Security & Compliance Glossary

Clear definitions for SOC 2, ISO 27001, GDPR, and security terminology. Everything you need to understand compliance.

SOC 2

8 terms

Terms related to SOC 2 compliance and auditing

SOC 2
System and Organization Controls 2 - An auditing procedure developed by the AICPA that evaluates a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. Unlike a certification, SOC 2 produces an audit report issued by a licensed CPA firm.
Trust Services Criteria (TSC)
The five categories of controls evaluated in a SOC 2 audit: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Developed by the AICPA, these criteria define the control objectives organizations must meet.
SOC 2 Type 1
A point-in-time audit that evaluates whether controls are designed appropriately on a specific date. It proves controls exist but not that they work consistently over time. Most enterprise customers do not accept Type 1 as real compliance.
SOC 2 Type 2
A period-of-time audit that evaluates whether controls are designed appropriately AND operating effectively over a minimum 3-month observation period. This is the industry standard that enterprise customers expect.
Observation Period
The mandatory 3-month (minimum) timeframe during which auditors monitor and test controls for a SOC 2 Type 2 report. This period is set by AICPA standards and cannot be compressed or shortened.
Common Criteria (CC)
The nine control categories (CC1-CC9) that make up the Security criterion in SOC 2. Includes Control Environment, Communication, Risk Assessment, Monitoring, Control Activities, Access Controls, System Operations, Change Management, and Risk Mitigation.
AICPA
American Institute of Certified Public Accountants - The organization that developed and maintains the SOC 2 framework, Trust Services Criteria, and auditing standards. Only licensed CPA firms can issue SOC 2 reports.
In-Progress Letter
A letter from auditors confirming that an organization has engaged in the SOC 2 audit process. Used to satisfy procurement requirements while the observation period is ongoing. Includes the security controls being audited and estimated completion date.

ISO 27001

8 terms

Terms related to ISO 27001 certification

ISO 27001
An international standard for information security management systems (ISMS), published by the International Organization for Standardization. Unlike SOC 2, it produces an actual certificate valid for 3 years, with annual surveillance audits.
ISMS
Information Security Management System - A systematic approach to managing sensitive company information through people, processes, and technology. Required for ISO 27001 certification and includes policies, procedures, risk assessments, and continuous improvement.
Statement of Applicability (SoA)
A key ISO 27001 document that lists all 93 controls from Annex A and indicates which are applicable, which are implemented, and justification for any exclusions. Required for certification.
Stage 1 Audit
The first phase of ISO 27001 certification where auditors review documentation to verify ISMS readiness. Covers policies, risk assessment methodology, Statement of Applicability, and management commitment. Identifies gaps before Stage 2.
Stage 2 Audit
The main ISO 27001 certification audit where auditors verify controls are implemented and operating effectively. Includes interviews, evidence review, and testing. Results in certification if passed.
Surveillance Audit
Annual audits in years 2 and 3 of the ISO 27001 certification cycle. Shorter than initial certification, they verify continued compliance and continuous improvement of the ISMS.
Annex A Controls
The 93 security controls organized in 4 categories (Organizational, People, Physical, Technological) that organizations select from when building their ISO 27001 ISMS. Not all controls are mandatory - selection is risk-based.
Certification Body
An accredited organization authorized to conduct ISO 27001 audits and issue certificates. Must be accredited by a national accreditation body (e.g., UKAS in the UK, COFRAC in France) to ensure audit quality.

GDPR & Privacy

9 terms

Terms related to data protection and privacy regulations

GDPR
General Data Protection Regulation - The European Union's comprehensive data protection law effective since May 25, 2018. Applies to any organization processing personal data of EU residents, regardless of company location. Maximum penalty is €20 million or 4% of global annual revenue.
Personal Data
Any information relating to an identified or identifiable natural person (data subject). Includes direct identifiers (name, email), online identifiers (IP address, cookies), and any data that can be combined to identify someone.
Data Controller
The organization that determines the purposes and means of processing personal data. Responsible for compliance, must have legal basis for processing, and is liable for processor actions. Typically your company when you collect customer data.
Data Processor
An organization that processes personal data on behalf of a controller. Must follow controller instructions, have a Data Processing Agreement (DPA), and implement appropriate security. Examples: cloud providers, CRM vendors, analytics tools.
Data Processing Agreement (DPA)
A legally binding contract between data controller and processor that defines data processing terms, security requirements, sub-processor rules, and GDPR compliance obligations. Required by Article 28 of GDPR.
Lawful Basis
One of six legal grounds required to process personal data under GDPR: Consent, Contract, Legal Obligation, Vital Interests, Public Task, or Legitimate Interests. Most B2B SaaS companies rely on Contract or Legitimate Interests.
Data Subject Rights
Rights granted to individuals under GDPR including: Right of Access, Right to Rectification, Right to Erasure (Right to be Forgotten), Right to Restrict Processing, Right to Data Portability, Right to Object, and rights related to automated decision-making.
DSAR
Data Subject Access Request - A formal request from an individual to access their personal data held by an organization. Must be responded to within one month under GDPR, free of charge.
DPO
Data Protection Officer - A designated individual responsible for overseeing GDPR compliance. Required for public authorities, organizations doing large-scale systematic monitoring, or those processing special category data at scale.

