Glossary

A reference of key terms used throughout the StickSecure platform and documentation.

Maturity Assessment / Gap Assessment

An evaluation of your organisation's current cybersecurity posture against a chosen framework. It identifies the gaps between your current maturity level and your target state.

Control / Control Set / Category

A control is a specific security requirement or practice defined by a framework (e.g. "Access control policy"). Controls are grouped into categories (e.g. "Access Control"), and a complete collection of categories and controls for a framework is called a control set.

Framework

A structured set of guidelines and best practices for managing cybersecurity risk. Examples include ISO 27001:2022, NIST CSF, PCI DSS v4.0, SOC 2, and the Essential Eight.

Evidence / Evidence Type

Evidence is any document, screenshot, configuration export, or scan result that demonstrates compliance with a control. An evidence type categorises the nature of the evidence (e.g. policy document, configuration screenshot, audit log).

Risk / Risk Treatment

A risk is a potential event that could negatively affect your organisation's information security. Risk treatment is the strategy chosen to address a risk: Accept, Transfer, Reduce, or Avoid.

Vulnerability / CVSS / VRT

A vulnerability is a weakness in a system that could be exploited. CVSS (Common Vulnerability Scoring System) is the industry-standard method for rating the severity of vulnerabilities on a numerical scale. VRT (Vulnerability Rating Taxonomy) is Bugcrowd's classification system for categorising vulnerability types.

Benchmark / CIS Benchmark

A benchmark is a standardised set of configuration checks for a specific platform or service. CIS Benchmarks are published by the Center for Internet Security and define best-practice configurations for cloud providers, operating systems, and applications.

Scope / Finding

In penetration testing, scope defines the systems, networks, or applications that are authorised for testing. A finding is a specific vulnerability or issue discovered during testing.

SOA (Statement of Applicability)

A document required by ISO 27001 that lists all controls from the standard and states whether each is applicable to the organisation, along with justification for any exclusions.

Non-conformity / Observation

In an internal audit, a non-conformity is a failure to meet a requirement of the standard. An observation is a noted area for improvement that does not constitute a formal non-conformity.

GRC (Governance, Risk, and Compliance)

The integrated approach to managing an organisation's governance structures, risk management processes, and compliance with laws, regulations, and standards. StickSecure is a GRC platform.

Note

Articles in this section are being written. Check back soon or contact support@sticksecure.ai.