Authoritative definitions, framework comparisons, regulatory references, and implementation guidance — cited to primary sources, not secondary summaries.
Definitions of governance, compliance, and regulatory terms as used across ELDR publications, frameworks, and advisory engagements.
Side-by-side analysis of overlapping governance frameworks — scope, control families, evidence requirements, and certification implications.
Primary-source regulatory definitions from EU, US, UK, and Nigerian regulatory frameworks — cited to the primary text, not secondary summaries.
Authoritative expansion and definition of acronyms used across ELDR publications and the governance, cybersecurity, and enterprise technology domains.
Practitioner-sourced answers to the most common implementation questions across ELDR's covered frameworks and governance domains.
Decision framework for selecting between overlapping governance standards: ISO 27001 vs SOC 2, NIST 800-53 vs CIS Controls, DITA vs docs-as-code.
Side-by-side analysis of overlapping governance frameworks — where they agree, where they diverge, and what each requires that the other does not. Cited to primary framework texts.
ISO/IEC 27001 is a certifiable management-system standard: an accredited certification body audits the ISMS against its clauses and issues a certificate. NIST CSF (2.0, published February 2024) is a voluntary framework with no certification scheme; it organizes outcomes into six functions (Govern, Identify, Protect, Detect, Respond, Recover). ISO 27001 Annex A controls map closely to NIST CSF subcategories, but ISO 27001 also mandates a documented risk assessment and risk treatment process (Clauses 6.1.2 and 6.1.3), a Statement of Applicability (6.1.3(d)), internal audit (9.2), and management review (9.3), none of which NIST CSF requires. An organization aligned to NIST CSF can map its outcomes to ISO 27001 controls, but CSF alignment by itself is not evidence of ISO 27001 certification readiness.
SOC 2 is an attestation report issued by a licensed CPA firm under AICPA standards against the Trust Services Criteria (Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional). ISO 27001 certification is issued by an accredited certification body against ISO/IEC 27001:2022. A SOC 2 Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a defined period (commonly 6 to 12 months). ISO 27001 certification runs on a three-year cycle with annual surveillance audits and recertification in year three, and requires demonstrated continual improvement (Clause 10). Many organizations pursue both: ISO 27001 for international recognition, SOC 2 for US enterprise customer requirements.
NIST AI RMF 1.0 is a voluntary governance framework organized around four functions (GOVERN, MAP, MEASURE, MANAGE). The EU AI Act (Regulation (EU) 2024/1689) is binding regulation with mandatory obligations for high-risk AI systems: a risk management system (Article 9), technical documentation (Article 11 and Annex IV), record-keeping (Article 12), human oversight (Article 14), and conformity assessment (Article 43). For organizations subject to both, NIST AI RMF supplies the governance architecture and the EU AI Act specifies the artifacts that architecture must produce; following the RMF does not by itself satisfy the Act's documentation and conformity obligations.
FedRAMP is the US federal authorization program for cloud services; NIST SP 800-53 is the control catalog it draws from. FedRAMP defines Low, Moderate, and High baselines selected from NIST SP 800-53 Rev. 5, with FedRAMP-specific parameter values and additional requirements such as continuous monitoring deliverables. Authorization requires an assessment by an accredited Third Party Assessment Organization (3PAO) and review by the sponsoring agency and the FedRAMP PMO; implementing NIST 800-53 controls on their own does not constitute FedRAMP authorization.
HIPAA is US federal regulation governing protected health information (PHI) held by covered entities and their business associates; ISO 27001 is an international information security management standard. The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires administrative, physical, and technical safeguards for electronic PHI that overlap with ISO 27001 Annex A controls, but HIPAA also imposes PHI-specific obligations under the Privacy Rule and the Breach Notification Rule that ISO 27001's general control framework does not cover. ISO 27001 certification does not constitute HIPAA compliance: HIPAA requires determining covered entity or business associate status, executing business associate agreements (BAAs), and a PHI-specific risk analysis (45 CFR 164.308(a)(1)(ii)(A)), none of which ISO 27001 addresses.
GDPR (Regulation (EU) 2016/679) is EU data protection law; ISO 27001 is an information security management standard. GDPR imposes data subject rights (Articles 12 to 22), lawful basis requirements (Article 6), and cross-border transfer restrictions (Chapter V) that ISO 27001 does not address. ISO 27001 certification can serve as evidence of appropriate technical and organizational security measures under Article 32, but GDPR compliance also requires privacy governance elements outside ISO 27001's scope: records of processing activities (ROPA, Article 30), data protection impact assessments (DPIA, Article 35), and, where required, a data protection officer (DPO, Article 37).
Regulatory terms as defined in the primary regulatory text — EU AI Act, GDPR, FDA 21 CFR, HIPAA Security Rule, FedRAMP/NIST RMF. Where secondary sources introduce ambiguity, the primary text governs.
High-risk AI system: Under Article 6 of the EU AI Act (Regulation (EU) 2024/1689), an AI system is high-risk either because it is a safety component of, or is itself, a product covered by the Union harmonisation legislation in Annex I and subject to third-party conformity assessment (Article 6(1)), or because it falls within a use case listed in Annex III (Article 6(2)): biometrics, critical infrastructure, education and vocational training, employment and workers management, access to essential private and public services and benefits, law enforcement, migration, asylum and border control, and administration of justice and democratic processes. Article 6(3) exempts an Annex III system that does not pose a significant risk of harm, provided the provider documents that assessment. High-risk AI systems are subject to conformity assessment (Article 43), technical documentation (Article 11), human oversight (Article 14), and registration in the EU database (Articles 49 and 71).
System Security Plan (SSP): A formal document describing the security requirements for an information system and the controls in place or planned to meet them. Under FedRAMP the SSP is the primary authorization document: it defines the authorization boundary, the FIPS 199 security categorization, the implemented controls, and the control implementation descriptions. The SSP corresponds to NIST SP 800-53 control PL-2 (System Security and Privacy Plans); its structure is described in NIST SP 800-18 Rev. 1, and FedRAMP publishes its own SSP templates that must be used for an authorization package.
Statement of Applicability (SoA): A document required by ISO/IEC 27001:2022 Clause 6.1.3(d). It lists the necessary controls identified through risk treatment, whether each is implemented, the justification for its inclusion, and the justification for excluding any of the 93 Annex A controls (organised in the 2022 edition into organizational, people, physical, and technological themes). The SoA is a key audit artifact: it demonstrates that every Annex A control was considered and that each applicability decision is documented. Exclusions must be justified; an organization cannot exclude a control without recorded rationale, and a control selected during risk treatment cannot appear as excluded.
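The consistency rules above (every Annex A control listed, every inclusion or exclusion justified, applicable controls carrying an implementation status, and no risk-treatment control left excluded) are the kind of thing an auditor checks by hand. The following script is an added example, not ELDR's tooling or anything from the standard; it assumes the SoA is exported as CSV with the columns control_id, title, applicable, justification and status, that the risk treatment plan is a list of (risk_id, control_id) pairs, and it uses a constructed subset of Annex A rather than all 93 controls.

```python
"""Consistency checks for an ISO/IEC 27001:2022 Statement of Applicability.

Added example, not ELDR tooling. Assumptions (not from the page): the SoA is
exported as CSV with columns control_id,title,applicable,justification,status;
the risk treatment plan is a list of (risk_id, control_id) pairs. The control
catalogue below is a small subset of Annex A, and the CSV rows are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Subset of ISO/IEC 27001:2022 Annex A controls (constructed catalogue for the
# example; a real check would load all 93).
ANNEX_A_SUBSET = {
    "A.5.1": "Policies for information security",
    "A.5.23": "Information security for use of cloud services",
    "A.6.1": "Screening",
    "A.7.1": "Physical security perimeters",
    "A.8.7": "Protection against malware",
    "A.8.24": "Use of cryptography",
}

# Implementation states accepted for an applicable control (assumed vocabulary).
VALID_STATUS = {"implemented", "partially implemented", "planned"}


@dataclass
class SoaRow:
    control_id: str
    applicable: bool
    justification: str
    status: str


def parse_soa(csv_text):
    """Parse the SoA export into {control_id: SoaRow}."""
    rows = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        cid = rec["control_id"].strip()
        rows[cid] = SoaRow(
            control_id=cid,
            applicable=rec["applicable"].strip().lower() == "yes",
            justification=rec["justification"].strip(),
            status=rec["status"].strip().lower(),
        )
    return rows


def check_soa(soa, catalogue, risk_treatment):
    """Return a list of findings; an empty list means the SoA is consistent."""
    findings = []
    # Clause 6.1.3(d): every Annex A control must appear, included or excluded.
    for cid in catalogue:
        if cid not in soa:
            findings.append(f"{cid}: missing from SoA")
    for cid, row in soa.items():
        if cid not in catalogue:
            findings.append(f"{cid}: not in the Annex A catalogue")
            continue
        # Both inclusions and exclusions need a documented justification.
        if not row.justification:
            kind = "inclusion" if row.applicable else "exclusion"
            findings.append(f"{cid}: {kind} without documented justification")
        # Applicable controls must carry a recognised implementation status.
        if row.applicable and row.status not in VALID_STATUS:
            findings.append(f"{cid}: applicable but status '{row.status}' not recognised")
        if not row.applicable and row.status not in ("", "n/a"):
            findings.append(f"{cid}: excluded but carries an implementation status")
    # Clause 6.1.3(b)/(c): a control selected by risk treatment cannot be excluded.
    for risk_id, cid in risk_treatment:
        row = soa.get(cid)
        if row is None or not row.applicable:
            findings.append(f"{cid}: selected by risk treatment {risk_id} but excluded or missing")
    return findings


# Constructed SoA export: A.8.7 is absent, A.6.1 lacks a justification, and
# A.8.24 is excluded although risk R-12 selects it.
SAMPLE_SOA_CSV = """control_id,title,applicable,justification,status
A.5.1,Policies for information security,yes,Required for every ISMS scope,implemented
A.5.23,Information security for use of cloud services,yes,Production runs on public cloud IaaS,partially implemented
A.6.1,Screening,yes,,implemented
A.7.1,Physical security perimeters,no,No premises in scope; fully remote workforce,n/a
A.8.24,Use of cryptography,no,Out of scope,n/a
"""

# Constructed risk treatment plan: (risk_id, selected control).
SAMPLE_RISK_TREATMENT = [("R-03", "A.5.23"), ("R-12", "A.8.24")]


def run_example():
    return check_soa(parse_soa(SAMPLE_SOA_CSV), ANNEX_A_SUBSET, SAMPLE_RISK_TREATMENT)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run against the constructed export, the script reports three findings: the missing A.8.7 row, the unjustified inclusion of A.6.1, and the exclusion of A.8.24 despite risk R-12 selecting it. The last check is the one most often missed in practice: the SoA and the risk treatment plan are maintained by different people, and an exclusion that contradicts a treatment decision is a nonconformity an auditor will raise.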
Authorization to Operate (ATO): A formal declaration by a designated authorizing official (the senior official defined in NIST SP 800-37 Rev. 2) that a federal information system may operate and that the official explicitly accepts the residual risk. Under FedRAMP, a cloud service provider must obtain an authorization from a federal agency's authorizing official before the service is used in the federal environment. The decision is based on the security assessment package: the SSP, the Security Assessment Report (SAR) produced by the 3PAO, and the Plan of Action and Milestones (POA&M) tracking open findings.
Personal data: Any information relating to an identified or identifiable natural person (the data subject), as defined in Article 4(1) of GDPR (Regulation (EU) 2016/679). A person is identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Pseudonymised data that can be attributed to a person with additional information remains personal data (Recital 26).
Protected health information (PHI): Individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate, as defined in 45 CFR 160.103. It includes demographic information and any information about an individual's past, present, or future physical or mental health condition, the provision of health care, or payment for that care, where the information identifies the individual or gives a reasonable basis to believe it could. The definition excludes education records covered by FERPA, employment records held by a covered entity in its role as employer, and records of a person who has been deceased for more than 50 years. Electronic PHI (ePHI) is PHI transmitted or maintained in electronic media and is the subject of the HIPAA Security Rule (45 CFR Part 164, Subpart C).