Compliance Glossary
Key terms from ISO 27001, SOC 2, GDPR, and information security — explained in plain language.
A
Acceptable Use Policy
A document that defines the rules and guidelines for how employees and other authorized users may use the organization's information assets, systems, networks, and data, including permitted activities, prohibited behaviors, and consequences for violations.
Access Control
The set of policies, procedures, and technical mechanisms that govern who can access which information assets, systems, and resources. Access control ensures that only authorized individuals can view, modify, or interact with sensitive data and systems.
Annex A
The appendix to ISO 27001 that contains a reference set of 93 information security controls organized into four themes: Organizational, People, Physical, and Technological. Organizations use Annex A as a checklist to ensure their ISMS addresses all relevant control areas.
API Security
The practices and technologies used to protect Application Programming Interfaces (APIs) from malicious attacks, unauthorized access, and data exposure, encompassing authentication, authorization, rate limiting, input validation, and monitoring of API traffic.
Asset Management
The process of identifying, classifying, documenting, and managing the lifecycle of information assets — including hardware, software, data, and cloud services — to ensure they are appropriately protected according to their value and sensitivity.
Audit Evidence
The documented records, observations, test results, and other verifiable information collected during an audit to determine whether the organization's controls and processes conform to the specified requirements and are operating effectively.
Audit Trail
A chronological record of system activities that provides documentary evidence of the sequence of events — including who accessed what, when, and what actions were taken. Audit trails are essential for security monitoring, incident investigation, and compliance evidence.
B
Backup and Recovery
The processes and technologies for creating copies of data and system configurations at regular intervals and restoring them when needed due to data loss, corruption, accidental deletion, or disaster scenarios.
Business Continuity
The capability of an organization to continue delivering products and services at acceptable predefined levels following a disruptive incident. Business continuity planning covers the strategies, plans, and procedures needed to ensure operational resilience.
Business Continuity Plan
A comprehensive document that outlines the procedures and strategies an organization will follow to maintain or rapidly resume critical business functions during and after a significant disruption, covering people, processes, technology, and communication.
Business Impact Analysis
A systematic process for evaluating the potential effects of disruptions to critical business operations, identifying recovery priorities, and determining the resources needed to maintain or restore essential functions within acceptable timeframes.
C
Certification Body
An accredited third-party organization authorized to conduct audits and issue certifications confirming that an organization's management system conforms to a specific standard, such as ISO 27001. Certification bodies must be accredited by a national accreditation body to ensure their competence and impartiality.
Change Management
A structured process for evaluating, approving, implementing, and documenting changes to information systems, infrastructure, and processes in a controlled manner that minimizes the risk of unintended disruptions or security vulnerabilities.
Cloud Security
The comprehensive set of policies, controls, technologies, and practices designed to protect cloud-based infrastructure, applications, and data from threats, ensuring confidentiality, integrity, and availability in cloud computing environments.
Compliance Automation
The use of technology tools and platforms to automate the collection, management, and reporting of compliance evidence, control monitoring, policy management, and audit preparation, reducing manual effort and enabling continuous compliance assurance.
Compliance Gap Analysis
A structured assessment that compares an organization's current security posture and practices against the requirements of a specific compliance framework. Gap analysis identifies areas where the organization falls short and helps prioritize remediation efforts.
Consent Management
The processes, tools, and policies an organization uses to collect, record, manage, and honor individuals' consent for the processing of their personal data, ensuring compliance with requirements for freely given, specific, informed, and unambiguous consent.
Container Security
The practices and tools used to protect containerized applications throughout their lifecycle, from securing container images and registries to runtime protection, orchestration security (e.g., Kubernetes), and network policies within container environments.
Continuous Monitoring
An ongoing, automated process of observing and evaluating the security posture, compliance status, and operational health of an organization's systems and controls in real time or near-real time, enabling rapid detection of deviations, vulnerabilities, and threats.
Control Objective
A statement describing what a specific security control is intended to achieve. Control objectives define the desired outcome — such as preventing unauthorized access or ensuring data integrity — while allowing organizations flexibility in how they implement the control to meet that objective.
Corrective Action
A documented action taken to eliminate the root cause of a detected nonconformity or other undesirable situation, preventing its recurrence. Corrective actions go beyond simply fixing the immediate problem to address the underlying systemic issue.
Cross-Border Data Transfer
The transmission or making available of personal data from one jurisdiction to another, which under GDPR and similar regulations requires specific legal mechanisms to ensure adequate data protection standards are maintained when data leaves the originating country or region.
Cryptographic Controls
The policies, procedures, and technical mechanisms governing the use of cryptography to protect the confidentiality, integrity, and authenticity of information, including encryption algorithms, key management, digital signatures, and certificate management.
D
Data Breach Notification
The legal obligation to report personal data breaches to supervisory authorities and, in cases of high risk, to affected individuals within mandated timeframes. GDPR requires notification to authorities within 72 hours of becoming aware of a qualifying breach.
