Terms and Definitions
The terms and definitions are for all stakeholders to use for communicating their perspectives to achieve a common understanding. The terms and definitions are derived from various authoritative sources, accepted standards (ISO/IEC/IEEE, NIST etc), applicable laws (e.g. The IT Act 2000), regulations and broadly accepted public terminologies.
The source(s) of definitions of the terms are also provided, where available. Notes are added under the terms to provide additional information for readers, to help them apply the terms correctly to the context of discussions.
The glossary is divided into the following sub-sections, to align with the ecosystem levels:
- Conceptual terms. Provide basic definitions and interpretations for all readers of this documentation.
- Governance terms. Provide the business leadership, top and senior management with a common vocabulary while engaging with other stakeholders at this level.
- Business terms. Provide the business management and workforce with a common vocabulary while engaging with other stakeholders at this level.
- Technology terms. Provide the technology stakeholders with a common vocabulary while engaging with others at this level. This will be very useful during technical interactions between the CSEs, OEMs, service providers and the national nodal agencies.
- Other terms. Provide some standard definitions for use by all readers.
Tip
The glossary is meant to enable interactions within and across the four levels. For example, technical terms are best used within the Technology level. However, when the outcome of technical analysis has to be conveyed to the stakeholders at the Governance and Business levels, the technical teams must use appropriate governance and business terms and the common conceptual terms.
The Search function can be used for searching through the glossary using appropriate keywords.
Conceptual Terms
System (ISO 15288:2015)
- combination of interacting elements organized to achieve one or more stated purposes.
Note 1: A system is sometimes considered as a product or as the services it provides.
Note 2: In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g. information system.
Note 3: A complete system includes all of the associated equipment, facilities, material, computer programs, firmware, technical documentation, services and personnel required for operations and support to the degree necessary for self-sufficient use in its intended environment.
Note 4: Stakeholders, while using the term, are encouraged to clarify the context of the term ‘System’. For example, governance and business level stakeholders use the term ‘System’ to imply a business system. For technology level stakeholders, ‘System’ implies a digital system. For physical security and safety stakeholders, ‘System’ implies a security or safety system.
System-of-interest (ISO 15288:2015)
- system whose life cycle is under consideration.
System-of-systems (SoS) (ISO 15288:2015)
- set of systems that integrate or interoperate to provide a unique capability that none of the constituent systems can accomplish on its own.
Note 1: Each constituent system is a useful system by itself, having its own management, goals, and resources, but coordinates within the SoS to provide the unique capability of the SoS.
Note 2: In this document, a system-of-systems is also termed as an ‘Ecosystem’. See Business ecosystem and Digital ecosystem.
Business system
- a structured and integrated collection of processes, people, technology and governance that combine together to help organisations achieve specific goals and objectives. It provides the organisations an operating structure to deliver their mission/ business functions.
Note 1: the key components of a business system are i) processes, procedures and workflows that outline how activities and tasks are coordinated, managed and executed to achieve specific outcomes, ii) individuals and teams, who perform the tasks and contribute to the overall functionality of the system, iii) technology, tools, equipment, software and other resources that support and automate the processes, iv) governing principles, policies, rules and protocols that ensure consistency and control over data and procedures, and v) methods to measure the results and outcomes the system is designed to achieve.
Note 2: Business systems provide the framework within which business processes are executed. The business processes are the moving parts that make the business system work.
Note 3: The term often alludes to the primary digital system that enables the business system. For example, ERP, CRM, HCM system.
Note 4: Business systems must be reliable and trustworthy. They must incorporate clear matrices for accountability and responsibility, have robust documentation, and be monitored regularly to ensure reliability and trustworthiness.
Digital transformation
- a business strategy initiative that incorporates digital technology across all areas of an organisation. It evaluates and modernises an organisation’s processes, products, operations and technology stack to enable continual, rapid, customer-driven innovation.
Note 1: Every organisation’s digital transformation implementation is different. It can begin with a single focused technology project, or as a comprehensive enterprise-wide initiative. It can range from integrating digital technology and digital solutions into existing processes and products, to reinventing processes and products or creating entirely new revenue streams by using still-emerging technologies.
Note 2: An associated term ‘business transformation’ defines the wholesale rethinking and restructuring of an organisation’s business planning, operations, technology, development and customer experience to achieve business goals.
Information system (NIST SP 800-37r2)
- a discrete set of information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The term information system includes, for example, general-purpose computing systems; industrial/ process control systems; cyber-physical systems; command, control, and communications systems; devices such as smart phones and tablets; environmental control systems; embedded devices/ sensors; and paper-based systems.
Industrial Control System (NIST SP 800-82r3)
- general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations that are often found in the industrial sectors and critical infrastructures, such as programmable logic controllers (PLC). An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy).
Digital system
- an outcome of digital transformation.
- a system comprising ICT, OT, IoT and IIoT elements. It typically comprises computing, processing and storage systems, networks, applications, data repositories and user devices that enable and support the automation of business processes and business systems.
Note 1: A digital system is also referred to as digital infrastructure or information infrastructure.
Business ecosystem
- a composition of distributed business systems of individual organisations that work together in partnership to achieve the larger goals and objectives of the community, sector, region and the nation.
Digital ecosystem
- a geographically dispersed, interconnected and federated conglomeration of digital systems that together function as a large system-of-systems.
- a federation of the digital systems of the suppliers, customers, partners, service providers and national bodies.
Note 1: The digital ecosystem is also referred to as the underlying digital infrastructure of the business ecosystem.
Cyberspace
- a conceptual term that mimics the physical space but in a virtual domain. It manifests itself in the form of a digital ecosystem across the world.
Note 1: The national cyberspace is a subset of the global cyberspace, used by the nation’s organisations and people for their business and personal functions. The national cyberspace is not defined by who owns it but by who uses it.
Note 2: An Indian organisation’s cyberspace is a subset within the national cyberspace, used by the organisation for its business functions. The organisation acquires the digital infrastructure and uses it to deploy and run applications that enable and support the organisation’s business/ operations. The organisation federates its digital infrastructure with other organisations within the national and global cyberspace.
Note 3: An organisation’s own cyberspace and the national cyberspace can be demarcated within the global cyberspace by means of domains, zones and segments.
Critical Information Infrastructure (ITAA-2008)
- the computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety.
Critical sectors (G.S.R. 19(E), 16 Jan 2014)
- sectors, which are critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health, or safety.
Information Technology (IT) (NIST)
- any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.
Information and Communications Technology (ICT) (NIST)
- all categories of ubiquitous technology used for the gathering, storing, transmitting, retrieving, or processing of information (e.g., microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks).
Operations Technology (OT) (NIST)
- a broad range of programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment. These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.
