# Compliance evidence
mipo supports evidence collection for frameworks like SOC 2 and ISO 27001. It does not certify compliance — your auditors determine whether each control is satisfied. This guide describes the evidence mipo produces and the boundaries of those claims.
## Evidence workflows

- **Continuous port-state evidence**: scheduled scans plus historical diffs produce a dated record of exposure changes over time.
- **Change attribution**: the audit log ties scan and config changes to an actor and timestamp.
- **Access-control evidence**: RBAC scopes, OIDC, and session records demonstrate logical access control.
- **Tamper-evidence**: local audit-chain detection flags in-place tampering of historical rows.
## How the evidence is produced
Scheduled scans plus historical diffing produce a dated record of exposure changes over time. The append-only audit log ties every scan and configuration change to an actor and timestamp, and a local audit-chain check flags in-place tampering of historical rows. RBAC scopes, OIDC, and session records demonstrate logical access control. Together these provide a defensible, exportable trail rather than a point-in-time snapshot.
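To make the "audit-chain check" concrete, here is an added illustration of how an append-only log can flag in-place edits to historical rows. It is not mipo's code: the page does not describe mipo's row format, hash function or storage, so the row layout, the SHA-256 chaining, the `GENESIS` sentinel and the sample events below are all assumptions chosen to show the technique.

```python
"""Hash-chained audit log with in-place tamper detection.

Added illustration, not mipo's implementation. Each row's hash covers its own
fields plus the previous row's hash, so editing any historical row (or
replacing, inserting or removing one mid-chain) breaks the chain at that point.
"""
import hashlib
import json
from datetime import datetime, timezone

# Assumed sentinel for the first row's prev_hash.
GENESIS = "0" * 64


def _row_hash(row):
    # Canonical JSON of every field except the hash itself, so key order or
    # whitespace differences cannot yield a different digest for the same data.
    payload = {k: row[k] for k in ("seq", "ts", "actor", "action", "prev_hash")}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_event(log, actor, action, ts=None):
    """Append an event whose hash is bound to the previous row's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    row = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "prev_hash": prev_hash,
    }
    row["hash"] = _row_hash(row)
    log.append(row)
    return row


def verify_chain(log):
    """Return the index of the first inconsistent row, or None if intact.

    A row is inconsistent if its sequence number or prev_hash does not match
    the row before it, or if its stored hash no longer matches its contents.
    """
    expected_prev = GENESIS
    for i, row in enumerate(log):
        if row["seq"] != i or row["prev_hash"] != expected_prev:
            return i
        if _row_hash(row) != row["hash"]:
            return i
        expected_prev = row["hash"]
    return None


def demo():
    """Build a small constructed log, edit a historical row, and re-verify."""
    log = []
    append_event(log, "alice", "scan.scope.add 10.0.4.0/24", "2024-05-01T09:00:00+00:00")
    append_event(log, "bob", "config.schedule.set daily", "2024-05-01T09:05:00+00:00")
    append_event(log, "alice", "scan.run", "2024-05-02T09:00:00+00:00")
    intact = verify_chain(log)      # None: chain is consistent

    # Constructed in-place edit: rewrite who added the subnet.
    log[0]["actor"] = "mallory"
    tampered = verify_chain(log)    # 0: row 0's stored hash no longer matches

    return intact, tampered


if __name__ == "__main__":
    print(demo())
```

If an editor with write access also recomputes the edited row's hash, the break simply moves to the next row, because that row's `prev_hash` still names the old value; the only way to hide the edit is to rewrite every later row as well. A purely local chain therefore cannot detect truncation of the newest rows or a full rewrite by someone who controls the store, which is why the head hash is typically also recorded somewhere the database writer cannot reach (an external log, a signed export, or the auditor's own copy).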
## Control mapping
| Control area | mipo features | Frameworks |
|---|---|---|
| Logical access control | RBAC scopes, OIDC/SSO, owner bootstrap, session management | CC6.1, CC6.2 / A.9.2, A.9.4 |
| Audit logging | Append-only audit trail, actor + timestamp, data access views | CC7.2, CC7.3 / A.12.4 |
| Change management | Config version tracking, scan scope history | CC8.1 / A.12.1.2 |
| Availability monitoring | 24 built-in alarm rules, scanner heartbeats, health endpoints | CC7.1 / A.17.1 |
| Asset management | Subnet inventory, port catalog, scanner registry | CC6.6 / A.8.1 |
| Encryption | TLS everywhere, backup encryption, credential encryption at rest | CC6.7 / A.10.1 |
| Incident response | Alarm lifecycle (open→acknowledged→resolved), notification channels | CC7.4 / A.16.1 |
mipo supports evidence collection. It does not certify compliance — your auditors determine whether controls are satisfied.
## Where auditor judgement remains required
mipo maps capabilities to control areas as a starting point, not a determination. Whether a control is satisfied depends on your scope, your other controls, and your auditor's assessment. mipo's job is to make the underlying evidence complete, dated, and tamper-evident — the judgement stays with the auditor.