Drata Security and Compliance Glossary

Helpful definitions for the terms you need to know before getting compliance audit-ready.

Join the thousands of companies that trust Drata

Abnormal Logo
BambooHR Logo
BigID Logo
Clearbit Logo
Clearco Logo
Lemonade Logo
Fivetran Logo
Notion Logo
Vercel Logo
Wordpress VIP
Calendly Logo

All Glossary


AICPA is the acronym for the American Institute of Certified Public Accountants. The AICPA is the originator of the SOC (System and Organization Controls) audit and reporting standards.

Approved Scanning Vendor (ASV)

What is an Approved Scanning Vendor (ASV)? Company approved by the PCI SSC to conduct external vulnerability scanning services.

Attestation of Compliance (AOC)

What is Attestation of Compliance (AOC)? The AOC is a form for merchants and service providers to attest to the results of a PCI DSS assessment, as documented in the Self-Assessment Questionnaire or Report on.

Asset-Based Risk Assessment

An asset-based risk assessment is a type of risk assessment that focuses on identifying and evaluating the risks to an organization's assets.

What is CMMC? The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response.

Compliance Automation Software

Compliance automation software monitors a company’s internal systems and controls, helping ensure it complies with required standards and regulations while saving time automating the manual tasks typically associated with compliance.

Compliance Risk Management

Compliance risk management, which is a subset of compliance management, involves identifying, assessing, and monitoring the risks to your enterprise’s compliance with regulations and industry standards, putting internal controls in.


Cybersecurity is the work of protecting data, information, programs, systems, networks, and devices from unauthorized or malicious access and use by external sources on the internet. Cybersecurity programs and policies must consider the interplay.

Cybersecurity Asset Management

Cybersecurity asset management is the process of identifying, classifying, and managing the assets in an organization's information technology (IT).


What is FedRAMP? FedRAMP stands for the “Federal Risk and Authorization Management Program.” FedRAMP standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies. The goal of FedRAMP is to.

What is GDPR? The General Data Protection Regulation (GDPR) 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer.

What is a GRC Tool? Governance, risk, and compliance (GRC) tools allow a company to effectively manage its governance, enterprise risk program, and its compliance with standards and regulations. Benefits of using a GRC tool.

What is a HIPAA Breach? A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by HIPAA regulations.

HIPAA Employee Training

What is HIPAA Employee Training? Organizations and their employees working in or with the healthcare industry are required to protect the security and privacy of the patient information with which they are entrusted.


What are the HIPAA Rules? The Health Insurance Portability and Accountability Act (HIPAA) is composed of a number of standards or rules by which compliance can be monitored.

Internal Security Assessor (ISA)

What is an Internal Security Assessor (QSA)? ISAs are qualified through a PCI SSC training program to conduct PCI assessments on their own organization.

ISO 27001

What is ISO 27001? ISO 27001 is a framework for managing IT security. ISO 27001 is an information security management system (ISMS) that helps keep consumer data safe, and it’s applied by the private sector.

ISO 27001 Security Standard

The ISO/IEC 27001 standard provides requirements for information security management systems (ISMS). The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission.

ISO 27001:2022

ISO 27001:2022, published in September 2022, is an international standard that specifies requirements for an information security management system (ISMS).

ISO 27002:2022

ISO 27002:2022, published in September 2022, is an international standard that provides guidelines for information security management.

ISO 27003:2017

ISO/IEC 27003:2017 is an international standard that provides guidelines for information security management system (ISMS) implementation.

ISO 27004

ISO 27004 is an international standard that provides guidelines for measuring information security.

ISO 27005:2022

ISO 27005:2022, published in September 2022, is an international standard that provides information security risk management guidelines.

ISO 27006

ISO 27006 is an international standard that specifies requirements for the certification of information security management systems (ISMS).

ISO 27007

ISO 27007 is an international standard that provides guidelines for auditing information security management systems (ISMS).

IT Security Policy

What is an IT Security Policy? An information technology (IT) security policy establishes rules and procedures for the individuals who interact with an organization’s IT assets and resources, in order to protect information.


