TPCRM :
Third-Party Cyber Risk Management (TPCRM) is a strategic process designed to identify, assess, and mitigate cybersecurity risks originating from an organization's external ecosystem (vendors, partners, subcontractors).
TPRM :
Third-Party Risk Management is a comprehensive discipline covering all potential risks a third-party partner may pose to an organization, including financial, legal, operational, reputational, and cybersecurity risks.
Vendor Risk :
The potential threat that a service provider poses to an organization, whether through service interruption, financial failure, or a security breach impacting business continuity.
Vendor Audit :
A formal verification process to ensure a provider complies with defined requirements (contractual, security, or regulatory). It can be conducted via documentation, on-site visits, or automated scoring tools.
Cyber Score :
A numerical performance indicator used to evaluate an organization's cybersecurity maturity and posture, often based on the analysis of its external attack surface.
Vulnerability :
A weakness or flaw in an information system, process, or internal control that can be exploited by a threat to compromise data confidentiality, integrity, or availability.
Tenant :
In Cloud computing (SaaS), a tenant is an isolated instance of an application or software infrastructure dedicated to a specific customer, ensuring their data remains inaccessible to others.
Pentest :
Short for "Penetration Test." A simulated real-world cyberattack conducted by security experts to identify exploitable vulnerabilities in a system before actual attackers find them.
Due Diligence :
The set of reasonable investigations conducted by a company before entering into a contract with a third party to ensure its financial stability, ethical compliance, and cybersecurity level.
Human Risk :
The probability that an error, negligence, or malicious action by an individual (employee or contractor) will result in a security incident, such as phishing or credential loss.
CTI :
Cyber Threat Intelligence (CTI) involves collecting and analyzing information about current and future cyberattacks to anticipate threat actor tactics and strengthen defenses.
NIS2 :
A European directive aimed at harmonizing and strengthening cybersecurity for critical and important entities within the EU by imposing strict risk management and incident reporting obligations.
DORA :
The Digital Operational Resilience Act is an EU regulation targeting the financial sector to ensure banks, insurance companies, and their critical IT providers can withstand and respond to ICT disruptions.
ISO 27001 :
The international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).
CRA :
The Cyber Resilience Act is a European regulation that sets standardized security requirements for products with digital elements (hardware and software) placed on the EU market.
NIST :
The National Institute of Standards and Technology. A US agency that provides widely used cybersecurity frameworks (such as the NIST CSF) to structure defense strategies.
CIS :
The Center for Internet Security. A nonprofit organization that issues "CIS Controls," a prioritized list of essential actions to secure systems and networks.
HDS :
Hébergeur de Données de Santé. A mandatory French certification for any entity hosting personal health data, ensuring high levels of protection and confidentiality.
Shadow IT :
The use of software, Cloud services, or hardware by employees or departments without the formal approval or oversight of the IT department (CIO).
EASM (External Attack Surface Management) :
The continuous process of identifying, monitoring, and securing an organization's internet-facing assets (domains, IPs, certificates) to reduce entry points for attackers.
Remediation (MTTR) :
Remediation is the action of fixing a security vulnerability. MTTR (Mean Time To Remediate) measures the average time taken to resolve a flaw once detected.
GRC :
Governance, Risk, and Compliance. An integrated approach to aligning IT with business goals while managing risks and meeting regulatory requirements.
OIV :
Opérateur d'Importance Vitale (Operator of Vital Importance). A French designation for organizations whose disruption would seriously impact national security or survival.
OSE :
Operator of Essential Services (OES). An entity providing a service essential to the economy or society, subject to enhanced security obligations under the NIS directive.
CISO (RSSI) :
The Chief Information Security Officer (RSSI in French) is the executive responsible for defining and implementing an organization’s digital security policy.
IS / ISS :
An Information System (IS) refers to all of an organization's digital resources. Information Systems Security (ISS) refers to the measures implemented to protect them.
MFA :
Multi-Factor Authentication. A security method requiring at least two different pieces of evidence (e.g., password + SMS code) to verify a user's identity.
SSP (Security Assurance Plan) :
A contractual document (Plan d'Assurance Sécurité in French) where a provider details the technical and organizational measures implemented to ensure the security of their services.
PCI-DSS :
Payment Card Industry Data Security Standard. A set of security controls mandatory for all entities that store, process, or transmit credit card data.
Certification :
Official recognition by an independent third party that a company, process, or product meets a specific security standard (e.g., ISO 27001, SOC 2).
Supply Chain :
In cybersecurity, the network of software and hardware providers that can be targeted to reach a final organization through a "supply chain attack."
Continuous Rating :
An automated and real-time evaluation of an organization's cyber posture, providing ongoing visibility as opposed to a one-time, point-in-time audit.
Data Breach / Data Leak :
A data breach is an incident where data is stolen or accessed illegally. A data leak usually refers to the accidental exposure of data on the internet.
Shadow Vendors :
Third-party providers or SaaS solutions used by business units without the knowledge of the IT or Security departments, creating unassessed risks.
GRC Audit :
An evaluation focusing on the governance structure, risk management effectiveness, and compliance with regulatory frameworks (GDPR, NIS2, etc.).
Evidence Deposit :
The act of a third party providing supporting documents (certificates, test reports, security policies) to validate their claims during an audit process.
Penetration Test :
(See Pentest). A technical operation aimed at testing the resilience of a system by attempting to exploit its vulnerabilities in a controlled manner.
Self-Assessment Questionnaire :
A form completed by a vendor to self-evaluate their security maturity and the protective measures they claim to have in place.
Desk Audit :
A compliance check based on the rigorous examination of documents and evidence provided by the audited entity, without direct technical testing.
SOC 2 Type 2 :
An audit report certifying that a service organization manages customer data securely over a period of time, based on trust principles like security and confidentiality.
Risk Manager :
A professional responsible for identifying, analyzing, and prioritizing an organization's risks and defining strategies to reduce, transfer, or accept them.
Ebios RM :
A risk analysis methodology developed by the ANSSI in France, used to build attack scenarios and define security measures based on business stakes.
FAIR Model :
Factor Analysis of Information Risk. An international framework for the quantitative analysis of cyber risk, assigning financial values to potential losses.
SIG :
Standard Information Gathering. A globally recognized, standardized security questionnaire used to assess third-party risks in a uniform manner.