GLOSSARY

SOC 1

Terms

Annex A Controls

Attestation of Compliance (AOC)

California Consumer Privacy Act (CCPA)

Compliance risk management

Cardholder Data (CHD)

Cardholder Data Environment (CDE)

Compliance software

General Data Protection Regulation (GDPR)

HIPAA Business Associates

HIPAA Compliance

HIPAA Covered Entities

HIPAA employee training

HIPAA Risk Assessment

HIPAA Rules: Breach Notification Rule

HIPAA Rules: Enforcement Rule

HIPAA Rules: Omnibus Rule

HIPAA Rules: Privacy Rule

HIPAA Rules: Security Rule

HIPAA Safeguards

HIPAA Sanctions

Health Information Technology for Economic and Clinical Health Act (HITECH)

ISMS Governing Body

ISO 27001 security standard

ISO 27001 Internal Audit

ISO 27001 Key Performance Indicators (KPIs)

ISO 27001 Management Review

ISO 27001 Nonconformities

ISO 27001 Risk Assessment

ISO 27001 Risk Treatment Plan

ISO 27001 Stage 1 Audit

ISO 27001 Stage 2 Audit

IT security policy

Information Security Management System (ISMS)

NIST Cybersecurity Framework (CSF)

Protected health information

Payment Card Industry Data Security Standard (PCI DSS)

Qualified Security Assessor (QSA)

Report on Compliance (ROC)

Security questionnaire

SOC 2 Type I report

SOC 2 Type II report

SOC 2 compliance

SOC Trust Services Criteria

Self-Assessment Questionnaire (SAQ)

Service Provider

Statement of Applicability

Vendor assessment

Vendor management policy

What is SOC 1?

‍

A Service Organization Control 1 or SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer's financial statements.

‍

There are two types of reports for these engagements:

‍

Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

‍

Use of these reports is restricted to, your company, your customers, and your auditors. If you’d like a report you can share publicly, you may want a SOC 3.