Glossary
Security & compliance glossary
Plain-English definitions of the frameworks, audit concepts, and offensive-security terms that come up on the path to compliance — including the breach-simulation and attack-surface concepts most glossaries skip.
Frameworks & standards
CMMC
CMMC (Cybersecurity Maturity Model Certification) is a US Department of Defense program that verifies defense contractors and subcontractors have adequate cybersecurity to protect sensitive government information. CMMC 2.0 defines three levels and is built largely on NIST SP 800-171, protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
EU AI Act
The EU AI Act is the European Union's comprehensive, risk-based regulation governing artificial intelligence. It classifies AI systems by risk — unacceptable (banned), high-risk, limited, and minimal — imposing the strictest obligations on high-risk uses, and adds specific rules for general-purpose AI models. It applies to providers and deployers whose AI affects the EU market.
FedRAMP
FedRAMP (Federal Risk and Authorization Management Program) is a US government program that standardizes the security assessment, authorization, and continuous monitoring of cloud products and services used by federal agencies. Built on NIST SP 800-53 controls, it lets a cloud service earn an authorization that agencies can reuse rather than assessing each provider independently.
GDPR
GDPR is the European Union's General Data Protection Regulation, a comprehensive data-protection law governing how personal data of individuals in the EU and EEA is collected, processed, and protected. It applies to any organization worldwide that targets or monitors EU residents, grants individuals strong rights over their data, and carries significant penalties for violations.
HIPAA
HIPAA is the US federal law that sets national standards for protecting individuals' health information. Enforced by the HHS Office for Civil Rights, it governs how covered entities and their business associates safeguard protected health information (PHI) through its Privacy, Security, and Breach Notification Rules. Compliance is mandatory for organizations handling US health data.
HITRUST
HITRUST is a certifiable security and privacy framework, delivered through the HITRUST CSF, that harmonizes requirements from HIPAA, ISO 27001, NIST, PCI DSS, and other standards into a single control set. Widely adopted in healthcare, it lets an organization demonstrate compliance against many overlapping mandates through one certification.
ISO 27001
ISO 27001 is the international standard for an information security management system (ISMS), published by ISO and IEC. It defines requirements for systematically identifying, treating, and monitoring information security risks, and is the basis for accredited certification recognized worldwide. The 2022 revision lists 93 Annex A controls across four themes.
ISO 27701
ISO 27701 is an international standard that extends ISO 27001 and ISO 27002 with requirements for a Privacy Information Management System (PIMS). It adds privacy-specific controls for organizations acting as data controllers or processors and maps closely to regulations such as the GDPR, turning an existing security management system into a privacy management system.
ISO 42001
ISO 42001 is the world's first international standard for an artificial intelligence management system (AIMS), published in 2023 by ISO and IEC. It defines requirements for governing the responsible development and use of AI, including an AI impact assessment, and is certifiable by an accredited registrar. Annex A provides 38 controls across nine objectives.
NIST AI RMF
NIST AI RMF (AI Risk Management Framework) is a voluntary US framework published by the National Institute of Standards and Technology to help organizations identify, measure, and manage the risks of designing, developing, and deploying AI systems. It is organized around four functions: Govern, Map, Measure, and Manage.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (NIST CSF) is a voluntary framework from the US National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. Its 2.0 version is organized around six core functions - Govern, Identify, Protect, Detect, Respond, and Recover - and is widely used across industries to structure security programs.
PCI DSS
PCI DSS is the Payment Card Industry Data Security Standard, a set of security requirements that any organization storing, processing, or transmitting payment card data must meet. Maintained by the PCI Security Standards Council, its current major version is v4.0. Validation ranges from a self-assessment questionnaire to a full on-site audit by a Qualified Security Assessor.
SOC 2
SOC 2 is an attestation report, defined by the AICPA, that evaluates how a service organization protects customer data against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. An independent CPA firm issues the report, making it the standard proof of security posture for SaaS and cloud vendors in North America.
SOC 2 Type II
SOC 2 Type II is a SOC 2 report that evaluates whether a service organization's controls not only are designed appropriately but also operate effectively over a defined observation period, typically three to twelve months. It is the more rigorous and widely demanded form of SOC 2, because it proves controls work continuously rather than at a single moment.
Trust Services Criteria
Trust Services Criteria (TSC) are the five control criteria defined by the AICPA that a SOC 2 examination evaluates: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security — the common criteria — is always included, while the other four are optional categories an organization selects based on its commitments to customers.
