Glossary
Definitions of key terms used throughout KaitoSec.
This glossary explains the terms you will encounter while working with KaitoSec.
Core records
These are the primary records you create and manage in KaitoSec.
Asset
An item you protect, such as an application, service, data store, network, or business process.
Requirement
A control requirement from a standards catalog that you review for applicability to your organization.
Risk
A threat scenario with assessed likelihood, impact, and a defined treatment strategy.
Control
A security measure that reduces risk and maps to one or more requirements from your applicable catalogs.
Finding
An issue identified during an audit or review that requires corrective action.
Improvement
A tracked action that addresses findings or raises the maturity of your controls.
Catalog
A structured collection of security requirements from a standard or framework, such as ISO 27001 Annex A or the BSI IT-Grundschutz Compendium.
Statement of Applicability (SoA)
A document that lists every control from your chosen catalog, states whether each control applies to your organization, and justifies both inclusions and exclusions (ISO 27001 requires a justification for included controls as well as for excluded ones, not only for exclusions).
Governance and organization
These terms define ownership, boundaries, and recurring processes in your ISMS.
Scope
The organizational boundary that defines what your ISMS covers, including entities, locations, and systems.
Entity
A legal or organizational unit inside your tenant, such as a subsidiary or department.
Responsible
The person who owns a task, record, or review activity within the ISMS and answers for its completion.
Policy sign-off
A confirmation workflow where designated individuals formally acknowledge and accept an information security policy.
PDCA Cycle
The Plan-Do-Check-Act cycle is the continuous improvement model underlying the ISO 27001 management system. You plan your ISMS, implement it, monitor and measure its effectiveness (including internal audits), and act on lessons learned.
Treatment Strategy
The approach chosen for handling a risk: mitigate (reduce), accept, transfer (share with a third party), or avoid (eliminate the activity).
Residual Risk
The level of risk that remains after controls and treatment measures have been applied. Residual risk must be formally accepted by its risk owner and the acceptance recorded; ISO 27001 requires documented acceptance of residual risks rather than assuming they are covered.
Awareness Campaign
A structured effort to educate employees about information security policies, threats, and their responsibilities.
Vendor Assessment
An evaluation of a third-party supplier's security posture, typically conducted as part of supply chain risk management.
