Plain-English definitions of the management terms that recur in CISM study. Simplified for learning; ISACA’s material is authoritative.
| Term | Definition |
|---|---|
| Governance | The strategy, policies and oversight that direct and control security. |
| Business alignment | Ensuring security supports the organisation’s objectives. |
| Risk appetite | The amount and type of risk an organisation is willing to accept in pursuit of its objectives, set by senior management. |
| Risk tolerance | The acceptable variation around the risk appetite for a particular risk; the threshold at which management must act. |
| Residual risk | The risk left after controls are applied. |
| Inherent risk | Risk before any controls are applied. |
| Risk response | Avoiding, transferring, mitigating or accepting a risk. |
| KPI | Key Performance Indicator — measures how well a process or control is performing against its goal. |
| KRI | Key Risk Indicator — a forward-looking measure that signals when exposure is approaching or exceeding tolerance. |
| Policy | A high-level statement of management intent. |
| Standard | Mandatory requirements (for example, required configurations or technologies) that implement a policy. |
| Procedure | Step-by-step instructions to meet a standard. |
| RACI | A responsibility model: Responsible, Accountable, Consulted, Informed. |
| Due care | Acting on known risks: taking the reasonable steps a prudent organisation would take to protect assets. |
| Due diligence | Investigating and understanding risks before acting; the research that due care acts upon. |
| BIA | Business Impact Analysis — identifies critical business functions, their dependencies and the impact of their loss over time; it drives RTO and RPO. |
| RTO | Recovery Time Objective — the target time to restore a function after a disruption. |
| RPO | Recovery Point Objective — the maximum acceptable data loss, expressed as the time between the last recoverable copy and the disruption. |
| Incident response | The organised approach to handling a security incident. |
| Maturity model | A scale used to assess how developed a process is. |
| Third-party risk | Risk introduced by vendors and partners. |
| Gap analysis | Comparing the current state to a desired state. |