Compliance concepts
Access Review
An access review is a periodic check that each user's permissions still match what their role actually requires. By confirming and revoking access on a recurring basis, organizations enforce least privilege and catch the over-permissioned or orphaned accounts that accumulate over time. Access reviews are a standard control across SOC 2, ISO 27001, and other frameworks.
AIMS
An AIMS (AI Management System) is the structured set of policies, processes, roles, and controls an organization uses to govern the responsible development and use of artificial intelligence. It is the system that ISO 42001 certifies. An AIMS extends management-system thinking to AI-specific risks like bias, transparency, and oversight.
Annex A Controls
Annex A controls are the catalog of security or AI controls listed in the annex of an ISO management-system standard. ISO 27001:2022 defines 93 controls across 4 themes, while ISO 42001 defines 38 controls across 9 objectives. Organizations select from this catalog based on their risk assessment and record their choices in the Statement of Applicability.
Attestation
An attestation is a CPA firm's formal opinion on whether an organization's controls are designed and operating as described, most commonly delivered as a SOC 2 report. It differs from certification, where an accredited body certifies conformance to a standard like ISO 27001. An attestation is an auditor's opinion, not a pass-or-fail certificate.
Compensating Control
A compensating control is an alternative safeguard used when an organization cannot implement a required control, but still needs to meet the intent of that requirement. It must provide a comparable level of protection and be formally documented and justified. Compensating controls are most familiar from PCI DSS, where they follow a strict approval process.
Continuous Control Monitoring
Continuous control monitoring (CCM) is the practice of automatically and continuously testing whether controls operate correctly, then alerting on drift the moment a control falls out of compliance. It replaces point-in-time checks with always-on assurance, so issues surface in near real time rather than during an annual audit.
Evidence Collection
Evidence collection is the process of gathering proof that security and compliance controls actually operate as intended. This proof includes system configurations, logs, screenshots, policy documents, and tickets that an auditor reviews to confirm a control is both designed correctly and operating effectively over time.
Gap Analysis
A gap analysis compares an organization's current controls against the requirements of a framework to identify what is missing before an audit. It produces a prioritized list of gaps and remediation work. It is typically the first step on the road to certification or attestation.
Internal Audit
An internal audit is a self-assessment an organization performs on its own management system before an external certification or examination. Its purpose is to find nonconformities and gaps so they can be fixed first. In ISO 27001, internal audits are a mandatory, recurring requirement under clause 9.2 of the standard.
ISMS
An ISMS (Information Security Management System) is the structured set of policies, procedures, roles, and controls an organization uses to manage information security risk. It is the thing ISO 27001 certifies. An ISMS treats security as an ongoing, risk-driven program rather than a one-time project.
Residual Risk
Residual risk is the risk that remains after controls and other treatments have been applied. No safeguard eliminates risk entirely, so a measurable amount persists, and leadership must formally decide to accept, further treat, or transfer it. Documenting and accepting residual risk is a core requirement of risk-based frameworks like ISO 27001.
Risk Assessment
A risk assessment is the process of identifying assets, threats, and vulnerabilities, then scoring each risk by its likelihood and impact. It is the analytical core of an ISMS, and ISO 27001 clause 6 requires it to follow a repeatable, documented method. Its output drives which controls an organization implements.
Risk Treatment
Risk treatment is the process of deciding how to handle each risk identified in a risk assessment, by mitigating, accepting, transferring, or avoiding it. Whatever risk remains after treatment is the residual risk. The decisions are recorded in a risk treatment plan that drives control selection.
Segregation of Duties
Segregation of duties (SoD) is the practice of splitting a critical task across multiple people so that no single individual can complete a sensitive action alone. By requiring more than one person, it reduces the chance of fraud and error and creates a natural check on powerful actions. SoD is a foundational control in both security and financial compliance.
Statement of Applicability
A Statement of Applicability (SoA) is the ISO 27001 and ISO 42001 document that lists every Annex A control and records whether each one is applicable or excluded, the justification for that decision, and its implementation status. It is the cornerstone document an auditor reviews to understand the ISMS at a glance.
Trust Center
A trust center is a public-facing page where an organization shares its security posture, certifications, and supporting documentation so prospects and customers can perform due diligence on their own. By centralizing audit reports, policies, and subprocessor lists, a trust center reduces repetitive security questionnaires and accelerates sales and procurement.
Vendor Risk Management
Vendor risk management is the practice of assessing and continuously monitoring the security and compliance posture of the third-party suppliers an organization relies on. It typically involves collecting vendors' audit reports, evaluating their access to data, and reassessing them on a periodic basis, because a vendor's weakness can become your breach.