Note 1: Examples include industrial control systems, building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.
Note 2: Alternative terms for OT are Industrial Control Systems (ICS) (used by NIST) and Industrial Automation and Control Systems (IACS) (used by IEC).
Internet of Things (IoT) (NIST)
- user or industrial devices that are connected to the internet. IoT devices include sensors, controllers, and household appliances.
Industrial Internet of Things (IIoT) (NIST)
- sensors, instruments, machines, and other devices that are networked together and use Internet connectivity to enhance industrial and manufacturing business processes and applications.
Note 1: An IoT device has at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one wired or wireless network interface (e.g., ethernet, wi-fi, bluetooth, Long-Term Evolution (LTE), Zigbee, Ultra-Wideband (UWB)) for interfacing with the digital world (NIST IR 8259).
Note 2: An IoT product contains at least one IoT device and three specific kinds of IoT product components (NIST IR 8425):
Specialty networking/ gateway hardware.
Companion application software.
Backends to which data is transferred for backup, storage and analysis.
Note 3: An IoT system is composed of networked IoT components and interacts with a physical entity of interest through one or more sensors and/or actuators that are within the IoT components. IoT systems differ from conventional IT systems in their ability to directly interact with the physical world (NIST IR 8316).
Information security (IS) (NIST)
- the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information security (IS) (ISO 27000:2018)
- preservation of confidentiality, integrity and availability of information.
Note: In addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
Cyber security (CS) (ITAA-2008)
- protecting information, equipment, devices, computer, computer resource, communication device and information stored therein from unauthorised access, use, disclosure, disruption, modification, or destruction.
Note 1: The definition is explicitly used for information technology (IT) elements and also for elements of operations technology (OT) and Industrial Internet of Things (IIoT).
Note 2: The terms Information Security (IS) and Cyber Security (CS) are often used interchangeably, since there are only some minor distinctions between the two terms. Notes 3 to 6 below provide guidance for specific situations in which one term is more appropriate than the other.
Note 3: In general, information security is used in the context of securing information that is held and managed in both digital and non-digital (paper-based) forms. Cybersecurity is used in the context of securing the cyber-ecosystem (IT, OT, and IIoT) from cyber-attacks.
Note 4: Data and information content encompasses i) content created, used and managed using office productivity tools, ii) content stored in databases and other electronic repositories, which may be located on-premises or on cloud, iii) content searched, accessed and shared using web, email and other technologies, iv) machine to machine exchange of content through information exchange standards and protocols (EDI, API, STIX/TAXII), and OT-specific communication protocols (Modbus, DNP3/ IEEE 1815-2012, IEC-60870, IEC 61850, IEC 61131, IEC 62351) and, v) archival content stored in online and offline backups.
Note 5: Data and information related activities encompass i) content creation, updation and deletion (CRUD activities), ii) data processing, iii) view, copy, scan, search and print, iv) content integrity and confidentiality protection using digital signatures and encryption, v) masking or redaction of sensitive content and reclassification of the masked/ redacted content, vi) content exchange and distribution through electronic media and communication channels, vii) short-term and long-term storage of content and, viii) secure disposal of content from all the electronic stores, as per the organisation policies.
Note 6: Most OT systems are process control systems. Typically, the input and output OT data of such systems have a short period of utility. The most important concerns of such systems are the availability of the systems themselves and the safety of the physical environment around the systems or influenced by them. The confidentiality of data exchanged through OT protocols, as well as intermittent data loss, are minor concerns. As regards data integrity, the concern is more about the integrity of the process control systems that generate, consume and process the data using OT protocols. In summary, the focus of OT security is more about protecting critical processes (Safety, Availability, Integrity) and less about data loss (Confidentiality).
Cyber defence
- a set of defensive activities carried out across the organisation’s digital infrastructure by different teams of the organisation, by means of well-established practices and processes, with or without automation.
Note 1: The objective of cyber defence is to protect the organisation’s digital infrastructure from harm and to ensure its availability for use by all authorised users.
Note 2: Cyber defence is similar to physical defence but in the cyberspace. Just as in physical defence, securing the digital infrastructure of the nation and/ or organisations requires both proactive actions like anticipating, continually observing and plugging breaches, and reactive measures like responding to and mitigating cyberattacks when they occur.
Resilience (NIST)
- the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruption. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
Cyber resilience (NIST)
- the ability of an information system to operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities, and to recover to an effective operational posture in a time frame consistent with mission needs.
- the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.
Note: Cybersecurity is the practice of protecting the digital infrastructure from unauthorised access, data breaches, and cyber-attacks. Cyber resilience is an organisation’s capability to prepare for, respond to, and recover from cyber threats and disruptions. Both functions require a combination of technologies, practices and processes, policies and controls, people and governance for delivering the required outcomes.
Domain (ISO/IEC/IEEE)
- distinct scope, within which common characteristics are exhibited, common rules observed, and over which a distribution transparency is preserved.
- area of knowledge or activity characterized by a set of concepts and terminology understood by practitioners in that area.
Domain (NIST)
- a set of elements, data, resources, and functions that share a commonality in combinations of (1) roles supported, (2) rules governing their use, and (3) protection needs.
Note 1: Domain Coverage/ Scope - A domain’s coverage/ scope lists the elements, data, resources, processes and practices grouped under the domain, to reflect one or any combination of the following: i) capability, functional, or service distinctions; ii) data flow and control flow associated with capability, functional, or service distinctions; iii) data and information sensitivity; iv) data and information security; or v) administrative, management, operational, or jurisdictional authority.
Note 2: Domain Principle/ Objective - A domain’s principle/ objective describes at a high level what an organisation is required to do/ achieve with regard to the requirements for the domain, using the triad of processes, people and technology.
Note 3: “Domain” is a widely used term by different practitioners to describe their working environments. For example, management teams use the term to describe distinct functional areas and job responsibilities. Systems and software engineering teams classify their work into different technical domains. HR and training teams define knowledge and skill domains to refer to different sets of concepts, topics and modules about which the professionals are expected to possess or develop the required competency. Security teams define security domains to categorise the security characteristics, policies and authorities. Cybersecurity capability maturity modelling research teams use distinct domains to classify, gather evidence and measure the capability and maturity of organisations.
Policy (ISO 38500:2015)
- intentions and direction of an organisation as formally expressed by its governing body or executive managers acting with appropriate authority.
Note 1: A “policy” is a high-level statement of intent or direction that provides guidance to individuals and organisations on how they should act in specific circumstances. A policy is a formal declaration of an organisation’s objectives, values, and principles, and it provides the basis for decision-making and the development of related processes, procedures, and controls.
