
SOC 2 Terminology Glossary


SOC 2 compliance, like so many things related to IT and security, is chock full of terms and acronyms to learn.  If you are just getting started with SOC 2, it’s helpful to get familiar with this alphabet soup ahead of time so you can move your compliance efforts forward with confidence.


Below is a SOC 2 terminology glossary to get you started:


AICPA

The American Institute of CPAs, formed in 1887, set the U.S. auditing standards for non-profit organizations and private companies, as well as state, federal and local governments.  The institute has more than 430,000 members coming from various areas of practice and expertise.

Control mapping

There are many security frameworks available for organizations to map to, including the Critical Security Controls, HIPAA, NIST Cybersecurity Framework, SOC1/SOC2 and more. Some organizations may have to follow several frameworks for compliance reasons. Control mapping involves listing out your organization’s risks and then mapping out which controls address those risks.  

Cloud service provider

A cloud service provider (sometimes abbreviated as CSP) offers Internet-based computing services that individuals and businesses can consume - typically on a subscription basis.  These services are usually offered in three different categories:

  • IaaS - Infrastructure as a Service
  • PaaS - Platform as a Service
  • SaaS - Software as a Service


CPA

A CPA is a Certified Public Accountant - someone who often serves as an auditor, business advisor or other key decision maker.  A CPA is required to pass the CPA exam, meet necessary work experience requirements and take regular professional education courses to keep their certification in good standing.


FedRAMP

FedRAMP (The Federal Risk and Authorization Management Program) is a government-created program that provides a NIST-based standardized security assessment for cloud services and products.  FedRAMP is similar to SOC 2 - the key difference is that while FedRAMP is concerned primarily with cloud-based providers, SOC 2 assesses all third party providers.


HIPAA

HIPAA is the Health Insurance Portability and Accountability Act, which is a United States law developed by the Department of Health and Human Services.  HIPAA aims to protect our medical and health information, but does not attest to the organization’s privacy and security controls - which is the job of SOC 2.


IaaS

With Infrastructure as a Service, a cloud provider will host the components you would traditionally have on your local or data center network, such as servers, firewalls, routers, switches, storage and virtualization.  The provider will have large pools of these resources available so you can scale them up and down as your needs change.

Internal corporate governance

Internal corporate governance is set up to ensure that management acts in the best interest of the company owners.  Some examples of governance mechanisms include setting up a board of directors, establishing codes of conduct and engaging in regular internal auditing.


ISO

ISO, which stands for International Organization for Standardization, is heavily focused on making sure your organization's technical and security components are up to snuff, but does not play a part in ensuring an organization operates legally and ethically.  For example, ISO will require you to follow a strict password policy just like SOC 2. However, if you allow your employees to defraud customers, SOC 2 will frown on it, but ISO doesn’t care.


NIST

The National Institute of Standards and Technology is a set of technically focused practices recognized by US federal agencies.  These practices have some overlap with those in ISO, but are also aligned with FISMA (Federal Info Security Management Act). If you are going to be doing business with government agencies, you want to get NIST certified.


PaaS

Platform as a Service is especially popular with developers.  Similar to IaaS, PaaS offers the computing resources you need to run a comprehensive virtual network, but with the addition of the operating systems, development tools, databases and other management software needed to build applications and services.


PCI-DSS

The Payment Card Industry Data Security Standard (PCI-DSS) is the information security framework that organizations handling credit cards must adhere to.  The standard is overseen by the Payment Card Industry Standards Council, who created the standard to protect cardholder data and reduce fraud. Organizations following PCI-DSS must have an annual assessment to validate compliance.


PII

PII stands for personally identifiable information, and is generally considered to be any data that could identify a particular individual, or distinguish one person from another.  Examples of PII include full name, home address, email address, fingerprints, handwriting, date of birth and phone number.


Policy

A policy contains statements and plans that an organization follows to make decisions.  A good SOC 2 program contains concise, well-written policies covering a variety of topics, including:

Access Onboarding and Termination Policy

This policy, which is focused only on technical infrastructure, aims to minimize your organization's risk of data exposure by enforcing the principle of least privilege.  

Business Continuity Policy

The business continuity policy maps out a plan to keep your business running after a disruptive event.  

Change Management Policy

The change management policy sets expectations for how changes to systems will be documented and communicated to appropriate parties.

