
Compliance Glossary

Quick definitions for ISO 27001 and SOC 2 terms used throughout the implementation guides.

Purpose: Quick reference for compliance terminology and definitions.

This glossary provides definitions for key terms used in ISO 27001, SOC 2, GDPR, and general compliance contexts.

A

Adequacy Decision: A decision by the European Commission that a non-EU country provides an adequate level of data protection, enabling personal data transfers without additional safeguards.

Asset: Any item of value to an organization, including information, systems, people, and physical resources.

Attestation: A formal statement by a qualified professional (usually a CPA) that certain criteria have been met.

Audit: A systematic examination of controls, policies, and procedures to determine compliance with standards.

Availability: The property of being accessible and usable upon demand by an authorized entity.

B

Business Continuity: The capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.

Business Impact Analysis (BIA): A process that identifies and evaluates the potential effects of an interruption to critical business operations.

C

Certification: A formal process by which an accredited body verifies that an organization meets specified standards.

Change Management: The process of controlling changes to systems, processes, or procedures in a systematic manner.

Compliance: The act of adhering to laws, regulations, standards, or policies.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Consent (GDPR): A freely given, specific, informed, and unambiguous indication of a data subject's agreement to the processing of their personal data.

Control: A measure that modifies risk, including policies, procedures, guidelines, practices, or organizational structures.

Control Environment: The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Corrective Action: Action taken to eliminate the cause of a detected nonconformity or other undesirable situation.

D

Data Classification: The process of categorizing data based on its sensitivity, value, and criticality to the organization.

Data Controller: The entity that determines the purposes and means of processing personal data under GDPR.

Data Processing Agreement (DPA): A legally binding contract between a data controller and data processor that governs how personal data is processed.

Data Processor: An entity that processes personal data on behalf of a data controller under GDPR.

Data Protection: The process of safeguarding important information from corruption, compromise, or loss.

Data Protection Impact Assessment (DPIA): An assessment required by GDPR when processing is likely to result in a high risk to data subjects' rights and freedoms.

Data Protection Officer (DPO): A person designated under GDPR to advise the organization on data protection obligations and monitor compliance.

Data Subject: An identified or identifiable natural person whose personal data is processed.

Defense in Depth: A security strategy that uses multiple layers of security controls to protect assets.

Due Diligence: The investigation or exercise of care that a reasonable business or person is expected to take before entering into an agreement or contract.

E

Evidence: Records, statements of fact, or other information that is relevant to the audit criteria and verifiable.

External Audit: An audit conducted by an independent third party, such as a certification body or CPA firm.

Exposure: The potential for loss, harm, or damage to an asset.

F

Framework: A structured approach for organizing and managing information security or compliance activities.

Fraud: An intentional act to deceive or mislead for personal gain or to cause loss to another party.

G

Gap Analysis: A comparison of current state versus desired state to identify areas for improvement.

GDPR (General Data Protection Regulation): The European Union regulation (EU 2016/679) that governs the processing and protection of personal data of individuals in the EU/EEA.

Governance: The framework of rules, relationships, systems, and processes by which an organization is controlled and directed.

H

High-Risk: A risk level that requires immediate attention and mitigation due to its potential impact.

Human Resources Security: Controls related to the security of personnel, including screening, training, and disciplinary processes.

I

Incident: An event that could lead to loss of, or disruption to, an organization's operations, services, or functions.

Incident Response: The process of responding to and managing security incidents.

Information Asset: Any information that has value to the organization.

Information Security: The protection of information from unauthorized access, use, disclosure, disruption, modification, or destruction.

Information Security Management System (ISMS): A systematic approach to managing sensitive company information so that it remains secure.

Internal Audit: An audit conducted by personnel within the organization.

Internal Control: A process designed to provide reasonable assurance regarding the achievement of objectives.

J

Job Rotation: A control that involves periodically changing job assignments to reduce the risk of fraud or error.

K

Key Performance Indicator (KPI): A measurable value that demonstrates how effectively an organization is achieving key business objectives.

L

Least Privilege: The principle that users should have the minimum level of access necessary to perform their job functions.

Logging: The process of recording events and activities for monitoring, analysis, and audit purposes.

M

Management Review: A formal process where management evaluates the effectiveness of the ISMS and compliance program.

Mitigation: Actions taken to reduce the likelihood or impact of a risk.

N

Nonconformity: A failure to meet specified requirements or standards.

Non-repudiation: The ability to prove that a specific action occurred and that it was performed by a specific entity.

O

Objective Evidence: Information that can be proven true based on facts obtained through observation, measurement, test, or other means.

Operational Controls: Day-to-day procedures and mechanisms designed to ensure that security policies are followed.

P

Personal Data: Any information relating to an identified or identifiable natural person, as defined by GDPR.

Policy: A high-level statement of management intent and direction regarding information security.

Privacy by Design: An approach that integrates data protection into the design and development of systems and processes from the outset.

Procedure: A detailed, step-by-step instruction for performing a specific task or process.

Process: A set of interrelated activities that transform inputs into outputs.

Pseudonymization: The processing of personal data so that it can no longer be attributed to a specific data subject without additional information kept separately.

Q

Qualitative Risk Assessment: A risk assessment that uses descriptive terms (e.g., High, Medium, Low) to evaluate risk levels.

Quantitative Risk Assessment: A risk assessment that uses numerical values to evaluate risk levels.

R

Records of Processing Activities (ROPA): A documented record of all personal data processing activities, required under GDPR Article 30.

Recovery Point Objective (RPO): The maximum acceptable amount of data loss measured in time.

Recovery Time Objective (RTO): The maximum acceptable time for restoring a system or process after a disruption.

Risk: The potential for loss, harm, or damage to an asset, assessed as the combination of the likelihood that a threat exploits a vulnerability and the resulting impact.

Risk Assessment: The process of identifying, analyzing, and evaluating risks.

Risk Treatment: The process of selecting and implementing measures to modify risk.

S

SBOM (Software Bill of Materials): A formal, machine-readable inventory of all components, libraries, and dependencies that make up a software product.

SCA (Software Composition Analysis): The process of scanning software to identify open-source components and known vulnerabilities.

Scope: The boundaries and extent of the ISMS or compliance program.

Security Control: A measure designed to protect assets and reduce risk.

Segregation of Duties: A control that ensures that no single individual has complete control over a critical process.

Service Level Agreement (SLA): A formal agreement that defines the level of service expected from a service provider.

Standard Contractual Clauses (SCCs): Pre-approved contractual terms adopted by the European Commission for transferring personal data outside the EU/EEA.

Statement on Standards for Attestation Engagements (SSAE): A set of standards for attestation engagements, including SOC reports.

Supervisory Authority: An independent public authority established by an EU member state to monitor and enforce GDPR compliance.

T

Threat: Any circumstance or event with the potential to cause harm to an asset.

Training: The process of providing knowledge and skills to personnel to enable them to perform their duties effectively.

U

User Access Management: The process of managing user accounts and access rights throughout their lifecycle.

V

VEX (Vulnerability Exploitability Exchange): A companion to SBOMs that communicates whether a product is affected by a known vulnerability and its exploitation status.

Vulnerability: A weakness in a system, process, or control that could be exploited by a threat.

Vulnerability Assessment: The process of identifying and evaluating vulnerabilities in systems and processes.

W

Work Instructions: Detailed, step-by-step instructions for performing specific tasks or activities.

Z

Zero Trust: A security model that assumes that threats exist both inside and outside the network and requires verification for every access request.