Compliance Glossary: Audit, Privacy & Security Terms

Compliance Glossary

A glossary of compliance, audit, privacy, and security terms - written by the people who actually perform the audits.

365 of 365 terms shown

Compliance Frameworks

23 NYCRR 500

A New York State Department of Financial Services regulation requiring banks, insurers, and other covered financial entities to maintain a cybersecurity program meeting specific minimum standards.

Cybersecurity

Access Control

The mechanisms and policies that determine who or what is allowed to view, use, or modify resources within a system, forming a foundational layer of information security.

GDPR

Accountability Principle (GDPR)

The GDPR requirement that organizations not only comply with data protection principles but be able to demonstrate that compliance through documentation and evidence.

PIPEDA

Accountability Principle (PIPEDA)

The PIPEDA principle making an organization responsible for personal information under its control, including information transferred to third parties for processing.

Privacy

Adequacy Decision

A determination by a regulatory body (such as the European Commission) that another country provides an adequate level of data protection, allowing personal data to flow there without additional safeguards.

HIPAA

Administrative Safeguards

Policies, procedures, and workforce training requirements that govern how an organization manages the security measures protecting electronic protected health information (ePHI).

Audit & Assurance

Adverse Opinion

An auditor's conclusion that the subject matter of an engagement is not fairly presented, issued when misstatements or control failures are both material and pervasive.

Audit & Assurance

Agreed-Upon Procedures

An engagement in which the auditor performs specific procedures agreed to in advance with the client and intended users, reporting only factual findings without expressing an opinion or assurance conclusion.

AI Governance

AI Assurance

A structured, audit-like discipline for providing confidence that an AI system behaves as intended and meets relevant safety, fairness, and governance requirements.

AI Governance

AI Audit

An independent assurance engagement evaluating an AI system or an organization's AI governance program against a defined set of criteria, such as ISO 42001 or an internal control framework.

AI Governance

AI Governance

The overall set of policies, processes, and oversight structures an organization uses to ensure AI systems are developed and used responsibly, safely, and in compliance with applicable laws.

ISO 42001

AI Governance Framework

The overarching set of policies, roles, and accountability structures an organization establishes to manage AI risk, aligned with ISO 42001 requirements.

AI Governance

AI Incident Response

The process an organization follows to detect, investigate, and remediate an AI system's harmful or unexpected behavior after deployment.

ISO 42001

AI Management System (AIMS)

The structured framework an organization uses to govern the development, deployment, and oversight of AI systems, covering risk management and continual improvement.

AI Governance

AI Risk Categorization

The tiered classification of AI systems by risk level - typically unacceptable, high, limited, and minimal risk - used by the EU AI Act to determine which obligations apply.

AI Governance

AI Risk Management

The structured process of identifying, assessing, and mitigating risks specific to AI systems, including risks related to bias, safety, security, and unintended behavior.

ISO 42001

AI Risk Register

A documented log of risks specific to an organization's AI systems, including bias, safety, and oversight risks, tracked under an ISO 42001 management system.

ISO 42001

AI System Lifecycle

The full span of stages - design, development, deployment, monitoring, and retirement - that ISO 42001 requires organizations to govern for each AI system.

AI Governance

AI Transparency

The degree to which information about an AI system's purpose, function, and decision-making process is made available and understandable to relevant stakeholders.

SOC 2

AICPA

The American Institute of CPAs, the professional body that sets the attestation standards - including AT-C Section 205 - under which SOC 2 audits are performed.

AICPA

AICPA AT-C Section 105

The AICPA attestation standard establishing the general concepts and requirements that apply to all attestation engagements, serving as the foundation for the more specific AT-C sections.

AICPA

AICPA AT-C Section 205

The AICPA attestation standard governing examination engagements, including the procedures and reporting requirements that underlie SOC 2 Type 1 and Type 2 examinations.

AICPA

AICPA AT-C Section 320

The AICPA attestation standard specifically governing reporting on controls at a service organization, forming the basis for SOC 1 and SOC 2 engagements.

AICPA

AICPA Code of Professional Conduct

The ethical framework governing CPAs, including principles related to integrity, objectivity, independence, and due care, that underlies all AICPA attestation work.

Compliance Frameworks

AICPA SSAE 18

Statement on Standards for Attestation Engagements No. 18, the authoritative AICPA standard that governs how SOC 1 and SOC 2 examinations are planned, performed, and reported.

Cybersecurity

Air Gap

A security measure that physically isolates a system or network from unsecured networks, including the internet, to prevent remote compromise.

AI Governance

Algorithmic Accountability

The principle that organizations deploying algorithmic systems should be answerable for their outcomes, including the ability to explain, justify, and correct decisions the system makes.

AI Governance

Algorithmic Bias

Systematic and unfair skew in an AI system's outputs, typically arising from imbalanced training data or flawed model design, that disadvantages certain groups.

ISO 42001

Algorithmic Impact Assessment

A structured evaluation of how an AI system's outputs could affect individuals or groups, used to identify and mitigate risks before and during deployment.

ISO 27001

Annex A Controls

The reference set of information security controls listed in ISO 27001 Annex A, used as the basis for building an organization's Statement of Applicability.

Compliance Frameworks

APPI (Japan)

Japan's Act on the Protection of Personal Information, regulating how businesses handle personal information, including requirements for cross-border data transfers.

ISO 27001

Asset Register

An inventory of information assets - systems, data, and equipment - used as the foundation for the ISO 27001 risk assessment.

Cybersecurity

Attack Surface

The total sum of points where an unauthorized user could attempt to enter or extract data from a system, including all exposed services, endpoints, and interfaces.

Audit & Assurance

Attestation Engagement

A broad category of engagements, governed by AICPA attestation standards, in which a practitioner expresses a conclusion about the reliability of subject matter that is the responsibility of another party.

Audit & Assurance

Audit Committee

A subset of an organization's board of directors responsible for overseeing financial reporting, internal controls, and the relationship with internal and external auditors.

Audit & Assurance

Audit Evidence

The information an auditor gathers and evaluates to support the conclusions and opinion expressed in an audit report, which must be sufficient and appropriate to provide a reasonable basis for that opinion.

Audit & Assurance

Audit Opinion

The auditor's formal conclusion on whether the subject matter of an engagement - such as a system description or set of controls - is fairly presented and free of material misstatement.

Audit & Assurance

Audit Readiness

The state of an organization's documentation, controls, and evidence collection being sufficiently mature and complete to begin a formal audit with minimal risk of significant gaps or exceptions.

Audit & Assurance

Audit Trail

A chronological record of system activity or transactions that allows an auditor to trace an event from origin to outcome, supporting both control testing and incident investigation.

Audit & Assurance

Audit Universe

The complete inventory of auditable entities, processes, or risks within an organization, used by internal audit to plan which areas to review and how frequently.

Audit & Assurance

Auditor Independence

A requirement under AICPA professional standards that an auditor have no financial, employment, or other relationships with the audited organization that could impair objectivity or the appearance of objectivity.

Audit & Assurance

Auditor Rotation

A requirement or practice of periodically changing the engagement partner or audit firm to reduce familiarity threats to independence over long client relationships.

Privacy

Automated Decision-Making

Decisions made about an individual without human involvement, based solely on automated processing - subject to specific rights and restrictions under laws like GDPR when the decision has significant effects.

Cybersecurity

Backup and Recovery

The practice of creating copies of data that can be restored in the event of loss, corruption, or a security incident such as ransomware.

ISO 42001

Bias Mitigation

Documented measures taken to identify and reduce unfair or discriminatory outcomes produced by an AI system's training data or model design.

