Document ID: AN-SEC-ZTP-001
Version: 1.1
Classification: Public
Effective: Mar 22, 2026
Next Review: Sep 22, 2026
Reviewed By: CEO & Compliance Team

The Principle

A certification is not a document. It is evidence. When a procurement officer at a Fortune 500 healthcare system reviews your security questionnaire, they are not asking whether you have good intentions. They are asking whether a qualified, independent third party has examined your controls and confirmed that they work. When a defense contracting officer evaluates your CMMC readiness, they are not interested in your security architecture diagram. They need a C3PAO assessment report with a certification level.

Ariana Nexus has built its security and compliance controls first — the architecture, the policies, the technology, the training, the testing. The certifications come next. This is the correct order. An organization that pursues certifications before building the underlying controls produces audit reports that do not reflect operational reality. An organization that builds controls first and then subjects them to independent examination produces evidence that procurement officers, CISOs, and regulators trust.

This page documents every certification and audit that Ariana Nexus has achieved, is actively pursuing, or has placed on its multi-year roadmap — with honest timelines, defined milestones, and the rationale behind each.

Current Compliance Posture

Before examining the certification roadmap, it is important to understand what Ariana Nexus has already built. The following controls are operational today within the Microsoft 365 Business Premium environment:

Implemented Security Controls

Identity & Access — Microsoft Entra ID, MFA (100%), Conditional Access, RBAC, quarterly access reviews. Relevant certifications: SOC 2 CC6, ISO 27001 A.5/A.8, CMMC IA/AC.

Data Protection — Four-tier classification, Purview Sensitivity Labels, DLP across all surfaces including endpoint. Relevant certifications: SOC 2 CC6, ISO 27001 A.8, CMMC MP/SC.

Encryption — AES-256 at rest, TLS 1.2+ in transit, BitLocker/FileVault on all devices, Purview document encryption. Relevant certifications: SOC 2 CC6, ISO 27001 A.8, CMMC SC, HIPAA §164.312.

Threat Detection — Defender for Office 365, Entra ID Protection, DLP incident monitoring. Relevant certifications: SOC 2 CC7, ISO 27001 A.8, CMMC SI.

Incident Response — Documented and tested IRP (NIST SP 800-61 Rev. 3), severity matrix, notification procedures. Relevant certifications: SOC 2 CC7, ISO 27001 A.5.24-28, CMMC IR.

Business Continuity — Documented BCP/DRP, cloud-native 4-hour RTO, third-party backup, semi-annual restore testing. Relevant certifications: SOC 2 CC9, ISO 27001 A.5.29-30, CMMC CP.

Device Management — Intune enrollment, compliance policies, remote wipe, application protection. Relevant certifications: SOC 2 CC6, ISO 27001 A.8, CMMC MP.

Personnel Security — Vetting, background screening, NDAs, HIPAA training, security awareness training. Relevant certifications: SOC 2 CC1, ISO 27001 A.6, CMMC PS/AT.

Audit Logging — M365 Unified Audit Log, Purview DLP logging, Entra ID sign-in logs. Relevant certifications: SOC 2 CC7, ISO 27001 A.8, CMMC AU.

Vendor Management — BAA executed with Microsoft, DPA template ready, third-party due diligence. Relevant certifications: SOC 2 CC9, ISO 27001 A.5.19-23, CMMC SA.

Risk Management — Risk assessment, VDP operational, privacy impact assessments. Relevant certifications: SOC 2 CC3/CC9, ISO 27001 A.5.1, CMMC RA.

Cyber Insurance — Cyber liability insurance with nationally recognized carrier. Relevant certifications: SOC 2 CC9, ISO 27001 risk treatment.

What this means: The foundational controls that SOC 2, ISO 27001, CMMC, and HITRUST auditors examine are already operational. The certification process will formalize, document, and independently validate what is already in place — not build new capabilities from scratch.

Certification Roadmap Overview

Ariana Nexus has identified an audit and compliance advisory firm and is in discussions regarding certification sequencing. The following roadmap reflects the planned order of certification pursuit, with ISO 27001 as the lead certification due to its international recognition across all client categories.

