GRC Glossary
Gain insight into some of the essential foundational concepts necessary to navigate the GRC landscape effectively and understand RISMA’s governance, risk, and compliance approach.
The Act on Strengthened Preparedness covers Denmark's energy sector and enforces the EU’s NIS2 Directive and CER Directive. It sets stricter standards for cybersecurity, physical security, risk assessment, incident management, and contingency planning for electricity grid operators, heating suppliers, and gas distributors. The goal is to guarantee supply security and defend against rising cyber and physical threats in this vital sector.
ABC stands for Anti-Bribery and Corruption. The term refers to the policies, procedures, and measures an organization implements to prevent, detect, and address bribery and corrupt practices. These efforts may be grounded in international and national legislations to promote ethical business practices and ensure that organizations operate with integrity.
The EU AI Act (Artificial Intelligence Act) is a regulation designed to ensure that artificial intelligence is developed and used safely, ethically, and with respect for individuals’ rights. The regulation takes a risk-based approach. The AI Act applies to anyone who develops, provides, or uses AI in the EU and came into effect in July 2024, with gradual implementation through 2026. Organizations must map their AI systems, document compliance, inform users, and supervise their suppliers.
AML stands for Anti-Money Laundering. It describes the process of preventing, identifying, and reporting suspicious financial transactions that may indicate money laundering activities. These efforts are rooted in various legislations—both international and national—aimed at preventing criminals from exploiting the financial system to launder money and finance terrorism.
Annex A is an integral part of the ISO 27001 standard, listing a series of classified security controls that organizations must use to demonstrate compliance with the standard. Annex A contains 93 controls divided into four categories:
- Organizational
- People
- Physical
- Technological
Based on these controls, the Statement of Applicability (SoA) is created, detailing how each control is implemented, adjusted, or excluded. Annex A and the SoA are, therefore, closely connected.
Article 13 is part of the EU's General Data Protection Regulation (GDPR) and specifies the information that the data controller must provide when personal data is collected directly from the data subject. This includes, among other things:
- The identity and contact details of the data controller
- The purposes of the processing and the legal basis
- Recipients and any further purposes
- Retention period
- The rights of the data subject and avenues for lodging complaints
The information must be actively provided to the data subject and not merely made available on a website. If personal data is subsequently used for a new purpose, the data subject must be informed before the processing begins.
Article 15 is part of the EU's General Data Protection Regulation (GDPR) and focuses on the data subject's right of access to their personal data. The right of access allows the data subject to request and review the personal data an organization processes about them, as well as obtain information about the data processing activities. The purpose of Article 15 is to promote transparency in data processing and ensure greater control for the data subject.
Article 16 is part of the EU's General Data Protection Regulation (GDPR) and gives the data subject the right to have personal data rectified. This means that an individual can have incorrect information corrected and incomplete information completed by the data controller. The organization must handle requests promptly and efficiently, and if the information has already been shared with third parties, they must be informed of the corrections, unless this is impossible or would require disproportionate resources.
Article 17 is part of the EU's General Data Protection Regulation (GDPR) and gives the data subject the right to have their personal data erased under certain circumstances. This applies, among other things, if the data is no longer necessary, consent is withdrawn, the processing is unlawful, or there is a legal obligation to erase the data.
The organization must act without undue delay, verify the identity of the data subject, inform any third parties, and take into account exceptions such as freedom of expression, public interest, or legal claims.
Article 18 is part of the EU's General Data Protection Regulation (GDPR) and gives the data subject the right to restrict the processing of their personal data so that it is not used for a specific purpose. This right applies in the following situations:
- There is doubt about whether the information is accurate.
- The processing is unlawful, but the data subject does not want the data to be erased.
- The organization no longer needs the information, but the data subject requires it for a legal claim.
- The data subject has lodged an objection that is still under consideration.
Article 19 is part of the EU's General Data Protection Regulation (GDPR) and requires the data controller to notify all recipients of personal data when the data is rectified, erased, or processing is restricted, unless this is impossible or would require disproportionate effort. The data subject can request information about who has been notified.