Privacy

Binding Corporate Rules (BCR)

Internal data protection policies adopted by a multinational corporate group and approved by regulators, allowing intra-group international transfers of personal data without relying on other transfer mechanisms.

Governance & Risk

Board Oversight

The board of directors' responsibility for monitoring management's execution of strategy, risk management, and control activities, typically exercised through committees such as audit or risk committees.

GDPR

Breach Notification (72-Hour Rule)

The GDPR requirement that organizations report qualifying personal data breaches to their supervisory authority within 72 hours of becoming aware of them.

HIPAA

Breach Notification Rule

The HIPAA requirement that covered entities and business associates notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI.

PIPEDA

Breach of Security Safeguards

A PIPEDA term for the loss, unauthorized access to, or unauthorized disclosure of personal information, triggering notification obligations where real risk of significant harm exists.

SOC 2

Bridge Letter

A letter covering the gap between the end of a SOC 2 report period and a customer's current request date, confirming no material changes to controls occurred.

HIPAA

Business Associate Agreement (BAA)

A contract required between a HIPAA covered entity and any vendor that creates, receives, or transmits PHI on its behalf, defining each party's compliance responsibilities.

Governance & Risk

Business Continuity Planning

The process of creating documented procedures that guide an organization's response to a disruptive event, aimed at maintaining or quickly resuming critical functions.

Cybersecurity

Business Email Compromise (BEC)

A targeted social engineering attack in which an attacker impersonates an executive or trusted partner via email, typically to trick an employee into making a fraudulent payment or disclosing sensitive data.

Governance & Risk

Business Impact Analysis (BIA)

A process that identifies and evaluates the potential effects of a disruption on critical business functions, used to prioritize recovery efforts and set recovery objectives.

SOC 2

Carve-Out Method

An approach to handling a subservice organization in a SOC 2 report where the vendor's controls are excluded from testing and covered instead by CUECs.

Compliance Frameworks

CCPA

The California Consumer Privacy Act, a state law granting California residents rights over their personal information, including the right to know, delete, and opt out of the sale or sharing of their data.

ISO 27001

Certification Body

An independent, accredited organization, such as BSI, DNV, SGS, Bureau Veritas, or TÜV SÜD, authorized to issue ISO 27001 certificates after successfully completing the Stage 1 and Stage 2 audit process.

Cybersecurity

Chain of Custody (Cyber Forensics)

Documentation tracking who handled a piece of digital evidence, when, and what was done with it, ensuring the evidence remains admissible and uncontaminated.

Privacy

Children's Data / Parental Consent

Personal data belonging to minors, which most privacy laws subject to additional protections, often requiring verifiable parental consent before collection.

Cybersecurity

CIA Triad

The foundational model of information security, consisting of Confidentiality (preventing unauthorized access), Integrity (ensuring data isn't improperly altered), and Availability (ensuring systems and data are accessible when needed).

Compliance Frameworks

CJIS Security Policy

The Criminal Justice Information Services Security Policy, an FBI-issued framework establishing minimum security requirements for organizations that access criminal justice information.

Cybersecurity

Cloud Access Security Broker (CASB)

A security tool that sits between an organization's users and cloud service providers, enforcing security policies and providing visibility into cloud application usage.

ISO 27018

Cloud PII Processor Controls

A supplementary code of practice to ISO 27002 that defines controls for protecting personally identifiable information (PII) processed by public cloud service providers acting as data processors.

Cybersecurity

Cloud Security Posture Management (CSPM)

Tools that continuously monitor cloud environments for misconfigurations and compliance violations, helping organizations maintain a secure cloud posture at scale.

Compliance Frameworks

CMMC

The Cybersecurity Maturity Model Certification, a U.S. Department of Defense program requiring defense contractors to demonstrate specific cybersecurity practices and processes based on the sensitivity of information they handle.

Compliance Frameworks

CMMC Level 1/2/3

The three maturity tiers within CMMC, ranging from basic safeguarding of federal contract information (Level 1) to the more rigorous protection of controlled unclassified information against advanced threats (Level 3).

Governance & Risk

COBIT

A framework for IT governance and management published by ISACA, providing a structured approach to aligning IT processes, controls, and objectives with broader business goals.

Governance & Risk

Code of Conduct

A formal document outlining the ethical standards and expected behaviors for an organization's employees, often referenced during audits of the control environment.

Compliance Frameworks

Colorado Privacy Act

A Colorado state law granting residents rights to access, correct, delete, and port their personal data, and requiring data protection assessments for higher-risk processing activities.

SOC 2

Complementary User Entity Controls (CUECs)

Controls a SOC 2 report assumes the customer (user entity) has implemented on its own side for the overall control environment to operate effectively.

Audit & Assurance

Compliance Audit

An audit performed to determine whether an organization is adhering to the requirements of a specific law, regulation, contract, or framework.

Governance & Risk

Compliance Program

The overall structure of policies, training, monitoring, and reporting an organization establishes to ensure adherence to applicable laws, regulations, and internal standards.

Governance & Risk

Concentration Risk

Risk arising from over-reliance on a single vendor, customer, geography, or system, where a single point of failure could have outsized consequences.

ISO 27018

Confidentiality Commitment

A contractual or policy-level obligation under ISO 27018 that cloud provider personnel handling PII are bound by confidentiality requirements.

Cybersecurity

Configuration Management

The discipline of establishing and maintaining systems in a known, secure, and consistent state, tracking and controlling changes to that configuration over time.

Governance & Risk

Conflict of Interest Policy

A policy requiring individuals to disclose situations where personal interests could improperly influence their professional judgment or decisions on behalf of the organization.

AI Governance

Conformity Assessment (EU AI Act)

The process by which a high-risk AI system is evaluated against EU AI Act requirements before it can be placed on the market, sometimes requiring third-party review.

Privacy

Consent

A data subject's freely given, specific, informed, and unambiguous agreement to the processing of their personal data, one of several lawful bases recognized across privacy laws.

Privacy

Consent Management Platform (CMP)

Software that allows organizations to collect, record, and manage individuals' consent preferences, commonly used to implement cookie consent banners and related compliance workflows.

CCPA

Consumer Rights Request

A formal request from a California consumer to know, delete, correct, or opt out of the sale/sharing of their personal information within statutory timelines.

ISO 27001

Continual Improvement

An ISO 27001 requirement that an organization consistently look for ways to strengthen its ISMS based on audit findings, incidents, and changing risks.

Audit & Assurance

Continuous Auditing

An audit approach that uses automated, ongoing testing of controls and transactions throughout the period, rather than testing only at discrete points in time.

Audit & Assurance

Control Deficiency

A shortfall in the design or operation of a control such that it does not allow management or employees to prevent or detect issues in the normal course of performing their duties - the broadest of the three deficiency classifications.

SOC 2

Control Environment

The foundational layer of an organization's internal controls, covering governance, ethics, and the tone set by leadership that influences how all other controls operate.

ISO 27001

Control Objective

The intended outcome a specific Annex A control is designed to achieve, used to justify its inclusion in the Statement of Applicability.

Audit & Assurance

Control Self-Assessment

A process in which an organization's own personnel evaluate the design and operation of their controls, often as a precursor to or supplement of independent audit testing.

Audit & Assurance

Control Testing

The audit procedures performed to determine whether a control is operating as designed, including inspection of evidence, inquiry of personnel, observation, and re-performance.

Compliance Frameworks

COPPA

The Children's Online Privacy Protection Act, a U.S. law imposing specific requirements on operators of websites and online services directed at children under 13, including parental consent for data collection.

Governance & Risk

Corporate Governance

The system of rules, practices, and processes by which an organization is directed and controlled, encompassing the relationships among the board, management, shareholders, and other stakeholders.

