Compliance Glossary
Key terms from ISO 27001, SOC 2, GDPR, and information security - explained in plain language.
A
Annex A
The appendix to ISO 27001 that contains a reference set of 93 information security controls organized into four themes: Organizational, People, Physical, and Technological. Organizations use Annex A as a checklist to ensure their ISMS addresses all relevant control areas.
Audit Evidence
The documented records, observations, test results, and other verifiable information collected during an audit to determine whether the organization's controls and processes conform to the specified requirements and are operating effectively.
Audit Trail
A chronological record of system activities that provides documentary evidence of the sequence of events - including who accessed what, when, and what actions were taken. Audit trails are essential for security monitoring, incident investigation, and compliance evidence.
C
Certification Body
An accredited third-party organization authorized to conduct audits and issue certifications confirming that an organization's management system conforms to a specific standard, such as ISO 27001. Certification bodies must be accredited by a national accreditation body to ensure their competence and impartiality.
Compliance Automation
The use of technology tools and platforms to automate the collection, management, and reporting of compliance evidence, control monitoring, policy management, and audit preparation, reducing manual effort and enabling continuous compliance assurance.
Compliance Gap Analysis
A structured assessment that compares an organization's current security posture and practices against the requirements of a specific compliance framework. Gap analysis identifies areas where the organization falls short and helps prioritize remediation efforts.
Consent Management
The processes, tools, and policies an organization uses to collect, record, manage, and honor individuals' consent for the processing of their personal data, ensuring compliance with requirements for freely given, specific, informed, and unambiguous consent.
Control Objective
A statement describing what a specific security control is intended to achieve. Control objectives define the desired outcome - such as preventing unauthorized access or ensuring data integrity - while allowing organizations flexibility in how they implement the control to meet that objective.
Corrective Action
A documented action taken to eliminate the root cause of a detected nonconformity or other undesirable situation, preventing its recurrence. Corrective actions go beyond simply fixing the immediate problem to address the underlying systemic issue.
Cross-Border Data Transfer
The transmission or making available of personal data from one jurisdiction to another, which under GDPR and similar regulations requires specific legal mechanisms to ensure adequate data protection standards are maintained when data leaves the originating country or region.
Cryptographic Controls
The policies, procedures, and technical mechanisms governing the use of cryptography to protect the confidentiality, integrity, and authenticity of information, including encryption algorithms, key management, digital signatures, and certificate management.
D
Data Breach Notification
The legal obligation to report personal data breaches to supervisory authorities and, in cases of high risk, to affected individuals within mandated timeframes. GDPR requires notification to authorities within 72 hours of becoming aware of a qualifying breach.
Data Controller
Under GDPR, the entity that determines the purposes and means of processing personal data. The data controller decides why personal data is collected and how it will be used, and bears primary responsibility for compliance with data protection obligations.
Data Minimization
The principle that organizations should collect, process, and retain only the minimum amount of personal data necessary to fulfill a specific, stated purpose. Data minimization limits exposure risk by ensuring unnecessary data is never gathered in the first place.
Data Portability
The right of data subjects under GDPR (Article 20) to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
Data Processor
Under GDPR, an entity that processes personal data on behalf of a data controller. The processor acts on the controller's instructions and must not process data for its own purposes. A Data Processing Agreement (DPA) governs the relationship between controller and processor.
Data Protection Impact Assessment
A structured process required by GDPR for assessing the potential impact of a data processing activity on individuals' privacy. DPIAs are mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons.
Data Protection Officer
A designated role within an organization responsible for overseeing data protection strategy and compliance with GDPR. Appointment of a DPO is mandatory for public authorities, organizations conducting large-scale systematic monitoring, and those processing special category data at scale.
I
Information Security Management System
A systematic framework of policies, processes, and controls that an organization establishes to manage and protect its information assets. An ISMS addresses people, processes, and technology to ensure the confidentiality, integrity, and availability of information.
Information Security Policy
A high-level document approved by top management that establishes the organization's overall direction and principles for information security, defines the scope of the ISMS, demonstrates management commitment, and sets the framework for establishing security objectives and controls.
Internal Audit
A systematic, independent evaluation conducted by an organization's own personnel or contracted auditors to assess the effectiveness of its management system, controls, and processes against defined criteria such as ISO 27001 requirements or internal policies.
P
Privacy by Design
An approach to system engineering and business practices that embeds privacy protections into the design and architecture of IT systems, processes, and products from the outset, rather than adding them as an afterthought.
Purpose Limitation
The principle that personal data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those original purposes.
R
Residual Risk
The level of risk that remains after security controls and risk treatment measures have been applied. Residual risk must be formally evaluated and accepted by management to ensure it falls within the organization's defined risk appetite.
Right to Erasure
A data subject's right under GDPR (Article 17) to request the deletion of their personal data when it is no longer necessary, when consent is withdrawn, or when the data was unlawfully processed. Also commonly known as the 'right to be forgotten.'
Risk Appetite
The level and type of risk an organization is willing to accept in pursuit of its objectives. Risk appetite defines the boundaries within which the organization operates and guides decision-making about which risks to accept, mitigate, transfer, or avoid.
Risk Register
A structured document or database that records all identified risks, their assessment details (likelihood, impact, rating), assigned risk owners, selected treatment options, current control status, and residual risk levels. It serves as the central repository for an organization's risk management activities.
Risk Treatment
The process of selecting and implementing measures to modify identified risks. The four primary risk treatment options are risk mitigation (applying controls to reduce risk), risk acceptance (acknowledging and tolerating the risk), risk transfer (sharing risk with a third party such as an insurer), and risk avoidance (eliminating the risk by ceasing the activity).
S
Segregation of Duties
A governance control that divides critical functions and responsibilities among different individuals to prevent any single person from having the ability to authorize, execute, and conceal errors or fraud. Also known as separation of duties (SoD).
SOC 2 Type 1
A SOC 2 audit report that evaluates whether an organization's security controls are suitably designed at a specific point in time. Type 1 provides a snapshot of control design without testing whether controls operate effectively over a period.
SOC 2 Type 2
A SOC 2 audit report that evaluates whether an organization's security controls are both suitably designed and operating effectively over a defined observation period, typically 3 to 12 months. Type 2 is the gold standard for third-party assurance in the US market.
Statement of Applicability
A key ISO 27001 document that lists all 93 Annex A controls and states whether each is applicable to the organization, along with justification for inclusion or exclusion and a description of how applicable controls are implemented.
Supply Chain Risk
The potential for security breaches, service disruptions, or compliance failures arising from an organization's dependence on third-party suppliers, vendors, service providers, and their sub-contractors throughout the technology and business supply chain.
Surveillance Audit
A periodic audit conducted by a certification body between initial certification and recertification to verify that an organization continues to maintain and improve its management system in conformity with the standard. Surveillance audits typically occur annually during the three-year certification cycle.
T
Third-Party Assurance
The independent validation of a service provider's security controls, processes, and compliance posture through recognized frameworks such as SOC 2 reports, ISO 27001 certification, or other standardized assessments that customers can rely upon to evaluate the provider's trustworthiness.
Trust Services Criteria
The five principles defined by the AICPA that form the basis for SOC 2 audits: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Organizations select which criteria to include in their SOC 2 scope based on their services and customer requirements.