
Your Security and Compliance Glossary

Helpful definitions of all of the terms you need to know before getting compliance audit-ready.


AICPA

AICPA is the acronym for the American Institute of Certified Public Accountants. The AICPA is the originator of the SOC (System and Organization Controls) audit and reporting standards.


CMMC

What is CMMC? The Cybersecurity Maturity Model Certification (CMMC) is a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. The CMMC is the DoD’s response

Compliance Risk Management

What is Compliance Risk Management? Compliance risk management, which is a subset of compliance management, involves identifying, assessing, and monitoring the risks to your enterprise’s compliance with regulations and industry standards, putting internal controls in



Cybersecurity

What is Cybersecurity? Cybersecurity is the work of protecting data, information, programs, systems, networks, and devices from unauthorized or malicious access and use by external sources on the internet. Cybersecurity programs and policies must consider the interplay


FedRAMP

What is FedRAMP? FedRAMP stands for the “Federal Risk and Authorization Management Program.” FedRAMP standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies. The goal of FedRAMP is to


GDPR

What is GDPR? The General Data Protection Regulation (GDPR) 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer


GRC Tool

What is a GRC Tool? Governance, risk, and compliance (GRC) tools allow a company to effectively manage its governance, enterprise risk program, and its compliance with standards and regulations. Benefits of using a GRC tool


HIPAA

What is HIPAA? HIPAA is the acronym for the Health Insurance Portability and Accountability Act passed by Congress in 1996. HIPAA helps by: Providing the ability to transfer and continue health insurance coverage for millions

HIPAA Breach

What is a HIPAA Breach? A HIPAA breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by HIPAA regulations, which compromises the security or


HIPAA Employee Training

What is HIPAA Employee Training? Organizations and their employees working in or with the healthcare industry are required to protect the security and privacy of the patient information with which they are entrusted. The HIPAA Rules were



HIPAA Rules

What are the HIPAA Rules? The Health Insurance Portability and Accountability Act (HIPAA) is composed of a number of standards or rules by which compliance can be monitored. HIPAA Rules include the Privacy, Security, and Breach Notification

ISO 27001

What is ISO 27001? ISO 27001 is a framework for managing IT security. ISO 27001 is an information security management system (ISMS) that helps keep consumer data safe, and it’s applied by the private sector


ISO 27001 Security Standard

What is the ISO 27001 Security Standard? The ISO/IEC 27001 standard provides requirements for information security management systems (ISMS). The standard is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission


IT Security Policy

What is an IT Security Policy? An information technology (IT) security policy establishes rules and procedures for the individuals who interact with an organization’s IT assets and resources, in order to protect information and IT



PCI DSS

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a strict set of controls created to make sure companies that accept, process, store or transmit credit card information maintain a secure

Risk Assessment

What is Risk Assessment? A cyber security risk assessment identifies the information assets that could be affected by a cyber attack (such as hardware, systems, laptops, customer data and intellectual property). It then identifies the


Security Questionnaire

What is a Security Questionnaire? A security questionnaire is a tool that an enterprise may circulate to service organizations to evaluate and validate an organization’s security practices before choosing to do business with that organization.



SOC 1

What is SOC 1? A Service Organization Control 1 or SOC 1 report is documentation of the internal controls that are likely to be relevant to an audit of a customer’s financial statements. There are


SOC 2

What is SOC 2? Developed by the American Institute of CPAs (AICPA), SOC 2 defines criteria for managing customer data based on five “trust service criteria” — security, availability, processing integrity, confidentiality and privacy. SOC

SOC 2 Auditor

What is a SOC 2 Auditor? To obtain a SOC 2 audit and report, an organization’s security measures must be reviewed and verified by a certified auditor. Only licensed CPA firms can perform a SOC 2 examination.



SOC 3

What is SOC 3? You can think of a SOC 3 report as a redacted SOC 2 report; the SOC 3 report summarizes the material of a SOC 2 report, but it excludes details of the testing

SOC Reports

What are SOC Reports? A service organization controls (SOC) report is a way to verify that an organization is following specific best practices related to protecting their clients’ data before you outsource a business function



SSAE 16

What is SSAE 16? The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the American Institute of Certified


SSAE 18

What is SSAE 18? SSAE 18 is a series of enhancements aimed to increase the usefulness and quality of SOC reports, now superseding SSAE 16. The changes made to the standard this time around will require

Vendor Assessment

What is Vendor Assessment? Vendor assessment describes an organization’s program of assessing its vendors’ management of that organization’s information, and whether vendors are implementing and maintaining appropriate security controls. A vendor assessment program will establish


Vendor Review

What is Vendor Review? Vendor review is a process by which an organization can understand the potential risks of utilizing a vendor’s product or service, as well as an ongoing process to ensure that quality


Vulnerability Management

What is Vulnerability Management? Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside other security tactics, is