ISO 27001

Corrective Action

The documented steps taken to fix the root cause of a nonconformity identified during an ISO 27001 audit, rather than just the symptom.

Audit & Assurance

Corrective Action Plan (CAP)

A formal, often auditor-reviewed plan describing how an organization will fix the root cause of an identified deficiency, distinct from a general remediation plan in that it's typically tied to a specific finding requiring sign-off.

Governance & Risk

COSO

The Committee of Sponsoring Organizations of the Treadway Commission, the organization behind the widely used Internal Control–Integrated Framework and Enterprise Risk Management framework referenced in most internal control programs, including SOX compliance.

COSO

COSO ERM Framework

COSO's framework specifically addressing enterprise risk management, emphasizing the integration of risk consideration into strategy-setting and performance management.

COSO

COSO Internal Control Framework

COSO's widely adopted model defining internal control through five integrated components: control environment, risk assessment, control activities, information and communication, and monitoring activities.

HIPAA

Covered Entity

A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically and is directly subject to HIPAA's requirements.

Compliance Frameworks

CPRA

The California Privacy Rights Act, which amended and expanded the CCPA, adding new categories of protected information and creating the California Privacy Protection Agency to enforce the law.

GDPR

Cross-Border Data Transfer

The movement of personal data from the EU/EEA to a country outside it, which under GDPR requires an approved legal safeguard such as Standard Contractual Clauses.

ISO 27701

Cross-Border PII Transfer (ISO 27701)

The movement of personally identifiable information across jurisdictional borders, which ISO 27701 requires organizations to document and control.

Compliance Frameworks

CSA STAR

A cloud security assurance program from the Cloud Security Alliance, offering tiered levels of assessment - from self-assessment to third-party certification and continuous monitoring - based on the CSA's Cloud Controls Matrix.

Cybersecurity

CVE (Common Vulnerabilities and Exposures)

A standardized identifier and public catalog used to uniquely reference known software vulnerabilities, allowing organizations and tools to communicate about the same issue consistently.

Cybersecurity

CVSS (Common Vulnerability Scoring System)

A standardized scoring system used to rate the severity of a vulnerability, typically on a scale of 0 to 10, helping organizations prioritize remediation efforts.

Cybersecurity

Data Breach

An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorization.

Cybersecurity

Data Classification

The process of categorizing data based on its sensitivity and the level of protection it requires, commonly using labels such as public, internal, confidential, and restricted.

GDPR

Data Controller

The entity that determines the purposes and means of processing personal data, carrying primary responsibility for GDPR compliance.

AI Governance

Data Governance for AI

The policies and controls governing the quality, provenance, and appropriate use of data throughout an AI system's training and operation, a specific focus area under ISO 42001.

Cybersecurity

Data Loss Prevention (DLP)

Technology and policies designed to detect and prevent sensitive data from leaving an organization's control, whether through email, file transfer, or removable media.

Privacy

Data Minimization

A privacy principle requiring that only the personal data necessary to accomplish a specified purpose be collected and retained, rather than collecting data broadly in case it becomes useful later.

Privacy

Data Processing Agreement (DPA)

A contract between a data controller and a data processor that sets out the scope, purpose, and security requirements governing the processor's handling of personal data.

GDPR

Data Processor

An entity that processes personal data on behalf of and under the instructions of a data controller, with its own set of GDPR obligations.

GDPR

Data Protection Officer (DPO)

A role required for certain organizations under GDPR to oversee data protection compliance, advise on DPIAs, and act as a contact point for regulators.

ISO 27701

Data Retention Schedule

A documented policy under ISO 27701 specifying how long different categories of personal information are kept before secure deletion or anonymization.

Privacy

Data Subject

An identified or identifiable individual whose personal data is being collected or processed - the person the privacy protections in laws like GDPR exist to protect.

Privacy

Data Subject Access Request (DSAR)

A formal request from an individual asking an organization to confirm whether it processes their personal data and, if so, to provide a copy of it along with related details.

GDPR

Data Subject Rights

The set of rights granted to individuals under GDPR, including access, rectification, erasure, portability, and objection to processing.

HIPAA

De-identification

The process of removing identifying details from health information so it no longer qualifies as PHI and falls outside HIPAA's restrictions.

HIPAA

Designated Record Set

The group of records maintained by a covered entity - including medical and billing records - used to make decisions about individuals, subject to HIPAA access rights.

Cybersecurity

DevSecOps

An approach that integrates security practices directly into the software development and operations lifecycle, rather than treating security as a separate, later-stage review.

Cybersecurity

Digital Forensics

The discipline of collecting, preserving, and analyzing digital evidence in a manner that maintains its integrity, often in support of incident investigation or legal proceedings.

Governance & Risk

Disaster Recovery Plan

A documented set of procedures for restoring IT systems, data, and infrastructure following a disruptive event, typically a technical subset of a broader business continuity plan.

Audit & Assurance

Disclaimer of Opinion

A statement from an auditor that no opinion is being expressed, typically issued when the auditor was unable to obtain sufficient evidence to form a conclusion.

CCPA

Do Not Sell or Share My Personal Information

The CCPA-required link businesses must display, allowing consumers to easily exercise their opt-out rights regarding the sale or sharing of their data.

Compliance Frameworks

DORA

The EU's Digital Operational Resilience Act, requiring financial entities and their critical ICT third-party providers to meet specific standards for managing information and communication technology risk.

Compliance Frameworks

DPDP Act

India's Digital Personal Data Protection Act, establishing requirements for the processing of digital personal data, including consent obligations and rights for data principals (individuals).

GDPR

DPIA (Data Protection Impact Assessment)

A required assessment for processing activities likely to result in high risk to individuals' rights, documenting the risk and the mitigations applied.

Audit & Assurance

Due Professional Care

The standard requiring an auditor to exercise the skill and diligence of a reasonably prudent and competent practitioner throughout an engagement.

Cybersecurity

Dynamic Application Security Testing (DAST)

A testing method that analyzes a running application for vulnerabilities by simulating attacks against it from the outside, without access to its source code.

Compliance Frameworks

EAR

The Export Administration Regulations, a U.S. export control framework governing dual-use commercial and military items, distinct from but often referenced alongside ITAR.

Governance & Risk

Emerging Risk

A risk that is newly identified or rapidly evolving, often lacking established historical data or precedent, making it harder to assess using traditional methods.

Cybersecurity

Encryption (At Rest, In Transit)

The process of converting data into an unreadable format to protect it from unauthorized access; "at rest" refers to stored data, while "in transit" refers to data moving across a network.

Cybersecurity

Endpoint Detection and Response (EDR)

Security software that continuously monitors endpoint devices for suspicious activity, providing detection, investigation, and automated response capabilities.

Audit & Assurance

Engagement Letter

A formal document signed before an audit begins, defining the scope, responsibilities, timeline, and terms of the engagement between the auditor and the audited organization.

Audit & Assurance

Engagement Quality Review

An internal review performed by a qualified reviewer, separate from the engagement team, before a report is issued, to evaluate the significant judgments made and conclusions reached.

Governance & Risk

Enterprise Risk Management

A structured, organization-wide approach to identifying, assessing, and managing risk in alignment with strategic objectives, rather than managing risk in isolated silos.

HIPAA

ePHI

Protected health information that is created, stored, transmitted, or received in electronic form, subject to HIPAA's Security Rule.

AI Governance

EU AI Act

The European Union's comprehensive AI regulation, which classifies AI systems by risk level - from minimal to unacceptable - and imposes corresponding obligations on providers and users.