Confidentiality Policy

This policy sets expectations as to how your organization will handle sensitive client information.

Cyber Risk Management Policy

The cyber risk management policy focuses on identifying security incidents that could happen based on incidents that happened in the past.

Data Center Security Policy

The data center security policy details procedures needed to prevent unauthorized access to your organization’s data center.

Data Classification Policy

This policy helps your organization create security policies around your company data based on its sensitivity.

Disaster Recovery Policy

The disaster recovery policy is similar to the business continuity policy, but the difference is in the goal of each policy: business continuity aims to return your business to normalcy, while disaster recovery maps out the functions your business needs to maintain during a crisis.

Encryption Policy

The encryption policy provides guidance on how and where your organization will deploy encryption.

Information Security Policy

This policy is the cornerstone of your security program, and declares your mission is to protect the confidentiality, integrity and availability of the organization’s information and information systems.

IT Vendor Management Policy

The IT vendor management policy helps your organization identify vendors that pose a risk to the organization, and defines controls to minimize those risks.

Log Management and Review Policy

This policy ensures your organization is collecting logs from key endpoints, that the logs contain adequately verbose data, and that log collection is tested regularly.

Office Physical Security Policy

The office physical security policy defines the controls and monitoring procedures around physical assets.

Password Policy

The password policy defines how your organization will select and securely manage passwords.

Remote Access Policy

In this policy, you will define how your organization will access the company network and resources from anywhere without sacrificing security.

Removable Media / Cloud Storage / BYOD Policy

In this policy, your organization establishes guidelines for how employees can use removable media, cloud storage and BYOD devices while keeping company risk to a minimum.

Software Development Lifecycle Policy

The software development lifecycle policy lays out requirements for developing and/or implementing new software and systems while making sure all work is compliant with any necessary regulatory guidelines.

Workstation Security Policy

The workstation security policy creates rules around workstation use in order to reduce your organization’s risk of data loss and exposure.

Regulatory oversight

An organization is under regulatory oversight if it is supervised by an outside body in order to control or direct according to principle, rule or law.

Risk management processes

This exercise will help an organization identify and prioritize risks (such as breaches, system failures and natural disasters) and then create strategies for minimizing the impact to business.  


SaaS

Software as a Service is a model in which a third party hosts applications and data that are consumed over the Internet, typically on a subscription basis.  Dropbox, Spotify and WebEx are examples of SaaS offerings.

SAS 70

The Statement on Auditing Standards 70 used to be the audit used to assess the effectiveness of an organization’s internal controls.  But when organizations also started to use SAS 70 to attest that a vendor was safe to do business with, the SSAE 16 (Statement on Standards for Attestation Engagements 16) took its place, and SOC 2 was started as a report focused strictly on security.  


SOC

SOC, which was created by the AICPA, stands for Service Organization Control.  SOC is a framework to guide organizations in shoring up their security controls in the cloud and in their data centers.  SOC comes in several “flavors”:

  • SOC 1 focuses on a company’s financial reporting
  • SOC 2 centers around the controls a company uses to protect their customers’ data
  • SOC 3 is similar to SOC 2, but written in layman's terms for a general audience

SOC is also offered in several types:

  • SOC 2 Type 1 - this is a point-in-time snapshot of your organization’s controls, which are tested and validated for effectiveness
  • SOC 2 Type 2 - this is similar to SOC 2 Type 1 except the controls are examined over a longer period of time (typically 12 months)


SSAE 16

The Statement on Standards for Attestation Engagements 16 report is what replaced the SAS 70 after SOC 2 was introduced as a report focusing only on security.

Trust Services Criteria (fka Trust Service Principles)

SOC 2 is heavily based on the Trust Services Criteria, renamed from Trust Service Principles in 2018. These principles, defined by the AICPA, are:

  • Security - data and systems need protection from anything that could compromise their privacy, integrity, confidentiality and availability
  • Availability - systems should be available at all times for use
  • Processing integrity - accurate, authorized system processing must happen - and in a timely manner
  • Confidentiality - any information deemed confidential needs to have proper protections surrounding it
  • Privacy - if personal information is collected, stored or processed, it needs to be handled and disposed of with appropriate controls


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security in short, 7-minute chunks.
