
Compliance framework mappings — ZTP-prem ↔ SOC 2 / ISO 27001 / LGPD / GDPR / NIST 800-53

Audience: customer compliance auditor or procurement reviewer mapping TLSStress.Art's Zero-Trust-on-Premises 12-camada (12-layer) posture to industry frameworks during a security review.

Companion docs:

- SECURITY_ZTP_PREM.md — architectural posture
- ZTP_PREM_OPERATOR_GUIDE.md — day-2 operator guide
- ADR 0018 — compliance track decision
- ADR 0026..0033 — ZTP-prem family

TL;DR

The 12 ZTP-prem camadas were designed to map cleanly onto the control families a Fortune-500 compliance audit checks. This document gives the auditor the lookup table they expect.

Coverage is demonstrative — TLSStress.Art is not currently SOC 2 Type II certified, nor ISO 27001 certified (target horizon in ADR 0018). The mappings below show which camada implements which control family, so once certification is in motion the auditor knows where to look.

SOC 2 Trust Service Criteria mapping

The Trust Services Criteria (TSC) most relevant to a TLSStress.Art deployment:

| TSC | Description | ZTP-prem camada(s) |
|---|---|---|
| CC6.1 | Logical access security | 1 (HSM custody), 4 (Tier A/B), 5 (admission) |
| CC6.2 | Authentication credentials | 1 (HSM custody), 9 (envelope) |
| CC6.3 | Authorization roles + segregation | 5 (admission), 7 (cross-correlation) |
| CC6.6 | Logical access logging + monitoring | 5 (admission), 6 (sealed audit), 7 (correlation) |
| CC6.7 | Logical access change management | 4 (Tier A/B), 6 (sealed audit) |
| CC6.8 | Removal of access | 5 (admission deny), 8 (token vault) |
| CC7.1 | Threat detection | 11 (DLP), 12 (anomaly) |
| CC7.2 | Threat monitoring + response | 12 (anomaly), 7 (correlation) |
| CC7.3 | Vulnerability mitigation | 4 (Tier A/B), CI gates |
| CC8.1 | Change management | 4 (Tier A/B), supply-chain ADR 0005 |
| A1.2 | Backup + DR | ADR 0017 (separate from ZTP-prem) |

ISO/IEC 27001:2022 control mapping

Most relevant Annex A controls:

| ISO control | Title | ZTP-prem camada(s) |
|---|---|---|
| A.5.15 | Access control | 1, 4, 5 |
| A.5.17 | Authentication information | 1, 9 |
| A.5.18 | Access rights | 5, 8 |
| A.8.2 | Privileged access rights | 5 (break-glass), 6 (sealed audit) |
| A.8.5 | Secure authentication | 1, 9 |
| A.8.9 | Configuration management | 4 (Tier A/B), 6 (sealed audit) |
| A.8.15 | Logging | 6 (sealed audit), 7 (correlation) |
| A.8.16 | Monitoring activities | 11 (DLP), 12 (anomaly) |
| A.8.20 | Networks security | OOBI (ADR 0019), VXLAN immutable |
| A.8.24 | Use of cryptography | 1 (HSM), 9 (envelope), 2 + 3 (CC + TPM) |
| A.8.28 | Secure coding | 4 (Tier A/B partition + garble) |
| A.8.34 | Protection of information during audit | 6 (sealed audit WORM) |

LGPD (Brazil) mapping

LGPD (Lei 13.709/2018) — most relevant articles for a B2B SaaS:

| Article | Topic | ZTP-prem camada(s) |
|---|---|---|
| Art. 6º (Principles) | Purpose + adequacy + necessity | DLP rules (11), tier policy (4) |
| Art. 46 | Technical security measures | All 12 camadas |
| Art. 47 | Adoption of good practices | ADR 0026 umbrella |
| Art. 48 | Incident notification | 12 (anomaly), incident-response runbook |
| Art. 50 | Governance programmes | ADR 0018 + this document |