Compliance Frameworks

EU-US Data Privacy Framework

An adequacy mechanism allowing personal data to flow from the EU to certified U.S. organizations, replacing the earlier Privacy Shield framework that was invalidated by the Court of Justice of the EU.

SOC 2

Examination Period

The defined start and end dates over which a service auditor tests the operating effectiveness of controls for a SOC 2 Type 2 report.

SOC 2

Exception (Deviation)

An instance where a tested control did not operate as designed during the SOC 2 review period, noted in the final report along with management's response.

ISO 42001

Explainability

The degree to which an AI system's decisions or outputs can be understood and reasonably explained to the people affected by them.

Cybersecurity

Extended Detection and Response (XDR)

An evolution of EDR that correlates and responds to threats across multiple security layers - endpoints, network, cloud, and email - rather than endpoints alone.

AI Governance

Fairness Metrics

Quantitative measures used to evaluate whether an AI system's outcomes are distributed equitably across different groups or populations.

Compliance Frameworks

FedRAMP

The Federal Risk and Authorization Management Program, a U.S. government-wide program that standardizes security assessment and authorization for cloud products and services used by federal agencies.

Compliance Frameworks

FERPA

The Family Educational Rights and Privacy Act, a U.S. law protecting the privacy of student education records and governing how educational institutions may disclose them.

Cybersecurity

Firewall

A network security device or software that monitors and controls incoming and outgoing traffic based on a defined set of rules, acting as a barrier between trusted and untrusted networks.

AI Governance

Foundation Model

A large-scale AI model trained on broad data that can be adapted to a wide variety of downstream tasks, serving as the base for many applied AI systems.

Governance & Risk

Fourth-Party Risk

Risk introduced by a vendor's own subcontractors or service providers - entities the organization doesn't contract with directly but whose failures can still create exposure.

Audit & Assurance

Gap Assessment

A pre-audit review comparing an organization's current controls and documentation against a target framework's requirements, used to identify deficiencies before a formal audit begins.

Compliance Frameworks

GDPR

The EU's General Data Protection Regulation, a comprehensive data protection law governing how organizations collect, process, and protect the personal data of individuals in the EU/EEA, regardless of where the organization is based.

AI Governance

General Purpose AI (GPAI)

AI models designed to perform a wide range of tasks across many contexts, rather than being built for one narrow application - a category receiving specific regulatory attention under the EU AI Act.

Compliance Frameworks

GLBA

The Gramm-Leach-Bliley Act, a U.S. law requiring financial institutions to explain their information-sharing practices and to safeguard sensitive customer financial data.

CCPA

Global Privacy Control

A browser-based signal that automatically communicates a consumer's opt-out preference to websites, which CCPA requires businesses to honor as a valid request.

Governance & Risk

Governance, Risk, and Compliance (GRC)

An umbrella term for the integrated approach organizations use to coordinate governance activities, risk management, and regulatory compliance, often supported by dedicated GRC software platforms.

AI Governance

High-Risk AI System

A category defined under frameworks like the EU AI Act for AI systems whose use carries significant potential for harm, triggering the most stringent compliance obligations.

Compliance Frameworks

HIPAA

A U.S. federal law establishing national standards for protecting the privacy and security of individuals' health information, enforced through its Privacy Rule, Security Rule, and Breach Notification Rule.

Compliance Frameworks

HITRUST

An organization that maintains a certifiable framework (the HITRUST CSF) widely used in healthcare to demonstrate compliance with multiple regulations and standards, including HIPAA, through a single assessment.

Compliance Frameworks

HITRUST CSF

The Common Security Framework maintained by HITRUST, which harmonizes requirements from HIPAA, NIST, ISO 27001, and other standards into a single certifiable control set.

Cybersecurity

Honeypot

A decoy system or resource deliberately set up to attract attackers, allowing an organization to detect, study, or delay malicious activity without risking real assets.

ISO 42001

Human Oversight

An ISO 42001 principle requiring that AI systems remain subject to meaningful human review and intervention, rather than operating without accountability.

AI Governance

Human-in-the-Loop

An AI system design in which a human reviews, approves, or can override the system's outputs before they take effect, as a specific form of human oversight.

ISO 27001

IAF Accreditation

Recognition from the International Accreditation Forum confirming that a certification body's ISO 27001 certificates meet globally consistent standards.

Cybersecurity

Identity and Access Management (IAM)

The systems and processes an organization uses to ensure the right individuals have appropriate access to the right resources, at the right times, for the right reasons.

Cybersecurity

Incident Response

The organized process an organization follows to detect, contain, investigate, and recover from a security incident, typically guided by a documented incident response plan.

SOC 2

Inclusive Method

An approach to handling a subservice organization in a SOC 2 report where the vendor's controls are tested directly as part of the audit.

Governance & Risk

Inherent Risk

The level of risk that exists before any controls are applied, reflecting the raw exposure of an activity or process.

Audit & Assurance

Inquiry (Audit Procedure)

An audit procedure involving questioning of knowledgeable personnel, used to gather evidence but generally considered insufficient on its own to support a conclusion.

Cybersecurity

Insider Threat

A security risk originating from individuals within an organization - employees, contractors, or partners - who have authorized access and may misuse it, intentionally or accidentally.

Audit & Assurance

Inspection (Audit Procedure)

An audit procedure involving the examination of records, documents, or physical assets to gather evidence of a control's existence or operation.

ISO 42001

Intended Use Statement

Documentation defining the specific purpose and boundaries an AI system is designed for, used to evaluate whether deployment outside that scope introduces new risk.

Audit & Assurance

Internal Audit vs. External Audit

Internal audit is performed by an organization's own staff (or outsourced function) reporting to its audit committee or board, focused on operational improvement; external audit is performed by an independent third-party firm, focused on providing assurance to outside parties.

Governance & Risk

Internal Controls

The policies, procedures, and activities an organization puts in place to provide reasonable assurance that its objectives - operational, reporting, and compliance - will be achieved.

Cybersecurity

Intrusion Detection System (IDS)

A system that monitors network or system activity for signs of malicious behavior or policy violations and alerts administrators, without taking direct action to block the activity.

Cybersecurity

Intrusion Prevention System (IPS)

A system similar to an IDS but capable of actively blocking or preventing detected malicious activity in real time, rather than only alerting on it.

Compliance Frameworks

IRS Pub 1075

An IRS publication establishing safeguarding requirements for agencies and contractors that receive, store, process, or transmit federal tax information (FTI).

ISO 27001

ISMS (Information Security Management System)

The overall system of policies, risk assessments, and controls an organization uses to manage information security - the basis of ISO 27001 certification.

Compliance Frameworks

ISO 20000

The international standard for IT service management, specifying requirements for planning, delivering, and continually improving IT services within an organization.

Compliance Frameworks

ISO 22301

The international standard for business continuity management systems, specifying requirements for planning, establishing, and improving an organization's ability to respond to and recover from disruptive incidents.

Compliance Frameworks

ISO 27001

An international standard specifying requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), certifiable by an accredited third party.

Compliance Frameworks

ISO 27017

A code of practice that extends ISO 27001/27002 with cloud-specific information security controls, addressing the shared responsibilities between cloud service providers and their customers.

Compliance Frameworks

ISO 27018

A code of practice that extends ISO 27002 with controls specifically addressing the protection of personally identifiable information (PII) processed by public cloud service providers.

Compliance Frameworks

ISO 27701

An extension to ISO 27001 and ISO 27002 that adds requirements and guidance for establishing a privacy information management system (PIMS), supporting organizations acting as PII controllers or processors.

