Compliance Glossary
Plain-English definitions for compliance, audit, and security terminology.
41 terms
A
- Access Control (Definition, Types, and Compliance Requirements): Security measures that regulate who can view, use, or modify information assets and systems based on defined policies and authorization levels.
- Audit Readiness (Definition, Checklist, and Preparation Guide): The state of preparedness an organization achieves when its controls, documentation, and evidence are sufficient to successfully pass a compliance audit.
- Audit Trail (Definition, Importance, and Requirements): A chronological record of system activities and user actions that provides documentary evidence of the sequence of events for security and compliance purposes.
C
- Change Management (Definition and Compliance Requirements): A structured process for requesting, reviewing, approving, and implementing changes to information systems while minimizing risk and disruption.
- Compliance Automation (Definition, Tools, and Benefits): The use of software platforms to automate evidence collection, control monitoring, and compliance management tasks that were traditionally performed manually.
- Compliance Framework (Definition, Types, and Examples): A structured set of guidelines, controls, and best practices that organizations follow to meet regulatory, legal, or industry security requirements.
- Continuous Monitoring (Definition and Implementation Guide): The ongoing, automated observation of an organization's security controls, configurations, and compliance status to detect issues in real time.
- Control Objective (Definition, Examples, and Frameworks): A statement describing what a specific security control is intended to achieve, serving as the measurable goal against which control effectiveness is evaluated.
- Control Testing (Definition, Methods, and Audit Requirements): The process of evaluating whether security controls are designed appropriately and operating effectively to achieve their stated objectives.
D
- Data Breach (Definition, Response, and Compliance Requirements): A security incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorized party.
- Data Classification (Definition, Levels, and Best Practices): The process of categorizing data based on its sensitivity level to determine the appropriate security controls and handling procedures.
- Data Controller (Definition, Obligations, and Compliance): An entity that determines the purposes and means of processing personal data, bearing primary responsibility for data protection compliance.
- Data Processor (Definition, Responsibilities, and Compliance): An entity that processes personal data on behalf of a data controller, following the controller's instructions and subject to contractual obligations.
- Data Residency (Definition, Requirements, and Compliance): The requirement that data be stored and processed within specific geographic boundaries, typically driven by regulatory, contractual, or sovereignty obligations.
E
- Encryption (Definition, Types, and Compliance Requirements): The process of converting readable data into an encoded format that can only be accessed by authorized parties with the correct decryption key.
- Evidence Collection (Definition and Audit Preparation Guide): The systematic process of gathering, organizing, and preserving documentation that demonstrates compliance controls are designed and operating effectively.
G
- Gap Analysis (Definition, Process, and Compliance Use Cases): A systematic comparison of an organization's current security posture against the requirements of a target compliance framework to identify deficiencies.
- GRC Platform (Definition, Features, and Selection Guide): An integrated software platform that helps organizations manage governance, risk management, and compliance activities in a unified system.
I
- Incident Response (Definition, Plan, and Framework Requirements): The organized approach to detecting, containing, eradicating, and recovering from security incidents while minimizing damage and preserving evidence.
- Information Security Management System (ISMS) (Definition and Guide): A systematic framework of policies, processes, and controls that an organization uses to manage and protect its information assets.
- Internal Audit (Definition, Process, and Compliance Role): An independent, systematic evaluation of an organization's own controls, processes, and compliance posture conducted by internal personnel or contracted assessors.
P
- Penetration Testing (Definition, Types, and Compliance Requirements): A simulated cyberattack against an organization's systems, networks, or applications to identify exploitable vulnerabilities before real attackers do.
- Policy Management (Definition, Process, and Best Practices): The lifecycle process of creating, approving, distributing, reviewing, and updating organizational security and compliance policies.
- Privacy Impact Assessment (PIA) (Definition and Guide): A systematic evaluation of how a project, system, or process collects, uses, and protects personal data to identify and mitigate privacy risks.
R
- Regulatory Compliance (Definition, Requirements, and Guide): The process of adhering to laws, regulations, and government requirements that apply to an organization based on its industry, geography, and activities.
- Remediation (Definition, Process, and Compliance Context): The process of addressing identified security vulnerabilities, audit findings, or compliance gaps by implementing corrective actions within a defined timeline.
- Risk Assessment (Definition, Process, and Frameworks): A systematic process of identifying, analyzing, and evaluating information security risks to determine their likelihood and potential impact on an organization.
- Risk Register (Definition, Examples, and Templates): A structured document or database that records identified information security risks, their likelihood, impact, current controls, and treatment plans.
- Risk Treatment (Definition, Options, and Best Practices): The process of selecting and implementing measures to modify identified information security risks, including mitigation, transfer, acceptance, or avoidance.
S
- Scope Statement (Definition and Compliance Guide): A formal document that defines the boundaries of an audit, certification, or compliance engagement, specifying what systems, processes, and locations are included.
- Security Awareness Training (Definition and Compliance Guide): A formal program that educates employees about information security threats, policies, and best practices to reduce human-related security risks.
- Segregation of Duties (SoD) (Definition and Implementation): A security principle that divides critical functions among different people to prevent any single individual from having excessive control over a process.
- Service Level Agreement (SLA) (Definition and Compliance Role): A formal contract between a service provider and customer that defines measurable performance standards, availability targets, and remedies for non-compliance.
- SOC Report (Definition, Types, and Guide): An independent audit report issued by a CPA firm that evaluates a service organization's controls relevant to security, availability, and other trust criteria.
- Statement of Applicability (SoA) (Definition and Guide): A required ISO 27001 document that lists all Annex A controls, states whether each is applicable, and justifies any exclusions.
T
- Third-Party Risk (Definition, Management, and Compliance): The potential threats and vulnerabilities introduced to an organization through its relationships with external vendors, suppliers, and service providers.
- Threat Modeling (Definition, Methodologies, and Guide): A structured process for identifying potential threats to a system, analyzing attack vectors, and prioritizing security controls based on the threat landscape.
- Trust Service Criteria (TSC) (Definition and SOC 2 Guide): The five categories — Security, Availability, Processing Integrity, Confidentiality, and Privacy — that define the scope and requirements of a SOC 2 audit.