Security & Compliance Glossary

Clear definitions for SOC 2, ISO 27001, GDPR, and security terminology. Everything you need to understand compliance.

DevSecOps & Application Security

14 terms

Terms related to secure software development and application security testing

SAST / Static Application Security Testing
A white-box testing method that analyzes source code, bytecode, or binaries for security vulnerabilities without executing the application. SAST tools scan code early in the development lifecycle to find issues like SQL injection, XSS, and insecure configurations before deployment.
Related: DAST / Dynamic Application Security Testing, SCA / Software Composition Analysis, CI/CD Pipeline Security +1 more
DAST / Dynamic Application Security Testing
A black-box testing method that tests running applications for vulnerabilities by simulating attacks from the outside. Unlike SAST, DAST doesn't require source code access and finds runtime issues like authentication flaws, server misconfigurations, and injection vulnerabilities.
Related: SAST / Static Application Security Testing, Penetration Testing, OWASP Top 10 +1 more
SCA / Software Composition Analysis
Automated tools that identify open source components in your codebase, detect known vulnerabilities (CVEs), and flag license compliance issues. Critical for managing supply chain risk since modern applications often contain 80%+ open source code.
Related: SBOM / Software Bill of Materials, CVE / Common Vulnerabilities and Exposures, Open Source Dependencies +1 more
SBOM / Software Bill of Materials
A formal, machine-readable inventory of all software components, libraries, and dependencies in an application. Required by US Executive Order 14028 for federal software vendors. Enables rapid vulnerability response when new CVEs are disclosed.
Related: SCA / Software Composition Analysis, Open Source Dependencies, Software Supply Chain Security +1 more
CI/CD Pipeline Security
Security practices integrated into Continuous Integration/Continuous Deployment pipelines, including automated SAST/DAST scans, dependency checks, secrets detection, and infrastructure-as-code validation. Enables 'shift left' security by catching issues before production.
Related: SAST / Static Application Security Testing, DAST / Dynamic Application Security Testing, Secrets Detection +1 more
Secrets Detection
Automated scanning of code repositories, configuration files, and CI/CD pipelines to identify exposed credentials, API keys, tokens, and other sensitive data. Prevents accidental exposure of secrets that could lead to data breaches or unauthorized access.
Related: CI/CD Pipeline Security, SAST / Static Application Security Testing, Encryption at Rest
IaC Scanning
Infrastructure as Code Scanning - Automated security analysis of infrastructure definitions (Terraform, CloudFormation, Kubernetes manifests) to detect misconfigurations before deployment. Catches issues like public S3 buckets, overly permissive IAM policies, and unencrypted resources.
Related: Cloud Misconfiguration, CSPM / Cloud Security Posture Management, CI/CD Pipeline Security
Container Scanning
Security analysis of container images to identify vulnerabilities in base images, installed packages, and application dependencies. Should run in CI/CD pipelines and container registries. Critical as containers often inherit vulnerabilities from their base images.
Related: SCA / Software Composition Analysis, CVE / Common Vulnerabilities and Exposures, CI/CD Pipeline Security +1 more
Open Source Dependencies
Third-party libraries and packages incorporated into applications from public repositories (npm, PyPI, Maven, etc.). While accelerating development, they introduce supply chain risk through vulnerabilities, malicious packages, and license compliance issues.
Related: SCA / Software Composition Analysis, SBOM / Software Bill of Materials, Software Supply Chain Security +1 more
Software Supply Chain Security
Protecting the integrity of software from development through deployment, including securing build systems, verifying dependencies, signing artifacts, and maintaining SBOMs. High-profile attacks (SolarWinds, Log4j) have made this a board-level concern.
Related: SBOM / Software Bill of Materials, SCA / Software Composition Analysis, Open Source Dependencies +1 more
False Positive
A security alert that incorrectly identifies benign code or behavior as a vulnerability or threat. High false positive rates waste developer time and lead to alert fatigue. Quality security tools balance detection accuracy with minimizing false positives.
Related: SAST / Static Application Security Testing, Vulnerability Scanning, DAST / Dynamic Application Security Testing
Open Source License Scanning
Automated analysis of open source components to identify their licenses and detect potential compliance issues. Ensures your use of libraries complies with license terms, whether permissive (MIT, Apache) or copyleft (GPL). Critical for avoiding legal risk when shipping software containing third-party code.
Related: SCA / Software Composition Analysis, Open Source Dependencies, SBOM / Software Bill of Materials
Shift-Left Security
The practice of integrating security testing earlier in the software development lifecycle rather than treating it as a final gate before deployment. By shifting security left on the development timeline, teams catch vulnerabilities when they're cheaper and faster to fix.
Related: CI/CD Pipeline Security, SAST / Static Application Security Testing, DevSecOps
DevSecOps
A culture and practice that integrates security into every phase of the software development lifecycle. Combines development, security, and operations teams to automate security testing, enforce policies as code, and build security into the CI/CD pipeline rather than bolting it on at the end.
Related: CI/CD Pipeline Security, Shift-Left Security, SAST / Static Application Security Testing +1 more