Note 2: Policies are an important component of a management system, as they provide the overall direction and guidance for the management system and help to ensure that the management system is aligned with the organisation’s objectives and values. Policies should be clear, concise, and aligned with the overall strategic objectives of the organisation, to enable the management system to deliver its intended outcomes.
Note 3: A policy typically defines a scope (business processes, departments and locations that will be covered by the policy), the external and internal environment of the organisation (to identify the interfaces and dependencies), and the business, IT, and information security objectives of the policy (what it seeks to achieve).
Practice
- a set of activities that are continuously carried out over time, in pursuit of an organisation’s strategic interests and goals.
Note 1: A “practice” typically comprises persons/ teams owning the practice, along with activities, governance, tools, and technology platforms to implement and operate the practice. The intelligence of the practice (how it gets something accomplished) is embedded in the complex, analytical and decision-making expertise of the practice owners (individuals/ teams). The key outcomes of a practice are continuous refinement, optimisation of effort and leveraging of the organisation’s expertise. The adoption of best practices can help organisations to improve their performance, meet regulatory requirements, and achieve their goals more effectively.
Process
- set of interrelated or interacting activities that use inputs to deliver an intended result. (ISO 9000:2015)
- a set of repeatable activities and tasks, usually designed as a set of well-defined steps with well-defined beginnings and ends, to get something done.
Note 1: A “process” typically comprises people, activities and tasks, governance, tools, and technology platforms to implement and execute the process. The execution steps of a process may be carried out sequentially or in parallel, either by a person, a team or through automation. The intelligence of the process (how it gets something accomplished) is embedded in the process design and does not require complex decision-making by the persons or automation agents executing the steps. In other words, the process designer converts the knowledge of an activity or task into a well-defined sequence of steps and records the same in the process documentation. People or automation agents are only supposed to know how to execute the steps laid down in the process documentation, without having to understand why they are to be done. The key outcomes of a process are standardisation, speed, efficiency and automation.
Note 2: There is no rigid hierarchy between practices and processes. A practice can have multiple sub-practices and/ or processes. Usually, over time, many practice owners convert parts of their practice into processes with well-defined execution steps and enable them using automation.
Note 3: Everything need not be a practice or a process. For example, activities and tasks that are performed infrequently, or those that do not have clear sequence of steps, can just be accomplished without defining a practice or process for the same. It is also important that practices and processes should not become the end goal by themselves but should only help reach the end goal.
Note 4: Parameters and metrics to quantify and measure a practice or process are designed so as to help improve and maintain their performance and effectiveness.
Procedure
- specified way to carry out an activity or a process, which may or may not be documented. (ISO 9000:2015)
- a specific and documented way of performing a task or activity, to ensure that it is carried out consistently in its defined manner.
Note 1: A procedure typically outlines the detailed steps to be followed by an individual, a team or automation to perform a task or activity to achieve the required outcomes of the task or activity. Procedures are more prescriptive and granular than processes.
Guidelines
- a type of document that provides recommendations or suggestions on how to achieve a particular outcome or meet certain objectives.
Note 1: Guidelines are intended to help users interpret and apply the requirements and principles set out in the applicable policies and standards, and to provide guidance and best practices for specific applications or contexts.
Control
- a mechanism to ensure that an activity or process is performed as intended. It comprises a set of actions that should be taken to manage risk, prevent or mitigate negative outcomes, and ensure that the system is functioning as required.
Note 1: In the context of cybersecurity, a control is a measure implemented to reduce risk and protect information assets. The specific risk or issue being addressed defines the type of control(s) to be used, which may be administrative controls, such as policies and procedures, technical controls, such as role-based access permissions or physical controls, such as locks and alarms.
Control objective/ purpose
- a statement that defines what a control is intended to achieve.
Note 1: A control objective is a specific and measurable outcome that is desired from a control. It provides the basis for evaluating the effectiveness of the control in relation to the risks or issues that the management system is designed to address.
Note 2: Control objectives/ purposes are an important component of a management system, as they provide the basis for defining and designing controls. Effective control objectives help organisations ensure that their management system is functioning effectively and achieving their objectives.
Governance Terms
Accountable (ISO 38500:2015)
- answerable for actions, decisions and performance.
Accountability
- state of being accountable. Accountability relates to an allocated responsibility. The responsibility can be based on regulation or agreement or through assignment as part of delegation. (ISO 38500:2015)
- the obligation to exercise authority that is based on established standards and to take ownership of the outcomes or results.
Note 1: Authority can be delegated; responsibility can be shared but cannot be delegated; accountability can neither be shared nor delegated.
Aim or Goal
- the desired result of an effort.
Note: In an entity/ organisational context, the term ‘mission’ is also used.
Audit
- a structured, independent, and recorded method for gathering audit evidence and impartially assessing it to ascertain the degree of compliance with the audit standards.
Note 1: Audits can be internal (first party), external (second-party or third-party), or combined audits (integrating multiple disciplines).
Note 2: An internal audit is carried out by the organization or by an external entity acting for the organization.
Note 3: The fundamental elements of an audit include the determination of the conformity of an object according to a procedure carried out by personnel not being responsible for the object audited.
Note 4: An internal audit may serve management review and other in-house functions and may underpin an organization’s self-declaration of compliance. Independence in this context is demonstrated by the auditor’s lack of involvement in the activities under review. External audits encompass both second and third-party evaluations. Second-party audits are performed by parties with a vested interest in the organization, like clients or their representatives. Third-party audits are carried out by independent external bodies, such as certification authorities or regulatory agencies.
Note 5: This constitutes one of the common terms and core definitions of the high-level structure for ISO management system standards. The original definition has been modified by adding Notes 3 and 4 to the entry.
Authority
- the right or power assigned to an individual or a government entity in order to achieve defined goals and objectives. An ‘authority’ gives official and legal right to take decisions, command action by others and enforce compliance.
Board of Directors
- usually maps to the governing body. Designations are usually in the form of CMD, MD, Executive and Non-executive Directors. In the Government, the word ‘Authority’ is also used.
Context of the organisation (ISO 9000:2015)
- combination of internal and external issues that can have an effect on an organisation’s approach to developing and achieving its objectives.
Consequence (NIST, ISO 15026-1:2019)
- effect (change or non-change), usually associated with an event or condition or with the system and usually allowed, facilitated, caused, prevented, changed, or contributed to by the event, condition, or system.
Continuity
- the strategic and tactical ability, sanctioned by management, for an organization to prepare for and react to various conditions, situations, and events to maintain operations at an approved, predetermined level.
Note 1: Continuity is a broader concept that encompasses both operational and business continuity, ensuring an organization’s capacity to continue functioning under non-standard conditions. This concept is applicable to all types of organizations, including for-profit, non-profit, public interest, and governmental entities.
