The compliance glossary that doesn't pretend

81 plain-English definitions of the terms that come up in real audits and procurement: SOC 2 TSC, ISO 27001 Annex A, GDPR Art. 28, HIPAA PHI/BAA, PCI CDE, NIST 800-53, CMMC, FedRAMP — each mapped to the frameworks it lives in, with a worked example and the next step.

By category

Frameworks · 15 terms

CCPA / CPRA
California's omnibus consumer privacy law, expanded by CPRA; enforced by the CPPA.
CCPA
CMMC
DoD certification model required of defense contractors handling FCI / CUI; three levels (Foundational, Advanced, Expert).
CMMC
FedRAMP
Standardised US government program for cloud-service authorisation, based on NIST 800-53.
FedRAMP
FISMA
US law requiring federal agencies (and their contractors) to implement an information-security program based on NIST standards.
FISMA
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.
GDPR
GLBA
US law governing how financial institutions handle non-public personal information (NPI); FTC Safeguards Rule applies.
GLBA
HIPAA
US law protecting PHI; Privacy, Security, and Breach Notification Rules apply to covered entities and business associates.
HIPAA
ISO/IEC 27001
International standard for an Information Security Management System (ISMS) with 93 Annex A controls.
ISO 27001
ITAR
US State Department regulations controlling export of defense articles and technical data on the USML.
ITAR
NIST CSF
Voluntary NIST framework organising cybersecurity outcomes into six Functions: Govern, Identify, Protect, Detect, Respond, Recover.
NIST
NIST SP 800-53
NIST catalogue of 1000+ security and privacy controls for federal information systems (Rev 5).
NIST · FedRAMP · FISMA
PCI DSS
Card-brand mandated standard for any entity that stores, processes, or transmits cardholder data.
PCI DSS
SOC 2
AICPA attestation report on a service organisation's controls across five Trust Services Criteria.
SOC 2
SOX
US federal law on financial reporting; Section 404 mandates internal controls over financial reporting (ICFR).
SOX
Trust Services Criteria (TSC)
The five AICPA criteria categories underpinning SOC 2: Security, Availability, Confidentiality, Processing Integrity, Privacy.
SOC 2

Controls · 6 terms

Change Management
Documented process for approving, testing, and deploying changes to production systems.
SOC 2 · ISO 27001 · PCI DSS
Common Criteria (CC1–CC9)
The nine Common Criteria categories that make up the Security TSC in SOC 2 — control environment through change management.
SOC 2
ISO 27001 Annex A
The catalogue of 93 reference controls (2022 edition) across Organisational, People, Physical, and Technological themes.
ISO 27001
IT General Controls (ITGC)
Pervasive IT controls supporting reliable processing — access, change management, operations, development.
SOX · SOC 2
Segregation of Duties (SoD)
Splitting critical tasks across multiple individuals so no single person can execute fraud or untraceable error.
SOC 2 · ISO 27001 · SOX
User Access Review
Periodic review by data owners confirming each user's access remains appropriate; typically quarterly.
SOC 2 · ISO 27001 · HIPAA

