Glossary

Every term MAST uses in plain English and auditor language, with links back to where each one appears. Toggle the mode on the right to switch which name leads.

After controls
Risk
Also known as Residual risk

In plain English

How bad a risk still is once your current controls are working.

Auditor definition

Likelihood × impact after mitigating controls; the value the risk owner accepts, transfers, mitigates further, or avoids.

Before controls
Risk
Also known as Inherent risk

In plain English

How bad a risk would be if you had no controls in place at all.

Auditor definition

The likelihood × impact score of a risk assuming no mitigating controls are operating.

Done
Tasks
Also known as Completed

In plain English

Finished — with evidence linked where relevant.

Auditor definition

Task closed; contributes to stage completion % and audit-window evidence.

Where it appears

How well it works
Gap assessment
Also known as Maturity level

In plain English

A 0–5 score of how consistent and repeatable a control is — 0 means we don't do it, 5 means we measure and improve it.

Auditor definition

Capability maturity score (0=None, 1=Initial, 2=Managed, 3=Defined, 4=Quantitatively managed, 5=Optimising) applied per control.

Importance
Tasks
Also known as Priority

In plain English

How urgent it is — Nice to have, Should do, Important, Urgent.

Auditor definition

Priority classification (Low / Medium / High / Critical) used for filtering and SLA reporting.

Where it appears

Issue found
Evidence
Also known as Nonconformity

In plain English

Something an auditor spots that doesn't meet the standard, big or small.

Auditor definition

Non-fulfilment of a requirement (ISO 9000 §3.6.9). Recorded as major or minor and driving a CAPA.

Missing piece
Gap assessment
Also known as Gap

In plain English

A requirement of the standard you don't fully meet yet, and what you'll do to close it.

Auditor definition

A delta between the requirement and current state, tracked with owner, target date and evidence link on the gap register.

Must do
Tasks
Also known as Required

In plain English

You can't skip this one — it's needed for the standard.

Auditor definition

Activity flagged as required by the standard; missing = automatic nonconformity.

Where it appears

Needs check
Tasks
Also known as Review

In plain English

The work is done but someone needs to check it before we call it finished.

Auditor definition

Awaiting reviewer sign-off before transition to Completed.

Where it appears

Owner map
Roles
Also known as RACI Matrix

In plain English

A table that says, for each task, who does the work, who owns the outcome, who to consult, and who to keep informed.

Auditor definition

A Responsible / Accountable / Consulted / Informed matrix evidencing ISO Clause 5.3 assignment of roles, responsibilities and authorities.

Where it appears

People involved
Planning
Also known as Stakeholder

In plain English

Anyone affected by, or needed for, your compliance programme — customers, staff, suppliers, regulators.

Auditor definition

An 'interested party' under ISO 27001 Clause 4.2 / ISO 9001 Clause 4.2 whose needs and expectations the management system must consider.

Plan of action
Risk
Also known as Risk treatment

In plain English

What you'll do about a risk: accept it, reduce it, hand it to someone else, or avoid it.

Auditor definition

One of Accept / Mitigate / Transfer / Avoid, per ISO 31000 §6.5 risk-treatment options.

Project charter
Planning
Also known as Project charter

In plain English

The one-page contract for your compliance programme: sponsor, scope, budget, target date, success criteria.

Auditor definition

Foundational document evidencing top-management commitment (Clause 5.1) and defining the scope of the management system (Clause 4.3).

Proof
Evidence
Also known as Evidence

In plain English

Something an auditor can look at that shows a control is really running — a screenshot, log, signed record.

Auditor definition

Documented information (Clause 7.5) generated by an operating control, retained as objective evidence for audit sampling.

Where it appears

Risk heatmap
Risk
Also known as 5×5 risk heatmap

In plain English

A grid that plots each risk by how likely and how bad it is, so red risks jump out.

Auditor definition

5×5 likelihood × impact matrix used in management review and Stage 2 audit evidence packs.

Where it appears

Safeguard
Implementation
Also known as Control

In plain English

Something you put in place — a rule, a tool, a process — to reduce a risk.

Auditor definition

A measure that modifies risk (ISO 27000 §3.14), typically drawn from Annex A / a chosen control catalogue.

Where it appears

Starter checklist
Gap assessment
Also known as Gap template

In plain English

A ready-made list of questions to start your assessment from instead of a blank page.

Auditor definition

Reusable question set (clause / control / category / weight) applied to seed a new gap assessment.

Step
Implementation
Also known as Implementation action

In plain English

One concrete thing to do to move a control from paper into practice (roll out the policy, run the training, do the review).

Auditor definition

A trackable unit of work whose completion feeds Stage 4 evaluation and generates operating evidence.

Stuck
Tasks
Also known as Blocked

In plain English

Waiting on something or someone else before it can move.

Auditor definition

Task blocked pending a dependency; surfaces in the overdue / blocked KPIs.

Where it appears

Task
Tasks
Also known as Activity

In plain English

One item of work to do.

Auditor definition

A tracked activity in the stage task register, with owner, status, priority and due date.

Where it appears

To do
Tasks
Also known as Not Started

In plain English

Nobody has picked it up yet.

Auditor definition

Task in the 'Not Started' state; excluded from in-flight metrics.

Where it appears

Where we stand
Gap assessment
Also known as Compliance status

In plain English

For one requirement: are we fully doing it, partly, not at all, or does it not apply?

Auditor definition

Compliance verdict per requirement — one of Compliant, Partially compliant, Non-compliant, Not applicable, Not assessed.

Working on it
Tasks
Also known as In Progress

In plain English

Someone is actively working on it right now.

Auditor definition

Task in the 'In Progress' state; counted toward in-flight WIP.

Where it appears