Compliance Glossary

Welcome to our list of commonly used security and compliance terms.

  • AICPA

    AICPA stands for the American Institute of Certified Public Accountants, the body that created the Service Organization Controls (SOC) standard. It is the largest organization of accountants in the United States.
  • Annex A Controls

    Annex A is part of the ISO 27001 standard document.
  • Auditor

    An auditor is an accounting firm hired by a company to assess whether it meets a compliance standard such as SOC 2 or ISO 27001. Compliance standards require companies to implement a long list of security controls.
  • CCPA

    The California Consumer Privacy Act (CCPA) declares that companies must inform consumers about how their data is being used and empowers consumers to decide how or if their data is shared. 
  • Cardholder Data
  • Compliance risk management

    Compliance risk management is an organization’s process for regularly identifying, analyzing, and mitigating risks. In the context of SOC 2 and ISO 27001, risk management refers to security and compliance risk management, meaning you’ll want to understand risks to sector and geography specific regulation and compliance standards.
  • Compliance software

    Compliance software is a software tool an organization can use to scan and monitor its vendors, systems, and controls to ensure they are compliant with certain security standards or regulations. Compliance software can be part of an organization's compliance risk management strategy to continuously track, monitor, and remediate any compliance risks that would jeopardize an organization's ability to stay compliant with relevant security standards and regulations.
  • Control

    A control is a specific rule or safeguard used to improve a company’s security and compliance. Common types of safeguards include management, physical, legal, operational, and technical controls.
  • Cybersecurity

    Cybersecurity is the body of technologies, processes, and practices designed to protect data, information, programs, systems, networks, and devices from digital attacks from unauthorized users on the internet. 
  • GDPR

    In May 2018, the European Union implemented the General Data Protection Regulation (GDPR) to create one legal framework for collecting and processing personal information from individuals who live inside the European Economic Area. 
  • HIPAA

    Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 in order to create national standards to protect sensitive patient health data.
  • HIPAA Employee Training

    Healthcare organizations are legally required to have certain administrative safeguards, like employee training, in place to protect patient data against breaches and comply with HIPAA.
  • HIPAA Enforcement Rule

    The HIPAA Enforcement Rule governs violation investigations and penalties.
  • HIPAA Rules
  • HIPAA Safeguards
  • HITECH

    The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was enacted under Title XIII of the American Recovery and Reinvestment Act (ARRA) of 2009.
  • ISO 27001

    ISO 27001 is a security and compliance standard created jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
  • ISO 27001 Stage 1 Audit

    An ISO 27001 certification audit happens in multiple stages. For organizations pursuing certification for the first time, the audit process begins with a Stage 1 audit, also referred to as an ISMS design review. 
  • Information Security Management System (ISMS)

    The ISO 27001 standard evaluates an organization’s information security management system, or ISMS. 
  • PCI DSS

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
  • Pen Test

    A penetration test (or “pen test”) is a simulated attack on an organization’s system and services, often conducted by a white hat or ethical hacker. The SOC 2 and ISO 27001 audits both require a penetration test. 
  • Policy

    A policy is a governing document describing what an organization does to ensure security and compliance. It outlines responsibilities and general procedures meant to implement and maintain specific security and compliance controls.
  • Protected Health Information (PHI)
  • SOC 1

    The Service Organization Control 1 Report (SOC 1) is an auditor report assessing controls for financial reporting. The SOC 1 targets companies providing services that could affect clients’ financial statements or internal controls over financial reporting. 
  • SOC 2

    The Service Organization Control 2 Report (SOC 2) is an auditor report assessing controls for security and compliance. Any company offering a B2B service, along with any B2C company handling sensitive information, should think about getting a SOC 2 report completed. 
  • SOC 2 Auditor
  • SOC 2 Report

    A SOC 2 report summarizes the results of the compliance audit and the auditor’s findings.
  • SOC 2 Trust Services Criteria

    AICPA’s Trust Services Criteria are the framework used by auditors to determine which security and compliance controls they will test for in a company.
  • SOC 2 Type II
  • SOC 3

    The Service Organization Control 3 Report (SOC 3) is a more concise, high-level version of the SOC 2 report, meant to be released publicly as marketing material.
  • SSAE 16

    The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of standards developed specifically for certified public accountants (CPAs) to evaluate an organization’s internal controls and how service companies report on these controls.
  • SSAE 18

    The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is the set of standards that replaced SSAE 16 in order to increase the usefulness and quality of a SOC 1 report.
  • Security questionnaires
  • Test

    A test refers to an auditor’s independent review of a security or compliance control. Auditors may assess a control’s design or implementation by requesting a copy of a relevant policy, conducting interviews, asking for related procedures, or even taking a sample of evidence, such as screenshots or tickets.
  • Vendor Assessment

    Vendor assessment is the process of evaluating a third party’s information security posture and data privacy practices during the vendor procurement process.
  • Vendor Assessment Program

    A vendor assessment program is an organization’s process of reviewing vendor security practices in order to ensure information is properly protected.
  • Vendor Management

    As an organization outsources more services and processes to vendors, vendor management becomes a critical part of an organization’s approach to risk management.