Compliance Glossary
A glossary of compliance, audit, privacy, and security terms - written by the people who actually perform the audits.
23 NYCRR 500
A New York State Department of Financial Services regulation requiring banks, insurers, and other covered financial entities to maintain a cybersecurity program meeting specific minimum standards.
Access Control
The mechanisms and policies that determine who or what is allowed to view, use, or modify resources within a system, forming a foundational layer of information security.
Accountability Principle (GDPR)
The GDPR requirement that organizations not only comply with data protection principles but be able to demonstrate that compliance through documentation and evidence.
Accountability Principle (PIPEDA)
The PIPEDA principle making an organization responsible for personal information under its control, including information transferred to third parties for processing.
Adequacy Decision
A determination by a regulatory body (such as the European Commission) that another country provides an adequate level of data protection, allowing personal data to flow there without additional safeguards.
Administrative Safeguards
Policies, procedures, and workforce training requirements that govern how an organization manages the security measures protecting electronic protected health information (ePHI).
Adverse Opinion
An auditor's conclusion that the subject matter of an engagement is not fairly presented, issued when misstatements or control failures are both material and pervasive.
Agreed-Upon Procedures
An engagement in which the auditor performs specific procedures agreed to in advance with the client and intended users, reporting only factual findings without expressing an opinion or assurance conclusion.
AI Assurance
A structured, audit-like discipline for providing confidence that an AI system behaves as intended and meets relevant safety, fairness, and governance requirements.
AI Audit
An independent assurance engagement evaluating an AI system or an organization's AI governance program against a defined set of criteria, such as ISO 42001 or an internal control framework.
AI Governance
The overall set of policies, processes, and oversight structures an organization uses to ensure AI systems are developed and used responsibly, safely, and in compliance with applicable laws.
AI Governance Framework
The overarching set of policies, roles, and accountability structures an organization establishes to manage AI risk, aligned with ISO 42001 requirements.
AI Incident Response
The process an organization follows to detect, investigate, and remediate an AI system's harmful or unexpected behavior after deployment.
AI Management System (AIMS)
The structured framework an organization uses to govern the development, deployment, and oversight of AI systems, covering risk management and continual improvement.
AI Risk Categorization
The tiered classification of AI systems by risk level - typically unacceptable, high, limited, and minimal risk - used by the EU AI Act to determine which obligations apply.
AI Risk Management
The structured process of identifying, assessing, and mitigating risks specific to AI systems, including risks related to bias, safety, security, and unintended behavior.
AI Risk Register
A documented log of risks specific to an organization's AI systems, including bias, safety, and oversight risks, tracked under an ISO 42001 management system.
AI System Lifecycle
The full span of stages - design, development, deployment, monitoring, and retirement - that ISO 42001 requires organizations to govern for each AI system.
AI Transparency
The degree to which information about an AI system's purpose, function, and decision-making process is made available and understandable to relevant stakeholders.
AICPA
The American Institute of CPAs, the professional body that sets the attestation standards - including AT-C Section 205 - under which SOC 2 audits are performed.
AICPA AT-C Section 105
The AICPA attestation standard establishing the general concepts and requirements that apply to all attestation engagements, serving as the foundation for the more specific AT-C sections.
AICPA AT-C Section 205
The AICPA attestation standard governing examination engagements, including the procedures and reporting requirements that underlie SOC 2 Type 1 and Type 2 examinations.
AICPA AT-C Section 320
The AICPA attestation standard specifically governing reporting on controls at a service organization, forming the basis for SOC 1 and SOC 2 engagements.
AICPA Code of Professional Conduct
The ethical framework governing CPAs, including principles related to integrity, objectivity, independence, and due care, that underlies all AICPA attestation work.
AICPA SSAE 18
Statement on Standards for Attestation Engagements No. 18, the authoritative AICPA standard that governs how SOC 1 and SOC 2 examinations are planned, performed, and reported.
Air Gap
A security measure that physically isolates a system or network from unsecured networks, including the internet, to prevent remote compromise.
Algorithmic Accountability
The principle that organizations deploying algorithmic systems should be answerable for their outcomes, including the ability to explain, justify, and correct decisions the system makes.
Algorithmic Bias
Systematic and unfair skew in an AI system's outputs, typically arising from imbalanced training data or flawed model design, that disadvantages certain groups.
Algorithmic Impact Assessment
A structured evaluation of how an AI system's outputs could affect individuals or groups, used to identify and mitigate risks before and during deployment.
Annex A Controls
The reference set of information security controls listed in ISO 27001 Annex A, used as the basis for building an organization's Statement of Applicability.
APPI (Japan)
Japan's Act on the Protection of Personal Information, regulating how businesses handle personal information, including requirements for cross-border data transfers.
Asset Register
An inventory of information assets - systems, data, and equipment - used as the foundation for the ISO 27001 risk assessment.
Attack Surface
The total sum of points where an unauthorized user could attempt to enter or extract data from a system, including all exposed services, endpoints, and interfaces.
Attestation Engagement
A broad category of engagements, governed by AICPA attestation standards, in which a practitioner expresses a conclusion about the reliability of subject matter that is the responsibility of another party.
Audit Committee
A subset of an organization's board of directors responsible for overseeing financial reporting, internal controls, and the relationship with internal and external auditors.
Audit Evidence
The information an auditor gathers and evaluates to support the conclusions and opinion expressed in an audit report, which must be sufficient and appropriate to provide a reasonable basis for that opinion.
Audit Opinion
The auditor's formal conclusion on whether the subject matter of an engagement - such as a system description or set of controls - is fairly presented and free of material misstatement.
Audit Readiness
The state of an organization's documentation, controls, and evidence collection being sufficiently mature and complete to begin a formal audit with minimal risk of significant gaps or exceptions.
Audit Trail
A chronological record of system activity or transactions that allows an auditor to trace an event from origin to outcome, supporting both control testing and incident investigation.
Audit Universe
The complete inventory of auditable entities, processes, or risks within an organization, used by internal audit to plan which areas to review and how frequently.
Auditor Independence
A requirement under AICPA professional standards that an auditor have no financial, employment, or other relationships with the audited organization that could impair objectivity or the appearance of objectivity.
Auditor Rotation
A requirement or practice of periodically changing the engagement partner or audit firm to reduce familiarity threats to independence over long client relationships.
Automated Decision-Making
Decisions made about an individual without human involvement, based solely on automated processing - subject to specific rights and restrictions under laws like GDPR when the decision has significant effects.
Backup and Recovery
The practice of creating copies of data that can be restored in the event of loss, corruption, or a security incident such as ransomware.
Bias Mitigation
Documented measures taken to identify and reduce unfair or discriminatory outcomes produced by an AI system's training data or model design.
