Glossary of Terms
This glossary defines terms as they are used within Thinkwerke documentation. Where industry-standard definitions exist, they are respected; where ambiguity commonly exists in regulated environments, additional clarification is provided.
The goal is shared understanding across engineering, security, compliance, and audit stakeholders.
Audit-ready evidence
Documented, reproducible proof that demonstrates a control is implemented, operating, and effective. Evidence is generated through systems, workflows, and logs — not created ad hoc for audits.
CI/CD (Continuous Integration / Continuous Delivery)
Automated pipelines that build, test, validate, and deploy software. In this documentation, CI/CD pipelines are treated as control execution points and evidence generators.
CNAPP (Cloud-Native Application Protection Platform)
An integrated approach combining CSPM, workload protection, identity visibility, and runtime security for cloud-native environments, including Kubernetes.
Compliance mapping
The structured translation of regulatory, standard, or contractual requirements into technical controls, implementations, and evidence artifacts.
Control
A technical, procedural, or organisational mechanism designed to mitigate risk or satisfy a regulatory or security requirement.
Control-to-proof
A traceable relationship between a defined control, its implementation, and the evidence that proves it is operating as intended.
CSPM (Cloud Security Posture Management)
Continuous assessment of cloud configurations against security baselines, regulatory requirements, and organisational policies.
Evidence by design
An approach where systems and processes are designed to produce evidence continuously, rather than generating documentation manually for audits.
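As an added illustration of the three related terms above (audit-ready evidence, CI/CD pipelines as evidence generators, and control-to-proof), the following Python shows what a pipeline step that both executes a control and emits its evidence record can look like. This is example code written for this glossary, not code from the Thinkwerke documentation or any product. The control ID SC-01, the check name, the pipeline reference ci-run-1234 and the sample requirements file (with truncated hash values) are all constructed assumptions for the example.

```python
"""Added example: a CI step that executes one supply-chain control and
emits a control-to-proof evidence record, with an integrity digest so the
record can later be verified rather than re-created for an audit."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample input: a pinned requirements file in which one
# dependency lacks a hash pin. Hash values are deliberately truncated.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:aaaa...
urllib3==2.2.2 --hash=sha256:bbbb...
certifi==2024.7.4
"""


def check_pinned_with_hashes(requirements_text):
    """Control check: every non-comment line pins an exact version (==)
    and carries a --hash= value. Returns the offending lines."""
    failures = []
    for raw in requirements_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "==" not in line or "--hash=" not in line:
            failures.append(line)
    return failures


def canonical_digest(payload):
    """SHA-256 over a canonical JSON encoding, so the digest is stable
    regardless of key order or whitespace."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_evidence(control_id, check_name, input_text, failures,
                   executed_at, pipeline_ref):
    """Assemble the evidence record: which control, which check, when,
    from which pipeline run, over which exact input, with what result."""
    record = {
        "control_id": control_id,          # hypothetical control identifier
        "check": check_name,
        "executed_at": executed_at.isoformat(),
        "pipeline_ref": pipeline_ref,      # hypothetical CI run reference
        "input_sha256": hashlib.sha256(input_text.encode()).hexdigest(),
        "result": "pass" if not failures else "fail",
        "failures": failures,
    }
    # Digest of the record itself; tampering with any field breaks it.
    record["evidence_sha256"] = canonical_digest(record)
    return record


def verify_evidence(record):
    """Recompute the record digest and compare it with the stored one."""
    body = {k: v for k, v in record.items() if k != "evidence_sha256"}
    return canonical_digest(body) == record.get("evidence_sha256")


def run_pipeline_step(requirements_text=SAMPLE_REQUIREMENTS, executed_at=None):
    """The pipeline step: run the check, then produce the evidence record."""
    executed_at = executed_at or datetime.now(timezone.utc)
    failures = check_pinned_with_hashes(requirements_text)
    return build_evidence("SC-01", "dependencies-pinned-with-hashes",
                          requirements_text, failures, executed_at,
                          "ci-run-1234")


if __name__ == "__main__":
    rec = run_pipeline_step()
    print(json.dumps(rec, indent=2))
    # Fail the job when the control fails, so the pipeline is the
    # control execution point as well as the evidence generator.
    raise SystemExit(0 if rec["result"] == "pass" else 1)
```

In a real pipeline the record would be written to an evidence store alongside the job logs; the point of the input digest and the record digest is that an auditor can tie the stored record to the exact input that was checked and detect any later edits, without anyone re-running or re-writing the evidence at audit time.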
Operating model
The defined ownership, workflows, escalation paths, and reporting structures that ensure security controls function consistently across teams and systems.
SIEM (Security Information and Event Management)
A system for collecting, correlating, and analysing security-relevant logs and events to support detection, investigation, and compliance reporting.
SSLM (Secure Software Lifecycle Management)
An approach to embedding security controls across the full software lifecycle, including design, development, testing, deployment, and operation.
Supply-chain security
Controls and processes that manage risk introduced through third-party software, open-source dependencies, build systems, and delivery pipelines.
Tender evidence
Pre-packaged, reusable evidence artifacts used to respond consistently and accurately to security and compliance sections of procurement processes.
Vendor-hosted environment
Infrastructure or platforms operated by third-party providers (e.g. cloud or SaaS vendors) under a shared responsibility model: the provider secures the underlying platform, while the customer retains defined security responsibilities (typically identity and access, data, and configuration) that must still be controlled and evidenced.
Vulnerability lifecycle
The end-to-end process for identifying, prioritising, remediating, tracking, and evidencing vulnerabilities, including ownership and SLAs.