Vulnerabilities & Threats

9 terms

Common vulnerability types and security threat terminology

OWASP Top 10
A regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project. Commonly includes risks like Broken Access Control, Cryptographic Failures, Injection, Insecure Design, and Security Misconfiguration. Updated periodically and widely used as the industry standard for web security awareness and developer training.
Related: SQL Injection, XSS / Cross-Site Scripting, SAST / Static Application Security Testing +1 more
CVE / Common Vulnerabilities and Exposures
A standardized identifier system for publicly known cybersecurity vulnerabilities. Each CVE ID (e.g., CVE-2021-44228 for Log4Shell) uniquely identifies a vulnerability, enabling consistent communication and tracking across security tools and databases.
Related: SCA / Software Composition Analysis, Vulnerability Scanning, SBOM / Software Bill of Materials +1 more
SQL Injection
An attack technique that inserts malicious SQL code into application queries through user input, potentially allowing attackers to read, modify, or delete database contents. Prevented through parameterized queries, input validation, and ORM frameworks. Consistently in OWASP Top 10.
Related: OWASP Top 10, SAST / Static Application Security Testing, DAST / Dynamic Application Security Testing +1 more
XSS / Cross-Site Scripting
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. Can steal session cookies, redirect users, or deface websites. Types include Stored XSS, Reflected XSS, and DOM-based XSS. Prevented through output encoding and Content Security Policy.
Related: OWASP Top 10, SQL Injection, SAST / Static Application Security Testing +1 more
SSRF / Server-Side Request Forgery
A vulnerability where an attacker can make a server perform requests to unintended locations, potentially accessing internal services, cloud metadata endpoints, or other protected resources. New addition to OWASP Top 10 in 2021 due to increased cloud adoption.
Related: OWASP Top 10, Cloud Misconfiguration, DAST / Dynamic Application Security Testing
Technical Vulnerability Management
The systematic process of identifying, evaluating, prioritizing, and remediating security vulnerabilities in systems and applications. Includes regular scanning, risk-based prioritization, patch management, and verification. Required by SOC 2, ISO 27001, and most compliance frameworks.
Related: CVE / Common Vulnerabilities and Exposures, Vulnerability Scanning, Penetration Testing +1 more
Zero-Day Vulnerability
A software vulnerability unknown to the vendor and without an available patch. Called 'zero-day' because developers have had zero days to fix it. Highly valuable to attackers and often exploited before detection. Requires defense-in-depth strategies to mitigate.
Related: CVE / Common Vulnerabilities and Exposures, Technical Vulnerability Management, Vulnerability Scanning
Vulnerability Mitigation
The process of reducing or eliminating the risk posed by a security vulnerability. Includes applying patches, implementing compensating controls, adjusting configurations, or accepting residual risk when remediation is not immediately feasible. Part of a comprehensive vulnerability management program.
Related: Technical Vulnerability Management, Vulnerability Scanning, Risk Assessment
Sensitive Data Exposure
A vulnerability category where applications fail to adequately protect sensitive information such as credentials, financial data, or personal information. Often results from weak encryption, improper access controls, or logging sensitive data. A common finding in security assessments and compliance audits.
Related: Encryption at Rest, Encryption in Transit, OWASP Top 10 +1 more

Cloud Security

6 terms

Terms related to securing cloud infrastructure and services

CSPM / Cloud Security Posture Management
Automated tools that continuously monitor cloud infrastructure for misconfigurations, compliance violations, and security risks across AWS, Azure, GCP, and other providers. Identifies issues like public storage buckets, overly permissive IAM policies, and unencrypted resources.
Related: Cloud Misconfiguration, IaC Scanning, Compliance Framework
Cloud Misconfiguration
Security vulnerabilities caused by incorrectly configured cloud resources, such as public S3 buckets, open security groups, or disabled logging. The #1 cause of cloud data breaches. Prevented through IaC scanning, CSPM tools, and cloud security best practices.
Related: CSPM / Cloud Security Posture Management, IaC Scanning, Encryption at Rest
Shared Responsibility Model
The security framework where cloud providers secure the infrastructure (physical security, hypervisor, network) while customers secure what they put in the cloud (data, applications, access management, configurations). Understanding this division is critical for cloud compliance.
Related: CSPM / Cloud Security Posture Management, Cloud Misconfiguration, SOC 2 +1 more
IAM / Identity and Access Management
The framework of policies, processes, and technologies for managing digital identities and controlling access to cloud resources. Includes user provisioning, authentication, authorization, and access governance. Foundation of cloud security and compliance.
Related: RBAC / Role-Based Access Control, MFA / Multi-Factor Authentication, Least Privilege +1 more
Cloud Security Alliance (CSA)
A nonprofit organization dedicated to defining and raising awareness of best practices for securing cloud computing environments. Publishes the Cloud Controls Matrix (CCM) and administers the Security, Trust, Assurance, and Risk (STAR) certification program.
Related: Cloud Controls Matrix (CCM), CSPM / Cloud Security Posture Management, Compliance Framework
Cloud Controls Matrix (CCM)
A cybersecurity control framework published by the Cloud Security Alliance that maps security controls to major compliance standards including SOC 2, ISO 27001, PCI DSS, and GDPR. Provides a baseline for cloud security assessments and vendor evaluations.
Related: Cloud Security Alliance (CSA), CSPM / Cloud Security Posture Management, Compliance Framework +1 more

