- The glossary covers over 50 technical terms from the areas of ISMS, ISO 27001, NIS2, data protection and IT security.
- Each term is explained in 2-4 sentences in clear language, without unnecessary jargon.
- Cross-references to in-depth articles help you explore individual topics further as needed.
- The glossary serves as a reference for ISOs, auditors, executives and anyone working with information security.
Why an ISMS Glossary?
Anyone working with information security quickly encounters a flood of technical terms, abbreviations and standard references. ISO 27001, BSI IT-Grundschutz, NIS2, TISAX and the DSGVO (GDPR) each bring their own terminologies that partly overlap and partly differ in subtle ways. This makes getting started unnecessarily difficult and in practice regularly leads to misunderstandings between the IT department, management and external consultants.
This glossary creates a common language foundation. It explains over 50 key terms from the ISMS domain in understandable language without sacrificing technical precision. If you are currently building an ISMS, this glossary is your reference for the most important technical terms. The alphabetical arrangement makes it a reference work you can consult at any time when you encounter a term in an audit report, a standard or a technical article.
Where a relevant in-depth article exists, you will find a link at the end of each explanation. This lets you dive deeper as needed.
A
Annex A
Annex A is the normative annex of ISO 27001 and contains a catalog of 93 security controls, organized into four categories: organizational, people, physical and technological controls. It serves as a reference list when creating the Statement of Applicability (SoA). You do not have to implement all controls, but you must justify for each one whether it is applicable or not. Since the 2022 revision, the former 114 controls in 14 categories have been restructured into the more compact format of 93 controls in 4 categories.
Further reading: Creating the Statement of Applicability (SoA)
Asset
An asset is a valuable resource of your organization that requires protection. This encompasses far more than just hardware: information (customer data, contracts, source code), IT systems (servers, databases, cloud services), software, business processes and even the knowledge of individual people all count. Systematic identification of all assets is a cornerstone of risk assessment — because you can only protect what you know about. ISO 27001 requires an up-to-date asset inventory with clear responsibilities.
Further reading: IT Asset Management in the ISMS
Audit
An audit is a systematic, independent review of whether your ISMS meets the requirements of the standard and whether documented processes are actually followed in practice. A distinction is made between internal audits (first-party), which you conduct yourself, external audits by customers or partners (second-party), and certification audits by accredited bodies (third-party). ISO 27001 requires regular internal audits as part of the continuous improvement process. A good audit does not look for blame but for improvement potential.
Further reading: Conducting an Internal ISMS Audit
Authentication
Authentication is the process by which a person or system proves their identity. This is classically done through knowledge (password), possession (hardware token, smartphone) or biometrics (fingerprint, facial recognition). In information security, authentication is the first line of defense against unauthorized access. Modern systems combine at least two of these factors (multi-factor authentication) because individual factors such as passwords alone are too easily compromised.
Authorization
Authorization follows authentication and determines what actions an authenticated user is actually permitted to perform. While authentication answers the question "Who are you?", authorization clarifies "What are you allowed to do?" Typical implementations are role-based access controls (RBAC), where permissions are tied to roles rather than individuals. A well-designed access control concept based on the principle of least privilege ensures that everyone receives only the rights they actually need for their tasks.
Further reading: Creating an Access Control Concept
Awareness
Awareness (security awareness) describes employees' knowledge of and attention to information security risks in daily work. A technically perfectly secured system is of little use if employees fall for phishing emails or leave confidential documents lying around. ISO 27001 therefore requires a systematic awareness program that goes beyond one-time mandatory training and builds a sustainable security culture. Effective programs combine regular training with simulated phishing tests, short videos and practical examples.
Further reading: Building a Security Awareness Program
B
BCM (Business Continuity Management)
Business Continuity Management is a holistic management process that ensures critical business processes continue running — or can be restored within defined timeframes — even during severe disruptions or disasters. BCM goes beyond pure IT disaster recovery and also considers supply chains, personnel, buildings and communication. The foundation is the Business Impact Analysis (BIA), which determines how quickly processes must be restored and what damages result from outages.
BIA (Business Impact Analysis)
The Business Impact Analysis is a structured procedure for evaluating the consequences of outages to critical business processes. For each process, you determine the maximum tolerable downtime, the financial and operational damages at various outage durations, and the dependencies between processes and IT systems. The BIA results feed directly into disaster recovery planning and determine restoration priorities. It is also the basis for defining RTO and RPO.
Further reading: Conducting a Business Impact Analysis (BIA)
BSI (Federal Office for Information Security)
The BSI is Germany's central federal authority for IT security. It publishes the IT-Grundschutz catalog, issues warnings about current threats and has served as the national supervisory authority for cybersecurity since NIS2. For companies, the BSI is primarily relevant through its IT-Grundschutz, which — with its building blocks and measure recommendations — offers a more concrete path to information security than the abstract ISO 27001. Since 2023, the BSI has also played a central role in transposing the NIS2 Directive into German law.
C
CIA Triad
The CIA triad describes the three fundamental protection goals of information security: Confidentiality, Integrity and Availability. Confidentiality means that information is accessible only to authorized persons. Integrity ensures that data remain correct and unaltered. Availability guarantees that systems and information are reachable when needed. Every security measure can be mapped to at least one of these three goals, and the protection needs assessment evaluates each asset's needs in every dimension.
Further reading: The CIA Triad Explained: Confidentiality, Integrity and Availability | Protection Needs Assessment
Cloud Act
The Cloud Act (Clarifying Lawful Overseas Use of Data Act) is a US law from 2018 that enables US authorities to access data held by US companies, regardless of where the data are physically stored. For European companies, this means: using cloud services from US providers cannot ensure through a European server location alone that US authorities have no access. In the ISMS context, the Cloud Act is a key factor in the risk assessment of cloud services and vendor selection. The combination of the Cloud Act and the Schrems II ruling has significantly shaped the debate around data sovereignty and European alternatives.
Further reading: Cloud Act and Schrems II: What Does It Mean for Your ISMS?
Compliance
Compliance refers to adherence to legal regulations, standards, contractual agreements and internal policies. In the ISMS context, this encompasses conformity with ISO 27001, GDPR, NIS2, industry-specific requirements like TISAX and your own security policies. Compliance is not an end in itself but creates legal certainty, strengthens the trust of customers and partners, and protects against fines. An effective ISMS already covers most compliance requirements through its structure.
Control
A control (also: security measure) is a technical, organizational, physical or people-related safeguard that reduces an identified risk. Controls can be preventive (e.g., firewall, access control), detective (e.g., monitoring, audit logs) or reactive (e.g., incident response plan). ISO 27001 Annex A lists 93 standardized controls, but you can and should define your own controls as needed. What matters is that every control is mapped to a specific risk and its effectiveness is measurable.
CVSS (Common Vulnerability Scoring System)
CVSS is a standardized scoring system for the severity of software vulnerabilities on a scale of 0.0 to 10.0. It considers factors such as the attack vector (local or network), the complexity of exploitation, the required privileges and the impacts on confidentiality, integrity and availability. You will find CVSS scores in vulnerability databases like the National Vulnerability Database (NVD), and they help you prioritize patches. A score of 7.0 or above is considered high; 9.0 or above is critical.
D
Data Breach
A data breach occurs when personal data are disclosed, altered, deleted or otherwise compromised without authorization. The GDPR requires you to report a data breach to the competent supervisory authority within 72 hours if it is likely to pose a risk to the rights and freedoms of the affected individuals. Where the risk is high, the affected individuals must also be notified. A well-documented reporting chain and clear responsibilities in the incident response plan are essential.
Further reading: Reporting a GDPR Data Breach
Data Sovereignty
Data sovereignty describes a company's ability to maintain full control over its own data. This encompasses the storage location, access rights and the conditions of processing. In times of cloud services, SaaS solutions and international data transfers, data sovereignty becomes a strategic issue for every organization. Losing control over your data risks not only compliance violations but also operational dependencies that can become problematic in a crisis.
Further reading: Data Sovereignty in the ISMS
Digital Sovereignty
Digital sovereignty refers to the ability to independently and self-determinedly manage digital technologies and data. It goes beyond pure data sovereignty and also encompasses technological independence in software, infrastructure and digital processes. For companies, this means not making critical IT systems fully dependent on individual providers or legal jurisdictions. In the ISMS context, digital sovereignty factors into the risk assessment of supply chains and service providers and is gaining importance through regulatory developments such as NIS2 and the EU Data Act.
Further reading: Digital Sovereignty for SMEs
DSGVO (GDPR — General Data Protection Regulation)
The DSGVO (GDPR) is the European regulation on the protection of personal data, in effect since May 2018. It regulates how personal data may be collected, processed, stored and deleted. For the ISMS, the GDPR is relevant because information security and data protection are closely intertwined: many technical and organizational measures (TOMs) serve both objectives. The regulation requires, among other things, a record of processing activities, data protection impact assessments and the reporting of data breaches.
Further reading: Creating a Record of Processing Activities (RPA) Under GDPR
F
Firewall
A firewall is a security system that monitors network traffic between different network zones and permits or blocks it based on defined rules. Modern next-generation firewalls (NGFW) can additionally identify applications, inspect encrypted traffic and perform intrusion prevention functions. In the ISMS context, the firewall is a central technical control for network segmentation and perimeter protection. What matters is not just the procurement but the regular maintenance of rule sets and monitoring of logs.
Further reading: Network Segmentation for SMEs
Framework
A framework is a structured reference system that consolidates principles, requirements and best practices for a specific domain. In information security, several relevant frameworks exist: ISO 27001 as the international standard, BSI IT-Grundschutz as the German approach, NIST Cybersecurity Framework from the US and industry-specific frameworks like TISAX for the automotive industry. The choice of the right framework depends on industry, company size, customer requirements and regulatory obligations. In ISMS Lite, you can centrally map the requirements of various frameworks and track the implementation status.
Further reading: Which Frameworks Do I Need? NIS2, ISO 27001, BSI IT-Grundschutz, TISAX Compared
G
Gap Analysis
A gap analysis is a systematic assessment that compares the current state of your information security (as-is) with the requirements of a standard (to-be). The result shows you exactly where gaps exist and where measures are already effective. For ISMS implementation, the gap analysis is the ideal starting point because it makes the actual effort visible and enables prioritization of next steps. Typically, you review every section of ISO 27001 and every relevant control from Annex A.
Scope (German: Geltungsbereich)
The scope defines which parts of the organization — which locations, processes and IT systems — are covered by the ISMS. Scope definition is one of the most important steps in building an ISMS and is required by ISO 27001 Section 4.3. A scope that is too broad overwhelms the organization; one that is too narrow leaves critical areas unprotected. Good scopes are aligned with business processes and also consider interfaces to areas outside the scope. The scope must be documented and comprehensible to all stakeholders.
Further reading: Defining the Scope
H
Hashing
Hashing is a cryptographic procedure that converts an input of arbitrary length into a fixed-length value (hash value or digest). Unlike encryption, hashing is a one-way function: the original input cannot be reconstructed from the hash value. Typical use cases include password storage (as a salted hash rather than plaintext), file integrity verification and digital signatures. Current secure algorithms include SHA-256 and SHA-3, while MD5 and SHA-1 are considered insecure and should no longer be used.
I
IDS/IPS (Intrusion Detection System / Intrusion Prevention System)
An Intrusion Detection System (IDS) monitors network traffic or system activities for suspicious patterns and reports detected anomalies to administrators. An Intrusion Prevention System (IPS) goes a step further and automatically blocks detected attacks. Both systems operate either signature-based (detecting known attack patterns) or behavior-based (detecting unusual activities). In the ISMS, IDS/IPS are classified as detective or reactive controls. They do not replace a firewall but complement it with deeper traffic analysis.
Incident (Security Incident)
A security incident is an event that actually impairs — or is highly likely to impair — the confidentiality, integrity or availability of information or IT systems. Examples include successful phishing attacks, ransomware infections, data losses due to misconfiguration or unauthorized access to confidential information. ISO 27001 requires a documented process for detecting, reporting, assessing and handling security incidents. Fast response times and clear escalation paths are critical for limiting damage.
Further reading: Detecting, Assessing and Reporting Security Incidents
ISMS (Information Security Management System)
An ISMS is a systematic approach to managing confidential information, encompassing policies, processes, technical measures and organizational structures. The goal is to identify information security risks and reduce them to an acceptable level. Unlike point security measures, an ISMS is a continuous management process based on the PDCA cycle (Plan-Do-Check-Act). ISO 27001 defines the requirements for an ISMS and forms the basis for internationally recognized certification.
Further reading: Building an ISMS: The Complete Guide
ISO 27001
ISO 27001 is the internationally leading standard for information security management systems. It specifies the requirements an ISMS must meet and provides a catalog of 93 security controls as a reference in Annex A. The current version ISO/IEC 27001:2022 modernized the control structure and incorporated new topics such as cloud security and threat intelligence. Certification to ISO 27001 by an accredited body is a prerequisite for business relationships in many industries and is increasingly recognized by NIS2 as evidence of compliance.
Further reading: NIS2 vs. ISO 27001
K
KPI (Key Performance Indicator)
KPIs in the ISMS measure the effectiveness of your security measures and the performance of the management system. ISO 27001 requires in Section 9.1 the monitoring, measurement, analysis and evaluation of information security performance. Typical KPIs include the number of security incidents per quarter, average incident response time, the percentage of patched systems, the employee training completion rate and the number of open audit findings. Good KPIs are specific, measurable and paired with a target value.
Further reading: Management Review per ISO 27001
KRITIS (Critical Infrastructure)
Critical infrastructures are facilities and installations whose failure or impairment would lead to significant supply shortages or threats to public safety. In Germany, the BSI Act defines the critical infrastructure sectors: energy, water, food, IT and telecommunications, health, finance and insurance, transport and traffic, and municipal waste disposal. Critical infrastructure operators are subject to special reporting obligations and must demonstrate adequate security measures. With NIS2, the circle of affected companies is significantly expanded.
Further reading: NIS2 for SMEs
L
Deletion Policy (German: Löschkonzept)
A deletion policy systematically describes when and how personal data are deleted once the processing purpose has ceased or statutory retention periods have expired. The GDPR anchors the right to erasure in Article 17, and a missing deletion policy is one of the most common findings in data protection audits. Good deletion policies define the retention period, deletion date, technical deletion method and responsibility for each data category. Particularly challenging is deletion in backup systems and for data distributed across multiple systems.
M
Malware
Malware (malicious software) is the umbrella term for programs designed to damage IT systems, steal data or enable unauthorized access. Common types include viruses, trojans, ransomware, spyware and rootkits. Malware reaches systems via phishing emails, infected downloads, USB drives or software vulnerabilities. Defense requires a multi-layered approach combining antivirus software, email filtering, regular updates, network segmentation and trained employees. No single tool provides complete protection.
Measure
A measure (also: control) is a concrete action or safeguard intended to reduce an identified risk to an acceptable level. Measures can be technical (firewall configuration, encryption), organizational (policies, training) or physical (access control, fire protection). In the ISMS context, every measure is mapped to a risk, assigned a responsible person, given a deadline, and reviewed for effectiveness after implementation. The documentation of measures and their status is central to the management review and to audits.
MFA (Multi-Factor Authentication)
Multi-factor authentication combines at least two different authentication factors from the categories knowledge (password, PIN), possession (smartphone, hardware token) and inherence (fingerprint, facial recognition). MFA is one of the most effective measures against account compromise because a stolen password alone is no longer sufficient for access. ISO 27001 recommends MFA for access to critical systems and privileged accounts. Implementation today is technically simple and cost-effective with TOTP apps, FIDO2 keys or push notifications.
N
NIS2 (Network and Information Security Directive 2)
NIS2 is the European directive for strengthening cybersecurity, which was transposed into national law in October 2024. It significantly expands the circle of affected companies and distinguishes between "essential" and "important" entities across 18 sectors. NIS2 obliges affected companies to implement risk management, incident reporting, supply chain security and executive liability. Fines can reach up to 10 million euros or 2% of worldwide annual revenue. Organizations already operating an ISMS per ISO 27001 already meet many NIS2 requirements.
Further reading: NIS2 for SMEs
Nonconformity
A nonconformity is a deviation from a standard requirement, an internal policy or a defined process. In the audit context, a distinction is made between major nonconformities (severe, threatening the effectiveness of the ISMS) and minor nonconformities (minor, isolated finding). A major nonconformity can prevent or suspend certification. For every nonconformity, you must perform a root cause analysis, define corrective actions and demonstrate their effectiveness. This is not a flaw but part of the continuous improvement process.
Further reading: Evaluating Audit Findings and Deriving Actions
O
OT (Operational Technology)
Operational Technology refers to hardware and software that monitors and controls physical processes in industry. This includes SCADA systems, programmable logic controllers (PLCs), industrial sensors and actuators. Unlike traditional IT, availability is the absolute priority in OT because an outage can mean production shutdowns, environmental damage or even danger to human life. The increasing interconnection of OT with IT networks (IT/OT convergence) creates new attack surfaces that must be considered in the ISMS. NIS2 directly affects many companies with OT systems for the first time.
P
Patch
A patch is a software update that closes security vulnerabilities, fixes bugs or improves functionality. Patch management is the systematic process of identifying available patches in a timely manner, testing them and rolling them out to all affected systems. Unpatched vulnerabilities are one of the most common attack vectors because attackers often exploit known vulnerabilities within days of patch publication. Good patch management defines prioritization criteria (by CVSS score and criticality), testing procedures and maximum time windows for installation.
PDCA (Plan-Do-Check-Act)
The PDCA cycle is the heart of continuous improvement in the ISMS. In the Plan phase, you analyze risks and plan measures. In the Do phase, you implement them. In the Check phase, you verify effectiveness through audits, KPIs and management reviews. In the Act phase, you derive corrective and improvement actions. ISO 27001 is structurally based on the PDCA cycle, even though the standard no longer explicitly names it. The cycle ensures that your ISMS does not remain static but continuously adapts to new threats and changed conditions.
Further reading: The PDCA Cycle in the ISMS: Plan-Do-Check-Act in Practice
Penetration Test
A penetration test (pentest) is an authorized, simulated attack on IT systems, applications or networks to identify vulnerabilities before real attackers exploit them. Pentests are conducted by specialized security experts (ethical hackers) and can be performed as black-box (without prior knowledge), gray-box (with partial knowledge) or white-box (with full access). The results document not only the vulnerabilities found but also assess their exploitability and recommend specific countermeasures. ISO 27001 does not mandate regular pentests, but they are a valuable complement to technical security reviews.
Phishing
Phishing is a form of social engineering in which attackers use forged emails, websites or messages to trick victims into revealing credentials, personal information or installing malware. The messages impersonate trusted senders such as banks, business partners or internal departments. Spear phishing targets specific individuals or organizations and is significantly harder to detect than mass phishing. Technical protection measures such as email filters, SPF/DKIM/DMARC and link scanning reduce the risk, but trained employees remain the last — and often decisive — line of defense.
Further reading: Detecting and Reporting Phishing
R
Ransomware
Ransomware is malicious software that encrypts files or entire systems and demands a ransom for decryption. Modern ransomware groups additionally practice "double extortion": they steal data before encryption and threaten to publish them. Ransomware attacks are among the most devastating security incidents for companies and can lead to weeks of business interruption. The most effective countermeasures are regular, tested backups, network segmentation, up-to-date patches, MFA and trained employees. Authorities and experts strongly advise against paying the ransom.
Further reading: Ransomware Attack: Immediate Response Measures
Residual Risk
Residual risk is the risk that remains after all planned security measures have been implemented. No ISMS can completely eliminate all risks, and that is not even the goal. What matters is that the residual risk is consciously assessed, documented and formally accepted by management. ISO 27001 requires this explicit risk acceptance as part of the risk treatment process. If the residual risk after treatment is still above the defined risk tolerance, further measures or an adjustment to the business strategy are required.
Further reading: Risk Treatment: Mitigate, Accept, Transfer or Avoid
Risk
A risk in the ISMS context describes the combination of the likelihood that a threat exploits a vulnerability and the resulting impacts on the protection goals (confidentiality, integrity, availability). ISO 27001 requires a systematic process for risk identification, risk assessment and risk treatment. Each identified risk is assigned a risk owner, evaluated against defined criteria and mapped to a treatment option. The totality of risks and their treatment status forms the risk inventory of your ISMS.
Further reading: Risk Assessment in the ISMS
Risk Treatment
Risk treatment is the process of choosing one of four options for each assessed risk: mitigate (reduce risk through measures), transfer (shift risk to third parties, e.g., through insurance), avoid (discontinue the risky activity) or accept (consciously bear the risk). ISO 27001 requires a documented risk treatment plan that records the chosen option, the planned measures, the responsible persons and the timeline for each risk. Management must formally approve the risk treatment plan and the remaining residual risks.
Further reading: Risk Treatment: Mitigate, Accept, Transfer or Avoid
RTO / RPO (Recovery Time Objective / Recovery Point Objective)
The Recovery Time Objective (RTO) defines the maximum time a system or process may take to be restored after an outage. The Recovery Point Objective (RPO) specifies the maximum tolerable data loss, measured as the time between the last usable backup and the point of failure. Both values derive from the Business Impact Analysis and determine the requirements for backup strategy and disaster recovery. An RTO of 4 hours and an RPO of 1 hour mean: the system must be running again within 4 hours, and a maximum of 1 hour of data may be lost.
Further reading: Backup Strategy and Restore Testing
S
SIEM (Security Information and Event Management)
A SIEM system collects, correlates and analyzes security-relevant log data from various sources such as firewalls, servers, applications and endpoints in real time. It detects suspicious patterns and relationships that would go unnoticed when examining individual logs in isolation. For example, a SIEM can link a login attempt from an unusual country with a subsequent data exfiltration and trigger an alert. For SMEs, a full-scale SIEM may be oversized; managed SIEM services or focused log management solutions offer a pragmatic alternative.
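To make the correlation described above concrete, here is a small, self-contained example added for this glossary (it is not code from the page or from any SIEM product): it parses a few constructed log lines, flags successful logins from a country outside the user's usual set, and raises an alert only when the same account then moves a large amount of data within 15 minutes. The log format, country baseline and byte threshold are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Format: <timestamp> <kind> key=value ...
SAMPLE_LOGS = """\
2024-05-02T08:01:10Z auth user=alice src=203.0.113.7 geo=BR result=success
2024-05-02T08:03:42Z netflow user=alice dst=198.51.100.9 bytes_out=734003200
2024-05-02T09:10:00Z auth user=bob src=192.0.2.44 geo=DE result=success
2024-05-02T09:12:00Z netflow user=bob dst=198.51.100.9 bytes_out=734003200
2024-05-02T10:00:00Z auth user=carol src=203.0.113.9 geo=US result=success
2024-05-02T10:05:00Z netflow user=carol dst=198.51.100.9 bytes_out=1048576
2024-05-02T11:00:00Z auth user=alice src=203.0.113.8 geo=BR result=failure
"""

# Assumed baseline: countries each user normally logs in from (would come from history).
USUAL_COUNTRIES = {"alice": {"DE"}, "bob": {"DE", "AT"}, "carol": {"DE"}}
# Assumed thresholds for the rule.
EXFIL_BYTES = 100 * 1024 * 1024          # 100 MiB outbound counts as "large"
CORRELATION_WINDOW = timedelta(minutes=15)


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp and the key=value fields."""
    ts, kind, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_logs(text: str) -> list:
    """Parse all non-empty lines and return them ordered by time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def unusual_logins(events: list) -> list:
    """Successful logins from a country that is not in the user's baseline."""
    return [
        e for e in events
        if e["kind"] == "auth"
        and e.get("result") == "success"
        and e.get("geo") not in USUAL_COUNTRIES.get(e.get("user"), set())
    ]


def correlate(events: list) -> list:
    """Link each unusual login with large outbound transfers by the same user
    inside the correlation window; each such pair becomes one alert."""
    alerts = []
    for login in unusual_logins(events):
        deadline = login["ts"] + CORRELATION_WINDOW
        for e in events:
            if e["kind"] != "netflow" or e.get("user") != login["user"]:
                continue
            if not (login["ts"] <= e["ts"] <= deadline):
                continue
            if int(e.get("bytes_out", "0")) >= EXFIL_BYTES:
                alerts.append({
                    "user": login["user"],
                    "login_ts": login["ts"].isoformat(),
                    "login_src": login["src"],
                    "login_geo": login["geo"],
                    "transfer_ts": e["ts"].isoformat(),
                    "dst": e["dst"],
                    "bytes_out": int(e["bytes_out"]),
                })
    return alerts


def run_sample() -> list:
    """Run the rule over the constructed sample; returns the list of alerts."""
    return correlate(parse_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT:", alert)
```

Only alice trips the rule: bob's login country is in his baseline, carol's transfer stays below the threshold, and alice's second event is a failed login.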
SoA (Statement of Applicability)
The Statement of Applicability is one of the central documents in the ISMS. It lists all controls from ISO 27001 Annex A and documents for each one whether it is applicable or not. For applicable controls, you describe the implementation status and justification; for non-applicable controls, you document the exclusion reasons. The SoA is mandatory documentation for certification and is thoroughly examined in audits. It should be a living document that is updated when changes occur in the scope or risk landscape.
Further reading: Creating the Statement of Applicability (SoA)
Schrems II
Schrems II is the common name for the July 2020 ruling by the European Court of Justice (ECJ) that invalidated the EU-US Privacy Shield. The court found that the level of data protection in the US does not meet European requirements, particularly due to the broad surveillance powers of US intelligence agencies. The ruling affects every transfer of personal data to the US and requires additional safeguards such as standard contractual clauses with supplementary risk assessment. For the ISMS, Schrems II means that a thorough Transfer Impact Assessment must be conducted for every use of US cloud services.
Further reading: Cloud Act and Schrems II: What Does It Mean for Your ISMS?
Self-Hosting
Self-hosting refers to operating software on your own infrastructure rather than with an external cloud provider. This gives you maximum control over your data, availability and system configuration. In the ISMS context, self-hosting offers advantages for data sovereignty because no data leave your sphere of influence and regulatory requirements such as Schrems II or the Cloud Act are not applicable. The trade-off is the higher effort for operation, updates and security, which must be competently covered in-house.
Further reading: Setting Up a Self-Hosted ISMS with Docker
Social Engineering
Social engineering refers to manipulation techniques in which attackers exploit human traits such as helpfulness, trust, respect for authority or time pressure to obtain confidential information or induce people to take certain actions. Phishing is the best-known form, but social engineering also includes pretexting (fabricated pretenses), tailgating (physical infiltration), CEO fraud (forged instructions from executives) and baiting (prepared USB drives). Technical safeguards alone are insufficient against social engineering, which is why regular awareness training is indispensable.
Further reading: Social Engineering in the Workplace
T
TCO (Total Cost of Ownership)
Total Cost of Ownership describes the total costs over the complete usage period of a software or solution — not just the pure license or subscription costs. TCO encompasses acquisition, implementation, operation, maintenance, training, migration and eventual exit. Especially when comparing SaaS solutions with self-hosted alternatives, the TCO analysis is decisive because monthly subscription costs over years can significantly exceed one-time investments in your own infrastructure. In the ISMS context, TCO analysis is part of the economic evaluation of security measures and tool decisions.
Further reading: TCO Comparison: SaaS vs. Self-Hosted ISMS
TLS (Transport Layer Security)
TLS is a cryptographic protocol that encrypts and authenticates communication between two systems. It is the successor to SSL and today secures the majority of internet traffic (recognizable by "https://" in the browser address bar). TLS protects the confidentiality and integrity of transmitted data and uses certificates to ensure you are actually communicating with the correct server. At minimum, TLS 1.2 should be used; TLS 1.3 offers additional security and better performance. Older versions (TLS 1.0, 1.1, SSL) are considered insecure and should be disabled.
TOMs (Technical and Organizational Measures)
TOMs are the concrete protective measures you implement to secure personal data and information. The GDPR requires in Article 32 "appropriate technical and organizational measures" without prescribing them in detail. Technical measures include encryption, access controls, firewalls and backup systems. Organizational measures include policies, training, authorization concepts and processes. The documentation of TOMs is relevant for both GDPR compliance and the ISMS and is regularly reviewed by supervisory authorities and during audits.
Further reading: Documenting Technical and Organizational Measures (TOMs)
TOTP (Time-based One-Time Password)
TOTP is a method for generating time-based one-time passwords, frequently used as a second factor in multi-factor authentication. An authenticator app on the smartphone generates a new six-digit code every 30 seconds based on a shared secret and the current time. TOTP codes work offline, are easy to implement and offer significantly better protection than SMS-based codes, which can be intercepted through SIM swapping. Widely used TOTP apps include Google Authenticator, Microsoft Authenticator and Authy.
TISAX (Trusted Information Security Assessment Exchange)
TISAX is an assessment and exchange mechanism for information security in the automotive industry, developed by the German Association of the Automotive Industry (VDA). It is based on the VDA ISA questionnaire (Information Security Assessment), which in turn builds on ISO 27001 but adds industry-specific requirements. TISAX assessments are conducted by accredited audit providers, and the results are exchanged among participants via the ENX platform. For suppliers in the automotive industry, a TISAX label is frequently a contractual prerequisite for collaboration with OEMs.
V
Vendor Lock-in
Vendor lock-in refers to dependence on a software provider arising from proprietary data formats, missing export capabilities, vendor-specific APIs or high switching costs. In the ISMS context, vendor lock-in is a risk in its own right because it jeopardizes the availability and continuity of your security processes if the provider raises prices, discontinues the service or is acquired. When selecting ISMS tools and compliance software, you should therefore look for open standards, complete data exports and transparent contract terms. A documented exit plan is part of the duty of care for every critical service provider.
Further reading: Avoiding Vendor Lock-in with Compliance Software
Encryption
Encryption is a cryptographic procedure that converts readable data (plaintext) into unreadable data (ciphertext) using a key. A distinction is made between symmetric encryption (one key for both encryption and decryption, e.g., AES-256) and asymmetric encryption (public and private key, e.g., RSA). Encryption protects data at rest (e.g., disk encryption) and in transit (e.g., TLS). An ISMS should define clear specifications for which data must be encrypted, which algorithms are permitted and how keys are managed.
VPN (Virtual Private Network)
A VPN establishes an encrypted connection over a public network (typically the internet), enabling secure access to internal resources from external locations. Common protocols include WireGuard, OpenVPN and IPsec. In the enterprise context, a VPN primarily serves to securely connect remote employees and link offices. However, a VPN does not replace a genuine security architecture: it encrypts the transport path but does not verify whether the connecting device is trustworthy. This is why the trend is moving toward zero trust approaches that do not base trust solely on network membership.
RPA (Record of Processing Activities)
The Record of Processing Activities is a document required by the GDPR (Article 30) that systematically captures all processing of personal data in your organization. For each processing activity, you document the purpose, the affected data categories, the recipients, third-country transfers, the retention periods and the technical and organizational safeguards. The RPA is not a one-time project but must be updated with every new processing activity or change. It forms the basis for data protection impact assessments and is the first document that supervisory authorities request during an audit.
Further reading: Creating a Record of Processing Activities Under GDPR
Z
Zero Trust
Zero Trust is a security concept based on the principle "Never trust, always verify." Unlike the traditional perimeter model (inside = secure, outside = insecure), Zero Trust assumes that no user, no device and no network segment is automatically trustworthy. Every access is individually authenticated, authorized and continuously verified, regardless of whether it originates from inside or outside the corporate network. Implementation requires, among other things, strong identity verification (MFA), microsegmentation, least-privilege access and continuous monitoring. Zero Trust is less a product than an architectural philosophy that can be implemented incrementally.
Further reading: Zero Trust for SMEs
Certification
Certification to ISO 27001 is the official confirmation by an accredited certification body that your ISMS meets the requirements of the standard. The certification process encompasses a Stage 1 audit (document review) and a Stage 2 audit (on-site assessment). The certificate is valid for three years, with annual surveillance audits. Certification is a strong signal to customers, partners and supervisory authorities, but it is not an end in itself: it requires a living ISMS, not just paper documentation. Costs vary by company size and scope, but the return on investment often materializes quickly through won contracts and strengthened customer trust.
Further Reading
- Building an ISMS: The Complete Guide for Companies
- Risk Assessment in the ISMS: Methodology, Matrix and Practical Example
- The CIA Triad Explained: Confidentiality, Integrity and Availability in Practice
- The PDCA Cycle in the ISMS: Plan-Do-Check-Act in Practice
- NIS2 vs. ISO 27001: Differences, Commonalities and How They Fit Together
