Certifications Roadmap

We publish honest self-assessments today (cryptography, OWASP, CSA STAR Level 1, secure development, NIST CSF) and pursue independent, audited certifications over time. This page tracks where we're headed.

Part of NDEVR's compliance & conformity program · Enterprise security reviews & questionnaires: security@ndevr.org.

NDEVR does not currently hold the certifications below. This page records intent and direction, not achievement. We will only state that we hold a certification once it has been independently awarded — and this page is updated as we progress.

1. What we're working toward

TargetWhat it isStatus
SOC 2 Type II (AICPA)An independent auditor's report on the design and operating effectiveness of our security, availability, and confidentiality controls over a periodPlanned
ISO/IEC 27001 (+ 27017, 27018, 27701)Certification of an Information Security Management System, with the cloud-security (27017), cloud-PII (27018), and privacy (27701) extensionsUnder evaluation
Cyber Essentials / Plus (UK NCSC)A UK baseline cyber-security certification (Plus adds hands-on verification)Under evaluation
CSA STAR Level 2A third-party attestation that builds on our STAR Level 1 self-assessment, typically backed by SOC 2 or ISO 27001After SOC 2 / ISO 27001

We are not committing to fixed dates here; certification timelines depend on an audit period and a third party. We would rather under-promise than publish a date we might miss.

2. What we publish in the meantime

While those audits are pursued, our posture is documented and verifiable today:

These are self-assessments and alignments, not certifications — but together they are substantive evidence for a security review.

3. Enterprise reviews

If you're evaluating OWL and need a security questionnaire completed, our CAIQ workbook, or an update on a specific certification's status, contact security@ndevr.org.