# Certification readiness
Attesto prepares for certifications and assurance reviews by operating according to the relevant practices before a formal audit starts. The goal is simple: future certification becomes easier because the evidence already exists.
This page does not state that Attesto is certified, compliant, qualified, legally approved, or externally attested. It explains the preparation model and the evidence boundaries.
## Priority
- ISO/IEC 27001 first. This is the foundation for enterprise, EU, government, and critical-supplier information security.
- SOC 2 Type II second. This matters for international and US customers because it reviews operating effectiveness over time.
- ISO/IEC 27701 later. This adds privacy management once PII roles and processing records are mature.
- Cyber Essentials Plus later. This supports UK public-sector baseline security needs when procurement requires it.
- NEN 7510 later. This matters if Dutch healthcare becomes an active customer segment.
- ENSIA/BIO alignment. This supports Dutch public-sector evidence conversations.
- eIDAS 2.0 alignment. This is a strategic trust and evidence lane, not a qualification claim.
## Framework map
| Framework | Why it matters | Attesto preparation | Boundary |
|---|---|---|---|
| ISO/IEC 27001 | Enterprise, government, and critical-supplier security management. | ISMS scope, risk register, asset register, supplier register, incident register, self-use evidence loop, internal audit plan, management review. | Requires formal scope, policies, audit sampling, corrective actions, and accredited certification audit later. |
| SOC 2 Type II | International and US buyer assurance over operating effectiveness. | Preserve period evidence for security, availability, processing integrity, confidentiality, and privacy where customer commitments require them. | Requires a system description, management assertion, observation period, and CPA examination later. |
| ISO/IEC 27701 | Privacy information management for PII controller and processor accountability. | Privacy-sensitive evidence boundaries, no raw payloads in release reports, supplier and asset records. | Requires PIMS scope, PII role analysis, privacy processes, privacy risk assessment, and specialist review later. |
| Cyber Essentials Plus | UK public-sector baseline security procurement. | Technical baseline evidence around assets, TLS, dependency security, secure configuration, and cloud/service boundaries. | Requires approved scheme assessment and technical verification later. |
| NEN 7510 | Dutch healthcare information-security expectations. | Build on ISO/IEC 27001 records and keep healthcare-specific scope separate until that market is active. | Requires healthcare-specific scope, health-data analysis, and sector review later. |
| ENSIA/BIO | Dutch government information-security accountability support. | Map Attesto evidence to public-sector security principles, incident evidence, supply-chain assurance, and auditability. | Customer public-sector bodies own their BIO scope and ENSIA reporting process. |
## eIDAS 2.0 alignment
eIDAS 2.0 is strategically important for Attesto because the platform is built around verifiable evidence, timestamps, ledger-style integrity, signatures, independent verification, and trust boundaries. That makes it a natural research and legal-review lane.
The boundary is strict: Attesto does not claim qualified trust-service provider status, qualified electronic ledger status, qualified timestamp status, legal admissibility outcome, eIDAS certification, or public-authority approval. Any stronger claim requires specialist legal and conformity-assessment work.
## Evidence discipline
Attesto uses Attesto-generated release evidence internally. The self-use evidence loop ties release integrity, secret exposure prevention, dependency security, Proofstream lifecycle guarantees, public documentation boundaries, SDK registry readiness, incidents, and management review to specific evidence records.
This is the practical habit that makes certification easier later: evidence is generated, checked, hashed, reviewed, and kept current before an auditor asks for it.
## Boundaries
Certification readiness does not certify Attesto. It does not replace legal counsel, auditor judgment, customer supplier review, sector obligations, public-authority decisions, or customer control ownership. It shows that Attesto is operating toward those reviews in a disciplined, evidence-first way.