Certification Timeline

ISO 27001:2022 — Target start: Q3 2026. Target completion: Q2 2027. Priority 1 — Lead Certification. Rationale: International recognition; accepted by healthcare, government, AI labs, EU institutions, and defense.

SOC 2 Type I — Target start: Q1 2027. Target completion: Q3 2027. Priority 2 — U.S. Enterprise. Rationale: Most requested certification by U.S. enterprise procurement; point-in-time assessment.

SOC 2 Type II — Target start: Q3 2027. Target completion: Q2 2028. Priority 3 — Full Assurance. Rationale: Observation-period assessment (3–12 months); strongest U.S. enterprise evidence.

CMMC Level 2 — Target start: Q1 2027. Target completion: Q4 2027. Priority 4 — Defense Access. Rationale: Required for DoD contracts involving CUI; C3PAO assessment.

HITRUST e1 / i1 — Target start: Q1 2028. Target completion: Q3 2028. Priority 5 — Healthcare Depth. Rationale: Healthcare-specific; complements ISO 27001 for health system procurement.

ISO/IEC 42001:2023 — Target start: Q1 2028. Target completion: Q4 2028. Priority 6 — AI Governance. Rationale: AI Management System; differentiator for AI lab and Big Tech engagements.

ISO/IEC 27701:2019 — Target start: Q2 2028. Target completion: Q4 2028. Priority 7 — Privacy. Rationale: Privacy Information Management; extends ISO 27001 for GDPR alignment.

Cyber Essentials Plus (UK) — Target start: Q1 2028. Target completion: Q2 2028. Priority 8 — UK Market. Rationale: Required by many UK government suppliers; supports UK market entry.

FedRAMP (Tailored/Low) — Target start: 2029. Target completion: 2030. Priority 9 — Federal Cloud. Rationale: Required for cloud service offerings to federal agencies.

HITRUST r2 — Target start: 2029. Target completion: 2030. Priority 10 — Healthcare Premium. Rationale: Most rigorous healthcare security certification; enterprise health system requirement.

Budget Philosophy

Ariana Nexus allocates certification and audit investment in proportion to revenue growth and client demand. Rather than pursuing all certifications simultaneously with capital that should be deployed in service delivery, Ariana Nexus sequences certifications strategically:

This approach ensures that each certification investment is supported by the revenue it enables, creating a self-sustaining compliance maturation cycle.

ISO 27001:2022 — Lead Certification

Why ISO 27001 First

ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). It is recognized in over 150 countries and accepted by virtually every client category Ariana Nexus serves:

ISO 27001 also provides the management system framework upon which ISO 42001 (AI), ISO 27701 (Privacy), and ISO 22301 (Business Continuity) can be extended as bolt-on certifications.

Certification Plan

Stage 1 — Gap Assessment (Q3 2026): Engage the identified audit advisory firm for an ISO 27001 gap assessment. Map existing controls to ISO 27001:2022 Annex A controls (93 controls across 4 themes: Organizational, People, Physical, Technological). Identify gaps and develop a remediation plan.

Stage 2 — ISMS Documentation (Q4 2026): Formalize the Information Security Management System documentation, including ISMS scope statement, information security policy, risk assessment methodology and risk treatment plan, Statement of Applicability (SoA), internal audit procedures, management review procedures, and continual improvement procedures. Integrate existing Trust Center documentation into the ISMS framework.

Stage 3 — Implementation and Internal Audit (Q1 2027): Implement remediation items. Conduct at least one internal audit of the ISMS. Conduct management review. Address nonconformities.

Stage 4 — Certification Audit (Q2 2027): Stage 1 Audit (Document Review) — certification body reviews ISMS documentation. Stage 2 Audit (On-Site Assessment) — certification body assesses implementation and effectiveness. Certification Decision — upon successful completion, ISO 27001:2022 certificate issued.

Stage 5 — Surveillance and Recertification: Annual surveillance audits (Years 1 and 2). Recertification audit in Year 3 (full reassessment). Continuous improvement based on surveillance findings and evolving threat landscape.

ISO 27001 Control Mapping

A.5 — Organizational Controls (37 controls): Information security policies, roles, threat intelligence, asset management, access control, supplier relationships, incident management, business continuity, compliance. Readiness: High — majority implemented. Key evidence: Trust Center policies, IRP, BCP/DRP, vendor management, ROPA.

