Concepts & Terminology
This glossary defines key terms used throughout ForgeComply. Understanding these concepts will help you navigate the platform and communicate effectively with auditors.
Organization
An Organization represents a single company or business entity in ForgeComply. All assessments, policies, evidence, and team members belong to an organization.
- Each organization has its own data, completely isolated from others
- You can manage multiple organizations from one account
- Team members are invited per organization
Assessment
An Assessment is a compliance evaluation for a specific framework and audit type. Think of it as a "project" for preparing for an audit.
Examples:
- "SOC 2 Type I - Q1 2025"
- "ISO 27001 Stage 1 - Initial Certification"
Each assessment contains:
- A set of controls to evaluate
- Your responses and evidence
- Generated policies
- Reports for auditors
You may have multiple assessments per organization (e.g., Type I followed by Type II).
Control
A Control is a specific security requirement you must address. Controls are the building blocks of compliance frameworks.
Example: AC-01 — MFA Enforcement requires that multi-factor authentication is enabled for all user accounts.
For each control, you will:
- Answer whether it's implemented (Yes / No / Partial / N/A)
- Assign an owner responsible for it
- Link relevant policies
- Upload supporting evidence
Control Status
Each control is evaluated and assigned a status:
| Status | Meaning |
|---|---|
| Pass | All requirements met: answered, owner assigned, policy linked, evidence provided (if required) |
| At Risk | Partially complete — something is missing but progress has been made |
| Fail | Critical gaps exist — unanswered, no owner, or missing required evidence |
| Not Started | No action taken yet |
These statuses help you prioritize work and understand audit readiness.
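As an added illustration of the rules in the table above (example code, not ForgeComply's own implementation; the `Control` fields, the `evidence_required` flag and the sample controls are assumptions), this derives a status from how complete a control's record is and totals the results the way an audit readiness summary would:

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Control:
    """Minimal control record (field names are assumptions, not ForgeComply's schema)."""
    control_id: str
    answer: Optional[str] = None      # "Yes" / "No" / "Partial" / "N/A"; None = unanswered
    owner: Optional[str] = None       # an individual, e.g. "Jane Smith, IT Manager"
    policy_ids: List[str] = field(default_factory=list)
    evidence_ids: List[str] = field(default_factory=list)
    evidence_required: bool = True    # varies by audit type; Type II needs operating evidence

def control_status(c: Control) -> str:
    """Derive Pass / At Risk / Fail / Not Started from record completeness, per the table."""
    answered = c.answer is not None
    has_owner = bool(c.owner and c.owner.strip())
    has_policy = bool(c.policy_ids)
    has_evidence = bool(c.evidence_ids)
    if not (answered or has_owner or has_policy or has_evidence):
        return "Not Started"    # no action taken yet
    if not answered or not has_owner or (c.evidence_required and not has_evidence):
        return "Fail"           # one of the table's critical gaps
    if has_policy:
        return "Pass"           # answered, owned, policy linked, evidence present if required
    return "At Risk"            # progress made, but the policy link is still missing

def readiness_summary(controls: List[Control]) -> Dict[str, int]:
    """Count controls per status, the headline figure of an Audit Readiness Summary."""
    return dict(Counter(control_status(c) for c in controls))

# Constructed sample controls (not real assessment data).
SAMPLE = [
    Control("AC-01", "Yes", "Jane Smith, IT Manager", ["POL-AC"], ["EV-mfa-screenshot"]),
    Control("AC-02", "Partial", "Jane Smith, IT Manager", [], ["EV-access-review.xlsx"]),
    Control("IR-01", "Yes", None, ["POL-IR"], []),                 # no owner -> Fail
    Control("CC-05", "Yes", "Sam Lee, Security Lead", ["POL-DC"], [], evidence_required=False),
    Control("DC-01"),                                              # untouched -> Not Started
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.control_id}: {control_status(c)}")
    print(readiness_summary(SAMPLE))
```

Note that the status tracks completeness of the record, not whether the answer was "Yes"; a control answered "No" with an owner, policy and evidence still shows as Pass under the table's wording.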
Control Owner
The Control Owner is the person accountable for a specific control. This should be an individual, not a team or department.
Good: "Jane Smith, IT Manager"
Not ideal: "IT Team" or "Engineering"
Auditors want to know who is responsible. Assigning clear ownership demonstrates organizational accountability.
Policy
A Policy is a formal document that describes your organization's rules and procedures for a security domain.
Examples:
- Access Control Policy
- Incident Response Policy
- Data Classification Policy
Policies explain what your organization commits to doing. Controls and evidence demonstrate how you implement those commitments.
Key points:
- One policy typically covers multiple related controls
- Policies have versions and approval status
- Policies are generated based on your organization's profile
Policy Status
| Status | Meaning |
|---|---|
| Draft | Generated but not yet approved |
| Approved | Reviewed and approved by an authorized person |
Auditors expect approved policies. Draft policies indicate work in progress.
Evidence
Evidence is documentation that proves your controls are implemented and operating. Evidence supports your claims during an audit.
Examples:
- Screenshots of MFA configuration
- Access review spreadsheets
- Training completion certificates
- System configuration exports
Key points:
- Evidence requirements vary by audit type
- Evidence should be recent and relevant
- Evidence is reviewed before being accepted
- Auditors can view evidence linked to reports
Evidence Review Status
| Status | Meaning |
|---|---|
| Pending Review | Uploaded but not yet reviewed |
| Approved | Reviewed and accepted as valid evidence |
| Rejected | Reviewed and found insufficient |
Evidence review ensures quality before audit submission.
Exception
An Exception is a formal acknowledgment that a control cannot be fully met, along with a documented reason and compensating measures.
Example: A legacy system cannot support MFA. The exception documents this limitation, explains why, and describes compensating controls (IP restrictions, enhanced monitoring).
Exceptions:
- Are time-bound (they expire)
- Require approval
- Are visible in reports
- Are expected by auditors for legitimate gaps
Report
A Report is an immutable, point-in-time snapshot of your compliance status. Reports are generated on demand and do not auto-update.
Report types:
- Audit Readiness Summary — Executive overview of compliance status
- Control Matrix — Detailed status of all controls with policy and evidence mapping
- Evidence Index — Complete listing of evidence for audit sampling
- Exceptions Report — Documented risk acceptances
Key points:
- Reports are read-only once generated
- Generate new reports to reflect updates
- Auditors view reports, not your working data
Frameworks
SOC 2
SOC 2 (Service Organization Control 2) is a compliance framework for service providers, focusing on security, availability, processing integrity, confidentiality, and privacy.
Audit types:
- Type I — Point-in-time evaluation of control design
- Type II — Evaluation of control effectiveness over a period (typically 6-12 months)
ISO 27001
ISO 27001 is an international standard for information security management systems (ISMS).
Audit stages:
- Stage 1 — Documentation review and readiness assessment
- Stage 2 — Full certification audit of implementation and effectiveness
Type I vs Type II (SOC 2)
| Aspect | Type I | Type II |
|---|---|---|
| Focus | Control design | Control effectiveness |
| Evidence | Policies, procedures, configurations | Operating evidence over time |
| Duration | Point in time | 6-12 month period |
| Common for | First-time audits, fast certification | Ongoing compliance, mature organizations |
Most organizations start with Type I and progress to Type II.
Stage 1 vs Stage 2 (ISO 27001)
| Aspect | Stage 1 | Stage 2 |
|---|---|---|
| Focus | Documentation readiness | Implementation verification |
| Evidence | Policies, ISMS scope, risk assessment | Operating records, interviews, observations |
| Outcome | Readiness confirmation | Certification decision |
Stage 1 identifies gaps. Stage 2 verifies you've addressed them.
Guided Setup
Guided Setup is an optional workflow that walks you through controls step-by-step. It helps first-time users complete their assessment systematically.
Guided setup:
- Presents controls one at a time
- Tracks your progress
- Provides contextual guidance
- Can be exited and resumed anytime
Guided setup helps you prepare. It does not replace management judgment or audit review.
Auditor Role
An Auditor is a user role with read-only access to reports and evidence. Auditors cannot:
- Modify controls or policies
- Generate reports
- Access draft content
- See internal notes
This ensures audit integrity and clear separation of duties.
Next Steps
- Getting Started Guide — Set up your first assessment
- Guided Setup Overview — Learn how guided setup works
- Controls Documentation — Understanding the controls workflow