Security Controls

10 terms

Common security and technical control terminology

MFA / Multi-Factor Authentication
A security mechanism requiring two or more verification factors to access an account or system. Typically combines something you know (password), something you have (phone/token), or something you are (biometrics). Required for SOC 2 compliance on all critical systems.
Encryption at Rest
The practice of encrypting stored data (in databases, file systems, backups) so it cannot be read without the decryption key. Standard is AES-256. Required for SOC 2 and most compliance frameworks.
Encryption in Transit
The practice of encrypting data as it moves between systems or networks using protocols like TLS 1.2+. Protects against man-in-the-middle attacks. Required for all external connections in compliance frameworks.
Penetration Testing
Authorized simulated cyber attacks performed by security professionals to identify vulnerabilities before malicious hackers do. Typically 20+ hours of manual testing. Required annually for SOC 2; not required for ISO 27001.
Vulnerability Scanning
Automated tools that scan systems, applications, and networks for known vulnerabilities. Should run regularly (weekly or on code changes). Complements but does not replace penetration testing.
RBAC / Role-Based Access Control
A method of restricting system access based on user roles rather than individual permissions. Implements least privilege by granting only the access needed for each role. Core requirement for SOC 2 and ISO 27001.
Least Privilege
The security principle that users and systems should have only the minimum access necessary to perform their functions. Reduces attack surface and limits damage from compromised accounts.
MDM / Mobile Device Management
Software that enables organizations to secure, monitor, and manage employee mobile devices and laptops. Can enforce encryption, remote wipe, and security policies. Required for endpoint security in most compliance frameworks.
EDR / Endpoint Detection and Response
Security technology that monitors endpoint devices (laptops, servers) for suspicious activity, detects threats, and enables rapid response. More advanced than traditional antivirus.
SIEM
Security Information and Event Management - A system that aggregates and analyzes log data from across an organization's IT infrastructure to detect security threats and enable incident response.

Compliance & Governance

10 terms

General compliance and governance terminology

Compliance Framework
A structured set of guidelines, controls, and best practices that organizations follow to meet regulatory requirements or industry standards. Examples: SOC 2, ISO 27001, GDPR, HIPAA, PCI DSS.
vCISO
Virtual Chief Information Security Officer - An outsourced security executive who provides strategic security leadership on a part-time or fractional basis. Cost-effective alternative to full-time CISO for startups and SMBs.
Risk Assessment
The systematic process of identifying, analyzing, and evaluating security risks to an organization's information assets. Required for both SOC 2 and ISO 27001. Includes threat identification, vulnerability assessment, and impact analysis.
Risk Register
A documented list of identified risks including their likelihood, impact, risk level, treatment decision, controls applied, and residual risk. Central document for risk management in ISO 27001.
Control
A safeguard or countermeasure implemented to reduce risk to an acceptable level. Can be technical (firewalls, encryption), administrative (policies, training), or physical (locks, cameras).
Evidence Collection
The process of gathering documentation and proof that controls are implemented and operating effectively. Can be automated through integrations or manual through screenshots, logs, and documents.
Access Review
The periodic review of user access rights to ensure they remain appropriate. Typically conducted quarterly. Verifies least privilege is maintained and removes inappropriate access.
Incident Response
The organized approach to detecting, responding to, and recovering from security incidents. Includes preparation, detection, containment, eradication, recovery, and post-incident review phases.
Business Continuity
The capability to continue essential business functions during and after a disaster or disruption. Includes Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP).
Vendor Risk Management
The process of identifying, assessing, and mitigating risks associated with third-party vendors who have access to your data or systems. Required for SOC 2 (CC9) and ISO 27001 (Supplier Relationships).

Other Frameworks

8 terms

Additional compliance frameworks and standards

Cyber Essentials
A UK government-backed cybersecurity certification scheme with 5 technical controls: Firewalls, Secure Configuration, Security Updates, User Access Control, and Malware Protection. Required for many UK government contracts. Valid for 12 months.
HIPAA
Health Insurance Portability and Accountability Act - US legislation that sets standards for protecting sensitive patient health information (PHI). Applies to healthcare providers, health plans, and their business associates.
PCI DSS
Payment Card Industry Data Security Standard - Security standard for organizations that handle credit card data. Required for any business that stores, processes, or transmits cardholder data. 12 requirement categories.
DORA
Digital Operational Resilience Act - EU regulation requiring financial entities to ensure they can withstand, respond to, and recover from ICT-related disruptions. Effective January 2025.
NIS 2
Network and Information Security Directive 2 - EU directive expanding cybersecurity requirements to more sectors including digital infrastructure, ICT services, and public administration. Broader scope than NIS 1.
HDS
Hébergeur de Données de Santé - French certification required for hosting health data. Based on ISO 27001 with additional healthcare-specific requirements. Required for any organization hosting French patient data.
SOC 1
System and Organization Controls 1 - An audit report focused on internal controls relevant to financial reporting. Used by service organizations whose services affect their customers' financial statements. Different from SOC 2 (security controls).
SOC 3
A publicly distributable version of the SOC 2 report. Contains the auditor's opinion but less detail than SOC 2. Used for marketing purposes when the full SOC 2 report cannot be shared.
