# Glossary

| Concept | Explanation |
| --- | --- |
| Domain | A division of your organisation within which objects are isolated and on which RBAC is enforced.<br>The names Demo and Starter are reserved for internal features. |
| Perimeter | A subdivision of a domain to which an organisation can link its audits, risk assessments, and other relevant objects. A perimeter does not enforce RBAC. |
| Role | A bundle of permissions. Four roles are built-in:<br>- <em>Domain Manager:</em> can set up and access everything in a domain<br>- <em>Analyst:</em> can input and read data, but cannot change the settings of a domain<br>- <em>Reader:</em> can only read the items of a domain<br>- <em>Approver:</em> can validate workflows on objects of a domain (e.g. Risk Acceptance) |
| User group | A combination of a role and a domain to which users are assigned.<br>User groups are created automatically on your behalf whenever you create a domain. |
| Reference Control | A template for a control that can be used as a reference and instantiated again whenever needed. |
| Applied Control | **The main component of the action plan.** The actual action that you have implemented or will implement. It can be technical, a process, a policy, documentation, etc. |
| Evidence | A document, screenshot, configuration sample, etc., that proves that an applied control has been properly implemented. |
| Task | The main component of the task management module. A task can be one-time or periodic, and it supports assignment. |
| Catalog objects | Reusable objects of CISO Assistant that are the building blocks of a library (frameworks, threats, matrices, etc.). |
| Library | Container object that holds one or more catalog objects for CISO Assistant (e.g. a framework, a matrix, etc.). |
| Framework | A set of requirements that covers the patterns and expectations needed to comply with a regulation, prepare for a certification, or establish a foundation. |
| Mapping | Based on the OLIR initiative; allows moving from a framework A to a framework B while reusing the previous assessment. |
| Entity | Scope of an external review, usually the vendor or third party. |
| Solution | Product or service provided by the entity. |
| Entity assessment | The actual review of the entity, which can trigger or be linked to an audit. |
| Representative | The person who needs to answer the questionnaire and requirements of the entity assessment. |
| URN | Uniform Resource Name, used as a unique identifier to link to multiple CISO Assistant catalog objects. |
