TrustsComply


Compliance glossary

Plain-language definitions for terms you'll see across audits, frameworks, and TrustsComply. Bookmark this page—we'll keep expanding it.

Control
A safeguard or requirement you implement, and produce evidence for, to satisfy a framework requirement (e.g. periodic access reviews, centralized logging, encryption of data at rest and in transit).
Evidence
Artifacts that show a control is in place and operating—policies, screenshots, tickets, configs, logs, or signed attestations. Evidence should be dated and cover the period under review, not just the day it was collected.
Audit readiness
The state where controls are implemented, evidence is organized, and gaps are tracked so an audit can proceed smoothly.
Framework
A structured set of requirements (e.g. SOC 2, ISO 27001) your organization maps controls and evidence against.
SOC 2
A voluntary attestation report, issued by a licensed CPA firm against the AICPA Trust Services Criteria, on a service organization's controls for security and, optionally, availability, processing integrity, confidentiality, and privacy. A Type I report covers control design at a point in time; a Type II report also covers operating effectiveness over a period.
ISO 27001
An international standard for establishing, implementing, and improving an information security management system (ISMS).
HIPAA
U.S. federal law, together with its Privacy, Security, and Breach Notification Rules, governing protected health information (PHI), including required administrative, physical, and technical safeguards.
NIST AI RMF
A voluntary framework published by NIST for governing, mapping, measuring, and managing risks related to artificial intelligence systems.
Risk register
A living list of identified risks, owners, likelihood/impact, and mitigation or acceptance decisions.
Continuous compliance
Ongoing monitoring and evidence collection so posture stays current—not only during audit season.
