ISO management systems

ISO doesn't ask if you have a policy. It asks if you can prove it was in place.

ISO 27001, 9001, 14001 and 45001 all require a demonstrable record that controls were operating on the day in question, not merely declared at the audit. Auditors are now challenging evidence that cannot be dated independently.

[Diagram: risk-assessment.docx → SHA-256 computed on device (file stays on device) → fingerprint 0xa3f9…b2c7 → XRPL public ledger (public)]
The drift problem

An ISO certificate is a photograph. The question is what happened between photographs.

A certificate is issued on 14 March. Seven days later, a new SaaS tool is adopted that wasn't in scope. A logging rule is disabled during an incident and never re-enabled. No-one intended to break compliance. It drifted.

Five months later, an incident occurs. In discovery, the court's question is not “was the certificate validly issued in March?” It is: “was this control operating on the date of the incident, and can you prove it?”

The Meta, Boeing and Advanced Computer Software cases are all, on close reading, drift cases. The regulator found controls that had lapsed since they were last evidenced, not fabrication. Drift cases are already here.

Legal instruments

What each standard actually requires.

ISO 27001:2022 is now the only valid standard. Eight instruments. One common demand: evidence that was created when it claims to have been created.

ISO 27001:2022 · Annex A 8.15
Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. Logs must be protected against unauthorised access, modification and deletion. The 2022 revision explicitly requires WORM (write-once-read-many) or equivalent tamper-evident storage; immutability is now a named audit requirement, not a best practice. The IAF transition window closed 31 October 2025: every current ISO 27001 certificate must now be certified to the 2022 version.

ISO 27001:2022 · Annex A 8.17
Clock synchronisation

System clocks must be synchronised to a reliable time source. Without a trusted, independent clock, the timestamp on every log entry is contested. A log with an unverifiable timestamp cannot satisfy A.8.15. The control and the timestamp are inseparable; both must be independently attestable, not just internally consistent.

ISO 27001:2022 · Annex A 5.28
Collection of evidence

The organisation shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. Evidence must be collectable, preservable, and defensible in a forensic sense. If the medium on which the evidence is stored can be modified, even with a WORM policy in place, preservation cannot be forensically proven. The clause fails.

ISO 9001 · 14001 · 45001 · Clause 7.5
Documented information

Documented information must be controlled so it is suitable for use when needed and adequately protected, specifically against loss of integrity. A document whose creation date cannot be independently verified has suffered a loss of integrity even if no-one has actively tampered with it. The ISO Auditing Practices Group trains auditors to flag documentation that cannot demonstrate contemporaneous creation. That is a non-conformity.

GDPR · Article 5(2)
Accountability

The controller shall be responsible for, and be able to demonstrate compliance with, the principles. Meta was fined 17M euros by the Irish DPC not because its controls were absent but because it could not demonstrate they were operating at the time of 12 data breaches. The DPC found it had 'failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice.' This is almost verbatim the language of an A.8.15 non-conformity.

GDPR · Article 24(1)
Controller's responsibility

The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is carried out in accordance with this Regulation. The key phrase is 'to be able to demonstrate', not 'to have implemented.' Having done the work is necessary but insufficient. The burden is on the controller to prove it, on demand, to a regulator who does not take the controller's word for it.

NIS2 Directive · Article 21
Cybersecurity risk-management measures

EU NIS2 (transposed by October 2024) requires appropriate and proportionate technical, operational and organisational measures to manage risks posed to the security of network and information systems. The burden of demonstrating those measures were in place and operating is on the organisation. NIS2 applies to essential and important entities across 18 sectors, overlapping directly with the ISO 27001 client base of any management system consultancy.

HIPAA · 45 CFR 164.312(b)
Audit controls

Covered entities and business associates must implement hardware, software and procedural mechanisms to record and examine access and other activity in information systems that contain electronic protected health information. The HHS Office for Civil Rights enforcement position: 'If you cannot produce documentation, OCR treats those safeguards as if they never existed.' The documentation must exist. Its creation must be independently verifiable.

The forensic problem

Every file on your network can be re-dated in under thirty seconds.

An authentic ISO document is forensically identical to one created yesterday and backdated. Your file metadata cannot answer the question independently.

Word documents

Author, title, and created date are all editable in File > Info. No special tools needed. Thirty seconds.

PDFs and images

PDF creation dates are editable in Acrobat and in free utilities. PNG and JPEG EXIF metadata can be changed with a right-click.

OS timestamps

File timestamps reset automatically when a file is copied. Server logs record the copy event, not the original creation.

Precedent

The cases that set the test.

In every case below, the question was not whether the control or work existed. The question was when, and whether it could be proven.

€17M
Meta Platforms
Irish DPC · GDPR · 2022

Controls may have existed. Their operation at the time of 12 data breaches in 2018 could not be demonstrated. The DPC found it had 'failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice.' The question was when, not whether.

$487M
Boeing
US DOJ · AS9100 / ISO 9001 · 2024

Inspection records for wing-to-fuselage joins on approximately 450 Dreamliners were recorded as complete when the inspection had not been performed. The records were forensically identical to authentic ones: signed, dated and filed correctly. An AS9100 surveillance audit could not have distinguished them from real records.

$500M
Ranbaxy Laboratories
US FDA / DOJ · GMP · 2013

FDA inspections found broken documentation trails: incomplete batch records, inaccurate cleaning records, inadequate failure investigations. The agency could not verify whether manufacturing had been conducted to Good Manufacturing Practice. The ISO 9001 audit parallel is direct: Clause 7.5 and Clause 9.2 would have required the same records.

£3.07M
Advanced Computer Software
UK ICO · ISO 27001-adjacent · 2025

Advanced had procured a vulnerability scanning tool but could not demonstrate it had been used. The existence of the tool was not the issue. The evidence of its ongoing operation was. The ICO found patching records were inaccurate. The tool was procured; its use at the critical time was not evidenced.

£4M
National Grid Gas
UK HSE · ISO 45001-adjacent · 2016

For 769 high-rise buildings there was no evidence that gas riser inspections had taken place at the required intervals. No harm occurred. The fine was for the evidential gap alone. Records for the 769 buildings could not be produced when the HSE asked. The question was whether the inspections had been done at the times they were claimed, not whether National Grid had a policy.

£3.5M
Wm Morrison Supermarkets
UK HSE · ISO 45001-adjacent · 2018

Morrison's own procedures required an individual risk assessment for every employee with a disability. An employee with epilepsy died after a seizure on a staff staircase. No individual risk assessment had ever been produced. Morrison could not show that the control, required by its own written procedure, had ever been performed for this individual.

£70K + costs
West Yorkshire manufacturer
UK HSE · ISO 45001 · Crown Court

Following a serious workplace injury, the company submitted a risk assessment and training records dated before the incident to the HSE investigation. The court found both documents had been created after the incident and backdated. The fabrication was detected only because the HSE found corroborating evidence from other sources; an ISO 45001 surveillance audit would not have caught it.

The provider gap

Compliance platforms collect evidence. They contractually disclaim its provenance.

Vanta, Drata, Secureframe and Sprinto are valuable tools. But every one of them returns the question of evidence integrity to you in their Terms of Service. The following clauses were retrieved directly from each provider's public agreement in April 2026.

Vanta
Continuous compliance monitoring
What their agreement actually says
VANTA WILL HAVE NO LIABILITY OR RESPONSIBILITY FOR CUSTOMER'S VARIOUS COMPLIANCE PROGRAMS, AND THAT THE SERVICES, TO THE EXTENT APPLICABLE, ARE ONLY TOOLS FOR ASSISTING CUSTOMER IN MEETING THE VARIOUS COMPLIANCE OBLIGATIONS FOR WHICH IT SOLELY IS RESPONSIBLE.
Section 7.3 (Disclaimers), Master Subscription Agreement · vanta.com/legal/terms · Retrieved April 2026
Drata
Automate your compliance journey
What their agreement actually says
Customer is solely responsible for the accuracy, content, and legality of all Customer Data.
Section 6.4 (Customer Data), Terms of Service (March 2025) · drata.com/terms · Retrieved April 2026
Secureframe
The fastest path to compliance
What their agreement actually says
Customer is solely responsible for: ... (c) the entry, accuracy, integrity and legality of Customer Data and the means by which it acquires and uses such Customer Data.
Section 2.6 (Customer Responsibilities), Terms of Service · secureframe.com/terms · Retrieved April 2026
Sprinto
Automate your way to compliance
What their agreement actually says
THE SERVICE(S) AND ANY INFORMATION OR RECOMMENDATIONS PROVIDED BY SPRINTO TO YOU ARE INTENDED AS RECOMMENDATIONS ONLY AND DO NOT CONSTITUTE ANY WARRANTY OR GUARANTEE THAT YOU, BY FOLLOWING SUCH RECOMMENDATIONS, WILL BE FULLY COMPLIANT WITH ANY APPLICABLE STANDARDS CONTEMPLATED BY THE SERVICE(S). IT IS SOLELY YOUR RESPONSIBILITY TO ENSURE THAT YOU COMPLY WITH ALL SUCH APPLICABLE STANDARDS.
Disclaimers, Terms of Service (effective 30 January 2025) · sprinto.com/terms · Retrieved April 2026

What this means in practice. When an auditor, ICO investigator or court asks “show me that this control was operating on 14 March,” your compliance platform's answer is: “we received that evidence from the customer.” The accountability principle under GDPR Article 5(2) and the demonstrability requirement under ISO 27001:2022 Annex A 8.15 land back on you. immut is the layer that answers the question the platform is contractually excused from answering.

How it works

Public proof. Private work.

Your files never leave your device. Only a mathematical fingerprint is recorded on a public blockchain, and that record cannot be altered by anyone, including immut.

01
File never leaves your device

The SHA-256 hash is computed locally, in your browser. The original file is not transmitted, stored, or visible to immut.

02
Hash anchored to the XRP Ledger

The hash is written to the public XRP Ledger, a distributed, immutable blockchain. Once written, no party can alter or delete it.

03
Certificate issued immediately

immut generates a court-ready certificate containing the hash, the XRPL transaction ID, the ledger sequence number, and the UTC timestamp.

04
Proof outlives immut

The record lives on a public blockchain and remains verifiable even if immut were to cease to exist. There is no dependency on immut's servers or continued operation.
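As an added worked example (not immut's own code), the checks a verifier would run against a certificate of the kind described in steps 01 to 04, plus the drift question from earlier: was this exact content anchored before the event? The document, certificate and ledger record are constructed stand-ins; the transaction ID and ledger index are placeholders, and a real verification would fetch the transaction from a public XRPL node instead of the inline record.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample document: the bytes exactly as they were when anchored.
DOCUMENT = b"Risk assessment v3 - approved 2026-03-14\n"

def sha256_hex(data: bytes) -> str:
    """The only thing that would leave the device: the digest, not the file."""
    return hashlib.sha256(data).hexdigest()

def parse_utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)

# Constructed stand-in for a certificate carrying the four fields named above.
# The transaction ID and ledger index are placeholders, not real XRPL values.
CERTIFICATE = {
    "sha256": sha256_hex(DOCUMENT),
    "xrpl_tx_id": "PLACEHOLDER_TX_ID",
    "ledger_index": 90000000,
    "timestamp_utc": "2026-03-14T09:15:00Z",
}

# Constructed stand-in for what an independent query of that transaction on the
# public ledger returns. XRPL memo data is hex-encoded; the ledger close time is
# the independent clock a third party relies on, not the organisation's own.
LEDGER_RECORD = {
    "hash": "PLACEHOLDER_TX_ID",
    "ledger_index": 90000000,
    "close_time_utc": "2026-03-14T09:15:02Z",
    "memo_hex": sha256_hex(DOCUMENT).encode("ascii").hex().upper(),
}

def verify(document: bytes, cert: dict, ledger: dict, skew=timedelta(minutes=5)):
    """Return (ok, reasons). All four checks must hold for the record to stand.
    No file-system or document metadata enters the verdict; only content and ledger."""
    reasons = []
    if sha256_hex(document) != cert["sha256"]:
        reasons.append("file content does not match the certified hash")
    if bytes.fromhex(ledger["memo_hex"]).decode("ascii") != cert["sha256"]:
        reasons.append("ledger memo does not carry the certified hash")
    if (ledger["hash"], ledger["ledger_index"]) != (cert["xrpl_tx_id"], cert["ledger_index"]):
        reasons.append("certificate does not point at this ledger transaction")
    if abs(parse_utc(ledger["close_time_utc"]) - parse_utc(cert["timestamp_utc"])) > skew:
        reasons.append("certificate timestamp disagrees with ledger close time")
    return (not reasons, reasons)

def existed_before(ledger: dict, event_utc: str) -> bool:
    """The drift question: was this exact content anchored before the event date?"""
    return parse_utc(ledger["close_time_utc"]) < parse_utc(event_utc)
```

A single changed byte in the document fails the first check, however its metadata is dated, and a ledger close time after the incident date answers the drift question in the negative regardless of what the certificate claims.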

Legal acceptance

Already accepted in 88 countries across 171 jurisdictions.

Blockchain-anchored certificates are legal evidence in UK courts, EU member states, and over 80 other jurisdictions. The question of admissibility is already settled.

United States
Federal
US v. Sterlingov (2024)

The US District Court for DC admitted blockchain transaction records as primary evidence. The case established that public blockchain data satisfies US federal evidentiary standards for authenticity and reliability without requiring expert testimony on the underlying technology.

European Union
All 27 Member States
EU Regulation 2025/2531 (eIDAS-2)

The updated eIDAS framework recognises qualified electronic time-stamps as having the legal effect of evidence of the date and time indicated and the integrity of the data. A qualified time-stamp on a blockchain-anchored hash satisfies this standard across all EU Member States.

France
Commercial court, Paris
AZ Factory v. Valeria Moda (2025)

A Paris commercial court accepted a blockchain timestamp as proof of prior creation in an IP infringement dispute. The court found the blockchain record established both the date and integrity of the original file without requiring the plaintiff to produce the file itself.

China
1,400+ subsequent cases
China Supreme People's Court (2018)

The Supreme People's Court ruled that blockchain-stored evidence is presumptively authentic and meets the standard for electronic evidence. Over 1,400 IP cases have since been decided on blockchain-anchored evidence across Chinese courts, including the purpose-built Hangzhou Internet Court.

Question to ask yourself

If an ISO auditor asked you to prove that you followed a process, or that you created a procedure before the event it governs, could you?

Prove your first file in minutes.

Takes seconds. Works on any file type. No installation required.

Sign up for free