Core IT terminology, system components, data flow, and organizational roles.
This chapter establishes the vocabulary used throughout ISC. The goal is not to memorize isolated buzzwords, but to understand the terms well enough to follow control, governance, and assurance discussions accurately.
Terminology becomes exam-relevant when it changes who is responsible, where data moves, what risk exists, or which control would address the risk. Treat the terms as working language for systems and controls, not as a separate glossary exercise.

| Term category | Why it matters on ISC | Common ISC trap |
|---|---|---|
| System component | Identifies where processing, storage, transmission, or control occurs. | Treating all technology layers as if the same control applies everywhere. |
| Network or data flow term | Shows how information moves and where it can be intercepted, altered, delayed, or lost. | Ignoring the path data takes before it becomes evidence. |
| Role or responsibility | Determines ownership, authorization, segregation of duties, and accountability. | Describing a process without identifying who performs or approves it. |
| Control-related vocabulary | Connects the technology term to risk response. | Memorizing the term without explaining what risk it reduces. |

| Step | ISC question to ask | Why it matters |
|---|---|---|
| 1. Locate the term in the system | Does the term describe infrastructure, application logic, data, network movement, or a user role? | Controls differ depending on where the concept sits in the information system. |
| 2. Identify the risk connection | What could go wrong if the component, data flow, or role is weakly controlled? | Vocabulary becomes useful when it connects to completeness, accuracy, authorization, or availability. |
| 3. Match the control type | Is the likely response preventive, detective, corrective, administrative, technical, or physical? | A correct definition is not enough if the control response is mismatched. |
| 4. Assign responsibility | Who owns, administers, approves, monitors, or reviews the activity? | ISC questions often test accountability and segregation of duties through role language. |
| 5. Translate into evidence | What documentation, configuration, log, or report would support the conclusion? | Assurance work depends on turning technical terms into reviewable evidence. |

| Checkpoint | Ask before choosing an answer | ISC effect |
|---|---|---|
| System location | Does the term describe infrastructure, application logic, data, network flow, device, or user role? | Control relevance depends on where the term sits in the system. |
| Risk connection | What could go wrong with completeness, accuracy, authorization, confidentiality, integrity, or availability? | Vocabulary matters when it changes the risk being evaluated. |
| Responsibility owner | Who configures, approves, monitors, reviews, or is restricted by the role or component? | Role language often tests segregation and accountability. |
| Control type | Is the likely response preventive, detective, corrective, administrative, technical, or physical? | A definition is incomplete without a matched control response. |
| Evidence source | What configuration, log, ticket, policy, diagram, or report would support the conclusion? | ISC turns terminology into assurance evidence. |