Trust Center
Security management and ISO/IEC 27001 readiness
Attesto is building its information security management system (ISMS) from the start, so that security controls, risk decisions, evidence integrity, and operating reviews are traceable before a formal certification project begins.
This page describes Attesto's preparation model. It does not state that Attesto is ISO/IEC 27001 certified, and it does not replace an accredited audit.
What Attesto manages
The current ISMS boundary covers the tenant dashboard, admin control panel, audit portal, public verify API, docs hub, Proofstream, witness plane, verifier tooling, SDKs, Local Vault, production release evidence, and external service boundaries that affect security, availability, billing, custody, package distribution, or evidence integrity.
Customer source systems, customer user assignment decisions, customer-operated witnesses, customer-operated Local Vault hosts, and legal interpretation remain outside Attesto's management boundary.
ISMS operating records
| Record | Purpose | Public meaning |
|---|---|---|
| Scope | Defines included services, excluded customer responsibilities, and owner roles. | Shows what Attesto intends to manage. |
| Risk register | Tracks security, evidence, supplier, documentation, and cryptographic risks. | Shows risks are owned and reviewed. |
| Asset register | Tracks source, release evidence, Proofstream, witness, verifier, secrets, SDKs, docs, connectors, Local Vault, and runtime assets. | Shows control ownership is attached to real assets. |
| Supplier register | Tracks external service boundaries and review cadence. | Shows supplier dependencies are visible. |
| Incident register | Defines intake, classification, retention, escalation, and current open-incident state. | Shows security events have a record path. |
| Self-use evidence loop | Connects Attesto's own release evidence to security-management review decisions. | Shows Attesto uses its evidence discipline internally. |
| Internal audit plan | Defines quarterly control review and release-evidence review scope. | Shows audit preparation is repeatable. |
| Management review cadence | Defines monthly review topics and certification trigger conditions. | Shows leadership review is explicit. |
Review cadence
- Risk and asset records are reviewed monthly and after material release-gate failures.
- Supplier records are reviewed quarterly and before new critical suppliers enter production.
- Incident records are continuously available for intake and reviewed monthly.
- Internal control review runs quarterly until an accredited certification project starts.
- Management review runs monthly and after critical security events.
Evidence model
Attesto uses its own release evidence to support security management: production audit, source secret scan, dependency security, release evidence contract, production readiness snapshot, docs hub contract, customer-visible dead-end contract, SDK registry readiness, Proofstream guarantees, witness/quorum evidence, fork-defense evidence, Local Vault assurance, connector assurance, and Nova claim boundaries.
The guiding principle is the same one Proofstream applies to its own records: a record should be verifiable, current, bounded, and tied to evidence, rather than resting on informal status claims.
Attesto also maintains a broader Certification Readiness map for ISO/IEC 27001, SOC 2 Type II, ISO/IEC 27701, Cyber Essentials Plus, NEN 7510, ENSIA/BIO, and eIDAS 2.0 alignment. It keeps future audit preparation visible without claiming certification before an external review.
Boundaries
Attesto evidence can support audits and future certification preparation. It does not prove customer compliance, decide legal obligations, replace auditor judgment, or certify Attesto by itself. A formal certification project still requires management approval, audit sampling, corrective-action records, and an accredited audit.
Public documentation intentionally avoids private operational details. Security reviewers can use Attesto's public trust model to understand how evidence is generated and verified, while private internal records remain controlled by Attesto management.
