ISO 27001 certifies the existence of an Information Security Management System. The evidence supporting that certification traditionally arrives as documents, screenshots, and self-attestation. H33 replaces that pile with a continuous stream of cryptographic receipts — every control firing, every policy change, every privileged action — independently verifiable by your assessor without trusting H33.
An ISO 27001 certification audit looks at the ISMS at moments in time: the initial Stage 1 and Stage 2 audits, the annual surveillance audits, and the recertification at year three. Between those moments, the organization is trusted to operate the controls it claims. The evidence the auditor reviews — policies, procedures, control records — is almost always self-generated and self-attested.
This is the gap. Self-attestation does not survive contact with adversarial scrutiny in 2026. Insurance carriers, enterprise customers, financial regulators, and increasingly the certification bodies themselves want evidence that the controls actually fired, in the order claimed, against the policy in force at the time — without trusting the organization to be honest about it.
H33 fills that gap. The ISMS that runs on H33 produces, at runtime, a continuous stream of independently verifiable receipts. The Statement of Applicability stops being a document the auditor reads. It becomes a verifier the auditor runs.
ISO 27001:2022 organizes Annex A into four themes — Organizational (37), People (8), Physical (14), and Technological (34). H33 does not replace any of these. It makes the technological and organizational controls generate evidence in a form your assessor can independently verify.
Organizational (37 controls): policies, roles, classification, supplier relationships, threat intelligence. H33 binds each policy version to a signed identifier, and every control decision references the policy version in force at the time it was made. A future assessor therefore verifies the decision against the policy that existed then, not the current one.
People (8 controls): screening, terms of employment, awareness, disciplinary actions. Authorization events tied to a person (and the role they held at the time) emit receipts via Agent-008. Role changes, suspensions, and revocations are themselves recorded as policy events.
Physical (14 controls): for environments under H33 governance, physical access events from badge systems are receipt-bound; each cryptographic receipt attests the time, location, and authorization state of the access.
Technological (34 controls): identity and access enforcement, secrets, logging, monitoring, cryptography, network security, and software development (including outsourced development). It is the second-largest theme after Organizational, but it is where H33 carries most of the load: all 34 technological controls have H33 evidence patterns. The table below lists representative controls from the Organizational (5.x) and Technological (8.x) themes with the evidence each produces.
| Control | H33 evidence |
|---|---|
| 5.7 Threat intelligence | Threat-feed ingestion events emit receipts: source, payload hash, processing rule, action taken |
| 5.15 Access control | Every access decision (allow / deny / step-up) carries a receipt with policy version, identity, resource, decision rationale |
| 5.16 Identity management | Identity lifecycle events (create, modify, suspend, delete) emit receipts; complete chain replayable |
| 5.17 Authentication information | H33-Key receipts attest every credential use without disclosing the credential itself |
| 5.23 Information security for cloud services | Configuration drift, control changes, and security posture changes against cloud services receipt-bound and replayable |
| 8.2 Privileged access rights | Privileged-action receipts include the elevation justification, expiry, and the policy version that authorized it |
| 8.5 Secure authentication | Authentication events receipt-bound; post-quantum signatures for long-retention authentication records |
| 8.15 Logging | Logs become receipts. The integrity of a log entry is verifiable independently — not "we trust the logger" |
| 8.16 Monitoring activities | Detection events and the rules that produced them are receipt-bound and replayable against the same inputs |
| 8.24 Use of cryptography | Cryptographic key use, rotation, and revocation events emit receipts; cryptographic agility supported via Q-Sign three-family signatures |
| 8.32 Change management | Code changes, configuration changes, policy changes — each a receipt with author, approver, justification, policy version |
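What a receipt of this kind looks like, and what the assessor's verifier actually checks, is easier to see in code than in a table. The following is an added example written for this page; it is not H33's code and not its 74-byte receipt format. It assumes an illustrative JSON receipt with the fields the A.5.15 row names (identity, resource, decision, policy version), chains receipts by hash as the A.5.16 and A.8.15 rows describe, and signs each with Ed25519 from Go's standard library. The policy texts, identities, timestamps, and the key seed are all constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is an illustrative receipt for one access-control decision (A.5.15).
// The field set is an assumption for this example, not H33's own receipt format.
type Receipt struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"`      // RFC 3339 time observed by the control point
	Control  string `json:"control"`   // Annex A control the decision evidences
	Identity string `json:"identity"`
	Resource string `json:"resource"`
	Decision string `json:"decision"`  // allow | deny | step-up
	PolicyID string `json:"policy_id"` // sha256 of the policy text in force at decision time
	Prev     string `json:"prev"`      // sha256 of the previous receipt ("" for the first one)
	Sig      []byte `json:"sig,omitempty"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// policyID binds a decision to the exact policy text, so a later policy edit cannot
// retroactively change what the decision was checked against.
func policyID(policyText string) string { return sha256Hex([]byte(policyText)) }

// signingBytes is the canonical encoding the signature covers: every field except Sig.
func signingBytes(r Receipt) []byte {
	r.Sig = nil
	b, _ := json.Marshal(r) // marshalling a plain struct cannot fail
	return b
}

// receiptHash links receipts: the next receipt's Prev is this value, signature included.
func receiptHash(r Receipt) string {
	b, _ := json.Marshal(r)
	return sha256Hex(b)
}

// Emitter is the control point. Only it holds the private key and the chain head.
type Emitter struct {
	priv ed25519.PrivateKey
	seq  uint64
	prev string
}

func (e *Emitter) Emit(t, control, identity, resource, decision, policyText string) Receipt {
	r := Receipt{Seq: e.seq, Time: t, Control: control, Identity: identity, Resource: resource,
		Decision: decision, PolicyID: policyID(policyText), Prev: e.prev}
	r.Sig = ed25519.Sign(e.priv, signingBytes(r))
	e.seq++
	e.prev = receiptHash(r)
	return r
}

// Verify is what the assessor runs. It needs only the emitter's public key and the
// policy texts the organization claims were in force; it never trusts the emitter.
func Verify(pub ed25519.PublicKey, chain []Receipt, policies map[string]string) error {
	known := map[string]bool{}
	for _, text := range policies {
		known[policyID(text)] = true
	}
	prev := ""
	for i, r := range chain {
		if r.Seq != uint64(i) {
			return fmt.Errorf("receipt %d: expected seq %d, got %d (reordered or missing)", i, i, r.Seq)
		}
		if r.Prev != prev {
			return fmt.Errorf("receipt %d: prev hash does not match receipt %d", i, i-1)
		}
		if !ed25519.Verify(pub, signingBytes(r), r.Sig) {
			return fmt.Errorf("receipt %d: signature invalid (contents altered?)", i)
		}
		if !known[r.PolicyID] {
			return fmt.Errorf("receipt %d: references a policy version the assessor was not given", i)
		}
		prev = receiptHash(r)
	}
	return nil
}

// BuildSampleChain constructs three decisions from made-up data. A policy change between
// the second and third shows why each receipt must name the policy version in force.
func BuildSampleChain() (ed25519.PublicKey, []Receipt, map[string]string) {
	seed := sha256.Sum256([]byte("constructed example seed, never do this in production"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	policies := map[string]string{
		"AC-POLICY-v3": "finance-db: allow role=finance-analyst from the corporate network",
		"AC-POLICY-v4": "finance-db: allow role=finance-analyst only after step-up MFA",
	}
	e := &Emitter{priv: priv}
	chain := []Receipt{
		e.Emit("2026-03-01T09:00:00Z", "A.5.15", "alice", "finance-db", "allow", policies["AC-POLICY-v3"]),
		e.Emit("2026-03-01T09:05:00Z", "A.5.15", "mallory", "finance-db", "deny", policies["AC-POLICY-v3"]),
		e.Emit("2026-03-02T08:30:00Z", "A.5.15", "alice", "finance-db", "step-up", policies["AC-POLICY-v4"]),
	}
	return priv.Public().(ed25519.PublicKey), chain, policies
}

func main() {
	pub, chain, policies := BuildSampleChain()
	fmt.Println("original chain:", Verify(pub, chain, policies))
	tampered := append([]Receipt(nil), chain...)
	tampered[1].Decision = "allow" // the organization "corrects" a deny after the fact
	fmt.Println("tampered chain:", Verify(pub, tampered, policies))
}
```

Two caveats a practitioner would raise against even this toy. First, a hash chain detects alteration, reordering, and deletion in the middle, but not truncation of the tail; catching that needs the chain head to be signed and anchored somewhere the emitter cannot rewrite (a witness, a transparency log, or the assessor's own periodic checkpoint). Second, the receipt's time field is only as good as the control point's clock, which is exactly why A.8.17 (clock synchronization) sits next to A.8.15 and A.8.16 in Annex A.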
The continuous-evidence layer. Replaces sampling with a stream the auditor verifies independently.
For automated systems making access, authorization, or policy decisions. Every decision carries a receipt.
Authentication information (A.5.17, A.8.5) governed without disclosure. Every secret use receipt-bound.
The 74-byte receipt format. Long-retention records that survive cryptographic transitions.
Three-family signatures supporting A.8.24 cryptographic agility. Ready when NIST transitions.
Demonstrate cryptographic compliance to assessors and customers without requiring them to trust your word.
An ISMS that uses H33 for its evidence layer gives the assessor a fundamentally different surface to review. The Statement of Applicability points at controls that produce a continuous stream of receipts. The assessor's role shifts from asking the organization for evidence to verifying the evidence themselves.
H33 is currently in audit under Drata. Talk to us about how the substrate maps to your Statement of Applicability.