Security & Compliance Glossary

Clear definitions for SOC 2, ISO 27001, GDPR, and security terminology. Everything you need to understand compliance.

DevSecOps & Application Security

14 terms

Terms related to secure software development and application security testing

SAST / Static Application Security Testing
A white-box testing method that analyzes source code, bytecode, or binaries for security vulnerabilities without executing the application. SAST tools scan code early in the development lifecycle to find issues like SQL injection, XSS, and insecure configurations before deployment.
DAST / Dynamic Application Security Testing
A black-box testing method that tests running applications for vulnerabilities by simulating attacks from the outside. Unlike SAST, DAST doesn't require source code access and finds runtime issues like authentication flaws, server misconfigurations, and injection vulnerabilities.
SCA / Software Composition Analysis
Automated tools that identify open source components in your codebase, detect known vulnerabilities (CVEs), and flag license compliance issues. Critical for managing supply chain risk since modern applications often contain 80%+ open source code.
SBOM / Software Bill of Materials
A formal, machine-readable inventory of all software components, libraries, and dependencies in an application. Required by US Executive Order 14028 for federal software vendors. Enables rapid vulnerability response when new CVEs are disclosed.
CI/CD Pipeline Security
Security practices integrated into Continuous Integration/Continuous Deployment pipelines, including automated SAST/DAST scans, dependency checks, secrets detection, and infrastructure-as-code validation. Enables 'shift left' security by catching issues before production.
Secrets Detection
Automated scanning of code repositories, configuration files, and CI/CD pipelines to identify exposed credentials, API keys, tokens, and other sensitive data. Prevents accidental exposure of secrets that could lead to data breaches or unauthorized access.
IaC Scanning
Infrastructure as Code Scanning - Automated security analysis of infrastructure definitions (Terraform, CloudFormation, Kubernetes manifests) to detect misconfigurations before deployment. Catches issues like public S3 buckets, overly permissive IAM policies, and unencrypted resources.
Container Scanning
Security analysis of container images to identify vulnerabilities in base images, installed packages, and application dependencies. Should run in CI/CD pipelines and container registries. Critical as containers often inherit vulnerabilities from their base images.
Open Source Dependencies
Third-party libraries and packages incorporated into applications from public repositories (npm, PyPI, Maven, etc.). While accelerating development, they introduce supply chain risk through vulnerabilities, malicious packages, and license compliance issues.
Software Supply Chain Security
Protecting the integrity of software from development through deployment, including securing build systems, verifying dependencies, signing artifacts, and maintaining SBOMs. High-profile attacks (SolarWinds, Log4j) have made this a board-level concern.
False Positive
A security alert that incorrectly identifies benign code or behavior as a vulnerability or threat. High false positive rates waste developer time and lead to alert fatigue. Quality security tools balance detection accuracy with minimizing false positives.
Open Source License Scanning
Automated analysis of open source components to identify their licenses and detect potential compliance issues. Ensures your use of libraries complies with license terms, whether permissive (MIT, Apache) or copyleft (GPL). Critical for avoiding legal risk when shipping software containing third-party code.
Shift-Left Security
The practice of integrating security testing earlier in the software development lifecycle rather than treating it as a final gate before deployment. By shifting security left on the development timeline, teams catch vulnerabilities when they're cheaper and faster to fix.
DevSecOps
A culture and practice that integrates security into every phase of the software development lifecycle. Combines development, security, and operations teams to automate security testing, enforce policies as code, and build security into the CI/CD pipeline rather than bolting it on at the end.

