
Key Concepts and Terminology

Learn the key compliance terms used throughout episki, including frameworks, controls, assessments, and programs.

Written by Jessica Donado

Understanding these terms will help you get the most out of episki.

Framework

A framework is a structured collection of compliance requirements (like SOC 2, PCI-DSS, or ISO 27001). Each framework contains controls organized hierarchically.

Think of a framework as the “rulebook” you need to follow.

Control

A control is an individual compliance requirement within a framework.

For example, “Implement strong password policies” might be a control.

Controls include:

• A reference ID (e.g., “6.1.1”)
• A description of the requirement
• Testing procedures (how to verify compliance)

Controls are the building blocks of compliance—everything in episki connects back to controls.

Assessment

An assessment is a point-in-time evaluation of your compliance against a specific framework. Think of it as your annual audit preparation.

During an assessment, you:

• Review each control in the framework
• Document how you meet each requirement (responses)
• Attach evidence (artifacts)
• Identify and track gaps (tasks/issues)

Program

A program is your ongoing compliance monitoring between assessments.

Instead of scrambling before audits, programs help you maintain compliance year-round.

Programs use recurring tasks to ensure compliance activities happen on schedule.

The system also tracks “program health”—the percentage of controls that are up-to-date.

Response

A response is your written explanation of how you meet a specific control during an assessment.

Artifact

An artifact is a file or document that proves compliance, such as:

• Policies
• Screenshots
• Audit logs
• Test results

Artifacts can be attached to assessments, tasks, or issues.

Task

A task is a work item used to achieve or maintain compliance.

Tasks can be:

• One-time (for assessment gaps)
• Recurring (for ongoing program activities)

Issue

An issue is a compliance gap or finding that needs remediation.

Issues are similar to tasks but typically represent problems discovered during assessments.

Health

Health refers to your program’s compliance status, measured as a percentage.

A control is considered “healthy” when all recurring tasks are up-to-date.

If tasks are overdue, the control becomes “unhealthy.”
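The health rule above is simple enough to model directly. The following is an added illustration, not episki's own code: it treats a control as healthy when none of its recurring tasks is overdue, and program health as the percentage of healthy controls. The control and task records, the cut-off date, and the decision that a control with no recurring tasks counts as healthy are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Control:
    ref_id: str        # reference ID within the framework, e.g. "6.1.1"
    description: str


@dataclass
class Task:
    control_id: str                   # the control this recurring task supports
    due: date
    completed_on: Optional[date] = None   # None means the task is still open


def is_overdue(task: Task, today: date) -> bool:
    """A task is overdue when it is still open and its due date has passed."""
    return task.completed_on is None and task.due < today


def control_is_healthy(control: Control, tasks: List[Task], today: date) -> bool:
    """Healthy = all recurring tasks for this control are up-to-date.

    Assumption for this example: a control with no recurring tasks has
    nothing overdue and therefore counts as healthy.
    """
    own_tasks = [t for t in tasks if t.control_id == control.ref_id]
    return not any(is_overdue(t, today) for t in own_tasks)


def unhealthy_controls(controls: List[Control], tasks: List[Task], today: date) -> List[str]:
    """Reference IDs of controls with at least one overdue task."""
    return [c.ref_id for c in controls if not control_is_healthy(c, tasks, today)]


def program_health(controls: List[Control], tasks: List[Task], today: date) -> float:
    """Program health: percentage of controls that are healthy, rounded to 0.1."""
    if not controls:
        return 0.0
    healthy = sum(control_is_healthy(c, tasks, today) for c in controls)
    return round(100.0 * healthy / len(controls), 1)


# Constructed sample data (not from any real assessment).
CONTROLS = [
    Control("6.1.1", "Review access rights quarterly"),
    Control("6.1.2", "Rotate service account credentials"),
    Control("8.2.3", "Review firewall rule set"),
    Control("10.1", "Retain audit logs for one year"),
]

TASKS = [
    Task("6.1.1", due=date(2024, 6, 1), completed_on=date(2024, 5, 30)),  # done on time
    Task("6.1.2", due=date(2024, 6, 1)),                                  # open and past due
    Task("8.2.3", due=date(2024, 7, 1)),                                  # open, not yet due
    # "10.1" has no recurring task attached
]

TODAY = date(2024, 6, 15)

if __name__ == "__main__":
    print("Program health:", program_health(CONTROLS, TASKS, TODAY), "%")
    print("Unhealthy controls:", unhealthy_controls(CONTROLS, TASKS, TODAY))
```

With the sample data, only "6.1.2" has an overdue task, so three of four controls are healthy and the program reports 75.0% health. Note that a task due today is not yet overdue; the comparison is strictly `due < today`.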

Testing Procedure

A testing procedure describes how to verify that a control is being met.

Auditors use these to validate compliance.
