Compliance
Audit-ready evidence, honestly scoped
mipo gives GRC teams a defensible, dated record of network exposure and configuration change. It supports evidence collection for SOC 2 and ISO 27001 — your auditors determine whether each control is satisfied.
Evidence workflows
How mipo produces evidence
Continuous port-state evidence
Scheduled scans and historical diffs produce a dated record of exposure changes over time.
Change attribution
The audit log ties scan and config changes to an actor and timestamp.
Access-control evidence
RBAC scopes, OIDC, and session records demonstrate logical access control.
Tamper-evidence
Local audit-chain detection flags in-place tampering of historical rows.
Control mapping
Capabilities mapped to control frameworks
| Control area | mipo features | Frameworks (SOC 2 / ISO 27001) |
|---|---|---|
| Logical access control | RBAC scopes, OIDC/SSO, owner bootstrap, session management | CC6.1, CC6.2 / A.9.2, A.9.4 |
| Audit logging | Append-only audit trail, actor + timestamp, data access views | CC7.2, CC7.3 / A.12.4 |
| Change management | Config version tracking, scan scope history | CC8.1 / A.12.1.2 |
| Availability monitoring | 24 built-in alarm rules, scanner heartbeats, health endpoints | CC7.1 / A.17.1 |
| Asset management | Subnet inventory, port catalog, scanner registry | CC6.6 / A.8.1 |
| Encryption | TLS everywhere, backup encryption, credential encryption at rest | CC6.7 / A.10.1 |
| Incident response | Alarm lifecycle (open→acknowledged→resolved), notification channels | CC7.4 / A.16.1 |
Disclaimer
mipo supports evidence collection. It does not certify compliance — your auditors determine whether controls are satisfied.
See the evidence reference
The compliance-evidence guide details each workflow and its limits.