What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a strict set of controls created to make sure companies that accept, process, store or transmit credit card information maintain a secure infrastructure.

Protected Health Information

What is Protected Health Information? Protected health information (PHI) describes health data that is created, received, stored, or transmitted — by electronic media or in any other form or medium — by HIPAA-covered entities.

Qualified Security Assessor (QSA)

What is a Qualified Security Assessor (QSA)? A Qualified Security Assessor is qualified by PCI SSC to perform PCI DSS on-site assessments.

Report on Compliance (ROC)

What is a Report on Compliance (ROC)? Report documenting detailed results from an entity’s PCI DSS assessment. This is issued by a QSA (Qualified Security Assessor) and details an organization’s security posture.

Risk Assessment

What is Risk Assessment? A cyber security risk assessment identifies the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property).

Security Questionnaire

A security questionnaire is a tool that an enterprise may circulate to service organizations to evaluate and validate an organization’s security practices before choosing to do business with that organization.

Self-Assessment Questionnaire (SAQ)

What is Self-Assessment Questionnaire (SAQ)? The Self-Assessment Questionnaire is a reporting tool used to document self-assessment results from an entity’s PCI DSS assessment.

Semi-Quantitative Risk Assessment

A semi-quantitative risk assessment is a type of risk assessment that combines elements of both quantitative and qualitative risk assessments.

What is SOC 1? A Service Organization Control 1 or SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer’s financial statements.

What is SOC 2? Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service criteria” — security, availability, processing integrity, confidentiality and privacy.

SOC 2 Auditor

What is a SOC 2 Auditor? To obtain a SOC 2 audit and report, an organization’s security measures must be reviewed and verified by a certified auditor. Only licensed CPA firms can perform a SOC 2 examination.

What is SOC 3? You can think of a SOC 3 report as a redacted SOC 2 report; the SOC 3 report summarizes the material of a SOC 2 report, but it excludes details of the testing

SOC Reports

What are SOC Reports? A service organization controls (SOC) report is a way to verify that an organization is following specific best practices related to protecting their clients’ data before you outsource a business function.

SOC Trust Services Criteria (TSC)

What are the SOC Trust Services Criteria (TSC)? The Trust Services Criteria (formerly Trust Services Principles) are control criteria utilized to evaluate and report on the suitability of the design and operating effectiveness of controls.


The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).


SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now superseding SSAE 16.

Threat-Based Risk Assessment

A threat-based risk assessment is a type of risk assessment that focuses on the identification and evaluation of the threats to an organization's assets.

Qualitative Risk Assessment

A qualitative risk assessment is a type of risk assessment that involves the evaluation of potential risks based on subjective judgments and expert opinions.

Quantitative Risk Assessment

A quantitative risk assessment is a type of risk assessment that involves the use of mathematical and statistical methods to estimate the likelihood and impact of potential risks.

Vendor Assessment

What is Vendor Assessment? Vendor assessment describes an organization’s program of assessing its vendors’ management of that organization’s information, and whether vendors are implementing and maintaining appropriate security controls.

Vendor Management Policy

What is a Vendor Management Policy? A vendor management policy is an important component of an organization’s larger compliance risk management strategy.

Vendor Review

Vendor review is a process by which an organization can understand the potential risks of utilizing a vendor’s product or service, as well as an ongoing process to ensure that quality security practices are being maintained in an ongoing fashion.

Vulnerability Management

What is Vulnerability Management? Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them.

Vulnerability-Based Risk Assessment

A vulnerability-based risk assessment focuses on the identification and evaluation of vulnerabilities in an organization's systems, networks, and processes.

Automate Your Journey

Drata's platform experience is designed by security and compliance experts so you don't have to be one.


Easily integrate your tech stack with Drata.


Pre-map auditor validated controls.


Begin automating evidence collection.

Put Compliance on Autopilot

Close more sales and build trust faster while eliminating hundreds of hours of manual work to maintain compliance.