Vulnerabilities & Threats

9 terms

Common vulnerability types and security threat terminology

OWASP Top 10
A regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project. The 2021 version includes Broken Access Control, Cryptographic Failures, Injection, Insecure Design, and Security Misconfiguration. Industry standard for web security awareness.
CVE / Common Vulnerabilities and Exposures
A standardized identifier system for publicly known cybersecurity vulnerabilities. Each CVE ID (e.g., CVE-2021-44228 for Log4Shell) uniquely identifies a vulnerability, enabling consistent communication and tracking across security tools and databases.
SQL Injection
An attack technique that inserts malicious SQL code into application queries through user input, potentially allowing attackers to read, modify, or delete database contents. Prevented through parameterized queries, input validation, and ORM frameworks. Consistently in OWASP Top 10.
XSS / Cross-Site Scripting
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Can steal session cookies, redirect users, or deface websites. Types include Stored XSS, Reflected XSS, and DOM-based XSS. Prevented through output encoding and Content Security Policy.
SSRF / Server-Side Request Forgery
A vulnerability where an attacker can make a server perform requests to unintended locations, potentially accessing internal services, cloud metadata endpoints, or other protected resources. New addition to OWASP Top 10 in 2021 due to increased cloud adoption.
Technical Vulnerability Management
The systematic process of identifying, evaluating, prioritizing, and remediating security vulnerabilities in systems and applications. Includes regular scanning, risk-based prioritization, patch management, and verification. Required by SOC 2, ISO 27001, and most compliance frameworks.
Zero-Day Vulnerability
A software vulnerability unknown to the vendor and without an available patch. Called 'zero-day' because developers have had zero days to fix it. Highly valuable to attackers and often exploited before detection. Requires defense-in-depth strategies to mitigate.
Vulnerability Mitigation
The process of reducing or eliminating the risk posed by a security vulnerability. Includes applying patches, implementing compensating controls, adjusting configurations, or accepting residual risk when remediation is not immediately feasible. Part of a comprehensive vulnerability management program.
Sensitive Data Exposure
A vulnerability category where applications fail to adequately protect sensitive information such as credentials, financial data, or personal information. Often results from weak encryption, improper access controls, or logging sensitive data. A common finding in security assessments and compliance audits.

Cloud Security

6 terms

Terms related to securing cloud infrastructure and services

CSPM / Cloud Security Posture Management
Automated tools that continuously monitor cloud infrastructure for misconfigurations, compliance violations, and security risks across AWS, Azure, GCP, and other providers. Identifies issues like public storage buckets, overly permissive IAM policies, and unencrypted resources.
Cloud Misconfiguration
Security vulnerabilities caused by incorrectly configured cloud resources, such as public S3 buckets, open security groups, or disabled logging. The #1 cause of cloud data breaches. Prevented through IaC scanning, CSPM tools, and cloud security best practices.
Shared Responsibility Model
The security framework where cloud providers secure the infrastructure (physical security, hypervisor, network) while customers secure what they put in the cloud (data, applications, access management, configurations). Understanding this division is critical for cloud compliance.
IAM / Identity and Access Management
The framework of policies, processes, and technologies for managing digital identities and controlling access to cloud resources. Includes user provisioning, authentication, authorization, and access governance. Foundation of cloud security and compliance.
Cloud Security Alliance (CSA)
A nonprofit organization dedicated to defining and raising awareness of best practices for securing cloud computing environments. Publishes the Cloud Controls Matrix (CCM) and administers the Security, Trust, Assurance, and Risk (STAR) certification program.
Cloud Controls Matrix (CCM)
A cybersecurity control framework published by the Cloud Security Alliance that maps security controls to major compliance standards including SOC 2, ISO 27001, PCI DSS, and GDPR. Provides a baseline for cloud security assessments and vendor evaluations.

SOC 2

12 terms

Terms related to SOC 2 compliance and auditing

SOC 2
System and Organization Controls 2 - An auditing procedure developed by the AICPA that evaluates a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. Unlike a certification, SOC 2 produces an audit report issued by a licensed CPA firm.
Trust Services Criteria (TSC)
The five categories of controls evaluated in a SOC 2 audit: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Developed by the AICPA, these criteria define the control objectives organizations must meet.
SOC 2 Type 1
A point-in-time audit that evaluates whether controls are designed appropriately on a specific date. It proves controls exist but not that they work consistently over time. Most enterprise customers do not accept Type 1 as real compliance.
SOC 2 Type 2
A period-of-time audit that evaluates whether controls are designed appropriately AND operating effectively over a minimum 3-month observation period. This is the industry standard that enterprise customers expect.
Observation Period
The mandatory 3-month (minimum) timeframe during which auditors monitor and test controls for a SOC 2 Type 2 report. This period is set by AICPA standards and cannot be compressed or shortened.
Common Criteria (CC)
The nine control categories (CC1-CC9) that make up the Security criterion in SOC 2. Includes Control Environment, Communication, Risk Assessment, Monitoring, Control Activities, Access Controls, System Operations, Change Management, and Risk Mitigation.
AICPA
American Institute of Certified Public Accountants - The organization that developed and maintains the SOC 2 framework, Trust Services Criteria, and auditing standards. Only licensed CPA firms can issue SOC 2 reports.
In-Progress Letter
A letter from auditors confirming that an organization has engaged in the SOC 2 audit process. Used to satisfy procurement requirements while the observation period is ongoing. Includes the security controls being audited and estimated completion date.
SOC 2 Readiness Assessment
A pre-audit evaluation that identifies gaps between your current security posture and SOC 2 requirements. Typically performed by consultants or compliance platforms before engaging auditors. Helps organizations remediate issues before the formal audit begins, reducing risk of findings.
System Description
A required section of a SOC 2 report that describes the service organization's system, including infrastructure, software, people, procedures, and data. Written by the organization and validated by auditors. Defines the scope of what is being audited.
SOC Reports
Audit reports issued by licensed CPA firms that evaluate a service organization's controls. SOC 1 focuses on financial reporting controls, SOC 2 on security and operational controls, and SOC 3 is a public summary. The most common request from enterprise customers is SOC 2 Type 2.
Gap Analysis
A systematic comparison of your current controls and processes against the requirements of a compliance framework. Identifies what you have, what you need, and the work required to close the gap. The first step in any compliance program.

