Compliance reference
Compliance Glossary
Plain-English definitions of the SOC 2, ISO 27001, GDPR, and general compliance terminology used in B2B SaaS procurement and audits. Every term links out to a full playbook when one is available.
SOC 2
- Bridge Letter
- A letter issued by an auditor confirming no material changes have occurred since the last SOC 2 report period.
- Enterprise buyers sometimes require a bridge letter when your most recent SOC 2 report is 3 or more months old. The letter certifies that controls continue to operate effectively in the gap between audit periods. It is not a substitute for the report itself.
- Common Criteria (CC1–CC9)
- The nine categories that structure the Security Trust Service Criterion in SOC 2.
- CC1 (control environment), CC2 (communication), CC3 (risk assessment), CC4 (monitoring activities), CC5 (control activities), CC6 (logical and physical access), CC7 (system operations), CC8 (change management), and CC9 (risk mitigation). Auditors test each applicable CC with specific evidence.
- SOC 2
- A security framework from the AICPA that evaluates how a service organization manages customer data against five Trust Service Criteria.
- SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A licensed CPA firm examines an organization's controls against one or more Trust Service Criteria and issues an attestation report. Unlike ISO 27001, SOC 2 is a report (not a certification) and is the dominant security standard in North American enterprise procurement.
- SOC 2 Type I
- A point-in-time SOC 2 report assessing whether controls are designed correctly on a specific date.
- SOC 2 Type I evaluates the design of controls at a single point in time. It does not test operating effectiveness. Type I is useful to unblock enterprise deals quickly (achievable in 6–8 weeks) while the observation period for Type II runs.
- SOC 2 Type II
- A SOC 2 report covering whether controls operated effectively over a 3- to 12-month observation period.
- SOC 2 Type II tests not only control design but also operating effectiveness across an observation period (usually 6 or 12 months). Enterprise buyers strongly prefer Type II because it proves sustained execution. Most B2B SaaS companies target Type II after an initial Type I report.
- Trust Service Criteria (TSC)
- The five criteria that SOC 2 reports can cover: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
- The Trust Service Criteria are defined by the AICPA. Security is mandatory for every SOC 2 engagement. The other four (Availability, Processing Integrity, Confidentiality, Privacy) are optional and selected based on customer commitments and data handling. Most B2B SaaS engagements include Security plus Availability.
ISO 27001
- Annex A Controls
- The 93 reference controls listed in ISO 27001:2022, organized into 4 themes.
- ISO 27001:2022 Annex A contains 93 controls grouped into four themes: Organizational (37), People (8), Physical (14), and Technological (34). Organizations select applicable controls in the Statement of Applicability. The previous 2013 version had 114 controls in 14 domains.
- ISMS
- Information Security Management System: the documented framework required to achieve ISO 27001 certification.
- An ISMS is a systematic approach to managing information security risks. It includes a risk assessment methodology, a risk treatment plan, a Statement of Applicability, an internal audit program, a management review cadence, and documented policies. Certification requires that the ISMS operates as documented.
- ISO 27001
- An international standard for Information Security Management Systems, with formal certification valid for 3 years.
- Published by ISO and IEC, ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Unlike SOC 2, ISO 27001 produces a formal certificate issued by an accredited certification body. The current version is ISO 27001:2022.
- Risk Treatment Plan
- A document mapping each identified risk to a treatment decision (mitigate, accept, transfer, avoid) and specific controls.
- The risk treatment plan is the bridge between the risk assessment and the Statement of Applicability. For every risk above threshold, the plan specifies how it will be treated and which Annex A controls implement that treatment. Auditors trace this chain end to end.
- Stage 1 Audit
- The first ISO 27001 certification audit, reviewing ISMS documentation for completeness.
- Stage 1 is a readiness check performed by the certification body. The auditor reviews scope, risk assessment, SoA, policies, and internal audit results. Findings must be resolved before scheduling Stage 2. Typically 1–2 days.
- Stage 2 Audit
- The main ISO 27001 implementation audit that verifies the ISMS operates as documented.
- Stage 2 evaluates actual control operation. Auditors interview control owners, test samples, and assess ISMS maturity. Typically 3–5 days. Major nonconformities must be resolved within 90 days; minor nonconformities by the next surveillance audit.
- Statement of Applicability (SoA)
- A mandatory ISO 27001 document listing every Annex A control with applicability, justification, and implementation status.
- Required by ISO 27001 Clause 6.1.3, the SoA lists all 93 Annex A controls, marks each as applicable or excluded, and provides specific justification for each decision tied to the risk assessment. It is the first document certification body auditors review.
GDPR
- Data Controller
- The entity that determines the purposes and means of processing personal data.
- Under GDPR, controllers hold the primary legal responsibility for compliance. Controllers must have a lawful basis, inform data subjects, handle DSARs, and ensure processors meet their obligations. A SaaS company is usually a controller for its own employee and marketing data.
- Data Processor
- The entity that processes personal data on behalf of a controller under a Data Processing Agreement.
- Processors act under the controller's instructions. A B2B SaaS is typically a processor for customer data. Processors must implement appropriate security measures, notify breaches to the controller, and only use subprocessors with the controller's approval.
- DPA
- Data Processing Agreement: a legally binding contract between a data controller and processor required by GDPR Article 28.
- The DPA defines the scope, purpose, and duration of processing, the categories of data, security measures, subprocessor rules, breach notification obligations, and audit rights. Most B2B SaaS companies act as processors and must sign DPAs with every enterprise customer.
- DPIA
- Data Protection Impact Assessment: a structured review of processing activities that pose high risk to data subjects.
- Required by GDPR Article 35 when processing is likely to result in high risk (e.g., large-scale profiling, automated decision-making, sensitive data). The DPIA documents the nature, purposes, necessity, and safeguards for the processing, plus residual risk.
- DSAR
- Data Subject Access Request: a formal request from an individual to access, correct, or delete their personal data.
- Under GDPR Articles 15–22, data subjects have rights of access, rectification, erasure, restriction, portability, and objection. Organizations must respond within 30 calendar days (extendable by 60 for complex requests). Responses are generally free of charge.
- GDPR
- The EU General Data Protection Regulation, governing personal data processing of EU residents.
- GDPR applies to any organization processing personal data of people in the EU, regardless of where the organization is based. Maximum fines reach €20 million or 4% of global annual turnover, whichever is higher. Key obligations include lawful basis, transparency, data subject rights, DPAs, and breach notification.
- Standard Contractual Clauses (SCCs)
- EU-approved contract clauses that legitimize transfers of personal data outside the EEA.
- SCCs are pre-approved template contracts published by the European Commission. After the Schrems II ruling invalidated Privacy Shield, SCCs (combined with transfer impact assessments) became the primary mechanism for EU–US and other cross-border transfers.
- Subprocessor
- A third party that processes personal data on behalf of a processor.
- Every SaaS company relies on subprocessors (cloud providers, analytics, support tools). Under GDPR Article 28(4), subprocessors require written authorization, a back-to-back DPA, and notification to customers when changed. Public subprocessor lists are standard practice.
General
- Access Review
- A periodic review of user accounts and permissions to verify appropriate access.
- Required for SOC 2 CC6.2/CC6.3 and ISO 27001 A.5.18. Reviews typically run monthly or quarterly; reviewers confirm that each user still needs their access and that access levels follow the principle of least privilege. Terminated users must be deprovisioned promptly.
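As an added example, not part of the glossary, the script below automates the mechanical half of an access review: it reconciles an HR roster against an identity provider export and flags the findings a reviewer would otherwise hunt for by hand (terminated users with enabled accounts, accounts with no HR record, dormant accounts, and privileged group members nobody approved). The sample roster, accounts and group data are constructed, and the field names (`user`, `enabled`, `last_login`, `groups`) and the approved-owner list are assumptions rather than any particular IdP's export format.

```python
"""Access review reconciliation (added example, not from the glossary page).

Reconciles an HR roster with an IdP account export and returns findings
that a quarterly access review must resolve before evidence is signed off.
"""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data: no real people or systems. -------------------
HR_ROSTER = {
    # employee id -> (employment status, termination date or None)
    "alice": ("active", None),
    "bob": ("terminated", date(2025, 9, 30)),
    "carol": ("active", None),
}

# Assumed export shape; a real IdP (Okta, Entra ID, ...) uses its own fields.
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": date(2025, 11, 2),
     "groups": {"engineering", "prod-admins"}},
    {"user": "bob", "enabled": True, "last_login": date(2025, 9, 29),
     "groups": {"engineering"}},
    {"user": "carol", "enabled": True, "last_login": date(2025, 6, 1),
     "groups": {"support"}},
    {"user": "svc-backup", "enabled": True, "last_login": None,
     "groups": {"prod-admins"}},
]

# Assumption: the review records who is approved to hold each privileged group.
PRIVILEGED_GROUP_OWNERS = {"prod-admins": {"alice"}}

REVIEW_DATE = date(2025, 11, 15)   # date the review is performed (constructed)
DORMANT_DAYS = 90                  # idle threshold; choose per your policy


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str    # short category, convenient for routing to a ticket
    detail: str


def review_access(roster, accounts, approved_privileged, review_date,
                  dormant_days=DORMANT_DAYS):
    """Return the list of findings for one review cycle."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)

        # 1. Every account must map to an HR record (or an inventoried
        #    service account; this example has no such inventory).
        if hr is None:
            findings.append(Finding(user, "not-in-hr",
                "no matching HR record; confirm it is an inventoried "
                "service account or disable it"))
        # 2. Terminated staff must not keep an enabled account.
        elif hr[0] == "terminated" and acct["enabled"]:
            findings.append(Finding(user, "terminated-still-enabled",
                f"terminated {hr[1].isoformat()} but account is still enabled"))

        # 3. Enabled accounts nobody has used for a long time should be
        #    disabled (accounts with no interactive login are skipped here).
        if acct["enabled"] and acct["last_login"] is not None:
            idle = (review_date - acct["last_login"]).days
            if idle > dormant_days:
                findings.append(Finding(user, "dormant",
                                        f"no login for {idle} days"))

        # 4. Membership in a privileged group needs an explicit approval.
        for group in sorted(acct["groups"]):
            allowed = approved_privileged.get(group)
            if allowed is not None and user not in allowed:
                findings.append(Finding(user, "unapproved-privileged",
                    f"member of {group} without review approval"))
    return findings


def issue_counts(findings):
    """Summary by issue type, handy for the review sign-off note."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, IDP_ACCOUNTS,
                            PRIVILEGED_GROUP_OWNERS, REVIEW_DATE)
    for f in results:
        print(f"{f.user:12} {f.issue:26} {f.detail}")
    print(issue_counts(results))
```

Each finding is something the reviewer must either remediate or document as an accepted exception; the output, together with the exports it was computed from, is the kind of timestamped, control-traceable evidence the "Evidence" entry below describes.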
- Continuous Compliance
- An operational practice of maintaining audit-ready controls year-round rather than only before audits.
- Continuous compliance relies on automated evidence collection, scheduled human review cycles (monthly / quarterly / annual), and control monitoring dashboards. It replaces the panic cycle of pre-audit preparation with steady-state operations.
- Evidence
- Artifacts (screenshots, reports, logs, policy documents) that prove a control operates effectively.
- Audit-quality evidence is timestamped, attributable, traceable to a specific control, and collected within the observation period. Standardize naming (e.g., CC6.1-AccessReview-2025-Q4.pdf) and store in a central repository or GRC platform.
- Penetration Test
- A security assessment where testers simulate attacks against a system to find exploitable vulnerabilities.
- Effectively required for SOC 2 (CC4, CC7) and ISO 27001 (A.8.8). Typical SaaS pen test: $8,000–$25,000 for external, $5,000–$15,000 for web application. Annual cadence with retesting after major changes. Look for firms with CREST accreditation, OSCP-certified testers, or industry-specific experience.
- Risk Register
- A structured list of identified information security risks with likelihood, impact, treatment, and owner.
- Required for ISO 27001 and expected by SOC 2 auditors. A typical SaaS risk register contains 30–60 risks. Each entry has an ID, asset, threat, vulnerability, likelihood score, impact score, risk score, treatment decision, linked controls, owner, and review date.
- Security Questionnaire
- A standardized set of questions (SIG, CAIQ, VSA) used by buyers to assess vendor security posture.
- Common formats include SIG Core (800+ questions), SIG Lite (~180), CAIQ (CSA's cloud-specific questionnaire), and custom buyer-issued questionnaires. A mature answer library can reduce turnaround from weeks to 1–2 business days.
- TPRM
- Third-Party Risk Management: the process of assessing and monitoring security risks from vendors and subprocessors.
- TPRM is mandated by SOC 2 CC9 and ISO 27001 A.5.19–A.5.23. It includes vendor tiering, initial assessments, DPA signing, periodic reassessments, and continuous monitoring. Enterprise buyers review your TPRM program during procurement.
- Trust Center
- A public or gated page containing a company's security artifacts and compliance evidence.
- A trust center typically includes the SOC 2 report (under NDA), ISO 27001 certificate, penetration test summary, subprocessor list, DPA template, privacy notices, and a named security contact. Companies with trust centers report 40–60% fewer incoming security questionnaires.
Tools
- GRC Platform
- Governance, Risk, and Compliance software that automates evidence collection and control monitoring (e.g., Vanta, Drata, Secureframe).
- GRC platforms connect to cloud providers, identity providers, ticketing systems, and HR tools to pull evidence automatically. They typically cost $8,000–$40,000 per year. Platforms handle about 40–50% of total compliance workload; the rest requires human judgment.
- SIEM
- Security Information and Event Management: a system that aggregates and analyzes security logs.
- Common examples include Splunk, Datadog Cloud SIEM, AWS Security Hub, and Sumo Logic. SIEMs provide evidence for SOC 2 CC7 (system operations) and ISO 27001 A.8.15/A.8.16 (logging and monitoring) by demonstrating continuous detection capability.
- SSO / IdP
- Single Sign-On via an Identity Provider (Okta, Azure AD, Google Workspace, JumpCloud).
- An IdP centralizes authentication across applications, enforces MFA, and produces audit-quality logs. SOC 2 CC6 and ISO 27001 A.5.17/A.8.5 make SSO with MFA the de facto standard for enterprise SaaS.
Need help applying any of these to your company?
CertifyOps builds SOC 2, ISO 27001, and GDPR programs for B2B SaaS companies that need to unblock enterprise procurement without hiring a full compliance team.