SOC 2

15 terms

Terms related to SOC 2 compliance and auditing

SOC 2
System and Organization Controls 2 - An auditing procedure developed by the AICPA that evaluates a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. Unlike a certification, SOC 2 produces an audit report issued by a licensed CPA firm.
Related: Trust Services Criteria (TSC), SOC 2 Type 1, SOC 2 Type 2 +3 more
Trust Services Criteria (TSC)
The five categories of controls evaluated in a SOC 2 audit: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Developed by the AICPA, these criteria define the control objectives organizations must meet.
Related: SOC 2, Common Criteria (CC), AICPA
SOC 2 Type 1
A point-in-time audit that evaluates whether controls are designed appropriately on a specific date. It proves controls exist but not that they work consistently over time. Most enterprise customers do not accept Type 1 as real compliance.
Related: SOC 2, SOC 2 Type 2, Observation Period
SOC 2 Type 2
A period-of-time audit that evaluates whether controls are designed appropriately AND operating effectively over a minimum 3-month observation period. This is the industry standard that enterprise customers expect.
Related: SOC 2, SOC 2 Type 1, Observation Period +1 more
Observation Period
The mandatory 3-month (minimum) timeframe during which auditors monitor and test controls for a SOC 2 Type 2 report. This period is set by AICPA standards and cannot be compressed or shortened.
Related: SOC 2 Type 2, Evidence Collection, AICPA
Common Criteria (CC)
The nine control categories (CC1-CC9) that make up the Security criterion in SOC 2. Includes Control Environment, Communication, Risk Assessment, Monitoring, Control Activities, Access Controls, System Operations, Change Management, and Risk Mitigation.
Related: SOC 2, Trust Services Criteria (TSC), Control
AICPA
American Institute of Certified Public Accountants - The organization that developed and maintains the SOC 2 framework, Trust Services Criteria, and auditing standards. Only licensed CPA firms can issue SOC 2 reports.
Related: SOC 2, Trust Services Criteria (TSC), SOC 1 +1 more
In-Progress Letter
A letter from auditors confirming that an organization has engaged in the SOC 2 audit process. Used to satisfy procurement requirements while the observation period is ongoing. Includes the security controls being audited and estimated completion date.
Related: SOC 2, Observation Period, SOC 2 Type 2
SOC 2 Readiness Assessment
A pre-audit evaluation that identifies gaps between your current security posture and SOC 2 requirements. Typically performed by consultants or compliance platforms before engaging auditors. Helps organizations remediate issues before the formal audit begins, reducing risk of findings.
Related: SOC 2, SOC 2 Type 2, Trust Services Criteria (TSC) +1 more
System Description
A required section of a SOC 2 report that describes the service organization's system, including infrastructure, software, people, procedures, and data. Written by the organization and validated by auditors. Defines the scope of what is being audited.
Related: SOC 2, SOC 2 Type 2, Trust Services Criteria (TSC)
SOC Reports
Audit reports issued by licensed CPA firms that evaluate a service organization's controls. SOC 1 focuses on financial reporting controls, SOC 2 on security and operational controls, and SOC 3 is a public summary. The most common request from enterprise customers is SOC 2 Type 2.
Related: SOC 2, SOC 1, SOC 3 +1 more
SOC 2 Auditor
A licensed CPA or CPA firm authorized to perform SOC 2 examinations and issue audit reports. Must be independent from the organization being audited and follow AICPA professional standards. The auditor evaluates whether controls are designed appropriately (Type 1) and operating effectively (Type 2).
Related: SOC 2, SOC 2 Type 1, SOC 2 Type 2 +3 more
SSAE 18
Statement on Standards for Attestation Engagements No. 18, the current AICPA standard governing SOC audits. Replaced SSAE 16 in May 2017 and added requirements for vendor management oversight. All SOC 1, SOC 2, and SOC 3 reports are issued under SSAE 18.
Related: SSAE 16, SOC 2, SOC 1 +1 more
SSAE 16
Statement on Standards for Attestation Engagements No. 16, the predecessor to SSAE 18 that governed SOC audits from 2011 to 2017. Replaced SAS 70 and introduced the modern SOC reporting framework. Organizations may still reference SSAE 16 in older contracts, but all current audits follow SSAE 18.
Related: SSAE 18, SOC 2, SOC 1 +1 more
Gap Analysis
A systematic comparison of your current controls and processes against the requirements of a compliance framework. Identifies what you have, what you need, and the work required to close the gap. The first step in any compliance program.
Related: SOC 2 Readiness Assessment, Risk Assessment, Compliance Framework

