Trust Center
Security management and ISO/IEC 27001 readiness
Attesto builds an information security management system from the start so that security controls, risk decisions, evidence integrity and operating reviews are traceable before a formal certification project begins.
This page describes Attesto's preparation model. It does not claim that Attesto is ISO/IEC 27001 certified, and it does not replace an accredited audit.
What Attesto manages
The current ISMS boundary covers the tenant dashboard, admin control panel, audit portal, public verify API, docs hub, Proofstream, witness plane, verifier tooling, SDKs, Local Vault, production release evidence, and the external service boundaries that affect security, availability, billing, custody, package distribution or evidence integrity.
Customer source systems, customer user assignment decisions, customer-operated witnesses, customer-operated Local Vault hosts and legal interpretation remain outside Attesto's management boundary.
ISMS operating records
| Record | Purpose | Public meaning |
|---|---|---|
| Scope | Defines included services, excluded customer responsibilities and owner roles. | Shows what Attesto intends to manage. |
| Risk register | Tracks security, evidence, supplier, documentation and cryptographic risks. | Shows that risks have ownership and review. |
| Asset register | Tracks source, release evidence, Proofstream, witness, verifier, secrets, SDKs, docs, connectors, Local Vault and runtime assets. | Shows that control ownership is tied to real assets. |
| Supplier register | Tracks external service boundaries and review cadence. | Shows that supplier dependencies are visible. |
| Incident register | Defines intake, classification, retention, escalation and the current open-incident state. | Shows that security events have a record path. |
| Self-use evidence loop | Connects Attesto's release evidence to security-management review decisions. | Shows that Attesto applies its evidence discipline internally. |
| Internal audit plan | Defines the quarterly control review and release-evidence review scope. | Shows that audit preparation is repeatable. |
| Management review cadence | Defines monthly review topics and certification trigger conditions. | Shows that leadership review is explicit. |
Review cadence
- Risk and asset records are reviewed monthly and after material release-gate failures.
- Supplier records are reviewed quarterly and before new critical suppliers enter production.
- Incident records are continuously available for intake and are reviewed monthly.
- Internal control review runs quarterly until an accredited certification project begins.
- Management review runs monthly and after critical security events.
Evidence model
Attesto uses its own release evidence to support security management: production audit, source secret scan, dependency security, release evidence contract, production readiness snapshot, docs hub contract, customer-visible dead-end contract, SDK registry readiness, Proofstream guarantees, witness/quorum evidence, fork-defense evidence, Local Vault assurance, connector assurance and Nova claim boundaries.
The key principle is the same as for Proofstream: records must be verifiable, current, bounded and tied to evidence rather than relying on informal status claims.
Attesto also maintains a broader Certification Readiness map covering ISO/IEC 27001, SOC 2 Type II, ISO/IEC 27701, Cyber Essentials Plus, NEN 7510, ENSIA/BIO and eIDAS 2.0 alignment. It keeps future audit preparation visible without claiming certification before external review.
Boundaries
Attesto evidence can support audits and future certification preparation. It does not prove customer compliance, does not decide legal obligations, does not replace auditor judgment, and does not certify Attesto on its own. A formal certification project still requires management approval, audit sampling, corrective-action records and an accredited audit.
Public documentation intentionally omits private operational details. Security reviewers can use Attesto's public trust model to understand how evidence is generated and verified, while private internal records remain under the control of Attesto management.
