Your security and compliance glossary

All the terms you need to know when you’re trying to get compliance audit ready, fast.

AICPA

AICPA is the acronym for the American Institute of Certified Public Accountants. The AICPA is the originator of the SOC (System and Organization Controls) audit and reporting standards.

Compliance risk management

Compliance risk management describes an organization’s strategy for managing the risk of non-compliance with pertinent regulations.

Compliance software

Compliance software describes the software tools an organization employs to monitor its internal systems and controls, in order to comply with required standards and regulations.

Governance, risk and compliance (GRC)

Governance, risk and compliance (GRC) refers to a company’s strategy for managing its overall governance, enterprise risk management and compliance with regulations.

HIPAA

HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996 with the goal of improving health care portability and the handling of confidential health information.

HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) is composed of a number of standards or rules against which compliance can be monitored. Among others, the HIPAA Rules include the Privacy, Security, and Breach Notification Rules.

HIPAA employee training

HIPAA compliance is required of organizations and employees who work in or with the healthcare industry, or who have access to protected health information (PHI). The goal of HIPAA compliance training is to ensure that organizations and their employees are appropriately protecting the privacy and security of patients’ PHI.

ISO 27001

ISO 27001 is a set of requirements for an information security management system (ISMS) that helps keep consumer data safe by applying a risk management process to an organization’s people, processes, and IT systems.

ISO27001 security standard

The ISO27001 security standard is a set of best practices that support organizations in managing their information security by addressing people, processes, and technology.

IT security policy

An information technology (IT) security policy establishes rules and procedures for the individuals who interact with an organization’s IT assets and resources. The goal of an effective IT security policy is to protect information technology systems from any unauthorized access, use, alteration, or destruction, and to provide guidance in the case of the compromise of any systems.

SOC 1

A SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer's financial reporting.

SOC 2

SOC 2 defines controls for managing customer data based on five “trust service principles”: security, availability, processing integrity, confidentiality and privacy.

SOC 2 auditor

SOC auditors are independent CPAs who work with the SOC (System and Organization Controls) suite to evaluate and report on the controls in place at a service organization, relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.

SOC 3

A SOC 3 report covers the same basic material and concerns as a SOC 2 report, but it distributes only the auditor’s report, without including a description of the tests and their results or any opinions on the processes and results.

SOC Trust Services Criteria

The five Trust Services Criteria comprise the evaluation structure of a SOC 2 audit and report. The Trust Services Criteria are applied to report on the suitability of the design and operating effectiveness of controls relevant to the Security, Availability, Processing Integrity, Confidentiality, and Privacy of an organization’s information and systems.

SOC reports

A service organization controls (SOC) report is a way to verify that an organization is following specific best practices related to protecting their clients’ data.

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance on using the standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

SSAE 18

SSAE 18 is a series of enhancements aimed at increasing the usefulness and quality of SOC reports; it now supersedes SSAE 16.

Security questionnaire

A security questionnaire is a tool that an enterprise may circulate to a service organization to evaluate and validate its security practices before choosing to do business with that organization.

Vendor assessment

Vendor assessment describes an organization’s program of assessing its vendors’ management of that organization’s information, and whether vendors are implementing and maintaining appropriate security controls.

Vendor management policy

A vendor management policy reviews all of an organization’s vendors — each third-party, contractor, or associate with whom an organization does business — and establishes requirements for the level of information security that vendors should maintain.

Vendor review

Vendor review is a process by which an organization can understand the potential risks of utilizing a vendor’s product or service, as well as an ongoing process to ensure that quality security practices continue to be maintained.