ISO 27001

22 terms

Terms related to ISO 27001 certification

ISO 27001
An international standard for information security management systems (ISMS), published by the International Organization for Standardization. Unlike SOC 2, it produces an actual certificate valid for 3 years, with annual surveillance audits.
Related: ISMS, Annex A Controls, Statement of Applicability (SoA) +2 more
ISMS
Information Security Management System - A systematic approach to managing sensitive company information through people, processes, and technology. Required for ISO 27001 certification and includes policies, procedures, risk assessments, and continuous improvement.
Related: ISO 27001, Risk Assessment, Statement of Applicability (SoA) +1 more
Statement of Applicability (SoA)
A key ISO 27001 document that lists all 93 controls from Annex A and indicates which are applicable, which are implemented, and justification for any exclusions. Required for certification.
Related: ISO 27001, Annex A Controls, ISMS +1 more
Stage 1 Audit
The first phase of ISO 27001 certification where auditors review documentation to verify ISMS readiness. Covers policies, risk assessment methodology, Statement of Applicability, and management commitment. Identifies gaps before Stage 2.
Related: ISO 27001, Stage 2 Audit, ISMS +1 more
Stage 2 Audit
The main ISO 27001 certification audit where auditors verify controls are implemented and operating effectively. Includes interviews, evidence review, and testing. Results in certification if passed.
Related: ISO 27001, Stage 1 Audit, Surveillance Audit +1 more
Surveillance Audit
Annual audits in years 2 and 3 of the ISO 27001 certification cycle. Shorter than initial certification, they verify continued compliance and continuous improvement of the ISMS.
Related: ISO 27001, Stage 2 Audit, ISMS +1 more
Annex A Controls
The 93 security controls organized in 4 categories (Organizational, People, Physical, Technological) that organizations select from when building their ISO 27001 ISMS. Not all controls are mandatory - selection is risk-based.
Related: ISO 27001, Statement of Applicability (SoA), ISMS +2 more
Certification Body
An accredited organization authorized to conduct ISO 27001 audits and issue certificates. Must be accredited by a national accreditation body (e.g., UKAS in UK, COFRAC in France) to ensure audit quality.
Related: ISO 27001, Stage 1 Audit, Stage 2 Audit +1 more
ISMS Scope
The boundaries of your Information Security Management System, defining which business units, systems, locations, and data types are covered by ISO 27001 certification. A well-defined scope is required before beginning certification. Broader scope means more controls but greater customer confidence.
Related: ISO 27001, ISMS, Statement of Applicability (SoA)
ISO 22301
The international standard for Business Continuity Management Systems (BCMS). Provides a framework for planning, establishing, implementing, and maintaining business continuity capabilities. Often pursued alongside ISO 27001 by organizations requiring strong resilience guarantees.
Related: Business Continuity, ISO 27001, Incident Response +1 more
ISO 27002
A guidance standard providing implementation advice for the security controls referenced in ISO 27001 Annex A. The 2022 version reorganized controls into four themes: Organizational, People, Physical, and Technological. While not certifiable itself, it helps organizations understand how to implement each control effectively.
Related: ISO 27001, Annex A Controls, Control +1 more
ISO 27003
The international standard providing guidance on implementing an Information Security Management System. Offers practical advice for planning and establishing an ISMS based on ISO 27001 requirements, including project approach, leadership engagement, and documentation strategies.
Related: ISO 27001, ISMS, ISO 27002 +1 more
ISO 27004
The international standard for information security monitoring, measurement, analysis, and evaluation. Provides guidance on developing metrics and KPIs to assess ISMS effectiveness, as required by ISO 27001 Clause 9.1. Helps organizations demonstrate continuous improvement through quantifiable security measures.
Related: ISO 27001, ISMS, ISMS KPIs +2 more
ISO 27005
The international standard providing guidelines for information security risk management. Supports ISO 27001 by detailing how to establish context, assess risks, treat risks, and monitor the risk management process. Helps organizations build a systematic, repeatable approach to security risk assessment.
Related: ISO 27001, Risk Assessment, Risk Register +2 more
ISO 27006
The international standard specifying requirements for certification bodies that audit and certify Information Security Management Systems. Ensures consistency and competence among auditors worldwide. Organizations do not implement this standard directly but benefit from it through reliable, accredited certification audits.
Related: ISO 27001, Certification Body, Stage 1 Audit +1 more
ISO 27007
The international standard providing guidance on conducting ISMS audits, both internal and external. Complements ISO 19011 (general auditing guidance) with information security-specific considerations. Useful for internal audit teams preparing for or conducting ISO 27001 audits.
Related: ISO 27001, Internal Audit, Certification Body +2 more
Internal Audit
A required ISO 27001 activity where organizations evaluate their own ISMS effectiveness before external certification audits. Must be conducted by personnel independent of the areas being audited. Identifies nonconformities and opportunities for improvement.
Related: ISO 27001, ISMS, Stage 1 Audit +2 more
Risk Treatment Plan
A documented plan specifying how identified risks will be addressed, including the controls to be implemented, responsible parties, timelines, and required resources. Required by ISO 27001 Clause 6.1.3. Each risk must be treated by accepting, avoiding, sharing (transferring), or modifying (mitigating) it.
Related: ISO 27001, Risk Assessment, Risk Register +3 more
Management Review
A required ISO 27001 activity where top management evaluates the ISMS performance, audit results, risk treatment status, and opportunities for improvement. Must occur at planned intervals (typically annually). Demonstrates management commitment and drives continuous improvement.
Related: ISO 27001, ISMS, Internal Audit +2 more
Nonconformity
A failure to meet an ISO 27001 requirement, whether from the standard itself, the organization's own ISMS policies, or legal/contractual obligations. When identified, requires corrective action to address the root cause and prevent recurrence. Documented in audit reports and tracked to closure.
Related: ISO 27001, Internal Audit, Stage 2 Audit +2 more
ISMS KPIs
Key Performance Indicators for measuring ISMS effectiveness as required by ISO 27001 Clause 9.1. Common metrics include incident response times, vulnerability remediation rates, access review completion, security training coverage, and audit finding closure times. Must be monitored and reported to management.
Related: ISO 27001, ISMS, Management Review +1 more
ISMS Governing Body
The group or committee responsible for overseeing the Information Security Management System at the strategic level. Typically includes executive leadership who approve policies, allocate resources, review performance, and ensure ISMS alignment with business objectives. Required for demonstrating top management commitment under ISO 27001.
Related: ISO 27001, ISMS, Management Review +1 more

