Eliminate the jargon through this detailed guide for understanding important information security and compliance terms.



The American Institute of Certified Public Accountants (AICPA) is the national professional organization of Certified Public Accountants in the USA.

Annex A Controls →

Annex A is a part of the ISO 27001 security standard. It consists of a list of security controls that organizations can utilize according to their needs to improve the security of their information assets.

Approved Scanning Vendor (ASV) →

An Approved Scanning Vendor (ASV) is a company approved by the PCI DSS to conduct external vulnerability scanning services.

California Consumer Privacy Act (CCPA) →

The California Consumer Privacy Act (CCPA) is a state-wide data privacy law regulating how businesses worldwide are allowed to handle California residents' personal information (PI).


Cybersecurity Maturity Model Certification (CMMC) is a standard for implementing cybersecurity across the Defense Industrial Base (DIB).

Compliance Automation Software →

By automating the time-consuming manual procedures generally involved in compliance management, compliance automation software keeps track of a company's internal systems and controls to help guarantee it conforms with the necessary standards and regulations.

Compliance Risk Management →

Compliance risk management is the process of identifying, assessing, and monitoring the risks to your organization against regulations and industry standards, and checking whether the system's internal controls are in place to ensure your organization is infosec compliant.

Compliance Software →

Compliance software monitors an organization’s internal systems and controls, helping ensure it complies with required infosec standards and regulations while saving time and automating the manual tasks typically associated with compliance management.

Cybersecurity →

Cybersecurity is the practice of protecting data, information, programs, systems, devices, and networks from unauthorized or malicious access and use by external sources on the internet.


FedRAMP stands for the Federal Risk and Authorization Management Program. It standardizes security evaluation and authorization for the cloud products and services that federal agencies in the United States use.

General Data Protection Regulation →

The European Union (EU) established the General Data Protection Regulation (GDPR) in 2018 to protect clients' and customers' personal data. The GDPR followed the digital reform launched by the EU in 2012 to create new standards for internet and technology advancements.


GRC is an acronym for governance, risk, and compliance. It refers to the strategy undertaken by a company for managing the overall governance, enterprise risk management, and regulations compliance.

Internal Security Assessor (ISA) →

Internal Security Assessor (ISA) is a designation given by the Payment Card Industry Security Standards Council (PCI SSC) to eligible internal security audit professionals working for a qualifying organization to conduct assessments.

Risk Assessment →

A cyber security risk assessment identifies the information assets that could be impacted by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property). The risks that might have an impact on those assets are then identified.

Trust Services Criteria →

The Trust Services Criteria, formerly known as the Trust Services Principles, are a set of control criteria used to evaluate, analyze and report on the suitability of the design and operating effectiveness of controls relevant to five sections of an organization’s information and systems.

Vendor Management Policy →

The criticality of risk increases when an organization outsources to a wider ecosystem of vendors and partners.

Vulnerability Management →

The process of assessing, identifying, analyzing, treating, and reporting security deficiencies or vulnerabilities in software systems is known as vulnerability management. Implementing vulnerability management practices and other security strategies is vital to ensure that the organization exposes the minimum attack surface.

Health Information Technology for Economic and Clinical Health Act (HITECH) →

The American Recovery and Reinvestment Act of 2009 included the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was passed to encourage the adoption and effective use of health information technology.


All Covered Entities and Business Associates must comply with HIPAA. If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules.

HIPAA Breach →

Acquisition, access, use, or disclosure of protected health information (PHI) is considered a HIPAA breach when the PHI's security or privacy is compromised in a way that is not permitted by HIPAA standards.

HIPAA Business Associates →

A HIPAA business associate is any entity, be that an individual or a company, provided with access to PHI in order to perform services for, or on behalf of, a HIPAA covered entity.

HIPAA Compliance →

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, its later revisions and additions, and any connected legislation must all be complied with to be considered HIPAA compliant.

HIPAA Covered Entities →

Individuals, organisations, and agencies that meet the HIPAA definition of a covered entity must comply with the Rules' requirements to protect the privacy and security of health information, and must provide individuals with certain health information rights.

HIPAA Employee Training →

The regulations relating to HIPAA training for employees are deliberately flexible because of the different functions Covered Entities perform, the different roles of employees, and the different levels of access each employee has to Protected Health Information (PHI).

HIPAA Risk Assessment →

An organization's creation, receipt, maintenance, or transmission of any protected health information (PHI) is subject to potential risks and vulnerabilities, which are the focus of a HIPAA risk assessment.

