Key Concepts and Terminology

Learn the key compliance terms used throughout episki, including frameworks, controls, assessments, and programs.

Written by Jessica Donado
Updated over 2 months ago

Understanding these terms will help you get the most out of episki.

Framework

A framework is a structured collection of compliance requirements (like SOC 2, PCI-DSS, or ISO 27001). Each framework contains controls organized hierarchically.

Think of a framework as the “rulebook” you need to follow.

Control

A control is an individual compliance requirement within a framework.

For example, “Implement strong password policies” might be a control.

Controls include:

• A reference ID (e.g., “6.1.1”)
• A description of the requirement
• Testing procedures (how to verify compliance)

Controls are the building blocks of compliance—everything in episki connects back to controls.

Assessment

An assessment is a point-in-time evaluation of your compliance against a specific framework. Think of it as your annual audit preparation.

During an assessment, you:

• Review each control in the framework
• Document how you meet each requirement (responses)
• Attach evidence (artifacts)
• Identify and track gaps (tasks/issues)

Program

A program is your ongoing compliance monitoring between assessments.

Instead of scrambling before audits, programs help you maintain compliance year-round.

Programs use recurring tasks to ensure compliance activities happen on schedule.

The system also tracks “program health”—the percentage of controls that are up-to-date.

Response

A response is your written explanation of how you meet a specific control during an assessment.

Artifact

An artifact is a file or document that proves compliance, such as:

• Policies
• Screenshots
• Audit logs
• Test results

Artifacts can be attached to assessments, tasks, or issues.

Task

A task is a work item used to achieve or maintain compliance.

Tasks can be:

• One-time (for assessment gaps)
• Recurring (for ongoing program activities)

Issue

An issue is a compliance gap or finding that needs remediation.

Issues are similar to tasks but typically represent problems discovered during assessments.

Health

Health refers to your program’s compliance status, measured as a percentage.

A control is considered “healthy” when all recurring tasks are up-to-date.

If tasks are overdue, the control becomes “unhealthy.”
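The health calculation defined above, as an added Python example that is not episki's own code; it assumes a task is overdue once its due date has passed without completion, a control with no recurring tasks counts as healthy, and an empty program reports 0%.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Task:
    """One occurrence of a recurring task: due date and whether it was completed."""
    name: str
    due: date
    completed: bool = False

@dataclass
class Control:
    ref: str
    recurring_tasks: list = field(default_factory=list)

def is_overdue(task: Task, today: date) -> bool:
    # Assumption: a task is overdue once its due date has passed without completion.
    return not task.completed and task.due < today

def control_is_healthy(control: Control, today: date) -> bool:
    # Healthy when every recurring task is up-to-date. Assumption: a control
    # with no recurring tasks has nothing overdue and so counts as healthy.
    return not any(is_overdue(t, today) for t in control.recurring_tasks)

def program_health(controls: list, today: date) -> float:
    """Program health: percentage of healthy controls, rounded to one decimal."""
    if not controls:
        return 0.0  # assumption: an empty program reports 0% rather than dividing by zero
    healthy = sum(control_is_healthy(c, today) for c in controls)
    return round(100.0 * healthy / len(controls), 1)

def unhealthy_controls(controls: list, today: date) -> list:
    """Reference IDs of controls with at least one overdue task, for follow-up."""
    return [c.ref for c in controls if not control_is_healthy(c, today)]

# Constructed sample program (not real episki data), evaluated as of 2024-06-15.
TODAY = date(2024, 6, 15)
SAMPLE_CONTROLS = [
    Control("6.1.1", [Task("Quarterly access review", date(2024, 6, 30)),
                      Task("Monthly log review", date(2024, 5, 31), completed=True)]),
    Control("6.1.2", [Task("Annual policy review", date(2024, 6, 1))]),  # overdue
    Control("6.2.1"),  # no recurring tasks yet
]

if __name__ == "__main__":
    print(f"Program health: {program_health(SAMPLE_CONTROLS, TODAY)}%")
    print("Needs attention:", unhealthy_controls(SAMPLE_CONTROLS, TODAY))
```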

Testing Procedure

A testing procedure describes how to verify that a control is being met.

Auditors use these to validate compliance.