IT Compliance Terminology A-Z
This article is a reference resource for IT compliance and security. It is not professional advice. Consult professionals for guidance specific to your situation.
Compliance and security have their own language. Terms carry specific meanings that differ from general usage, and misunderstanding terminology creates confusion about what's actually required. An "audit" doesn't mean the same thing in compliance as in accounting. An "assessment" can refer to different types of reviews with different implications. A "control" can be technical, administrative, or physical. This glossary explains the terms that appear throughout compliance and security discussions, organized by category so you can understand not just what words mean but how they relate to each other.
Core Compliance Concepts
A framework is a structured standard or set of requirements that define what an organization must do to achieve compliance. SOC 2, ISO 27001, HIPAA, and PCI DSS are all frameworks. Frameworks typically define control objectives (what you need to achieve) and may prescribe how to achieve them or leave the method flexible. Understanding which frameworks apply to your organization is the first step in compliance.
A control is a specific safeguard, procedure, or technical mechanism designed to reduce risk or achieve a compliance objective. Controls come in three types: preventive controls stop bad things from happening, detective controls find bad things that have happened, and corrective controls fix problems once found. A firewall is a preventive control. Log monitoring is a detective control. Your incident response plan is a corrective control. Most frameworks require a mix of all three types.
An assessment is a systematic review of your environment, systems, or controls against a standard. During an assessment, an auditor or consultant examines your practices, tests your controls, and identifies gaps. Assessment is the broader term. An audit is a specific type of assessment conducted by an external, independent party and resulting in a formal report.
An audit is a formal evaluation by an independent auditor of whether your organization complies with a standard. Audits result in official reports and opinions. A SOC 2 audit results in an audit report stating the auditor's opinion on your controls. An ISO 27001 audit results in a certification if you pass. A HIPAA audit is conducted by HHS and results in findings if violations are found. Audits carry weight because they're independent and formal.
A gap analysis, also called readiness assessment, identifies the difference between your current state and the requirements of a framework. A consultant might conduct a gap analysis before you pursue SOC 2, telling you which controls you're missing and what work is needed before the audit. Gap analysis is often the most valuable step in compliance because it prevents surprises.
Scope defines what parts of your organization, systems, or data are covered by a compliance framework or an audit. Your SOC 2 scope might include your production environment but not development systems. Your HIPAA scope includes only systems that process protected health information. Scope decisions affect the work required, the cost, and the assurance provided.
Remediation is the work to fix compliance gaps. If an audit finds that you don't have access reviews (a control), remediation is implementing access reviews. Remediation can be quick (implementing a policy) or lengthy (redesigning a system). Most auditors expect a remediation plan for any gaps found during the assessment.
Certification is official recognition that you've met a standard. ISO 27001 certification means a certification body has audited you and confirmed you comply. Unlike a SOC 2 report (which is an audit opinion), a certificate is a credential you can display and reference. Certifications typically require ongoing surveillance audits to maintain them.
A control environment is the overall culture, governance structure, and support systems that ensure controls are effective. A strong control environment means management takes compliance seriously, communicates expectations, holds people accountable, and invests in the systems to make compliance possible. A weak control environment means controls exist on paper but aren't actually enforced.
Documentation is the evidence that controls exist and work. Documentation can include policies, procedures, system configurations, logs, and evidence of reviews. During audits, auditors review documentation to verify that controls are both designed and operating effectively. Organizations that lack documentation are vulnerable in audits.
Security and Risk Concepts
A threat is an actor, condition, or event that could cause harm to your organization. Threats include external attackers, malicious employees, system failures, natural disasters, and data loss. Threats are outside your direct control, though you can influence the likelihood through your controls.
A vulnerability is a weakness that can be exploited by a threat. Unpatched software, weak passwords, misconfigurations, and insecure code are all vulnerabilities. Vulnerabilities are under your control—you can fix them through patching, configuration hardening, and better development practices.
Risk is the probability that a threat will exploit a vulnerability and cause harm. Risk = threat likelihood × impact. A vulnerability in software only matters if a threat actor is likely to exploit it. An internal database vulnerability is lower risk than a web-facing vulnerability because it's harder for external threats to find. Risk assessment is about understanding which combinations of threats and vulnerabilities pose the greatest danger to your organization.
A breach is the unauthorized access to, disclosure of, or loss of data. A data breach means someone who shouldn't have access to your data now has it. Breach notification is a legal requirement in most jurisdictions—you must notify affected individuals of certain types of breaches within a specific timeframe.
An incident is an event that violates your security policy or poses a threat to your systems or data. Not all incidents are breaches. A suspicious login attempt is an incident even if the attacker didn't gain access. An incident response process includes detection, investigation, containment, eradication, and recovery.
Exposure is a condition where data or systems are accessible to unauthorized parties. A database with public internet access is "exposed." You might have exposed data without knowing it (vulnerability + misconfiguration = exposure). Exposure is the precursor to breach—if your data is exposed, a threat actor could breach it.
Risk tolerance is the level of risk your organization is willing to accept. Different organizations have different risk tolerances. A financial services firm has very low risk tolerance for data loss. A social media company might have higher risk tolerance for operational disruptions. Your risk tolerance guides which controls are worth investing in.
Risk acceptance is a deliberate decision to accept a risk rather than control it. If you identify a vulnerability that's technically difficult or expensive to fix, and the risk is low, you might accept the risk. Risk acceptance should be documented and approved by senior management.
Residual risk is the risk that remains after you've implemented controls. You can't reduce risk to zero—residual risk is always present. Compliance is about reducing risk to a level your organization finds acceptable.
Technical Control Concepts
Encryption is the process of converting data into a form that can only be read if you have the decryption key. Encryption in transit protects data while it's being sent over networks. Encryption at rest protects data stored on systems. Encryption is a foundational control for protecting sensitive data.
Authentication is the process of verifying who you are. Passwords are one form of authentication. Multi-factor authentication (MFA) requires two or more factors from different categories: something you know (password), something you have (phone), or something you are (biometric). Strong authentication is critical because most breaches begin with compromised credentials.
Authorization is the process of determining what authenticated users are allowed to do. Once you've verified who someone is, you need rules determining what systems, data, and functions they can access. Role-based access control (RBAC) groups permissions into roles and assigns users to roles.
Access control is the overarching term for policies, systems, and procedures that determine who can access what. Access control includes authentication, authorization, and privilege management. Strong access control is a foundational security requirement.
Privilege or privileged access is the highest level of access—administrative rights to systems, databases, or applications. Privileged accounts can create users, change configurations, delete data, and access anything. Privileged access is the most dangerous if compromised. Privileged access management (PAM) is a specialized control category focused on governing privileged access.
An access review is a periodic examination of who has what access and whether that access is still appropriate. Access reviews prevent access creep (people retaining access they don't need) and catch unauthorized access changes. Access reviews are typically quarterly or annual, documenting that managers have verified their team's access levels.
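The authorization and access review terms above can be made concrete in code. The following is an added example written for this glossary, not code from the original article or from Fully Compliance. The roles, permissions, job functions and users are constructed sample data: roles group permissions (RBAC), an authorization check denies by default, and an access review flags two kinds of findings a manager would have to sign off on: access creep (roles beyond what the person's job needs) and accounts that were never deprovisioned.

```python
"""Added example (not from the original article): role-based access control
(RBAC) with a periodic access review that flags access creep and
un-deprovisioned accounts. All names and roles are constructed samples."""

from dataclasses import dataclass, field

# Roles group permissions (constructed sample data).
ROLE_PERMISSIONS = {
    "support": {"tickets:read", "tickets:write"},
    "engineer": {"tickets:read", "repo:read", "repo:write", "deploy:staging"},
    "admin": {"users:create", "users:delete", "deploy:production", "db:admin"},
}

# Roles each job function is expected to hold. Anything beyond this is
# "access creep" that the review should catch.
EXPECTED_ROLES_BY_JOB = {
    "support": {"support"},
    "engineer": {"engineer"},
    "platform-lead": {"engineer", "admin"},
}


@dataclass
class User:
    name: str
    job: str
    roles: set = field(default_factory=set)
    active: bool = True  # False once the person has left the organization


def permissions_for(user: User) -> set:
    """Authorization: the union of permissions granted by the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: inactive users and unknown roles grant nothing."""
    if not user.active:
        return False
    return permission in permissions_for(user)


def access_review(users):
    """Periodic review: return (user, finding type, roles) tuples for sign-off."""
    findings = []
    for u in users:
        if not u.active and u.roles:
            # Deprovisioning was missed: a departed person still has access.
            findings.append((u.name, "inactive-with-access", sorted(u.roles)))
            continue
        excess = u.roles - EXPECTED_ROLES_BY_JOB.get(u.job, set())
        if excess:
            findings.append((u.name, "access-creep", sorted(excess)))
    return findings


# Constructed sample population for the review.
SAMPLE_USERS = [
    User("alice", "support", {"support"}),
    User("bob", "engineer", {"engineer", "admin"}),      # changed teams, kept admin
    User("carol", "platform-lead", {"engineer", "admin"}),
    User("dave", "support", {"support"}, active=False),  # left, never deprovisioned
]

if __name__ == "__main__":
    for finding in access_review(SAMPLE_USERS):
        print(finding)
```

Running the review on the sample population produces exactly the two findings an auditor would expect evidence for: bob's leftover admin role and dave's still-enabled account. The authorization check separately shows why deprovisioning matters: an inactive account is denied everything regardless of the roles it still carries.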
A user account is the mechanism by which a person accesses systems. Account management includes provisioning (creating accounts), deprovisioning (removing access when people leave), and periodic review. Account management is fundamental to access control.
Logging is the recording of events and activities in systems. Web servers log HTTP requests. Firewalls log network traffic. Databases log queries. Audit logs record who accessed what and when. Logging is a detective control—logs don't prevent bad things but help you find them afterward.
Monitoring is the continuous or regular review of logs and system events for anomalies or violations. A SIEM monitors logs for patterns indicating compromise. An EDR agent monitors a system for suspicious behavior. Monitoring is essential for detecting incidents.
Alerting is the automated notification when monitoring detects something suspicious. When a SIEM rule matches a pattern indicating compromise, it generates an alert. Alerts are only useful if someone is trained to investigate them and respond appropriately. Alert fatigue—too many false-positive alerts—is a common problem.
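Logging, monitoring and alerting fit together as a pipeline, and the easiest way to see the relationship (and the alert fatigue problem) is to run a detection rule over log lines. The following is an added example written for this glossary, not code from the original article; the log format, the threshold, the time window and the sample log lines are all constructed assumptions. The rule counts failed logins per source address inside a sliding window, raises an alert when the count reaches a threshold, and then suppresses repeat alerts for the same source so that one burst of activity produces one alert rather than one alert per log line.

```python
"""Added example (not from the original article): a detective control as
code. A detection rule runs over constructed authentication log lines,
alerts when failed logins from one source reach a threshold inside a time
window, and suppresses repeats so one burst yields one alert."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like, not real data; 203.0.113.0/24
# and 198.51.100.0/24 are documentation address ranges).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd auth=failed user=root src=203.0.113.5
2024-05-01T10:00:03Z sshd auth=failed user=admin src=203.0.113.5
2024-05-01T10:00:04Z sshd auth=success user=alice src=198.51.100.7
2024-05-01T10:00:06Z sshd auth=failed user=root src=203.0.113.5
2024-05-01T10:00:08Z sshd auth=failed user=oracle src=203.0.113.5
2024-05-01T10:00:09Z sshd auth=failed user=root src=203.0.113.5
2024-05-01T10:00:11Z sshd auth=failed user=root src=203.0.113.5
this line is not in the expected format
2024-05-01T10:15:00Z sshd auth=failed user=bob src=198.51.100.7
2024-05-01T10:16:00Z sshd auth=success user=bob src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd auth=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Parse one log line; malformed lines return None instead of crashing."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                      suppress=timedelta(minutes=10)):
    """Return one alert per source whose failures reach `threshold` within
    `window`. A source already alerted on is suppressed for `suppress`."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    last_alert = {}              # src -> time of the last alert raised
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None or ev["result"] != "failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold:
            prev = last_alert.get(ev["src"])
            if prev is None or ev["ts"] - prev >= suppress:
                last_alert[ev["src"]] = ev["ts"]
                alerts.append({"src": ev["src"], "at": ev["ts"], "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOGS):
        print(f"ALERT {a['at'].isoformat()} src={a['src']} failures={a['failures']}")
```

On the sample lines the rule raises a single alert for 203.0.113.5 at the fifth failure; the sixth failure two seconds later is suppressed. Calling `detect_bruteforce(SAMPLE_LOGS, suppress=timedelta(0))` turns suppression off and produces a second alert for the same burst, which is the alert fatigue the glossary entry describes in miniature. The single failure from 198.51.100.7 never reaches the threshold and stays a logged event rather than an alert.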
Policy, Procedure, and Process Terms
A policy is a high-level statement of your organization's position on a topic. A password policy states your requirements for password length, complexity, and expiration. An acceptable use policy defines what employees can do with company systems. Policies are the "what"—they state requirements.
A procedure is the step-by-step process for complying with a policy. If your policy requires annual access reviews, your procedure documents how those reviews are conducted, by whom, on what timeline, and how results are documented. Procedures are the "how"—they explain how to comply.
A control objective is a specific goal a control is designed to achieve. The control objective of access reviews is to ensure that access is authorized and appropriate. The control objective of encryption is to protect sensitive data. Control objectives come from frameworks and define what needs to be true for compliance.
A control activity is the specific action taken to achieve a control objective. If the control objective is "ensure systems are updated with security patches," control activities might include "scan for missing patches weekly," "prioritize high-severity patches," and "apply patches within 30 days."
Documentation is the evidence that controls are designed and operating. This includes written policies and procedures, system configurations, logs showing that controls executed, and evidence of monitoring and review. Well-organized documentation is essential for audits.
A test is the process auditors use to verify that controls are operating effectively. An auditor might test a control by reviewing evidence that access reviews were conducted, examining the documentation, and verifying that unauthorized access was identified and removed. Tests are how auditors move from "your policy says you do this" to "you actually do this."
Evidence is the documentation that supports your claim that a control is operating. If you claim to conduct quarterly access reviews, evidence includes the access review reports, manager sign-offs, and records of access changes made based on reviews. Without evidence, an auditor will not accept that a control is operating.
Risk Assessment and Management
A risk assessment is a systematic process to identify threats and vulnerabilities, evaluate the probability and impact of risks, and prioritize which risks to address. A risk assessment produces a risk register—a documented list of identified risks, their likelihood and impact, and planned responses.
A risk register is a document listing identified risks, their severity, who owns them, what controls address them, and the status of remediation. The risk register is a living document updated as risks change, new risks are identified, and controls are implemented.
Risk mitigation is the process of reducing risk through controls, process changes, or other measures. If you identify that weak passwords are a high-risk vulnerability, you mitigate by enforcing strong password requirements and MFA.
Risk transfer is moving risk to another party, typically through insurance or outsourcing. If you outsource data processing, you transfer some security risk to the service provider (though not all—you're still liable if your vendor is breached).
Risk avoidance is eliminating an activity that creates unacceptable risk. If you identify an unacceptable risk in a business process that you can't mitigate or transfer, you might avoid the risk by not doing that activity.
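The risk vocabulary in this section and in "Security and Risk Concepts" (likelihood × impact, residual risk, risk tolerance, and the mitigate / transfer / avoid / accept responses) can be tied together in a small risk register. The following is an added example written for this glossary, not code from the original article; the 1 to 5 scales, the idea of expressing a control's effectiveness as the fraction of likelihood it removes, the tolerance value and the sample risks are all constructed assumptions, and real registers use whatever scoring method the organization's risk methodology prescribes.

```python
"""Added example (not from the original article): a minimal risk register
that scores inherent risk as likelihood x impact, estimates residual risk
after the controls addressing each risk, and compares residual risk to the
organization's risk tolerance. Scales and sample risks are constructed."""

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    effectiveness: float  # constructed scale: fraction of likelihood removed, 0.0 to 1.0


@dataclass
class Risk:
    id: str
    description: str
    owner: str
    likelihood: int  # constructed ordinal scale, 1 (rare) to 5 (almost certain)
    impact: int      # constructed ordinal scale, 1 (negligible) to 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk before any controls: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after controls. Each control independently removes a
        fraction of the likelihood; residual risk never reaches zero unless a
        control is assumed perfect, which the register should never do."""
        remaining = 1.0
        for c in self.controls:
            remaining *= (1.0 - c.effectiveness)
        return round(self.likelihood * remaining * self.impact, 2)


def triage(register, tolerance: float):
    """Return (risk id, residual, suggested response), highest residual first.
    At or below tolerance the risk may be accepted with documented sign-off;
    above it the risk still needs treatment (mitigate, transfer or avoid)."""
    rows = []
    for r in register:
        res = r.residual()
        if res <= tolerance:
            suggestion = "accept (document and obtain senior sign-off)"
        else:
            suggestion = "treat: mitigate, transfer or avoid"
        rows.append((r.id, res, suggestion))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample controls and risks.
MFA = Control("MFA on all remote access", 0.8)
PATCH_SLA = Control("30-day patch SLA for internet-facing systems", 0.5)
FDE = Control("Full-disk encryption on laptops", 0.9)

SAMPLE_REGISTER = [
    Risk("R1", "Credential stuffing against the VPN", "IT lead", 5, 4, [MFA]),
    Risk("R2", "Unpatched internet-facing web server", "Platform lead", 4, 5, [PATCH_SLA]),
    Risk("R3", "Lost laptop containing local data", "IT lead", 3, 3, [FDE]),
    Risk("R4", "Legacy internal reporting tool without SSO", "Finance", 2, 2),
]

if __name__ == "__main__":
    for risk_id, residual, suggestion in triage(SAMPLE_REGISTER, tolerance=3.0):
        print(f"{risk_id}: residual={residual:<5} {suggestion}")
```

With a tolerance of 3.0, R2 sits at the top of the list even though a patching SLA is in place, R1 and R4 both land at 4.0 and still need treatment, and only R3 falls low enough to be a candidate for documented acceptance. The register also illustrates why risk acceptance is a management decision rather than an engineering one: R4 has no controls at all and is judged only by its low likelihood and impact.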
Incident Response and Investigation
An incident is a security event that violates your policy or poses a threat to your systems or data. Incidents range from suspicious login attempts to confirmed breaches. Your incident response plan defines how you detect, investigate, contain, and recover from incidents.
Detection is the process of identifying that an incident has occurred. Detection comes from monitoring (alerts from your SIEM or EDR) or from external notification (a customer reporting suspicious access, law enforcement notifying you of a breach).
Investigation is the process of determining what happened during an incident. Investigation includes collecting evidence, examining logs, interviewing users, and understanding the scope of compromise. Investigation determines whether an incident is a false alarm, a contained incident, or a breach.
Containment is the action taken to stop an ongoing incident. If malware is spreading on your network, containment is isolating affected systems. If an account is compromised and being used to access data, containment is disabling the account or revoking its tokens.
Eradication is the process of removing the cause of an incident. If malware is on a system, eradication is removing the malware, not just stopping it. If an attacker had access, eradication is blocking the attack vector they used.
Recovery is returning systems and services to normal operation. Recovery includes patching systems, changing compromised passwords, and restoring from backups if necessary.
Forensics is the collection and analysis of digital evidence from an incident for investigation, legal proceedings, or root cause analysis. Forensics preserves evidence in a way that's defensible and admissible in potential legal proceedings.
Root cause analysis is the investigation into why an incident happened. If malware infected your systems, root cause analysis determines how the malware got in—was there a vulnerability, did a user click a malicious link, was it supply chain compromise? Understanding root cause prevents the same incident from recurring.
Assurance and Testing Concepts
Assurance is confidence that an organization complies with requirements and that controls are effective. Audits provide assurance to stakeholders that an organization is trustworthy.
Internal audit is an audit conducted by people within your organization. Internal audits provide assurance to management but less credibility to external stakeholders because they lack independence. Internal audits are valuable for your own compliance planning.
External audit is an audit conducted by an independent third party. External audits provide credibility because the auditor is independent and has no incentive to report a favorable result that isn't warranted. SOC 2, ISO 27001, and HIPAA audits are all external.
A qualified auditor or assessor is someone trained and certified to conduct specific compliance audits. A SOC 2 auditor must be a licensed CPA. An ISO 27001 auditor must be accredited by a certification body. Qualification matters because it ensures the auditor knows what to look for.
A penetration test is a simulated attack on your organization designed to find vulnerabilities. A penetration tester attempts to gain access to your systems the way an attacker would. Penetration testing is a detective control that helps you find vulnerabilities before an actual attacker does.
Vulnerability scanning is the automated process of testing systems for known vulnerabilities. A vulnerability scanner examines your systems and identifies missing patches, weak configurations, and known flaws. Scanning is faster than penetration testing but less thorough.
A compliance audit differs from a financial audit in that it focuses on whether you comply with a specific standard, not on financial accuracy. Compliance audits examine whether your controls are designed and operating as required.
An operational audit examines whether your processes and operations are efficient and effective. An operational audit doesn't necessarily focus on compliance but might find compliance gaps.
Data and Privacy Concepts
Personal data (or personally identifiable information, PII) is information that can be used to identify or contact a specific person. Names, email addresses, phone numbers, social security numbers, and financial account numbers are all personal data. GDPR, CCPA, and HIPAA all regulate personal data handling.
Sensitive data is information that requires protection beyond normal access controls. Credit card data, health records, trade secrets, and personal financial information are all sensitive. Your organization defines what it considers sensitive data.
Data classification is the process of categorizing data by sensitivity. Your organization might classify data as public, internal, confidential, or restricted. Data classification drives how data is protected—restricted data requires stronger encryption and access controls than public data.
Data retention is how long you keep data. Your data retention policy specifies how long different types of data are kept and when they're deleted. GDPR requires that you delete personal data when you no longer need it (data minimization). HIPAA requires you keep records for six years.
Data minimization is the principle that you collect and retain only the data you actually need. Collecting excessive personal data creates risk—more data means more potential for breach. Collecting and keeping data longer than necessary violates GDPR and good practice.
Data protection is the overarching concept of safeguarding data through encryption, access controls, and other measures. Data protection is required by most frameworks and regulations.
A privacy impact assessment (PIA) is a review of a system, process, or proposal to identify privacy risks and ensure compliance with privacy laws. A PIA is required before implementing new systems that handle personal data.
A data processing agreement is a contract between a data controller (who decides how data is used) and a data processor (who processes data on the controller's behalf). Data processing agreements are required under GDPR and define how data will be protected.
Compliance Governance
Compliance governance is the structure and processes that ensure compliance is happening. Compliance governance includes defining roles and responsibilities, establishing compliance policies, conducting assessments, tracking remediation, and reporting to leadership.
A compliance officer is responsible for overseeing compliance with regulations and standards. In large organizations, this might be a full-time role. In smaller organizations, compliance responsibilities might be distributed or handled by a fractional compliance resource.
A compliance program is the comprehensive set of policies, procedures, controls, and processes designed to ensure compliance. A compliance program includes risk assessments, control documentation, audit plans, remediation tracking, and board reporting.
Board reporting on compliance keeps senior leadership informed about the organization's compliance status, key risks, and remediation progress. Boards are increasingly focused on cybersecurity and compliance, particularly after breaches or regulatory action.
A third-party assessment is an audit or assessment of a vendor or service provider to verify they meet compliance requirements. Third-party assessments help you understand whether vendors are trustworthy with your data.
Vendor management is the process of identifying compliance requirements for vendors, assessing whether vendors meet those requirements, and monitoring vendor compliance. If a vendor is breached, your organization may be liable, so vendor management is important.
Understanding Terminology in Context
Compliance and security terminology overlaps and sometimes uses the same words in different contexts. A "control" can be a technical tool, an administrative procedure, or a physical safeguard. An "assessment" can be a gap analysis, a vulnerability scan, or a full audit. An "audit" in compliance means something different from what it means in accounting. Understanding these distinctions prevents confusion and helps you interpret compliance discussions accurately.
The best use of this glossary is as a reference when you encounter unfamiliar terms. When someone talks about "control objectives" or "residual risk," you can look up the term and understand what they mean. As you become more familiar with compliance language, these terms become part of your working vocabulary.
Fully Compliance provides educational content about compliance and security terminology. Specific guidance on compliance requirements should come from qualified professionals in your industry and jurisdiction.