HIPAA Rules →

Various standards or regulations make up the Health Insurance Portability and Accountability Act (HIPAA), which can be used to monitor compliance. The HITECH Act and the Transactions and Code Set Standards, Identifier Standards, Enforcement Rule, Omnibus Final Rule, and Privacy, Security, and Breach Notification Rules are all parts of the HIPAA Rules.

HIPAA Rules: Breach Notification Rule →

The HIPAA Breach Notification Rule mandates that after a breach of unsecured protected health information (PHI), HIPAA-covered entities and their business associates must notify affected individuals.

HIPAA Rules: Enforcement Rule →

The Health Insurance Portability and Accountability Act (HIPAA) was first passed in 1996; the HIPAA Enforcement Rule was added in 2006. HIPAA mandated that the Secretary of the U.S. Department of Health and Human Services (HHS) create rules for the security and privacy of specific health information.

HIPAA Rules: Omnibus Rule →

The Department of Health and Human Services (HHS) published the HIPAA Final Omnibus Rule of 2013 to implement the changes mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA Rules: Privacy Rule →

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals' privacy rights to understand and control how their health information is used.

HIPAA Rules: Security Rule →

HIPAA mandated that the Secretary of the US Department of Health and Human Services (HHS) create rules for the security and privacy of specific health information.

HIPAA Sanctions →

A variety of fines and other consequences are available for HIPAA violations. HIPAA violations and data breaches can result in extremely expensive financial and other penalties.

Protected Health Information (PHI) →

Protected health information (PHI) refers to health data produced, received, stored, or transmitted by HIPAA-covered entities and their business associates in connection with healthcare delivery, the operation of healthcare systems, and the payment for healthcare services.

Information Security Management System (ISMS) →

An organization's information security is managed systematically via an information security management system (ISMS). The ISMS offers a set of security controls that a business can include in policies, procedures, and other types of documents.

SOC 1 →

SOC 1 is an acronym for Service Organization Control 1, a report documenting the internal controls that are considered relevant to the audit of a customer's financial statements.

SOC 2 →

SOC 2 has been developed by the American Institute of CPAs (AICPA) and is used to define criteria for managing and handling customer data based on the five trust service principles: security, availability, confidentiality, processing integrity, and privacy.

SOC 2 Type 1 Report →

A SOC 2 Type I report is an authenticated report that validates a company’s security rules or controls at a specific date and time. This Type I report is used to define the controls a company follows but does not evaluate or describe the effectiveness of those controls.

SOC 2 Type 2 Report →

A SOC 2 Type 2 report is an authenticated report that validates a company's security rules or controls over about 3-12 months. This Type 2 report validates the controls a company has followed and establishes the relevant controls over time.

SOC 3 →

A SOC 3 report is often considered a redacted SOC 2 report. This SOC 3 report summarizes everything covered in a SOC 2 report, with the only difference being the exclusion of the details of test results and the procedures performed to gain those results. A SOC 3 report can only be developed and received if a SOC 2 has been completed.

SOC Auditor →

In order to obtain a SOC 2 audit and report, every organization’s security measures have to undergo review and must be verified by a certified auditor. This verification can only be performed by licensed CPA firms that are qualified to perform a SOC 2 examination.

SOC Reports →

A service organization controls (SOC) report is one way to verify that an organization is following the best practices specified by the authorities for protecting a client’s data before a business function is outsourced to that organization.

SSAE - 16 →

SSAE 16 stands for the Statement on Standards for Attestation Engagements No. 16, a set of defined auditing standards and guidance published by the Auditing Standards Board (ASB), which is a part of the American Institute of Certified Public Accountants (AICPA).

SSAE - 18 →

SSAE 18 is a defined set of improvements aimed at increasing the usefulness and quality of SOC reports. SSAE 18 has now superseded SSAE 16 in terms of established guidelines.

Statement of Applicability →

The Statement of Applicability is a fundamental component of an organization's Information Security Management System. It is a critical document that is essential to achieving ISO 27001 certification.

Vendor Assessment →

The program employed by an organization to assess its vendors’ management of information shared by the organization is known as Vendor assessment. It is also responsible for evaluating whether the vendors are implementing and maintaining the relevant and required security controls.

Vendor Review →

The process undertaken by an organization to understand the possible risks that come with using a vendor’s product or service is known as vendor review. It is an ongoing process that enables an organization to maintain its security practices while using a product or service.

Attestation of Compliance (AOC) →

The formal validation document known as the Attestation of Compliance is used to show an entity's compliance status to interested outside parties (banks, acquirers, customers). A Qualified Security Assessor (for a Report on Compliance) or an entity officer (for self-assessment) may approve the AOC.