GDPR (EU) mapping

GDPR (Regulation (EU) 2016/679) — most relevant articles for the same deployment:

| Article | Topic | ZTP-prem camada(s) |
|---|---|---|
| Art. 5 (Principles) | Lawfulness + minimisation + integrity | DLP (11), Tier A/B (4) |
| Art. 25 | Data protection by design + default | ADR 0026 umbrella, ADR 0021 PURE privacy |
| Art. 32 | Security of processing | All 12 camadas |
| Art. 33 | Breach notification | 12 (anomaly detector firing) |
| Art. 35 | Data protection impact assessment | This document + ADR 0018 |

NIST 800-53 Rev. 5 (FedRAMP baseline) mapping

Most relevant control families for FedRAMP Moderate or High baseline:

| Family | Family name | ZTP-prem camada(s) |
|---|---|---|
| AC | Access Control | 1, 4, 5, 8 |
| AU | Audit + Accountability | 5, 6, 7 (the heart of the posture) |
| CA | Assessment, Authorization, Monitoring | 6 (sealed audit), 7 (correlation), 12 (anomaly) |
| CM | Configuration Management | 4 (Tier A/B), supply-chain ADR 0005 |
| CP | Contingency Planning | ADR 0017 (backup/DR) |
| IA | Identification + Authentication | 1, 9 |
| IR | Incident Response | 12 (anomaly), break-glass + runbook |
| SC | System + Communications Protection | 2 (CC), 3 (TPM), OOBI (ADR 0019) |
| SI | System + Information Integrity | 6 (sealed audit), 11 (DLP), 12 (anomaly) |

Coverage matrix — camada × framework

| # | Camada | SOC 2 | ISO 27001 | LGPD | GDPR | NIST 800-53 |
|---|---|---|---|---|---|---|
| 1 | Cloud HSM custody | CC6.1, CC6.2 | A.5.17, A.8.24 | Art. 46 | Art. 32 | IA, SC |
| 2 | CC detection | CC6.1 | A.8.24 | Art. 46 | Art. 32 | SC |
| 3 | TPM measured-boot | CC6.1 | A.8.24 | Art. 46 | Art. 32 | SC |
| 4 | Tier A/B partition | CC6.7, CC8.1 | A.8.9, A.8.28 | Art. 46 | Art. 25 | CM, AC |
| 5 | K8s admission webhook | CC6.3, CC6.6 | A.5.18, A.8.2 | Art. 46 | Art. 32 | AC, AU |
| 6 | Sealed audit chain | CC6.6, CC6.7 | A.8.15, A.8.34 | Art. 46 | Art. 32 | AU, CA, SI |
| 7 | Cross-correlation | CC6.6, CC7.2 | A.8.15 | Art. 46 | Art. 32 | AU, CA |
| 8 | UTXO token vault | CC6.8 | A.5.18 | Art. 46 | Art. 32 | AC |
| 9 | LICENSE.Art envelope | CC6.2 | A.5.17, A.8.5 | Art. 46 | Art. 32 | IA |
| 10 | Sealed-key release | CC6.1 | A.8.24 | Art. 46 | Art. 32 | SC (v6.0+) |
| 11 | DLP egress | CC7.1 | A.8.16 | Art. 6º | Art. 5 | SI |
| 12 | Behavioural anomaly | CC7.1, CC7.2 | A.8.16 | Art. 48 | Art. 33 | IR, SI |

Auditor handoff package

For an active audit, hand the assessor:

  1. This document (mapping reference)
  2. SECURITY_ZTP_PREM.md (architectural)
  3. ZTP_PREM_OPERATOR_GUIDE.md (day-2)
  4. ADRs 0026..0033 (design decisions)
  5. platform/ztp-prem/tier-policy.yaml + SHA-256 attestation
  6. Last 90 days of weekly operator-checklist output (per ZTP-prem operator guide)
  7. SBOM + Cosign signatures for the running release

Certification status

| Framework | Status | Target |
|---|---|---|
| SOC 2 Type II | Planned | 18-month horizon per ADR 0018 |
| ISO 27001:2022 | Planned | Same horizon |
| LGPD readiness | Self-attested | Continuous |
| GDPR readiness | Self-attested | Continuous |
| FedRAMP Moderate | Planned | 24-36 month horizon (gated by US Government customer demand) |

Self-attested means: we believe the posture meets the framework's technical controls, but no independent assessor has yet signed off. The mappings above are the basis for that future assessor's work.


Last verified against shipping code: v3.7.0 (2026-05-12).