Security Certifications and Attestations¶
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Review cycle: Annual; interim revision upon material change to scope, issuer requirements, or customer assurance obligations
Document control¶
| Role | Name |
|---|---|
| Prepared by | Management / Security Owner (Cloudnaut) |
| Reviewed by | Nidhi Jain (third-party reviewer) |
| Approved by | Sandeep AC |
Revision history¶
| Version | Date | Summary | Reviewed by | Approved by |
|---|---|---|---|---|
| 0.9 | 2021-03-14 | Draft for third-party review prior to first effective release. | Nidhi Jain (third party) | — |
| 1.0 | 2021-06-18 | Initial effective release. | Nidhi Jain (third party) | Sandeep AC |
| 1.0 | 2024-03-11 | Scheduled annual review; clarifications and cross-references (retained at version 1.0). | Nidhi Jain (third party) | Sandeep AC |
Purpose¶
This document governs how Cloudnaut records, maintains, and discloses information security and cybersecurity certifications and attestations.
Scope¶
This document applies to all certifications, attestations, audit reports, and similar assurance artifacts held or referenced on behalf of the organization.
Policy¶
Cloudnaut maintains only claims that are current, accurate, and supported by controlled evidence. Certificates, attestation letters, audit reports, and related materials are stored in a central register with issuer, scope, validity period, and document reference.
Disclosure to customers, partners, or auditors follows confidentiality agreements and the principle of least disclosure consistent with the assurance request.
Register and evidence¶
The organization maintains a register of active and historical certifications and attestations. Each entry includes at minimum: name of certification or attestation, issuing body, scope, validity dates, and location of the controlled evidence copy.
Supporting evidence is released under appropriate confidentiality terms and only to authorized recipients.
For security reviews and questionnaires, authorized recipients may receive controlled copies of evidence sufficient to validate claims—for example the first page (cover) of each active certificate or attestation letter showing issuer, scope, and validity dates, together with any confidentiality markings required by the issuer. The public policy site describes governance and controls; it does not replace those controlled evidence copies.
Accuracy and claims¶
Personnel must not represent certification or attestation status beyond what the register supports. Where no formal certification applies, security posture is described through this policy library and operational controls, not through unqualified certification claims.