Binding Corporate Rules (BCR)
Internal data protection policies adopted by a multinational corporate group and approved by regulators, allowing intra-group international transfers of personal data without relying on other transfer mechanisms.
Board Oversight
The board of directors' responsibility for monitoring management's execution of strategy, risk management, and control activities, typically exercised through committees such as audit or risk committees.
Breach Notification (72-Hour Rule)
The GDPR requirement that organizations report qualifying personal data breaches to their supervisory authority within 72 hours of becoming aware of them.
Breach Notification Rule
The HIPAA requirement that covered entities and business associates notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI.
Breach of Security Safeguards
A PIPEDA term for the loss, unauthorized access to, or unauthorized disclosure of personal information, triggering notification obligations where real risk of significant harm exists.
Bridge Letter
A letter covering the gap between the end of a SOC 2 report period and a customer's current request date, confirming no material changes to controls occurred.
Business Associate Agreement (BAA)
A contract required between a HIPAA covered entity and any vendor that creates, receives, or transmits PHI on its behalf, defining each party's compliance responsibilities.
Business Continuity Planning
The process of creating documented procedures that guide an organization's response to a disruptive event, aimed at maintaining or quickly resuming critical functions.
Business Email Compromise (BEC)
A targeted social engineering attack in which an attacker impersonates an executive or trusted partner via email, typically to trick an employee into making a fraudulent payment or disclosing sensitive data.
Business Impact Analysis (BIA)
A process that identifies and evaluates the potential effects of a disruption on critical business functions, used to prioritize recovery efforts and set recovery objectives.
Carve-Out Method
An approach to handling a subservice organization in a SOC 2 report where the vendor's controls are excluded from testing and covered instead by CUECs.
CCPA
The California Consumer Privacy Act, a state law granting California residents rights over their personal information, including the right to know, delete, and opt out of the sale or sharing of their data.
Certification Body
An independent, accredited organization, such as BSI, DNV, SGS, Bureau Veritas, or TÜV SÜD, authorized to issue ISO 27001 certificates after successfully completing the Stage 1 and Stage 2 audit process.
Chain of Custody (Cyber Forensics)
Documentation tracking who handled a piece of digital evidence, when, and what was done with it, ensuring the evidence remains admissible and uncontaminated.
Children's Data / Parental Consent
Personal data belonging to minors, which most privacy laws subject to additional protections, often requiring verifiable parental consent before collection.
CIA Triad
The foundational model of information security, consisting of Confidentiality (preventing unauthorized access), Integrity (ensuring data isn't improperly altered), and Availability (ensuring systems and data are accessible when needed).
CJIS Security Policy
The Criminal Justice Information Services Security Policy, an FBI-issued framework establishing minimum security requirements for organizations that access criminal justice information.
Cloud Access Security Broker (CASB)
A security tool that sits between an organization's users and cloud service providers, enforcing security policies and providing visibility into cloud application usage.
Cloud PII Processor Controls
A supplementary code of practice to ISO 27002 that defines controls for protecting personally identifiable information (PII) processed by public cloud service providers acting as data processors.
Cloud Security Posture Management (CSPM)
Tools that continuously monitor cloud environments for misconfigurations and compliance violations, helping organizations maintain a secure cloud posture at scale.
CMMC
The Cybersecurity Maturity Model Certification, a U.S. Department of Defense program requiring defense contractors to demonstrate specific cybersecurity practices and processes based on the sensitivity of information they handle.
CMMC Level 1/2/3
The three maturity tiers within CMMC, ranging from basic safeguarding of federal contract information (Level 1) to the more rigorous protection of controlled unclassified information against advanced threats (Level 3).
COBIT
A framework for IT governance and management published by ISACA, providing a structured approach to aligning IT processes, controls, and objectives with broader business goals.
Code of Conduct
A formal document outlining the ethical standards and expected behaviors for an organization's employees, often referenced during audits of the control environment.
Colorado Privacy Act
A Colorado state law granting residents rights to access, correct, delete, and port their personal data, and requiring data protection assessments for higher-risk processing activities.
Complementary User Entity Controls (CUECs)
Controls a SOC 2 report assumes the customer (user entity) has implemented on its own side for the overall control environment to operate effectively.
Compliance Audit
An audit performed to determine whether an organization is adhering to the requirements of a specific law, regulation, contract, or framework.
Compliance Program
The overall structure of policies, training, monitoring, and reporting an organization establishes to ensure adherence to applicable laws, regulations, and internal standards.
Concentration Risk
Risk arising from over-reliance on a single vendor, customer, geography, or system, where a single point of failure could have outsized consequences.
Confidentiality Commitment
A contractual or policy-level obligation under ISO 27018 that cloud provider personnel handling PII are bound by confidentiality requirements.
Configuration Management
The discipline of establishing and maintaining systems in a known, secure, and consistent state, tracking and controlling changes to that configuration over time.
Conflict of Interest Policy
A policy requiring individuals to disclose situations where personal interests could improperly influence their professional judgment or decisions on behalf of the organization.
Conformity Assessment (EU AI Act)
The process by which a high-risk AI system is evaluated against EU AI Act requirements before it can be placed on the market, sometimes requiring third-party review.
Consent
A data subject's freely given, specific, informed, and unambiguous agreement to the processing of their personal data, one of several lawful bases recognized across privacy laws.
Consent Management Platform (CMP)
Software that allows organizations to collect, record, and manage individuals' consent preferences, commonly used to implement cookie consent banners and related compliance workflows.
Consumer Rights Request
A formal request from a California consumer to know, delete, correct, or opt out of the sale/sharing of their personal information within statutory timelines.
Continual Improvement
An ISO 27001 requirement that an organization consistently look for ways to strengthen its ISMS based on audit findings, incidents, and changing risks.
Continuous Auditing
An audit approach that uses automated, ongoing testing of controls and transactions throughout the period, rather than testing only at discrete points in time.
Control Deficiency
A shortfall in the design or operation of a control such that it does not allow management or employees to prevent or detect issues in the normal course of performing their duties - the broadest of the three deficiency classifications.
Control Environment
The foundational layer of an organization's internal controls, covering governance, ethics, and the tone set by leadership that influences how all other controls operate.
Control Objective
The intended outcome a specific Annex A control is designed to achieve, used to justify its inclusion in the Statement of Applicability.
Control Self-Assessment
A process in which an organization's own personnel evaluate the design and operation of their controls, often as a precursor to or supplement of independent audit testing.
Control Testing
The audit procedures performed to determine whether a control is operating as designed, including inspection of evidence, inquiry of personnel, observation, and re-performance.
COPPA
The Children's Online Privacy Protection Act, a U.S. law imposing specific requirements on operators of websites and online services directed at children under 13, including parental consent for data collection.