The purpose is to ensure that all recipients of personal data are updated with changes, promoting transparency and accurate processing. Organizations must be able to identify recipients, notify them effectively, and document the process to comply with this requirement.
Article 20 is part of the EU's General Data Protection Regulation (GDPR) and concerns the data subject's right to data portability. This right allows the data subject to receive a copy of the personal data they have provided to the organization. The data must be delivered in a commonly used and machine-readable format.
Additionally, Article 20 enables the data subject to request that the data be transferred directly to another data controller without obstruction, provided it is technically feasible.
Article 21 is part of the EU's General Data Protection Regulation (GDPR) and gives the data subject the right to object to the processing of their personal data under certain circumstances. The data subject can object to processing based on legitimate interests or public interest, to profiling, and to direct marketing, where the right is unconditional. When an objection is made, the data controller must assess whether the processing can continue based on legitimate grounds that outweigh the data subject’s interests. At the same time, the data subject must be clearly informed of their right to object at the first point of communication, so they can exercise control over their data from the outset.
Article 22 is part of the EU's General Data Protection Regulation (GDPR) and aims to protect individuals from automated decisions that have legal or significant effects, without human intervention.
Article 30 is part of the EU's General Data Protection Regulation (GDPR) and aligns with the regulation's emphasis on accountability. The article establishes the requirement for data controllers to maintain a record of their organization's processing activities. Similarly, data processors must maintain a record of the processing activities they perform on behalf of a data controller.
Article 32 is part of the EU's General Data Protection Regulation (GDPR) and focuses on the security of personal data processing for data controllers and processors. It requires organizations to implement technical and organizational security measures appropriate to the risks associated with data processing.
The article also specifies that personal data must only be processed by authorized personnel acting under the instructions of the data controller or data processor or in accordance with national or EU legislation. The goal is to ensure a high level of security and protection for personal data.
CER stands for Critical Entities Resilience and is an EU directive aimed at strengthening the resilience of critical societal functions in Europe. The directive focuses on ensuring that the covered entities document and maintain a high level of physical resilience and organizational preparedness.
CIS18, also known as the Center for Internet Security’s 18 Controls, is a framework of specific security controls developed to enhance cybersecurity in organizations worldwide. The controls provide detailed guidance on identifying, prioritizing, and implementing security measures to protect organizational data and systems.
Compliance refers to complying with the applicable laws, standards, and requirements that govern an organization – such as industry-specific standards, the GDPR, and ethical norms.
The goal of compliance is to ensure that an organization avoids breaches of these rules, thereby upholding high-quality standards, building stakeholder trust, and enhancing transparency in its operations. Compliance is an ongoing process that demands continuous vigilance and adaptation to new regulations or changing business conditions.
Compliance culture is about embedding compliance into the fabric of the organization so that it becomes a natural part of everyday operations. It’s not just about processes but about building a shared mindset where everyone acts responsibly and ethically, regardless of the situation.
When compliance becomes part of the culture, it strengthens the organization’s ability to minimize risks and ensure sustainable and effective compliance with laws and standards. A strong compliance culture forms the foundation for full compliance.
Compliance excellence is an organization’s ability to adhere to laws and regulations consistently. It unites risk management and compliance in a single strategy, making it easier to navigate complex regulations such as NIS2 and DORA through a flexible and scalable approach.
The goal is to create a culture where compliance is not a burden, but an integrated part of the business. It is about building trust, reducing risks, and strengthening resilience. Compliance excellence is based on proactive processes, automation, continuous monitoring, and clear ownership, enabling the organization to quickly adapt to new requirements and changes in the risk landscape.
Contract management is the comprehensive process of managing an organization's contracts from inception to completion. This process involves drafting contracts, negotiating terms, fulfilling contractual obligations, renegotiating agreements when necessary, and formally closing legally binding documents. The objective is to streamline contract administration and enhance value creation by ensuring that contracts align with the organization's overall business strategy and goals.