Coordination
- way in which different organisations (public or private) or parts of the same organisation work or act together in order to achieve a common objective.
Note 1: Coordination combines the individual response efforts of all involved entities to create a cohesive incident response with a shared goal and coordinates actions through open sharing of information about their respective incident response efforts.
Note 2: All organizations participate in the process to agree on a shared incident response goal and commit to implementing strategies through a consensus-based decision-making process.
Corrective action
- action to remove the cause of a nonconformity and to prevent its recurrence.
Crisis
- volatile situation marked by an imminent drastic or substantial change that demands immediate attention and action to safeguard lives, assets, property, or the environment.
Crisis management
- comprehensive management approach that identifies potential threats to an organization and establishes a structure for resilience, with the capacity for an effective response that protects the interests of the organization’s key stakeholders, reputation, brand, and value-generating activities, as well as efficiently reinstating operational capabilities.
Note 1: Crisis management also involves managing readiness, mitigation, response, and recovery or continuity in the event of an incident, as well as overseeing the overall programme through training, rehearsals, and reviews to ensure that preparedness, response, and continuity plans remain current and relevant.
Crisis management team
- a collective of individuals tasked with guiding the creation and implementation of plans for response and operational continuity, declaring states of operational disruption or crisis, and directing the recovery efforts both before and after an incident.
Note 1: This team may include members from within the organization as well as first responders and other relevant parties.
Criticality analysis
- a systematic procedure to identify and assess the significance of an organization’s assets based on their role in the organization’s mission, the potential impact on people, or the consequences of disruptions on meeting organizational goals.
Customer (ISO 20000-10:2018)
- organisation or part of an organisation that receives a service or services.
EXAMPLE: Consumer, client, beneficiary, sponsor, purchaser.
Note 1: A customer can be internal or external to the organisation delivering the service or services.
Note 2: A customer can also be a user. A customer can also act as a supplier.
Direct (ISO 38500:2015)
- communicate desired purposes and outcomes to. In the context of governance of IT, “direct” involves setting objectives, strategies, and policies to be adopted by the members of the organisation to ensure that use of IT meets business objectives. Objectives, strategies, and policies can be set by managers if they have authority delegated by the governing body.
Disruption
- an event, expected or unexpected, that causes an undesired deviation from the anticipated delivery of products and services, impacting an organization’s objectives.
Documented information
- records that an organization must manage and maintain, which can be in various formats and media, originating from any source.
EXAMPLE: Policies, plans, process descriptions, procedures, service level agreements or contracts.
Note 1: Documented information can encompass the management system, its processes, operational documentation, and evidence of outcomes achieved.
Effectiveness (ISO 9000:2015, ISO 20000-10:2018)
- extent to which planned activities are realized and planned results are achieved.
Efficiency (ISO 9000:2015)
- relationship between the result achieved and the resources used.
Enterprise (TOGAF)
- any collection of Organizations that has a common set of goals.
Example: an enterprise could be a government agency, a whole corporation, a division of a corporation, a single department, or a chain of geographically distant Organizations linked together by common ownership. An extended enterprise nowadays frequently includes partners, suppliers, and customers.
Enterprise or corporate governance
- The functions carried out by the governing body of an entity and the top management of the Organisations of an entity.
Entity (ISO 27014:2020)
- a corporate or enterprise group of companies or a single company in the public or private sector, a government body or a body owned or controlled by the government. An entity can have multiple Organizations within itself or be identical to the organisation, as in smaller companies. The entity has governance authority over the organisation.
Evaluate (ISO 38500:2015)
- consider and make informed judgements. In the context of governance of IT, evaluate involves judgements about the internal and external, current and future circumstances and opportunities relating to the organisation’s current and future use of IT.
Executive manager (ISO 38500:2015)
- person who has authority delegated from the governing body for implementation of strategies and policies to fulfil the purpose of the organisation. Executive managers can include roles which report to the governing body or the head of the organisation or have overall accountability for a major reporting function, for example Chief Executive Officers (CEOs), Heads of Government Organizations, Chief Financial Officers (CFOs), Chief Operating Officers (COOs), Chief Information Officers (CIOs), and similar roles. In management standards, executive managers can be referred to as top management.
Executive management
- usually maps to the top management of the entity and its Organisations. Designations are usually in the form of CXOs.
External supplier (ISO 20000-10:2018)
- another party that is external to the organisation that enters into a contract to contribute to the planning, design, transition, delivery or improvement of a service, service component or process.
Function, Operation
- what an entity does in order to fulfil its goal, mission and objectives. Typically comprises activities, processes and practices.
Governance (ISO 38500:2015)
- system of directing and controlling
Governance of information security
system by which an organisation’s information security activities are directed and controlled. (ISO 27000:2018)
the means by which an organisation’s governing body provides overall direction and control of activities that affect the security of an organisation’s information. This direction and control focuses on circumstances where inadequate information security can adversely affect the organisation’s ability to achieve its overall objectives. (ISO/IEC 27014:2020, Recommendation ITU-T X.1054 (04/2021))
It is common for a governing body to realise its governance objectives by:
- providing direction by setting strategies and policies;
- monitoring the performance of the organization; and
- evaluating proposals and plans developed by managers.
Management of information security is associated with ensuring the achievement of the objectives of the organisation described within the strategies and policies established by the governing body. This can include interacting with the governing body by:
- providing proposals and plans for consideration by the governing body; and
- providing information to the governing body concerning the performance of the organization.
Effective governance of information security requires both members of the governing body and managers to fulfil their respective roles in a consistent way.
Governance of IT (ISO 38500:2015)
- system by which the current and future use of IT is directed and controlled.
Governance of IT is a component or a subset of organisational governance. The term governance of IT is equivalent to corporate governance of IT, enterprise governance of IT, and organisational governance of IT.
Note: Typically, Enterprise IT Governance deals with resources required to acquire, process, store and disseminate information. Enterprise Information Security Governance deals with assurance of information confidentiality, integrity and availability and effective communication of the same with various external stakeholders.
Governing body (ISO 27014:2020)
- person or group of people who are accountable for the performance and conformance of the entity.
Impact
- outcome of a disruption affecting objectives.
Impact analysis
- process of analysing all operational functions and the effect that an operational interruption can have upon them.
Note 1: Impact analysis, a component of risk assessment, includes business impact analysis and identifies the nature of potential losses, the potential for escalating damage over time, the essential minimum services and resources required for business continuity, and the recovery timeline and scope for organizational activities, functions, and services.
Incident
- an unexpected interruption or degradation of service, or an event that has not yet affected service delivery to customers or users.
Interested party, Stakeholder (ISO 9000:2015)
- person or organisation that can affect, be affected by, or perceive itself to be affected by a decision or activity.