Data Controller
Under GDPR, the entity that determines the purposes and means of processing personal data. The data controller decides why personal data is collected and how it will be used, and bears primary responsibility for compliance with data protection obligations.
Data Loss Prevention
A set of strategies, tools, and processes designed to detect and prevent the unauthorized transmission, exfiltration, or leakage of sensitive data outside an organization's controlled environment.
Data Minimization
The principle that organizations should collect, process, and retain only the minimum amount of personal data necessary to fulfill a specific, stated purpose. Data minimization limits exposure risk by ensuring unnecessary data is never gathered in the first place.
Data Portability
The right of data subjects under GDPR (Article 20) to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
Data Processor
Under GDPR, an entity that processes personal data on behalf of a data controller. The processor acts on the controller's instructions and must not process data for its own purposes. A Data Processing Agreement (DPA) governs the relationship between controller and processor.
Data Protection Impact Assessment
A structured process required by GDPR for assessing the potential impact of a data processing activity on individuals' privacy. DPIAs are mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Officer
A designated role within an organization responsible for overseeing data protection strategy and compliance with GDPR. Appointment of a DPO is mandatory for public authorities, organizations conducting large-scale systematic monitoring, and those processing special category data at scale.
Disaster Recovery
The strategies, plans, and procedures for restoring IT infrastructure, systems, and data following a catastrophic disruption such as a natural disaster, cyberattack, hardware failure, or other event that renders primary systems unavailable.
E
Encryption
The process of converting data into an encoded format that can only be read by authorized parties who possess the correct decryption key. Encryption protects data confidentiality both at rest (stored data) and in transit (data being transmitted over networks).
Endpoint Protection
Security solutions and practices designed to protect end-user devices such as laptops, desktops, mobile phones, and servers from cyber threats including malware, ransomware, and unauthorized access.
External Audit
An independent assessment conducted by a third-party auditor or certification body to evaluate an organization's compliance with a specific standard or framework, such as ISO 27001 certification audits or SOC 2 examinations.
I
Identity and Access Management
The framework of policies, processes, and technologies that manages digital identities and controls user access to critical systems and data. IAM encompasses identity lifecycle management, authentication, authorization, single sign-on, directory services, and privileged access management.
Incident Response
The organized approach to detecting, containing, investigating, and recovering from security incidents. An incident response plan defines roles, procedures, and communication protocols to minimize the impact of security breaches and other adverse events.
Incident Response Plan
A documented, structured set of procedures that defines how an organization will detect, respond to, contain, eradicate, and recover from security incidents, including roles and responsibilities, communication protocols, escalation procedures, and post-incident review processes.
Information Security Management System
A systematic framework of policies, processes, and controls that an organization establishes to manage and protect its information assets. An ISMS addresses people, processes, and technology to ensure the confidentiality, integrity, and availability of information.
Information Security Policy
A high-level document approved by top management that establishes the organization's overall direction and principles for information security, defines the scope of the ISMS, demonstrates management commitment, and sets the framework for establishing security objectives and controls.
Internal Audit
A systematic, independent evaluation conducted by an organization's own personnel or contracted auditors to assess the effectiveness of its management system, controls, and processes against defined criteria such as ISO 27001 requirements or internal policies.
Intrusion Detection System
A security technology that monitors network traffic or system activities for malicious behavior, policy violations, or suspicious patterns, and generates alerts when potential threats are detected.
M
Management Review
A formal, periodic evaluation by top management of the organization's information security management system to ensure its continuing suitability, adequacy, effectiveness, and alignment with strategic direction. Required by ISO 27001 Clause 9.3.
Multi-Factor Authentication
A security mechanism that requires users to provide two or more independent verification factors before granting access to a system or resource. Factors typically include something you know (password), something you have (token or device), and something you are (biometric).
N
Network Segmentation
The practice of dividing a computer network into smaller, isolated segments or subnets to limit lateral movement, contain security breaches, and enforce granular access policies between network zones.
Nonconformity
A failure to fulfill a requirement of a standard, policy, procedure, regulation, or contractual obligation. In the context of management systems like ISO 27001, nonconformities are categorized as major (systemic failure or significant gap) or minor (isolated or partial failure).
P
Patch Management
The systematic process of identifying, evaluating, testing, and deploying software updates (patches) to fix security vulnerabilities, address bugs, and maintain the integrity of systems and applications across the organization's infrastructure.
Penetration Testing
A simulated cyberattack performed by security professionals to identify vulnerabilities in an organization's systems, networks, and applications. Penetration tests go beyond automated scanning by using the techniques and methodologies that real attackers employ.
Privacy by Design
An approach to system engineering and business practices that embeds privacy protections into the design and architecture of IT systems, processes, and products from the outset, rather than adding them as an afterthought.
