CapGRC
GRC Glossary

Master GRC Terminology

All essential terms in governance, risk, compliance and cybersecurity — clearly defined, enriched with our articles.

20 defined terms
28 links to articles
12 letters covered
A
1 term(s)

Audit trail

1 article(s) · General

Chronological record of the security-relevant events in a system: who did what, to which resource, when and from where. Essential for incident investigations, compliance audits and forensic analysis, which also means the record must be protected against alteration and deletion, and its clock must be reliable. ISO 27001:2022 requires it through Annex A control 8.15 (Logging); under Law 25 it is the usual way to demonstrate the required security measures and to reconstruct a confidentiality incident.
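The evidentiary value of an audit trail depends on its integrity. The following added example (not code from the page or from CapGRC) shows one common way to make a trail tamper-evident: each record carries the SHA-256 hash of the previous one, so rewriting or deleting any past entry breaks verification at that point. The record fields, the genesis value and the sample events are all assumptions constructed for the illustration.

```python
"""Tamper-evident audit trail: every record is chained to its predecessor by a
SHA-256 hash. Added example, not from the glossary page; field names, the
genesis value and the sample events are assumptions."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed previous-hash value for the very first record


def canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(seq: int, prev_hash: str, event: dict) -> str:
    body = {"seq": seq, "prev_hash": prev_hash, "event": event}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_event(trail: list, event: dict) -> dict:
    """Append an event, linking it to the hash of the previous record."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    seq = len(trail)
    record = {"seq": seq, "prev_hash": prev_hash, "event": event,
              "hash": record_hash(seq, prev_hash, event)}
    trail.append(record)
    return record


def verify_trail(trail: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the position of the first bad record.

    Edits and deletions inside the trail break the chain on their own. Truncation
    of the tail does not, which is why the latest hash should also be anchored
    somewhere the log writer cannot reach (a remote log server, a signed
    checkpoint); pass that anchor as expected_head to detect truncation.
    """
    prev_hash = GENESIS
    for expected_seq, record in enumerate(trail):
        if record["seq"] != expected_seq or record["prev_hash"] != prev_hash:
            return expected_seq
        if record_hash(record["seq"], record["prev_hash"], record["event"]) != record["hash"]:
            return expected_seq
        prev_hash = record["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(trail)
    return None


def build_sample_trail() -> list:
    """Constructed sample events (not real log data)."""
    trail: list = []
    for ev in [
        {"ts": "2025-03-01T08:00:00Z", "user": "alice", "action": "login",
         "src": "10.0.0.5", "result": "success"},
        {"ts": "2025-03-01T08:02:10Z", "user": "alice", "action": "read",
         "object": "customer_db", "result": "success"},
        {"ts": "2025-03-01T08:05:42Z", "user": "alice", "action": "role_change",
         "object": "bob", "detail": "admin", "result": "success"},
    ]:
        append_event(trail, ev)
    return trail


def tampering_is_detected() -> bool:
    """An insider rewriting what they did is caught at the modified record."""
    trail = build_sample_trail()
    if verify_trail(trail) is not None:
        raise RuntimeError("fresh trail should verify")
    trail[2]["event"]["detail"] = "reader"  # downgrade the privilege granted
    return verify_trail(trail) == 2


if __name__ == "__main__":
    print("tampering detected:", tampering_is_detected())
```

Deleting a record in the middle is caught the same way (the sequence numbers and previous-hash links no longer line up), while removing the last record is only caught when the verifier is given the anchored head hash, which is the reason production systems ship logs to a separate, append-only destination.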

C
3 term(s)

Compliance

2 article(s) · General

State of conformity with applicable laws, regulations, standards and contractual obligations. In GRC, compliance covers regulatory compliance (Law 25, PIPEDA, DORA), compliance with standards (ISO 27001, PCI-DSS) and contractual compliance (commitments made to customers and partners).

CISO

2 article(s) · Roles

Chief Information Security Officer. Executive responsible for defining and leading the organization's information security strategy. Key contact for management, auditors and regulators on all cybersecurity and compliance matters.

Control

1 article(s) · Risks

Technical, organizational or legal measure implemented to reduce an identified risk. Controls can be preventive (stop an incident from happening), detective (detect an incident that is happening or has happened) or corrective (limit the damage and recover afterwards). ISO 27001:2022 lists 93 controls in its Annex A, grouped into organizational, people, physical and technological themes.

D
1 term(s)

DORA

2 article(s) · Regulation

Digital Operational Resilience Act. European regulation (EU 2022/2554), in force since January 2023 and applicable since January 17, 2025, imposing strict digital operational resilience requirements on financial entities and their critical ICT providers: ICT risk management, ICT-related incident reporting, digital operational resilience testing, management of ICT third-party risk, and cyber threat information sharing.

G
2 term(s)

Gap analysis

1 article(s) · General

Exercise comparing an organization's current security or compliance state with the requirements of a target framework (ISO 27001, Law 25, DORA, etc.). The result identifies gaps to be addressed through prioritized action plans.

GRC

2 article(s) · General

Governance, Risk and Compliance. Integrated framework enabling an organization to align its strategy, manage risks and meet regulatory obligations in a consistent manner. A GRC platform centralizes these three dimensions to avoid silos and duplication of effort.

I
2 term(s)

Information asset

1 article(s) · General

Any information, or information system, of value to an organization. Includes personal data, databases, software, infrastructure and documents. Knowing which assets hold personal information, and how sensitive it is, is a prerequisite for the governance and PIA obligations of Law 25, which is why their inventory and classification is the first step of a compliance program.

ISO 27001

2 article(s) · Standard

International standard (ISO/IEC 27001:2022) specifying requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Recognized worldwide, its Annex A lists 93 controls across 4 themes (organizational, people, physical, technological), and conformity is attested by a certificate issued by an accredited certification body after a certification audit, followed by surveillance audits during the three-year certification cycle.

K
1 term(s)

KRI

1 article(s) · Risks

Key Risk Indicator. Metric that tracks how a risk level evolves over time and signals deterioration before an incident occurs, for example the number of critical vulnerabilities open for more than 30 days or the share of accounts without MFA. Unlike a KPI (a measure of performance already achieved), a KRI is forward-looking: it is paired with thresholds that trigger escalation when crossed.

L
1 term(s)

Law 25

2 article(s) · Law 25

An Act to modernize legislative provisions as regards the protection of personal information (Quebec). Implemented in three phases from September 2022 to September 2024, it imposes governance, consent, PIA and confidentiality-incident notification obligations on organizations handling personal information in Quebec. Administrative monetary penalties of up to $10M or 2% of worldwide turnover, and penal fines of up to $25M or 4% of worldwide turnover, whichever is greater.

N
1 term(s)

NIS2

1 article(s) · Regulation

Network and Information Security Directive 2. European directive (EU 2022/2555) that member states had to transpose by October 17, 2024. Covers 18 sectors (11 of high criticality plus 7 other critical sectors) and imposes risk management, incident notification and supply chain security requirements, with management bodies personally accountable. Fines up to EUR 10M or 2% of global turnover for essential entities, and up to EUR 7M or 1.4% for important entities.

P
4 term(s)

PCI-DSS

1 article(s) · Standard

Payment Card Industry Data Security Standard. Security standard contractually mandated by the card brands for any organization that stores, processes or transmits payment card data. Version 4.0 became the only valid version on March 31, 2024, when v3.2.1 was retired, and its remaining future-dated requirements became mandatory on March 31, 2025; they strengthen authentication (MFA for all access to the cardholder data environment) and security testing.

PIA

2 article(s) · Law 25

Privacy Impact Assessment. Analysis mandatory under Law 25 for any project to acquire, develop or overhaul an information system or electronic service delivery system involving personal information, and before communicating personal information outside Quebec. Identifies and mitigates privacy risks before a system or process is deployed. Quebec equivalent of the GDPR's Data Protection Impact Assessment (DPIA).

PIPEDA

1 article(s) · Regulation

Personal Information Protection and Electronic Documents Act. Canadian federal law governing the collection, use and disclosure of personal information in the course of commercial activities. Applies to federally regulated organizations everywhere, and to other private organizations except where a province has substantially similar legislation (such as Quebec's Law 25) covering their activities within that province. Bill C-27, which proposed to replace it with the Consumer Privacy Protection Act, did not pass before Parliament was prorogued in January 2025, so PIPEDA remains in force.

Privacy by Default

1 article(s) · Law 25

Principle requiring organizations to apply the most privacy-protective settings by default, without any action from the individual. Required by Law 25 (in force since September 22, 2023, in the second phase) for technological products or services offered to the public that have privacy settings, with an exception for browser cookies, and by Article 25 of the GDPR (data protection by design and by default). In practice, the strictest confidentiality options must be pre-selected, and anything less protective must be an explicit choice by the user.

R
2 term(s)

Residual risk

2 article(s) · Risks

Level of risk remaining after the controls in place have been taken into account. It is derived from the gross (inherent) risk reduced by control effectiveness, for example gross risk × (1 - effectiveness) when effectiveness is expressed as a proportion, or by re-rating likelihood and impact with the controls in place. Residual risk within the defined risk appetite is accepted; residual risk above it must either be treated further or be formally accepted by management as a documented exception.

Risk register

1 article(s) · Risks

Central document of the risk management program listing all identified risks, their assessment (likelihood, impact, gross and residual risk), the controls in place, the risk owner and the associated treatment plans. Foundation of any GRC program and the usual way of meeting ISO 27001's clause 6.1 requirement to document risk assessment and treatment.
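The two entries above (Residual risk and Risk register) describe a scoring model and the record that holds it. The following added example (not code from the page or from CapGRC) implements a minimal register: a 5x5 likelihood × impact scale, controls that each remove a fraction of the remaining risk, a residual score, and the treatment decision against a risk appetite threshold. The scale, the multiplicative effectiveness model, the appetite value of 6 and the sample risks are assumptions chosen for the illustration.

```python
"""Minimal risk register with gross and residual scoring.
Added example, not from the glossary page; the 5x5 scale, the control
effectiveness model, the appetite threshold and the sample risks are assumed."""
from dataclasses import dataclass, field

RISK_APPETITE = 6   # assumed: residual above this needs treatment or formal acceptance
SCALE = range(1, 6)  # likelihood and impact each rated 1 (lowest) to 5 (highest)


@dataclass
class Control:
    name: str
    kind: str             # "preventive", "detective" or "corrective"
    effectiveness: float  # fraction of the remaining risk this control removes

    def __post_init__(self) -> None:
        # An effectiveness above 1.0 would produce a negative residual,
        # a classic spreadsheet error; refuse it at the boundary.
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.name}: effectiveness must be between 0 and 1")


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int
    impact: int
    owner: str
    controls: list = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.rid}: likelihood and impact must be 1..5")

    @property
    def gross(self) -> int:
        """Inherent risk, before any control is considered."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> float:
        """Controls compound: two 50% controls leave 25% of the gross, not 0%."""
        remaining = 1.0
        for control in self.controls:
            remaining *= 1.0 - control.effectiveness
        return round(self.gross * remaining, 1)

    def treatment(self, appetite: int = RISK_APPETITE) -> str:
        if self.residual <= appetite:
            return "accept (within appetite)"
        return "treat further or obtain formal management acceptance"


def build_register() -> list:
    """Constructed sample register (not data from any real organization)."""
    return [
        Risk("R-001", "Ransomware encrypts production servers", 4, 5, "CISO",
             [Control("EDR with 24/7 monitoring", "detective", 0.4),
              Control("Offline, tested backups", "corrective", 0.5)]),
        Risk("R-002", "Breach at a SaaS provider holding customer data", 3, 4, "CISO",
             [Control("Annual vendor security assessment", "preventive", 0.3)]),
        Risk("R-003", "Loss or theft of an employee laptop", 3, 3, "IT manager",
             [Control("Full-disk encryption enforced by MDM", "preventive", 0.8)]),
    ]


def above_appetite(register: list, appetite: int = RISK_APPETITE) -> list:
    """Risk IDs that need a treatment plan or a formal acceptance decision."""
    return [r.rid for r in register if r.residual > appetite]


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.rid} gross={r.gross} residual={r.residual} -> {r.treatment()}")
```

Note that R-001 has the highest gross risk but, with both a detective and a corrective control, ends up within appetite, while R-002 with a single weak control does not: the register is what makes that comparison visible to management.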

S
1 term(s)

SOC 2

1 article(s) · Standard

System and Organization Controls 2 (originally Service Organization Control 2). Attestation report defined by the AICPA in which an independent auditor evaluates a service organization's controls against the Trust Services Criteria: Security (always in scope), plus Availability, Processing Integrity, Confidentiality and Privacy as selected. Frequently requested by US customers of SaaS companies. A Type I report describes control design at a point in time; a Type II report tests operating effectiveness over a review period, typically 6 to 12 months.

Z
1 term(s)

Zero Trust

1 article(s) · General

Security architecture based on the principle 'never trust, always verify'. No user, device or system is considered trustworthy by default, even inside the network. Relies on micro-segmentation, MFA and continuous monitoring. Recommended by the Canadian Centre for Cyber Security.

A term missing from this glossary?

Explore our articles to go further on each GRC concept, or contact our team of experts.