Internal supplier (ISO 20000-10:2018)
- part of a larger organisation that is outside the scope of the SMS, that enters into a documented agreement to contribute to the planning, design, transition, delivery or improvement of a service, service component or process.
EXAMPLE - procurement, infrastructure, finance, human resources, facilities.
Key Performance Indicators (KPI)
a mechanism for measurement.
a measurable value that organisations use to evaluate their performance against strategic and operational goals.
Note 1: Terms such as objectives, metrics, goals, targets, KPIs, and outcomes are often used interchangeably, which can lead to confusion, especially during external audits. Organisations should clarify the context in which these terms are used.
Likelihood
- chance of something happening.
Note 1: In risk management, “likelihood” refers to the probability of an event, defined in various ways, including objectively, subjectively, qualitatively, quantitatively, or mathematically (e.g., probability or frequency over time).
Note 2: While “likelihood” and “probability” may be used differently in English, in risk management, “likelihood” is intended to be as broadly interpreted as “probability” is in many non-English languages.
Levels of management hierarchy
Entities usually have the following levels of management hierarchy with regard to business/ IT / Information Security goals, plans, activities and functions:
Strategic Level: long term (multi-year) planning, goal setting, management oversight activities and accountability lies with the governing body and top management. IS/ISO/IEC 9001:2015 defines the term “strategic direction”.
Tactical Level: short term (quarterly/ half-yearly/ yearly) planning, target setting, management oversight activities and responsibility lies with the top management and senior management.
Operational Level: ultra-short term (daily/ weekly/ fortnightly/ monthly) planning, target setting, management activities and responsibility lies with the senior, middle level and lower-level management.
Note 1: The term Business as Usual (BAU) is also used for operational level functions and activities.
Note 2: Audit and compliance verification/ validation is usually done across the three time-frames: long term, short term and ultra-short term.
Note 3: One mechanism to distinguish the levels of hierarchy within an entity is by the financial powers and decision authority that is delegated to each level. Another mechanism is the type of decision making that is allowed (strategic, tactical or operational) and the chain of command/ reporting.
Lower management
- usually maps to supervisory or operative management, the first line managers of systems, processes, and teams.
Management (ISO 38500:2015)
- exercise of control and supervision within the authority and accountability established by governance.
Note: The term management describes the coordinated activities to direct and control an organisation (ISO 9000:2015). It can include establishing policies and objectives, and processes to achieve the objectives. It is also used as a collective term for those with responsibility for controlling an organisation or parts of an organisation. The term managers is used to avoid confusion with management systems.
Managers (ISO 38500:2015)
- group of people responsible for control and supervision of an organisation or parts of an organisation. Executive managers are a category of managers.
Middle management
- usually maps to department or branch management, the second line managers of systems, processes, and teams.
Mission (ISO 9000:2015)
- organisation’s purpose for existing as expressed by top management.
Monitor (ISO 38500:2015)
- review as a basis for appropriate decisions and adjustments. Monitoring involves routinely obtaining information about progress against plans as well as the periodic examination of overall achievements against agreed strategies and outcomes to provide a basis for decision making and adjustments to plans. Monitoring includes reviewing compliance with relevant legislation, regulations, and organisational policies.
Objective (ISO 9000:2015)
- result to be achieved. An objective can relate to different disciplines, be strategic, tactical, or operational, and can apply at different levels (such as strategic, organisation-wide, project, product and process). An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, or by other words with similar meaning (e.g. aim, goal, or target).
Note: Objectives are usually defined using SMART - Specific, Measurable, Achievable, Relevant and Time bound - statements of purpose.
Organisation (ISO 27014:2020)
- The whole entity or part of an entity, which works under the governance authority of the entity.
Note: ISO/IEC 27014:2020 provides the distinction between entity and organisation in the context of ISMS. By definition, the ISMS covers the whole of an organisation, which by itself may cover the whole of the entity or part of the entity. Typically the two terms defined in ISO 27014:2020 are applied to both the governance of IT and Information Security.
Organisational governance (ISO 38500:2015)
- system by which Organisations are directed and controlled.
Organisational resilience
- the capacity of an organization to endure and adapt to changes in the environment.
Outcome
- the result or effect of an action. Typically expressed using quantifiable/ measurable/ comparative units.
Note: Objectives are rooted in intention and planning. Outcomes are the results of execution. Achievement of objectives can be measured through the outcomes.
Outsource
- the practice of delegating a portion of an organization’s functions or processes to an external entity.
Preventive action
- proactive measures taken to remove the root causes of potential nonconformities or other undesirable situations to prevent their occurrence.
Problem
- the origin of one or more actual or potential incidents.
Protection
- strategies and safeguards implemented by an organization to lessen the impact of potential disruptions.
Recovery
- the process of restoring and, where appropriate, enhancing the operations, infrastructure, livelihoods, or living conditions of organizations affected by disruptions, including actions to reduce risk factors.
Resource
- the collective term for all assets, including equipment and facilities, personnel, expertise, technology, premises, supplies, and information, that an organization requires for its operations and to achieve its goals.
Response plan
- a detailed set of procedures and information compiled and maintained in readiness for deployment during an incident.
Response programme
- a structured approach, including plans, processes, and resources, to conduct activities and provide services essential for the preservation and protection of life, property, operations, and critical assets.
Note 1: Typical response actions include recognizing the incident, notifying the appropriate parties, assessing the situation, declaring the incident, executing the response plan, communicating with stakeholders, and managing resources.
Response team
- a dedicated group responsible for formulating, implementing, practicing, and updating the response plan and its associated processes and procedures.
Responsibility
obligation to act and take decisions to achieve required outcomes. (ISO 38500:2015)
an obligation to perform an assigned task or duty and take ownership of the outcomes or results.
Risk
- the potential effect of uncertainty on objectives.
Note 1: An effect can deviate from what was expected, positively, negatively, or both, and can lead to opportunities as well as threats.
Note 2: Objectives can vary in nature and category and can be applied at different organizational levels.
Note 3: Risk is often characterized by the sources of risk, potential events, their outcomes, and the probability of occurrence.
Risk analysis
- the examination of risk nature and the assessment of risk levels.
Note 1: Risk analysis informs risk evaluation and decisions regarding risk management.
Note 2: It encompasses risk estimation.
Risk assessment
- the comprehensive process of risk identification, risk analysis, and risk evaluation.
Note 1: This involves pinpointing internal and external threats and vulnerabilities, assessing the likelihood and impact of potential events, defining essential operations, establishing controls to minimize exposure, and evaluating control costs.
Risk communication
- the sharing and exchange of risk-related information among decision-makers and other stakeholders.