Corporate Governance
The system of rules, practices, and processes by which an organization is directed and controlled, encompassing the relationships among the board, management, shareholders, and other stakeholders.
Corrective Action
The documented steps taken to fix the root cause of a nonconformity identified during an ISO 27001 audit, rather than just the symptom.
Corrective Action Plan (CAP)
A formal, often auditor-reviewed plan describing how an organization will fix the root cause of an identified deficiency, distinct from a general remediation plan in that it's typically tied to a specific finding requiring sign-off.
COSO
The Committee of Sponsoring Organizations of the Treadway Commission, the organization behind the widely used Internal Control–Integrated Framework and Enterprise Risk Management framework referenced in most internal control programs, including SOX compliance.
COSO ERM Framework
COSO's framework specifically addressing enterprise risk management, emphasizing the integration of risk consideration into strategy-setting and performance management.
COSO Internal Control Framework
COSO's widely adopted model defining internal control through five integrated components: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Covered Entity
A health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically and is directly subject to HIPAA's requirements.
CPRA
The California Privacy Rights Act, which amended and expanded the CCPA, adding new categories of protected information and creating the California Privacy Protection Agency to enforce the law.
Cross-Border Data Transfer
The movement of personal data from the EU/EEA to a country outside it, which under GDPR requires an approved legal safeguard such as Standard Contractual Clauses.
Cross-Border PII Transfer (ISO 27701)
The movement of personally identifiable information across jurisdictional borders, which ISO 27701 requires organizations to document and control.
CSA STAR
A cloud security assurance program from the Cloud Security Alliance, offering tiered levels of assessment - from self-assessment to third-party certification and continuous monitoring - based on the CSA's Cloud Controls Matrix.
CVE (Common Vulnerabilities and Exposures)
A standardized identifier and public catalog used to uniquely reference known software vulnerabilities, allowing organizations and tools to communicate about the same issue consistently.
CVSS (Common Vulnerability Scoring System)
A standardized scoring system used to rate the severity of a vulnerability, typically on a scale of 0 to 10, helping organizations prioritize remediation efforts.
Data Breach
An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen without authorization.
Data Classification
The process of categorizing data based on its sensitivity and the level of protection it requires, commonly using labels such as public, internal, confidential, and restricted.
Data Controller
The entity that determines the purposes and means of processing personal data, carrying primary responsibility for GDPR compliance.
Data Governance for AI
The policies and controls governing the quality, provenance, and appropriate use of data throughout an AI system's training and operation, a specific focus area under ISO 42001.
Data Loss Prevention (DLP)
Technology and policies designed to detect and prevent sensitive data from leaving an organization's control, whether through email, file transfer, or removable media.
Data Minimization
A privacy principle requiring that only the personal data necessary to accomplish a specified purpose be collected and retained, rather than collecting data broadly in case it becomes useful later.
Data Processing Agreement (DPA)
A contract between a data controller and a data processor that sets out the scope, purpose, and security requirements governing the processor's handling of personal data.
Data Processor
An entity that processes personal data on behalf of and under the instructions of a data controller, with its own set of GDPR obligations.
Data Protection Officer (DPO)
A role required for certain organizations under GDPR to oversee data protection compliance, advise on DPIAs, and act as a contact point for regulators.
Data Retention Schedule
A documented policy under ISO 27701 specifying how long different categories of personal information are kept before secure deletion or anonymization.
Data Subject
An identified or identifiable individual whose personal data is being collected or processed - the person the privacy protections in laws like GDPR exist to protect.
Data Subject Access Request (DSAR)
A formal request from an individual asking an organization to confirm whether it processes their personal data and, if so, to provide a copy of it along with related details.
Data Subject Rights
The set of rights granted to individuals under GDPR, including access, rectification, erasure, portability, and objection to processing.
De-identification
The process of removing identifying details from health information so it no longer qualifies as PHI and falls outside HIPAA's restrictions.
Designated Record Set
The group of records maintained by a covered entity - including medical and billing records - used to make decisions about individuals, subject to HIPAA access rights.
DevSecOps
An approach that integrates security practices directly into the software development and operations lifecycle, rather than treating security as a separate, later-stage review.
Digital Forensics
The discipline of collecting, preserving, and analyzing digital evidence in a manner that maintains its integrity, often in support of incident investigation or legal proceedings.
Disaster Recovery Plan
A documented set of procedures for restoring IT systems, data, and infrastructure following a disruptive event, typically a technical subset of a broader business continuity plan.
Disclaimer of Opinion
A statement from an auditor that no opinion is being expressed, typically issued when the auditor was unable to obtain sufficient evidence to form a conclusion.
Do Not Sell or Share My Personal Information
The CCPA-required link businesses must display, allowing consumers to easily exercise their opt-out rights regarding the sale or sharing of their data.
DORA
The EU's Digital Operational Resilience Act, requiring financial entities and their critical ICT third-party providers to meet specific standards for managing information and communication technology risk.
DPDP Act
India's Digital Personal Data Protection Act, establishing requirements for the processing of digital personal data, including consent obligations and rights for data principals (individuals).
DPIA (Data Protection Impact Assessment)
A required assessment for processing activities likely to result in high risk to individuals' rights, documenting the risk and the mitigations applied.
Due Professional Care
The standard requiring an auditor to exercise the skill and diligence of a reasonably prudent and competent practitioner throughout an engagement.
Dynamic Application Security Testing (DAST)
A testing method that analyzes a running application for vulnerabilities by simulating attacks against it from the outside, without access to its source code.
EAR
The Export Administration Regulations, a U.S. export control framework governing dual-use commercial and military items, distinct from but often referenced alongside ITAR.
Emerging Risk
A risk that is newly identified or rapidly evolving, often lacking established historical data or precedent, making it harder to assess using traditional methods.
Encryption (At Rest, In Transit)
The process of converting data into an unreadable format to protect it from unauthorized access; "at rest" refers to stored data, while "in transit" refers to data moving across a network.
Endpoint Detection and Response (EDR)
Security software that continuously monitors endpoint devices for suspicious activity, providing detection, investigation, and automated response capabilities.
Engagement Letter
A formal document signed before an audit begins, defining the scope, responsibilities, timeline, and terms of the engagement between the auditor and the audited organization.
Engagement Quality Review
An internal review performed by a qualified reviewer, separate from the engagement team, before a report is issued, to evaluate the significant judgments made and conclusions reached.
Enterprise Risk Management
A structured, organization-wide approach to identifying, assessing, and managing risk in alignment with strategic objectives, rather than managing risk in isolated silos.
ePHI
Protected health information that is created, stored, transmitted, or received in electronic form, subject to HIPAA's Security Rule.
EU AI Act
The European Union's comprehensive AI regulation, which classifies AI systems by risk level - from minimal to unacceptable - and imposes corresponding obligations on providers and users.
