A
Annex: A term used for ISO certification. For ISO/IEC 27001, Annex A is the list of reference controls that an organization evaluates against its risks; the Statement of Applicability then records which of those controls are in scope and why.
Artifact: An artifact is a piece of evidence that demonstrates the implementation or execution of a control. This could include screenshots, system logs, or reports that show a control in action.
Assessor: An independent, accredited certification body (or an auditor working for one) that has the authority to issue an ISO certification.
Asset: An asset is something that has value to a business. The term extends beyond physical items to include people, information, reputation, intellectual property (IP), and software.
Attestation: Attestation is the end result of a SOC 2 audit. The SOC 2 report is an attestation report (not a certification). A SOC 2 auditor attests -- rather than certifies -- that controls have been suitably designed (Type 1) and, for a Type 2 report, that they operated effectively over the audit period.
B
Breach: An incident that specifically involves unauthorized access to, or exfiltration of, confidential data.
Business Associate: Under HIPAA, an entity that creates, receives, maintains, or transmits PHI while providing services to a Covered Entity (think billing companies, medical device makers, answering services for a doctor's office).
C
Carve Out: A method of handling a subservice organization in a SOC 2 report. The control activities performed by the subservice organization are excluded from the audit (the auditor does not test them), but the System Description identifies the subservice organization and lists the controls it is expected to perform (the complementary subservice organization controls). For example, physical security controls for an organization that is 100% cloud hosted: the controls are being performed and the organization relies on them, but they are performed by the hosting provider, not the organization obtaining the SOC 2, so they are carved out and covered by the provider's own report.
Certification: An actual document (or PDF of that document) that says “Company is Certified”. Granted by an independent ‘Assessor’.
Cloud-based: The organization does not own or manage physical servers but instead relies on a cloud service provider. Workloads run on virtual machines or managed services in the provider's data centers; the provider owns and operates the physical hardware and facilities.
Colocation (Datacenter): A separate organization houses the physical servers and networking equipment for the organization.
Compliance: Adherence to a standard or set of guidelines, but not necessarily a certification.
Control: A specific procedure or protocol that is in place to address a cybersecurity risk. A control always has an owner and an action, and may have a frequency or time frame (for example, "the IT manager reviews privileged access quarterly").
Controllers: Under GDPR, an organization that determines why and how personal data is processed (typically the organization that collects it from individuals).
Corrective Action: The activities that are undertaken by an organization to get a nonconformity back into conformance.
Covered Entity: For HIPAA, a health plan, health care clearinghouse, or health care provider that transmits health information electronically (think hospitals, physician practices, insurers).
D
Document: A document is a written or electronic record that provides evidence of compliance. Examples include employee handbooks and risk assessments.
E
ePHI or Electronic Protected Health Information: For HIPAA, any individually identifiable health information (data that, alone or in combination with other data, can identify a person and relates to their health, care, or payment for care) that is created, stored, or transmitted electronically. Examples: patient name, address, email address, a health record, social security number.
Evidence: Evidence is how an organization proves a control is in place or being performed. Evidence can come in many forms. The most common are system generated reports, system screenshots, change tickets, and policy and procedure documents.
External User: A customer or other user outside your organization who does not work for you.
F
Framework: The set of objectives, principles, and requirements that comprise a certification or attestation requirement. The framework is oftentimes set by a governing body.
G
General: General evidence encompasses broader information about the organization's compliance efforts. This might include management assertions, system descriptions, or overall risk management strategies.
I
Information Asset: Information or data that is of value to an organization (e.g., patient records, employees' information, intellectual property, or company data).
Information Security: Measures, procedures, processes, and technologies that businesses deploy to ensure the confidentiality, integrity, and availability of information.
ISMS or Information Security Management System: The set of policies, processes, controls, and management practices an organization uses to establish, operate, monitor, and continually improve its information security. For ISO/IEC 27001, the ISMS is what gets certified.
