Reference
Compliance & Cybersecurity Glossary
This glossary defines 45+ of the most common compliance and cybersecurity terms in plain English — from SOC 2 and ISO 27001 to the DPDP Act, HIPAA, GDPR, and VAPT. Each definition is written the way a certified auditor would explain it to a client, with links to deeper guidance where Tranquility Cybersecurity (TCSA) has it.
Last reviewed: June 2026. 45 terms across SOC, ISO, privacy, security testing, and audit.
A
- AIMS (Artificial Intelligence Management System) [ISO]
- The governance system defined by ISO/IEC 42001 for managing the risks and obligations that come with building or deploying AI. It sets out policies, roles, and controls so an organisation can show its AI is developed and operated responsibly.
- Annex A Controls [ISO]
- The catalogue of 93 information-security controls listed in Annex A of ISO/IEC 27001:2022, grouped into organisational, people, physical, and technological themes. An organisation selects the controls relevant to its risks and records that choice in the Statement of Applicability.
- Attestation [General Audit]
- An engagement in which an independent CPA examines a subject matter — such as a set of controls — and issues an opinion on it. SOC 1, SOC 2, and SOC 3 are attestation reports: the auditor attests to management's description and the operating effectiveness of controls, rather than awarding a pass/fail certificate.
B
- BAA (Business Associate Agreement) [Privacy & Data Protection]
- A contract required under HIPAA between a covered entity and any vendor (a "business associate") that handles protected health information on its behalf. It binds the vendor to safeguard PHI and to report breaches, extending HIPAA obligations down the supply chain.
C
- CERT-In (Indian Computer Emergency Response Team) [Testing & Security]
- India's national agency for responding to cybersecurity incidents, operating under the Ministry of Electronics and Information Technology. Its April 2022 directions require covered entities to report specified incidents within six hours of noticing them and to retain system logs for a rolling 180 days within India, and certain regulatory audits are expected to be performed by CERT-In empanelled assessors.
- Consent Manager [Privacy & Data Protection]
- Under India's DPDP Act, a registered intermediary that lets a Data Principal give, manage, review, and withdraw consent through a single, interoperable platform. It acts on the individual's behalf and is accountable to the Data Protection Board.
- Control [General Audit]
- A safeguard or measure — technical, administrative, or physical — put in place to reduce a specific risk, such as enforcing multi-factor authentication or reviewing access quarterly. Compliance frameworks are essentially structured sets of controls that an auditor tests for design and operating effectiveness.
D
- Data Fiduciary [Privacy & Data Protection]
- Under India's DPDP Act, the person or organisation that determines the purpose and means of processing personal data — the rough equivalent of a "controller" under GDPR. The Data Fiduciary carries the primary accountability for lawful processing and for honouring Data Principal rights.
- Data Principal [Privacy & Data Protection]
- Under India's DPDP Act, the individual to whom the personal data relates — the equivalent of a "data subject" under GDPR. Data Principals have rights to access, correction, erasure, and grievance redressal.
- DPDP Act (Digital Personal Data Protection Act, 2023) [Privacy & Data Protection]
- India's comprehensive data-protection law governing the processing of digital personal data, built around consent, purpose limitation, and accountability. It introduces the roles of Data Fiduciary and Data Principal and is enforced by the Data Protection Board of India.
- DPIA (Data Protection Impact Assessment) [Privacy & Data Protection]
- A structured assessment of how a planned processing activity could affect individuals' privacy, used to identify and mitigate risks before processing begins. It is mandatory under GDPR (Article 35) for processing likely to result in a high risk to individuals, and the DPDP Act requires Significant Data Fiduciaries to carry one out periodically.
E
- Evidence [General Audit]
- The records an auditor collects to confirm a control was actually operating — screenshots, configuration exports, tickets, policy documents, access logs, and the like. In a Type II engagement, evidence must show the control ran consistently across the entire observation window, not just on the day of testing.
G
- Gap Assessment [General Audit]
- A structured comparison of an organisation's current state against the requirements of a target framework, producing a list of "gaps" to remediate before a formal audit. It is the usual first step in any certification or attestation project.
- GDPR (General Data Protection Regulation) [Privacy & Data Protection]
- The European Union's data-protection regulation governing how personal data of individuals in the EU and EEA is collected, processed, and transferred. It applies extraterritorially: organisations established outside Europe are also bound by it when they offer goods or services to individuals in the EU or monitor their behaviour.
H
- HIPAA (Health Insurance Portability and Accountability Act) [Privacy & Data Protection]
- A United States federal law that sets national standards for protecting individuals' health information held by healthcare providers, health plans, and their vendors. Its Privacy Rule and Security Rule together govern how protected health information is used, disclosed, and safeguarded.
