification, sentiment analysis, machine translation, and voice assistants. Large language models are a recent and particularly powerful form of NLP. In regulated sectors, NLP is used to automate document review, extract data from unstructured records, and route customer communications, raising questions about accuracy, bias, and auditability that governance frameworks must address.

AI consultancy services →

Computer Vision

A field of AI that enables systems to interpret and act on visual information from images, video, and cameras. Applications include quality control, facial recognition, object detection, document digitisation, and medical imaging analysis. In regulated sectors, computer vision deployments require careful attention to data protection obligations, particularly where biometric data or patient imagery is involved. The EU AI Act classifies certain computer vision applications, including real-time biometric surveillance in public spaces, as prohibited or high-risk.

AI consultancy services →

Robotic Process Automation

RPA

Software that automates repetitive, rules-based digital tasks by mimicking how a human interacts with applications: navigating interfaces, copying and pasting data, submitting forms, and triggering workflows. RPA is effective for structured, predictable processes but cannot handle exceptions or unstructured inputs without additional logic. Combining RPA with machine learning extends its reach into less structured work, a combination increasingly referred to as intelligent automation. Common use cases include invoice processing, data entry, report generation, and compliance evidence collection.

AI consultancy services →

AI Security

The practice of identifying and mitigating security risks specific to AI systems and the infrastructure that supports them. AI introduces attack vectors beyond traditional IT security: prompt injection (manipulating model outputs via crafted inputs), model poisoning (corrupting training data), data extraction (recovering sensitive information through model queries), and adversarial inputs designed to cause misclassification or harmful outputs. Organisations deploying AI in production must assess these risks, implement appropriate controls, and include AI systems in their broader security testing and incident response programmes.

AI consultancy services →

AI Governance

The frameworks, policies, and controls that ensure AI systems are developed and used responsibly, safely, and in compliance with legal and ethical standards. AI governance covers risk assessment, model documentation, transparency, human oversight, accountability, and bias management. It is explicitly required for high-risk AI systems under the EU AI Act and is increasingly expected as a baseline practice for any organisation deploying AI in a business-critical or customer-facing context.

AI governance services →

Data Governance

The set of policies, processes, and assigned responsibilities that ensure data is managed consistently, accurately, and in accordance with regulatory requirements across an organisation. Data governance covers data ownership, classification, quality standards, retention schedules, and access control. It is a prerequisite for GDPR compliance, effective AI deployment, and any strategic initiative that depends on reliable, well-understood data. Without it, organisations often discover data quality and access problems only when they try to act on the data.

AI consultancy services →

Need help navigating any of this?

Our team works across all four of these areas. Tell us your situation and we will tell you plainly what you need to do.

Talk to our team