COSO is an international framework for the development, implementation, and evaluation of internal controls. The framework is based on five key components: control environment, risk assessment, control activities, information and communication, and monitoring. COSO helps organizations achieve their objectives, reduce risks, and ensure compliance.
CSDDD stands for Corporate Sustainability Due Diligence Directive. It is an EU directive that imposes obligations on organizations to perform due diligence on environmental and human rights issues.
In practice, this means that organizations subject to the directive must implement due diligence processes related to their activities and value chains to identify, prevent, and mitigate negative impacts on human rights and the environment. The directive aims to ensure that certain companies are held accountable for their societal and environmental impacts through binding legal obligations rather than mere recommendations.
CSR, which stands for Corporate Social Responsibility, describes an organization's efforts to integrate social and environmental considerations into its daily operations. Through a well-defined CSR strategy, an organization sets goals and implements initiatives that positively contribute to society and the environment. This approach is crucial for achieving sustainability goals and plays a vital role in enhancing the company's reputation and long-term success.
CSRD stands for Corporate Sustainability Reporting Directive, and it is an EU directive that establishes a range of requirements for companies’ sustainability reporting. The aim of the directive is to standardize reporting processes and enhance transparency in sustainability across Europe, making it easier for investors, suppliers, and customers to understand and evaluate an organization's sustainability efforts.
Cyber resilience is about an organization’s ability to withstand, absorb, adapt to, and quickly recover from security incidents, whether caused by cyberattacks, technical failures, or human errors.
It is a strategic discipline that connects IT security, risk management, and business to protect operations, customer trust, and the organization’s reputation.
The data controller is the person or organization that bears the primary responsibility for the personal data that is collected and processed. This means that the data controller is responsible for ensuring that the processing complies with GDPR.
The data controller determines, among other things:
- The purpose for which personal data is collected and used
- How the data is processed in practice
- Who has access to process the data
If a data subject wishes to exercise their rights, such as access or deletion, the request is directed to the data controller.
Data ethics focuses on the responsible and careful collection, processing, and use of data. In addition to ensuring compliance with the law, data ethics entails a deep respect for individuals’ data, recognizing its value and safeguarding its protection. This principle should not merely be viewed as a legal obligation but should be embedded as a core value within the company’s culture from management to every employee.
Data minimization is a principle of GDPR that emphasizes that personal data should only be collected and processed when necessary for a clearly defined purpose. According to GDPR Article 5(1)(c), data must be relevant and limited to what is necessary in relation to the purpose, and organizations must avoid collecting unnecessary information.
Data governance is a strategic and operational discipline aimed at controlling and managing an organization’s data resources. The primary purpose of data governance is to maximize the value of data and ensure that data is used both effectively and responsibly. It includes the overall control of availability, usability, integrity and security of the data used in an organization.
A data processor is an external person, company, or organization that processes personal data on behalf of a data controller. The data processor acts according to the instructions of the data controller and does not have authority over the purpose or means of the processing. The data processor is responsible for ensuring that the processing is carried out in compliance with GDPR and respects the rights of the data subject.
A retention policy outlines guidelines and procedures for handling personal data from collection to deletion. It should specify deletion timelines, methods, and confirmation processes. By using deletion policies and procedures, you ensure that you do not inadvertently store data that should have been deleted.
DORA, Digital Operational Resilience Act, is an EU regulation aimed at strengthening the digital operational resilience of the financial sector and providers of information and communication technology (ICT services). The regulation focuses on safeguarding the financial sector’s critical infrastructure by mandating supplier management and regular threat-based assessments, thereby ensuring enhanced protection of information systems.
The DORA Information Register, or Register of Information, is a mandatory register of ICT third-party providers that financial organizations under DORA must establish and maintain. The register documents contractual agreements and shows how providers’ services support the organization’s critical functions.
The purpose is to provide both the organization and regulators with a clear overview of dependencies and risks related to ICT third-party providers.
The concept of 'double materiality' embodies the idea that organizations not only impact the environment and society (Impact Materiality), but also that sustainability risks can financially affect the organization (Financial Materiality).
