Compliance mapping pack
Map BeProof Policy Pack rules and signed export artifacts to SOC 2 and ISO 27001:2022 control themes. BeProof is an evidence input layer — not a replacement for your control framework or BeProof SOC 2 / ISO certification (not available at pilot stage).
Evidence strength
Direct
Policy rule evaluates the control objective on endpoint
Supporting
Relevant metadata; customer operates surrounding process
Indirect
Documents posture; control owned by MDM/IdP/SIEM
Gap
BeProof does not evaluate — use other evidence
Themes → Policy Pack
POL-* codes are Policy Pack rule IDs. Open a rule to see its policy text, layer, severity, signals, and evidence notes.
| Theme | Rules | Primary evidence |
|---|---|---|
| Asset & config inventory | AgentSurface, InstallRecord, CloudAgentSurface | |
| Access & grants | CredentialRef, GrantEdge, review queue | |
| MCP / tool risk | Finding categories, MCP baseline records | |
| Audit quality | CoverageGap, AuditRunRecord, signed export | |
| Privacy & consent | ConsentRecord ledger | |
| Integrity & trust | ExportManifest, verify-journal, verify-install |
SOC 2 TSC (selected)
Indicative mapping to Common Criteria plus Confidentiality and Processing Integrity. Align to your auditor's control matrix.
| TSC | Theme | BeProof contribution | Strength |
|---|---|---|---|
| CC6.1 | Logical access | Credential inventory (metadata-only), grant visibility, consent for keychain | Supporting |
| CC6.6 | Encryption | Journal payloads are encrypted at rest (AES-256-GCM, Keychain-bound key); inventory tables are metadata-only but not encrypted in the current release. Ed25519 export signing. | Direct |
| CC7.2 | Monitoring | Stale audit detection, fleet heartbeat (managed fleet) | Supporting |
| CC7.3 | Deficiency evaluation | CoverageGap-first — missing evidence is explicit | Direct |
| C1.1 | Confidentiality | No raw secrets in reports; fingerprint-only credentials | Direct |
| PI1.1 | Processing completeness | Per-audit coverage matrix with partial-audit reasons | Direct |
ISO 27001:2022 Annex A (selected)
Selected organizational and technological controls relevant to AI-agent endpoint governance. Full Annex A operation remains organizational.
| Control | Title | BeProof contribution | Strength |
|---|---|---|---|
| A.5.9 | Asset inventory | AI-agent surface and install inventory | Direct |
| A.5.28 | Collection of evidence | Signed exports and hash-chain journal | Direct |
| A.5.33 | Protection of records | Signed exports, hash-chain journal. Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release. | Direct |
| A.5.34 | Privacy / PII | Consent ledger, metadata-only design | Supporting |
| A.8.15 | Logging | Append-only evidence journal | Direct |
| A.8.24 | Cryptography | Export signing and encrypted journal payloads. Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release. | Direct |
Auditor workflow
- Obtain signed export from sample endpoints (JSON + manifest sidecar)
- Run beproof verify-export-manifest on the artifact
- Review policyEvaluation — violations, exceptions, N/A, CoverageGaps
- Cross-check gaps against org-policy overlay requirements
- For fleet: correlate admin console metrics with fleet summaries
- Record BeProof as automated test support — not sole proof of control operation
Explicit gaps
- Entity-level SOC 2 CC1 / full ISMS governance — customer-owned
- Physical access, HR lifecycle, network perimeter — MDM/IdP/customer controls
- BeProof vendor SOC 2 Type II or ISO 27001 certificate — not available at pilot stage
- SIEM streaming as compliance evidence — integrations roadmap (planned)