Technology Services Glossary: Key Terms and Definitions

The language of IT consulting and technology services carries precise meanings that differ significantly from casual or marketing usage. This glossary defines the core terms professionals encounter across IT consulting engagements, managed services agreements, and infrastructure projects. Understanding these definitions supports clearer vendor evaluation, contract negotiation, and governance decisions across organizations of all sizes.


Definition and scope

A technology services glossary is a structured reference vocabulary covering the terms, acronyms, frameworks, and role designations used within the IT consulting and managed services industry. The scope spans procurement language, delivery model classifications, regulatory compliance terminology, and technical infrastructure concepts.

The National Institute of Standards and Technology (NIST) maintains the Computer Security Resource Center Glossary (NIST IR 7298), which defines foundational terms in information security and technology management. Industry bodies including ISACA, Axelos (publisher of the IT Infrastructure Library (ITIL) framework), and the Project Management Institute (PMI) each publish terminology standards that shape how practitioners describe service delivery, risk, and governance.

The glossary below covers 4 primary term categories: delivery model terms, contract and engagement terms, infrastructure and architecture terms, and compliance and risk terms. Each category carries distinct definitional boundaries; a term that has one meaning in a contract context may carry a different technical meaning in an infrastructure context.


How it works

Standardized glossaries function as shared reference layers between clients, vendors, and regulators. When two parties in a service agreement use the same word with different definitions, disputes, missed service levels, and compliance gaps follow. Glossaries resolve ambiguity by anchoring every term to a specific, verifiable source or industry consensus definition.

The mechanism for using a glossary in a technology services context follows a structured process:

  1. Identify the governing framework. Determine whether the term originates in a regulatory body (e.g., HIPAA, defined at 45 CFR Part 164), a standards body (NIST, ISO), or a commercial framework (ITIL, COBIT 2019 published by ISACA).
  2. Establish the operative definition. Use the definition from the highest-authority source applicable to the engagement — regulatory definitions override framework definitions, which override vendor-defined terms.
  3. Document scope boundaries. Record which definition applies within a specific contract or statement of work, because the same term (e.g., "incident") carries different meanings under ITIL versus NIST SP 800-61.
  4. Apply consistently across deliverables. Service level agreements, project charters, and compliance reports should reference the same term set to prevent drift.

For IT compliance and risk management engagements specifically, terminological precision is a regulatory requirement, not merely a best practice.


Common scenarios

Managed Services vs. IT Consulting
The distinction between a managed service provider (MSP) and an IT consultant is definitional, not qualitative. An MSP assumes ongoing operational responsibility for a defined technology environment under a subscription model, typically measured by uptime SLAs and mean time to repair (MTTR). An IT consultant provides advisory or project-based expertise without taking operational ownership. The IT consulting vs. managed services distinction shapes billing structure, liability exposure, and contract duration.

SLA vs. OLA vs. UC
Three agreement types operate in layered service delivery:
- A Service Level Agreement (SLA) governs the relationship between a provider and an external client.
- An Operational Level Agreement (OLA) governs internal teams within a provider organization supporting an SLA.
- An Underpinning Contract (UC) governs a third-party vendor whose services underpin the SLA.

ITIL 4, published by Axelos, defines all three in its Service Management practice guides.

RTO vs. RPO
Recovery Time Objective (RTO) is the maximum tolerable downtime before business impact becomes unacceptable. Recovery Point Objective (RPO) is the maximum data age at the point of recovery — the acceptable data loss window. Both are defined in NIST SP 800-34 Rev. 1 (Contingency Planning Guide for Federal Information Systems). These terms are central to disaster recovery and business continuity consulting engagements.

CapEx vs. OpEx in Technology Procurement
Capital expenditure (CapEx) covers purchases of long-lived assets; operating expenditure (OpEx) covers recurring service costs. Cloud migration strategies, as explored in cloud consulting services, often shift technology spending from CapEx to OpEx, which carries direct implications under GAAP accounting standards governed by the Financial Accounting Standards Board (FASB).


Decision boundaries

Choosing which definition of a term governs a specific engagement depends on 3 hierarchical factors:

Regulatory jurisdiction takes precedence. If a term appears in a statute or regulation (e.g., "protected health information" under HIPAA at 45 CFR §160.103), that statutory definition controls regardless of how a vendor or framework defines the same term.

Framework authority applies in the absence of regulation. NIST, ISO/IEC, and ISACA definitions carry recognized authority in the absence of a controlling statute. COBIT 2019, for example, defines "IT governance" with explicit scope boundaries distinguishing governance from management — a distinction that matters in virtual CIO services and board-level reporting.

Contract-level definitions are binding within the engagement. Parties to a services agreement may define terms differently from both regulatory and framework standards, provided no regulatory obligation is violated. A contract glossary appended to a master services agreement overrides informal usage within that engagement's scope.

The critical boundary to maintain: descriptive terms (e.g., "cloud-native") carry no fixed legal meaning and are governed only by contract, while regulatory terms (e.g., "covered entity," "critical infrastructure") carry statutory definitions that cannot be overridden by private agreement.

