ISO 27001 / SOC 2
Regulator: ISO/IEC and AICPA
Signal Provenance covers the technical subset of ISO 27001 Annex A (approximately 15-20 controls directly) and provides strong evidence for the SOC 2 Security, Processing Integrity, and Confidentiality criteria. Availability is supported by RUNBOOK recovery. Organizational and people controls remain the client's program to implement.
Scope
ISO 27001:2022 specifies an Information Security Management System (ISMS) with 93 Annex A controls. SOC 2 (AICPA) reports on service organization controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Both are common enterprise procurement prerequisites.
Control-by-control coverage
Every claim below traces to source code in the echology monorepo or to a deliverable template shipped with Signal Provenance. If the code does not do it, the row is not here.
| Control | Requirement | Coverage | Evidence mechanism | Source |
|---|---|---|---|---|
| A.5.33 | Protection of records: records shall be protected from loss, destruction, falsification, unauthorized access and release | Complete | Hash-chained Aletheia ledger with verify_chain() tamper detection. AES-256 encryption at rest. Localhost-only network binding. | engine/aletheia/ledger.py, engine/vanta/vanta_security.py |
| A.8.15 | Logging: information about events, exceptions, and faults shall be produced, stored, protected and analyzed | Complete | 49 operational witness points plus inference and training logs. All events hash-chained, all tamper-evident, all queryable via ops ledger history. | ops/db.py, engine/aletheia/ledger.py |
| A.8.24 | Use of cryptography: rules for the effective use of cryptography shall be defined and implemented | Complete | AES-256 Fernet for data at rest. SHA-256 for content hashing. HMAC-SHA256 for provenance. Ed25519 for license signing. scrypt for password hashing. | engine/vanta/vanta_security.py, ops/rbac.py |
| A.5.34 | Privacy and protection of personally identifiable information (PII) | Strong | Automatic PII detection (SSN, CC, passport, HIPAA PHI patterns). Data minimization by architecture: only derived metadata is persisted. | engine/vanta/vanta_security.py |
| A.8.5 | Secure authentication: authentication technologies and procedures shall be implemented based on access restrictions | Strong | scrypt-hashed passwords, RFC 6238 TOTP multi-factor, session idle timeout, CSRF protection, rate-limited login attempts. | ops/rbac.py, ops/dashboard/auth.py |
| A.8.9 | Configuration management | Strong | Metadata harvesting detects configuration drift. Every change is witnessed with actor and timestamp. Edit-frequency tracking surfaces high-churn files. | ops/metadata.py |
| A.8.10 | Information deletion | Strong | Provenance records deletions with cryptographic proof of when and by whom. Secure delete utility for PHI-adjacent data. | provenance/db.py, engine/vanta/vanta_security.py |
| A.8.34 | Protection of information systems during audit testing | Strong | Aletheia ledger is isolated from the operational database, so audit testing on ops.db cannot corrupt the audit trail. Read-only compliance exports for auditors. | Architecture |
| SOC 2 Security | Trust Services Criterion: Security | Strong | AES-256 at rest, localhost binding, RBAC, MFA, review gates, CSRF protection, input validation. | Platform |
| SOC 2 Processing Integrity | Trust Services Criterion: Processing Integrity | Complete | Deterministic-first classification pipeline (decompose > 0.80 confidence, Ollama fallback). Every inference is logged. Review gates enforce human verification. | engine/vanta/vanta_classify_v2.py, ops/db.py |
| SOC 2 Confidentiality | Trust Services Criterion: Confidentiality | Strong | Data minimization by architecture, PII detection, AES-256 at rest, on-premise deployment model. | Architecture, engine/vanta/vanta_security.py |
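The A.5.33 and A.8.15 rows above rest on one mechanism: a hash-chained ledger whose verify_chain() walk detects any rewritten or reordered record. The block below is an added illustration of that pattern, not the Aletheia ledger code in engine/aletheia/ledger.py; the class, field and function names (HashChainedLedger, Entry, compute_hash, verify_chain's return convention) and the sample events are assumptions constructed for this example. It also shows the property an auditor cares about: altering one record without recomputing its hash is caught at that record, and altering it with a recomputed hash is caught at the next record, because the successor's prev_hash no longer matches.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Fixed anchor for the first entry's prev_hash (constructed convention for this example).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Entry:
    """One ledger record. Frozen so in-memory mutation has to be explicit (see tamper)."""
    seq: int
    actor: str
    event: str
    payload: dict
    prev_hash: str
    entry_hash: str


def compute_hash(seq: int, actor: str, event: str, payload: dict, prev_hash: str) -> str:
    """SHA-256 over a canonical JSON encoding, so the same record always hashes the same way.
    prev_hash is part of the input: that is what links each record to its predecessor."""
    canonical = json.dumps(
        {"seq": seq, "actor": actor, "event": event, "payload": payload, "prev_hash": prev_hash},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class HashChainedLedger:
    """Append-only list of entries where every entry commits to the hash of the one before it."""

    def __init__(self, entries: Optional[List[Entry]] = None) -> None:
        self.entries: List[Entry] = list(entries or [])

    def append(self, actor: str, event: str, payload: dict) -> Entry:
        seq = len(self.entries)
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        entry = Entry(seq, actor, event, payload, prev_hash,
                      compute_hash(seq, actor, event, payload, prev_hash))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> Optional[int]:
        """Return None if the chain is intact, otherwise the index of the first entry that fails.
        Three checks per entry: sequence number, link to predecessor, and the entry's own hash."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e.seq != i:                                   # reordered or dropped record
                return i
            if e.prev_hash != expected_prev:                  # link to predecessor broken
                return i
            if e.entry_hash != compute_hash(e.seq, e.actor, e.event, e.payload, e.prev_hash):
                return i                                      # record content altered
            expected_prev = e.entry_hash
        return None


def build_sample_ledger() -> HashChainedLedger:
    """Constructed sample events standing in for operational witness points."""
    ledger = HashChainedLedger()
    ledger.append("svc-classifier", "inference", {"doc": "contract-17.pdf", "label": "confidential"})
    ledger.append("alice", "review_approve", {"doc": "contract-17.pdf"})
    ledger.append("svc-retention", "delete", {"doc": "draft-03.docx", "reason": "policy"})
    return ledger


def tamper(ledger: HashChainedLedger, index: int, new_payload: dict, rehash: bool) -> HashChainedLedger:
    """Return a copy of the ledger with entry[index]'s payload replaced.
    rehash=False models a naive edit; rehash=True models an edit that also recomputes that
    entry's own hash but leaves the successor untouched."""
    entries = list(ledger.entries)
    old = entries[index]
    new_hash = (compute_hash(old.seq, old.actor, old.event, new_payload, old.prev_hash)
                if rehash else old.entry_hash)
    entries[index] = replace(old, payload=new_payload, entry_hash=new_hash)
    return HashChainedLedger(entries)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact chain:", ledger.verify_chain())
    print("payload edited, hash stale:", tamper(ledger, 1, {"doc": "other.pdf"}, rehash=False).verify_chain())
    print("payload edited, hash recomputed:", tamper(ledger, 1, {"doc": "other.pdf"}, rehash=True).verify_chain())
```

The third case is the one that matters for A.5.33: a falsified record can only be hidden by rewriting every later record as well, so an auditor who holds an independently captured copy of the latest entry_hash (or verifies the chain on a read-only export) detects the rewrite regardless of how many records were touched.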
What Signal Provenance does not do
The platform is the technical evidence layer. The items below require organizational or physical implementation by the client. Listing them explicitly is how we keep the claim honest.
- A.5.2-A.5.6 Roles, responsibilities, management direction, contact with authorities (organizational).
- A.6.x People controls (screening, terms of employment, awareness and training).
- A.7.x Physical controls (physical perimeters, entry, securing offices).
- SOC 2 Availability SLA enforcement and automated failover. Signal Provenance provides health checks, backup scripts, and RUNBOOK recovery; the client defines the SLA.
What you get
Each deployment ships these artifacts. All are generated from the live ledger and current deployment state.
- ISO 27001 / SOC 2 audit export (PDF + JSON): `ops compliance audit <deployment-id> --framework iso27001_soc2`
- Access control report: `ops rbac user-list`
- Cryptography inventory (algorithms, key locations, rotation policy): `ops compliance crypto-inventory`
- Chain integrity proof: `ops ledger verify <deployment-id>`
- Configuration change history: `ops metadata history --deployment-id <deployment-id>`

Prove it for your next audit.
Signal Provenance is deployed white-glove. We configure it on your hardware, point it at your folders, and generate your first ISO 27001 / SOC 2 coverage export together. Your auditor verifies the hash chain independently.
Schedule your deployment
Canonical URL: /provenance/frameworks/iso-27001-soc-2/ · Cited in every compliance export for ISO 27001 / SOC 2.