Compliance Frameworks

ISO 31000

An international standard providing principles and generic guidelines for risk management, used as a reference framework rather than a certifiable standard.

Compliance Frameworks

ISO 42001

The first international standard specifying requirements for an AI management system, addressing how organizations govern the development, deployment, and oversight of AI throughout its lifecycle.

Compliance Frameworks

ISO 9001

The international standard for quality management systems, used by organizations to demonstrate consistent ability to meet customer and regulatory requirements through documented processes and continual improvement.

Governance & Risk

IT General Controls

Controls that apply broadly across an organization's IT environment - such as access management, change management, and backup procedures - supporting the reliability of all applications and data that depend on that environment.

Governance & Risk

IT Governance

The framework of leadership, structures, and processes that ensure an organization's IT investments and activities support and enable its broader business strategy.

Compliance Frameworks

ITAR

The International Traffic in Arms Regulations, a U.S. export control regime governing defense-related articles and services, which imposes strict access and citizenship-based handling requirements on covered technical data.

Privacy

Joint Controller

A situation where two or more organizations jointly determine the purposes and means of processing the same personal data, sharing responsibility for compliance.

Governance & Risk

Key Control Indicator (KCI)

A measurable metric used to monitor whether a specific control is operating within expected parameters, distinct from a KRI in that it tracks control performance rather than underlying risk levels.

Governance & Risk

Key Risk Indicator (KRI)

A measurable metric used to provide early warning of increasing risk exposure in a particular area, allowing management to act before a risk materializes into an incident.

GDPR

Lawful Basis for Processing

One of six legal grounds - such as consent, contract, or legitimate interest - that GDPR requires an organization to identify before processing personal data.

Cybersecurity

Least Privilege

A security principle stating that users and systems should be granted only the minimum level of access necessary to perform their function, nothing more.

GDPR

Legitimate Interest

A lawful basis under GDPR allowing processing of personal data when an organization's interest is balanced against the individual's rights and reasonably expected by them.

Compliance Frameworks

LGPD

Brazil's Lei Geral de Proteção de Dados, a comprehensive data protection law closely modeled on the GDPR, governing the processing of personal data of individuals in Brazil.

Governance & Risk

Likelihood and Impact

The two dimensions typically used to score a risk during assessment - how probable the risk is to occur, and how severe the consequences would be if it did.

Audit & Assurance

Limited vs. Reasonable Assurance

Two levels of assurance an attestation engagement can provide: reasonable assurance (a high but not absolute level of confidence, typical of SOC 2 examinations) and limited assurance (a lower level, typical of review-level engagements).

PIPEDA

Limiting Collection Principle

A PIPEDA principle requiring organizations to collect only the personal information necessary for the purposes they have identified, not more.

Cybersecurity

Logging and Monitoring

The practice of recording system and application activity (logging) and actively reviewing that activity for signs of anomalies or security issues (monitoring).

Cybersecurity

Malware

A broad category of malicious software, including viruses, worms, trojans, and ransomware, designed to damage, disrupt, or gain unauthorized access to a system.

Cybersecurity

Managed Detection and Response (MDR)

An outsourced service in which a third-party provider monitors an organization's environment and responds to threats on its behalf, typically combining technology with human analysts.

SOC 2

Management Assertion

A written statement from company leadership describing the system and confirming that controls were suitably designed and, for Type 2, operated effectively during the period.

Audit & Assurance

Management Representation Letter

A letter signed by an organization's management, provided to the auditor near the end of an engagement, formally affirming the accuracy of information and representations made during the audit.

ISO 27001

Management Review

A scheduled meeting where leadership evaluates the performance of the ISMS, including audit results, risk treatment progress, and opportunities for improvement.

Audit & Assurance

Material Weakness

A deficiency in internal control significant enough that there is a reasonable possibility a material misstatement or control failure will not be prevented or detected on a timely basis.

Audit & Assurance

Materiality (Audit)

The threshold above which a misstatement, omission, or control failure would be expected to influence the decisions of someone relying on the audit's results.

PIPEDA

Meaningful Consent (PIPEDA)

The PIPEDA requirement that an individual's consent to the collection, use, or disclosure of personal information be informed, specific, and reasonably understood - not buried in lengthy or unclear terms.

HIPAA

Minimum Necessary Standard

The HIPAA principle that covered entities should limit the use, disclosure, and request of PHI to the smallest amount needed to accomplish the intended purpose.

Cybersecurity

Mobile Device Management (MDM)

Software that allows an organization to manage, secure, and enforce policies on mobile devices - whether company-owned or personal - that access corporate data.

AI Governance

Model Card

A short, standardized document describing an AI model's intended use, performance characteristics, limitations, and training data, intended to promote transparency.

AI Governance

Model Documentation

Comprehensive records describing how an AI model was developed, trained, validated, and deployed, supporting both internal governance and external audit requirements.

ISO 42001

Model Monitoring

The ongoing process of tracking an AI system's performance and outputs after deployment to detect drift, degradation, or unexpected behavior.

Cybersecurity

Multi-Factor Authentication (MFA)

An authentication method requiring two or more independent forms of verification - such as a password plus a one-time code - before granting access.

Compliance Frameworks

NERC CIP

The North American Electric Reliability Corporation's Critical Infrastructure Protection standards, a set of mandatory cybersecurity requirements for organizations involved in the bulk power system.

Cybersecurity

Network Segmentation

The practice of dividing a network into smaller, isolated sections to limit how far an attacker can move laterally if one segment is compromised.

Compliance Frameworks

NIS2

The EU's updated Network and Information Security Directive, expanding cybersecurity and incident-reporting obligations to a broader range of essential and important entities across member states.

Compliance Frameworks

NIST 800-171

A NIST publication specifying security requirements for protecting Controlled Unclassified Information (CUI) when it resides in non-federal systems, forming the technical basis for CMMC.

Compliance Frameworks

NIST 800-53

A NIST publication providing a comprehensive catalog of security and privacy controls for federal information systems, widely referenced as a control baseline well beyond government use.

AI Governance

NIST AI RMF

The NIST AI Risk Management Framework, a voluntary framework providing guidance for organizations to manage risks associated with the design, development, and use of AI systems.

Compliance Frameworks

NIST CSF

The NIST Cybersecurity Framework, a voluntary framework of standards and best practices organized around five core functions - Identify, Protect, Detect, Respond, and Recover - used to manage cybersecurity risk.

ISO 27001

Nonconformity (Major/Minor)

A finding where a control or process fails to meet ISO 27001 requirements; major nonconformities can block certification, while minor ones require a corrective action plan.

HIPAA

Notice of Privacy Practices

The HIPAA-required document a covered entity provides to patients explaining how their health information may be used and disclosed.

ISO 27018

Notification of Data Requests

An ISO 27018 control requiring a cloud provider to inform customers of legally binding requests for disclosure of their PII, where legally permitted.

AI Governance

Notified Body (EU AI Act)

An organization formally designated by an EU member state to perform conformity assessments for certain high-risk AI systems under the EU AI Act.

Audit & Assurance

Observation (Audit Procedure)

An audit procedure in which the auditor watches a process or control being performed by client personnel, providing evidence of operation at that specific point in time.

HIPAA

Office for Civil Rights (OCR)

The division of HHS responsible for enforcing HIPAA, investigating complaints, and issuing penalties for noncompliance.

Audit & Assurance

Operational Audit

An audit focused on evaluating the efficiency and effectiveness of an organization's operations and processes, rather than financial reporting or compliance specifically.

Governance & Risk

Operational Resilience

An organization's ability to continue delivering critical operations through disruption, encompassing business continuity, disaster recovery, and the ability to adapt processes under stress.

