SOC 2 and ISO 27001: Moving to Real-Time

Every organization that has been through a SOC 2 or ISO 27001 audit knows the pattern. Months of preparation. Weeks of evidence gathering. Days of auditor interactions. A final report or certificate issued after all the evidence has been reviewed. And then the organization goes back to operating normally until the next audit cycle begins, knowing that the certification they just earned reflects their security posture at the time of the audit, not necessarily at this moment, next month, or six months from now.

This pattern has persisted because auditing frameworks were designed for a world where evidence collection was inherently periodic. Controls were reviewed on a schedule. Evidence was gathered manually. Assessments were labor-intensive and therefore infrequent. Annual or semi-annual audit cycles represented the practical upper limit of what organizations and auditors could sustain.

That constraint no longer applies. Cryptographic attestation technology makes it possible to generate verifiable evidence of control effectiveness continuously, automatically, and with zero manual effort. Every control check can produce a 74-byte cryptographic proof. Every proof is signed, timestamped, and chained to the previous proof. The result is a continuous, tamper-evident audit trail that any auditor can verify at any time.

SOC 2 and ISO 27001 are not just ready for real-time verification. They are overdue for it. And the organizations that move first will spend less time on compliance, produce more reliable evidence, and maintain stronger security postures between audits.

The Lagging Indicator Problem

Annual audits are lagging indicators of security posture. By the time a SOC 2 report is issued or an ISO 27001 certificate is granted, the information in that report or certificate is already historical. The audit assessed the organization's controls during a specific period. That period ended before the report was finalized. The report describes what was true during that period, not what is true today.

This temporal lag creates a fundamental disconnect between what compliance certifications represent and what stakeholders believe they represent. When a customer reviews a vendor's SOC 2 report, they typically interpret it as evidence that the vendor's controls are effective right now. But the report does not make that claim. It makes a historical claim about a specific period that may have ended months ago. The vendor's security posture may have changed significantly since the end of the audit period.

The lag is not a minor technicality. Security postures change rapidly. Employees with privileged access leave and their access is not immediately revoked. Critical patches are deferred due to competing priorities. New systems are deployed without adequate security controls. Configuration changes introduce vulnerabilities. Monitoring tools are reconfigured and coverage gaps emerge. Any of these changes can occur in the weeks or months between the end of an audit period and the moment a stakeholder reviews the resulting report.

For organizations that rely on compliance certifications as a signal of vendor security, this lag represents hidden risk. They are making decisions based on historical information about a dynamic situation. It is analogous to investing based on a company's annual report without any access to current financial data. The annual report provides useful historical context, but it is not a reliable indicator of the company's current financial position.

Why SOC 2 Type II Is Not Enough

SOC 2 Type II audits are often positioned as the solution to the timeliness problem because they assess controls over a period of time rather than at a point in time, as Type I audits do. A SOC 2 Type II report provides an opinion on whether controls were operating effectively throughout a specified period, typically six to twelve months.

However, Type II audits still suffer from the same fundamental limitations. The evidence used to assess control effectiveness during the period is gathered and reviewed after the period ends or during periodic testing windows within the period. The auditor does not observe every control at every moment. They sample. They review documentation. They examine evidence that was collected, often manually, at specific points during the period.

This sampling approach means that the auditor's opinion covers the period but is based on evidence from specific points within that period. Controls that were effective at the sampling points but ineffective between them may not be detected. Controls that functioned correctly most of the time but had brief lapses may be reported as operating effectively because the lapses were not captured in the sample.

The sampling frequency is constrained by the cost and effort of evidence collection. More frequent sampling is more expensive and more burdensome for the organization being audited. There is a practical limit to how much sampling the organization and the auditor can sustain, and this limit is well short of continuous coverage.

Type II audits are better than Type I audits, but they are still periodic assessments of a continuous reality. They provide reasonable assurance for the assessed period, but they cannot provide the continuous assurance that stakeholders increasingly need and expect.

How H33-74 Attestation Creates Continuous Audit Trails

H33-74 attestation solves the timeliness problem by generating cryptographic evidence continuously rather than periodically. Every control that is in scope for a SOC 2 or ISO 27001 audit produces attestations as it operates. These attestations are not screenshots, log entries, or documents. They are cryptographic proofs that are signed with post-quantum signatures, timestamped, and chained into a tamper-evident sequence.

Each attestation is exactly 74 bytes. This compact format makes continuous attestation practical at scale. An organization generating attestations for hundreds of controls at frequent intervals does not accumulate massive storage requirements. The attestation chain is lean, efficient, and designed for high-volume continuous operation.

The attestation chain provides several properties that are essential for real-time audit trails. Tamper evidence means that any modification to the chain, whether insertion, deletion, or alteration of an attestation, breaks the cryptographic linkage and is immediately detectable. Independent verifiability means that any party with access to the public verification key can confirm the authenticity and integrity of the chain without relying on the attesting organization. Temporal ordering means that the chain provides an authoritative sequence of events that cannot be rearranged. And post-quantum security means that the cryptographic signatures will remain valid even as quantum computing advances, using three independent hardness assumptions to ensure long-term resilience.

For auditors, the attestation chain replaces the traditional evidence binder. Instead of reviewing folders of screenshots, policy documents, and sample outputs, the auditor can verify the attestation chain programmatically. They can confirm that attestations were generated continuously throughout the audit period. They can identify any gaps in the chain that indicate periods when controls may not have been functioning. They can verify the cryptographic integrity of every attestation in the chain.
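The programmatic verification described above, as an added illustration that is not part of the original page and not the H33-74 format: a per-control chain in which every record is timestamped and bound to the previous record's tag, plus the auditor-side checks for broken linkage (alteration, deletion, insertion) and for gaps longer than the control's required attestation interval. HMAC-SHA256 with an assumed demo key stands in for the page's post-quantum public-key signature so the block runs with the standard library alone; the control name, timestamps and interval are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed demo, not the H33-74 wire format. HMAC-SHA256 is a stand-in for the
# post-quantum signature; a real verifier would check with the attester's public key.
DEMO_KEY = b"demo-attester-key"   # assumed attester key, illustration only
GENESIS = b"\x00" * 32            # link value carried by the first record of a chain

def _payload(control, ts, passed, prev):
    # Bind control id, UNIX timestamp, pass/fail flag and the previous tag together
    return control.encode() + struct.pack(">QB", ts, passed) + prev

def attest(chain, control, ts, passed, key=DEMO_KEY):
    """Append one attestation to chain (a list of dicts) and return the chain."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = hmac.new(key, _payload(control, ts, passed, prev), hashlib.sha256).digest()
    chain.append({"control": control, "ts": ts, "passed": passed, "prev": prev, "tag": tag})
    return chain

def verify_chain(chain, max_interval, key=DEMO_KEY):
    """Auditor-side check. Returns (linkage_ok, gaps).

    linkage_ok becomes False at the first record whose tag does not verify or
    whose prev field does not match its predecessor's tag, which catches any
    alteration, deletion or insertion. gaps lists (ts_before, ts_after) pairs
    spaced further apart than max_interval: windows with no attestation.
    """
    prev, gaps = GENESIS, []
    for i, rec in enumerate(chain):
        expected = hmac.new(key, _payload(rec["control"], rec["ts"], rec["passed"],
                                          rec["prev"]), hashlib.sha256).digest()
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["tag"]):
            return False, gaps
        if i and rec["ts"] - chain[i - 1]["ts"] > max_interval:
            gaps.append((chain[i - 1]["ts"], rec["ts"]))
        prev = rec["tag"]
    return True, gaps

def build_demo_chain():
    """Constructed sample: hourly access-review checks with one missed window."""
    chain = []
    for ts in (0, 3600, 7200, 14400, 18000):   # 7200 -> 14400 skips one check
        attest(chain, "access-review", ts, 1)
    return chain

if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, max_interval=3600))        # chain intact, one gap reported
    tampered = list(chain)
    del tampered[2]                                      # deleting a record breaks linkage
    print(verify_chain(tampered, max_interval=3600)[0])
```

The gap report is what turns sampling into population coverage: the auditor sees every interval in which the control was not attested rather than inferring coverage from a handful of sampled dates.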

SOC 2 Trust Service Criteria in Real-Time

SOC 2 audits assess controls across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Each criterion includes multiple control objectives, and each objective requires evidence that the associated controls are designed and operating effectively.

With H33-74 attestation, each control objective can be mapped to one or more attestation types. Security controls related to access management generate attestations when access provisioning and deprovisioning events occur, when access reviews are completed, and when access policy changes are made. Controls related to vulnerability management generate attestations when vulnerability scans are completed, when patches are deployed, and when exceptions are documented and approved. Controls related to incident response generate attestations when incidents are detected, triaged, escalated, and resolved.

The mapping between SOC 2 control objectives and attestation types is defined by the HATS (H33 AI Trust Standard). HATS is a publicly available technical conformance standard for continuous AI trustworthiness; certification under HATS provides independently verifiable evidence that a system satisfies the standard's defined controls. The HATS framework provides a standardized mapping between compliance requirements and attestation-generating events, ensuring that attestation coverage aligns with audit requirements.

This mapping enables auditors to assess control effectiveness continuously rather than through periodic sampling. Instead of selecting a sample of access provisioning events and reviewing the associated evidence, the auditor can verify that every access provisioning event generated an appropriate attestation. Instead of testing a sample of patch deployments, the auditor can verify that every patch deployment was attested within the required timeframe. The sample becomes the population, and the coverage becomes complete.

ISO 27001 Controls Under Continuous Attestation

ISO 27001 Annex A specifies controls across fourteen domains, ranging from information security policies to compliance. Each control requires evidence that it is implemented and effective. The traditional approach to demonstrating this evidence involves documentation, process artifacts, and periodic assessments.

Continuous attestation transforms how ISO 27001 evidence is generated and maintained. Controls in the access control domain generate attestations when user access rights are reviewed, when privileged access is granted or revoked, and when authentication mechanisms are verified. Controls in the operations security domain generate attestations when change management procedures are followed, when capacity is monitored, and when logging and monitoring are verified. Controls in the cryptography domain generate attestations when encryption is applied, when keys are managed according to policy, and when cryptographic controls are verified.

The attestation chain for each control creates a continuous record of the control's operation. During a surveillance audit or recertification audit, the certification body can review the attestation chain for any control and verify that it was operating effectively throughout the period since the last assessment. Gaps in the attestation chain are immediately visible and can be investigated.

This continuous evidence model also makes the annual surveillance audit more efficient. Instead of conducting extensive testing during the surveillance visit, the certification body can review the attestation data in advance and focus its on-site time on areas where the attestation data raises questions or where controls cannot be fully attested. The audit becomes a verification of the attestation chain rather than an independent assessment of control effectiveness.

What Changes for the Auditor

The shift to real-time verification changes the auditor's role but does not eliminate it. Professional judgment remains essential in assessing whether controls are appropriately designed, whether the attestation coverage is complete, and whether the attestation data supports the conclusions being drawn. The auditor's value shifts from manual evidence examination to analytical assessment and professional interpretation.

Auditors gain several capabilities with attestation-based evidence. They can assess control effectiveness over the entire audit period rather than for sampled points within it. They can identify patterns in control operation, such as controls that function correctly during business hours but not during off-hours, or controls that degrade during specific periods such as quarter-end. They can compare attestation data across organizations to develop benchmarks and identify outliers. And they can complete evidence review more quickly because the verification of cryptographic proofs is automated.

The efficiency gains are significant. Evidence review is one of the most time-consuming aspects of an audit engagement. When evidence consists of screenshots and documents that must be manually examined, the review process is slow and error-prone. When evidence consists of cryptographic attestations that can be verified programmatically, the review process is fast and reliable. Auditors can spend less time on mechanical evidence review and more time on substantive analysis and professional judgment.

This efficiency benefit flows through to the organization being audited as well. Less time spent on evidence gathering and auditor interactions means less disruption to operations. The compliance burden decreases even as the compliance assurance increases. Organizations get more reliable certifications with less effort.

What Changes for the Organization

For organizations undergoing SOC 2 or ISO 27001 audits, the shift to real-time verification eliminates the audit preparation scramble that characterizes the current model. Instead of spending weeks before each audit gathering evidence, coordinating with control owners, and organizing documentation, the organization's evidence is generated automatically and continuously.

When the audit period arrives, the evidence already exists. There is nothing to gather, compile, or organize. The attestation chain is the evidence, and it has been building automatically since the last audit. The organization's compliance team can focus on reviewing the attestation data to identify and address any gaps before the auditor reviews it, rather than spending their time on evidence collection logistics.

This also changes how organizations think about compliance between audits. In the current model, compliance attention peaks around audit time and declines between audits. Controls that need maintenance may be deferred because there is no immediate visibility consequence. With continuous attestation, the organization has real-time visibility into its own compliance posture. Gaps are visible immediately, not just at audit time. This creates a natural incentive to maintain controls consistently rather than scrambling to restore them before the next assessment.

The result is a genuine improvement in security posture, not just a more efficient audit process. When controls are continuously attested, the organization is continuously compliant, not just periodically assessed. The distinction matters because security incidents do not wait for convenient audit schedules. They happen when they happen, and the organization's controls need to be effective at that moment, not just at the moments captured in the last audit sample.

The Path from Periodic to Continuous

The transition from periodic audits to continuous verification will happen incrementally. Organizations do not need to implement continuous attestation for every control simultaneously. They can begin with their highest-risk controls and expand coverage over time. They can run attestation-based evidence in parallel with traditional evidence during the transition period. They can work with their auditors to establish acceptance criteria for attestation evidence alongside traditional evidence.

The HATS standard provides the framework for this incremental adoption. HATS defines attestation types for common control categories, provides guidance on attestation frequency and coverage requirements, and specifies verification procedures that auditors can follow. Organizations can adopt HATS progressively, starting with the control categories that are most important or most burdensome under the current evidence model.

Early adopters will benefit from reduced compliance burden, more reliable certifications, and stronger security postures. As adoption increases, auditing standards and frameworks will evolve to incorporate attestation-based evidence as a first-class evidence type. Eventually, attestation-based evidence will become the expected standard rather than an innovative option.

The movement toward real-time verification in SOC 2 and ISO 27001 is not speculative. It is the natural evolution of compliance frameworks that were designed for periodic assessment but are now operating in a world that demands continuous assurance. The technology to enable this evolution exists today. The standard to guide it exists today. The only variable is how quickly organizations and auditors will complete the transition.

The organizations that start now will have the strongest compliance posture, the most efficient audit process, and the most reliable certifications. They will also have something that no screenshot can provide: proof.

Move Your Compliance to Real-Time

Schedule a demo to see how H33-74 attestation creates continuous, verifiable audit trails for SOC 2 and ISO 27001 with 74-byte cryptographic proofs.
