Cyber IT audits involve many different moving pieces, and a lot of terminology comes with them. A basic understanding of this area is nonetheless critical for compliance and security leaders. We put together this glossary so the terminology is easier to follow when it’s time for your next audit.
Core security principles & architecture
Accountability
Accountability refers to the ability to trace actions or decisions back to a specific individual or system. It ensures that users understand their responsibilities and can be held answerable for their activities. Strong accountability relies on logging, monitoring, and defined roles — all of which auditors evaluate to ensure compliance and operational integrity.
Availability
Availability refers to ensuring that systems, data, and services remain accessible and functional when needed. It is one of the core principles of information security, alongside confidentiality and integrity. Compliance frameworks evaluate availability through controls like redundancy, backup strategies, and disaster recovery planning.
Confidentiality
Confidentiality ensures that information is accessible only to authorized individuals and systems. It is one of the core pillars of information security and is enforced through measures like access control, encryption, and data classification. Many compliance frameworks require organizations to demonstrate how they safeguard confidential data.
Integrity
Integrity refers to ensuring information remains accurate, complete, and unaltered except by authorized actions. Controls supporting integrity include hashing, change tracking, version control, and access restrictions. Compliance frameworks require integrity protections to prevent tampering and maintain trust in data and systems.
Defense in Depth
Defense in depth is a layered security approach involving multiple, redundant controls to protect systems and data. Examples include combining firewalls, MFA, network segmentation, monitoring, and endpoint protections. This strategy reduces single points of failure and is widely recommended in security frameworks.
Security Architecture
Security architecture defines the structure, components, and design principles that govern how an organization secures its systems and data. It includes network design, access models, technology choices, and control implementation. Auditors review architecture to ensure it aligns with best practices and adequately mitigates risks.
Governance, Risk & Compliance (GRC)
Compliance
Compliance is the process of adhering to laws, regulations, frameworks, standards, or internal policies. It helps organizations manage risk, protect data, and build trust with customers and regulators. Security audits validate whether compliance requirements are met and consistently maintained.
Governance, Risk, and Compliance (GRC)
GRC is the integrated approach organizations use to align governance practices, manage risks, and meet compliance requirements. Modern GRC programs include policies, controls, assessments, and reporting workflows. Auditors evaluate GRC maturity to determine whether processes are structured and consistently applied across the organization.
Governance Framework
A governance framework defines how an organization makes decisions, assigns responsibility, and ensures accountability across IT and security functions. Examples include COBIT, ISO governance standards, and internal governance models. Effective governance strengthens audit readiness by demonstrating structured oversight and risk management.
Risk Assessment / Risk Analysis / Risk Management
A risk assessment identifies and evaluates risks to systems, processes, and data, while risk analysis determines their likelihood and potential impact. Risk management encompasses the ongoing process of treating, monitoring, and reviewing risks. Auditors examine these activities to ensure risks are systematically identified and managed in accordance with frameworks like ISO 27001 and NIST.
Risk Appetite / Risk Tolerance
Risk appetite defines the amount and type of risk an organization is willing to accept to achieve its objectives, while risk tolerance sets specific, measurable thresholds for acceptable variation. These concepts guide decision-making and control design. Auditors review risk appetite and tolerance to ensure governance processes are aligned with business strategy and regulatory expectations.
Risk Register
A risk register is a centralized document or system that tracks identified risks, their owners, impacts, likelihood, and mitigation strategies. It provides visibility into risk status and supports informed decision-making. Auditors use the risk register to evaluate whether risks are actively monitored and addressed.
Inherent Risk
Inherent risk is the level of risk that exists before any controls or mitigating measures are applied. It reflects how exposed an organization would be based purely on its processes, systems, and threat landscape. Auditors use inherent risk to determine the necessary strength and frequency of control testing.
Residual Risk
Residual risk is the level of risk that remains after controls and mitigation measures have been applied. It reflects the organization’s accepted exposure based on business needs and practical limitations. Auditors assess residual risk to determine whether it aligns with documented risk appetite and governance expectations.
Security Posture
Security posture represents the overall strength of an organization’s security controls, processes, and readiness to defend against threats. It encompasses technology, governance, people, and practices. Auditors assess posture to determine how well an organization protects sensitive information and manages risk.
Metrics / Security Metrics
Security metrics quantify the effectiveness of security controls, processes, and risk management efforts. Examples include patching timelines, incident response speed, or MFA adoption rates. Auditors evaluate whether metrics are defined, measured, and used for continuous improvement.
Key Performance Indicator (KPI) / Key Risk Indicator (KRI)
KPIs measure performance against business or operational goals, while KRIs measure signals that indicate increased risk or emerging threats. Both help organizations monitor effectiveness and anticipate issues before they become incidents. Auditors review KPI/KRI programs to gauge control effectiveness and governance maturity.
CSF (Cybersecurity Framework)
A Cybersecurity Framework provides structured guidance on managing security risks, typically through categories like Identify, Protect, Detect, Respond, and Recover. The most widely used CSF is NIST’s Cybersecurity Framework. Organizations use CSFs to build balanced security programs that align with auditor expectations.
Security Controls Frameworks (e.g. NIST, CIS, ISO 27001)
Security control frameworks provide structured sets of security requirements and best practices for managing risk and protecting information. Organizations use frameworks like NIST SP 800-53, CIS Controls, and ISO 27001 to guide their security programs. Auditors rely on these frameworks to measure control effectiveness and compliance.
COBIT
COBIT (Control Objectives for Information and Related Technologies) is a governance and management framework for enterprise IT. It provides best practices for aligning technology with business goals while managing risk and compliance. Organizations use COBIT to strengthen governance and support audit readiness.
ISO 27001
ISO 27001 is the leading international standard for Information Security Management Systems (ISMS). It establishes requirements for managing security risks, implementing controls, and continuously improving security practices. Certifications require independent audits and are widely requested by customers and partners to validate security posture.
ISO 27005
ISO 27005 is an international standard providing guidance on information security risk management within the ISO 27001 framework. It outlines processes for identifying, assessing, and treating risk. Organizations use ISO 27005 to structure risk programs, and auditors reference it to evaluate risk management discipline.
ISO 22301
ISO 22301 is the global standard for Business Continuity Management Systems (BCMS). It defines requirements for planning, maintaining, and testing continuity and recovery capabilities. Auditors review ISO 22301-aligned processes to verify that organizations can continue operations during major disruptions.
ISO 42001
ISO 42001 establishes requirements for implementing and governing AI management systems, addressing AI-specific risks such as transparency, fairness, and security. As AI adoption grows, organizations use this standard to demonstrate responsible and compliant AI usage. Auditors evaluate whether AI systems follow documented controls and governance practices.
NIST SP 800-53
NIST Special Publication 800-53 provides a comprehensive catalog of security and privacy controls for federal information systems and critical infrastructure. It is widely used beyond government environments due to its depth and structure. Auditors reference 800-53 when evaluating control strength, coverage, and maturity.
SP 800-37
NIST SP 800-37 outlines the Risk Management Framework (RMF), providing guidance for integrating security and risk management into system development and operations. It emphasizes continuous monitoring, authorization, and lifecycle security governance. Auditors reference 800-37 when evaluating risk management maturity and system authorization processes.
Identity, Access & Privileged Management
Access Control
Access control is the process of regulating who can view or use information, systems, or physical spaces. It ensures that only authorized individuals can perform specific actions, reducing the risk of unauthorized access or data misuse. In security audits, access control is a core principle used to validate whether organizations protect sensitive assets according to policy and compliance requirements.
Access Control List (ACL)
An Access Control List is a table that assigns permissions to users, systems, or processes for specific resources such as files, databases, or network interfaces. ACLs determine what actions (read, write, execute, delete) are allowed and by whom. Auditors review ACLs to confirm that access rights are appropriate, periodically reviewed, and aligned with the principle of least privilege.
Access Review / User Access Review (UAR)
A User Access Review is the periodic evaluation of user permissions to ensure access levels remain appropriate based on role, employment status, and business needs. UARs help identify excessive, outdated, or orphaned permissions that could create risk. Many frameworks (SOC 2, ISO 27001, HIPAA) require regular access reviews to maintain a strong security posture.
Authorization
Authorization is the process of granting approved users or systems access to specific resources based on policies or roles. It typically follows authentication and ensures individuals only perform actions aligned with their responsibilities. Strong authorization controls reduce the likelihood of privilege misuse and are essential for audit compliance.
Identity & Access Management (IAM)
Identity & Access Management is the framework of policies, technologies, and processes used to ensure the right individuals have the right access at the right time. IAM covers identity creation, authentication, authorization, and lifecycle management. Auditors view IAM as foundational, since weak identity controls often lead to significant security and compliance failures.
Credential Management
Credential management involves the secure handling of passwords, keys, certificates, and authentication tokens throughout their lifecycle. It includes creation, storage, rotation, revocation, and monitoring for misuse. Strong credential management reduces the risk of unauthorized access and credential-based attacks.
Password Policy
A password policy defines requirements for creating, storing, and managing passwords, such as minimum length, complexity, expiration, and reuse restrictions. Strong password policies help prevent unauthorized access and credential-based attacks. Auditors examine password policy enforcement across systems and integrations to verify consistent application.
Least Privilege
Least privilege is the principle of granting users the minimum access necessary to perform their job functions. It reduces the risk of misuse, credential compromise, and lateral movement by attackers. Auditors often test least-privilege adherence through access reviews and role-based access evaluations.
Role-Based Access Control (RBAC)
RBAC assigns permissions to users based on job roles rather than individual identities. It simplifies access management and supports least-privilege principles. Auditors frequently review RBAC configurations, role definitions, and provisioning workflows to ensure access rights align with responsibilities.
Segregation of Duties (SoD)
Segregation of Duties ensures no single individual has control over multiple steps of a critical process, reducing the risk of fraud, error, or misuse. Examples include separating development from production access or dividing approval responsibilities. Auditors frequently test SoD to verify proper oversight and risk reduction.
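The access-review, least-privilege, RBAC and SoD entries above describe checks an auditor expects to see operating. As an added example that is not part of this glossary or any product, the following Python model puts those checks in one place: permissions come only from roles, authorization denies by default, a conflict table encodes the SoD rules, and a review routine flags orphaned, dormant and over-privileged accounts. The roles, permissions, conflict pairs, users and review date are all constructed sample data.

```python
"""Added example: a small RBAC model with least-privilege authorization,
segregation-of-duties (SoD) conflict detection and a user access review.
Illustrative code, not from the glossary; roles, permissions, conflict
pairs and users below are constructed sample data."""

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Role -> permissions. Each role holds only what that job needs (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer":        {"repo:read", "repo:write", "ci:run"},
    "release_manager":  {"repo:read", "prod:deploy"},
    "finance_clerk":    {"invoice:create"},
    "finance_approver": {"invoice:approve"},
}

# Permission pairs that one identity must never hold together (SoD rules).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("repo:write", "prod:deploy"),          # separate development from production
    ("invoice:create", "invoice:approve"),  # separate request from approval
]


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True                 # False once HR records the person as left
    last_login: Optional[date] = None


def effective_permissions(user: User) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_authorized(user: User, permission: str) -> bool:
    """Deny by default: only an active user with a granting role is allowed."""
    return user.active and permission in effective_permissions(user)


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Conflict pairs that this user's combined roles happen to grant."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def access_review(users: List[User], today: date, dormant_days: int = 90) -> List[Tuple[str, str]]:
    """Flag what a UAR typically surfaces: orphaned, dormant, SoD-conflicting and unknown-role accounts."""
    findings: List[Tuple[str, str]] = []
    for u in users:
        if not u.active and u.roles:
            findings.append((u.name, "orphaned: inactive user still holds roles"))
        if u.active and u.last_login and (today - u.last_login).days > dormant_days:
            findings.append((u.name, f"dormant: no login for more than {dormant_days} days"))
        for a, b in sod_violations(u):
            findings.append((u.name, f"sod: holds both {a} and {b}"))
        for role in sorted(u.roles - set(ROLE_PERMISSIONS)):
            findings.append((u.name, f"unknown role assigned: {role}"))
    return findings


# Constructed review population and review date.
TODAY = date(2024, 6, 1)
USERS = [
    User("alice", {"developer"}, last_login=date(2024, 5, 29)),
    User("bob", {"developer", "release_manager"}, last_login=date(2024, 5, 30)),
    User("carol", {"finance_clerk"}, active=False, last_login=date(2024, 1, 15)),
    User("dave", {"finance_approver"}, last_login=date(2023, 11, 1)),
]

if __name__ == "__main__":
    for name, finding in access_review(USERS, TODAY):
        print(f"{name}: {finding}")
```

Running the review on the sample population flags bob (developer plus release manager violates the dev/prod SoD rule), carol (left the company but still holds a role) and dave (no login in over 90 days); alice is clean. The same output, exported with the review date and reviewer, is the kind of evidence an auditor asks for when testing the access-review control.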
Privileged Access Management (PAM)
PAM is the set of tools and processes used to secure and monitor accounts with elevated permissions, such as administrators or service accounts. It includes credential vaulting, session monitoring, just-in-time access, and strict approval workflows. Auditors review PAM practices closely because privileged accounts pose high security risk if mismanaged.
Privileged Account / Privileged Access
A privileged account is an account with elevated permissions that grant the ability to modify systems, access sensitive data, or administer infrastructure. Improper management of privileged access is a common cause of breaches. Auditors verify that privileged accounts are restricted, monitored, and periodically reviewed.
Multi-Factor Authentication (MFA)
MFA requires users to verify their identity using two or more factors—such as something they know (password), something they have (token), or something they are (biometrics). It significantly reduces the risk of credential compromise. Compliance frameworks frequently require MFA for privileged and remote access due to its strong security impact.
Federated Identity Management (FIM)
Federated Identity Management allows users to authenticate once and access multiple systems across different organizations or domains using shared identity standards. It enhances user experience while reducing password sprawl and administrative overhead. Auditors review FIM implementations to ensure trust relationships are secured and properly governed.
Single Sign-On (SSO)
SSO enables users to authenticate once and gain access to multiple applications without repeated logins. It enhances security by centralizing authentication and reduces password fatigue. Auditors evaluate SSO to ensure identity providers, session controls, and integrations are properly secured.
SAML (Security Assertion Markup Language)
SAML is an open standard used to exchange authentication and authorization information between identity providers and service providers. It enables Single Sign-On (SSO) across applications and domains. Auditors assess SAML configurations to verify secure token handling, assertion validation, and proper access governance.
OAuth
OAuth is an open standard authorization protocol that allows users to grant applications limited access to their data without sharing credentials. It is commonly used for secure API access and third-party integrations. Auditors review OAuth implementations to confirm scopes are restricted, tokens are protected, and permissions are properly governed.
OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that enables secure authentication using standardized tokens. It allows applications to verify user identities provided by trusted identity providers. Auditors review OIDC implementations to ensure token handling, session management, and identity assertions follow security best practices.
Audit & Assurance Concepts
Assessment
An assessment is a systematic evaluation of risks, controls, or security posture against defined criteria. Examples include risk assessments, gap assessments, and compliance readiness assessments. Assessments help organizations identify weaknesses ahead of audits and ensure alignment with frameworks such as SOC 2, ISO 27001, and PCI DSS.
Audit
An audit is an independent examination of an organization’s controls, processes, and documentation to validate compliance with a specific framework or standard. Audits can be internal or external and typically involve evidence collection, testing, and formal reporting. Security audits help organizations build trust with customers, regulators, and partners.
External Audit
An external audit is an independent assessment performed by a third-party auditor to evaluate compliance with a defined standard (e.g., SOC 2, ISO 27001, PCI). External audits provide objective assurance to customers, regulators, and partners. They typically include evidence review, testing, and reporting on control effectiveness.
Internal Audit
An internal audit is an independent, objective evaluation performed by an organization’s own audit function to assess risk management, governance, and internal controls. Internal audits help identify issues early and prepare teams for external audits. They are an important indicator of control maturity and ongoing oversight.
SOC 1 Report
A SOC 1 report evaluates the effectiveness of a service organization’s internal controls over financial reporting. It is typically required when a vendor’s systems or processes affect a customer’s financial statements. Auditors issue either Type I (design only) or Type II (design + operating effectiveness) reports, providing assurance to customers and stakeholders.
SOC 2 Report
A SOC 2 report assesses a service organization’s security, availability, processing integrity, confidentiality, and privacy controls based on the AICPA Trust Services Criteria. It is widely used in SaaS, technology, and cloud-based environments to demonstrate rigorous security and compliance practices. SOC 2 Type II reports, which evaluate operating effectiveness over time, are the most common requirement in the mid-market.
SOC 3 Report
A SOC 3 report is a publicly shareable summary of SOC 2 results that provides high-level assurance without detailed test results or findings. It is useful for marketing and customer communications, as it confirms that an organization meets Trust Services Criteria. Unlike SOC 2, SOC 3 reports are intended for general audiences.
Subservice Organization / Third-Party Controls
A subservice organization is a vendor or external provider that performs part of a service organization’s processes relevant to the audit, such as hosting, data processing, or support services. In audits like SOC 2, organizations must choose whether to include (inclusive method) or exclude (carve-out method) the subservice provider’s controls from the scope. Auditors review how these third-party relationships are managed, monitored, and evaluated through vendor risk management processes.
Audit Plan / Audit Program
An audit plan defines the scope, objectives, timeline, and resources needed to conduct an audit. It outlines what will be tested, how sampling will occur, and which evidence will be required. An effective audit plan ensures the assessment is structured, efficient, and aligned with framework requirements.
Audit Scope
Audit scope defines the boundaries of an audit — including the systems, processes, facilities, time periods, and business units that will be evaluated. Clear scoping prevents misalignment and ensures relevant controls are tested. Incorrect or vague scope can lead to incomplete audits, higher costs, or gaps in compliance.
Audit Evidence
Audit evidence consists of documentation, logs, screenshots, configurations, or artifacts that demonstrate a control is designed and operating effectively. Auditors evaluate the sufficiency, relevance, and reliability of evidence to support their conclusions. Strong, audit-ready evidence reduces delays and rework during the audit cycle.
Audit Log / Audit Trail
An audit log is a chronological record of system activities, including user access, configuration changes, and security events. These logs help trace actions back to specific users and support forensic analysis. Maintaining complete, tamper-resistant logs is critical for compliance and incident investigations.
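The Integrity and Audit Log entries both point to the same control: a log that can be shown not to have been altered. As an added example that is not part of this glossary, the Python below builds a hash-chained audit trail. Each record carries the tag of the record before it and its own HMAC, so editing, deleting or reordering a record is detected on verification, and the actor field supports the accountability lookups described earlier. The key name, entries and timestamps are constructed.

```python
"""Added example: a tamper-evident audit trail.  Each record carries the
tag of the previous record (a hash chain) and its own HMAC, so a modified,
removed or reordered record is detected on verification.  Illustrative
code, not from the glossary; the key and the log entries are constructed."""

import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Assumption: the key is held by the log service, not by the systems that write to it.
LOG_KEY = b"constructed-demo-key-replace-in-real-use"
GENESIS = "0" * 64


def _canonical(record: Dict) -> bytes:
    """Stable byte encoding so the tag does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _tag(record: Dict, key: bytes) -> str:
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes = LOG_KEY) -> None:
        self.key = key
        self.entries: List[Dict] = []

    def append(self, ts: str, actor: str, action: str, target: str) -> Dict:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "ts": ts, "actor": actor,
                  "action": action, "target": target, "prev": prev}
        record["tag"] = _tag(record, self.key)   # tag covers seq, fields and prev
        self.entries.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) for an intact log, else (False, index of first bad record)."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if rec["seq"] != i or rec["prev"] != prev:
                return False, i                      # gap, deletion or reordering
            if not hmac.compare_digest(rec["tag"], _tag(body, self.key)):
                return False, i                      # field edited after the fact
            prev = rec["tag"]
        return True, None

    def actions_by(self, actor: str) -> List[Dict]:
        """Accountability query: every recorded action by one identity."""
        return [rec for rec in self.entries if rec["actor"] == actor]


def build_sample_log() -> AuditLog:
    """Constructed sample entries."""
    log = AuditLog()
    log.append("2024-06-01T08:00:00Z", "alice", "login", "vpn")
    log.append("2024-06-01T08:05:12Z", "alice", "config_change", "fw-rule-42")
    log.append("2024-06-01T09:30:00Z", "bob", "role_grant", "user:carol")
    log.append("2024-06-01T17:01:44Z", "alice", "logout", "vpn")
    return log


def tampered_by_edit() -> Tuple[bool, Optional[int]]:
    log = build_sample_log()
    log.entries[1]["action"] = "read_only"      # attempt to rewrite history
    return log.verify()


def tampered_by_deletion() -> Tuple[bool, Optional[int]]:
    log = build_sample_log()
    del log.entries[1]                          # attempt to drop a record
    return log.verify()


if __name__ == "__main__":
    print("intact:", build_sample_log().verify())
    print("edited:", tampered_by_edit())
    print("deleted:", tampered_by_deletion())
```

The chain only proves that nothing changed after a record was written; it does not stop a writer with the key from appending false records, which is why the key stays with the log service and the log is shipped off the producing host. Verification results over a period, together with the retention setting, are typical evidence for the audit-logging control.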
Audit Report
An audit report is the formal deliverable that communicates audit findings, conclusions, and overall compliance status. Depending on the framework, it may include test results, identified deficiencies, management responses, and an auditor’s opinion. Organizations often share audit reports with customers or regulators to demonstrate security and compliance posture.
Audit Test / Audit Testing
Audit testing is the process of evaluating whether a control is designed properly and operating as intended. Testing methods include inquiry, observation, inspection, and re-performance. Effective testing provides assurance that controls mitigate the risks they were created to address.
Design Effectiveness
Design effectiveness evaluates whether a control is structured correctly to mitigate a specific risk before assessing how it operates in practice. Auditors first confirm that the control, on paper, addresses the risk with proper documentation, responsibilities, and frequency. Only after confirming design effectiveness will auditors test operating effectiveness.
Operating Effectiveness
Operating effectiveness measures whether a control functions as intended over time and in real-world conditions. Auditors test operating effectiveness through sampling, inspection, and re-performance. A control may be well-designed but still fail operating effectiveness if applied inconsistently or without proper oversight.
Detection Risk
Detection risk is the chance that an auditor’s procedures will fail to identify a material error, deficiency, or misstatement. It is influenced by control strength, evidence quality, and sampling approaches. Lowering detection risk often requires deeper testing and more rigorous evidence collection.
Control Risk
Control risk is the probability that a control will fail to prevent or detect a material error, security issue, or noncompliance event. It increases when controls are poorly designed, inconsistently applied, or not monitored. Assessing control risk helps auditors determine where deeper testing is needed.
Population
Population refers to the full set of items, events, transactions, or records from which an auditor selects samples for testing. Clearly defined populations ensure sampling results are accurate and representative. Poor population definition can lead to audit exceptions or inconclusive testing.
Sampling
Sampling is the process of selecting a subset of a population for audit testing to evaluate control effectiveness without examining every item. Proper sampling ensures representative, accurate conclusions. Auditors rely on statistically sound sampling to reduce testing time while maintaining confidence in results.
Inspection
Inspection is an audit technique in which the auditor examines records, documents, or configurations to verify accuracy and compliance. It may involve reviewing policies, screenshots, logs, or system settings. Inspection is one of the primary methods used to evaluate both design and operating effectiveness of controls.
Walkthrough
A walkthrough is an audit technique in which the auditor follows a process step-by-step with the control owner to understand how a control operates in practice. It includes reviewing documentation, observing procedures, and confirming responsibilities. Walkthroughs help auditors validate the accuracy of process descriptions and identify potential gaps.
Evidence Retention
Evidence retention refers to how long organizations store audit evidence, logs, and documentation. Retention periods vary by framework, regulatory requirement, and business need. Proper retention ensures availability during audits, investigations, or compliance reviews.
Security Assessment
A security assessment evaluates an organization’s security posture, controls, and vulnerabilities through methods like interviews, document review, technical testing, or gap analysis. It provides insight into strengths and areas needing improvement. Security assessments are often used to prepare for formal audits.
Controls, Policies & Control Management
Administrative Controls
Administrative controls are policies, procedures, and organizational practices designed to manage security risks and guide user behavior. Examples include training programs, access approval workflows, and incident response plans. They complement technical and physical controls and are key components evaluated during audits to assess governance effectiveness.
Control Activities / Controls
Controls are processes, technologies, or practices designed to reduce risk and ensure that security, compliance, and operational objectives are met. They include preventive, detective, and corrective measures across people, processes, and systems. Auditors evaluate both the design and operation of controls to determine effectiveness.
Compensating Control
A compensating control is an alternative measure put in place when a primary control cannot be implemented as required. It must sufficiently mitigate the associated risk to an equivalent level. Auditors evaluate compensating controls to ensure they are effective, documented, and justified.
Key Control
A key control is a control essential for reducing a significant risk or meeting a critical compliance requirement. Failure of a key control often results in deficiencies or audit findings. Auditors focus testing on key controls because of their importance to overall assurance.
Control Objective
A control objective describes the intended outcome or purpose of a control, such as protecting data integrity or ensuring authorized access. Frameworks like SOC 2 and ISO 27001 define control objectives that guide implementation. Auditors test whether controls meet these objectives through evidence review and sampling.
Control Owner
A control owner is the individual responsible for operating, maintaining, and monitoring a specific control. They ensure the control functions as intended, maintain documentation, and address issues identified during testing. Auditors rely on control owners for evidence, clarification, and confirmation of how controls are executed in practice.
Control Effectiveness
Control effectiveness measures how well a control is designed and operating to mitigate risk. Effective controls are consistently applied, properly monitored, and aligned with security objectives. Audit testing validates control effectiveness as part of delivering an assurance opinion.
Control Gap / Control Deficiency
A control gap is a missing, weak, or improperly implemented control that fails to mitigate an identified risk. When discovered during an audit, it may be classified as a deficiency and require remediation. Addressing gaps promptly helps maintain compliance and reduce exposure.
Control Maturity Model
A control maturity model assesses the development and sophistication of an organization’s control environment, typically ranging from ad hoc to optimized. It helps teams prioritize improvements and benchmark progress. Maturity models are used during risk management and audit readiness planning.
Corrective Action
Corrective action refers to steps taken to fix the root cause of a control deficiency or security issue. This may include updating processes, retraining staff, or modifying configurations. Effective corrective actions reduce the likelihood of future recurrence and demonstrate strong governance during audits.
Continuous Controls Monitoring (CCM)
CCM involves the automated, ongoing assessment of control performance to detect deviations or failures in real time. It helps organizations maintain audit readiness throughout the year instead of relying solely on periodic reviews. CCM is increasingly used in modern compliance programs as part of a shift toward continuous assurance.
Configuration Management
Configuration management is the process of establishing, maintaining, and documenting consistent system settings across infrastructure, applications, and devices. It reduces misconfiguration risk, which is one of the leading causes of security incidents. Auditors review configuration management practices to ensure environments follow security baselines and change controls.
Change Management
Change management is the structured process for requesting, approving, implementing, and reviewing modifications to systems or processes. It ensures changes are controlled, documented, and do not introduce unintended risks. Strong change management practices support system stability and are routinely tested during audits.
Patch Management
Patch management is the systematic process of identifying, testing, and deploying software updates to fix vulnerabilities or improve stability. Timely patching is critical for reducing exploit risk. Auditors evaluate patch cadence, tracking processes, and evidence of successful deployment to confirm compliance and security hygiene.
Path Management
Path management involves documenting and controlling system, application, or data paths to ensure the integrity and security of how information flows within an environment. It reduces risks associated with unauthorized access, misrouting, or insecure file handling. Auditors review path configurations to validate consistency and compliance with security baselines.
Policy / Security Policy
A security policy outlines organizational expectations, rules, and requirements for protecting systems and data. Policies guide user behavior, set standards for control implementation, and support governance. Auditors rely on policies as foundational evidence that controls are formally defined and approved.
Procedure
A procedure is a step-by-step set of instructions describing how a control or process should be carried out. Procedures provide operational detail beyond policy-level guidance. Auditors use procedures to verify that teams follow consistent, repeatable methods that align with documented policies.
Remediation / Mitigation
Remediation is the process of fixing the root cause of a vulnerability or control deficiency, while mitigation reduces the impact or likelihood of a risk when full remediation isn’t immediately possible. Both actions strengthen an organization’s security posture and close audit findings. Auditors review remediation and mitigation efforts to ensure issues are addressed promptly and effectively.
Root Cause Analysis
Root Cause Analysis is a structured method used to determine the underlying cause of an incident, failure, or control deficiency. Understanding root causes helps organizations implement effective long-term fixes rather than temporary solutions. Auditors often request RCA documentation to verify that corrective actions address the true source of issues.
Deterrent / Detective / Preventive Controls
Security controls fall into three functional categories: deterrent controls discourage malicious activity, detective controls identify incidents or anomalies, and preventive controls block or reduce the likelihood of an attack. Organizations use a mix of all three to build a robust defense. Auditors evaluate whether these controls are documented, implemented, and appropriate to the risks they are meant to address.
Data Protection & Privacy
Data Classification
Data classification is the process of categorizing information based on sensitivity, regulatory requirements, and business impact. Common classifications include public, internal, confidential, and restricted. Classification helps determine appropriate security controls and is reviewed during audits to ensure data is protected based on risk.
Data Governance
Data governance defines policies, standards, and responsibilities for the proper handling of organizational data. It covers quality, privacy, security, and lifecycle management. Strong data governance supports audit transparency and ensures compliance with frameworks like SOC 2, ISO 27001, GDPR, and CCPA.
Data Encryption / Cryptography
Data encryption uses mathematical algorithms to convert readable information into unreadable form, protecting it from unauthorized access. Cryptography supports confidentiality, integrity, and authenticity across data at rest, in transit, and in use. Auditors verify encryption controls, key lengths, and algorithms to ensure they meet industry standards.
Encryption Key Management
Encryption key management is the practice of generating, storing, rotating, revoking, and protecting cryptographic keys. Poor key management can undermine even strong encryption controls. Auditors frequently test whether key lifecycle processes align with industry best practices and regulatory requirements.
Public Key Infrastructure (PKI)
PKI is the framework used to create, distribute, manage, and revoke digital certificates and encryption keys. It enables secure communication, authentication, and data integrity across networks and applications. Auditors examine PKI governance, certificate lifecycle management, and key protection mechanisms to ensure cryptographic controls are robust.
Data Loss Prevention (DLP)
DLP tools and processes prevent unauthorized transmission, sharing, or leakage of sensitive data. They monitor endpoints, networks, and cloud platforms for risky behavior or policy violations. DLP capabilities help demonstrate data protection during audits and reduce the likelihood of data breaches.
Privacy
Privacy refers to the rights and controls individuals have over how their personal data is collected, used, stored, and shared. Organizations must implement policies, safeguards, and transparency mechanisms to protect personal information. Auditors assess privacy practices for alignment with regulations like GDPR, CCPA, and industry standards.
Personally Identifiable Information (PII)
PII consists of data that can identify an individual—such as name, email, address, Social Security number, or unique identifiers. Protecting PII is a core requirement of many privacy and security frameworks. Auditors examine how PII is classified, stored, accessed, and safeguarded throughout its lifecycle.
CCPA
The California Consumer Privacy Act is a state law granting residents rights over their personal data, including access, deletion, and opt-out of sale. Organizations must implement governance, transparency, and security measures to comply. Auditors evaluate whether data handling practices align with CCPA requirements.
GDPR
The General Data Protection Regulation is the EU’s data privacy law governing how organizations collect, store, process, and transfer personal data of EU residents. It emphasizes transparency, individual rights, and strong data protection practices. Auditors typically evaluate GDPR-relevant controls such as consent management, data minimization, retention, and breach notification processes.
HIPAA
The Health Insurance Portability and Accountability Act sets national privacy and security standards for protecting health information in the United States; the information it covers is known as protected health information (PHI). Covered entities and business associates must implement administrative, technical, and physical safeguards to comply. HIPAA audits examine how organizations protect PHI, manage access, track disclosures, and respond to security incidents.
Security Operations, Monitoring & Infrastructure
Cloud Security
Cloud security encompasses the policies, technologies, and controls used to protect data, applications, and infrastructure in cloud environments. It typically includes identity management, encryption, network security, and shared responsibility considerations. Auditors assess whether cloud configurations follow best practices and meet compliance requirements.
Network Segmentation
Network segmentation divides an organization's network into isolated zones to limit lateral movement and contain breaches. It enforces communication boundaries between systems based on risk and access needs. Auditors evaluate segmentation to confirm that sensitive systems are properly isolated and protected.
Endpoint Security / MDM
Endpoint security protects devices such as laptops, servers, and mobile devices from threats through antivirus, device hardening, and policy enforcement. Mobile Device Management (MDM) tools add centralized control for enrollment, configuration, and compliance checks. Auditors review endpoint controls to confirm that corporate devices are secured and monitored consistently.
Endpoint Detection & Response (EDR)
EDR solutions monitor endpoint devices for suspicious behavior, known attack patterns, and anomalies. They provide real-time detection, automated containment, and forensic insights. EDR is a core component of modern security operations and helps demonstrate continuous monitoring during audits.
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
An IDS monitors network or system activity for suspicious behavior and alerts security teams, while an IPS takes automated action—such as blocking traffic—to prevent attacks. These systems strengthen detection and response capabilities. Auditors examine IDS/IPS configurations, tuning practices, and alert-handling workflows.
Logs / Log Aggregation / SIEM
Logs record system and user activity, while log aggregation centralizes logs from multiple sources for easier analysis. SIEM (Security Information and Event Management) platforms correlate events, detect anomalies, generate alerts, and support investigations. Robust logging and SIEM practices are critical audit requirements for monitoring and traceability.
Security Information & Event Management (SIEM)
A SIEM collects, normalizes, and analyzes logs from across an organization to detect threats, generate alerts, and support investigations. It provides centralized visibility into security events and user activity. Auditors evaluate SIEM use to confirm continuous monitoring and traceability.
Monitoring / Security Monitoring
Security monitoring is the continuous observation of systems, networks, and user activity to detect threats, anomalies, or policy violations. It often relies on SIEM, EDR, or cloud-native tools to surface issues in real time. Auditors assess monitoring maturity to ensure that organizations can identify and respond to incidents promptly.
Continuous Monitoring
Continuous monitoring is the ongoing evaluation of security risks, events, and control performance across systems and networks. It typically includes log collection, alerting, vulnerability checks, and compliance monitoring. Auditors view continuous monitoring as evidence of a proactive, mature security posture.
Anomaly Detection
Anomaly detection is the process of identifying unusual patterns or behaviors in network, system, or user activity that may indicate a security issue. Tools such as SIEMs or EDR platforms use anomaly detection to surface potential threats. During audits, the presence and effectiveness of anomaly detection capabilities help demonstrate proactive monitoring.
Baseline / Security Baseline
A security baseline is a defined set of minimum security configurations and requirements that systems must meet. It promotes standardization and reduces the risk of misconfiguration. Auditors often review baselines to verify that systems are consistently hardened and aligned with established best practices.
Shadow IT
Shadow IT refers to systems, software, or services used without explicit IT or security approval, such as unsanctioned cloud apps. It introduces uncontrolled risk, visibility gaps, and potential compliance issues. Auditors often identify Shadow IT during access reviews, asset inventories, or cloud assessments.
Threats, Vulnerabilities & Offensive Testing
Adversary / Threat Actor
A threat actor is any individual or group with the intent, capability, or opportunity to exploit vulnerabilities in a system. Threat actors may include cybercriminals, insiders, nation-states, or hacktivists. Understanding threat actors helps organizations assess risk and prioritize mitigation strategies during security planning and audits.
Advanced Persistent Threat (APT)
An APT is a sophisticated, prolonged cyberattack in which an adversary gains unauthorized access to a network and remains undetected for an extended period. APTs typically target high-value data and require advanced defenses and continuous monitoring. Auditors often assess whether an organization’s controls can detect and respond to these stealthy threats.
Cyber Kill Chain
The cyber kill chain is a model that outlines the stages of a cyberattack, from reconnaissance to data exfiltration. Understanding each phase helps organizations implement targeted defenses and incident response strategies. Audit teams often use the kill chain as a reference for evaluating detection and response capabilities.
Threat Vector / Attack Vector
An attack vector is the method or pathway an attacker uses to gain unauthorized access to a system, network, or application. Common vectors include phishing, exposed APIs, misconfigurations, and credential theft. Understanding attack vectors helps organizations strengthen defenses and informs auditors about risk exposure.
Indicator of Compromise (IoC)
An IoC is a forensic artifact—such as an IP address, file hash, domain, or behavior pattern—that signals a potential breach or malicious activity. Security teams use IoCs to detect threats early and guide investigations. IoCs support audit objectives by demonstrating active monitoring and rapid detection capabilities.
Vulnerability / Vulnerability Assessment
A vulnerability is a weakness in a system, process, or application that could be exploited by an attacker. A vulnerability assessment identifies, rates, and prioritizes these weaknesses using automated scans and manual analysis. Auditors verify that organizations perform regular assessments and address high-risk findings promptly.
Vulnerability Scan
A vulnerability scan is an automated test that identifies potential weaknesses, misconfigurations, or outdated software across networks, endpoints, and cloud environments. Scans provide a baseline for remediation activities and help maintain continuous security. Auditors often request scan reports as evidence of ongoing risk management.
Vulnerability Management Lifecycle
The vulnerability management lifecycle includes identifying, evaluating, prioritizing, remediating, and verifying the closure of vulnerabilities across systems and applications. Effective programs use recurring scanning, patching, and tracking workflows to ensure issues are resolved in a timely manner. Auditors review this lifecycle to confirm that vulnerability risks are monitored and controlled.
Exploit
An exploit is a tool or technique that takes advantage of a vulnerability to gain unauthorized access or cause harm. Exploits can be manual, automated, or part of larger attack kits. Understanding exploits helps organizations prioritize patching and strengthen defenses.
Exploit Kit
An exploit kit is a collection of pre-packaged exploits used by attackers to automatically identify vulnerabilities and compromise systems. They are often delivered through malicious websites or phishing campaigns. Controls like patching, sandboxing, and monitoring help mitigate exploit kit risks.
Exposure / Attack Surface
Attack surface refers to all possible points where an attacker could attempt to access or compromise an environment. It includes systems, APIs, users, networks, applications, and misconfigurations. Reducing attack surface through hardening and asset management is a key audit consideration.
Penetration Testing (Pen Test)
Penetration testing is a simulated attack conducted by ethical hackers to identify vulnerabilities in systems, networks, or applications. Pen tests reveal real-world exploitation paths and help organizations prioritize remediation. Compliance frameworks like SOC 2, ISO 27001, and PCI DSS often require annual or periodic penetration testing.
Black-box Testing
Black-box testing evaluates system functionality without visibility into internal code, architecture, or logic. Testers focus solely on inputs and outputs, simulating an external attacker’s perspective. This method is commonly used in penetration testing to assess real-world exposure.
Red Team / Blue Team
A Red Team simulates attackers to test an organization’s defenses, while a Blue Team defends against attacks and strengthens detection and response. These exercises expose real-world weaknesses and improve operational readiness. Auditors view red/blue team activities as indicators of a mature, proactive security program.
MITRE ATT&CK Framework
The MITRE ATT&CK Framework is a globally recognized knowledge base that categorizes adversary tactics, techniques, and procedures (TTPs). It helps organizations strengthen detection, threat hunting, and response strategies. Auditors may reference ATT&CK maturity to evaluate how well security teams understand and mitigate modern threats.
Threat Modeling
Threat modeling is a structured process used to identify potential threats, vulnerabilities, and attack paths within a system or application. It helps teams proactively design security controls and reduce risk early in the development lifecycle. Auditors may review threat models to validate that security considerations are integrated into architecture and design decisions.
Zero-Day Vulnerability
A zero-day vulnerability is a previously unknown security flaw that has no available patch at the time of discovery. Because attackers can exploit it before defenses are updated, zero-days pose significant risk. Auditors assess how organizations prepare for and respond to zero-day threats through monitoring, patching processes, and incident response readiness.
Incident Response, Forensics & Business Continuity
Incident / Security Incident
A security incident is any event that threatens the confidentiality, integrity, or availability of systems or data. Incidents can include unauthorized access, malware infections, data loss, or suspicious activity. Effective detection, response, and documentation are key elements auditors review when assessing incident-handling maturity.
Incident Response Plan
An Incident Response Plan outlines the structured approach an organization uses to detect, contain, eradicate, and recover from security incidents. It defines roles, communication procedures, and escalation paths. Auditors evaluate IRPs to ensure they are documented, tested, and aligned with business and regulatory requirements.
Containment
Containment refers to the steps taken during incident response to limit the spread or impact of a security event. It may involve isolating systems, blocking network traffic, or disabling accounts. Effective containment minimizes damage and allows responders to move toward eradication and recovery.
Eradication
Eradication is the phase of incident response during which the root cause of an incident—malware, vulnerabilities, unauthorized accounts—is removed from the environment. This step follows containment and precedes recovery. Effective eradication reduces the likelihood of reinfection or repeated incidents.
Digital Forensics
Digital forensics involves the collection, preservation, and analysis of electronic evidence to investigate security incidents or legal matters. It focuses on reconstructing timelines, identifying threat actions, and supporting remediation. Auditors may review forensic processes to ensure incident investigations follow chain-of-custody and integrity requirements.
Evidence Chain of Custody
Chain of custody documents how evidence is collected, stored, transferred, and preserved to ensure it has not been tampered with. It is especially important in forensic investigations and regulatory matters. Maintaining chain of custody supports evidence integrity and increases auditor confidence in submitted artifacts.
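The chain-of-custody record described above, as an added example that is not part of the original glossary: a small Python custody log in which every entry carries the SHA-256 of the evidence and of the previous entry, so an edited record, a removed record, or altered evidence is detected on verification. Evidence identifiers, actor names and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class CustodyEntry:
    seq: int
    timestamp: str       # ISO-8601; constructed values in demo() below
    actor: str
    action: str          # acquired / transferred / analyzed ...
    evidence_hash: str   # SHA-256 of the evidence as seen at this step
    prev_hash: str       # entry_hash of the previous record ("" for the first)
    entry_hash: str      # SHA-256 over the fields above, chaining the records

def _hash_record(fields: dict) -> str:
    # Canonical JSON so identical fields always hash identically
    return sha256_hex(json.dumps(fields, sort_keys=True).encode())

class CustodyLog:
    def __init__(self, evidence_id: str, acquired: bytes, timestamp: str, actor: str):
        self.evidence_id = evidence_id
        self.entries: list[CustodyEntry] = []
        self.record(timestamp, actor, "acquired", acquired)

    def record(self, timestamp: str, actor: str, action: str, evidence: bytes) -> CustodyEntry:
        fields = {
            "evidence_id": self.evidence_id, "seq": len(self.entries),
            "timestamp": timestamp, "actor": actor, "action": action,
            "evidence_hash": sha256_hex(evidence),
            "prev_hash": self.entries[-1].entry_hash if self.entries else "",
        }
        body = {k: v for k, v in fields.items() if k != "evidence_id"}
        entry = CustodyEntry(**body, entry_hash=_hash_record(fields))
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence: bytes) -> list[str]:
        """Return findings; an empty list means the custody chain is intact."""
        findings, prev_hash = [], ""
        acquisition_hash = self.entries[0].evidence_hash
        for e in self.entries:
            fields = {**asdict(e), "evidence_id": self.evidence_id}
            fields.pop("entry_hash")
            if _hash_record(fields) != e.entry_hash:
                findings.append(f"entry {e.seq}: record altered after it was hashed")
            if e.prev_hash != prev_hash:
                findings.append(f"entry {e.seq}: chain broken (missing or reordered record)")
            if e.evidence_hash != acquisition_hash:
                findings.append(f"entry {e.seq}: evidence hash differs from acquisition")
            prev_hash = e.entry_hash
        if sha256_hex(current_evidence) != acquisition_hash:
            findings.append("current evidence does not match the acquisition hash")
        return findings

def demo():
    image = b"constructed sample: bytes of an acquired disk image"  # not real evidence
    log = CustodyLog("EV-0001", image, "2024-01-10T09:00:00Z", "analyst.a")
    log.record("2024-01-10T11:30:00Z", "analyst.a", "transferred to evidence locker", image)
    log.record("2024-01-12T08:15:00Z", "analyst.b", "analyzed (read-only)", image)
    intact = log.verify(image)                    # no findings
    evidence_changed = log.verify(image + b"!")   # evidence modified after acquisition
    log.entries[1] = replace(log.entries[1], actor="someone.else")  # edit a record
    record_edited = log.verify(image)
    return intact, evidence_changed, record_edited
```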
Business Continuity Plan (BCP)
A Business Continuity Plan outlines how an organization will maintain critical operations during and after disruptive events such as outages, disasters, or cyberattacks. It includes recovery strategies, communication protocols, and resource requirements. Auditors review BCPs to ensure resilience measures are documented, tested, and effective.
Business Impact Analysis (BIA)
A BIA identifies and evaluates the potential effects of disruptions on business operations. It helps determine recovery priorities, resource needs, and acceptable downtime thresholds. BIAs inform the creation of BCP and disaster recovery strategies and are required by standards such as ISO 22301.
Disaster Recovery (DR)
Disaster Recovery refers to the processes and technologies an organization uses to restore IT systems and data following a major disruption such as a cyberattack, outage, or natural disaster. DR plans define recovery priorities, procedures, and acceptable downtime. Auditors assess DR capabilities—including backups and testing—to verify resilience and continuity.
Recovery Point Objective (RPO) / Recovery Time Objective (RTO)
RPO defines the maximum acceptable amount of data loss measured in time, while RTO defines how quickly systems must be restored after a disruption. Both guide disaster recovery planning and technology investments. Auditors review RPO/RTO alignment to ensure recovery capabilities match business requirements.
Cyber Resilience
Cyber resilience is an organization’s ability to prevent, withstand, respond to, and recover from cyber incidents. It blends security, continuity planning, and disaster recovery to ensure business operations can continue despite disruptions. Auditors assess resilience to determine whether controls support both protection and recovery objectives.
Tabletop Exercise
A tabletop exercise is a discussion-based simulation in which teams walk through a hypothetical incident, disaster, or security scenario to test response plans and decision-making. It helps identify gaps in communication, roles, and processes without disrupting operations. Auditors view tabletop exercises as evidence of preparedness and continuous improvement in incident response and business continuity programs.
Runbook
A runbook is a documented set of steps that guides teams through specific operational or incident-response procedures. It ensures consistency, reduces errors, and accelerates response time during high-pressure situations. Auditors may review runbooks to evaluate preparedness and process standardization.
Service Level Agreement (SLA)
An SLA is a documented agreement that defines performance expectations—such as uptime, response time, or support windows—between a service provider and customer. SLAs help ensure reliability and accountability in service delivery. Auditors review SLAs to assess vendor risk and confirm alignment with business continuity requirements.