SOC 2
AICPA service organization report
Independent CPA opinion on whether a service organization's controls meet the AICPA Trust Services Criteria. Type 1 is point-in-time; Type 2 covers an observation window of three to twelve months.
Every framework brings its own vocabulary. Some terms are interchangeable across regimes; some look identical but mean different things. This is the glossary HSD's engineers use day to day, written without the consultant-speak.
Point-in-time control design opinion
Auditor opinion on whether controls were suitably designed at a specific date. Useful as a sales artifact while accumulating operating history for Type 2.
Operating effectiveness over a window
Auditor opinion that controls were suitably designed and operated effectively over an observation window, typically three to twelve months. The artifact most enterprise procurement teams want to see.
AICPA criteria used in SOC 2
Five criteria categories used in SOC 2: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Maintained by the AICPA Assurance Services Executive Committee.
Public-facing summary of SOC 2
Short, public version of a SOC 2 Type 2 report intended for general distribution. No detailed test results; suitable for marketing pages.
ISMS certification standard
International standard for an Information Security Management System. Certification by an accredited certification body, valid three years with annual surveillance audits. The 2022 revision restructured Annex A into 93 controls across four themes.
Information Security Management System
The set of policies, procedures, controls, and processes that an organization runs to manage information security risk. ISO 27001 certifies whether an ISMS meets the standard's requirements.
ISO 27001 control list
The catalog of reference controls in ISO/IEC 27001:2022, organized into organizational, people, physical, and technological themes. Selection of which controls to include is captured in the Statement of Applicability.
ISO 27001 control selection document
Required artifact listing every Annex A control with a determination of inclusion, exclusion, or partial inclusion, plus rationale for each. Among the most-scrutinized documents in the Stage 1 audit.
United States health information law
United States federal law governing protected health information held by covered entities and business associates. The Security Rule covers ePHI safeguards; the Privacy Rule covers PHI use and disclosure.
Protected Health Information
Individually identifiable health information held or transmitted by a covered entity or business associate, in any form. Subject to the HIPAA Privacy Rule.
Electronic Protected Health Information
PHI created, received, maintained, or transmitted in electronic form. Subject to the HIPAA Security Rule's technical safeguards.
HIPAA-required vendor contract
Contract between a covered entity and a business associate (or between a business associate and a downstream subcontractor) with specific terms required by 45 CFR §164.504(e). Required before PHI is disclosed.
Payment card data security standard
Payment Card Industry Data Security Standard. Current version v4.0 with phased enforcement through 2025. Compliance level depends on transaction volume.
QSA-issued PCI DSS report
Formal Report on Compliance signed by a Qualified Security Assessor for Level 1 PCI DSS merchants. Includes detailed test results and is submitted to the acquirer.
Merchant-completed PCI DSS attestation
PCI DSS questionnaire merchants complete themselves, in variants A through D depending on processing method. SAQ A applies when card data flow is fully outsourced to a processor.
PCI DSS summary attestation
One-page summary attesting to PCI DSS compliance, signed by the merchant or the QSA. Submitted to acquirers; the public-facing artifact.
PCI-approved external vulnerability scanner
Vendor approved by the PCI SSC to perform external vulnerability scans against the cardholder data environment. Quarterly scans are required.
PCI-approved auditor
Firm or individual approved by the PCI SSC to perform PCI DSS assessments and issue Reports on Compliance. Required for Level 1 merchants.
EU data protection regulation
European Union regulation governing the processing of personal data of EU and EEA residents. Effective 2018. Penalties scale up to four percent of global turnover.
India data protection law
Digital Personal Data Protection Act 2023, India's data protection law. Uses the terms Data Fiduciary and Data Principal. Implementation rules phased through 2024 and 2025.
Decides processing purposes (GDPR)
Under GDPR, the natural or legal person that determines the purposes and means of processing personal data. The party with primary responsibility for compliance.
Processes on behalf of a controller (GDPR)
Under GDPR, the natural or legal person that processes personal data on behalf of a controller. Article 28 contracts govern the relationship.
Two controllers, jointly determining purposes
Under GDPR Article 26, two or more controllers that jointly determine the purposes and means of processing. They must set out their respective responsibilities in a transparent arrangement.
DPDP equivalent of controller
Under India's DPDP Act, the entity that determines the purpose and means of processing personal data. Equivalent in concept to GDPR controller.
DPDP equivalent of data subject
Under India's DPDP Act, the individual to whom the personal data relates. Equivalent in concept to GDPR data subject.
DPDP elevated obligations tier
A Data Fiduciary designated by the central government based on the volume and sensitivity of its processing. SDFs face additional obligations, including a DPO based in India and an annual independent data audit.
Privacy program lead
Required under GDPR Article 37 for some processing types and under DPDP for Significant Data Fiduciaries. Independent role responsible for monitoring compliance and advising the organization.
Processor's downstream vendor
A vendor a processor engages to process personal data on behalf of the processor's customer. Requires controller authorization and a flow-down processor agreement.
HIPAA-regulated organization
Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a covered transaction.
HIPAA vendor handling PHI
Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Direct HIPAA obligations under the Omnibus Rule.
Issues ISO certificates
Accredited organization that performs ISO 27001 audits and issues the certificate. Must be accredited by an IAF member body such as UKAS or ANAB for the certificate to be internationally recognized.
Issues audit opinion
Independent firm that performs the audit and issues the report or certificate. For SOC 2 a licensed CPA firm; for ISO 27001 an accredited certification body.
Auditor opinion on assertions
An auditor's opinion on whether management's assertions about controls are fairly stated. SOC 2 reports are attestation engagements under AICPA SSAE 18.
Third-party affirmation against a standard
An accredited body's affirmation that an organization meets the requirements of a standard. ISO 27001 is a certification; SOC 2 is an attestation.
Authority to certify
A national or international body's recognition that a certification body is competent to perform certifications. UKAS and ANAB are accreditation bodies for certification bodies that issue ISO 27001 certificates.
Auditor process review
Auditor procedure in which the auditor walks through a process step by step with the responsible party to understand how a control operates in practice. Common during SOC 2 fieldwork.
Auditor question
Auditor obtains information by asking responsible parties. Lowest-evidence procedure; usually combined with corroborating procedures.
Auditor evidence review
Auditor examines records, documents, or assets. Higher-evidence procedure than inquiry.
Auditor independently performs the control
Auditor independently executes the control to test its operation. Strongest single procedure, used selectively.
Subset of a population tested
Auditor selects a representative subset of items from a population (such as access reviews or change tickets) to test rather than examining every instance. Sample size depends on control frequency and risk.
Control gap
A control that is missing, poorly designed, or not operating as intended. Identified during the audit; severity ranges from minor to material weakness.
Severe deficiency
A deficiency, or combination of deficiencies, that creates a reasonable possibility of a material misstatement of the entity's assertions. Triggers a qualified or adverse opinion.
Audit opinion with exceptions
Auditor opinion that is favorable except for specific identified exceptions, which are described in the report. Better than adverse but worse than unqualified.
Clean audit opinion
Auditor opinion without exceptions. The cleanest result; what most service organizations target.
ISO documentation review
First of two ISO 27001 certification audit stages. Reviews ISMS documentation, Statement of Applicability, internal audit results, and management review records before fieldwork.
ISO operational fieldwork
Second ISO 27001 certification audit stage. Fieldwork against the operating ISMS; certification decision based on findings. Usually two to six weeks after Stage 1.
Annual ISO check-in
Annual ISO 27001 audit performed by the certification body to confirm the ISMS continues to meet the standard. Lighter than Stage 2 but reviews specific clauses each year.
SOC 2 gap-period attestation
Letter from the auditor or the service organization addressing the period between the SOC 2 report end date and the customer's reliance date. Common when a customer's request arrives after the report period has ended.
Governance, Risk, and Compliance
Umbrella term for the disciplines and tooling around an organization's policy program, risk management, and compliance posture. Often used loosely to describe compliance automation platforms.
Third-Party Risk Management
Process for assessing and monitoring the risk introduced by vendors and partners. Includes vendor due diligence, ongoing monitoring, and contractual controls.
Identification and analysis of risks
Documented process to identify, analyze, and prioritize risks. Required by every major framework. Methodology and frequency vary; the methodology itself must be documented.
Risk before controls
Level of risk in the absence of any controls. Comparing inherent risk to residual risk shows the effectiveness of the control program.
Risk remaining after controls
Level of risk that remains after applying controls. Risk acceptance, transfer, or further treatment decisions are made on residual risk.
Plan to address identified risks
Decision and plan for what to do with each identified risk: accept, transfer, mitigate, or avoid. Required ISO 27001 artifact.
Mechanism that addresses a risk
Policy, procedure, or technical mechanism intended to reduce a specific risk or provide a specific assurance. Controls map to framework requirements.
Alternative when standard control is impractical
Alternative control implemented when the prescribed control is not feasible. Must achieve the same risk reduction; documentation must justify the substitution.
Recovery Time Objective
Maximum acceptable downtime for a business process or system after a disruption. Drives backup and disaster recovery design.
Recovery Point Objective
Maximum acceptable amount of data loss measured in time. Drives backup frequency.
Business Continuity Plan
Plan for maintaining or quickly resuming critical business functions during and after a disruption. Tested at least annually under most frameworks.
Disaster Recovery Plan
Plan focused specifically on recovering IT systems and data after a disruption. Subset of business continuity planning.
Data Protection Impact Assessment
Required under GDPR Article 35 for high-risk processing including systematic profiling, large-scale special categories, and systematic monitoring. Documents risks and mitigations before processing begins.
GDPR Article 28 contract
Contract between controller and processor with terms required by GDPR Article 28. Customers' security teams typically expect a current DPA before signing.
EU-approved transfer clauses
EU Commission-approved contract clauses for transferring personal data to non-adequate countries. The 2021 SCCs replaced the 2010 versions; old contracts must be updated.
EU recognition of country protection
EU Commission decision that a non-EU country provides adequate data protection. Transfers to adequate countries do not require additional safeguards. Limited list including UK, Switzerland, Japan, and a few others.
GDPR Article 30 inventory
Required inventory of processing activities under GDPR Article 30. Maintained by both controllers and processors. Most-requested artifact in supervisory authority inquiries.
Individual rights request
Request from a data subject to exercise rights under GDPR (access, rectification, erasure, portability, objection) or equivalent rights under other privacy regimes. Response window typically one month.
GDPR justification for processing
One of six bases under GDPR Article 6 that justifies processing personal data: consent, contract, legal obligation, vital interests, public interest, legitimate interests. Must be identified before processing begins.
Sensitive personal data under GDPR
Categories of personal data with elevated protection under GDPR Article 9: race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health, sex life, sexual orientation.
Reversible de-identification
Processing personal data so it can no longer be attributed to a data subject without additional information held separately. Reduces risk under GDPR but data remains personal data.
Irreversible de-identification
Processing personal data so it can no longer be attributed to any data subject by any means reasonably likely to be used. Truly anonymous data falls outside GDPR scope.
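The difference between the two entries above, as an added Python example that is not part of the original glossary: pseudonymization swaps direct identifiers for a keyed token and keeps a lookup table elsewhere, so the data can be re-identified by whoever holds that table; anonymization drops the identifiers and generalizes the remaining quasi-identifiers with no table to reverse it. The records and key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample records; no real people.
RECORDS = [
    {"name": "Asha Rao", "email": "asha@example.com", "age": 34, "postcode": "560034", "diagnosis": "asthma"},
    {"name": "Ben Ortiz", "email": "ben@example.com", "age": 41, "postcode": "560001", "diagnosis": "asthma"},
    {"name": "Chen Wei", "email": "chen@example.com", "age": 37, "postcode": "560042", "diagnosis": "diabetes"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the email).
    Returns (pseudonymized records, lookup table). The key and the lookup table
    are the 'additional information held separately': anyone holding them can
    re-identify, so the output is still personal data under GDPR."""
    lookup = {}
    out = []
    for rec in records:
        token = hmac.new(key, rec["email"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"subject_id": token, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(pseudo_record, lookup):
    """Reverse pseudonymization using the separately held lookup table."""
    rest = {k: v for k, v in pseudo_record.items() if k != "subject_id"}
    return {**lookup[pseudo_record["subject_id"]], **rest}


def anonymize(records):
    """Drop direct identifiers entirely and generalize quasi-identifiers
    (age to a 10-year band, postcode to its first three digits). No lookup
    table is produced, so there is nothing to reverse."""
    out = []
    for rec in records:
        low = (rec["age"] // 10) * 10
        out.append({"age_band": f"{low}-{low + 9}", "area": rec["postcode"][:3], "diagnosis": rec["diagnosis"]})
    return out


if __name__ == "__main__":
    pseudo, table = pseudonymize(RECORDS, b"constructed-demo-key")
    print(pseudo[0], "->", reidentify(pseudo[0], table))
    print(anonymize(RECORDS))
```

Generalization alone does not guarantee anonymity; whether the output truly falls outside GDPR depends on what other data a recipient could link to it.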
Multi-Factor Authentication
Authentication using two or more factors from different categories: knowledge, possession, inherence. Required by every modern compliance framework, with PCI DSS v4.0 expanding scope to all CDE access.
Single Sign-On
Centralized authentication so a user signs in once and accesses multiple applications. Typically implemented via SAML or OIDC. Auditors expect SSO for production access.
System for Cross-domain Identity Management
Standard protocol for automating user provisioning and deprovisioning across SaaS applications. Reduces manual offboarding errors that auditors flag in access reviews.
Just-In-Time access provisioning
Granting elevated access only when needed and only for the time required. Reduces standing privileged access; preferred control for cloud production environments.
Security Information and Event Management
Centralized aggregation, correlation, and analysis of security event data. Required under most frameworks for monitoring and detection.
Endpoint Detection and Response
Endpoint security capability that detects, investigates, and responds to threats on devices. Increasingly expected by auditors as antivirus alone is no longer considered sufficient.
Mobile Device Management
Centralized management of company devices: enforcement of disk encryption, screen lock, OS updates, application allowlists. Required for endpoint compliance under most frameworks.
Encryption of stored data
Cryptographic protection of data while stored. Cloud providers typically offer this by default; auditors verify it is enabled for systems holding sensitive data.
Encryption of data in motion
Cryptographic protection of data while moving across networks. Typically TLS 1.2 or higher; auditors verify enforcement and certificate management.
Authorized adversarial test
Authorized simulation of an attack against systems, performed under defined rules of engagement, to identify exploitable vulnerabilities. Required annually under PCI DSS and expected under SOC 2.
Automated weakness check
Automated scan to identify known vulnerabilities. Different from penetration testing; typically run quarterly or more frequently. Required under PCI DSS via Approved Scanning Vendor.
Pentest scope and constraints
Documented rules governing a penetration test: in-scope assets, out-of-scope assets, testing windows, escalation contacts, authorized techniques. Required before any pentest begins.
Email any compliance term you wish was defined here. We add the ones that come up in real engagements.