Cybersecurity

Patch Management

The process of identifying, testing, and deploying software updates that fix known vulnerabilities or bugs across an organization's systems.

Compliance Frameworks

PCI DSS

The Payment Card Industry Data Security Standard, a set of security requirements established by major card brands for any organization that stores, processes, or transmits cardholder data.

Compliance Frameworks

PDPA (Singapore)

Singapore's Personal Data Protection Act, governing the collection, use, and disclosure of personal data by organizations operating in Singapore.

AICPA

Peer Review

An AICPA program requiring CPA firms that perform attestation engagements to undergo periodic, independent review of their audit quality by another qualified firm or reviewer.

Cybersecurity

Penetration Testing

An authorized, simulated attack on a system performed to identify exploitable vulnerabilities before a real attacker can find and use them.

Privacy

Personal Data

Generically, any information relating to an identified or identifiable individual - the broad category that specific terms like "Personal Information" under various laws further define and scope.

CCPA

Personal Information (CCPA)

Any information that identifies, relates to, or could reasonably be linked with a particular California consumer or household, as defined under the CCPA.

PIPEDA

Personal Information (PIPEDA)

Information about an identifiable individual, as defined under Canada's federal private-sector privacy law, excluding an individual's business contact information used for business purposes.

Cybersecurity

Phishing

A social engineering attack in which an attacker impersonates a trusted party, typically via email, to trick a victim into revealing credentials, sensitive data, or installing malware.

HIPAA

Physical Safeguards

HIPAA-required controls over physical access to facilities and equipment that store or process ePHI, such as workstation security and device disposal procedures.

ISO 27701

PII Controller (ISO 27701)

An organization that determines the purposes and means of processing personally identifiable information, a role defined under the ISO 27701 privacy extension.

ISO 27701

PII Processor (ISO 27701)

An organization that processes personally identifiable information on behalf of a PII controller, with a distinct set of obligations under ISO 27701.

Compliance Frameworks

PIPEDA

Canada's federal private-sector privacy law, governing how organizations collect, use, and disclose personal information in the course of commercial activity.

Governance & Risk

Policy vs. Procedure vs. Standard vs. Guideline

A policy states what must be done and why; a standard specifies the measurable requirements that satisfy the policy; a procedure details the step-by-step how; a guideline offers recommended, non-mandatory practices.

Compliance Frameworks

POPIA

South Africa's Protection of Personal Information Act, establishing conditions for the lawful processing of personal information by public and private bodies.

GDPR

Privacy by Design

A GDPR principle requiring data protection safeguards to be built into systems and processes from the outset, rather than added afterward.

PIPEDA

Privacy Commissioner of Canada

The federal regulator responsible for overseeing compliance with PIPEDA, investigating complaints, and issuing guidance to organizations.

ISO 27701

Privacy Information Management System (PIMS)

The privacy extension to ISO 27001 that adds requirements and controls for managing personally identifiable information (PII), supporting organizations acting as either PII controllers or processors.

Privacy

Privacy Notice vs. Privacy Policy

A privacy notice is typically the external-facing disclosure telling individuals how their data will be used at the point of collection; a privacy policy is often the broader governing document - though the terms are frequently used interchangeably in practice.

ISO 27701

Privacy Risk Assessment

An ISO 27701 process for identifying and evaluating risks to individuals arising from how their personal information is collected, used, or shared.

Cybersecurity

Privileged Access Management (PAM)

A specialized subset of IAM focused on securing, monitoring, and controlling accounts with elevated permissions, such as system administrators.

Audit & Assurance

Professional Skepticism

An auditor's mindset that includes a questioning attitude and critical assessment of evidence, rather than assuming management's representations are accurate without corroboration.

Privacy

Profiling

The automated processing of personal data to evaluate or predict aspects of an individual, such as their preferences, behavior, or location.

HIPAA

Protected Health Information (PHI)

Individually identifiable health information created, received, or maintained by a covered entity or business associate that is protected under HIPAA.

GDPR

Pseudonymization

A GDPR-recognized technique that replaces identifying details in a dataset with reversible tokens, reducing risk while still allowing the data to be re-linked under controlled conditions.

ISO 27018

Public Cloud PII Processor

A cloud service provider that processes personally identifiable information on behalf of its customers - the specific role ISO 27018 was written to govern.

Cybersecurity

Public Key Infrastructure (PKI)

The set of roles, policies, and procedures used to create, manage, and revoke digital certificates and public-key encryption, underpinning secure communications like TLS.

Privacy

Purpose Limitation

A privacy principle requiring that personal data collected for one specified purpose not be used for a materially different purpose without additional notice or consent.

SOC 2

Qualified Opinion

An auditor's conclusion that one or more controls did not meet the criteria, as opposed to an unqualified opinion where all tested controls passed.

Cybersecurity

Ransomware

Malicious software that encrypts an organization's data or systems, with attackers demanding payment in exchange for restoring access.

Audit & Assurance

Re-performance

An audit procedure in which the auditor independently executes a control or procedure to confirm it produces the same result as when originally performed by the organization's personnel.

SOC 2

Readiness Assessment

A preliminary evaluation conducted before the formal SOC 2 audit period to identify control gaps and reduce the risk of exceptions in the final report.

Privacy

Record of Processing Activities (ROPA)

A documented inventory, required under GDPR, of an organization's data processing activities, including what data is processed, why, and with whom it's shared.

Governance & Risk

Recovery Point Objective (RPO)

The maximum acceptable amount of data loss, measured in time, that an organization can tolerate following a disruption - for example, the maximum time since the last backup.

Governance & Risk

Recovery Time Objective (RTO)

The maximum acceptable amount of time a system or process can be unavailable after a disruption before causing unacceptable harm to the organization.

Cybersecurity

Red Team vs. Blue Team

A red team simulates real-world attackers to test an organization's defenses; a blue team is the defending side responsible for detecting and responding to those simulated (or real) attacks.

Governance & Risk

Regulatory Risk

The risk that changes in laws or regulations, or failure to comply with existing ones, will result in penalties, restrictions, or increased cost of doing business.

Audit & Assurance

Remediation Plan

A documented set of actions, owners, and timelines created to address a deficiency, exception, or gap identified during an audit or assessment.

Governance & Risk

Reputational Risk

The risk that negative public perception - arising from an incident, scandal, or failure - damages an organization's brand, customer trust, or market position.

Governance & Risk

Residual Risk

The level of risk that remains after controls have been applied, representing the exposure an organization actually carries day to day.

AI Governance

Responsible AI

An approach to developing and deploying AI that prioritizes fairness, transparency, accountability, and safety throughout the system's lifecycle.

ISO 27018

Return and Deletion of PII

An ISO 27018 obligation requiring a cloud provider to return or securely delete a customer's personally identifiable information at the end of a service agreement.

Privacy

Right to Data Portability

An individual's right to receive their personal data in a structured, commonly used format and to transmit it to another organization.

GDPR

Right to Erasure

Also known as the "right to be forgotten" - a GDPR provision allowing individuals to request deletion of their personal data under specific conditions.

Privacy

Right to Object

An individual's right to object to certain types of processing of their personal data, such as processing for direct marketing purposes.

CCPA

Right to Opt-Out

The CCPA right allowing California consumers to direct a business to stop selling or sharing their personal information.

Privacy

Right to Rectification

An individual's right to have inaccurate personal data corrected, and incomplete data completed, typically found alongside the right to erasure in comprehensive privacy laws.

Privacy

Right to Restriction of Processing

An individual's right to require an organization to limit how it uses their personal data under certain circumstances, without necessarily deleting it.

