What auditors actually check about your terminology management — and how Compliance Glossary helps you pass. Mapped to real regulatory standards.
We fact-checked every claim against actual regulatory standards. Each control weakness below is marked with its evidence level: Verified means an explicit regulatory requirement exists with a citable standard. Well-Supported means real compliance principles apply but the extension to glossary terms is inferred. Planned means the feature is on our roadmap.
Standards cited: 21 CFR 211.100(b); SOX; SOC 2 CC8
21 CFR 211.100(b): "Any deviation from the written procedures shall be recorded and justified." SOC 2 CC8 requires documentation of "reason for change, authorizing entity, and employee that implemented the change."
This is one of the most consistently mandated requirements across all compliance frameworks. Auditors don't just want to see what changed — they need to know why.
Standards cited: ISO 9001:2015 §7.5.3; 21 CFR 211.100(a); ISO 13485:2016 §4.2.4
ISO 9001:2015 requires documents to be "reviewed and updated as necessary." ISO 13485 requires "procedures for document review and update." 21 CFR 211.100(a) requires written procedures to be "drafted, reviewed, and approved."
While no standard mandates a specific review frequency, auditors universally check that approved documents remain current. An approved term from 18 months ago with no review record is a red flag.
Our feature: a reviewedAt timestamp, set when a term is approved. The Dashboard shows an amber warning listing all approved terms not reviewed in 6+ months, so auditors can see at a glance which terms are current and which need attention.
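The audit-trail and stale-review controls described above, as an added Python example that is not Compliance Glossary's own code: an append-only version history that refuses entries without a change reason, a four-eyes rule on the approval transition, and the 6-month stale-approval check. The 183-day threshold, the status names and all field names are this example's assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=183)  # "6+ months" on the page; 183 days is this example's assumption

@dataclass(frozen=True)
class VersionEntry:
    """Append-only audit-trail record: who, when, why and what (SOC 2 CC8 fields)."""
    timestamp: datetime
    user: str
    change_reason: str
    status: str  # assumed lifecycle: draft -> in_review -> approved
    definition: str

@dataclass
class Term:
    name: str
    history: list = field(default_factory=list)  # entries are frozen and never edited in place
    reviewed_at: datetime = None

    def record(self, user, reason, status, definition, now):
        """Append a version entry, enforcing the mandatory reason and four-eyes approval."""
        if not reason.strip():
            raise ValueError("change reason is mandatory on every edit and status transition")
        last = self.history[-1] if self.history else None
        if status == "approved":
            if last is None or last.status != "in_review":
                raise ValueError("approval must follow an in_review submission")
            if last.user == user:
                raise ValueError("four-eyes: approver must differ from the submitting editor")
            self.reviewed_at = now  # reviewedAt is set at approval time
        self.history.append(VersionEntry(now, user, reason, status, definition))

    def is_stale(self, now):
        """Approved but not reviewed within STALE_AFTER: the dashboard's amber warning."""
        if not self.history or self.history[-1].status != "approved":
            return False
        return now - self.reviewed_at > STALE_AFTER

def stale_terms(terms, now):
    return [t.name for t in terms if t.is_stale(now)]

def demo():
    # Constructed sample history, not data from any real glossary.
    t0 = datetime(2024, 1, 10, tzinfo=timezone.utc)
    term = Term("Deviation")
    term.record("alice", "initial draft", "draft", "Departure from a written procedure", t0)
    term.record("alice", "ready for QA review", "in_review", "Departure from a written procedure", t0)
    term.record("bob", "QA approved wording", "approved", "Departure from a written procedure", t0 + timedelta(days=1))
    return stale_terms([term], t0 + timedelta(days=400))  # ['Deviation']
```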
Standards cited: Controlled Terminology (general principle); ICH E2D
Regulatory frameworks like MedDRA (EU pharmacovigilance) and CDISC (FDA data submissions) exist specifically because terminology inconsistency causes real harm — delayed approvals, miscoded safety events, failed submissions. The underlying principle — enforcing a controlled vocabulary across documents — applies to any regulated industry.
EMA guidance states: "Data entry staff should be instructed in the use of the terminologies, and their proficiency should be confirmed."
Standards cited: ALCOA+ (Attributable, Contemporaneous)
ALCOA+ requires data to be Attributable (who did it), Contemporaneous (timestamped when it happened), and Enduring (preserved for the record lifecycle). 21 CFR Part 11 requires audit trails for electronic records — though its full scope (electronic signatures, system validation) goes beyond what a glossary tool addresses.
Standards cited: ALCOA+ (Complete); ISO 27001 §7.5
ALCOA+ requires data to be "Complete — nothing relevant is missing." While this principle was designed for clinical data records, auditors apply the same thinking to governance documentation. Empty fields suggest incomplete governance.
Standards cited: ALCOA+ (Consistent)
ALCOA+ requires data to be "Consistent" across the organization. The FDA's own CDRH event coding system was criticized for "inconsistent, ambiguous, and duplicative concepts." MedDRA exists specifically to prevent cross-team terminology divergence.
Standards cited: Single Source of Truth; ISO 9001 §7.5.3
ISO 9001 requires that "only current and approved documents are available for use." Duplicate definitions create ambiguity about which version is authoritative — a direct control weakness.
Standards cited: ICH Q10; ISO 13485 §4.2.1
ICH Q10 explicitly identifies the source of each definition (ICH, ISO, or newly developed). ISO 13485 requires identifying "regulatory requirements applicable to the organization." Linking terms to their regulatory source demonstrates governance rigor.
Planned: a regulatorySource field will link each term to its authoritative text (e.g., "FDA 21 CFR 11 §11.10(e)", "MiFID II Art. 4"), and the audit export will include a traceability matrix.
No specific standard mandates this, but orphaned terms signal a neglected glossary. Planned: cross-reference scan results with the term list to flag terms defined but never found in any scanned content.
Controlled vocabulary is a real requirement in pharma (CDISC, MedDRA) and a common gap across industries. Planned: a reverse scanner that finds regulated-looking terms in documents that aren't yet managed in the glossary.
| Standard | What It Requires | Our Feature | Status |
|---|---|---|---|
| 21 CFR 211.100(b) | Deviations recorded and justified | Mandatory change reason on all changes (edits + status transitions) | Live |
| SOC 2 CC8 | Change reason + authorizing entity documented | Mandatory change reason + user ID on every version entry | Live |
| SOX | Changes authorized, documented, reviewed | Four-eyes approval + audit trail | Live |
| ISO 9001:2015 §7.5.3 | Documents reviewed and kept current | Stale approval detection (6-month flag) | Live |
| ISO 13485:2016 §4.2.4 | Document review and update procedures | reviewedAt tracking + dashboard | Live |
| 21 CFR Part 11 | Audit trails for electronic records | Append-only version history with user/timestamp (audit trail scope; e-signatures and system validation require org-level processes) | Live |
| ALCOA+ | Attributable, Complete, Consistent, Enduring | User tracking, mandatory change reasons, cross-space scan, CSV export | Live |
| Controlled Terminology | Terminology consistency across documents | Custom glossary synonym scanner across Confluence pages | Live |
| ICH Q10 | Source traceability for definitions | regulatorySource field + traceability matrix | Planned |