# ISO doesn't ask if you have a policy. It asks if you can prove it was in place. ISO 27001, 9001, 14001 and 45001 all require a demonstrable record that controls were operating on the day in question, not merely declared at the audit. Auditors are now challenging evidence that cannot be dated independently. immut anchors a SHA-256 hash of each compliance record to the XRP Ledger, creating contemporaneous, tamper-evident, court-ready proof of when every record existed. ## Why is an ISO certificate not enough on its own? An ISO certificate is a photograph. The question is what happened between photographs. A certificate is issued on 14 March. Seven days later, a new SaaS tool is adopted that was not in scope. A logging rule is disabled during an incident and never re-enabled. No one intended to break compliance. It drifted. Five months later an incident occurs, and in discovery the court's question is not "was the certificate validly issued in March?" It is: "was this control operating on the date of the incident, and can you prove it?" The Meta, Boeing and Advanced Computer Software cases are all, on close reading, drift cases: the regulator found controls that had lapsed since they were last evidenced, not fabrication. ## What does each standard actually require? ISO 27001:2022 is now the only valid standard. Eight instruments, one common demand: evidence that was created when it claims to have been created. - **ISO 27001:2022, Annex A 8.15 (Logging).** Logs recording activities, exceptions and faults must be produced, stored, protected and analysed, and protected against unauthorised access, modification and deletion. The 2022 revision explicitly requires WORM (write-once-read-many) or equivalent tamper-evident storage: immutability is now a named audit requirement, not a best practice. The IAF transition window closed 31 October 2025, so every current ISO 27001 certificate must be certified to the 2022 version. - **ISO 27001:2022, Annex A 8.17 (Clock synchronisation).** System clocks must be synchronised to a reliable time source. Without a trusted, independent clock, the timestamp on every log entry is contested, and a log with an unverifiable timestamp cannot satisfy A.8.15. - **ISO 27001:2022, Annex A 5.28 (Collection of evidence).** Procedures for the identification, collection, acquisition and preservation of evidence related to information security events. If the medium on which evidence is stored can be modified, even with a WORM policy in place, preservation cannot be forensically proven. - **ISO 9001, 14001, 45001, Clause 7.5 (Documented information).** Documented information must be adequately protected, specifically against loss of integrity. A document whose creation date cannot be independently verified has suffered a loss of integrity even if no one has actively tampered with it. The ISO Auditing Practices Group trains auditors to flag documentation that cannot demonstrate contemporaneous creation: that is a non-conformity. - **GDPR, Article 5(2) (Accountability).** The controller must be able to demonstrate compliance. Meta was fined 17M euros by the Irish DPC not because its controls were absent but because it could not demonstrate they were operating at the time of 12 data breaches. - **GDPR, Article 24(1) (Controller's responsibility).** The key phrase is "to be able to demonstrate", not "to have implemented." The burden is on the controller to prove compliance, on demand, to a regulator who does not take the controller's word for it. - **NIS2 Directive, Article 21.** EU NIS2 (transposed by October 2024) requires appropriate technical, operational and organisational measures, and the burden of demonstrating those measures were in place and operating is on the organisation. NIS2 applies to essential and important entities across 18 sectors. - **HIPAA, 45 CFR 164.312(b) (Audit controls).** Mechanisms to record and examine activity in systems containing electronic protected health information. The HHS Office for Civil Rights enforcement position: "If you cannot produce documentation, OCR treats those safeguards as if they never existed." ## Why can't file metadata answer the question? Every file on your network can be re-dated in under thirty seconds. An authentic ISO document is forensically identical to one created yesterday and backdated. Word document author, title and created date are all editable in File > Info. PDF creation dates are editable in Acrobat and free utilities; PNG and JPEG EXIF metadata can be changed with a right-click. OS file timestamps reset automatically when a file is copied: server logs record the copy event, not the original creation. ## Which enforcement cases set the test? In every case below, the question was not whether the control or work existed. The question was when, and whether it could be proven. - **Meta Platforms, €17M (Irish DPC, GDPR, 2022).** Controls may have existed; their operation at the time of 12 data breaches in 2018 could not be demonstrated. The DPC found Meta had "failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice." - **Boeing, $487M (US DOJ, AS9100 / ISO 9001, 2024).