Certifications Roadmap
We publish honest self-assessments today (cryptography, OWASP, CSA STAR Level 1, secure development, NIST CSF) and pursue independent, audited certifications over time. This page tracks where we're headed.
1. What we're working toward
| Target | What it is | Status |
|---|---|---|
| SOC 2 Type II (AICPA) | An independent auditor's report on the design and operating effectiveness of our security, availability, and confidentiality controls over a defined review period (a Type I report covers design only at a point in time) | Planned |
| ISO/IEC 27001 (+ 27017, 27018, 27701) | Certification of an Information Security Management System, with the cloud-security (27017), cloud-PII (27018), and privacy (27701) extensions | Under evaluation |
| Cyber Essentials / Plus (UK NCSC) | A UK baseline cyber-security certification (Plus adds an independent, hands-on technical assessment of the controls) | Under evaluation |
| CSA STAR Level 2 | A third-party attestation that builds on our STAR Level 1 self-assessment, typically backed by SOC 2 or ISO 27001 | After SOC 2 / ISO 27001 |
We are not committing to fixed dates here; certification timelines depend on an audit period and a third party. We would rather under-promise than publish a date we might miss.
2. What we publish in the meantime
While those audits are pursued, our posture is documented and verifiable today:
- Cryptography · Secure development & supply chain · OWASP Top 10 self-assessment
- CSA STAR Level 1 (CAIQ) · NIST Cybersecurity Framework alignment · Build provenance (SLSA)
- Payment card security (SAQ A) · Sub-processors · Privacy policy
- A live coordinated vulnerability disclosure program and published security advisories
These are self-assessments and alignments, not certifications — but together they are substantive evidence for a security review.
3. Enterprise reviews
If you're evaluating OWL and need a security questionnaire completed, our CAIQ workbook, or an update on a specific certification's status, contact security@ndevr.org.