Enterprise Reference Center

Authoritative definitions, framework comparisons, regulatory references, and implementation guidance — cited to primary sources, not secondary summaries.

Reference Collections
Governance Glossary

Definitions of governance, compliance, and regulatory terms as used across ELDR publications, frameworks, and advisory engagements.

300+ terms across AI governance, cybersecurity, GRC, and enterprise documentation
Framework Comparisons

Side-by-side analysis of overlapping governance frameworks — scope, control families, evidence requirements, and certification implications.

ISO 27001 · SOC 2 · NIST 800-53 · FedRAMP · PCI DSS · HIPAA · GDPR · EU AI Act
Regulatory Definitions

Primary-source regulatory definitions from EU, US, UK, and Nigerian regulatory frameworks — cited to the primary text, not secondary summaries.

EU AI Act · GDPR · FDA 21 CFR · HIPAA · SOX · PCI DSS · FISMA
Acronym Register

Authoritative expansion and definition of acronyms used across ELDR publications and the governance, cybersecurity, and enterprise technology domains.

GRC · ISMS · SSP · ATO · RTM · NIST · RMF · FISMA · S1000D · DITA · etc.
Implementation FAQs

Practitioner-sourced answers to the most common implementation questions across ELDR's covered frameworks and governance domains.

ISO 27001 · FedRAMP · SOC 2 · EU AI Act · S1000D · DITA
Framework Decision Guide

Decision framework for selecting between overlapping governance standards — when ISO 27001 vs SOC 2, when NIST 800-53 vs CIS Controls, when DITA vs docs-as-code.

Framework Selection · Regulatory Alignment · Industry Context
Framework Comparisons

What the frameworks actually say about each other.

Side-by-side analysis of overlapping governance frameworks — where they agree, where they diverge, and what each requires that the other does not. Cited to primary framework texts.

ISO 27001 vs. NIST CSF

ISO 27001 is a certification standard with audit-verified requirements. NIST CSF is a voluntary framework without certification. ISO 27001 Annex A controls overlap substantially with NIST CSF functions, but ISO 27001 requires formal risk assessment, SoA, and management review that NIST CSF does not mandate. Organizations using NIST CSF can map to ISO 27001 controls, but NIST CSF compliance does not constitute ISO 27001 certification readiness.

SOC 2 vs. ISO 27001

SOC 2 is an attestation produced by a licensed CPA firm against AICPA Trust Services Criteria. ISO 27001 is a certification issued by an accredited certification body against ISO/IEC 27001:2022. SOC 2 Type II covers a defined attestation period (typically 12 months). ISO 27001 certification requires continual improvement and annual surveillance audits. Many organizations pursue both: ISO 27001 for international credibility, SOC 2 for US enterprise customer requirements.

NIST AI RMF vs. EU AI Act

NIST AI RMF is a voluntary governance framework organized around four functions (GOVERN, MAP, MEASURE, MANAGE). EU AI Act is binding regulation with mandatory documentation requirements for high-risk AI systems. For organizations subject to both: NIST AI RMF provides the governance architecture; EU AI Act imposes the specific documentation artifacts (technical file, risk management, conformity assessment) that the governance architecture must produce.

FedRAMP vs. NIST 800-53

FedRAMP is a US federal authorization program for cloud services. NIST SP 800-53 is the control catalog FedRAMP uses. FedRAMP defines three baselines (Low, Moderate, High) drawn from NIST 800-53 Rev. 5, with FedRAMP-specific parameter values and additional requirements. FedRAMP authorization requires a 3PAO assessment and PMO review; NIST 800-53 compliance alone does not constitute FedRAMP authorization.

HIPAA vs. ISO 27001

HIPAA is US regulation governing protected health information (PHI). ISO 27001 is an international information security management standard. HIPAA's Security Rule requires administrative, physical, and technical safeguards that overlap with ISO 27001 Annex A controls, but HIPAA imposes specific PHI-handling requirements that go beyond ISO 27001's general control framework. ISO 27001 certification does not constitute HIPAA compliance; HIPAA requires covered entity analysis and BAA management that ISO 27001 does not address.

GDPR vs. ISO 27001

GDPR is EU data protection regulation. ISO 27001 is an information security management standard. GDPR imposes data subject rights, lawful basis requirements, and cross-border transfer restrictions that ISO 27001 does not address. ISO 27001 certification can support GDPR compliance evidence for technical and organizational security measures under Article 32, but GDPR compliance requires privacy governance elements (ROPA, DPIA, DPO) outside ISO 27001's scope.

Regulatory Definitions

Primary source. Not a summary.

Regulatory terms as defined in the primary regulatory text — EU AI Act, GDPR, FDA 21 CFR, HIPAA Security Rule, FedRAMP/NIST RMF. Where secondary sources introduce ambiguity, the primary text governs.

High-Risk AI System (EU AI Act)

An AI system listed in Annex III of EU AI Act 2024/1689, including AI systems used in biometric identification, critical infrastructure, education, employment, essential private and public services, law enforcement, migration management, and administration of justice. High-risk AI systems are subject to mandatory conformity assessment, technical documentation requirements, human oversight measures, and registration in the EU AI database.

System Security Plan (SSP) (FedRAMP / NIST RMF)

A formal document describing the security requirements for an information system and the security controls in place or planned to meet those requirements. Under FedRAMP, the SSP is the primary authorization document — it describes the system boundary, categorization, implemented controls, and control implementation descriptions. SSP template and structure requirements are defined in NIST SP 800-18 Rev. 1.

