The American Institute of Certified Public Accountants (AICPA) oversees the System and Organization Controls (SOC) attestation standards and reporting framework used for compliance auditing and reporting.

Attestation of Compliance (AOC) »

An Attestation of Compliance (AOC) is a form used by merchants and service providers to document their compliance with the Payment Card Industry Data Security Standard (PCI DSS).

California Consumer Privacy Act »

The California Consumer Privacy Act (CCPA) expands California's data privacy provisions to increase protection of consumer information.

Compliance as a Service »

Compliance as a service (CaaS) combines cloud-based software and services that enable compliance without prohibitive capital investments.

Compliance Automation Software »

Compliance automation software uses automation to ease and improve compliance with best practices, regulations, and standards.

Compliance Risk Management »

Compliance risk management is the identification, assessment, mitigation, and monitoring of the risks of non-compliance with key regulations and standards.

Comprehensive Assessment »

Comprehensive assessment provides detailed information about an organization's adherence to the SOC 2 Trust Services Criteria.

Controls »

Controls are the policies, procedures, processes, and systems employed to meet specific requirements or criteria, such as those for SOC 2 compliance.

Cybersecurity »

Cybersecurity is the coordinated management of people, processes, and technologies in ways that maximize protection of information systems and data from threats and unauthorized access.

GRC »

GRC is an acronym for "governance, risk, and compliance" that refers to a consolidated approach to these three critical elements of business management and operations.

Information Security Management System (ISMS) »

An information security management system (ISMS) is a systematic approach to managing information security and customer data protection.

ISMS Governing Body »

A team of senior leaders within an organization responsible for management of that organization's information security management system (ISMS).

ISO 27001 »

ISO 27001 (formally ISO/IEC 27001) is an International Organization for Standardization (ISO) standard that specifies the requirements for an information security management system, designed to reduce risks to information systems and customer data.

ISO 27001 Annex A Controls »

The reference set of security controls in Annex A of ISO 27001 against which an organization builds its ISO 27001-compliant security program. The 2013 edition lists 114 controls in 14 domains; the 2022 edition consolidates them into 93 controls in four themes. An organization does not simply pick from the list: each Annex A control must be either applied or explicitly excluded with a justification recorded in the Statement of Applicability.

ISO 27001 Security Standard »

The ISO 27001 Security Standard defines information security management system (ISMS) requirements and best practices for their management.

Pen Testing »

Pen testing (penetration testing) is an authorized, simulated attack against an information infrastructure used to determine how vulnerable it is to unauthorized access and what an attacker could reach once inside.

Policies »

Policies are formal declarations of how a company addresses specific elements of information system security and compliance with regulations and standards.

Risk Assessment »

Risk assessment is a detailed evaluation of the risks that could affect all elements of the business information infrastructure, with a focus on information systems and critical data.

Security Questionnaire »

A security questionnaire is a tool enterprises use to evaluate the security practices of current and potential business partners.

SOC 1 »

SOC 1 audits focus on the controls at a service organization that are relevant to its customers' financial reporting (internal control over financial reporting). They address a different scope from SOC 2, which covers the Trust Services Criteria, and are sometimes conducted as a first step toward a broader SOC program.

SOC 2 »

SOC 2 audits focus on detailed assessments of the controls and policies intended to protect customer data, measured against the AICPA Trust Services Criteria. A Type I report evaluates the design of controls at a point in time; a Type II report also tests their operating effectiveness over a review period (commonly six to twelve months).

SOC 2 Auditor »

A SOC 2 auditor is an independent CPA, licensed to perform attestation engagements, who assesses and reports on the controls in place at a service organization and how effectively those controls meet the applicable Trust Services Criteria.

SOC 2+ »

A SOC 2+ report addresses multiple industry standards and regulations beyond the AICPA's System and Organization Controls (SOC) framework.

SOC 3 »

A SOC 3 report is a general-use summary of a SOC 2 examination: it states the auditor's opinion but omits the detailed description of controls and test results, so it can be distributed publicly (for example, on a website) rather than only to customers under NDA.

SOC Reports »

SOC reports document the results of audits of an organization's compliance with the AICPA's System and Organization Controls (SOC) recommendations and standards.

SOC Trust Services Criteria (TSC) »

Five Trust Services Criteria -- Security, Availability, Processing Integrity, Confidentiality, and Privacy -- make up the foundation of the AICPA's System and Organization Controls (SOC) framework, including SOC 2. Security (the "common criteria") is required in every SOC 2 examination; the other four are included according to the service organization's commitments to its customers.

SSAE 16 »

SSAE 16 is the Statement on Standards for Attestation Engagements No. 16, an AICPA-developed attestation standard (with guidance for applying it) under which SOC reports were formerly issued; it has since been superseded by SSAE 18.

SSAE 18 »

SSAE 18 is the Statement on Standards for Attestation Engagements No. 18, the current successor to SSAE 16, effective for reports dated on or after May 1, 2017. SOC 1, SOC 2, and SOC 3 reports are now issued under SSAE 18.

Statement of Applicability (SoA) »

A Statement of Applicability (SoA) maps an organization's ISMS to the ISO 27001 Annex A control set, listing for each control whether it is applicable, whether it has been implemented, and the justification for including or excluding it. It is a required ISO 27001 document and a primary artifact reviewed during certification audits.

Vendor Assessment »

Vendor assessment is evaluation of the security practices of current and potential vendors.

Vendor Management Policy »

A company's vendor management policy details the security requirements all third-party vendors and business partners must meet.

Vulnerability Management »

Vulnerability management is the ongoing process of identifying, classifying, prioritizing, remediating, and verifying the remediation of vulnerabilities in an information system, focusing effort on the elements most likely to be subject to a cybersecurity threat or attack.