GRC · Compliance · Policy Pack v1.2.2

Compliance mapping pack

Map BeProof Policy Pack rules and signed export artifacts to SOC 2 and ISO 27001:2022 control themes. BeProof is an evidence input layer — not a replacement for your control framework or BeProof SOC 2 / ISO certification (not available at pilot stage).

Evidence strength

Direct

Policy rule evaluates the control objective on endpoint

Supporting

Relevant metadata; customer operates surrounding process

Indirect

Documents posture; control owned by MDM/IdP/SIEM

Gap

BeProof does not evaluate — use other evidence

Themes → Policy Pack

POL-* codes are Policy Pack rule IDs. Open a rule to see its policy text, layer, severity, signals, and evidence notes.

ThemeRulesPrimary evidence
Asset & config inventoryAgentSurface, InstallRecord, CloudAgentSurface
Access & grantsCredentialRef, GrantEdge, review queue
MCP / tool riskFinding categories, MCP baseline records
Audit qualityCoverageGap, AuditRunRecord, signed export
Privacy & consentConsentRecord ledger
Integrity & trustExportManifest, verify-journal, verify-install

SOC 2 TSC (selected)

Indicative mapping to Common Criteria plus Confidentiality and Processing Integrity. Align to your auditor's control matrix.

TSCThemeBeProof contributionStrength
CC6.1Logical accessCredential inventory (metadata-only), grant visibility, consent for keychainSupporting
CC6.6EncryptionJournal payloads are encrypted at rest (AES-256-GCM, Keychain-bound key); inventory tables are metadata-only but not encrypted in the current release. Ed25519 export signing.Direct
CC7.2MonitoringStale audit detection, fleet heartbeat (managed fleet)Supporting
CC7.3Deficiency evaluationCoverageGap-first — missing evidence is explicitDirect
C1.1ConfidentialityNo raw secrets in reports; fingerprint-only credentialsDirect
PI1.1Processing completenessPer-audit coverage matrix with partial-audit reasonsDirect

ISO 27001:2022 Annex A (selected)

Selected organizational and technological controls relevant to AI-agent endpoint governance. Full Annex A operation remains organizational.

ControlTitleBeProof contributionStrength
A.5.9Asset inventoryAI-agent surface and install inventoryDirect
A.5.28Collection of evidenceSigned exports and hash-chain journalDirect
A.5.33Protection of recordsSigned exports, hash-chain journal. Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.Direct
A.5.34Privacy / PIIConsent ledger, metadata-only designSupporting
A.8.15LoggingAppend-only evidence journalDirect
A.8.24CryptographyExport signing and encrypted journal payloads. Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.Direct

Auditor workflow

  1. Obtain signed export from sample endpoints (JSON + manifest sidecar)
  2. Run beproof verify-export-manifest on the artifact
  3. Review policyEvaluation — violations, exceptions, N/A, CoverageGaps
  4. Cross-check gaps against org-policy overlay requirements
  5. For fleet: correlate admin console metrics with fleet summaries
  6. Record BeProof as automated test support — not sole proof of control operation

Explicit gaps

  • Entity-level SOC 2 CC1 / full ISMS governance — customer-owned
  • Physical access, HR lifecycle, network perimeter — MDM/IdP/customer controls
  • BeProof vendor SOC 2 Type II or ISO 27001 certificate — not available at pilot stage
  • SIEM streaming as compliance evidence — integrations roadmap (planned)

Related documentation