Note 1: This information may concern the existence, characteristics, probability, severity, acceptability, management, or other aspects of risk.
Risk criteria
- benchmarks used to gauge the significance of a risk.
Note 1: These criteria are derived from organizational goals and both external and internal contexts.
Note 2: They may be based on standards, laws, policies, and other regulations.
Risk evaluation
- the process of comparing risk analysis outcomes with predefined risk criteria to decide if the risk and its magnitude are acceptable.
Note 1: Risk evaluation aids in making decisions about risk management.
Risk identification
- the act of detecting, recognizing, and describing risks.
Note 1: This includes pinpointing risk sources, events, their causes, and potential outcomes.
Note 2: Risk identification may use historical data, theoretical analysis, expert input, and stakeholder needs.
Risk management
- the orchestrated efforts to guide and control an organization with respect to risk.
Risk mitigation
- the process of reducing the negative effects of a hazardous event.
Risk owner
- the party responsible and accountable for managing a particular risk.
Risk reduction
- actions aimed at decreasing the likelihood or adverse consequences associated with a risk.
Risk register
- a documented record of identified risks.
Note 1: It compiles all risks identified, analysed, and evaluated in the risk assessment process, including details on probability, outcomes, mitigation measures, and risk owners.
Risk sharing
- a risk management strategy that involves distributing risk among various parties through agreement.
Note 1: Legal or regulatory stipulations may restrict, forbid, or mandate risk sharing.
Note 2: It can be executed via insurance or contractual agreements.
Note 3: The degree of risk distribution depends on the reliability and clarity of the sharing arrangements.
Note 4: Risk transfer is a type of risk sharing.
Risk source
- a factor or combination of factors that can potentially lead to risk.
Risk tolerance
- the willingness of an organization or stakeholder to accept risk following risk management measures.
Note 1: Risk tolerance may be influenced by clients, stakeholders, legal, or regulatory requirements.
Risk treatment
- the process of modifying risk.
Note 1: This can include avoiding, accepting, reducing, or sharing risk, as well as pursuing opportunities presented by the risk.
Note 2: Measures addressing negative outcomes are often termed as risk mitigation, elimination, prevention, or reduction.
Note 3: Risk treatment can introduce new risks or alter existing ones.
Robustness
- the strength of a system to withstand internal or external attacks, whether virtual or physical.
Note 1: This includes the system’s ability to resist imitation, intrusion, or circumvention.
Security management
- the coordinated actions to steer and oversee an organization in terms of security and resilience.
Security policy
- a formal set of guidelines and procedures designed to safeguard information and computing resources.
Senior management
- usually maps to the management that is one rung lower than the top management. In practice, general managers (GM) business unit, line and staff management heads are part of the senior management.
Service
- a means of providing value to customers by enabling desired outcomes.
Note 1: Services are usually intangible in nature.
Note 2: Within the context of the SMS, ‘service’ specifically refers to the services covered by the system. Any other use of the term is clearly differentiated.
Service Level Agreement (SLA)
- a formalized agreement that outlines the services provided and their expected level of performance.
Note 1: SLAs can also be established with external or internal suppliers, or with customers who act as suppliers.
Note 2: An SLA may be part of a contract or another formal agreement.
Service integrator (ISO 20000-10:2018)
- entity that manages the integration of services and service components delivered by multiple suppliers
Note: The role of the service integrator supports the promotion of end-to-end service management, particularly in complex supply chains by ensuring all parties are aware of, enabled to perform, and are held accountable for their role in the supply chain.
Service management
- the capabilities and processes used to direct and manage an organization’s activities and resources for the design, transition, delivery, and enhancement of services.
Note 1: Organizations can tailor these requirements into their processes, using sub-clauses to define their SMS processes.
Note 2: An SMS encompasses policies, objectives, plans, processes, documented information, and resources needed for service planning, design, transition, delivery, and improvement.
Service provider (ISO 20000-10:2018)
- organisation that manages and delivers a service or services to customers.
Strategy (ISO 9000:2015)
- plan to achieve a long-term or overall objective.
Threat
- a potential source of harm or adverse event that could negatively impact individuals, assets, systems, organizations, the environment, or communities.
Top management (ISO 27014:2020)
- person or group of people who direct and control the organisation (as defined above) at the highest level. The top management of the organisation is accountable to the governing body of the entity and has the power to delegate authority and provide resources within the organisation. In smaller entities, where the entity and organisation are identical, top management is the same as governing body.
Use of IT (ISO 38500:2015)
- planning, design, development, deployment, operation, management, and application of IT to fulfil business objectives and create value for the organisation. The use of IT includes the demand for, and the supply of, IT, the current and future use of IT.
User (ISO 20000-10:2018)
- individual or group that interacts with or benefits from a service or services.
Note: Examples of users include a person or community of people. A customer can also be a user.
Validation
- the act of confirming that certain criteria or requirements have been met for a specific purpose or use, supported by objective evidence.
Value
- the significance, advantage, or utility of something.
Example: This could be monetary worth, service delivery success, meeting service management goals, retaining customers, or eliminating obstacles.
Note 1: Value creation from services involves achieving benefits while managing resources efficiently and handling risks. Both assets and services can be assigned value.
Verification
- the process of confirming that specific requirements have been satisfied, based on objective evidence.
Vision (ISO 9000:2015)
- aspiration of what an organisation would like to become as expressed by top management.
Vulnerability
- a detectable flaw or weakness in a computer system’s hardware or software that could be exploited, leading to malfunction or unintended operation.
Weakness
Defect or characteristic that may lead to undesirable behavior.
A condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.
Workforce
- all individuals contributing to the achievement of an organization’s goals, including employees, temporary staff, contractors, and volunteers.
Note 1: This documentation uses the term composite workforce to refer to all the entities and individuals who “work” for the organisation. The composite workforce comprises the organisation’s own employees, contracted manpower and third-party product and services providers.
Note 2: Automation agents and bots provide a hugely scalable non-human workforce that supplements the limited human workforce.
Business Terms
Asset
- a resource, object, or entity that holds potential or actual significance to an organisation.
Note 1: Value may be material or immaterial, encompassing both monetary and non-monetary aspects, and takes into account potential risks and obligations. Throughout various stages of an asset’s lifecycle, its value can fluctuate, presenting either positive or negative worth.
Note 2: Physical assets typically denote the tangible items such as machinery, stock, and real estate that are in the possession of the organization. Physical assets are the opposite of intangible assets, which are non-physical assets such as leases, brands, digital assets, use rights, licences, intellectual property rights, reputation, or agreements.
Note 3: A grouping of assets referred to as an asset system could also be considered as an asset.
Note 4: An asset can also be a configuration item. Some configuration items are not assets.
