Compliance Glossary
Every compliance term, defined.
Search hundreds of governance, risk, compliance, and cybersecurity terms — explained in plain English.
30 terms
Annex A
ISO 27001The reference set of information security controls in ISO/IEC 27001. The 2022 revision organizes 93 controls into organizational, people, physical, and technological themes.
Attestation
AuditAn examination and opinion issued by a licensed CPA firm, such as a SOC 2 report, on whether an organization’s controls meet defined criteria.
Audit
AuditA systematic, independent examination of controls and evidence to determine whether requirements are met. Can be internal or external.
BAA
HIPAABusiness Associate Agreement — a contract required under HIPAA between a covered entity and a vendor that handles PHI on its behalf.
BC/DR
SecurityBusiness Continuity and Disaster Recovery — plans and controls that keep an organization operating and recover systems after disruption.
CAPA
AuditCorrective and Preventive Action — the process of resolving a non-conformity and preventing its recurrence.
Certification
AuditFormal recognition by an accredited certification body that an organization meets a standard such as ISO/IEC 27001, following a successful audit.
CIA Triad
SecurityConfidentiality, Integrity, and Availability — the three core principles that underpin information security.
Continuous Compliance
ComplianceAn operating model where controls and evidence are monitored continuously, keeping an organization audit-ready at all times rather than only before an audit.
Control
SecurityA safeguard or countermeasure — technical, administrative, or physical — implemented to reduce risk and meet a compliance requirement.
Data Subject
GDPRAn identified or identifiable individual whose personal data is processed. Under GDPR, data subjects have rights such as access and erasure.
DPIA
GDPRData Protection Impact Assessment — a GDPR process to identify and reduce data protection risks of high-risk processing activities.
Encryption
SecurityThe process of encoding data so only authorized parties can read it, protecting confidentiality in transit and at rest.
Evidence
AuditProof that a control is designed and operating effectively, such as configuration exports, logs, tickets, screenshots, or records reviewed during an audit.
Gap Assessment
ComplianceAn analysis comparing current controls against a framework’s requirements to identify what is missing before an audit.
Incident Response
SecurityThe structured process for detecting, containing, eradicating, and recovering from a security incident.
ISMS
ISO 27001Information Security Management System — the framework of policies, processes, and controls an organization uses to manage information security risk, central to ISO/IEC 27001.
Least Privilege
SecurityThe principle of granting users only the access they need to do their job, and nothing more.
Management Review
ISO 27001A periodic review by leadership of the ISMS’s performance, required by ISO 27001 to ensure it remains effective and aligned to objectives.
MFA
SecurityMulti-Factor Authentication — requiring two or more independent factors to verify identity, a foundational access control.
NCR
AuditNon-Conformity Report — a documented finding that a requirement has not been met, raised during an audit and tracked to resolution.
PHI
HIPAAProtected Health Information — individually identifiable health information covered by HIPAA’s Privacy and Security Rules.
Residual Risk
RiskThe level of risk that remains after controls and treatments have been applied. Organizations accept residual risk within their defined risk appetite.
Risk Appetite
RiskThe amount and type of risk an organization is willing to accept in pursuit of its objectives, set by leadership and used to guide treatment decisions.
ROPA
GDPRRecords of Processing Activities — documentation required under GDPR describing what personal data an organization processes and why.
SoA
ISO 27001Statement of Applicability — a document listing the ISO 27001 Annex A controls, whether each applies, the justification, and its implementation status.
SOC 2 Type I
SOC 2A SOC 2 report evaluating whether controls are suitably designed at a single point in time.
SOC 2 Type II
SOC 2A SOC 2 report evaluating whether controls operated effectively over a period, typically three to twelve months.
Trust Services Criteria
SOC 2The five criteria a SOC 2 report can address: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Vendor Risk
RiskThe risk introduced by third parties that access your systems or data, managed through assessment, contracts, and monitoring.
Ready to simplify compliance?
Put these resources into practice. Start a free trial or book a demo and see Qireon automate compliance across SOC 2, ISO 27001, HIPAA, and GDPR.