ISO 27001

11 terms

Terms related to ISO 27001 certification

ISO 27001
An international standard for information security management systems (ISMS), published by the International Organization for Standardization. Unlike SOC 2, it produces an actual certificate valid for 3 years, with annual surveillance audits.
ISMS
Information Security Management System - A systematic approach to managing sensitive company information through people, processes, and technology. Required for ISO 27001 certification and includes policies, procedures, risk assessments, and continuous improvement.
Statement of Applicability (SoA)
A key ISO 27001 document that lists all 93 controls from Annex A and indicates which are applicable, which are implemented, and justification for any exclusions. Required for certification.
Stage 1 Audit
The first phase of ISO 27001 certification where auditors review documentation to verify ISMS readiness. Covers policies, risk assessment methodology, Statement of Applicability, and management commitment. Identifies gaps before Stage 2.
Stage 2 Audit
The main ISO 27001 certification audit where auditors verify controls are implemented and operating effectively. Includes interviews, evidence review, and testing. Results in certification if passed.
Surveillance Audit
Annual audits in years 2 and 3 of the ISO 27001 certification cycle. Shorter than initial certification, they verify continued compliance and continuous improvement of the ISMS.
Annex A Controls
The 93 security controls organized in 4 categories (Organizational, People, Physical, Technological) that organizations select from when building their ISO 27001 ISMS. Not all controls are mandatory - selection is risk-based.
Certification Body
An accredited organization authorized to conduct ISO 27001 audits and issue certificates. Must be accredited by a national accreditation body (e.g., UKAS in the UK, COFRAC in France) to ensure audit quality.
ISMS Scope
The boundaries of your Information Security Management System, defining which business units, systems, locations, and data types are covered by ISO 27001 certification. A well-defined scope is required before beginning certification. Broader scope means more controls but greater customer confidence.
ISO 22301
The international standard for Business Continuity Management Systems (BCMS). Provides a framework for planning, establishing, implementing, and maintaining business continuity capabilities. Often pursued alongside ISO 27001 by organizations requiring strong resilience guarantees.
Internal Audit
A required ISO 27001 activity where organizations evaluate their own ISMS effectiveness before external certification audits. Must be conducted by personnel independent of the areas being audited. Identifies nonconformities and opportunities for improvement.