Governance & Risk

Risk Acceptance

A deliberate decision to take no further action on an identified risk because its likelihood and impact fall within the organization's risk appetite.

Governance & Risk

Risk Appetite

The amount and type of risk an organization is willing to accept in pursuit of its objectives, typically set by the board or senior leadership.

Governance & Risk

Risk Assessment

The process of identifying, analyzing, and evaluating risks to determine their likelihood and potential impact, forming the basis for deciding how each risk should be treated.

ISO 27001

Risk Assessment Methodology

The documented, repeatable process an organization uses to identify, analyze, and evaluate information security risks under ISO 27001.

Governance & Risk

Risk Avoidance

Eliminating exposure to a risk entirely by discontinuing or not undertaking the activity that creates it.

Governance & Risk

Risk Culture

The shared values, attitudes, and behaviors that influence how an organization's people identify, discuss, and respond to risk in their day-to-day decisions.

Governance & Risk

Risk Heat Map

A visual tool that plots risks according to their likelihood and impact, typically using a color-coded grid to help prioritize which risks need the most attention.

Governance & Risk

Risk Matrix

A structured grid used to rate and compare risks based on predefined likelihood and impact scales, often the underlying data behind a risk heat map.

Governance & Risk

Risk Mitigation

Actions taken to reduce the likelihood or impact of a risk, typically through additional controls, process changes, or technology investments.

Governance & Risk

Risk Register

A documented log of identified risks, their likelihood and impact ratings, and assigned treatment owners, maintained as a living record throughout an organization's risk management program.

Governance & Risk

Risk Tolerance

The acceptable level of variation around a specific risk or objective that an organization is willing to withstand, more granular and tactical than the broader risk appetite.

Governance & Risk

Risk Transfer

Shifting the financial or operational impact of a risk to a third party, most commonly through insurance or contractual indemnification.

Governance & Risk

Risk Treatment

The overall process of selecting and implementing measures to modify risk, encompassing mitigation, acceptance, transfer, and avoidance as available options.

ISO 27001

Risk Treatment Plan

The documented set of actions an organization takes to reduce, transfer, accept, or avoid each risk identified during its ISO 27001 risk assessment.

Audit & Assurance

Risk-Based Audit Approach

An audit planning method that allocates audit resources and testing effort in proportion to the assessed risk of each area, rather than testing everything equally.

Cybersecurity

Role-Based Access Control (RBAC)

An access control model that assigns permissions based on a user's role within an organization, rather than granting permissions to individuals one at a time.

Audit & Assurance

Roll-Forward Procedures

Audit procedures used to extend conclusions from an interim testing date to the end of the examination period, confirming no significant changes occurred in between.

Audit & Assurance

Root Cause Analysis

A structured method for identifying the underlying cause of a control failure or deficiency, rather than just addressing its immediate symptoms.

CCPA

Sale of Personal Information

Under CCPA, the exchange of a consumer's personal information for monetary or other valuable consideration, which triggers specific opt-out rights.

SOC 2

Sampling Methodology

The approach an auditor uses to select a representative subset of transactions or instances to test a control's operation, rather than reviewing every instance.

Audit & Assurance

Sampling Risk

The risk that an auditor's conclusion based on a sample of transactions or controls would differ from the conclusion reached if the entire population had been tested.

SOC 2

Scope of Engagement

The boundaries of a SOC 2 audit, defining which systems, locations, and trust services criteria are included in the review.

ISO 27001

Scope Statement

The defined boundary of what is covered by an organization's ISMS, including locations, departments, and systems included in certification.

Cybersecurity

Secure Software Development Lifecycle (SSDLC)

A framework that embeds security activities - such as threat modeling and code review - into each phase of the software development process, from design through deployment.

Cybersecurity

Security Baseline

A documented minimum set of security configurations and controls that all systems of a given type must meet before being considered acceptably secure.

Cybersecurity

Security Incident vs. Security Event

A security event is any observable occurrence in a system (e.g., a login attempt); a security incident is an event - or series of events - confirmed to violate security policy or threaten the confidentiality, integrity, or availability of a system.

Cybersecurity

Security Information and Event Management (SIEM)

A technology platform that aggregates and analyzes log data from across an organization's systems, enabling centralized monitoring and detection of security events.

Cybersecurity

Security Operations Center

A dedicated team and facility responsible for continuously monitoring, detecting, and responding to security incidents across an organization's environment.

Cybersecurity

Security Orchestration, Automation and Response (SOAR)

A technology category that automates incident response workflows, often integrated with a SIEM to speed up detection-to-resolution time.

HIPAA

Security Rule vs. Privacy Rule

The Privacy Rule governs how PHI may be used and disclosed; the Security Rule specifically governs the safeguards required to protect ePHI.

Governance & Risk

Segregation of Duties

A control principle ensuring that no single individual has end-to-end control over a critical process, reducing the risk of error or fraud going undetected.

Privacy

Sensitive Personal Data / Special Category Data

A subset of personal data - such as health, biometric, racial, or religious information - that receives heightened protection and stricter processing conditions under most privacy laws.

Audit & Assurance

Service Auditor

The CPA firm, such as CertPro, engaged to perform and report on a SOC examination of a service organization's controls.

CCPA

Service Provider (CCPA)

An entity that processes personal information on behalf of a business under a written contract, with restrictions on using that data for its own purposes.

AI Governance

Shadow AI

The unsanctioned use of AI tools or models within an organization, outside the visibility or approval of IT and governance functions.

Compliance Frameworks

Shared Assessments (SIG)

A Standardized Information Gathering questionnaire and program used by organizations to assess third-party vendor risk consistently, reducing the need for each vendor relationship to use a custom questionnaire.

Audit & Assurance

Significant Deficiency

A deficiency in internal control that is less severe than a material weakness but still important enough to merit attention from those responsible for oversight.

Cybersecurity

Single Sign-On (SSO)

An authentication method that allows a user to log in once and gain access to multiple connected systems or applications without re-authenticating for each.

Compliance Frameworks

SOC 1

An AICPA attestation framework focused specifically on controls relevant to a service organization's impact on its customers' financial reporting, commonly required by companies that handle financial transactions or data on behalf of clients.

SOC 1

SOC 1 Report

The report issued from a SOC 1 examination, containing the auditor's opinion on the design (Type 1) or design and operating effectiveness (Type 2) of controls relevant to a service organization's impact on customer financial reporting.

Compliance Frameworks

SOC 2

An attestation framework defined by the AICPA that evaluates an organization's controls against one or more Trust Services Criteria - security, availability, processing integrity, confidentiality, and privacy - resulting in an independent auditor's report rather than a certificate.

SOC 2

SOC 2 Report

The formal output of a SOC 2 examination - a CPA firm's report containing the auditor's opinion, the description of the system, and (for Type 2) the results of control testing over the examination period.

Compliance Frameworks

SOC 3

A general-use version of a SOC 2 report, presenting the auditor's opinion and a system overview without the detailed control descriptions and test results - intended for public distribution, such as a trust seal on a website.

SOC 3

SOC 3 Report

The publicly distributable version of a SOC 2 report, omitting the detailed system description and control test results in favor of a summary opinion suitable for general audiences.

Compliance Frameworks

SOC for Cybersecurity

An AICPA attestation framework that evaluates an organization's enterprise-wide cybersecurity risk management program, intended for a broad audience including boards and investors, rather than the narrower customer-facing scope of SOC 2.

SOC 2

SOC Report Distribution

The restrictions governing who may receive a SOC report - Type 1 and Type 2 reports are restricted-use documents intended only for the organization, its customers, and their auditors, unlike a SOC 3 report.