Business Process
- a collection of related, structured activities or tasks performed by people or equipment in which a specific sequence produces a service or product (that serves a particular business goal) for a particular customer or customers. Source
Note 1: Processes are the structure by which an organisation does what is necessary to produce value for its customers, partners and employees. A business process begins with a mission or business objective and ends with achievement of the business objective.
Note 2: Business processes can be categorised into:
Strategic processes, which are managerial, directive or steering processes.
Operational processes, which generate products or services to be delivered to customers.
Support processes, which support the operational and strategic processes.
Note 3: Each business process has a process owner (i.e., the person responsible for the continuous improvement of the process). The process owner may be the same as or different from the one who performs the process.
Industrial Process
- operational process that is carried out using operations technology (OT), Industrial Internet of Things (IIoT), Industrial Control Systems (ICS) and/ or Industrial Automation and Control Systems (IACS).
Business impact analysis (ISO/IEC 27031:2011)
- process of analysing operational functions and the effect that a disruption might have upon them.
Acquirer
- critical sector entities, central agencies and others, who acquire a System for their use.
Note 1: Some acquirers may carry out all the System lifecycle related activities in-house, using their own teams or contracted personnel. Often, the acquirers get the System delivered, installed, commissioned and supported by third parties, and have a project management team to oversee all the project related activities.
Original Equipment Manufacturer (OEM)
- an organisation that “owns” or “holds in custody” the design and code of the hardware, appliances and software products. They are responsible for the product maintenance, updates and upgrades.
OEM provided Advanced Services
- different types of professional services provided by the OEMs directly for their products.
Note 1: Most OEMs provide professional services of an advanced nature directly using the OEM’s own teams for the type of work that may be beyond the competence or credibility levels of Partners and Resellers.
Authorized Professional Services
- different types of professional services provided by the OEM Partners or Resellers for the OEM products.
Note 1: Typically, repetitive services such as installation & commissioning, Level 1 and Level 2 support are delivered by the OEM’s Partners or Resellers, based on training and competency certification given by the OEM.
Authorized Partners
- organisations, who have been authorised by the OEM to supply the OEM products and/ or provide various services related to the OEM SKUs, such as, installation & commissioning, operations & maintenance support services.
Note 1: OEM(s) develop and manage their partner ecosystem.
Authorized Resellers/ Distributors
- organisations, who have been authorised by the OEM to sell and deliver the OEM SKUs to the Acquirers.
Note 1: Usually these organisations do not provide any installation & commissioning, operations & maintenance support services. OEM(s) develop and manage their own reseller/ distributor ecosystem.
Cloud Service Provider (CSP)
- provides the infrastructure and platforms (IaaS, PaaS) for hosting a System on a public, private or government community cloud.
Internet Service Provider (ISP)
- provides basic network (IP) connectivity between different locations, such as CSEs, Central Agencies, CSP datacentres etc. In addition, they may also provide services, such as DDoS mitigation, site-to-site VPNs, etc.
Subscription Service Provider (SSP)
- provides various subscription services, such as domain registration and management, DNS, CASB, Cloud-based identity and Zero Trust, SSL/ SSH certificate management, etc.
System Integrators (SI)
- organisations, who usually front-end the bidding, contracting, delivery and support of turnkey projects of the Acquirers. They may themselves be Authorized Partners or may engage and work with the OEMs, OEM Partners, Authorized Resellers/ Distributors, CSPs, ISPs, SSPs etc, for delivery of the System.
Managed Services Provider (MSP), Managed Security Services Provider (MSSP)
- organisations, who provide services for operating, managing and securing the Acquirers’ IT and OT during the operating phase.
Technology Terms
Asset
- see here
Communication Device (ITAA-2008)
- Cell Phones, Personal Digital Assistance (Sic), or combination of both or any other device used to communicate, send or transmit any text, video, audio, or image.
Computer (ITAA-2008)
- any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network.
Note: The definition is also applied to OT and IIoT devices having programmable or upgradable software or firmware, such as i) PLCs, RTUs etc, and ii) CCTV cameras, smartcard and biometric readers etc.
Computer Network (ITAA-2008)
- the interconnection of one or more Computers or Computer systems or Communication device through i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained.
Computer Resource (ITAA-2008)
- computer, communication device, computer system, computer network, data, computer database or software.
Note 1: The term “Resource” is also used when there is no ambiguity that it refers to a computer resource.
Note 2: The term is explicitly used for information technology (IT) elements and implicitly for describing elements of operations technology (OT) and Internet of Things (IoT). An alternative term for OT elements is ICS elements. Further, the term ICS also includes operations technology (OT) and IACS elements. At places where required, the terms OT and IACS are explicitly defined.
Computer System (ITAA-2008)
- a device or collection of devices, including input and output support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, which contain computer programmes, electronic instructions, input data, and output data, that performs logic, arithmetic, data storage and retrieval, communication control and other functions.
Note: The definition is also applied to OT and IIoT systems having programmable or upgradable OT and IIoT devices, such as i) SCADA, DCS etc, and ii) smart grid technologies, such as automatic meter infrastructure etc.
Configuration Item (CI)
- element that needs to be controlled in order to deliver a service or services.
Note 1: Every IT, OT, IIoT or cybersecurity asset that is in-use within the information infrastructure has to be configured, managed, and protected while it is in-use. The in-use asset is termed as a Configuration Item.
Cyber incident (G.S.R 20(E), 16 Jan 2014)
- any real or suspected adverse event that is likely to cause or causes an offence or contravention, harm to critical functions and services across the public and private sectors by impairing the confidentiality, integrity, or availability of electronic information, systems, services or networks resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource, changes to data or information without authorisation; or threatens public safety, undermines public confidence, have a negative effect on the national economy, or diminishes the security posture of the nation.
Cyber security incident (G.S.R 20(E), 16 Jan 2014)
- any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy resulting in unauthorized access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information or changes to data, information without authorisation.
Cybersecurity breach (G.S.R 20(E), 16 Jan 2014)
- unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource.
Data (ITAA-2008)
- a representation of information, knowledge, facts, concepts, or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer.
Defence in depth
- the provision of multiple security protections, particularly in layers, with the intention to delay if not prevent an attack.
Note 1: This approach involves multiple security measures, including detection systems, to challenge attackers at every layer, mitigate weaknesses in any single layer, and integrate system security into the broader network security architecture.
Information (ITAA-2008)
- includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or microfilm or computer-generated micro fiche.
Information infrastructure
- conglomeration of all computer resources of an entity or a group of entities, viz. systems, networks, applications, databases and information, along with the associated user and machine identities.