GDPR & Privacy

14 terms

Terms related to data protection and privacy regulations

GDPR
General Data Protection Regulation - The European Union's comprehensive data protection law effective since May 25, 2018. Applies to any organization processing personal data of EU residents, regardless of company location. Maximum penalty is €20 million or 4% of global annual revenue.
Personal Data
Any information relating to an identified or identifiable natural person (data subject). Includes direct identifiers (name, email), online identifiers (IP address, cookies), and any data that can be combined to identify someone.
Data Controller
The organization that determines the purposes and means of processing personal data. Responsible for compliance, must have legal basis for processing, and is liable for processor actions. Typically your company when you collect customer data.
Data Processor
An organization that processes personal data on behalf of a controller. Must follow controller instructions, have a Data Processing Agreement (DPA), and implement appropriate security. Examples: cloud providers, CRM vendors, analytics tools.
Data Processing Agreement (DPA)
A legally binding contract between data controller and processor that defines data processing terms, security requirements, sub-processor rules, and GDPR compliance obligations. Required by Article 28 of GDPR.
Lawful Basis
One of six legal grounds required to process personal data under GDPR: Consent, Contract, Legal Obligation, Vital Interests, Public Task, or Legitimate Interests. Most B2B SaaS companies rely on Contract or Legitimate Interests.
Data Subject Rights
Rights granted to individuals under GDPR including: Right of Access, Right to Rectification, Right to Erasure (Right to be Forgotten), Right to Restrict Processing, Right to Data Portability, Right to Object, and rights related to automated decision-making.
DSAR
Data Subject Access Request - A formal request from an individual to access their personal data held by an organization. Must be responded to within one month under GDPR, free of charge.
DPO
Data Protection Officer - A designated individual responsible for overseeing GDPR compliance. Required for public authorities, organizations doing large-scale systematic monitoring, or those processing special category data at scale.
DPIA / Data Protection Impact Assessment
A structured process required under GDPR when processing is likely to result in high risk to individuals' rights. Identifies privacy risks, evaluates necessity and proportionality, and documents mitigation measures. Required before launching new products or features that process personal data at scale.
Privacy by Design
A development approach that embeds privacy considerations into systems, products, and business practices from the outset rather than as an afterthought. Required by GDPR Article 25. Includes principles like data minimization, purpose limitation, and security by default.
Special Category Data
Sensitive personal data that requires extra protection under GDPR Article 9. Includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data about sex life or sexual orientation. Processing requires explicit consent or another specific legal basis.
Cross-Border Data Transfer
The movement of personal data from one country to another, subject to strict GDPR rules when data leaves the European Economic Area. Requires adequate protection through mechanisms like Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules.
Data Mapping
The process of documenting what personal data your organization collects, where it is stored, how it flows through systems, who has access, and how long it is retained. Required for GDPR compliance and forms the foundation for Records of Processing Activities (RoPA).

Security Controls

17 terms

Common security and technical control terminology

MFA / Multi-Factor Authentication
A security mechanism requiring two or more verification factors to access an account or system. Typically combines something you know (password), something you have (phone/token), or something you are (biometrics). Required for SOC 2 compliance on all critical systems.
Encryption at Rest
The practice of encrypting stored data (in databases, file systems, backups) so it cannot be read without the decryption key. Standard is AES-256. Required for SOC 2 and most compliance frameworks.
Encryption in Transit
The practice of encrypting data as it moves between systems or networks using protocols like TLS 1.2+. Protects against man-in-the-middle attacks. Required for all external connections in compliance frameworks.
Penetration Testing
Authorized simulated cyber attacks performed by security professionals to identify vulnerabilities before malicious hackers do. Typically 20+ hours of manual testing. Required annually for SOC 2; not required for ISO 27001.
Vulnerability Scanning
Automated tools that scan systems, applications, and networks for known vulnerabilities. Should run regularly (weekly or on code changes). Complements but does not replace penetration testing.
RBAC / Role-Based Access Control
A method of restricting system access based on user roles rather than individual permissions. Implements least privilege by granting only the access needed for each role. Core requirement for SOC 2 and ISO 27001.
Least Privilege
The security principle that users and systems should have only the minimum access necessary to perform their functions. Reduces attack surface and limits damage from compromised accounts.
MDM / Mobile Device Management
Software that enables organizations to secure, monitor, and manage employee mobile devices and laptops. Can enforce encryption, remote wipe, and security policies. Required for endpoint security in most compliance frameworks.
EDR / Endpoint Detection and Response
Security technology that monitors endpoint devices (laptops, servers) for suspicious activity, detects threats, and enables rapid response. More advanced than traditional antivirus.
SIEM
Security Information and Event Management - A system that aggregates and analyzes log data from across an organization's IT infrastructure to detect security threats and enable incident response.
Access Control Policy
A documented set of rules governing who can access which systems, data, and physical locations within an organization. Defines authentication requirements, authorization levels, and access provisioning/deprovisioning procedures. A foundational policy for SOC 2 and ISO 27001 compliance.
Security Awareness Training
Educational programs that teach employees to recognize and respond to security threats like phishing, social engineering, and data handling risks. Required by SOC 2 and ISO 27001. Should be conducted at onboarding and refreshed annually, with additional training for high-risk roles.
Phishing Simulation
Controlled exercises that send simulated phishing emails to employees to test awareness and measure susceptibility to social engineering attacks. Results identify training needs and track improvement over time. Common evidence for SOC 2 security awareness controls.
DLP / Data Loss Prevention
Technologies and policies that prevent sensitive data from leaving the organization through unauthorized channels. Monitors and controls data in use, in motion, and at rest. Can block or alert on attempts to email, upload, or copy protected information.
Audit Trail
A chronological record of system activities that documents who did what, when, and from where. Essential for security investigations, compliance audits, and detecting unauthorized access. Must be tamper-evident and retained according to your retention policy.
User Activity Monitoring
Tools and processes that track user actions within systems and applications. Captures login events, data access, configuration changes, and administrative actions. Required for detecting insider threats and demonstrating compliance with access controls.
Data Retention Policy
A documented policy specifying how long different types of data must be kept and when they should be securely deleted. Balances legal requirements, business needs, and privacy principles. Required by GDPR (storage limitation) and relevant to multiple compliance frameworks.

