Use this glossary when governance, crypto, IAM, operations, and security-model terms start to blur together. Keep it beside the cheat sheet and resources rather than using it as a substitute for scenario practice.
| Term | Short meaning |
| --- | --- |
| CBK | Common Body of Knowledge, the eight-domain foundation of CISSP |
| BIA | Business impact analysis used to prioritize continuity and recovery needs |
| SLE | Single loss expectancy, the estimated loss from one occurrence |
| ALE | Annualized loss expectancy, expected annual loss derived from SLE and ARO (annualized rate of occurrence) |
| RTO | Recovery Time Objective, acceptable restoration time after a disruption |
| RPO | Recovery Point Objective, acceptable data-loss window after a disruption |
| Bell-LaPadula | Security model focused on confidentiality |
| Biba | Security model focused on integrity |
| Clark-Wilson | Integrity model focused on well-formed transactions and separation of duties |
| SoD | Separation of duties, splitting sensitive actions across roles |
| OCSP | Online Certificate Status Protocol used to check certificate revocation status |
| DLP | Data loss prevention controls for monitoring and protecting sensitive data |
| Zero trust | Security model based on explicit verification, least privilege, and assumed breach |
| Due care | Acting prudently to reduce foreseeable security risk |
| Due diligence | Investigating and validating that security responsibilities are being handled appropriately |
| Data owner | Business role responsible for classification and protection decisions about data |
| Custodian | Role responsible for implementing and operating data protection controls |
| ABAC | Attribute-based access control using contextual attributes rather than only static roles |

Commonly confused pairs
| Pair | Keep this distinction clear |
| --- | --- |
| ALE vs SLE | annualized expected loss versus one-event loss |
| RTO vs RPO | restore time target versus acceptable data-loss target |
| RBAC vs ABAC | role-based access versus attribute-driven contextual access |
| Bell-LaPadula vs Biba | confidentiality-focused model versus integrity-focused model |
| encryption vs hashing | reversible confidentiality control versus one-way integrity function |
| due care vs due diligence | taking prudent protective action versus verifying that security oversight is being performed |
| data owner vs custodian | business authority over the data versus operational responsibility for safeguards |
| policy vs standard | high-level direction versus more specific mandatory control requirement |
| guideline vs procedure | recommended practice versus exact step-by-step way to perform a task |

Fast boundary reminders
| If the term really points to… | Think of it as… |
| --- | --- |
| risk and financial reasoning | SLE, ALE, BIA |
| continuity and recovery | RTO, RPO |
| formal models and control logic | Bell-LaPadula, Biba, Clark-Wilson |
| ownership and accountability | data owner, custodian, due care, due diligence |
| identity and access decisions | RBAC, ABAC, least privilege, SoD |

If the confusion is really about…
| Topic family | Best page to revisit |
| --- | --- |
| high-yield contrasts and decision heuristics | Cheat Sheet |
| current ISC2 facts and primary frameworks | Resources |
| pacing and review order | Study Plan |
| overall exam framing | Guide root |