Statement of Applicability (SoA) (ISO 27001:2022)

A document required under ISO/IEC 27001:2022 Clause 6.1.3(d) listing all Annex A controls, whether each is applicable or excluded, and the justification for inclusion or exclusion. The SoA is a key audit artifact — it demonstrates that the organization has considered all controls and made documented decisions about applicability. Exclusions must be justified; organizations cannot simply exclude controls without documented rationale.

Authorization to Operate (ATO) (FedRAMP / FISMA)

A formal declaration by a designated authorizing official that authorizes a federal information system to operate and explicitly accepts the residual risk of that system. Under FedRAMP, cloud service providers must obtain ATO from a federal agency before operating in the federal environment. The ATO decision is based on the security assessment package (SSP, SAR, POA&M).

Personal Data (GDPR / EU Law)

Any information relating to an identified or identifiable natural person (data subject), as defined in Article 4(1) of GDPR 2016/679. A person is identifiable if they can be identified directly or indirectly, including by reference to an identifier such as a name, identification number, location data, online identifier, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

Protected Health Information (PHI) (HIPAA)

Individually identifiable health information that is created, received, transmitted, or maintained by a covered entity or business associate, as defined under 45 CFR 160.103. PHI includes demographic information, health conditions, care and treatment information, or payment history that can be used to identify the individual. Electronic PHI (ePHI) is PHI transmitted or maintained in electronic form and subject to the HIPAA Security Rule.

Acronym Register

Governance & compliance acronym register.

A
ATO
Authorization to Operate — Formal declaration authorizing a federal information system to operate
FedRAMP / FISMA
B
BCP
Business Continuity Plan — Document defining procedures to maintain business operations during disruptions
ISO 22301 / NIST SP 800-34
C
CASB
Cloud Access Security Broker — Security policy enforcement point between cloud users and providers
General
CCM
Cloud Controls Matrix — Cybersecurity control framework for cloud computing organizations
CSA
CER
Clinical Evaluation Report — Document evaluating clinical evidence for EU medical device conformity
EU MDR
CMDB
Configuration Management Database — Repository of configuration items and their relationships
ITIL
CSDB
Common Source Database — Repository for S1000D data modules and publications
S1000D
ConOps
Concept of Operations — Document describing how a system operates from the user perspective
FAA/DOD
D
DHF
Design History File — Compilation of records describing design history of a medical device
FDA 21 CFR 820
DPA
Data Processing Agreement — Contract between controller and processor governing personal data processing
GDPR
DPIA
Data Protection Impact Assessment — Assessment of processing operations with high risk to natural persons
GDPR Article 35
E
EIA
Electronic Industries Alliance — Standards body; EIA-649 covers configuration management
Engineering Standards
F
FFIEC
Federal Financial Institutions Examination Council — Interagency body prescribing uniform principles for federal examination of financial institutions
US Banking
FISMA
Federal Information Security Modernization Act — Legislation requiring federal agencies to protect information systems
US Federal Law
FRTB
Fundamental Review of the Trading Book — Basel Committee standards for market risk capital requirements
Basel III/IV
G
GMP
Good Manufacturing Practice — Minimum standards for manufacturing, processing, packaging, or holding drugs
FDA / ICH
GRC
Governance, Risk, and Compliance — Integrated approach to managing organizational governance, risk management, and compliance
General
H
HWCI
Hardware Configuration Item — Hardware items designated for configuration management
MIL-HDBK-61
I
ICH
International Council for Harmonisation — Organization developing technical guidelines for pharmaceutical products
Pharmaceutical
IFU
Instructions for Use — Documentation accompanying medical devices describing safe and effective use
FDA / EU MDR
ILS
Integrated Logistics Support — Disciplined, unified approach to managing technical documentation and support for defense systems
Defense/Aviation
ISMS
Information Security Management System — Systematic approach to managing sensitive information through people, processes, and technology
ISO 27001
ITGC
IT General Controls — Controls over IT infrastructure and applications supporting financial reporting
SOX / Auditing
M
MIL-HDBK
Military Handbook — Standardization document for defense procurement and manufacturing
US DoD
N
NIST
National Institute of Standards and Technology — US agency developing standards and guidelines for technology and cybersecurity
US Federal
P
PLM
Product Lifecycle Management — Process for managing product data throughout its lifecycle
Manufacturing / Engineering
POA&M
Plan of Action and Milestones — Document identifying tasks needed to remediate security weaknesses
FedRAMP / NIST
R
ROPA
Records of Processing Activities — Documentation of personal data processing activities maintained by controllers
GDPR Article 30
RTM
Requirements Traceability Matrix — Document linking requirements to implementation and test artifacts
Engineering / Compliance
S
SAR
Security Assessment Report — Document from 3PAO describing security control testing results
FedRAMP / NIST RMF
SOC 2
Service Organization Control 2 — Attestation report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, and privacy
AICPA
SOX
Sarbanes-Oxley Act — US law establishing requirements for financial reporting and internal controls for public companies
US Federal Law
SSP
System Security Plan — Document describing security requirements and controls for an information system
FedRAMP / NIST RMF
SoA
Statement of Applicability — Document listing ISO 27001 Annex A controls with inclusion/exclusion justification
ISO 27001
Z
ZTA
Zero Trust Architecture — Security model requiring verification of every user and device regardless of network location
NIST SP 800-207 / CISA