GDPR & Privacy

14 terms

Terms related to data protection and privacy regulations

GDPR
General Data Protection Regulation - The European Union's comprehensive data protection law effective since May 25, 2018. Applies to any organization processing personal data of EU residents, regardless of company location. Maximum penalty is 20 million euros or 4% of global annual revenue.
Related: Personal Data, Data Controller, Data Processor +3 more
Personal Data
Any information relating to an identified or identifiable natural person (data subject). Includes direct identifiers (name, email), online identifiers (IP address, cookies), and any data that can be combined to identify someone.
Related: GDPR, Data Controller, Data Processor +1 more
Data Controller
The organization that determines the purposes and means of processing personal data. Responsible for compliance, must have legal basis for processing, and is liable for processor actions. Typically your company when you collect customer data.
Related: GDPR, Data Processor, Data Processing Agreement (DPA) +1 more
Data Processor
An organization that processes personal data on behalf of a controller. Must follow controller instructions, have a Data Processing Agreement (DPA), and implement appropriate security. Examples: cloud providers, CRM vendors, analytics tools.
Related: GDPR, Data Controller, Data Processing Agreement (DPA) +1 more
Data Processing Agreement (DPA)
A legally binding contract between data controller and processor that defines data processing terms, security requirements, sub-processor rules, and GDPR compliance obligations. Required by Article 28 of GDPR.
Related: GDPR, Data Controller, Data Processor +1 more
Lawful Basis
One of six legal grounds required to process personal data under GDPR: Consent, Contract, Legal Obligation, Vital Interests, Public Task, or Legitimate Interests. Most B2B SaaS companies rely on Contract or Legitimate Interests.
Related: GDPR, Personal Data, Data Controller
Data Subject Rights
Rights granted to individuals under GDPR including: Right of Access, Right to Rectification, Right to Erasure (Right to be Forgotten), Right to Restrict Processing, Right to Data Portability, Right to Object, and rights related to automated decision-making.
Related: GDPR, Personal Data, DSAR
DSAR
Data Subject Access Request - A formal request from an individual to access their personal data held by an organization. Must be responded to within one month under GDPR, free of charge.
Related: GDPR, Data Subject Rights, Personal Data
DPO
Data Protection Officer - A designated individual responsible for overseeing GDPR compliance. Required for public authorities, organizations doing large-scale systematic monitoring, or those processing special category data at scale.
Related: GDPR, Data Controller, vCISO
DPIA / Data Protection Impact Assessment
A structured process required under GDPR when processing is likely to result in high risk to individuals' rights. Identifies privacy risks, evaluates necessity and proportionality, and documents mitigation measures. Required before launching new products or features that process personal data at scale.
Related: GDPR, Privacy by Design, Risk Assessment +1 more
Privacy by Design
A development approach that embeds privacy considerations into systems, products, and business practices from the outset rather than as an afterthought. Required by GDPR Article 25. Includes principles like data minimization, purpose limitation, and security by default.
Related: GDPR, DPIA / Data Protection Impact Assessment, Personal Data +1 more
Special Category Data
Sensitive personal data that requires extra protection under GDPR Article 9. Includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data about sex life or sexual orientation. Processing requires explicit consent or another specific legal basis.
Related: GDPR, Personal Data, Lawful Basis +1 more
Cross-Border Data Transfer
The movement of personal data from one country to another, subject to strict GDPR rules when data leaves the European Economic Area. Requires adequate protection through mechanisms like Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules.
Related: GDPR, Data Processor, Data Processing Agreement (DPA) +1 more
Data Mapping
The process of documenting what personal data your organization collects, where it is stored, how it flows through systems, who has access, and how long it is retained. Required for GDPR compliance and forms the foundation for Records of Processing Activities (RoPA).
Related: GDPR, Personal Data, Data Controller +1 more

Security Controls

18 terms

Common security and technical control terminology

MFA / Multi-Factor Authentication
A security mechanism requiring two or more verification factors to access an account or system. Typically combines something you know (password), something you have (phone/token), or something you are (biometrics). Required for SOC 2 compliance on all critical systems.
Related: RBAC / Role-Based Access Control, Least Privilege, Control +1 more
Encryption at Rest
The practice of encrypting stored data (in databases, file systems, backups) so it cannot be read without the decryption key. Standard is AES-256. Required for SOC 2 and most compliance frameworks.
Related: Encryption in Transit, Control, SOC 2 +1 more
Encryption in Transit
The practice of encrypting data as it moves between systems or networks using protocols like TLS 1.2+. Protects against man-in-the-middle attacks. Required for all external connections in compliance frameworks.
Related: Encryption at Rest, Control, SOC 2 +1 more
Penetration Testing
Authorized simulated cyber attacks performed by security professionals to identify vulnerabilities before malicious hackers do. Typically 20+ hours of manual testing. Required annually for SOC 2; not required for ISO 27001.
Related: Vulnerability Scanning, SOC 2, Risk Assessment
Vulnerability Scanning
Automated tools that scan systems, applications, and networks for known vulnerabilities. Should run regularly (weekly or on code changes). Complements but does not replace penetration testing.
Related: Penetration Testing, Risk Assessment, Control
RBAC / Role-Based Access Control
A method of restricting system access based on user roles rather than individual permissions. Implements least privilege by granting only the access needed for each role. Core requirement for SOC 2 and ISO 27001.
Related: Least Privilege, Access Review, MFA / Multi-Factor Authentication +1 more
Least Privilege
The security principle that users and systems should have only the minimum access necessary to perform their functions. Reduces attack surface and limits damage from compromised accounts.
Related: RBAC / Role-Based Access Control, Access Review, Control
MDM / Mobile Device Management
Software that enables organizations to secure, monitor, and manage employee mobile devices and laptops. Can enforce encryption, remote wipe, and security policies. Required for endpoint security in most compliance frameworks.
Related:EDR / Endpoint Detection and Response, Control, Encryption at Rest
EDR / Endpoint Detection and Response
Security technology that monitors endpoint devices (laptops, servers) for suspicious activity, detects threats, and enables rapid response. More advanced than traditional antivirus.
Related:MDM / Mobile Device Management, SIEM, Incident Response
SIEM
Security Information and Event Management - A system that aggregates and analyzes log data from across an organization's IT infrastructure to detect security threats and enable incident response.
Related:EDR / Endpoint Detection and Response, Incident Response, Evidence Collection
Access Control Policy
A documented set of rules governing who can access which systems, data, and physical locations within an organization. Defines authentication requirements, authorization levels, and access provisioning/deprovisioning procedures. A foundational policy for SOC 2 and ISO 27001 compliance.
Related:RBAC / Role-Based Access Control, Least Privilege, IAM / Identity and Access Management +1 more
Security Awareness Training
Educational programs that teach employees to recognize and respond to security threats like phishing, social engineering, and data handling risks. Required by SOC 2 and ISO 27001. Should be conducted at onboarding and refreshed annually, with additional training for high-risk roles.
Related:Control, SOC 2, ISO 27001 +1 more
Phishing Simulation
Controlled exercises that send simulated phishing emails to employees to test awareness and measure susceptibility to social engineering attacks. Results identify training needs and track improvement over time. Common evidence for SOC 2 security awareness controls.
Related:Security Awareness Training, Control, Evidence Collection
DLP / Data Loss Prevention
Technologies and policies that prevent sensitive data from leaving the organization through unauthorized channels. Monitors and controls data in use, in motion, and at rest. Can block or alert on attempts to email, upload, or copy protected information.
Related:Encryption at Rest, Encryption in Transit, Personal Data +1 more
Audit Trail
A chronological record of system activities that documents who did what, when, and from where. Essential for security investigations, compliance audits, and detecting unauthorized access. Must be tamper-evident and retained according to your retention policy.
Related:SIEM, Evidence Collection, Access Review +1 more
User Activity Monitoring
Tools and processes that track user actions within systems and applications. Captures login events, data access, configuration changes, and administrative actions. Required for detecting insider threats and demonstrating compliance with access controls.
Related:Audit Trail, SIEM, Access Review +1 more
Data Retention Policy
A documented policy specifying how long different types of data must be kept and when they should be securely deleted. Balances legal requirements, business needs, and privacy principles. Required by GDPR (storage limitation) and relevant to multiple compliance frameworks.
Related:GDPR, Personal Data, Control +1 more
Asset Management
The process of identifying, inventorying, classifying, and managing an organization's information assets throughout their lifecycle. Includes hardware, software, data, and cloud resources. A foundational control for both SOC 2 and ISO 27001, as you cannot protect assets you do not know you have.
Related:ISMS, Control, ISO 27001 +2 more

