Compliance Glossary

Every compliance term, defined.

Search hundreds of governance, risk, compliance, and cybersecurity terms — explained in plain English.

30 terms

Annex A

ISO 27001

The reference set of information security controls in ISO/IEC 27001. The 2022 revision organizes 93 controls into organizational, people, physical, and technological themes.

Attestation

Audit

An examination and opinion issued by a licensed CPA firm, such as a SOC 2 report, on whether an organization’s controls meet defined criteria.

Audit

Audit

A systematic, independent examination of controls and evidence to determine whether requirements are met. Can be internal or external.

BAA

HIPAA

Business Associate Agreement — a contract required under HIPAA between a covered entity and a vendor that handles PHI on its behalf.

BC/DR

Security

Business Continuity and Disaster Recovery — plans and controls that keep an organization operating and recover systems after disruption.

CAPA

Audit

Corrective and Preventive Action — the process of resolving a non-conformity and preventing its recurrence.

Certification

Audit

Formal recognition by an accredited certification body that an organization meets a standard such as ISO/IEC 27001, following a successful audit.

CIA Triad

Security

Confidentiality, Integrity, and Availability — the three core principles that underpin information security.

Continuous Compliance

Compliance

An operating model where controls and evidence are monitored continuously, keeping an organization audit-ready at all times rather than only before an audit.

Control

Security

A safeguard or countermeasure — technical, administrative, or physical — implemented to reduce risk and meet a compliance requirement.

Data Subject

GDPR

An identified or identifiable individual whose personal data is processed. Under GDPR, data subjects have rights such as access and erasure.

DPIA

GDPR

Data Protection Impact Assessment — a GDPR process to identify and reduce data protection risks of high-risk processing activities.

Encryption

Security

The process of encoding data so only authorized parties can read it, protecting confidentiality in transit and at rest.

Evidence

Audit

Proof that a control is designed and operating effectively, such as configuration exports, logs, tickets, screenshots, or records reviewed during an audit.

Gap Assessment

Compliance

An analysis comparing current controls against a framework’s requirements to identify what is missing before an audit.

Incident Response

Security

The structured process for detecting, containing, eradicating, and recovering from a security incident.

ISMS

ISO 27001

Information Security Management System — the framework of policies, processes, and controls an organization uses to manage information security risk, central to ISO/IEC 27001.

Least Privilege

Security

The principle of granting users only the access they need to do their job, and nothing more.

Management Review

ISO 27001

A periodic review by leadership of the ISMS’s performance, required by ISO 27001 to ensure it remains effective and aligned to objectives.

MFA

Security

Multi-Factor Authentication — requiring two or more independent factors to verify identity, a foundational access control.

NCR

Audit

Non-Conformity Report — a documented finding that a requirement has not been met, raised during an audit and tracked to resolution.

PHI

HIPAA

Protected Health Information — individually identifiable health information covered by HIPAA’s Privacy and Security Rules.

Residual Risk

Risk

The level of risk that remains after controls and treatments have been applied. Organizations accept residual risk within their defined risk appetite.

Risk Appetite

Risk

The amount and type of risk an organization is willing to accept in pursuit of its objectives, set by leadership and used to guide treatment decisions.

ROPA

GDPR

Records of Processing Activities — documentation required under GDPR describing what personal data an organization processes and why.

SoA

ISO 27001

Statement of Applicability — a document listing the ISO 27001 Annex A controls, whether each applies, the justification, and its implementation status.

SOC 2 Type I

SOC 2

A SOC 2 report evaluating whether controls are suitably designed at a single point in time.

SOC 2 Type II

SOC 2

A SOC 2 report evaluating whether controls operated effectively over a period, typically three to twelve months.

Trust Services Criteria

SOC 2

The five criteria a SOC 2 report can address: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Vendor Risk

Risk

The risk introduced by third parties that access your systems or data, managed through assessment, contracts, and monitoring.

Ready to simplify compliance?

Put these resources into practice. Start a free trial or book a demo and see Qireon automate compliance across SOC 2, ISO 27001, HIPAA, and GDPR.