EU-US Data Privacy Framework
An adequacy mechanism allowing personal data to flow from the EU to certified U.S. organizations, replacing the earlier Privacy Shield framework that was invalidated by the Court of Justice of the EU.
Examination Period
The defined start and end dates over which a service auditor tests the operating effectiveness of controls for a SOC 2 Type 2 report.
Exception (Deviation)
An instance where a tested control did not operate as designed during the SOC 2 review period, noted in the final report along with management's response.
Explainability
The degree to which an AI system's decisions or outputs can be understood and reasonably explained to the people affected by them.
Extended Detection and Response (XDR)
An evolution of EDR that correlates and responds to threats across multiple security layers - endpoints, network, cloud, and email - rather than endpoints alone.
Fairness Metrics
Quantitative measures used to evaluate whether an AI system's outcomes are distributed equitably across different groups or populations.
FedRAMP
The Federal Risk and Authorization Management Program, a U.S. government-wide program that standardizes security assessment and authorization for cloud products and services used by federal agencies.
FERPA
The Family Educational Rights and Privacy Act, a U.S. law protecting the privacy of student education records and governing how educational institutions may disclose them.
Firewall
A network security device or software that monitors and controls incoming and outgoing traffic based on a defined set of rules, acting as a barrier between trusted and untrusted networks.
Foundation Model
A large-scale AI model trained on broad data that can be adapted to a wide variety of downstream tasks, serving as the base for many applied AI systems.
Fourth-Party Risk
Risk introduced by a vendor's own subcontractors or service providers - entities the organization doesn't contract with directly but whose failures can still create exposure.
Gap Assessment
A pre-audit review comparing an organization's current controls and documentation against a target framework's requirements, used to identify deficiencies before a formal audit begins.
GDPR
The EU's General Data Protection Regulation, a comprehensive data protection law governing how organizations collect, process, and protect the personal data of individuals in the EU/EEA, regardless of where the organization is based.
General Purpose AI (GPAI)
AI models designed to perform a wide range of tasks across many contexts, rather than being built for one narrow application - a category receiving specific regulatory attention under the EU AI Act.
GLBA
The Gramm-Leach-Bliley Act, a U.S. law requiring financial institutions to explain their information-sharing practices and to safeguard sensitive customer financial data.
Global Privacy Control
A browser-based signal that automatically communicates a consumer's opt-out preference to websites, which CCPA requires businesses to honor as a valid request.
Governance, Risk, and Compliance (GRC)
An umbrella term for the integrated approach organizations use to coordinate governance activities, risk management, and regulatory compliance, often supported by dedicated GRC software platforms.
High-Risk AI System
A category defined under frameworks like the EU AI Act for AI systems whose use carries significant potential for harm, triggering the most stringent compliance obligations.
HIPAA
A U.S. federal law establishing national standards for protecting the privacy and security of individuals' health information, enforced through its Privacy Rule, Security Rule, and Breach Notification Rule.
HITRUST
An organization that maintains a certifiable framework (the HITRUST CSF) widely used in healthcare to demonstrate compliance with multiple regulations and standards, including HIPAA, through a single assessment.
HITRUST CSF
The Common Security Framework maintained by HITRUST, which harmonizes requirements from HIPAA, NIST, ISO 27001, and other standards into a single certifiable control set.
Honeypot
A decoy system or resource deliberately set up to attract attackers, allowing an organization to detect, study, or delay malicious activity without risking real assets.
Human Oversight
An ISO 42001 principle requiring that AI systems remain subject to meaningful human review and intervention, rather than operating without accountability.
Human-in-the-Loop
An AI system design in which a human reviews, approves, or can override the system's outputs before they take effect, as a specific form of human oversight.
IAF Accreditation
Recognition from the International Accreditation Forum confirming that a certification body's ISO 27001 certificates meet globally consistent standards.
Identity and Access Management (IAM)
The systems and processes an organization uses to ensure the right individuals have appropriate access to the right resources, at the right times, for the right reasons.
Incident Response
The organized process an organization follows to detect, contain, investigate, and recover from a security incident, typically guided by a documented incident response plan.
Inclusive Method
An approach to handling a subservice organization in a SOC 2 report where the vendor's controls are tested directly as part of the audit.
Inherent Risk
The level of risk that exists before any controls are applied, reflecting the raw exposure of an activity or process.
Inquiry (Audit Procedure)
An audit procedure involving questioning of knowledgeable personnel, used to gather evidence but generally considered insufficient on its own to support a conclusion.
Insider Threat
A security risk originating from individuals within an organization - employees, contractors, or partners - who have authorized access and may misuse it, intentionally or accidentally.
Inspection (Audit Procedure)
An audit procedure involving the examination of records, documents, or physical assets to gather evidence of a control's existence or operation.
Intended Use Statement
Documentation defining the specific purpose and boundaries an AI system is designed for, used to evaluate whether deployment outside that scope introduces new risk.
Internal Audit vs. External Audit
Internal audit is performed by an organization's own staff (or outsourced function) reporting to its audit committee or board, focused on operational improvement; external audit is performed by an independent third-party firm, focused on providing assurance to outside parties.
Internal Controls
The policies, procedures, and activities an organization puts in place to provide reasonable assurance that its objectives - operational, reporting, and compliance - will be achieved.
Intrusion Detection System (IDS)
A system that monitors network or system activity for signs of malicious behavior or policy violations and alerts administrators, without taking direct action to block the activity.
Intrusion Prevention System (IPS)
A system similar to an IDS but capable of actively blocking or preventing detected malicious activity in real time, rather than only alerting on it.
IRS Pub 1075
An IRS publication establishing safeguarding requirements for agencies and contractors that receive, store, process, or transmit federal tax information (FTI).
ISMS (Information Security Management System)
The overall system of policies, risk assessments, and controls an organization uses to manage information security - the basis of ISO 27001 certification.
ISO 20000
The international standard for IT service management, specifying requirements for planning, delivering, and continually improving IT services within an organization.
ISO 22301
The international standard for business continuity management systems, specifying requirements for planning, establishing, and improving an organization's ability to respond to and recover from disruptive incidents.
ISO 27001
An international standard specifying requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS), certifiable by an accredited third party.
ISO 27017
A code of practice that extends ISO 27001/27002 with cloud-specific information security controls, addressing the shared responsibilities between cloud service providers and their customers.
ISO 27018
A code of practice that extends ISO 27002 with controls specifically addressing the protection of personally identifiable information (PII) processed by public cloud service providers.
ISO 27701
An extension to ISO 27001 and ISO 27002 that adds requirements and guidance for establishing a privacy information management system (PIMS), supporting organizations acting as PII controllers or processors.