Cybersecurity

Social Engineering

Manipulation tactics that exploit human psychology - rather than technical vulnerabilities - to trick individuals into divulging information or taking actions that compromise security.

Compliance Frameworks

SOX (IT Controls)

Internal controls over financial reporting required under the Sarbanes-Oxley Act; the IT-specific subset covers access controls, change management, and system reliability for systems that affect financial statements.

ISO 27001

Stage 1 vs. Stage 2 Audit

The two-part ISO 27001 certification audit: Stage 1 reviews documentation and readiness, Stage 2 tests whether controls are implemented and operating effectively.

GDPR

Standard Contractual Clauses (SCCs)

Pre-approved contract terms issued by the European Commission that organizations use to legally transfer personal data outside the EU/EEA.

ISO 27001

Statement of Applicability (SoA)

The core ISO 27001 document listing which Annex A controls apply to the organization, the justification for inclusion or exclusion, and implementation status.

Compliance Frameworks

StateRAMP

A security authorization program modeled on FedRAMP, designed for state and local governments to assess and approve cloud service providers for use by public sector agencies.

Cybersecurity

Static Application Security Testing (SAST)

A testing method that analyzes an application's source code or binaries for security vulnerabilities without executing the program.

ISO 27018

Sub-Processor Disclosure

An ISO 27018 requirement that a cloud provider inform customers before engaging another vendor (a sub-processor) to handle their PII.

Audit & Assurance

Subsequent Events

Events occurring after the end of an examination period but before the audit report is issued, which may need to be evaluated for their effect on the report if significant enough.

SOC 2

Subservice Organization

A third-party vendor whose services are relevant to a company's system but excluded from the audit's direct testing, typically addressed via the carve-out or inclusive method.

Privacy

Supervisory Authority

An independent public body responsible for monitoring and enforcing data protection law within a jurisdiction, such as a national data protection authority under GDPR.

Governance & Risk

Supply Chain Risk Management

The discipline of identifying and managing risks introduced through an organization's supply chain, including suppliers of both physical goods and software/services.

ISO 27001

Surveillance Audit

A periodic audit conducted during the three-year ISO 27001 certification cycle to confirm the management system continues to meet requirements.

Compliance Frameworks

SWIFT CSP

The SWIFT Customer Security Programme, a set of mandatory and advisory security controls that financial institutions using the SWIFT messaging network must implement and self-attest to annually.

SOC 2

System Description

The narrative section of a SOC 2 report describing the infrastructure, software, people, procedures, and data that make up the system being audited.

Cybersecurity

System Hardening

The process of reducing a system's attack surface by disabling unnecessary services, closing unused ports, and applying secure configuration settings.

Cybersecurity

Tabletop Exercise

A discussion-based simulation in which stakeholders walk through their roles and decisions during a hypothetical incident, used to test and improve an incident response plan without a live system disruption.

HIPAA

Technical Safeguards

HIPAA-required technology controls - like access controls, audit logs, and encryption - that protect ePHI from unauthorized access.

Audit & Assurance

Test of Controls vs. Substantive Testing

Tests of controls evaluate whether a control is operating as designed; substantive testing directly examines transactions or balances for misstatement, regardless of control design.

AI Governance

Third-Party AI Risk

Risk arising from an organization's use of AI systems, models, or tools developed or operated by external vendors, requiring its own due-diligence considerations beyond standard vendor risk management.

Governance & Risk

Third-Party Risk Management

The discipline of identifying, assessing, and monitoring risks introduced by external parties an organization relies on, including vendors, partners, and contractors.

Cybersecurity

Threat Intelligence

Information about current and emerging threats - including attacker tactics, indicators of compromise, and vulnerabilities - collected and analyzed to inform an organization's defenses.

Cybersecurity

Threat Modeling

A structured process for identifying potential threats to a system early in its design, helping teams prioritize which risks to address before development is complete.

Audit & Assurance

Three Lines of Defense

A risk governance model dividing responsibility across operational management (first line), risk and compliance functions (second line), and internal audit (third line), each providing an independent layer of oversight.

Cybersecurity

TLS/SSL

Cryptographic protocols that encrypt data transmitted over a network, most commonly used to secure web traffic between a browser and a server (the "S" in HTTPS).

Audit & Assurance

Tolerable Error Rate

The maximum rate of deviation or error an auditor is willing to accept in a sample while still concluding that a control is operating effectively.

Governance & Risk

Tone at the Top

The ethical and risk-management example set by senior leadership, widely regarded as the single biggest influence on an organization's overall control environment and risk culture.

AI Governance

Training Data Governance

Controls and documentation specifically addressing how data used to train an AI model was sourced, validated, and assessed for quality and bias.

SOC 2

Trust Services Criteria

The five categories - security, availability, processing integrity, confidentiality, and privacy - selected from when scoping a SOC 2 audit.

Compliance Frameworks

TX-RAMP

A Texas-specific cloud security certification program required for cloud computing services used by Texas state agencies, modeled on FedRAMP's authorization approach.

SOC 2

Type 1 Report

A SOC report that evaluates whether controls were suitably designed as of a specific point in time, without testing whether they operated effectively over a period.

SOC 2

Type 2 Report

A SOC report that evaluates both the design and the operating effectiveness of controls over a defined examination period, typically three to twelve months.

Compliance Frameworks

UK GDPR

The UK's version of the GDPR, retained in domestic law after Brexit, which largely mirrors the EU GDPR but is enforced independently by the UK's Information Commissioner's Office.

Audit & Assurance

Unqualified Opinion

An auditor's conclusion that the subject matter of an engagement is fairly presented in all material respects, with no exceptions noted - the most favorable opinion an audit can receive.

Audit & Assurance

User Auditor

The auditor of a service organization's customer (the user entity), who relies on a SOC report to evaluate controls relevant to their own client's financial statement audit or vendor risk assessment.

Compliance Frameworks

VCDPA

The Virginia Consumer Data Protection Act, a state privacy law granting Virginia residents rights over their personal data and imposing obligations on businesses similar in structure to the CCPA/CPRA.

Governance & Risk

Vendor Risk Management

The subset of third-party risk management focused specifically on suppliers and vendors, typically involving due diligence questionnaires, contractual safeguards, and ongoing monitoring.

CCPA

Verifiable Consumer Request

A request from a consumer exercising CCPA rights that a business can reasonably confirm was made by the person (or their authorized agent) about whom the data relates.

Cybersecurity

VPN

A Virtual Private Network, which creates an encrypted connection over a public network, allowing remote users to securely access an organization's internal systems.

Cybersecurity

Vulnerability Management

The ongoing process of identifying, evaluating, prioritizing, and remediating security weaknesses across an organization's systems and software.

Audit & Assurance

Walkthrough (Audit Procedure)

An audit procedure in which the auditor traces a transaction or process from initiation to completion, observing and confirming how a control actually operates in practice.

Governance & Risk

Whistleblower Policy

A formal policy establishing a confidential channel and protections for employees or others to report suspected misconduct without fear of retaliation.

Cybersecurity

Zero Trust

A security model based on the principle of never automatically trusting any user or device, inside or outside the network, requiring continuous verification before granting access to resources.

Cybersecurity

Zero-Day Vulnerability

A previously unknown software vulnerability that is exploited by attackers before the vendor has released a patch, leaving organizations with no immediate fix available.

No terms found

Try a different search term or clear the framework filter.

This glossary is provided for general informational purposes and does not constitute legal advice or a compliance determination.
Get Started Today

Begin your compliance audit with a licensed CPA firm.

Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss audit scope and outline a clear path based on your current state.

Licensed CPA firm Peer Review Enrolled
Schedule A Meeting