Compliance & Governance

21 terms

General compliance and governance terminology

Compliance Framework
A structured set of guidelines, controls, and best practices that organizations follow to meet regulatory requirements or industry standards. Examples: SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS.
Related:SOC 2, ISO 27001, GDPR +2 more
vCISO
Virtual Chief Information Security Officer - An outsourced security executive who provides strategic security leadership on a part-time or fractional basis. A cost-effective alternative to a full-time CISO for startups and SMBs.
Related:DPO, Risk Assessment, Compliance Framework
Risk Assessment
The systematic process of identifying, analyzing, and evaluating security risks to an organization's information assets. Required for both SOC 2 and ISO 27001. Includes threat identification, vulnerability assessment, and impact analysis.
Related:Risk Register, Control, SOC 2 +2 more
Risk Register
A documented list of identified risks including their likelihood, impact, risk level, treatment decision, controls applied, and residual risk. Central document for risk management in ISO 27001.
Related:Risk Assessment, Control, ISO 27001 +1 more
Control
A safeguard or countermeasure implemented to reduce risk to an acceptable level. Can be technical (firewalls, encryption), administrative (policies, training), or physical (locks, cameras).
Related:Risk Assessment, Annex A Controls, Trust Services Criteria (TSC) +1 more
Evidence Collection
The process of gathering documentation and proof that controls are implemented and operating effectively. Can be automated through integrations or manual through screenshots, logs, and documents.
Related:SOC 2 Type 2, Observation Period, Control +1 more
Access Review
The periodic review of user access rights to ensure they remain appropriate. Typically conducted quarterly. Verifies least privilege is maintained and removes inappropriate access.
Related:RBAC / Role-Based Access Control, Least Privilege, Control
Incident Response
The organized approach to detecting, responding to, and recovering from security incidents. Includes preparation, detection, containment, eradication, recovery, and post-incident review phases.
Related:SIEM, EDR / Endpoint Detection and Response, Business Continuity
Business Continuity
The capability to continue essential business functions during and after a disaster or disruption. Includes Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Related:Incident Response, Risk Assessment, ISO 27001 +1 more
Vendor Risk Management
The process of identifying, assessing, and mitigating risks associated with third-party vendors who have access to your data or systems. Required for SOC 2 (CC9) and ISO 27001 (Supplier Relationships).
Related:Data Processor, Data Processing Agreement (DPA), Risk Assessment +1 more
Vendor Risk Assessment
A structured evaluation of the security risks posed by a third-party vendor before and during the business relationship. Reviews the vendor's security certifications, data handling practices, incident history, and contractual protections. Part of vendor due diligence.
Related:Vendor Risk Management, Vendor Due Diligence, Security Questionnaires +1 more
Vendor Due Diligence
The investigation process conducted before engaging a vendor to evaluate their reliability, security posture, financial stability, and compliance status. Includes reviewing SOC 2 reports, penetration test results, insurance coverage, and references.
Related:Vendor Risk Assessment, Vendor Risk Management, Security Questionnaires +1 more
Security Questionnaires
Standardized forms used to assess a vendor's security practices during procurement. Common formats include SIG (Standardized Information Gathering), CAIQ (Consensus Assessment Initiative Questionnaire), and custom questionnaires. Completing these is a routine part of B2B sales for SaaS companies.
Related:Vendor Risk Assessment, Vendor Due Diligence, SOC 2 +1 more
GRC / Governance, Risk, and Compliance
An integrated approach to aligning IT with business objectives, managing risk effectively, and meeting regulatory requirements. GRC platforms help organizations coordinate policies, automate control testing, and maintain compliance documentation in one place.
Related:Risk Assessment, Compliance Framework, Control +1 more
Compliance Risk Assessment
The process of identifying potential compliance violations, evaluating their likelihood and impact, and prioritizing remediation efforts. Should be conducted when regulations change, before entering new markets, or when launching new products.
Related:Risk Assessment, Gap Analysis, Compliance Framework +1 more
Continuous Compliance
An approach that automates compliance monitoring rather than treating audits as periodic events. Uses integrations to continuously collect evidence, detect control failures, and alert teams to compliance drift. The modern alternative to scrambling before each audit cycle.
Related:Evidence Collection, Compliance Framework, GRC / Governance, Risk, and Compliance +1 more
Continuous Monitoring
The ongoing, automated assessment of security controls and system configurations to detect deviations from the desired state. Provides real-time visibility into your security posture and enables rapid response to issues.
Related:Continuous Compliance, SIEM, CSPM / Cloud Security Posture Management +1 more
Risk Control Matrix
A document that maps identified risks to the controls implemented to mitigate them. Shows the relationship between risks, control objectives, specific controls, control owners, and testing procedures. Used by auditors to understand your control environment.
Related:Risk Register, Control, Risk Assessment +1 more
COSO Framework
A widely recognized framework for designing and evaluating internal controls, published by the Committee of Sponsoring Organizations of the Treadway Commission. Defines five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring.
Related:Control, Risk Assessment, GRC / Governance, Risk, and Compliance +1 more
IT General Controls (ITGC)
Foundational controls that apply across an organization's IT infrastructure and support the reliability of application-specific controls. Include access management, change management, computer operations, and system development. Audited in SOC 1 and SOC 2 examinations.
Related:Control, SOC 2, SOC 1 +1 more
Compliance Automation Software
Platforms that automate the collection of compliance evidence, continuous control monitoring, and audit preparation. Integrate with cloud providers, identity systems, and development tools to reduce manual evidence gathering. Examples of compliance automation vendors include Vanta, Drata, and Bastion.
Related:Evidence Collection, Continuous Compliance, SOC 2 +2 more