ISO 31000
An international standard providing principles and generic guidelines for risk management, used as a reference framework rather than a certifiable standard.
ISO 42001
The first international standard specifying requirements for an AI management system, addressing how organizations govern the development, deployment, and oversight of AI throughout its lifecycle.
ISO 9001
The international standard for quality management systems, used by organizations to demonstrate consistent ability to meet customer and regulatory requirements through documented processes and continual improvement.
IT General Controls
Controls that apply broadly across an organization's IT environment - such as access management, change management, and backup procedures - supporting the reliability of all applications and data that depend on that environment.
IT Governance
The framework of leadership, structures, and processes that ensure an organization's IT investments and activities support and enable its broader business strategy.
ITAR
The International Traffic in Arms Regulations, a U.S. export control regime governing defense-related articles and services, which imposes strict access and citizenship-based handling requirements on covered technical data.
Joint Controller
A situation where two or more organizations jointly determine the purposes and means of processing the same personal data, sharing responsibility for compliance.
Key Control Indicator (KCI)
A measurable metric used to monitor whether a specific control is operating within expected parameters, distinct from a KRI in that it tracks control performance rather than underlying risk levels.
Key Risk Indicator (KRI)
A measurable metric used to provide early warning of increasing risk exposure in a particular area, allowing management to act before a risk materializes into an incident.
Lawful Basis for Processing
One of six legal grounds - such as consent, contract, or legitimate interest - that GDPR requires an organization to identify before processing personal data.
Least Privilege
A security principle stating that users and systems should be granted only the minimum level of access necessary to perform their function, nothing more.
Legitimate Interest
A lawful basis under GDPR allowing processing of personal data when an organization's interest is balanced against the individual's rights and reasonably expected by them.
LGPD
Brazil's Lei Geral de Proteção de Dados, a comprehensive data protection law closely modeled on the GDPR, governing the processing of personal data of individuals in Brazil.
Likelihood and Impact
The two dimensions typically used to score a risk during assessment - how probable the risk is to occur, and how severe the consequences would be if it did.
Limited vs. Reasonable Assurance
Two levels of assurance an attestation engagement can provide: reasonable assurance (a high but not absolute level of confidence, typical of SOC 2 examinations) and limited assurance (a lower level, typical of review-level engagements).
Limiting Collection Principle
A PIPEDA principle requiring organizations to collect only the personal information necessary for the purposes they have identified, not more.
Logging and Monitoring
The practice of recording system and application activity (logging) and actively reviewing that activity for signs of anomalies or security issues (monitoring).
Malware
A broad category of malicious software, including viruses, worms, trojans, and ransomware, designed to damage, disrupt, or gain unauthorized access to a system.
Managed Detection and Response (MDR)
An outsourced service in which a third-party provider monitors an organization's environment and responds to threats on its behalf, typically combining technology with human analysts.
Management Assertion
A written statement from company leadership describing the system and confirming that controls were suitably designed and, for Type 2, operated effectively during the period.
Management Representation Letter
A letter signed by an organization's management, provided to the auditor near the end of an engagement, formally affirming the accuracy of information and representations made during the audit.
Management Review
A scheduled meeting where leadership evaluates the performance of the ISMS, including audit results, risk treatment progress, and opportunities for improvement.
Material Weakness
A deficiency in internal control significant enough that there is a reasonable possibility a material misstatement or control failure will not be prevented or detected on a timely basis.
Materiality (Audit)
The threshold above which a misstatement, omission, or control failure would be expected to influence the decisions of someone relying on the audit's results.
Meaningful Consent (PIPEDA)
The PIPEDA requirement that an individual's consent to the collection, use, or disclosure of personal information be informed, specific, and reasonably understood - not buried in lengthy or unclear terms.
Minimum Necessary Standard
The HIPAA principle that covered entities should limit the use, disclosure, and request of PHI to the smallest amount needed to accomplish the intended purpose.
Mobile Device Management (MDM)
Software that allows an organization to manage, secure, and enforce policies on mobile devices - whether company-owned or personal - that access corporate data.
Model Card
A short, standardized document describing an AI model's intended use, performance characteristics, limitations, and training data, intended to promote transparency.
Model Documentation
Comprehensive records describing how an AI model was developed, trained, validated, and deployed, supporting both internal governance and external audit requirements.
Model Monitoring
The ongoing process of tracking an AI system's performance and outputs after deployment to detect drift, degradation, or unexpected behavior.
Multi-Factor Authentication (MFA)
An authentication method requiring two or more independent forms of verification - such as a password plus a one-time code - before granting access.
NERC CIP
The North American Electric Reliability Corporation's Critical Infrastructure Protection standards, a set of mandatory cybersecurity requirements for organizations involved in the bulk power system.
Network Segmentation
The practice of dividing a network into smaller, isolated sections to limit how far an attacker can move laterally if one segment is compromised.
NIS2
The EU's updated Network and Information Security Directive, expanding cybersecurity and incident-reporting obligations to a broader range of essential and important entities across member states.
NIST 800-171
A NIST publication specifying security requirements for protecting Controlled Unclassified Information (CUI) when it resides in non-federal systems, forming the technical basis for CMMC.
NIST 800-53
A NIST publication providing a comprehensive catalog of security and privacy controls for federal information systems, widely referenced as a control baseline well beyond government use.
NIST AI RMF
The NIST AI Risk Management Framework, a voluntary framework providing guidance for organizations to manage risks associated with the design, development, and use of AI systems.
NIST CSF
The NIST Cybersecurity Framework, a voluntary framework of standards and best practices organized around five core functions - Identify, Protect, Detect, Respond, and Recover - used to manage cybersecurity risk.
Nonconformity (Major/Minor)
A finding where a control or process fails to meet ISO 27001 requirements; major nonconformities can block certification, while minor ones require a corrective action plan.
Notice of Privacy Practices
The HIPAA-required document a covered entity provides to patients explaining how their health information may be used and disclosed.
Notification of Data Requests
An ISO 27018 control requiring a cloud provider to inform customers of legally binding requests for disclosure of their PII, where legally permitted.
Notified Body (EU AI Act)
An organization formally designated by an EU member state to perform conformity assessments for certain high-risk AI systems under the EU AI Act.
Observation (Audit Procedure)
An audit procedure in which the auditor watches a process or control being performed by client personnel, providing evidence of operation at that specific point in time.
Office for Civil Rights (OCR)
The division of HHS responsible for enforcing HIPAA, investigating complaints, and issuing penalties for noncompliance.
Operational Audit
An audit focused on evaluating the efficiency and effectiveness of an organization's operations and processes, rather than financial reporting or compliance specifically.
Operational Resilience
An organization's ability to continue delivering critical operations through disruption, encompassing business continuity, disaster recovery, and the ability to adapt processes under stress.