Compliance & Governance

20 terms

General compliance and governance terminology

Compliance Framework
A structured set of guidelines, controls, and best practices that organizations follow to meet regulatory requirements or industry standards. Examples: SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS.
vCISO
Virtual Chief Information Security Officer - An outsourced security executive who provides strategic security leadership on a part-time or fractional basis. Cost-effective alternative to full-time CISO for startups and SMBs.
Risk Assessment
The systematic process of identifying, analyzing, and evaluating security risks to an organization's information assets. Required for both SOC 2 and ISO 27001. Includes threat identification, vulnerability assessment, and impact analysis.
Risk Register
A documented list of identified risks including their likelihood, impact, risk level, treatment decision, controls applied, and residual risk. Central document for risk management in ISO 27001.
Control
A safeguard or countermeasure implemented to reduce risk to an acceptable level. Can be technical (firewalls, encryption), administrative (policies, training), or physical (locks, cameras).
Evidence Collection
The process of gathering documentation and proof that controls are implemented and operating effectively. Can be automated through integrations or manual through screenshots, logs, and documents.
Access Review
The periodic review of user access rights to ensure they remain appropriate. Typically conducted quarterly. Verifies least privilege is maintained and removes inappropriate access.
Incident Response
The organized approach to detecting, responding to, and recovering from security incidents. Includes preparation, detection, containment, eradication, recovery, and post-incident review phases.
Business Continuity
The capability to continue essential business functions during and after a disaster or disruption. Includes Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Vendor Risk Management
The process of identifying, assessing, and mitigating risks associated with third-party vendors who have access to your data or systems. Required for SOC 2 (CC9) and ISO 27001 (Supplier Relationships).
Vendor Risk Assessment
A structured evaluation of the security risks posed by a third-party vendor before and during the business relationship. Reviews the vendor's security certifications, data handling practices, incident history, and contractual protections. Part of vendor due diligence.
Vendor Due Diligence
The investigation process conducted before engaging a vendor to evaluate their reliability, security posture, financial stability, and compliance status. Includes reviewing SOC 2 reports, penetration test results, insurance coverage, and references.
Security Questionnaires
Standardized forms used to assess a vendor's security practices during procurement. Common formats include SIG (Standardized Information Gathering), CAIQ (Consensus Assessment Initiative Questionnaire), and custom questionnaires. Completing these is a routine part of B2B sales for SaaS companies.
GRC / Governance, Risk, and Compliance
An integrated approach to aligning IT with business objectives, managing risk effectively, and meeting regulatory requirements. GRC platforms help organizations coordinate policies, automate control testing, and maintain compliance documentation in one place.
Compliance Risk Assessment
The process of identifying potential compliance violations, evaluating their likelihood and impact, and prioritizing remediation efforts. Should be conducted when regulations change, before entering new markets, or when launching new products.
Continuous Compliance
An approach that automates compliance monitoring rather than treating audits as periodic events. Uses integrations to continuously collect evidence, detect control failures, and alert teams to compliance drift. The modern alternative to scrambling before each audit cycle.
Continuous Monitoring
The ongoing, automated assessment of security controls and system configurations to detect deviations from the desired state. Provides real-time visibility into your security posture and enables rapid response to issues.
Risk Control Matrix
A document that maps identified risks to the controls implemented to mitigate them. Shows the relationship between risks, control objectives, specific controls, control owners, and testing procedures. Used by auditors to understand your control environment.
COSO Framework
A widely recognized framework for designing and evaluating internal controls, published by the Committee of Sponsoring Organizations of the Treadway Commission. Defines five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
IT General Controls (ITGC)
Foundational controls that apply across an organization's IT infrastructure and support the reliability of application-specific controls. Include access management, change management, computer operations, and system development. Audited in SOC 1 and SOC 2 examinations.