Note 1: This term is derived from the ITAA-2008 definitions of ‘computer resources’ and ‘critical information infrastructure’ and the term ‘federated digital ecosystem’ in this documentation.
Note 2: The term can also be used in a larger context that includes
- the technical practices and processes to configure, administer, manage, secure and maintain the conglomeration of computer resources.
- the composite workforce that carries out the technical practices and processes.
Information security incident
- a single event, or a series of unwanted information security events, with a significant likelihood of jeopardizing business operations and information security.
Root of Trust (NIST)
- highly reliable hardware, firmware, and software components that perform specific, critical security functions.
- a starting point that is implicitly trusted.
Note 1: Because a root of trust is trusted implicitly, it cannot be verified by the components that depend on it; it must therefore be secure by design and is typically anchored in hardware or immutable firmware.
Security operation
- activities and functions aimed at protecting individuals and safeguarding tangible and intangible assets.
Security operations management
- the organized activities that guide and oversee an organization’s security operations.
Note 1: This typically involves formulating policies, setting objectives, planning operational processes, and fostering continuous improvement.
Security operations programme
- a continuous management and governance initiative, backed by senior leadership and adequately resourced, to ensure coordinated action towards meeting the goals of the security operations management system.
Security threat scenario
- a potential sequence of events that could lead to a security incident.
Threat action
- an attack on system security.
Threat agent
- the entity responsible for initiating a threat action.
Threat analysis
- the process of identifying and assessing the potential sources of harm and their possible impact.
Vulnerability analysis
- the process of identifying and measuring weaknesses that could be exploited by threats.
Vulnerability assessment
- the systematic evaluation and quantification of vulnerabilities.
Other Terms
Indian Regulations
Regulated entities (Reserve Bank of India (RBI))
- financial institutions such as commercial banks, non-banking financial companies (NBFCs), and credit information companies that are subject to RBI’s guidelines to ensure stability, transparency, and customer protection in the financial sector.
Regulated entities (Securities and Exchange Board of India (SEBI))
- financial institutions and organizations that operate under the supervision of SEBI. These entities must comply with specific regulations set forth by SEBI to ensure market integrity and protect investors.
Responsible entities (Central Electricity Authority (CEA))
- power sector entities deploying Operational Technologies with or without IT systems, including Generating companies including the captive plants, Renewable Energy Sources, Energy Storage System, Transmission Licensees including deemed transmission licensee, Distribution Licensees, National Load Dispatch Centre, Regional Load Dispatch Centers, State Load Dispatch Centers, Control Centers of distribution licensee, Central Transmission Utility, State Transmission Utilities, and Renewable Energy Management Centers, forecasting service provider, Traders, Power Exchanges, Qualified Coordinating Agencies.
Note: Responsible entities serve various roles in the power sector and are sector participants with significant exposure to cyber threats.
Authorised entities (Department of Telecom (DoT))
- a person holding an authorisation for
- providing telecommunication services;
- establishing, operating, maintaining or expanding telecommunication networks; or
- possessing radio equipment.
NCIIPC-QCI Conformity Assessment Framework
The following terms are defined in the NCIIPC-QCI Conformity Assessment Framework and are to be read in line with the definitions notified in IS/ISO/IEC 27000 and its family of standards.
Accreditation
- third-party attestation related to a conformity assessment body conveying formal demonstration of its competence to carry out specific conformity assessment tasks.
Accreditation Body
- authoritative body that performs accreditation. The authority of an accreditation body can be derived from government, public authorities, contracts, market acceptance or Scheme owners.
Assessment
- process that evaluates a person’s fulfilment of the requirements of the Scheme.
Attest
- process that confirms the conformance of the entity and individual certified, inspected, accredited, or approved.
Attestation
- issue of a statement, based on a decision following review, that fulfilment of specified requirements has been demonstrated. The resulting statement, referred to in this Standard as a "statement of conformity", conveys the assurance that the specified requirements have been fulfilled. Such an assurance does not, of itself, afford contractual or other legal guarantees. First-party and third-party attestation activities are distinguished by the terms "declaration" (first-party) and "certification" or "accreditation" (third-party). For second-party attestation, no special term is available.
Certificate
- document issued by a certification body under the provisions of this Standard, indicating that the named person has fulfilled the certification requirements.
Certification
- third-party attestation related to products, processes, systems or persons. Certification of a management system is sometimes also called registration. Certification is applicable to all objects of conformity assessment except for conformity assessment bodies themselves, to which accreditation is applicable.
Conformity assessment
- demonstration that specified requirements are fulfilled. Conformity Assessment includes activities, such as but not limited to testing, inspection, validation, verification, certification, and accreditation.
Conformity Assessment Body
- body that performs conformity assessment activities, excluding accreditation. The CAF includes the following conformity assessment bodies:
- Certification Body (CB)
- Inspection Body (IB)
- Certification Body for Persons (PrCB)
Conformity Assessment Framework
- structure of processes and specifications, related to a conformity assessment system, designed to support the accomplishment of a specific task. Various conformity assessment Schemes can be used to determine whether specified requirements are fulfilled; they include, but are not limited to, inspection, evaluation and audit of management systems. Within a framework, these conformity assessment Schemes and systems share a common vocabulary, principles and family of standards, which ensures interoperability between the Schemes.
Conformity Assessment System
- set of rules and procedures for the management of similar or related conformity assessment schemes. A conformity assessment system can be operated at an international, regional, national, sub-national, or industry sector level.
Conformity Assessment Scheme
- set of rules and procedures that describes the objects of conformity assessment, identifies the specified requirements and provides the methodology for performing conformity assessment. A Scheme can be managed within a conformity assessment system. A Scheme can be operated at an international, regional, national, sub-national, or industry sector level. A Scheme can cover all or part of the conformity assessment functions.
Inspection
- examining a product’s design, the product itself, or an installation to determine its conformity with specific requirements. This determination is made either through adherence to explicit criteria or, when professional judgment is applied, in accordance with general conditions.
Object of conformity assessment
- entity to which specified requirements apply.
Example: product, process, service, system, installation, project, data, design, material, claim, person, body or organisation, or any combination thereof. The term "body" is used in this framework to refer to conformity assessment bodies and accreditation bodies. The term "organisation" is used in its general meaning and may include bodies according to the context.
Scope of attestation
- range or characteristics of objects of conformity assessment covered by attestation.
Surveillance
- systematic iteration of conformity assessment activities as a basis for maintaining the validity of the statement of conformity.
Suspension
- temporary invalidation of the statement of conformity for all or part of the specified scope of attestation.
Withdrawal
- revocation or cancellation of the statement of conformity.
Appeal
- request by the provider of the object of conformity assessment to the conformity assessment body or accreditation body for reconsideration by that body of a decision it has made relating to that object.