A.6 — People Controls (8 controls): Screening, terms of employment, awareness/training, disciplinary process, responsibilities after termination. Readiness: High — implemented. Key evidence: Vetting procedures, NDAs, training records, deprovisioning procedures.

A.7 — Physical Controls (14 controls): Physical security perimeters, entry controls, securing offices, physical media handling. Readiness: Medium — cloud-native operations reduce physical control surface; device controls implemented. Key evidence: Intune device management, BitLocker/FileVault, remote wipe.

A.8 — Technological Controls (34 controls): Endpoint devices, access rights, authentication, cryptography, network security, logging, vulnerability management, data protection. Readiness: High — implemented via M365 security stack. Key evidence: Entra ID, MFA, Conditional Access, Purview DLP, Defender, encryption, audit logging.

SOC 2 — U.S. Enterprise Standard

SOC 2 Overview

SOC 2 (System and Organization Controls 2) is the most requested security certification by U.S. enterprise procurement teams. Developed by the AICPA, SOC 2 evaluates an organization's controls against five Trust Services Criteria (TSC):

CC1–CC5 — Common Criteria (Security): Security policies, risk management, monitoring, logical/physical access, system operations. Readiness: High — controls implemented across Trust Center.

Availability: System availability commitments, BCP/DRP, monitoring. Readiness: High — BCP/DRP documented, 4-hour RTO, cloud-native resilience.

Processing Integrity: Accuracy and completeness of processing. Readiness: Medium — QA processes documented; engagement-specific SLAs.

Confidentiality: Protection of confidential information. Readiness: High — four-tier classification, DLP, encryption, access controls.

Privacy: Personal information collection, use, retention, disclosure, disposal. Readiness: High — Privacy Policy, GDPR compliance, DSAR procedures, retention schedules.

SOC 2 Certification Plan

SOC 2 Type I (Q1–Q3 2027): Point-in-time assessment of control design effectiveness. Evaluates whether controls are suitably designed as of a specific date. Faster to achieve (typically 2–4 months from readiness to report). Provides initial assurance while Type II observation period begins.

SOC 2 Type II (Q3 2027–Q2 2028): Evaluates control operating effectiveness over a 3–12 month observation period. Provides the strongest assurance: evidence that controls not only exist but function consistently over time. The report most commonly requested by enterprise procurement, healthcare systems, and technology companies.

SOC 2 Trust Services Criteria Mapping

CC6.1 — Logical access security, encryption. Implementation: MFA, Conditional Access, AES-256, TLS 1.2+, Purview encryption.

CC6.2 — System credentials and authentication. Implementation: Entra ID, RBAC, Security Groups, NIST 800-63B password policy.

CC6.3 — Access authorization. Implementation: Role-based provisioning, sponsor-approved guest access, quarterly reviews.

CC6.6 — Boundary protection. Implementation: Conditional Access, Defender, DLP, endpoint protection.

CC6.7 — Data transmission protection. Implementation: TLS 1.2+, OME, Sensitivity Label encryption.

CC6.8 — Unauthorized/malicious software prevention. Implementation: Defender for Office 365, Safe Attachments, Safe Links, Intune compliance.

CC7.1 — Detection of changes and vulnerabilities. Implementation: Defender alerts, Entra ID Protection, DLP monitoring, VDP.

CC7.2 — Monitoring for anomalies. Implementation: Entra ID risk detection, sign-in anomaly alerts, DLP incident reports.

CC7.3 — Security incident evaluation. Implementation: IRP severity matrix, triage procedures.

CC7.4 — Incident response execution. Implementation: Containment, eradication, recovery procedures; tested IRP.

CC7.5 — Incident recovery. Implementation: BCP/DRP, third-party backup, restore testing.

CC9.1 — Risk identification and assessment. Implementation: Risk assessment, PIAs, threat intelligence awareness.

CC9.2 — Risk mitigation through vendor management. Implementation: Microsoft BAA, DPA template, vendor due diligence.