Security testing
Attack Path
An attack path is the chain of steps an attacker takes, from an initial foothold through exploitation and pivoting, to reach a high-value target. It combines privilege escalation and lateral movement to show real blast radius, revealing not just isolated weaknesses but how they connect into a route to crown-jewel assets.
Attack Surface Management
Attack Surface Management (ASM) is the continuous discovery, inventory, and monitoring of an organization's internet-facing assets that an attacker could target. It takes an outside-in view, mapping every exposed domain, IP, service, and certificate so security teams can find and fix exposures before adversaries reach them.
Breach and Attack Simulation
Breach and Attack Simulation (BAS) is the practice of safely emulating real adversary techniques to validate whether security controls detect and stop them. BAS is continuous and automated, typically maps each test to MITRE ATT&CK, and produces evidence of which defenses actually work rather than which merely exist.
CVE
CVE stands for Common Vulnerabilities and Exposures, a system that assigns a unique identifier to each publicly disclosed cybersecurity vulnerability. A CVE record uses the format CVE-YYYY-NNNNN and is maintained by the CVE Program, giving the security community a common reference for naming and tracking flaws.
CVSS
CVSS, the Common Vulnerability Scoring System, is an open framework for rating the severity of software vulnerabilities on a numerical scale from 0.0 to 10.0. Maintained by FIRST, it translates a vulnerability's technical characteristics into a score and a severity rating such as Low, Medium, High, or Critical.
Internal Attack Surface Management
Internal Attack Surface Management (iASM) is the discovery and mapping of internal cloud and identity assets and the attack paths between them. It takes an inside-out view, modeling what an attacker could reach after gaining a foothold, so teams can find and cut the chains that lead to high-value targets.
Lateral Movement
Lateral movement is the set of techniques an attacker uses to move from an initially compromised system to other systems inside a network, hunting for the credentials, data, or privileges needed to reach a final objective. It is constrained by network segmentation, least privilege, and zero-trust controls.
Least Privilege
Least privilege is the security principle of granting every user, account, and process only the access it genuinely needs to perform its function, and no more. By minimizing standing permissions, it shrinks the attack surface and limits the damage that any single compromised account can cause.
MITRE ATT&CK
MITRE ATT&CK is a free, globally used knowledge base of real-world adversary tactics and techniques observed in actual intrusions. It gives offense and defense a common language for describing how attackers operate, and is widely used to plan testing, measure detection coverage, and map findings to known behaviors.
Penetration Testing
Penetration testing is an authorized, simulated attack carried out by skilled humans to find and exploit vulnerabilities in a system. It is point-in-time and creativity-driven, going beyond scanning to prove what an attacker could actually achieve. Many frameworks, including PCI DSS and SOC 2, expect periodic penetration testing.
Privilege Escalation
Privilege escalation is the act of gaining higher access than you started with, such as moving from a standard user to an administrator. It is a key step in most attack paths, letting an intruder turn a limited foothold into broad control. It is mitigated primarily by least privilege and regular access reviews.
Security Posture
Security posture is the overall strength of an organization's cybersecurity at a given point in time, reflecting the state of its controls, its exposure to threats, and its ability to detect and respond to attacks. Because it changes constantly, it is best understood and proven through continuous monitoring and active testing.
Vulnerability Management
Vulnerability management is the ongoing process of identifying, prioritizing, and remediating security weaknesses across an organization's systems and software. It is a continuous cycle rather than a one-time scan, and it relies on standardized CVE identifiers and CVSS severity scores to track and rank issues.
Zero Trust
Zero Trust is a security model built on the principle never trust, always verify. It grants no implicit trust based on network location, treating every user, device, and connection as untrusted until proven otherwise through continuous verification of identity, enforcement of least privilege, and segmentation.
AI governance
AI Impact Assessment
An AI impact assessment is a structured evaluation of how an AI system affects individuals, groups, and society, including risks to rights, fairness, safety, and wellbeing. It is a core requirement of ISO 42001 and supports conformity efforts under regulations such as the EU AI Act.
Open Knowledge Format
Open Knowledge Format, or OKF, is an open, vendor-neutral standard for packaging information as graph-linked Markdown that AI agents can read natively. Rather than locking knowledge inside proprietary systems, OKF structures it so that tools like AI assistants can traverse and reason over it directly.
Responsible AI
Responsible AI, also called trustworthy AI, is the practice of developing and using AI systems that are fair, transparent, accountable, safe, and respectful of privacy. It moves beyond principles into operation through frameworks such as ISO 42001 and the NIST AI Risk Management Framework.