Security Certifications and Attestations

Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to scope, issuer requirements, or customer assurance obligations

---

Purpose

This document governs how Cloudnaut records, maintains, and discloses information security and cybersecurity certifications and attestations.

Scope

This document applies to all certifications, attestations, audit reports, and similar assurance artifacts held or referenced on behalf of the organization.

Policy

Cloudnaut maintains only claims that are current, accurate, and supported by controlled evidence. Certificates, attestation letters, audit reports, and related materials are stored in a central register with issuer, scope, validity period, and document reference.

Disclosure to customers, partners, or auditors follows confidentiality agreements and the principle of least disclosure consistent with the assurance request.

Register and evidence

The organization maintains a register of active and historical certifications and attestations. Each entry includes at minimum: name of certification or attestation, issuing body, scope, validity dates, and location of the controlled evidence copy.

Supporting evidence is released under appropriate confidentiality terms and only to authorized recipients.

Accuracy and claims

Personnel must not represent certification or attestation status beyond what the register supports. Where no formal certification applies, security posture is described through this policy library and operational controls, not through unqualified certification claims.