Patch Management
The process of identifying, testing, and deploying software updates that fix known vulnerabilities or bugs across an organization's systems.
PCI DSS
The Payment Card Industry Data Security Standard, a set of security requirements established by major card brands for any organization that stores, processes, or transmits cardholder data.
PDPA (Singapore)
Singapore's Personal Data Protection Act, governing the collection, use, and disclosure of personal data by organizations operating in Singapore.
Peer Review
An AICPA program requiring CPA firms that perform attestation engagements to undergo periodic, independent review of their audit quality by another qualified firm or reviewer.
Penetration Testing
An authorized, simulated attack on a system performed to identify exploitable vulnerabilities before a real attacker can find and use them.
Personal Data
Generically, any information relating to an identified or identifiable individual - the broad category that specific terms like "Personal Information" under various laws further define and scope.
Personal Information (CCPA)
Any information that identifies, relates to, or could reasonably be linked with a particular California consumer or household, as defined under the CCPA.
Personal Information (PIPEDA)
Information about an identifiable individual, as defined under Canada's federal private-sector privacy law, excluding an individual's business contact information used for business purposes.
Phishing
A social engineering attack in which an attacker impersonates a trusted party, typically via email, to trick a victim into revealing credentials, sensitive data, or installing malware.
Physical Safeguards
HIPAA-required controls over physical access to facilities and equipment that store or process ePHI, such as workstation security and device disposal procedures.
PII Controller (ISO 27701)
An organization that determines the purposes and means of processing personally identifiable information, a role defined under the ISO 27701 privacy extension.
PII Processor (ISO 27701)
An organization that processes personally identifiable information on behalf of a PII controller, with a distinct set of obligations under ISO 27701.
PIPEDA
Canada's federal private-sector privacy law, governing how organizations collect, use, and disclose personal information in the course of commercial activity.
Policy vs. Procedure vs. Standard vs. Guideline
A policy states what must be done and why; a standard specifies the measurable requirements that satisfy the policy; a procedure details the step-by-step how; a guideline offers recommended, non-mandatory practices.
POPIA
South Africa's Protection of Personal Information Act, establishing conditions for the lawful processing of personal information by public and private bodies.
Privacy by Design
A GDPR principle requiring data protection safeguards to be built into systems and processes from the outset, rather than added afterward.
Privacy Commissioner of Canada
The federal regulator responsible for overseeing compliance with PIPEDA, investigating complaints, and issuing guidance to organizations.
Privacy Information Management System (PIMS)
The privacy extension to ISO 27001 that adds requirements and controls for managing personally identifiable information (PII), supporting organizations acting as either PII controllers or processors.
Privacy Notice vs. Privacy Policy
A privacy notice is typically the external-facing disclosure telling individuals how their data will be used at the point of collection; a privacy policy is often the broader governing document - though the terms are frequently used interchangeably in practice.
Privacy Risk Assessment
An ISO 27701 process for identifying and evaluating risks to individuals arising from how their personal information is collected, used, or shared.
Privileged Access Management (PAM)
A specialized subset of IAM focused on securing, monitoring, and controlling accounts with elevated permissions, such as system administrators.
Professional Skepticism
An auditor's mindset that includes a questioning attitude and critical assessment of evidence, rather than assuming management's representations are accurate without corroboration.
Profiling
The automated processing of personal data to evaluate or predict aspects of an individual, such as their preferences, behavior, or location.
Protected Health Information (PHI)
Individually identifiable health information created, received, or maintained by a covered entity or business associate that is protected under HIPAA.
Pseudonymization
A GDPR-recognized technique that replaces identifying details in a dataset with reversible tokens, reducing risk while still allowing the data to be re-linked under controlled conditions.
Public Cloud PII Processor
A cloud service provider that processes personally identifiable information on behalf of its customers - the specific role ISO 27018 was written to govern.
Public Key Infrastructure (PKI)
The set of roles, policies, and procedures used to create, manage, and revoke digital certificates and public-key encryption, underpinning secure communications like TLS.
Purpose Limitation
A privacy principle requiring that personal data collected for one specified purpose not be used for a materially different purpose without additional notice or consent.
Qualified Opinion
An auditor's conclusion that one or more controls did not meet the criteria, as opposed to an unqualified opinion where all tested controls passed.
Ransomware
Malicious software that encrypts an organization's data or systems, with attackers demanding payment in exchange for restoring access.
Re-performance
An audit procedure in which the auditor independently executes a control or procedure to confirm it produces the same result as when originally performed by the organization's personnel.
Readiness Assessment
A preliminary evaluation conducted before the formal SOC 2 audit period to identify control gaps and reduce the risk of exceptions in the final report.
Record of Processing Activities (ROPA)
A documented inventory, required under GDPR, of an organization's data processing activities, including what data is processed, why, and with whom it's shared.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss, measured in time, that an organization can tolerate following a disruption - for example, the maximum time since the last backup.
Recovery Time Objective (RTO)
The maximum acceptable amount of time a system or process can be unavailable after a disruption before causing unacceptable harm to the organization.
Red Team vs. Blue Team
A red team simulates real-world attackers to test an organization's defenses; a blue team is the defending side responsible for detecting and responding to those simulated (or real) attacks.
Regulatory Risk
The risk that changes in laws or regulations, or failure to comply with existing ones, will result in penalties, restrictions, or increased cost of doing business.
Remediation Plan
A documented set of actions, owners, and timelines created to address a deficiency, exception, or gap identified during an audit or assessment.
Reputational Risk
The risk that negative public perception - arising from an incident, scandal, or failure - damages an organization's brand, customer trust, or market position.
Residual Risk
The level of risk that remains after controls have been applied, representing the exposure an organization actually carries day to day.
Responsible AI
An approach to developing and deploying AI that prioritizes fairness, transparency, accountability, and safety throughout the system's lifecycle.
Return and Deletion of PII
An ISO 27018 obligation requiring a cloud provider to return or securely delete a customer's personally identifiable information at the end of a service agreement.
Right to Data Portability
An individual's right to receive their personal data in a structured, commonly used format and to transmit it to another organization.
Right to Erasure
Also known as the "right to be forgotten" - a GDPR provision allowing individuals to request deletion of their personal data under specific conditions.
Right to Object
An individual's right to object to certain types of processing of their personal data, such as processing for direct marketing purposes.
Right to Opt-Out
The CCPA right allowing California consumers to direct a business to stop selling or sharing their personal information.
Right to Rectification
An individual's right to have inaccurate personal data corrected, and incomplete data completed, typically found alongside the right to erasure in comprehensive privacy laws.
Right to Restriction of Processing
An individual's right to require an organization to limit how it uses their personal data under certain circumstances, without necessarily deleting it.
