Compliance Glossary
Purpose: Quick reference for compliance terminology and definitions.
This glossary provides definitions for key terms used in ISO 27001, SOC 2, and general compliance contexts.
A
Asset: Any item of value to an organization, including information, systems, people, and physical resources.
Attestation: A formal statement by a qualified professional (usually a CPA) that certain criteria have been met.
Audit: A systematic examination of controls, policies, and procedures to determine compliance with standards.
Availability: The property of being accessible and usable upon demand by an authorized entity.
B
Business Continuity: The capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business Impact Analysis (BIA): A process that identifies and evaluates the potential effects of an interruption to critical business operations.
C
Certification: A formal process by which an accredited body verifies that an organization meets specified standards.
Change Management: The process of controlling changes to systems, processes, or procedures in a systematic manner.
Compliance: The act of adhering to laws, regulations, standards, or policies.
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
Control: A measure that modifies risk, including policies, procedures, guidelines, practices, or organizational structures.
Control Environment: The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.
Corrective Action: Action taken to eliminate the cause of a detected nonconformity or other undesirable situation.
D
Data Classification: The process of categorizing data based on its sensitivity, value, and criticality to the organization.
Data Protection: The process of safeguarding important information from corruption, compromise, or loss.
Defense in Depth: A security strategy that uses multiple layers of security controls to protect assets.
Due Diligence: The investigation or exercise of care that a reasonable business or person is expected to take before entering into an agreement or contract.
E
Evidence: Records, statements of fact, or other information that is relevant to the audit criteria and verifiable.
External Audit: An audit conducted by an independent third party, such as a certification body or CPA firm.
Exposure: The potential for loss, harm, or damage to an asset.
F
Framework: A structured approach for organizing and managing information security or compliance activities.
Fraud: An intentional act to deceive or mislead for personal gain or to cause loss to another party.
G
Governance: The framework of rules, relationships, systems, and processes by which an organization is controlled and directed.
Gap Analysis: A comparison of current state versus desired state to identify areas for improvement.
H
High-Risk: A risk level that requires immediate attention and mitigation due to its potential impact.
Human Resources Security: Controls related to the security of personnel, including screening, training, and disciplinary processes.
I
Incident: An event that could lead to loss of, or disruption to, an organization's operations, services, or functions.
Incident Response: The process of responding to and managing security incidents.
Information Asset: Any information that has value to the organization.
Information Security: The protection of information from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Security Management System (ISMS): A systematic approach to managing sensitive company information so that it remains secure.
Internal Audit: An audit conducted by personnel within the organization.
Internal Control: A process designed to provide reasonable assurance regarding the achievement of objectives.
J
Job Rotation: A control that involves periodically changing job assignments to reduce the risk of fraud or error.
K
Key Performance Indicator (KPI): A measurable value that demonstrates how effectively an organization is achieving key business objectives.
L
Least Privilege: The principle that users should have the minimum level of access necessary to perform their job functions.
Logging: The process of recording events and activities for monitoring, analysis, and audit purposes.
M
Management Review: A formal process where management evaluates the effectiveness of the ISMS and compliance program.
Mitigation: Actions taken to reduce the likelihood or impact of a risk.
N
Nonconformity: A failure to meet specified requirements or standards.
Non-repudiation: The ability to prove that a specific action occurred and that it was performed by a specific entity, so that the entity cannot later deny having performed it.
O
Objective Evidence: Information that can be proven true based on facts obtained through observation, measurement, test, or other means.
Operational Controls: Day-to-day procedures and mechanisms designed to ensure that security policies are followed.
P
Policy: A high-level statement of management intent and direction regarding information security.
Procedure: A detailed, step-by-step instruction for performing a specific task or process.
Process: A set of interrelated activities that transform inputs into outputs.
Q
Qualitative Risk Assessment: A risk assessment that uses descriptive terms (e.g., High, Medium, Low) to evaluate risk levels.
Quantitative Risk Assessment: A risk assessment that uses numerical values to evaluate risk levels.
R
Recovery Time Objective (RTO): The maximum acceptable time for restoring a system or process after a disruption.
Recovery Point Objective (RPO): The maximum acceptable amount of data loss measured in time.
Risk: The potential for loss, harm, or damage to an asset.
Risk Assessment: The process of identifying, analyzing, and evaluating risks.
Risk Treatment: The process of selecting and implementing measures to modify risk.
S
Scope: The boundaries and extent of the ISMS or compliance program.
Security Control: A measure designed to protect assets and reduce risk.
Segregation of Duties: A control that ensures that no single individual has complete control over a critical process.
Service Level Agreement (SLA): A formal agreement that defines the level of service expected from a service provider.
Statement on Standards for Attestation Engagements (SSAE): A set of standards for attestation engagements, including SOC reports.
T
Threat: Any circumstance or event with the potential to cause harm to an asset.
Training: The process of providing knowledge and skills to personnel to enable them to perform their duties effectively.
U
User Access Management: The process of managing user accounts and access rights throughout their lifecycle.
V
Vulnerability: A weakness in a system, process, or control that could be exploited by a threat.
Vulnerability Assessment: The process of identifying and evaluating vulnerabilities in systems and processes.
W
Work Instructions: Detailed, step-by-step instructions for performing specific tasks or activities.
Z
Zero Trust: A security model that assumes that threats exist both inside and outside the network and requires verification for every access request.