Other Frameworks

29 terms

Additional compliance frameworks and standards

Cyber Essentials
A UK government-backed cybersecurity certification scheme with 5 technical controls: Firewalls, Secure Configuration, Security Updates, User Access Control, and Malware Protection. Required for many UK government contracts. Valid for 12 months.
Related:ISO 27001, Compliance Framework, Control
HIPAA
Health Insurance Portability and Accountability Act - US legislation that sets standards for protecting sensitive patient health information (PHI). Applies to healthcare providers, health plans, and their business associates. Includes Privacy, Security, and Breach Notification Rules enforced by the HHS Office for Civil Rights.
Related:PHI / Protected Health Information, HIPAA Covered Entity, HIPAA Business Associate +2 more
HIPAA Covered Entity
Organizations directly regulated by HIPAA: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. Covered entities must implement HIPAA safeguards and can only share PHI with business associates who sign a Business Associate Agreement (BAA).
Related:HIPAA, HIPAA Business Associate, PHI / Protected Health Information +1 more
HIPAA Business Associate
A person or organization that performs functions or activities on behalf of a covered entity involving the use or disclosure of PHI. Examples include cloud hosting providers, billing companies, EHR vendors, and consultants. Must sign a Business Associate Agreement (BAA) and comply with HIPAA Security Rule requirements.
Related:HIPAA, HIPAA Covered Entity, PHI / Protected Health Information +1 more
HITECH Act
Health Information Technology for Economic and Clinical Health Act - A 2009 US law that expanded HIPAA requirements and enforcement. Introduced breach notification requirements, extended direct liability to business associates, and increased penalties for violations up to $1.5 million per violation category per year.
Related:HIPAA, HIPAA Business Associate, HIPAA Covered Entity +1 more
PCI DSS
Payment Card Industry Data Security Standard - Security standard for organizations that handle credit card data. Required for any business that stores, processes, or transmits cardholder data. Defines 12 requirement categories covering network security, access control, monitoring, and information security policies.
Related:Compliance Framework, Cardholder Data (CHD), Cardholder Data Environment (CDE) +2 more
Qualified Security Assessor (QSA)
An individual certified by the PCI Security Standards Council to perform on-site PCI DSS assessments and validate compliance for Level 1 merchants and service providers. QSAs undergo rigorous training and must be re-qualified annually. Required for organizations processing over 6 million card transactions per year.
Related:PCI DSS, Report on Compliance (ROC), Cardholder Data Environment (CDE) +1 more
Report on Compliance (ROC)
The formal PCI DSS compliance report produced by a Qualified Security Assessor after an on-site audit. Documents the assessment scope, methodology, findings, and compliance status for each of the 12 PCI DSS requirements. Required for Level 1 merchants and service providers; submitted to payment brands and acquiring banks.
Related:PCI DSS, Qualified Security Assessor (QSA), Attestation of Compliance (AoC) +1 more
Self-Assessment Questionnaire (SAQ)
A validation tool for smaller merchants and service providers to self-certify PCI DSS compliance without a formal QSA audit. Multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) correspond to different payment processing methods. Most e-commerce businesses complete SAQ A or SAQ D.
Related:PCI DSS, Report on Compliance (ROC), Attestation of Compliance (AoC) +1 more
Cardholder Data (CHD)
Payment card information that must be protected under PCI DSS, including the primary account number (PAN), cardholder name, expiration date, and service code. The PAN is the defining element; if PAN is present, all associated data must be protected according to PCI DSS requirements.
Related:PCI DSS, Cardholder Data Environment (CDE), Encryption at Rest +1 more
Cardholder Data Environment (CDE)
The people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. Defines the scope of a PCI DSS assessment. Reducing CDE scope through network segmentation, tokenization, or outsourcing significantly simplifies compliance.
Related:PCI DSS, Cardholder Data (CHD), Qualified Security Assessor (QSA) +1 more
DORA
Digital Operational Resilience Act - EU regulation requiring financial entities to ensure they can withstand, respond to, and recover from ICT-related disruptions. Effective January 2025.
Related:NIS 2, Business Continuity, Incident Response +1 more
NIS 2
Network and Information Security Directive 2 - EU directive expanding cybersecurity requirements to more sectors including digital infrastructure, ICT services, and public administration. Broader scope than NIS 1.
Related:DORA, GDPR, Compliance Framework +1 more
HDS
Hébergeur de Données de Santé - French certification required for hosting health data. Based on ISO 27001 with additional healthcare-specific requirements. Required for any organization hosting French patient data.
Related:ISO 27001, HIPAA, Personal Data +1 more
SOC 1
System and Organization Controls 1 - An audit report focused on internal controls relevant to financial reporting. Used by service organizations whose services affect their customers' financial statements. Different from SOC 2 (security controls).
