Anyone working in governance, risk and compliance runs into a dictionary of acronyms and technical terms: RTO, DPIA, ISMS, gross risk, revDPA. Many of these are used in meetings, contracts and audits as if they were self-explanatory. This glossary organises the most important concepts: clearly explained, with context, from a Swiss perspective.
Terms are grouped by topic. If you want the systematic route, start with risk management fundamentals; if you're looking up a specific acronym, use the table of contents or your browser's search (Cmd/Ctrl + F).
Risk management
Risk management is the systematic identification, assessment and steering of events that could jeopardise organisational objectives. The terms below form the vocabulary that risk owners, auditors and executive boards use; used precisely, they are the foundation of any defensible risk analysis.
Gross risk
The level of a risk before any risk-reducing measures are considered, calculated as the combination of likelihood and impact in an unprotected state (English-language sources often say "inherent risk"). Gross risk shows how large the risk would theoretically be if no controls existed at all; it is the baseline against which the effectiveness of your measures is judged.
Net risk (residual risk)
The remaining risk after implemented measures are taken into account. If a gross risk was rated "high" and a firewall plus monitoring controls are in place, the net risk might come down to "medium". Net risk and residual risk are used synonymously; ISO 27005 prefers "residual risk". A net risk that still sits above the risk appetite needs either further treatment or a documented acceptance by the risk owner.
Risk appetite
The amount of risk an organisation is deliberately willing to take on to achieve its objectives. A conservative insurer has a low risk appetite for cyber incidents, while a growth-stage start-up consciously accepts higher operational risks. Risk appetite is typically defined by executive management and feeds into concrete decision rules.
Risk Appetite Statement (RAS)
A document approved by the board or executive management that translates risk appetite into concrete thresholds and categories. A good RAS formulates a clear statement per risk category ("We accept no more than 4 hours per year of customer-facing system downtime") and links each statement to Key Risk Indicators that show whether it is being met.
Risk register
The central, searchable list of all identified risks in an organisation with rating, owner, measures and status. A structured risk register is the minimum requirement of any ISMS and any audit-proof risk management practice. Without it you can neither display total risk exposure nor justify prioritisation.
Risk matrix (heatmap)
A two-dimensional depiction of risks, typically 5×5, with likelihood on one axis and impact on the other. Each cell represents a combination (e.g. "possible × critical"), with risks plotted as dots. The heatmap is the preferred tool in management reporting because it shows at a glance where risk concentrations sit. Keep in mind that both scales are ordinal: a score obtained by multiplying likelihood by impact is a ranking aid, not a measurement, and two risks in the same cell can differ widely in expected loss.
Key Risk Indicator (KRI)
A quantitative or qualitative metric that provides early warning of a rising risk. Examples: number of failed login attempts per hour, number of overdue critical patches, mean time to recover (MTTR) for incidents. A good KRI is measurable, available in near real time and has a defined threshold that triggers escalation when breached.
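The scoring mechanics behind the gross risk, net risk, heatmap and risk appetite entries above, as an added example that is not part of the glossary. It assumes 1–5 ordinal scales, a simplified model in which each control is credited with a fixed number of steps against one dimension, rating bands on the product of likelihood and impact, and a fictitious RAS that states the maximum accepted net score per category; all of these are my assumptions, not definitions from the page.

```python
"""Risk register scoring: gross vs net risk, 5x5 heatmap cells and an appetite
check. Added example, not from the glossary; the scoring model is an assumption.
"""
from dataclasses import dataclass, field

# Ordinal 1-5 scales as used on a 5x5 matrix (labels assumed).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "critical"}
# Rating bands on likelihood x impact (assumed; take the thresholds from your RAS).
BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "critical")]


@dataclass
class Control:
    name: str
    kind: str   # "preventive" lowers likelihood; "detective"/"corrective" lower impact
    steps: int  # ordinal steps credited to the control (assumed simplification)


@dataclass
class Risk:
    id: str
    title: str
    category: str
    likelihood: int  # gross likelihood, 1-5
    impact: int      # gross impact, 1-5
    owner: str       # line/business owner, not the CISO
    controls: list = field(default_factory=list)


def _clamp(v: int) -> int:
    return max(1, min(5, v))


def gross(risk: Risk) -> tuple:
    """Gross (inherent) cell: likelihood and impact before any control."""
    return (risk.likelihood, risk.impact)


def net(risk: Risk) -> tuple:
    """Net (residual) cell: each control is credited against one dimension."""
    lik, imp = risk.likelihood, risk.impact
    for c in risk.controls:
        if c.kind == "preventive":
            lik -= c.steps
        else:
            imp -= c.steps
    return (_clamp(lik), _clamp(imp))


def score(cell: tuple) -> int:
    return cell[0] * cell[1]


def rating(cell: tuple) -> str:
    s = score(cell)
    return next(label for limit, label in BANDS if s <= limit)


def heatmap(risks: list, view: str = "net") -> dict:
    """5x5 grid keyed (likelihood, impact) -> ids of the risks plotted in that cell."""
    grid = {(lk, im): [] for lk in range(1, 6) for im in range(1, 6)}
    for r in risks:
        grid[net(r) if view == "net" else gross(r)].append(r.id)
    return grid


def exceeding(risks: list, appetite: dict) -> list:
    """Risks whose net score is above the category appetite: these need further
    treatment or a documented acceptance by the risk owner."""
    return [r for r in risks if score(net(r)) > appetite[r.category]]


def report(risks: list, appetite: dict) -> str:
    over = {r.id for r in exceeding(risks, appetite)}
    lines = []
    for r in risks:
        g, n = gross(r), net(r)
        lines.append(
            f"{r.id} {r.title}: gross {LIKELIHOOD[g[0]]} x {IMPACT[g[1]]} = {rating(g)} ({score(g)}), "
            f"net {rating(n)} ({score(n)}), owner {r.owner}, "
            f"{'OVER appetite' if r.id in over else 'within appetite'}"
        )
    return "\n".join(lines)


# Constructed sample register (illustrative data, not from the glossary).
REGISTER = [
    Risk("R-01", "Ransomware on file server", "cyber", 4, 5, "Head of Operations",
         [Control("MFA on all remote access", "preventive", 1),
          Control("Tested offline backups", "corrective", 2)]),
    Risk("R-02", "Outage at payroll provider", "operational", 3, 3, "Head of HR"),
    Risk("R-03", "Fire in primary data centre", "operational", 1, 5, "Head of IT",
         [Control("Warm standby at secondary site", "corrective", 2)]),
]
# Maximum accepted net score per category (assumed values from a fictitious RAS).
APPETITE = {"cyber": 9, "operational": 6}

if __name__ == "__main__":
    print(report(REGISTER, APPETITE))
    for cell, ids in heatmap(REGISTER).items():
        if ids:
            print(f"net cell {LIKELIHOOD[cell[0]]} x {IMPACT[cell[1]]}: {ids}")
```

Run as is: R-01 drops from "critical" gross to "medium" net once the two controls are credited, while R-02 has no controls and sits above the operational appetite, which is the case the risk owner must either treat or formally accept. Crediting a control with a fixed number of steps is deliberately crude; in a real register the step credit should come from evidence of control effectiveness, not from the control's existence.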
Threat
A potential cause of harm, the "source" from which a risk may arise. Threats can be human (phishing, insiders), technical (hardware failure, zero-day), natural (fire, water damage) or organisational (supplier failure). The counterpart is the vulnerability the threat can exploit.
Vulnerability
A weakness or gap in a system, process or organisation that a threat can exploit. Typical examples: unpatched software, missing separation of duties, weak authentication, unclear responsibilities. Only the combination of a threat and a vulnerability actually creates a risk.
Risk owner
The person in the organisation who is operationally and organisationally accountable for steering a specific risk. The risk owner decides on measures, approves residual risks and reports on developments. Important: the risk owner is not the CISO or the risk manager, but the relevant line or business owner.
Three Lines Model
A governance model (formerly "Three Lines of Defence") that separates responsibilities into three lines: the first line (operational units that manage risks directly), the second line (risk management and compliance functions that monitor and advise) and the third line (internal audit, which reviews independently). The model originates in banking and finance but is used across industries today.
Compliance and frameworks
"Compliance" means adhering to legal, regulatory and internal requirements. Frameworks provide the structured scaffolding for demonstrating compliance, whether an ISO standard, a sector regulation or a best-practice catalogue.
ISO/IEC 27001
The internationally leading standard for information security management systems (ISMS). It defines requirements for the establishment, operation and continual improvement of an ISMS. The current version is ISO/IEC 27001:2022; the 93 controls are listed in Annex A and described in detail in ISO/IEC 27002:2022. A certificate is valid for three years, with annual surveillance audits and a recertification audit at the end of the cycle.
ISO 31000
The generic standard for risk management, not certifiable, but widely used as a reference framework. It describes principles (integrated, structured, inclusive, dynamic), a framework and a risk management process. ISO 31000 is industry-neutral and works well as an umbrella when multiple risk types (IT, operational, financial, project) need to be integrated.
ISO 22301
The ISO standard for business continuity management. It defines how organisations detect, respond to and recover from disruptions. Key elements are the Business Impact Analysis, the Business Continuity Plan and the Disaster Recovery Plan. Certifiable, and frequently required for organisations with critical processes (financial services, healthcare, critical infrastructure).
NIST Cybersecurity Framework (CSF)
A cybersecurity framework developed by the US National Institute of Standards and Technology. The current version 2.0 (2024) is organised into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Not certifiable, but internationally recognised; ideal as a self-assessment tool and as a bridge between technical controls and governance.
NIS2
The EU directive on network and information security that came into force in January 2023 (member states had until October 2024 to transpose it), successor to the original NIS Directive. It massively expands the scope (an estimated 160,000 organisations across the EU) and introduces strict duties: risk management measures, staged incident reporting (early warning within 24 hours, notification within 72 hours, final report within a month), personal accountability of management bodies. Swiss companies with EU subsidiaries or significant EU customers are indirectly affected, typically through supply-chain security requirements that customers pass down by contract.
DORA (Digital Operational Resilience Act)
An EU regulation for the financial sector, applicable since 17 January 2025. DORA requires banks, insurers and other financial market participants to achieve comprehensive digital operational resilience, with hard requirements for ICT risk management, incident reporting, threat-led penetration testing and third-party risk management. The regulation applies directly, without transposition into national law.
COBIT
An IT governance and management framework published by ISACA. The current version, COBIT 2019, distinguishes between governance and management objectives and is geared more towards enterprise IT as a whole than, say, ISO 27001. COBIT is often chosen in organisations that want to anchor IT as a strategic function.
Audit
A structured, independent review of whether defined requirements (from a standard, a contract or an internal policy) are actually being met. Audits are divided into internal (conducted by the organisation's own audit function), external (for example a supplier audit conducted by a customer) and certification audits (by accredited bodies). An audit report documents findings, non-conformities and recommendations.
Control
A concrete measure that reduces a risk or provides evidence of compliance. Controls are typically split into preventive (stop it happening), detective (notice it happened) and corrective (fix it). Examples: four-eyes principle on payments (preventive), SIEM alerting (detective), backup restore (corrective). ISO/IEC 27002:2022 lists 93 controls for information security.
Data protection
Data protection law shields individuals from the unlawful processing of their personal data. For Swiss companies, the revised Data Protection Act (revDPA) applies in parallel with the GDPR wherever there is an EU connection. The core concepts largely overlap, but the details make the difference.
GDPR
EU Regulation 2016/679, applicable since 25 May 2018. It governs the processing of personal data of natural persons and also applies to companies outside the EU insofar as they offer goods or services to persons in the EU or monitor their behaviour (marketplace principle, Art. 3(2)). Fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher; Swiss companies with EU customers are subject to it just like European ones.
revDPA
The revised Swiss Data Protection Act, in force since 1 September 2023. It lifts the Swiss level of data protection largely to GDPR standard, but remains leaner: no obligation to appoint a data protection officer, no register of processing activities for companies with fewer than 250 employees unless their processing carries a high risk, and fewer prescriptive documentation duties. Breaches can lead to criminal prosecution, with fines of up to CHF 250,000 imposed on the responsible natural persons, not on the company.
Data Protection Impact Assessment (DPIA)
A structured risk analysis that controllers must carry out when a processing activity is likely to result in high risks to the rights and freedoms of data subjects. Typical triggers: systematic surveillance, large volumes of particularly sensitive data, new technologies. A DPIA documents the processing, assesses the risks and defines measures; it must be reviewed regularly. Under the revDPA, the FDPIC must be consulted if a high residual risk remains (Art. 23).
Data Processing Agreement (DPA)
The written contract between a controller and a processor that governs the processing of personal data. Mandatory components include: subject, duration, type of data, binding instructions, duties of the processor (confidentiality, TOMs, sub-processors, data subject rights), audit rights. Without a valid DPA, passing data to a service provider is not lawful.
Data subject
The identified or identifiable natural person whose personal data is being processed. Their rights include access, rectification, erasure, objection, data portability and the right not to be subject to purely automated decision-making. These rights have to be actioned within one month under the GDPR (extendable in complex cases) and within 30 days under the revDPA.
Processor
A natural or legal person who processes personal data on behalf of a controller. Typical examples are cloud providers, IT service providers and payroll providers. The processor may only process data in line with documented instructions, must implement appropriate TOMs and must be able to demonstrate compliance.
Technical and organisational measures (TOMs)
All measures that ensure an appropriate level of protection for processing activities. Technical: encryption, access control, pseudonymisation, backups. Organisational: role concepts, training, confidentiality obligations, deletion policies. TOMs are a core element of every DPA and are examined during audits.
Business Continuity Management
BCM ensures that an organisation can maintain or quickly restore its critical business processes even during severe disruptions: cyber attacks, a fire in the data centre, pandemics. The metrics below are the hard currency of BCM.
Business Impact Analysis (BIA)
The systematic investigation of which business processes are critical, which dependencies they have and how damaging an outage becomes over time. The output is a prioritised list of processes with their RTO and RPO targets. The BIA is the foundation of any BCP; without it, recovery plans become arbitrary.
Business Continuity Plan (BCP)
The playbook that governs the continuation of critical business processes in a crisis, with roles, alert routing, alternative sites, priorities and recovery procedures. A BCP is only useful if it is tested and updated regularly; a plan sitting in a drawer is worse than none at all because it creates a false sense of security.
Disaster Recovery Plan (DRP)
The technical counterpart to business continuity planning: how IT systems, data and infrastructure are restored after a disruption. The DRP defines concrete steps: failover to the secondary data centre, restore from backups, redeployment of services. While a BCP is process-oriented, a DRP is system-oriented.
Recovery Time Objective (RTO)
The maximum allowable time between an outage and the recovery of a process or system. An RTO of "4 hours" for the accounting system means that at the latest four hours after an outage the system must be operational again. The RTO is derived from the BIA and directly drives the cost of continuity solutions: a low RTO requires redundant systems and hot standby.
Recovery Point Objective (RPO)
The maximum tolerable data loss, measured in time. An RPO of "1 hour" means that in a total outage at most one hour of data may be lost. The RPO determines the backup frequency: an RPO of 24 h is met by daily backups, an RPO of 15 min requires snapshots every few minutes or continuous replication. Measure the interval between successful backups, since a single failed nightly job silently doubles the RPO you actually achieve.
Maximum Tolerable Period of Disruption (MTPD)
The maximum time a process can be unavailable without seriously endangering the survival or strategic objectives of the organisation. MTPD is an absolute upper bound; the RTO must be clearly below it. While RTO is defined operationally, MTPD is typically an executive decision.
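The two checks a BCM reviewer actually runs against the RTO, RPO and MTPD entries above, as an added example that is not part of the glossary: a static consistency check of the BIA targets (RTO must be below MTPD) and a measurement of the RPO actually achieved from a backup job log, counting only successful jobs. The processes, targets, log format and timestamps are constructed for illustration and are my assumptions, not data from the page.

```python
"""BCM target consistency and achieved-RPO check over a backup job log.
Added example, not from the glossary; the log format and the targets are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Target:
    process: str
    system: str
    rto: timedelta
    rpo: timedelta
    mtpd: timedelta


def fmt(td: timedelta) -> str:
    minutes = int(td.total_seconds() // 60)
    return f"{minutes // 60}h" if minutes % 60 == 0 else f"{minutes}min"


def plan_findings(t: Target) -> list:
    """Static check on the BIA output: the RTO must sit below the MTPD,
    otherwise the recovery plan allows an outage the business cannot survive."""
    findings = []
    if t.rto >= t.mtpd:
        findings.append(f"RTO {fmt(t.rto)} is not below MTPD {fmt(t.mtpd)}")
    return findings


def parse_backup_log(text: str) -> dict:
    """'<iso timestamp> <system> <OK|FAILED>' lines -> {system: [(ts, status), ...]}"""
    jobs = {}
    for line in text.strip().splitlines():
        ts, system, status = line.split()
        jobs.setdefault(system, []).append((datetime.fromisoformat(ts), status))
    return jobs


def achieved_rpo(successes: list, now: datetime) -> timedelta:
    """Worst-case data loss actually achieved: the largest gap between consecutive
    successful backups, including the gap from the last success until now."""
    points = sorted(successes) + [now]
    return max(b - a for a, b in zip(points, points[1:]))


def assess(targets: list, log_text: str, now: datetime) -> dict:
    """Per system: achieved RPO and the list of findings (empty list = all good)."""
    jobs = parse_backup_log(log_text)
    result = {}
    for t in targets:
        findings = plan_findings(t)
        successes = [ts for ts, status in jobs.get(t.system, []) if status == "OK"]
        worst = achieved_rpo(successes, now) if successes else None
        if worst is None:
            findings.append("no successful backup in log")
        elif worst > t.rpo:
            findings.append(f"achieved RPO {fmt(worst)} exceeds target {fmt(t.rpo)}")
        result[t.system] = {"process": t.process, "achieved_rpo": worst, "findings": findings}
    return result


# Constructed BIA targets (illustrative, not from the glossary).
TARGETS = [
    Target("Accounting", "erp-db", rto=timedelta(hours=4), rpo=timedelta(hours=1), mtpd=timedelta(hours=24)),
    Target("File share", "fileserver", rto=timedelta(hours=8), rpo=timedelta(hours=24), mtpd=timedelta(hours=72)),
    Target("Webshop", "webshop", rto=timedelta(hours=48), rpo=timedelta(hours=1), mtpd=timedelta(hours=24)),
]

# Constructed backup job log: hourly jobs for erp-db (one failed), daily jobs for fileserver.
BACKUP_LOG = """
2025-03-01T00:10:00 fileserver OK
2025-03-02T00:10:00 fileserver OK
2025-03-03T00:10:00 fileserver OK
2025-03-03T05:05:00 erp-db OK
2025-03-03T06:05:00 erp-db FAILED
2025-03-03T07:05:00 erp-db OK
"""
NOW = datetime(2025, 3, 3, 7, 30)  # the moment the check runs (assumed)

if __name__ == "__main__":
    for system, r in assess(TARGETS, BACKUP_LOG, NOW).items():
        achieved = fmt(r["achieved_rpo"]) if r["achieved_rpo"] else "n/a"
        print(f"{r['process']} ({system}): achieved RPO {achieved} -> "
              f"{'; '.join(r['findings']) or 'OK'}")
```

The erp-db case is the one the RPO entry warns about: hourly backups nominally meet a one-hour RPO, but the single failed 06:05 job stretches the gap between successful copies to two hours, so the achieved RPO is double the target. The webshop row shows the static failure mode, an RTO that is not below the MTPD, which no amount of backup tooling fixes.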
Minimum Business Continuity Objective (MBCO)
The minimum level of service that must be maintained during a disruption. Example: a call centre that normally handles 100 requests per hour might set its MBCO at 20 per hour, handled by a reduced team in emergency mode. The MBCO forces clear priorities around what truly needs to keep running.
Crisis management
The combined structures, processes and communication channels that are activated during a crisis. Typically, there is a crisis team with clearly defined roles (leadership, communications, IT, legal, HR), predefined escalation paths and rehearsed procedures. Good crisis management shows when the first 60 minutes aren't improvised.
Runbook
A detailed, step-by-step guide for a specific operational situation, such as "primary database server failure" or "suspected ransomware on admin workstation". Runbooks must be written so that someone other than the original author can execute the actions correctly: clear prerequisites, numbered steps, decision points, validations.
IT security
IT security bundles the technical and organisational measures that protect the confidentiality, integrity and availability of systems and data. It is a subset of information security (which also covers non-technical information).
CIA triad
The three classic protection goals of information security: confidentiality (only authorised parties may see the data), integrity (data must not be altered without notice), availability (data and systems must be accessible when needed). The CIA triad is the starting point of any risk analysis: for each asset, you ask how high each of the three goals needs to be.
CIS Controls and CIS Benchmarks
Best-practice catalogues maintained by the Center for Internet Security: the CIS Controls are 18 prioritised security controls; the CIS Benchmarks are product-specific hardening configurations (for Microsoft 365, Windows Server, AWS, Kubernetes and so on). Benchmarks in particular are popular among Swiss SMEs because they're directly actionable and updated regularly.
Zero Trust
A security paradigm based on the principle "never trust, always verify". Instead of assuming the internal network is trustworthy (the classic perimeter model), every access, internal or external, is authenticated, authorised and continuously verified. Zero Trust is not a product but an architecture rolled out over several years.
Multi-factor authentication (MFA)
A login procedure that combines at least two independent factors: knowledge (password), possession (smartphone, hardware token) or inherence (fingerprint, face). MFA is the single most effective measure against password theft; it blocks the vast majority of automated credential attacks. The factors are not equal, though: SMS codes and push approvals can be relayed by a phishing proxy or worn down by repeated prompts, so MFA is best implemented with phishing-resistant FIDO2/passkeys, which bind the login to the genuine origin.
SIEM
A platform that collects, correlates and analyses logs and events from a wide range of sources (firewalls, endpoints, cloud services, applications). A SIEM detects patterns indicating attacks, triggers alerts and supports forensic analysis. Well-known products: Splunk, Microsoft Sentinel, QRadar, Elastic Security. A SIEM without defined use cases and 24/7 monitoring is just an expensive log store.
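One concrete SIEM use case of the kind the entry above says must be defined, and the "failed login attempts per hour" KRI from the risk management section computed from the same events, as an added example that is not part of the glossary or of any SIEM product. The sshd-style log lines are constructed, the five-failures-in-ten-minutes threshold is an assumption, and the escalation rule (a successful login from a source that just produced a burst of failures) is my choice of correlation, not one the page prescribes.

```python
"""Brute-force login detection as a SIEM use case, plus the KRI "failed logins
per hour". Added example, not from the glossary; log lines are constructed and
the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(text: str) -> list:
    """Parse syslog-style sshd lines into events, ignoring lines that don't match."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list:
    """Sliding window per source IP: alert once when failures reach the threshold
    within the window, and escalate if a successful login from the same IP follows."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for e in events:
        q = recent[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if e["result"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in alerted:
                alerted.add(e["ip"])
                alerts.append({"severity": "medium", "ip": e["ip"], "ts": e["ts"],
                               "rule": f"{len(q)} failed logins within {window}"})
        elif len(q) >= threshold:
            alerts.append({"severity": "high", "ip": e["ip"], "ts": e["ts"],
                           "rule": f"successful login for {e['user']} after {len(q)} failures"})
    return alerts


def failed_logins_per_hour(events: list) -> dict:
    """KRI: failed login attempts per hour bucket, to be compared with the escalation threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["ts"].strftime("%Y-%m-%dT%H:00")] += 1
    return dict(counts)


# Constructed log (documentation-range IPs, fictitious hosts and users).
SAMPLE_LOG = """
2025-03-03T07:10:02 vm-web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2025-03-03T07:10:05 vm-web1 sshd[4021]: Failed password for root from 203.0.113.7 port 50123 ssh2
2025-03-03T07:10:09 vm-web1 sshd[4021]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
2025-03-03T07:10:13 vm-web1 sshd[4021]: Failed password for deploy from 203.0.113.7 port 50125 ssh2
2025-03-03T07:10:18 vm-web1 sshd[4021]: Failed password for deploy from 203.0.113.7 port 50126 ssh2
2025-03-03T07:10:22 vm-web1 sshd[4021]: Failed password for deploy from 203.0.113.7 port 50127 ssh2
2025-03-03T07:11:00 vm-web1 sshd[4021]: Connection closed by 203.0.113.7 port 50127
2025-03-03T07:12:40 vm-web1 sshd[4022]: Accepted password for deploy from 203.0.113.7 port 50130 ssh2
2025-03-03T07:15:00 vm-web1 sshd[4023]: Failed password for alice from 198.51.100.9 port 41000 ssh2
2025-03-03T07:16:30 vm-web1 sshd[4023]: Failed password for alice from 198.51.100.9 port 41001 ssh2
2025-03-03T07:20:11 vm-web1 sshd[4024]: Accepted password for alice from 192.0.2.5 port 52000 ssh2
"""

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for a in detect(evts):
        print(f"{a['ts'].isoformat()} [{a['severity']}] {a['ip']}: {a['rule']}")
    print("KRI failed logins per hour:", failed_logins_per_hour(evts))
```

The first alert fires at the fifth failure from 203.0.113.7 and is suppressed for the rest of that burst; the "high" alert is the one worth a 24/7 response, because a success following the burst means the credential guessing worked. Alice's two typos stay below the threshold, which is the false-positive case a use case definition has to state explicitly.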
Identity and Access Management (IAM)
The combined processes and systems that govern which digital identities exist in an organisation and what they may access. IAM covers joiner-mover-leaver processes, role models (RBAC), privileged access management, identity federation (SSO) and access recertification. IAM weaknesses are among the most frequent sources of compliance findings.
Phishing
A social-engineering attack where victims are tricked via forged messages into revealing credentials or executing malicious code. Variants: spear phishing (targeted at specific individuals), whaling (at executives), business email compromise (forged CEO instruction). Technical controls (mail filtering, DMARC, MFA) only work in combination with awareness training.
Ransomware
Malware that encrypts the victim's data and demands a ransom for decryption; modern variants additionally exfiltrate data and threaten publication ("double extortion"). Ransomware attacks on Swiss SMEs and municipalities have risen sharply in recent years. Key defences: tested offline backups, network segmentation, MFA and a realistic playbook.
ISMS and controls
An Information Security Management System is the systematic scaffolding through which an organisation steers information security, not as a one-off project but as a continuous cycle. The terms below are at the hard core of any ISMS under ISO 27001.
ISMS
The management system that steers information security, analogous to a quality management system (QMS) or environmental management system (EMS). It comprises policies, processes, roles, risk management, controls, training, audits and continual improvement (PDCA cycle). A certified ISMS under ISO 27001 is often a prerequisite for doing business with large enterprises or the public sector.
Scope
The precise boundary of which parts of the organisation (sites, business units, services, systems) are covered by the ISMS. A sensibly chosen scope is the decisive lever: too small, the certification is meaningless; too large, the rollout becomes overwhelming. The scope must be justified and documented transparently and is listed on the certificate.
Statement of Applicability (SoA)
The central document of an ISMS under ISO 27001: a list of all 93 Annex A controls stating whether each applies, why (or why not), whether it is implemented and where the evidence lives. The SoA is the first thing a certification auditor looks at; it shows how thoughtfully the organisation has selected its controls. An SoA with "all controls applicable, no exceptions" and no justification per control is a warning sign.
PDCA cycle
The improvement cycle at the heart of every management system: Plan (define goals and measures), Do (implement), Check (test effectiveness), Act (adjust). In practice this means: annual risk reviews, regular audits, management reviews, continual improvement. Without PDCA, an ISMS is just a static document set.
Non-conformity (NC)
A documented deviation from a defined requirement (a standard, an internal policy, a contract). Deviations are split into major (systematic failure, endangers certification) and minor (isolated deviation). Every NC must be followed up with a root cause analysis and corrective action before certification can be renewed.
Switzerland-specific
Switzerland has its own regulatory actors and instruments that don't appear in any international glossary. For Swiss GRC managers, however, these terms are everyday vocabulary.
FDPIC
The Swiss data protection supervisory authority (Federal Data Protection and Information Commissioner), the counterpart of national data protection authorities in the EU (such as the BfDI in Germany). Under the revDPA, the FDPIC has significantly expanded powers: investigations, binding orders, receipt of data breach notifications. Its guidance and fact sheets are the primary interpretive source for the revDPA.
FINMA
The Swiss supervisory authority for banks, insurers, stock exchanges and fund management companies. FINMA circulars impose binding requirements on risk management, IT security and business continuity for supervised institutions; the relevant one for banks is Circ. 2023/1 "Operational risks and resilience", which replaced Circ. 2008/21 "Operational risks, banks" as of 1 January 2024.
Federal Office for Cybersecurity (BACS)
The national cybersecurity authority, created on 1 January 2024 out of the National Cybersecurity Centre (NCSC) and attached to the Federal Department of Defence, Civil Protection and Sport (DDPS). It operates the reporting point for cyber incidents, publishes recommendations and coordinates responses to attacks on critical infrastructure. Under the Information Security Act (ISA), operators of critical infrastructure have been subject to a staggered reporting obligation since 1 April 2025, with an initial report due within 24 hours of discovering an attack.
ICT minimum standard
A guideline published by the Federal Office for National Economic Supply (FONES) that recommends baseline protection for operators of critical infrastructure in Switzerland. Content-wise it's aligned with the NIST CSF, with Swiss-specific adjustments. Not a law, but regularly referenced in tenders and sector standards (electricity, water, transport).
Information Security Act (ISA)
The federal law in force since 1 January 2024 that governs information security at federal authorities and certain operators of critical infrastructure. Since 1 April 2025 it also contains a mandatory reporting obligation for cyber attacks affecting critical infrastructure. The private sector is affected only indirectly, but anyone holding federal contracts must work in line with the ISA.
This glossary is updated regularly. If you're missing a term or would like to add a definition from your own practice, get in touch, we're always happy to receive feedback.