The Corporate Sustainability Reporting Directive (CSRD) requires companies to integrate the double materiality principle into their reporting to provide transparent and reliable insight into how their activities impact the environment and society, as well as the sustainability risks they face.
DPIA stands for Data Protection Impact Assessment, a mandatory process under the EU’s General Data Protection Regulation (GDPR). It is a process that helps organizations identify and mitigate data protection risks that may affect an individual's privacy.
DPO stands for Data Protection Officer. The DPO's role is to advise and monitor the data controller's compliance with the General Data Protection Regulation. While all public authorities are required to appoint a DPO, private companies are only obligated to do so if they meet specific conditions related to the processing of personal data.
EBA, or the European Banking Authority, is an EU authority responsible for ensuring consistent regulation and supervision of the banking sector across EU member states. Its objective is to promote financial stability and efficiency.
EIOPA, or the European Insurance and Occupational Pensions Authority, is an EU authority whose mission is to protect the public interest by contributing to the stability and effectiveness of the financial system for the EU’s economy, citizens, and businesses. This is achieved through regulation and supervisory practices.
ESG, which stands for Environmental, Social, and Governance, represents an approach where organizations assess and improve their sustainability efforts across these three key areas. This method is used, among other things, in relation to the CSRD, enabling organizations to quantify and communicate their sustainable contributions and impact within the areas of environment, social responsibility, and good corporate governance.
An ESG report provides a detailed and transparent overview of an organization’s performance across environmental, social, and governance aspects. It enables comparison and assessment of sustainability initiatives across companies and sectors. Through the report, the organization’s core values, culture, and sustainability strategy are showcased, offering stakeholders insight into how ESG-related risks and opportunities are managed.
ESRS, or European Sustainability Reporting Standards, developed by EFRAG, sets the framework for how companies must report on their sustainability efforts. The standards include 12 topics covering environmental, social, and governance areas, and require companies to disclose their strategy, targets, and value chains in relation to cross-cutting matters, as well as define materiality.
Overall, the 12 ESRSs cover the following:
- General principles for sustainability reporting
- General disclosure requirements
- Specific disclosure requirements focusing on 10 ESG topics
The EU Green Deal is a set of initiatives aimed at enabling a 55% reduction in CO2 emissions by 2030 (compared to 1990 levels) and achieving climate neutrality. The European Green Deal aims to increase resource efficiency by moving to a clean, circular economy, halting climate change, reversing biodiversity loss, and reducing pollution.
The EU taxonomy is part of the EU’s climate strategy aimed at achieving climate neutrality by 2050. It introduces a unified classification system that defines which economic activities are considered environmentally sustainable. This creates a standardized approach to defining sustainability, making it easier for companies to demonstrate and communicate their sustainability efforts.
Financial controls are safeguards established to ensure effective, robust, and reliable financial reporting while mitigating the risk of material errors. They are relevant for both large and small businesses, and there are several reasons to maintain a strong control environment and practical tools in this area.
Financial Materiality refers to the aspects of an organization’s activities that have a significant impact on its financial performance. This can include a wide range of factors, from operational and legal risks to environmental and social consequences.
A gap analysis is a systematic assessment that compares an organization’s current state with a desired future state to identify the differences between the two. The purpose is to reveal where the organization lacks resources, processes, and competencies to achieve its goals, and which measures need to be implemented to close the gaps.
In the context of compliance, a gap analysis can identify differences between applicable requirements and the organization’s current practices. It can help highlight areas where controls or activities are missing, while also providing a basis for prioritizing actions so the organization can ensure compliance with laws and internal regulations.
GDPR stands for General Data Protection Regulation. GDPR strengthens individuals’ rights over their personal data and places responsibility on organizations to ensure secure data processing and protection. Organizations are required to meet specific data protection obligations and demonstrate compliance by documenting that their internal procedures and policies align with GDPR requirements.
Governance, also known as corporate governance, refers to the rules, structures, processes, and guidelines that form the foundation of how a company is operated and managed. It includes principles related to ethics, risk management, compliance, and effective administration, with the aim of ensuring responsible decision-making, accountability, and transparency throughout the organization.