** Inspection records for wing-to-fuselage joins on approximately 450 Dreamliners were recorded as complete when the inspection had not been performed. The records were forensically identical to authentic ones: signed, dated, filed correctly. - **Ranbaxy Laboratories, $500M (US FDA / DOJ, GMP, 2013).** FDA inspections found broken documentation trails: incomplete batch records, inaccurate cleaning records, inadequate failure investigations. The agency could not verify whether manufacturing had been conducted to Good Manufacturing Practice. - **Advanced Computer Software, £3.07M (UK ICO, 2025).** Advanced had procured a vulnerability scanning tool but could not demonstrate it had been used. The existence of the tool was not the issue; the evidence of its ongoing operation was. The ICO found patching records were inaccurate. - **National Grid Gas, £4M (UK HSE, 2016).** 769 high-rise buildings with no evidence that gas riser inspections had taken place at required intervals. No harm occurred: the fine was for the evidential gap alone. - **Wm Morrison Supermarkets, £3.5M (UK HSE, 2018).** An employee with epilepsy died after a seizure on a staff staircase. Morrison's own procedures required an individual risk assessment for every employee with a disability; none had ever been produced for this individual. - **West Yorkshire manufacturer, £70K plus costs (UK HSE, Crown Court).** Following a serious workplace injury, the company submitted a risk assessment and training records dated before the incident. The court found both documents had been created after the incident and backdated. ## Don't Vanta, Drata, Secureframe or Sprinto solve this? Compliance platforms collect evidence; they contractually disclaim its provenance. Each provider's public agreement (retrieved April 2026) returns the question of evidence integrity to the customer: - **Vanta** (Section 7.3, Master Subscription Agreement, vanta.com/legal/terms): the services "are only tools for assisting Customer in meeting the various compliance obligations for which it solely is responsible." - **Drata** (Section 6.4, Terms of Service, March 2025, drata.com/terms): "Customer is solely responsible for the accuracy, content, and legality of all Customer Data." - **Secureframe** (Section 2.6, Terms of Service, secureframe.com/terms): "Customer is solely responsible for ... the entry, accuracy, integrity and legality of Customer Data." - **Sprinto** (Disclaimers, Terms of Service, effective 30 January 2025, sprinto.com/terms): recommendations "do not constitute any warranty or guarantee" of compliance; "it is solely your responsibility to ensure that you comply." In practice: when an auditor, ICO investigator or court asks "show me that this control was operating on 14 March," the platform's answer is "we received that evidence from the customer." The accountability principle under GDPR Article 5(2) and the demonstrability requirement under Annex A 8.15 land back on you. immut is the layer that answers the question the platform is contractually excused from answering. ## How does immut work? Public proof, private work. Only a mathematical fingerprint of each file is recorded on a public blockchain; that record cannot be altered by anyone, including immut. 1. **Only the hash is recorded.** immut generates a SHA-256 cryptographic fingerprint of your file. Only that fingerprint is anchored to the blockchain, not the file itself. 2. **Hash anchored to the XRP Ledger.** The hash is written to the public XRP Ledger, a distributed, immutable blockchain. Once written, no party can alter or delete it. 3. **Certificate issued immediately.** A court-ready certificate contains the hash, the XRPL transaction ID, the ledger sequence number, and the UTC timestamp. 4. **Proof outlives immut.** The record lives on a public blockchain and remains verifiable even if immut ceased to exist. ## Do courts accept blockchain-anchored evidence? Blockchain-anchored certificates are already accepted as legal evidence in 88 countries across 171 jurisdictions. - **United States: US v. Sterlingov (2024).** The US District Court for DC admitted blockchain transaction records as primary evidence, establishing that public blockchain data satisfies US federal evidentiary standards without requiring expert testimony on the technology. - **European Union: EU Regulation 2025/2531 (eIDAS-2).** Qualified electronic time-stamps have the legal effect of evidence of the date, time and integrity of the data across all 27 Member States. - **France: AZ Factory v. Valeria Moda (Paris commercial court, 2025).** A blockchain timestamp was accepted as proof of prior creation in an IP dispute, without requiring production of the underlying file. - **China: Supreme People's Court (2018).** Blockchain-stored evidence is presumptively authentic; over 1,400 IP cases have since been decided on blockchain-anchored evidence. ## The question to ask yourself If an ISO auditor asked you to prove that you followed a process, or that you created a procedure before the event it governs, could you? ## Links - Live page: https://www.immut.io/evidence/iso - Developer docs: https://www.immut.io/docs - For AI agents: https://www.immut.io/ai-agents