Incident: An event that compromises, or threatens to compromise, the confidentiality, integrity, or availability of information or systems. A breach is one kind of incident.
Internal Audit: An assessment of an organization's information security management system (ISMS) as a whole, or of any subset of its controls, performed by people independent of the area being audited (in-house staff or a hired third party). An internal audit program is required as part of a functioning ISMS.
Internal User: An employee, contractor, temp, or vendor that has been granted access to systems inside the network.
M
Managed Services Provider (MSP): An organization that maintains and manages a range of processes (typically IT) on behalf of the customer.
N
Nonconformity: A nonconformity is a failure to meet a requirement, whether an Annex control, a clause of the standard, a regulation, or the organization's own documented process. Nonconformities can be identified by auditors, through incidents, by external parties, and by other means.
O
On-Premises (or "on-prem"): Physical servers, and the logical and physical access to them, are managed by the organization and located on site, typically in a closet or separate area of the office.
Outsource: When an organization contracts a person or company (vendor) to perform certain processes.
P
PIMS or Privacy Information Management System: An extension of the ISMS (defined in ISO/IEC 27701) covering the ongoing management and monitoring of privacy and the processing of personally identifiable information, in addition to information security.
Personal data: Any bit of data (alone or in combination with another bit) that can be used to identify a person. Examples: name, address, email address, photos, social security number. Also referred to as PII or Personally Identifiable Information.
Policy: A policy is a formal document that outlines an organization's rules, guidelines, and procedures for specific areas of operation. For SOC 2, policies establish the framework for implementing data security and act as primary requirements for employees and third-party vendors.
Population: A population refers to the entire set of data or records from which a sample is drawn. For example, the population might include all new hires or all terminated employees during the audit period.
Processors: Under GDPR, an organization that processes personal data on behalf of, and on the documented instructions of, a controller (for example, a payroll provider, an email delivery service, or a cloud host).
Q
Qualified Opinion: A term used by auditors to describe their opinion or conclusion about a company's controls. A qualified opinion means the auditor concluded the controls were largely suitable, except for one or more controls that were not suitably designed or did not operate effectively; the exceptions are described in the report. A qualified opinion does not mean a company failed its audit, but it does signal to readers of the report that specific controls fell short of the auditor's expectations.
R
Risk: The potential for a threat to exploit a vulnerability in an asset and cause an unwanted outcome. A risk is commonly expressed in terms of likelihood and impact and can be written as a what-could-go-wrong statement (e.g., "a departed contractor retains VPN access and exfiltrates customer data").
S
Sample: A sample is a subset of data or records selected from a larger population to demonstrate compliance. Auditors may request samples to verify that controls are operating effectively over a period of time.
Statement of Applicability: An information security management system (ISMS) document required by ISO/IEC 27001 that lists each Annex A control, states whether it is applicable (in scope) or excluded, gives the justification for inclusion or exclusion, and records whether it is implemented. This list is shared with auditors and assessors.
Subprocessor: An organization engaged by a processor to carry out part of the processing of personal data on the processor's behalf (for example, a processor's cloud hosting provider). Under GDPR, engaging a subprocessor requires the controller's authorization.
Subservice Organization: A vendor that provides a critical component of the organization’s in-scope System. For example, an MSP that manages incident response on behalf of your organization would be a subservice organization. Your monitoring or SIEM tool provider would not be a subservice organization, as they are just providing the tool for you to perform incident response; they are not performing the response for you.
T
Test Exception: A deviation in the design or operation of a control found by the auditor during testing (for example, one of 25 sampled terminated employees whose access was not removed on time). Something to avoid, but often unavoidable; the auditor evaluates whether the exceptions are significant enough to affect the opinion.
Threat: A potential cause of an incident that may result in a breach of information security or compromise of operations.
U
Unqualified Opinion: When an auditor finds no significant issues with control design and operation, they issue an unqualified opinion. This is what all organizations strive for and indicates a clean report from the auditor.
