Resources · Answers

Compliance & Security Glossary

Plain-English definitions of the certification and cybersecurity terms you’ll meet along the way.

PCI & payments
PCI DSS
The Payment Card Industry Data Security Standard — requirements every organisation handling card data must meet. Current: v4.0.1.
QSA — Qualified Security Assessor
A person/company certified by the PCI Council to perform PCI DSS assessments and produce a Report on Compliance.
ROC — Report on Compliance
The formal report a QSA produces after assessing a larger merchant or service provider against PCI DSS.
AOC — Attestation of Compliance
A signed summary confirming the outcome of a PCI DSS assessment, shared with banks and partners.
SAQ — Self-Assessment Questionnaire
A self-validation tool for smaller merchants. The right type depends on how you handle card data.
PCI 3DS
The PCI standard covering 3-D Secure, the cardholder authentication step used in online payments.
3DS Assessor
A qualified assessor certified to evaluate organisations against the PCI 3DS standard.
SWIFT CSP
The SWIFT Customer Security Programme — controls for organisations connected to the SWIFT banking network.
ISO management systems
ISO/IEC 27001
The international standard for an Information Security Management System (ISMS). Current: 2022.
ISMS
Information Security Management System — the policies, processes and controls you use to manage security.
Statement of Applicability (SoA)
The document listing which ISO 27001 controls you’ve applied and why — central to certification.
ISO/IEC 27701
A privacy extension to ISO 27001, covering personal information management (a PIMS).
ISO/IEC 42001
The first international standard for an AI Management System — responsible governance of AI.
Lead Auditor
The qualified auditor who conducts an ISO certification audit and recommends the certification decision.
Surveillance audit
The lighter annual check, between full certifications, confirming you’re maintaining your management system.
Continual improvement
The ISO principle that a management system should keep getting better over time — not just pass once.
SOC, government & general
SOC 2
An AICPA report on a service organisation’s controls for security, availability, confidentiality, processing integrity and privacy.
Trust Services Criteria
The five categories a SOC 2 report can cover (security is always included).
Type I vs Type II
Type I assesses control design at a point in time; Type II assesses operating effectiveness over a period.
NZISM
The New Zealand Information Security Manual — the government baseline for protecting official information.
Essential Eight
An Australian set of eight baseline strategies to mitigate cyber security incidents.
Gap analysis
An early review comparing your current controls to a standard, identifying what’s missing.
Remediation
The work of fixing the gaps found, so you can meet the standard.
Impartiality
The principle that an assurance provider must be free of conflicts of interest — central to a credible audit.