Related:SOC 2, SOC 3, AICPA
SOC 3
A publicly distributable version of the SOC 2 report. Contains the auditor's opinion but less detail than SOC 2. Used for marketing purposes when the full SOC 2 report cannot be shared.
Related:SOC 2, SOC 1, AICPA
NIST Cybersecurity Framework (CSF)
A voluntary framework developed by the National Institute of Standards and Technology that provides guidelines for managing cybersecurity risk. Organized around five functions: Identify, Protect, Detect, Respond, and Recover. Widely adopted across industries and often referenced in enterprise security questionnaires.
Related:Compliance Framework, Risk Assessment, Control +2 more
FedRAMP
Federal Risk and Authorization Management Program - A US government program that standardizes security assessment and authorization for cloud products and services used by federal agencies. Based on NIST SP 800-53 controls with three impact levels: Low, Moderate, and High. Required for selling cloud services to the US federal government.
Related:NIST Cybersecurity Framework (CSF), Compliance Framework, SOC 2 +1 more
CMMC
Cybersecurity Maturity Model Certification - A US Department of Defense framework that measures a contractor's cybersecurity capabilities across three maturity levels (Foundational, Advanced, Expert) in the current CMMC 2.0 model. Required for DoD contractors handling Controlled Unclassified Information (CUI). Builds on NIST SP 800-171 with third-party assessment requirements for higher levels.
Related:NIST Cybersecurity Framework (CSF), FedRAMP, Compliance Framework +1 more
CCPA / California Consumer Privacy Act
A California state privacy law granting residents rights over their personal information, including the right to know, delete, and opt out of sales. Applies to businesses meeting revenue or data volume thresholds. Amended by CPRA which added the right to correct and created a dedicated enforcement agency.
Related:GDPR, Personal Data, Data Subject Rights +1 more
TISAX
Trusted Information Security Assessment Exchange, a security assessment standard for the automotive industry managed by the ENX Association. Required by major automotive manufacturers for suppliers handling sensitive information. Based on ISO 27001 with automotive-specific requirements.
Related:ISO 27001, Compliance Framework, Vendor Risk Assessment
VAPT / Vulnerability Assessment and Penetration Testing
A combined approach that uses automated vulnerability scanning alongside manual penetration testing to identify security weaknesses. The assessment finds vulnerabilities while the penetration test validates exploitability and business impact. Often required annually for compliance.
Related:Penetration Testing, Vulnerability Scanning, Technical Vulnerability Management +1 more
Penetration Testing as a Service (PTaaS)
A delivery model for penetration testing that combines continuous or frequent testing with a platform for managing findings and retesting. Unlike traditional annual pentests, PTaaS enables ongoing security validation integrated into the development lifecycle.
Related:Penetration Testing, VAPT / Vulnerability Assessment and Penetration Testing, Continuous Compliance
Approved Scanning Vendor (ASV)
An organization approved by the PCI Security Standards Council to conduct external vulnerability scans for PCI DSS compliance. Quarterly ASV scans are required for merchants and service providers handling payment card data.
Related:PCI DSS, Vulnerability Scanning, Compliance Framework
PHI / Protected Health Information
Under HIPAA, any individually identifiable health information held by a covered entity or business associate. Includes medical records, test results, prescription information, and billing data when linked to personal identifiers. Requires specific safeguards for storage, transmission, and access.
Related:HIPAA, Personal Data, Encryption at Rest +1 more
ISACA
A global professional association focused on IT governance, risk management, and cybersecurity. Administers certifications including CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), and CRISC (Certified in Risk and Information Systems Control).
Related:GRC / Governance, Risk, and Compliance, Risk Assessment, Compliance Framework
Attestation of Compliance (AoC)
A formal document confirming that an organization has met the requirements of a compliance standard. Most commonly used in PCI DSS contexts, where merchants and service providers sign an AoC after completing their assessment. Similar in purpose to a SOC 2 report or ISO 27001 certificate.
Related:PCI DSS, Compliance Framework, SOC 2 +1 more
Security Posture
The overall security status of an organization, encompassing its policies, controls, risk tolerance, and ability to defend against and respond to threats. A strong security posture requires continuous assessment and improvement, not just point-in-time compliance.
Related:Risk Assessment, Continuous Monitoring, Vulnerability Scanning +1 more
Cybersecurity Policy
A high-level document that defines an organization's approach to protecting its information systems and data. Establishes security objectives, roles and responsibilities, and acceptable use standards. The foundation upon which specific security procedures and controls are built.
Related:Access Control Policy, Control, ISMS +1 more