Sample · kye.report.v1 · CISO view · synthetic tenant

CISO Report™ — Security posture & ISO 27001 SoA evidence.

A representative kye.report.v1 envelope for a Chief Information Security Officer. The bytes you see are signature-covered — anyone with the published assembler_kid public key can verify the report locally, with no portal log-in and no vendor cooperation.

Synthetic tenant. Real reports carry tenant-PII and are scoped to the customer's admin console. Mechanism details are part of the patent track and not disclosed in this repository.

Executive verdict

Acme Ltd's information-security posture is L3-conforming for the Q2 2026 period. 93 of 93 declared ISO 27001 Annex A controls are operational; 4 controls have findings under remediation (2 informational, 2 low). Zero severity-high or critical incidents. Public-key replay-verifiable evidence pack per control.

Supporting findings

  1. SoA coverage · 93/93 declared controls operational · 4 findings open (2 info, 2 low; all with owner + deadline).
  2. Incident posture · 0 sev-high · 0 sev-critical · 7 sev-low (median MTTR 1h12m) · all closed with signed incident_evidence_pack.
  3. Access management · 1,419 humans · 87 service principals · 0 stale credentials · privileged sessions JIT-elevated only · break-glass triggered 2× (both audit-chained).
  4. Patch posture · 100% of fleet at current minor version · CVE backlog 0 critical / 0 high / 3 medium (all within SLA).
  5. Third-party risk · 18 sub-processors · all carry current attestations (SOC 2 Type II + ISO 27001) · DORA Art 28 register synchronised.

Framework binding

Clause | KYE™ artefact that binds it
ISO 27001 Annex A — SoA | Per-control compliance_card.v1 + signed evidence pack.
ISO 27001 9.1 — Monitoring | Audit-chain queryable by control id; tamper-evident.
NIST 800-207 — Zero Trust | Per-call admissibility evaluation; deny-by-default.
FedRAMP CM-2 — Baseline config | Compiled control bundle with integrity seal (patent track).
DORA Art 28 — Critical third party | Sub-processor register schema-bound; cross-border envelope per call.

Signature

The bytes of this page are the canonical artefact; the signature fragment below binds them.

{
  "schema_id":     "kye.report.v1",
  "report_id":     "kye:report:iso27001_soa:sample-acme:2026Q2",
  "tenant_id":     "kye:tenant:sample",
  "report_kind":   "iso27001_soa",
  "framework":     "iso_27001",
  "period_start":  "2026-04-01T00:00:00Z",
  "period_end":    "2026-07-01T00:00:00Z",
  "sealed_at":     "2026-07-01T00:00:00Z",
  "assembler_kid": "kye:kid:sample-acme:ciso-q2-2026",
  "signature_b64": "MEUCIQDxRy…(truncated; sample)…"
}