GRC stands for Governance, Risk, and Compliance, representing a holistic approach to managing and aligning governance, risk management, and regulatory compliance within an organization. It involves setting objectives, defining strategy, and making decisions (governance), assessing potential risks (risk), and ensuring adherence to laws and regulations (compliance) — all to safeguard organizational integrity and promote efficient operations.
GRC maturity (Governance, Risk, and Compliance maturity) refers to an organization's ability to effectively manage and integrate governance, risk management, and compliance into its processes. It concerns how well an organization has developed its methods and systems to ensure that these areas are structured, consistent, and aligned with relevant regulations and guidelines.
A GRC strategy is a unified and integrated approach to Governance, Risk, and Compliance in an organization. It ensures that the organization steers its decisions, manages risks, and complies with laws and internal rules in a coordinated and effective way.
Without a unified strategy, these functions often operate in silos and inefficiently. The GRC strategy harmonizes these areas and provides a comprehensive overview, enabling the organization to act more proactively and purposefully.
ICT stands for Information and Communication Technology, encompassing all technological solutions and services that enable the processing, transmission, and sharing of information digitally. ICT services are the foundation of digital operations, and any failure can have serious consequences for a business’s functionality and security.
Impact Materiality is a key component of the broader ESG approach, focusing on how an organization’s activities impact various external factors, such as climate change, human rights, labor rights, corruption, and other related issues. It emphasizes the organization’s responsibility to assess and report on its social and environmental impact, in addition to its financial performance.
Incident management is a critical process that involves a structured approach to identifying, reporting, assessing, handling, and learning from incidents within an organization. This process involves establishing clear guidelines and policies to ensure a swift and effective response, aiming to minimize damage and downtime while enhancing overall security measures.
Information security is about protecting information from unauthorized access, alteration, or deletion, whether intentional or accidental. It involves tools and processes related to physical security, data encryption, networks, systems, testing, and auditing.
The goal is to ensure the confidentiality, integrity, and availability of information.
Internal controls are implemented to ensure effective operations, reliable reporting, compliance, and asset protection. The purpose is to manage risks, prevent errors, and build confidence in the organization’s activities.
Controls can be divided into different types:
- Preventive controls: access management, segregation of duties, and authorizations that prevent errors or misuse before they occur.
- Detective controls: reconciliations, log reviews, or manual checks that identify errors or irregularities after they have occurred.
- Automated controls: enhance operational reliability and reduce the risk of human error.
- Manual controls: provide flexibility and allow for nuanced assessments, but often require more resources.
An ISAE 3000 report is an auditor’s statement that documents an organization’s implementation of the necessary procedures and controls to comply with data protection regulations and their security requirements.
ISAE 3402 is an international standard used for auditing an organization’s IT controls. The report serves as evidence that the organization complies with all applicable legal requirements related to IT security and demonstrates good IT practices.
ISMS, or Information Security Management System, is a structured approach to managing information security that integrates processes, technology, and personnel to protect an organization’s information through effective risk management.
ISO 27001 is commonly used as a foundation for information security efforts. While the standard does not prescribe specific security measures, it provides a framework of best practices to safeguard data both internally and externally.
ISO 9001 is an international standard for quality management that helps organizations improve efficiency and ensure that products and services meet customer expectations. The standard is based on a structured approach to planning, controlling, and continuously improving processes to reduce errors and enhance quality.
It is built on seven principles, including customer focus, leadership, employee engagement, process optimization, and continuous improvement – all of which strengthen an organization’s ability to deliver high quality and remain competitive.
ISO 14001 is an international standard that helps organizations establish and improve their environmental management. The purpose is to reduce environmental impacts and ensure compliance with legislation.
The standard supports the identification of environmental risks and opportunities, as well as ensuring compliance with relevant environmental regulations.
ISO 27001 is an international standard that forms the foundation for an effective information security management system. The standard focuses on best practices and guidelines for managing information security both internally and externally.
The purpose of ISO 27001 is to protect the confidentiality, integrity, and availability of an organization’s information.