I
- ISMS (Information Security Management System) [ISO]
- The framework of policies, processes, roles, and controls an organisation uses to manage information-security risk in a systematic, repeatable way. ISO/IEC 27001 is the standard against which an ISMS is certified.
- ISO/IEC 27001 [ISO]
- The leading international standard for an information security management system (ISMS), specifying requirements for establishing, operating, and continually improving information security. Certification is issued by an accredited certification body after a successful Stage 1 and Stage 2 audit.
- ISO/IEC 27701 [ISO]
- An extension to ISO/IEC 27001 that adds privacy-specific requirements and controls, turning an ISMS into a Privacy Information Management System (PIMS). It helps organisations demonstrate alignment with privacy laws such as GDPR and the DPDP Act.
- ISO/IEC 42001 [ISO]
- The first international management-system standard for artificial intelligence, published in 2023, defining requirements for an AI Management System (AIMS). It helps organisations govern AI responsibly and map to obligations such as the EU AI Act.
N
- Nonconformity [General Audit]
- A failure to meet a requirement of a standard, identified during an ISO audit. Major nonconformities must be resolved before certification can be granted, while minor ones require a corrective-action plan and are verified at the next audit.
O
- Observation Window [General Audit]
- The period — typically three to twelve months — over which an auditor evaluates whether controls operated effectively in a SOC 2 Type II engagement. Evidence must demonstrate the controls ran consistently throughout this window, also called the audit or review period.
P
- PCI DSS (Payment Card Industry Data Security Standard) [Testing & Security]
- A security standard maintained by the PCI Security Standards Council that applies to any organisation storing, processing, or transmitting payment-card data. It defines technical and operational requirements, and the validation method scales with annual transaction volume: smaller merchants typically complete a Self-Assessment Questionnaire (SAQ), while the largest undergo a Report on Compliance (ROC) performed by a Qualified Security Assessor (QSA).
- Penetration Testing [Testing & Security]
- A controlled, authorised simulation of a real-world attack in which a tester actively attempts to exploit weaknesses to gauge their real impact. Unlike an automated scan, it adds manual exploitation and business-logic testing to show what an attacker could actually achieve.
- PHI (Protected Health Information) [Privacy & Data Protection]
- Any individually identifiable health information — diagnoses, treatments, payment records, and identifiers — that is protected under HIPAA. Safeguarding PHI in every form, electronic or otherwise, is the central obligation HIPAA places on covered entities and their business associates.
- PIMS (Privacy Information Management System) [ISO]
- The privacy-management framework established by ISO/IEC 27701, layered on top of an ISO 27001 ISMS. It adds the controls and accountability needed to manage personally identifiable information as a controller or processor.
- Privacy Rule (HIPAA) [Privacy & Data Protection]
- The HIPAA standard that governs how protected health information may be used and disclosed, and that gives individuals rights over their own health data. It sets the "what and when" of PHI sharing, complementing the Security Rule's focus on safeguards.
R
- RBI Cybersecurity Framework [Testing & Security]
- A set of cybersecurity directions issued by the Reserve Bank of India for banks, NBFCs, and other regulated entities, covering governance, controls, incident reporting, and resilience. The depth of expected controls scales with the size and risk profile of the institution.
- Readiness Assessment [General Audit]
- A pre-audit review that tests whether an organisation's controls and evidence would withstand a formal audit, so issues can be fixed in advance. It is broader than a gap assessment, often including a dry run of control testing.
- Risk Assessment [General Audit]
- The process of identifying threats to an organisation's information assets, then analysing and prioritising them by likelihood and impact. It is a mandatory foundation of ISO 27001 and feeds directly into the risk-treatment plan and the Statement of Applicability.
- Risk Treatment [General Audit]
- The decision and action taken on each identified risk — mitigate it with controls, transfer it (for example via insurance), avoid the activity, or formally accept it. The chosen approach for every risk is documented in a risk-treatment plan.
- RoPA (Record of Processing Activities) [Privacy & Data Protection]
- A documented inventory of all the ways an organisation processes personal data — the purposes, categories of data and individuals, recipients, and transfers. Maintaining a RoPA is an explicit accountability requirement under Article 30 of the GDPR.
S
- Security Rule (HIPAA) [Privacy & Data Protection]
- The HIPAA standard that requires administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). Where the Privacy Rule governs use and disclosure, the Security Rule governs how ePHI is technically and operationally secured.
- Significant Data Fiduciary (SDF) [Privacy & Data Protection]
- A class of Data Fiduciary that the Indian government may designate based on factors such as the volume and sensitivity of data processed and the risk to individuals. An SDF carries heavier obligations, including appointing a Data Protection Officer based in India, appointing an independent data auditor, and undertaking periodic Data Protection Impact Assessments and audits.
