Useful UK Security acronyms and terminology

Security has its own set of acronyms and terms. Here’s a list you will find useful for your ISO 27001 and other security work.
Security and IT – Common acronyms

  • Accept (related to risks)
    These are risks you have decided as an organisation to accept. So you may choose to accept that, as a US firm, the government is going to have pretty easy access to your data (ok, this is a little tongue in cheek, but you get the drift). Or you may accept that someone can photograph the screen showing your top secret document.
  • Basic disclosure
    These come from Disclosure Scotland, and aren’t limited to Scotland! It checks for any ‘unspent convictions’ (if you’ve been given a sentence of more than 2.5 years this is an unspent conviction, and must always be declared if you’re asked about your record). If a conviction is for less than 2.5 years, it will eventually be wiped from the public record. http://www.civilandcorporate.co.uk/employment-criminal-record.html http://www.disclosurescotland.co.uk/disclosureinformation/index.htm
  • BPSS Background checks
    The Baseline Personnel Security Standard is a government inspired pre-employment screen. To comply you need:
      • Basic criminal record check
      • Identity check (e.g. passport)
      • Right to work check
      • Address check
      • Verification of 5 year history – via employment and/or qualification checks
  • Controls
  • DBS
    Disclosure and Barring Service (DBS) checks (previously CRB)
  • CHECK tester
    NCSC approved company who provides penetration testing services – see NCSC site
  • CLAS Consultant
  • CRB
    Criminal Records Bureau – See DBS
  • Gap Analysis
    An analysis of where you are and where you want to be according to your SOA.
  • IL2/3
    Old UK government protective marking scheme. IL2 was for pretty sensitive stuff that might cause financial or reputational loss; IL3 when it got more serious. This has now been replaced by Official, Official Sensitive and Secret.
  • ISMS
    Information Security Management System. This is the combination of documented policies, processes and systems describing your approach to information security.
  • ISO27001
    Information security standard, most recent variant ISO27001:2013.
  • ITHC
    IT Health Check – UK government term for third-party technical tests. These can consist of things like pen tests or social engineering tests.
  • Mitigate (related to risks)
    These are risks you have reduced. So you may make your organisation less vulnerable to viruses by enforcing virus scanning. This mitigates (lowers) the risk.
  • NCSC
    National Cyber Security Centre.
  • RMADS
    Risk Management and Accreditation Document Set. A Lightweight RMADS is required for OFFICIAL; a Full RMADS is required for SECRET/TOP SECRET. This is a UK government standardised process, which generates a document including things like a description of your service, residual risks, the RTP and a threat assessment.
  • Residual Risk Statement
    Risks you have accepted or rejected.
  • Risk Register
    A list of risks you have assessed.
  • RTP
    Risk Treatment Protocol. A list of your risks, and what you’re going to do about them.
  • SoA – statement of Applicability
    A list of the controls you have chosen to adopt, e.g. ‘Physical entry controls: Secure areas shall be protected by appropriate entry controls’. This will be a long list.
  • Security Screening
    How you ensure people, and often suppliers, are secure. In the UK there is BPSS.
  • Social engineering
  • Stance
    What it says! A common term used in security circles for your position relating to security.
  • SyOps
    System operator manuals related to security processes and protocols.

Got more? Let us know!