Risk Acceptance
A deliberate decision to take no further action on an identified risk because its likelihood and impact fall within the organization's risk appetite.
Risk Appetite
The amount and type of risk an organization is willing to accept in pursuit of its objectives, typically set by the board or senior leadership.
Risk Assessment
The process of identifying, analyzing, and evaluating risks to determine their likelihood and potential impact, forming the basis for deciding how each risk should be treated.
Risk Assessment Methodology
The documented, repeatable process an organization uses to identify, analyze, and evaluate information security risks under ISO 27001.
Risk Avoidance
Eliminating exposure to a risk entirely by discontinuing or not undertaking the activity that creates it.
Risk Culture
The shared values, attitudes, and behaviors that influence how an organization's people identify, discuss, and respond to risk in their day-to-day decisions.
Risk Heat Map
A visual tool that plots risks according to their likelihood and impact, typically using a color-coded grid to help prioritize which risks need the most attention.
Risk Matrix
A structured grid used to rate and compare risks based on predefined likelihood and impact scales, often the underlying data behind a risk heat map.
Risk Mitigation
Actions taken to reduce the likelihood or impact of a risk, typically through additional controls, process changes, or technology investments.
Risk Register
A documented log of identified risks, their likelihood and impact ratings, and assigned treatment owners, maintained as a living record throughout an organization's risk management program.
Risk Tolerance
The acceptable level of variation around a specific risk or objective that an organization is willing to withstand, more granular and tactical than the broader risk appetite.
Risk Transfer
Shifting the financial or operational impact of a risk to a third party, most commonly through insurance or contractual indemnification.
Risk Treatment
The overall process of selecting and implementing measures to modify risk, encompassing mitigation, acceptance, transfer, and avoidance as available options.
Risk Treatment Plan
The documented set of actions an organization takes to reduce, transfer, accept, or avoid each risk identified during its ISO 27001 risk assessment.
Risk-Based Audit Approach
An audit planning method that allocates audit resources and testing effort in proportion to the assessed risk of each area, rather than testing everything equally.
Role-Based Access Control (RBAC)
An access control model that assigns permissions based on a user's role within an organization, rather than granting permissions to individuals one at a time.
Roll-Forward Procedures
Audit procedures used to extend conclusions from an interim testing date to the end of the examination period, confirming no significant changes occurred in between.
Root Cause Analysis
A structured method for identifying the underlying cause of a control failure or deficiency, rather than just addressing its immediate symptoms.
Sale of Personal Information
Under CCPA, the exchange of a consumer's personal information for monetary or other valuable consideration, which triggers specific opt-out rights.
Sampling Methodology
The approach an auditor uses to select a representative subset of transactions or instances to test a control's operation, rather than reviewing every instance.
Sampling Risk
The risk that an auditor's conclusion based on a sample of transactions or controls would differ from the conclusion reached if the entire population had been tested.
Scope of Engagement
The boundaries of a SOC 2 audit, defining which systems, locations, and trust services criteria are included in the review.
Scope Statement
The defined boundary of what is covered by an organization's ISMS, including locations, departments, and systems included in certification.
Secure Software Development Lifecycle (SSDLC)
A framework that embeds security activities - such as threat modeling and code review - into each phase of the software development process, from design through deployment.
Security Baseline
A documented minimum set of security configurations and controls that all systems of a given type must meet before being considered acceptably secure.
Security Incident vs. Security Event
A security event is any observable occurrence in a system (e.g., a login attempt); a security incident is an event - or series of events - confirmed to violate security policy or threaten the confidentiality, integrity, or availability of a system.
Security Information and Event Management (SIEM)
A technology platform that aggregates and analyzes log data from across an organization's systems, enabling centralized monitoring and detection of security events.
Security Operations Center
A dedicated team and facility responsible for continuously monitoring, detecting, and responding to security incidents across an organization's environment.
Security Orchestration, Automation and Response (SOAR)
A technology category that automates incident response workflows, often integrated with a SIEM to speed up detection-to-resolution time.
Security Rule vs. Privacy Rule
The Privacy Rule governs how PHI may be used and disclosed; the Security Rule specifically governs the safeguards required to protect ePHI.
Segregation of Duties
A control principle ensuring that no single individual has end-to-end control over a critical process, reducing the risk of error or fraud going undetected.
Sensitive Personal Data / Special Category Data
A subset of personal data - such as health, biometric, racial, or religious information - that receives heightened protection and stricter processing conditions under most privacy laws.
Service Auditor
The CPA firm, such as CertPro, engaged to perform and report on a SOC examination of a service organization's controls.
Service Provider (CCPA)
An entity that processes personal information on behalf of a business under a written contract, with restrictions on using that data for its own purposes.
Shadow AI
The unsanctioned use of AI tools or models within an organization, outside the visibility or approval of IT and governance functions.
Shared Assessments (SIG)
A Standardized Information Gathering questionnaire and program used by organizations to assess third-party vendor risk consistently, reducing the need for each vendor relationship to use a custom questionnaire.
Significant Deficiency
A deficiency in internal control that is less severe than a material weakness but still important enough to merit attention from those responsible for oversight.
Single Sign-On (SSO)
An authentication method that allows a user to log in once and gain access to multiple connected systems or applications without re-authenticating for each.
SOC 1
An AICPA attestation framework focused specifically on controls relevant to a service organization's impact on its customers' financial reporting, commonly required by companies that handle financial transactions or data on behalf of clients.
SOC 1 Report
The report issued from a SOC 1 examination, containing the auditor's opinion on the design (Type 1) or design and operating effectiveness (Type 2) of controls relevant to a service organization's impact on customer financial reporting.
SOC 2
An attestation framework defined by the AICPA that evaluates an organization's controls against one or more Trust Services Criteria - security, availability, processing integrity, confidentiality, and privacy - resulting in an independent auditor's report rather than a certificate.
SOC 2 Report
The formal output of a SOC 2 examination - a CPA firm's report containing the auditor's opinion, the description of the system, and (for Type 2) the results of control testing over the examination period.
SOC 3
A general-use version of a SOC 2 report, presenting the auditor's opinion and a system overview without the detailed control descriptions and test results - intended for public distribution, such as a trust seal on a website.
SOC 3 Report
The publicly distributable version of a SOC 2 report, omitting the detailed system description and control test results in favor of a summary opinion suitable for general audiences.
SOC for Cybersecurity
An AICPA attestation framework that evaluates an organization's enterprise-wide cybersecurity risk management program, intended for a broad audience including boards and investors, rather than the narrower customer-facing scope of SOC 2.
SOC Report Distribution
The restrictions governing who may receive a SOC report - Type 1 and Type 2 reports are restricted-use documents intended only for the organization, its customers, and their auditors, unlike a SOC 3 report.
