Mapped · 93 of 93 controls

ISO/IEC 27001:2022

Cognitive Server control mapping & evidence matrix

A.5 Organizational · 37 controls
A.6 People · 8 controls
A.7 Physical · 14 controls
A.8 Technological · 34 controls

Perimetral enforcement

Shield · Role-based access matrix

[FIG. 05 · RBAC matrix, enforced perimetrally]

Roles: ecosystem_admin (ECO), app_admin (APP), director_area (DIR), operator (OPE), viewer (VIEW)
Permissions per action: read.dashboard, invoke.skill, approve.artefact, configure.adapter, manage.tenant

Every request carries a signed JWT:

    {
      "sub": "user_8421",
      "tenant": "fundicion_benito",
      "role": "director_area:logistica",
      "scopes": ["read.dashboard", "invoke.skill", "approve.artefact"],
      "iat": 1737504000,
      "exp": 1737507600,
      "iss": "shield.cognitivserver"
    }

FIG. 05 · RBAC MATRIX, ENFORCED PERIMETRALLY
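An added check, not code from this page or from Shield itself, showing how a perimeter enforcing the matrix above would validate one request's JWT before acting on it: signature, issuer, expiry, tenant isolation (A.8.5) and the scope for the requested action. The HS256 demo key, the `mint` helper and the convention that a scope is named after its action are assumptions; the claim set and issuer are the ones shown in FIG. 05.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "shield.cognitivserver"  # issuer claim shown in FIG. 05
# Constructed HS256 demo key; Shield's real signing key and algorithm are not on the page.
DEMO_KEY = b"constructed-demo-key"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT (demo stand-in for the Shield issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(token: str, tenant: str, action: str, now: int, key: bytes = DEMO_KEY):
    """Perimeter decision: signature, issuer, expiry, tenant, scope. Returns (allowed, reason)."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False, "bad_alg"  # refuse 'none' and any unexpected algorithm
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False, "bad_signature"
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed"
    if claims.get("iss") != ISSUER:
        return False, "bad_issuer"
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    if claims.get("tenant") != tenant:  # Tenant-ID isolation (A.8.5)
        return False, "tenant_mismatch"
    if action not in claims.get("scopes", []):  # scopes are named after actions
        return False, "scope_missing"
    return True, "ok"

# Claim set copied from FIG. 05; the token is minted here with the demo key.
SAMPLE_CLAIMS = {"sub": "user_8421", "tenant": "fundicion_benito",
                 "role": "director_area:logistica",
                 "scopes": ["read.dashboard", "invoke.skill", "approve.artefact"],
                 "iat": 1737504000, "exp": 1737507600, "iss": ISSUER}
```

Each denial names the first failing check, which is what the Chain trace (A.8.15) should record per request.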

Control | Description | Owner · Capability | Cover | Cross-mapped to
A.5.15 | Access control | Fabric · SHIELD | SSO + scoped tokens | GDPR Art.32, SOC2 CC6.1
A.5.17 | Authentication information | Fabric · SHIELD | OAuth 2.1 PKCE | NIST 800-63
A.5.23 | Information security for cloud services | App · NEXUS | Sovereign on-prem perimeter | NIS2 Art.21
A.6.3 | Information security awareness | App · NEXUS | Operator playbooks + training records | SOC2 CC1.4
A.7.4 | Physical security monitoring | Fabric · SHIELD | TPM 2.0 attestation (hardware vendor) | NIS2 Art.21
A.8.3 | Information access restriction | App · VAULT | VDS row-level policies | GDPR Art.5
A.8.5 | Secure authentication | Fabric · SHIELD | JWT + Tenant-ID isolation | NIST 800-63, SOC2 CC6.1
A.8.10 | Information deletion | App · VAULT | VDS lifecycle | GDPR Art.17
A.8.12 | Data leakage prevention | App · CORE | Inside-perimeter inference, zero egress | GDPR Art.32
A.8.15 | Logging | Fabric · CHAIN | Trace ID per request | SOC2 CC7.2, NIS2
A.8.16 | Monitoring activities | Fabric · CHAIN | Heartbeat + alert engine | NIS2 Art.21
A.8.28 | Secure coding | Fabric · BRIDGE | Code signing + SBOM | SLSA L3

Showing 12 representative controls of 93. Full matrix available on request under NDA.

Evidence library

Artifacts behind every control

Each mapped control is backed by reproducible artifacts: signed configurations, trace exports, attestation reports and policy bundles. Auditors receive a read-only view of the evidence repository scoped to their engagement.

Configuration: Shield IAM bundle (OAuth 2.1 · OIDC · SCIM)
Trace export: Chain audit log (JSONL · signed · 90d retention)
Attestation: TPM 2.0 attestation quote (EK cert · PCR set)
Policy: Vault VDS row-level rules (GAIA-X compatible)
SBOM: Server image SBOM (CycloneDX 1.5)
Report: Penetration test (Q1 2026 · external)

Audit history

Independent assessments

  1. 2026-04 · Passed

    ISO/IEC 27001:2022 — surveillance audit

    Bureau Veritas. Zero major non-conformities. 2 observations on access-review cadence — closed.

  2. 2025-11 · Passed

    SOC 2 Type II — annual

    Trust Services Criteria across Security, Availability, Confidentiality. Unqualified opinion.

  3. 2025-09 · Passed

    NIS2 readiness review

    Internal mapping against Art.21 controls completed for all four cognitive applications.

  4. 2025-06 · Passed

    ISO/IEC 27001:2022 — initial certification

    Stage 1 + Stage 2 audit completed. Certificate issued for the Cognitive Server platform.

  5. 2025-03 · Passed

    Penetration test (external)

    Black-box and grey-box assessment. 0 critical, 1 high (patched), 4 medium (patched).