Privacy · 21 terms

Anonymisation vs Pseudonymisation
Anonymisation: irreversibly de-identified, out of GDPR scope. Pseudonymisation: reversible, still personal data.
GDPR
Breach Notification
Legal duty to notify regulators and affected individuals after a security incident affecting personal data.
GDPR · HIPAA · CCPA
Consent (GDPR)
Freely given, specific, informed, unambiguous indication by the data subject — must be as easy to withdraw as to give.
GDPR
Data Controller
The entity that determines the purposes and means of personal data processing (GDPR Art. 4(7)).
GDPR
Data Minimisation
GDPR Art. 5(1)(c) principle: personal data must be adequate, relevant, and limited to what is necessary.
GDPR · HIPAA
Data Processing Agreement (DPA)
Contract between a controller and processor codifying GDPR Art. 28 obligations.
GDPR
Data Processor
An entity processing personal data on behalf of a controller, governed by a written DPA (GDPR Art. 28).
GDPR
Data Subject
The identified or identifiable natural person to whom personal data relates (GDPR Art. 4(1)).
GDPR
Data Subject Rights (DSAR)
Rights granted to individuals over their personal data — access, rectification, erasure, portability, restriction, objection.
GDPR · CCPA
Do Not Sell or Share My Personal Information
CCPA/CPRA-mandated link allowing California consumers to opt out of sale/sharing of personal information.
CCPA
ePHI
PHI in electronic form — the scope of the HIPAA Security Rule (45 CFR §164.302–318).
HIPAA
Lawful Basis (Legal Basis for Processing)
One of six GDPR Art. 6 grounds that must apply for personal data processing to be lawful.
GDPR
Minimum Necessary Standard
HIPAA principle (45 CFR §164.502(b)) requiring use/disclosure of only the minimum PHI needed for the purpose.
HIPAA
Personal Data (GDPR)
Any information relating to an identified or identifiable natural person (data subject) — Art. 4(1).
GDPR
PHI (Protected Health Information)
Individually identifiable health information held or transmitted by a HIPAA covered entity or business associate.
HIPAA
PII (Personally Identifiable Information)
Information that can identify a specific individual, directly or in combination with other data.
GDPR · CCPA · HIPAA
Purpose Limitation
GDPR Art. 5(1)(b): personal data must be collected for specified, explicit, legitimate purposes and not further processed incompatibly.
GDPR
Schrems II
2020 CJEU ruling invalidating Privacy Shield and requiring case-by-case TIA for EU→US data transfers.
GDPR
Sensitive Personal Information (SPI)
Special category of personal data — health, biometrics, race, religion, sexual orientation, precise geolocation, etc.
GDPR · CCPA
Standard Contractual Clauses (SCCs)
EU Commission-approved clauses providing a lawful basis for personal-data transfers outside the EEA.
GDPR
Sub-Processor
A third party engaged by a processor to carry out specific processing activities on behalf of a controller.
GDPR

Security · 15 terms

Audit Logging
Tamper-resistant recording of security-relevant events for monitoring, investigation, and evidence.
SOC 2 · ISO 27001 · PCI DSS
Encryption at Rest
Cryptographic protection of stored data — typically AES-256 with KMS-managed keys.
SOC 2 · ISO 27001 · HIPAA
Encryption in Transit
TLS protection of data moving across networks — TLS 1.2+ is the floor; TLS 1.3 preferred.
SOC 2 · ISO 27001 · HIPAA
Incident Response (IR)
Documented, tested process for detecting, containing, eradicating, and recovering from security incidents.
SOC 2 · ISO 27001 · HIPAA
Key Management Service (KMS)
Managed service for creating, rotating, and authorising use of cryptographic keys.
SOC 2 · ISO 27001 · HIPAA
Least Privilege (Principle of)
Users and services receive only the minimum access required to perform their function.
SOC 2 · ISO 27001 · HIPAA
MFA (Multi-Factor Authentication)
Authentication requiring two or more factors from independent categories (knowledge, possession, inherence).
SOC 2 · ISO 27001 · PCI DSS
Patch Management
Process of applying vendor security updates to systems within defined SLAs.
SOC 2 · ISO 27001 · HIPAA
Penetration Test (Pen Test)
Authorised offensive simulation of an attacker to identify exploitable vulnerabilities.
SOC 2 · ISO 27001 · PCI DSS
RBAC (Role-Based Access Control)
Access control model granting permissions to roles, and assigning users to roles.
SOC 2 · ISO 27001 · HIPAA
SCIM
Open standard for automated user provisioning/deprovisioning from an IdP to SaaS apps.
SOC 2 · ISO 27001
SIEM
Platform aggregating, correlating, and alerting on security log data across an environment.
SOC 2 · ISO 27001 · PCI DSS
SSO (Single Sign-On)
Federated authentication via SAML 2.0 or OIDC against a central identity provider (Okta, Entra ID, Google).
SOC 2 · ISO 27001
Tokenisation
Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).
PCI DSS
Vulnerability Management
Continuous discover-prioritise-remediate cycle for software vulnerabilities (CVEs) and misconfigurations.
SOC 2 · ISO 27001 · PCI DSS