Cardholder Data (CHD) →

At a minimum, cardholder data consists of the Primary Account Number (PAN), the 15 or sometimes 16-digit account number on a credit or branded debit card. Sensitive Authentication Data (SAD), such as the 3 or 4 digit code printed on a card, magnetic stripe data, PIN, or chip data, may also be included in cardholder data, along with the cardholder's name, expiration date, and/or service code.

Cardholder Data Environment (CDE) →

The term "cardholder data environment" means any individuals, groups, and systems that handle, transmit, store, or have the potential to handle cardholder data securely.

Merchant →

A merchant is described as any entity that accepts payment using payment cards with the logos of any of the five organizations that make up the PCI Security Standards Council - Visa, Mastercard, American Express, Discover, and JCB.

Payment Card Industry Data Security Standard (PCI DSS) →

The Payment Card Industry Data Security Standard is a set of security standards developed by major credit card providers: Visa, Discover Financial Services, MasterCard, JCB International, and American Express. It is managed by the Payment Card Industry Security Standards Council (PCI SSC).
It addresses 12 key security domains and details specific requirements for all payment card providers and service providers that store, process, and transmit cardholder data.

Qualified Security Assessor (QSA) →

A Qualified Security Assessor (QSA) is someone the PCI SSC has qualified to validate PCI DSS compliance assessments.

Report on Compliance (ROC) →

The Report on Compliance is an annual assessment performed by a Qualified Security Assessor (QSA). The report details the organization's security posture, the systems, and the protection of cardholder data.
The ROC applies to both payment card merchants and service providers.

Self-Assessment Questionnaire (SAQ) →

To prove information security is a top priority, all payment card merchants and service providers must complete the Self-Assessment Questionnaire (SAQ).
Different types of questionnaires are available to meet different merchant environments. The questionnaires are based on factors like payment transaction value and bank requirements.

Service Provider →

The Payment Card Industry (PCI) service provider is a business entity (not a payment brand) that is directly involved in the processing, storage, or transmission of cardholder data or could impact the security of another merchant's or service provider's cardholder data environment.

IT Security Policy →

An information technology security policy establishes rules and procedures for the individuals who interact with an organization's IT assets and resources to safeguard information and IT systems from unauthorized access, use, alteration, or destruction.

ISO 27001 Security Standard →

The ISO 27001 standard is a set of requirements for Information Security Management Systems (ISMS) provided by the International Electrotechnical Commission (IEC) and the International Organization for Standardization (ISO).

ISO 27001 Stage 1 Audit →

An ISO 27001 Stage 1 Audit is the first step in the ISO certification process, which has two parts in total. The Stage 1 Audit includes an extensive documentation review in which an external ISO 27001 auditor reviews the organization's policies and procedures to ensure that the organization meets all the requirements imposed by the ISO standard.

ISMS Governing Body →

An ISMS governing body is composed of the key management members in any organization and is defined as an organizational governance team that specializes in management oversight.

ISO 27001 →

ISO 27001 is defined as a framework used for managing IT security. It lists the guidelines for an information security management system (ISMS) responsible for keeping the client’s data safe. An organization can be certified for ISO 27001 by an auditor only after the completion of an audit.

ISO 27001 Internal Audit →

An ISO 27001 internal audit includes examining an organization's Information Security Management System (ISMS) prior to pursuing an ISO audit with an external auditor. The internal audit aims to help identify loopholes or shortcomings that could affect an organization's Information Security Management System and hinder its ability to meet the required objectives as per ISO standards.

ISO 27001 Key Performance Indicators (KPIs) →

ISO 27001 key performance indicators (KPIs) are the measures or metrics organizations implement for their Information Security Management System (ISMS).

ISO 27001 Management Review →

As the term suggests, the ISO 27001 management review aims to ensure that the objectives of an organization's Information Security Management System (ISMS) remain appropriate and continue to operate effectively given the purpose, issues, and potential risks to the organization's information assets.

ISO 27001 Non-Conformities →

An ISO 27001 non-conformity is defined as an organization's failure to fulfil a requirement established by the ISO standard. Both major and minor non-conformities are considered during the company's audit certification process. If a major non-conformity is present, the company in question cannot get certified for audit and compliance.

ISO 27001 Risk Assessment →

Risk assessment under ISO 27001 aims to help an organization or entity identify, analyze, and evaluate the weaknesses or loopholes present in its information security management system (ISMS) and its processes and procedures.

ISO 27001 Risk Treatment Plan →

A risk treatment plan is the second step in the overall risk management process and is usually introduced when the company completes the ISO 27001 risk assessment.

ISO 27001 Stage 2 Audit →

Also known as the Certification audit, the ISO 27001 Stage 2 Audit is the second step of the two-step external ISO certification process. It follows after the Stage 1 Audit is successfully completed.