ISO 27002 is an international standard that guides information security controls and best practices to protect organizations’ information.
The standard includes 93 recommended measures covering policies, processes, procedures, organizational structures, and technical solutions within organizational, behavioral, physical, and technological security.
ISO 27002 supports the implementation of ISO 27001 by offering detailed guidance on how to select and implement appropriate information security controls. In other words, ISO 27001 defines the framework and requirements for an information security management system, while ISO 27002 serves as a practical toolbox that helps organizations translate the requirements into concrete actions and controls.
ISO 27701 – the privacy protection standard – is an extension of ISO 27001. It introduces specific workflows and measures that enhance privacy protection within an organization. Focusing on aspects such as data classification, access control, risk assessment, and incident management, ISO 27701 serves as a practical tool to support compliance with GDPR.
ISO 45001 is an international standard for occupational health and safety management that helps companies prevent workplace accidents and illnesses. It provides a structured framework for reducing risks, improving employee well-being, and increasing workplace safety.
ISO standards are international benchmarks that provide organizations with a practical framework across various areas, including finance, social responsibility, and the environment. Implementing an ISO standard within an organization means standardizing processes and procedures, ensuring consistency and quality in task execution.
An IT security policy is the foundation of an organization’s overall security efforts. It sets clear guidelines, procedures, and security measures to protect the organization’s assets and information.
The policy covers technology, behavior, and organizational initiatives and defines responsibilities so that all employees are engaged in achieving the organization’s IT security goals.
Legal bases for processing are the lawful grounds an organization can choose to rely on when processing personal data under the GDPR. For data processing to be lawful, at least one valid legal basis must apply and fit the specific processing activity.
The GDPR defines six main legal bases for processing:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public interest or exercise of official authority
- Legitimate interests
LIA stands for Legitimate Interests Assessment. An LIA is conducted to document the balancing test that an organization is required to perform when it intends to process personal data based on the legitimate interests legal basis.
NFRD stands for the Non-Financial Reporting Directive. It was an EU directive requiring large EU companies with more than 500 employees, including publicly listed companies, insurance firms, and banks, to disclose non-financial and diversity information related to ESG (environmental, social responsibility, and corporate governance).
NFRD has since been replaced by the CSRD (Corporate Sustainability Reporting Directive), which revises and strengthens the current requirements for corporate sustainability reporting.
NIS2 is an updated version of the original NIS Directive (also known as the Network and Information Security Directive). Focused on enhancing cybersecurity and protecting critical infrastructures and services, NIS2 broadens its scope to include a wider range of sectors and companies.
NIS2 requires both public authorities and private companies to implement technical, operational, and organizational security measures to manage the risks threatening their information systems and networks effectively.
NSIS stands for National Standard for Identity Assurance Levels. NSIS is the Danish implementation of the European eIDAS Regulation, designed to ensure that EU citizens can access public systems across member states. NSIS plays a crucial role in identity solutions such as MitID, MitID Erhverv, and NemLog-in, as well as various decentralized solutions.
OHS, or Occupational Health and Safety, refers to the practices and policies that aim to ensure a safe and healthy work environment for employees by preventing work-related injuries and illnesses.
Omnibus is an EU legislative package from 2025 that consolidates and adjusts existing sustainability rules such as CSRD, CSDDD, the Taxonomy Regulation, and ESRS. Its purpose is to make the requirements more practical and reduce administrative burdens, especially for smaller companies. The package does not change the EU’s overall sustainability goals but simplifies reporting, due diligence, and technical standards, making it easier for companies to comply with the rules.
The legislative package aims to:
- Simplify and harmonize requirements in existing sustainability rules
- Postpone reporting obligations for certain types of companies
- Reduce duplicate work in data collection and reporting
- Make technical standards more practical and usable
- Coordinate requirements across CSRD, CSDDD, and the Taxonomy Regulation
Policy management is the process of creating, maintaining, and ensuring compliance with policies within an organization. The purpose of policy management is to ensure that the organization's actions align with its values, goals, legal requirements, and industry standards.