Social Engineering
Manipulation tactics that exploit human psychology - rather than technical vulnerabilities - to trick individuals into divulging information or taking actions that compromise security.
SOX (IT Controls)
Internal controls over financial reporting required under the Sarbanes-Oxley Act; the IT-specific subset covers access controls, change management, and system reliability for systems that affect financial statements.
Stage 1 vs. Stage 2 Audit
The two-part ISO 27001 certification audit: Stage 1 reviews documentation and readiness, Stage 2 tests whether controls are implemented and operating effectively.
Standard Contractual Clauses (SCCs)
Pre-approved contract terms issued by the European Commission that organizations use to legally transfer personal data outside the EU/EEA.
Statement of Applicability (SoA)
The core ISO 27001 document listing which Annex A controls apply to the organization, the justification for inclusion or exclusion, and implementation status.
StateRAMP
A security authorization program modeled on FedRAMP, designed for state and local governments to assess and approve cloud service providers for use by public sector agencies.
Static Application Security Testing (SAST)
A testing method that analyzes an application's source code or binaries for security vulnerabilities without executing the program.
Sub-Processor Disclosure
An ISO 27018 requirement that a cloud provider inform customers before engaging another vendor (a sub-processor) to handle their PII.
Subsequent Events
Events occurring after the end of an examination period but before the audit report is issued, which may need to be evaluated for their effect on the report if significant enough.
Subservice Organization
A third-party vendor whose services are relevant to a company's system but excluded from the audit's direct testing, typically addressed via the carve-out or inclusive method.
Supervisory Authority
An independent public body responsible for monitoring and enforcing data protection law within a jurisdiction, such as a national data protection authority under GDPR.
Supply Chain Risk Management
The discipline of identifying and managing risks introduced through an organization's supply chain, including suppliers of both physical goods and software/services.
Surveillance Audit
A periodic audit conducted during the three-year ISO 27001 certification cycle to confirm the management system continues to meet requirements.
SWIFT CSP
The SWIFT Customer Security Programme, a set of mandatory and advisory security controls that financial institutions using the SWIFT messaging network must implement and self-attest to annually.
System Description
The narrative section of a SOC 2 report describing the infrastructure, software, people, procedures, and data that make up the system being audited.
System Hardening
The process of reducing a system's attack surface by disabling unnecessary services, closing unused ports, and applying secure configuration settings.
Tabletop Exercise
A discussion-based simulation in which stakeholders walk through their roles and decisions during a hypothetical incident, used to test and improve an incident response plan without a live system disruption.
Technical Safeguards
HIPAA-required technology controls - like access controls, audit logs, and encryption - that protect ePHI from unauthorized access.
Test of Controls vs. Substantive Testing
Tests of controls evaluate whether a control is operating as designed; substantive testing directly examines transactions or balances for misstatement, regardless of control design.
Third-Party AI Risk
Risk arising from an organization's use of AI systems, models, or tools developed or operated by external vendors, requiring its own due-diligence considerations beyond standard vendor risk management.
Third-Party Risk Management
The discipline of identifying, assessing, and monitoring risks introduced by external parties an organization relies on, including vendors, partners, and contractors.
Threat Intelligence
Information about current and emerging threats - including attacker tactics, indicators of compromise, and vulnerabilities - collected and analyzed to inform an organization's defenses.
Threat Modeling
A structured process for identifying potential threats to a system early in its design, helping teams prioritize which risks to address before development is complete.
Three Lines of Defense
A risk governance model dividing responsibility across operational management (first line), risk and compliance functions (second line), and internal audit (third line), each providing an independent layer of oversight.
TLS/SSL
Cryptographic protocols that encrypt data transmitted over a network, most commonly used to secure web traffic between a browser and a server (the "S" in HTTPS).
Tolerable Error Rate
The maximum rate of deviation or error an auditor is willing to accept in a sample while still concluding that a control is operating effectively.
Tone at the Top
The ethical and risk-management example set by senior leadership, widely regarded as the single biggest influence on an organization's overall control environment and risk culture.
Training Data Governance
Controls and documentation specifically addressing how data used to train an AI model was sourced, validated, and assessed for quality and bias.
Trust Services Criteria
The five categories - security, availability, processing integrity, confidentiality, and privacy - selected from when scoping a SOC 2 audit.
TX-RAMP
A Texas-specific cloud security certification program required for cloud computing services used by Texas state agencies, modeled on FedRAMP's authorization approach.
Type 1 Report
A SOC report that evaluates whether controls were suitably designed as of a specific point in time, without testing whether they operated effectively over a period.
Type 2 Report
A SOC report that evaluates both the design and the operating effectiveness of controls over a defined examination period, typically three to twelve months.
UK GDPR
The UK's version of the GDPR, retained in domestic law after Brexit, which largely mirrors the EU GDPR but is enforced independently by the UK's Information Commissioner's Office.
Unqualified Opinion
An auditor's conclusion that the subject matter of an engagement is fairly presented in all material respects, with no exceptions noted - the most favorable opinion an audit can receive.
User Auditor
The auditor of a service organization's customer (the user entity), who relies on a SOC report to evaluate controls relevant to their own client's financial statement audit or vendor risk assessment.
VCDPA
The Virginia Consumer Data Protection Act, a state privacy law granting Virginia residents rights over their personal data and imposing obligations on businesses similar in structure to the CCPA/CPRA.
Vendor Risk Management
The subset of third-party risk management focused specifically on suppliers and vendors, typically involving due diligence questionnaires, contractual safeguards, and ongoing monitoring.
Verifiable Consumer Request
A request from a consumer exercising CCPA rights that a business can reasonably confirm was made by the person (or their authorized agent) about whom the data relates.
VPN
A Virtual Private Network, which creates an encrypted connection over a public network, allowing remote users to securely access an organization's internal systems.
Vulnerability Management
The ongoing process of identifying, evaluating, prioritizing, and remediating security weaknesses across an organization's systems and software.
Walkthrough (Audit Procedure)
An audit procedure in which the auditor traces a transaction or process from initiation to completion, observing and confirming how a control actually operates in practice.
Whistleblower Policy
A formal policy establishing a confidential channel and protections for employees or others to report suspected misconduct without fear of retaliation.
Zero Trust
A security model based on the principle of never automatically trusting any user or device, inside or outside the network, requiring continuous verification before granting access to resources.
Zero-Day Vulnerability
A previously unknown software vulnerability that is exploited by attackers before the vendor has released a patch, leaving organizations with no immediate fix available.
No terms found
Try a different search term or clear the framework filter.
Begin your compliance audit with a licensed CPA firm.
Schedule a 30-minute scoping call with a credentialed auditor. We will identify the right framework, discuss audit scope and outline a clear path based on your current state.