- SOC 1 [SOC]
- An attestation report on a service organisation's controls that are relevant to its clients' financial reporting — for example, a payroll or transaction-processing provider. It is governed by SSAE 18 and is read mainly by auditors of the client's financial statements.
- SOC 2 [SOC]
- An attestation report on a service organisation's controls relevant to security, availability, processing integrity, confidentiality, and privacy — the Trust Services Criteria. It is the de facto trust standard for SaaS and cloud providers and is typically requested by enterprise customers during procurement.
- SOC 3 [SOC]
- A short, general-use version of a SOC 2 report that can be shared publicly, for example on a marketing website. It conveys the auditor's opinion and a system overview without the detailed control descriptions and test results found in a SOC 2.
- SSAE 18 (Statement on Standards for Attestation Engagements No. 18) [SOC]
- The AICPA attestation standard under which SOC engagements are performed in the United States; SOC 1 reports in particular are issued under its AT-C section 320. It introduced stricter requirements around monitoring sub-service organisations and around the completeness and accuracy of the information produced by the entity and relied on in testing.
- Statement of Applicability (SoA) [ISO]
- A mandatory ISO 27001 document that lists every Annex A control, states whether it applies, and justifies each inclusion or exclusion. It is the auditable bridge between an organisation's risk assessment and the controls it has actually implemented.
- Surveillance Audit [General Audit]
- A lighter-touch audit conducted by the certification body in the years between the initial ISO certification and its three-year recertification, usually annually. It confirms the management system is still operating effectively and being improved.
T
- Trust Services Criteria (TSC) [SOC]
- The five categories defined by the AICPA against which SOC 2 controls are evaluated: security, availability, processing integrity, confidentiality, and privacy. Security (the "common criteria") is always in scope; the other four are included only if relevant to the service.
- Type I [SOC]
- A SOC report that evaluates whether controls are suitably designed and in place at a single point in time. It is faster to obtain than a Type II but offers weaker assurance, because it does not test whether the controls actually operated over a period.
- Type II [SOC]
- A SOC report that evaluates whether controls were both suitably designed and operating effectively across an observation window, typically three to twelve months. It is the report enterprise customers most often require, because it evidences sustained control performance.
V
- VAPT (Vulnerability Assessment and Penetration Testing) [Testing & Security]
- A combined security exercise that pairs broad automated vulnerability scanning with targeted manual penetration testing. The assessment finds and catalogues weaknesses, while the penetration test verifies which ones are genuinely exploitable.
- vCISO (Virtual Chief Information Security Officer) [General Audit]
- An experienced security leader engaged on a part-time or fractional basis to set strategy, own the security programme, and provide executive accountability — without the cost of a full-time hire. It is a common model for startups and mid-market firms building compliance for the first time.
- vDPO (Virtual Data Protection Officer) [Privacy & Data Protection]
- A fractional Data Protection Officer who provides the independent privacy oversight required or expected under laws such as GDPR and the DPDP Act. The vDPO advises on compliance, monitors processing, and acts as the contact point for regulators and data subjects.
Glossary FAQs
Quick answers to the questions readers ask most when comparing these frameworks.
What's the difference between SOC 2 and ISO 27001?
Both demonstrate strong information security, but they differ in form and audience. ISO 27001 is an international certification of a management system (an ISMS), awarded by an accredited certification body and recognised worldwide. SOC 2 is an attestation report written by a CPA against the Trust Services Criteria, and it is the format most commonly requested by enterprise customers in North America. Many organisations pursue both, because an ISO 27001 ISMS supplies much of the control foundation a SOC 2 examines.
What is an attestation versus a certification?
A certification (such as ISO 27001) is a pass/fail determination by an accredited body that your system conforms to a published standard, resulting in a certificate. An attestation (such as SOC 2) is an independent CPA's opinion on a defined subject matter — typically your controls and how they operated — resulting in a detailed report rather than a certificate. In short, certification says "you meet the standard," while attestation says "here is my examined opinion on your controls."
What's the difference between SOC 2 Type I and Type II?
A Type I report assesses whether controls are suitably designed and in place at a single point in time, while a Type II report assesses whether those controls also operated effectively across an observation window — usually three to twelve months. Type I is quicker to obtain and is often a stepping stone, but Type II provides stronger assurance and is what most enterprise customers ultimately require.
What is the difference between a vulnerability assessment and penetration testing?
A vulnerability assessment uses automated scanning to identify and catalogue known weaknesses broadly across your systems. Penetration testing goes further: a tester manually attempts to exploit selected weaknesses to prove real-world impact and uncover issues — such as business-logic flaws — that scanners miss. VAPT combines both for breadth and depth.