Audit · 6 terms

ATO (Authority to Operate)
Formal federal authorisation that an information system may operate at an accepted level of risk.
FedRAMP · FISMA · NIST
Audit Period (Observation Window)
The continuous date range during which a SOC 2 Type II or ISO 27001 surveillance audit tests operating effectiveness.
SOC 2 · ISO 27001
PCI SAQ (Self-Assessment Questionnaire)
PCI DSS self-assessment for merchants meeting eligibility criteria; nine SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE).
PCI DSS
QSA (Qualified Security Assessor)
PCI SSC-certified individual or firm authorised to perform PCI DSS assessments.
PCI DSS
SOC 2 Type I vs Type II
Type I = design of controls at a point in time. Type II = design + operating effectiveness over a period (typically 3–12 months).
SOC 2
Statement of Applicability (SoA)
ISO 27001 document declaring which Annex A controls apply, why, and how — central artefact for certification.
ISO 27001

Risk · 9 terms

Business Continuity & Disaster Recovery (BC/DR)
Tested plans to maintain or restore operations after disruptive events; measured by RTO/RPO.
SOC 2 · ISO 27001 · HIPAA
CAIQ
Cloud Security Alliance's standardised cloud-provider security questionnaire (aligned to CCM).
SOC 2 · ISO 27001
DPIA (Data Protection Impact Assessment)
Mandatory GDPR risk assessment for processing likely to result in a high risk to data subjects (Art. 35).
GDPR
Risk Assessment
Structured identification, analysis, and evaluation of risks to assets, processes, or data.
SOC 2 · ISO 27001 · HIPAA
Risk Treatment
The action chosen for each identified risk: avoid, mitigate, transfer, or accept.
ISO 27001 · SOC 2
RTO / RPO
RTO = time to restore service after disruption. RPO = max acceptable data loss measured in time.
SOC 2 · ISO 27001 · HIPAA
SIG Questionnaire
Shared Assessments' standardised vendor security questionnaire (Core, Lite, custom).
SOC 2 · ISO 27001
Tabletop Exercise
Discussion-based simulation walking through a hypothetical incident scenario with the response team.
SOC 2 · ISO 27001 · HIPAA
Vendor / Third-Party Risk Management (TPRM)
Process for assessing, monitoring, and contracting security risk introduced by third parties.
SOC 2 · ISO 27001 · HIPAA

Data · 5 terms

Cardholder Data (CHD)
PAN — alone or together with cardholder name, expiration, service code — defined by PCI DSS.
PCI DSS
CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.
PCI DSS
CUI (Controlled Unclassified Information)
Federal information requiring safeguarding or dissemination controls per Executive Order 13556; protected by NIST SP 800-171.
CMMC · NIST
Data Retention Policy
Documented schedule for how long each data category is retained and how it is securely disposed of.
GDPR · HIPAA · SOC 2
FCI (Federal Contract Information)
Non-public information provided by or generated for the federal government under a contract; protected by FAR 52.204-21.
CMMC

Governance · 4 terms

BAA (Business Associate Agreement)
HIPAA contract between a covered entity and a business associate handling PHI; mandatory under 45 CFR §164.504(e).
HIPAA
Data Protection Officer (DPO)
Independent role mandated by GDPR Art. 37 for public authorities and certain large-scale processors.
GDPR
ISMS (Information Security Management System)
A documented, risk-based management system for information security — the object of ISO 27001 certification.
ISO 27001
Trust Page / Trust Center
Customer-facing page publishing security posture, compliance reports, sub-processors, status, and policies.
SOC 2 · ISO 27001

Knowing the terms is the easy part.

Drop your policy into our free audit and we'll show you which of these controls you're actually missing — mapped to the specific clauses you have to fix before the auditor finds them.