Other Frameworks

19 terms

Additional compliance frameworks and standards

Cyber Essentials
A UK government-backed cybersecurity certification scheme with 5 technical controls: Firewalls, Secure Configuration, Security Updates, User Access Control, and Malware Protection. Required for many UK government contracts. Valid for 12 months.
HIPAA
Health Insurance Portability and Accountability Act - US legislation that sets standards for protecting sensitive patient health information (PHI). Applies to healthcare providers, health plans, and their business associates.
PCI DSS
Payment Card Industry Data Security Standard - Security standard for organizations that handle credit card data. Required for any business that stores, processes, or transmits cardholder data. 12 requirement categories.
DORA
Digital Operational Resilience Act - EU regulation requiring financial entities to ensure they can withstand, respond to, and recover from ICT-related disruptions. Effective January 2025.
NIS 2
Network and Information Security Directive 2 - EU directive expanding cybersecurity requirements to more sectors including digital infrastructure, ICT services, and public administration. Broader scope than NIS 1.
HDS
Hébergeur de Données de Santé - French certification required for hosting health data. Based on ISO 27001 with additional healthcare-specific requirements. Required for any organization hosting French patient data.
SOC 1
System and Organization Controls 1 - An audit report focused on internal controls relevant to financial reporting. Used by service organizations whose services affect their customers' financial statements. Different from SOC 2 (security controls).
SOC 3
A publicly distributable version of the SOC 2 report. Contains the auditor's opinion but less detail than SOC 2. Used for marketing purposes when the full SOC 2 report cannot be shared.
NIST Cybersecurity Framework (CSF)
A voluntary framework developed by the National Institute of Standards and Technology that provides guidelines for managing cybersecurity risk. Organized around five functions: Identify, Protect, Detect, Respond, and Recover. Widely adopted across industries and often referenced in enterprise security questionnaires.
CCPA / California Consumer Privacy Act
A California state privacy law granting residents rights over their personal information, including the right to know, delete, and opt out of sales. Applies to businesses meeting revenue or data volume thresholds. Amended by CPRA which added the right to correct and created a dedicated enforcement agency.
TISAX
Trusted Information Security Assessment Exchange, a security assessment standard for the automotive industry managed by the ENX Association. Required by major automotive manufacturers for suppliers handling sensitive information. Based on ISO 27001 with automotive-specific requirements.
VAPT / Vulnerability Assessment and Penetration Testing
A combined approach that uses automated vulnerability scanning alongside manual penetration testing to identify security weaknesses. The assessment finds vulnerabilities while the penetration test validates exploitability and business impact. Often required annually for compliance.
Penetration Testing as a Service (PTaaS)
A delivery model for penetration testing that combines continuous or frequent testing with a platform for managing findings and retesting. Unlike traditional annual pentests, PTaaS enables ongoing security validation integrated into the development lifecycle.
Approved Scanning Vendor (ASV)
An organization approved by the PCI Security Standards Council to conduct external vulnerability scans for PCI DSS compliance. Quarterly ASV scans are required for merchants and service providers handling payment card data.
PHI / Protected Health Information
Under HIPAA, any individually identifiable health information held by a covered entity or business associate. Includes medical records, test results, prescription information, and billing data when linked to personal identifiers. Requires specific safeguards for storage, transmission, and access.
ISACA
A global professional association focused on IT governance, risk management, and cybersecurity. Administers certifications including CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), and CRISC (Certified in Risk and Information Systems Control).
Attestation of Compliance (AoC)
A formal document confirming that an organization has met the requirements of a compliance standard. Most commonly used in PCI DSS contexts, where merchants and service providers sign an AoC after completing their assessment. Similar in purpose to a SOC 2 report or ISO 27001 certificate.
Security Posture
The overall security status of an organization, encompassing its policies, controls, risk tolerance, and ability to defend against and respond to threats. A strong security posture requires continuous assessment and improvement, not just point-in-time compliance.
Cybersecurity Policy
A high-level document that defines an organization's approach to protecting its information systems and data. Establishes security objectives, roles and responsibilities, and acceptable use standards. The foundation upon which specific security procedures and controls are built.