Purpose Limitation
The principle that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those original purposes.
R
Residual Risk
The level of risk that remains after security controls and risk treatment measures have been applied. Residual risk must be formally evaluated and accepted by management to ensure it falls within the organization's defined risk appetite.
Right to Erasure
A data subject's right under GDPR (Article 17) to request the deletion of their personal data when it is no longer necessary, when consent is withdrawn, or when the data was unlawfully processed. Also commonly known as the 'right to be forgotten.'
Risk Appetite
The level and type of risk an organization is willing to accept in pursuit of its objectives. Risk appetite defines the boundaries within which the organization operates and guides decision-making about which risks to accept, mitigate, transfer, or avoid.
Risk Assessment
A structured process for identifying, analyzing, and evaluating information security risks. Risk assessments determine the likelihood and potential impact of threats to an organization's information assets, guiding decisions about which controls to implement.
Risk Register
A structured document or database that records all identified risks, their assessment details (likelihood, impact, rating), assigned risk owners, selected treatment options, current control status, and residual risk levels. It serves as the central repository for an organization's risk management activities.
Risk Treatment
The process of selecting and implementing measures to modify identified risks. The four primary risk treatment options are risk mitigation (applying controls to reduce risk), risk acceptance (acknowledging and tolerating the risk), risk transfer (sharing risk with a third party such as an insurer), and risk avoidance (eliminating the risk by ceasing the activity).
Role-Based Access Control
An authorization model that assigns permissions to users based on their organizational roles rather than individual identities. RBAC simplifies access management by grouping permissions into roles such as administrator, editor, or viewer, and assigning users to the appropriate roles.
Root Cause Analysis
A systematic investigation methodology used to identify the fundamental underlying cause of a security incident, system failure, or nonconformity, going beyond surface-level symptoms to determine why the event occurred and how to prevent its recurrence.
S
Secure Software Development
A methodology that integrates security practices throughout the entire software development lifecycle (SDLC), from requirements and design through coding, testing, deployment, and maintenance, ensuring that security is built into applications rather than added afterward.
Security Awareness Training
A structured program designed to educate employees and other authorized users about information security threats, policies, and best practices, equipping them to recognize and respond appropriately to security risks in their daily work.
Security Information and Event Management
A technology platform that aggregates, correlates, and analyzes security log data from across an organization's infrastructure to detect threats, support incident investigation, and meet compliance requirements for centralized security monitoring.
Segregation of Duties
A governance control that divides critical functions and responsibilities among different individuals to prevent any single person from having the ability to authorize, execute, and conceal errors or fraud. Also known as separation of duties (SoD).
Service Level Agreement
A formal contract between a service provider and a customer that defines the expected level of service, including measurable metrics such as uptime guarantees, response times, support availability, and the remedies or penalties for failing to meet these commitments.
SOC 2 Type 1
A SOC 2 audit report that evaluates whether an organization's security controls are suitably designed at a specific point in time. Type 1 provides a snapshot of control design without testing whether controls operate effectively over a period.
SOC 2 Type 2
A SOC 2 audit report that evaluates whether an organization's security controls are both suitably designed and operating effectively over a defined observation period, typically 3 to 12 months. Type 2 is the gold standard for third-party assurance in the US market.
Statement of Applicability
A key ISO 27001 document that lists all 93 Annex A controls and states whether each is applicable to the organization, along with justification for inclusion or exclusion and a description of how applicable controls are implemented.
Supply Chain Risk
The potential for security breaches, service disruptions, or compliance failures arising from an organization's dependence on third-party suppliers, vendors, service providers, and their sub-contractors throughout the technology and business supply chain.
Surveillance Audit
A periodic audit conducted by a certification body between initial certification and recertification to verify that an organization continues to maintain and improve its management system in conformity with the standard. Surveillance audits typically occur annually during the three-year certification cycle.
T
Third-Party Assurance
The independent validation of a service provider's security controls, processes, and compliance posture through recognized frameworks such as SOC 2 reports, ISO 27001 certification, or other standardized assessments that customers can rely upon to evaluate the provider's trustworthiness.
Threat Modeling
A structured approach to identifying, categorizing, and prioritizing potential security threats to a system or application by systematically analyzing its architecture, data flows, and trust boundaries to determine where vulnerabilities might be exploited.
Trust Services Criteria
The five principles defined by the AICPA that form the basis for SOC 2 audits: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Organizations select which criteria to include in their SOC 2 scope based on their services and customer requirements.
V
Vendor Risk Management
A systematic program for evaluating, monitoring, and mitigating the security and compliance risks introduced by third-party vendors, suppliers, and service providers throughout the entire vendor relationship lifecycle.
Vulnerability Assessment
A systematic process of identifying, quantifying, and prioritizing security vulnerabilities in systems, networks, and applications. Unlike penetration testing, vulnerability assessments focus on discovering weaknesses rather than exploiting them.