Privacy by Design is an approach where the protection of personal data is considered from the very beginning in systems, processes, and policies. The goal is to make data protection an integrated part of an organization’s culture and operations. This means organizations must consider how personal data is processed, stored, and protected right from the start.
Privacy by Design is a core requirement under the GDPR, obligating organizations to protect personal data proactively and systematically.
QMS, or Quality Management System, is a structured framework of procedures and processes designed to enhance the efficiency and quality of an organization’s products, services, and operations.
Risk appetite describes the amount of risk an organization is willing to accept to achieve its objectives. The concept is used in risk management to define frameworks for decision-making, risk handling, and control activities, allowing the organization to balance opportunities and risks in a structured manner.
A risk assessment is a process through which organizations identify, analyze, and evaluate risks associated with their operations or a specific activity. The purpose of assessing these risks is to understand the likelihood of undesirable events occurring and to determine the potential consequences if the organization is unable to prevent them.
Risk management is the process of identifying risks, assessing their potential impact, and determining the most effective way to address them within an organization. It equips the organization with strategies to balance risk-taking with risk mitigation, with the overall goal of preventing or minimizing potential events that could reduce revenue, lead to insolvency, or damage the organization’s reputation.
Security by design involves integrating security from the beginning as a fundamental aspect of system design, workflows, and decision-making. This encompasses everything from IT system development to access control and risk assessments.
SFDR stands for Sustainable Finance Disclosure Regulation and is an EU regulation that provides specific guidelines regarding the disclosure obligations of financial market participants and financial advisors in relation to the integration of environmental, social, and governance (ESG) factors.
The disclosure requirements are designed to help investors understand how financial institutions approach sustainability, ensuring a stronger basis for informed decision-making before investing.
The EU’s Sustainable Finance Package (SFP) is a set of measures designed to support sustainable financing and investment in Europe. The SFP is an integral part of the EU’s strategy to achieve its climate goals. It should be seen as a step toward transforming the financial sector into a key driver of growth in the sustainable economy within the EU.
SoA stands for “Statement of Applicability” and is an integral and essential part of the ISO 27001 standard for information security. The SoA document is a mandatory list of the control measures specified in the standard. It serves as the link between risk assessment and risk treatment by documenting the organization's current level of information security, as well as the controls that have been selected or excluded during the process.
Supply Chain Management involves evaluating, managing, and monitoring an organization’s relationships with external suppliers to ensure their products and services meet established quality and safety standards. This process includes everything from initial due diligence and supplier selection to ongoing evaluation and risk management of the business relationships.
TIA stands for "Transfer Impact Assessment". In practice, it is an assessment that must be carried out by the parties involved in transferring personal data from a country within the EU/EEA to a country outside the EU/EEA. The parties are referred to as the data importer and the data exporter.
Third-Party Risk Management (TPRM) is an integral part of an organization's overall risk management strategy and contributes to supply chain security. This process focuses on identifying, assessing, and managing the risks associated with entering into business relationships with third parties such as suppliers, distributors, subcontractors, service providers, and partners.
The UN Sustainable Development Goals consist of 17 specific goals and 169 targets. They commit the 193 UN member states to fighting poverty and hunger, reducing inequality, ensuring education, health, decent jobs, and sustainable growth.
The aim is to recognize that social, economic, and environmental development, peace, security, and international cooperation are all interconnected.
VSME, or Voluntary Reporting Standards for SMEs, is a voluntary sustainability reporting standard specifically designed for small and medium-sized enterprises. EFRAG developed it to help smaller companies document sustainability efforts, improve ESG performance, and adapt to future ESG regulations. VSME provides a structured approach for reporting on ESG initiatives, while remaining flexible enough to accommodate the diverse business models and capabilities of SMEs.
The Transparency Act or Åpenhetsloven is a Norwegian law that gives consumers the right to request documentation showing that human rights and working conditions for all workers in the production chain are respected and upheld. This law obligates companies to account for the conditions underlying the production of the goods purchased by consumers.