Control Catalog v1
A focused control set for distributed edge infrastructure. Each control lists what we collect, what we export, and what an auditor can verify.
Note: NIS2 and ISO-style mappings are optional wrappers on top of the same evidence.
How to use
Use this catalog to agree on scope during an evaluation or pilot. The Evidence Pack index references these IDs so you can show control coverage without screenshots.
| Control ID | Control | Evidence exported | Auditor-friendly checks |
|---|---|---|---|
| VE-C01 | Asset inventory per site | Device inventory export (CSV/JSON) with site scope + timestamps | Assets are enumerated, scoped, time-bounded, and reproducible |
| VE-C02 | Identity, RBAC, and least privilege | Role definitions + access events in audit log | Least-privilege roles exist; admin actions are logged |
| VE-C03 | Privileged change accountability | Append-only audit trail for configuration/admin actions | No silent changes; who/what/when is visible |
| VE-C04 | Time synchronization | Evidence pack metadata + agent timestamps; continuity timeline | Events are ordered and attributable across sites |
| VE-C05 | Telemetry integrity and lineage | Lineage fields (collector, site, timestamps) + reproducible hashes | Evidence is tamper-evident; exports can be re-derived |
| VE-C06 | Immutable audit logging | Append-only log export with integrity chaining (where applicable) | Edits/deletes are detectable; traceability is preserved |
| VE-C07 | Monitoring coverage | Fleet health summaries + per-site status exports | Sites report health; gaps are identifiable and explainable |
| VE-C08 | Alert handling and acknowledgements | Alert + acknowledgement trail (who acknowledged, when, notes) | Response actions are attributable and reviewable |
| VE-C09 | Patch cadence evidence (where in scope) | Collected patch signals + time series summaries (non-PII) | Cadence is observable and can be reported consistently |
| VE-C10 | Continuity: offline buffering | Continuity log proving offline collection and buffered intervals | Outages do not create evidence gaps |
| VE-C11 | Continuity: lossless backfill | Backfill proof in continuity log + reconciliation timestamps | Disconnected periods reconcile without data loss |
| VE-C12 | Evidence pack generation | Evidence pack (ZIP) containing PDF/CSV exports + index | Artifacts are structured, time-scoped, and exportable on demand |
| VE-C13 | Control-to-evidence mapping | Index mapping each control ID to included artifacts | Clear coverage: what is proven vs out of scope |
| VE-C14 | EU-only hosting and zero-PII telemetry | Data flow + DPIA kit; telemetry scope statements | Residency is verifiable; PII collection is out of scope |
| VE-C15 | Supply chain: SBOM and attestation | CycloneDX SBOM + signed build provenance where available | Build inputs and outputs can be verified independently |
Optional mappings
We can map the above control set to customer frameworks (ISO 27001-style, NIS2, and internal control matrices). The underlying evidence and exports stay the same.