CMMC Level 2 — Defense Access

CMMC Overview

The Cybersecurity Maturity Model Certification (CMMC) program is required for Department of Defense contractors who handle Controlled Unclassified Information. CMMC Level 2 requires implementation of all 110 NIST SP 800-171 Rev. 2 security requirements (Rev. 2 remains current for DoD/CMMC; Rev. 3 transition planned per DoD rulemaking) and certification by a CMMC Third-Party Assessment Organization (C3PAO).

CMMC Certification Plan

Preparation (Q1–Q2 2027): Complete the System Security Plan (SSP) documenting implementation of all 110 NIST SP 800-171 controls. Complete the Plan of Action and Milestones (POA&M). Conduct a NIST SP 800-171 self-assessment and calculate the SPRS score. Submit SPRS score to DoD via the SPRS portal.

Readiness Assessment (Q2–Q3 2027): Engage a Registered Practitioner Organization (RPO) or C3PAO for a pre-assessment readiness review. Remediate any findings. Compile evidence packages for all 110 controls.

Certification Assessment (Q3–Q4 2027): Engage a C3PAO for the formal CMMC Level 2 assessment. Assessment covers all 14 NIST SP 800-171 control families across 110 requirements. Upon successful assessment, C3PAO recommends certification to the CMMC Accreditation Body (The Cyber AB).

Post-Certification: Maintain controls and evidence continuously. Prepare for triennial reassessment. Monitor for CMMC program updates and evolving DoD requirements.

HITRUST — Healthcare Depth

HITRUST Overview

The HITRUST Common Security Framework (CSF) is the most widely adopted healthcare-specific security framework. HITRUST certification is increasingly required by major healthcare systems, health plans, and pharmaceutical companies as evidence of comprehensive security maturity.

HITRUST Certification Plan

HITRUST e1 Assessment (Q1–Q3 2028): Entry-level assessment covering 44 essential controls. Provides foundational assurance for healthcare engagements. One-year certification validity.

HITRUST i1 Assessment (Alternative, Q1–Q3 2028): Intermediate assessment covering approximately 182 controls. Includes threat-adaptive controls selected based on the organization's risk profile. Two-year certification validity. Evaluating e1 vs. i1 based on client requirements and cost-benefit analysis.

HITRUST r2 Assessment (2029–2030): The most rigorous HITRUST certification, covering approximately 375+ controls. Required by many large healthcare systems and health plans. Two-year certification validity with interim assessment. Pursued upon achievement of healthcare revenue scale that justifies the investment.

Additional Certifications on the Roadmap

ISO/IEC 42001:2023 — AI Management System

The first international standard for AI Management Systems. Provides a framework for organizations to manage AI-related risks and opportunities. Directly relevant to Ariana Nexus's AI Data Factory, model validation services, and planned Cultural Intelligence API.

Target: Q1–Q4 2028. Builds on ISO 27001 ISMS framework with AI-specific controls.

ISO/IEC 27701:2019 — Privacy Information Management

Extension to ISO 27001 that provides a Privacy Information Management System (PIMS). Demonstrates GDPR alignment through a formal certification framework. Directly relevant to EU and UK client engagements.

Target: Q2–Q4 2028. Builds on ISO 27001 certification.

Cyber Essentials Plus (UK)

UK government-backed cybersecurity certification. Required or preferred by many UK government suppliers and NHS bodies. Covers firewalls, secure configuration, user access control, malware protection, and patch management.

Target: Q1–Q2 2028, aligned with UK market entry.

FedRAMP (Federal Risk and Authorization Management Program)

Required for cloud service providers offering services to U.S. federal agencies. Ariana Nexus evaluates FedRAMP authorization for its planned cloud service offerings (Cultural Intelligence API, Data Platform, Orchestration OS).

Target: 2029–2030. Requires significant investment and is pursued upon platform product maturity and federal cloud revenue justification.

ISO 22301:2019 — Business Continuity Management

International standard for Business Continuity Management Systems (BCMS). Certifies the organization's ability to prepare for, respond to, and recover from disruptive incidents.

Target: 2028–2029. Builds on existing BCP/DRP documentation.

Audit and Advisory Partnership

Ariana Nexus has identified a compliance advisory firm to guide the certification process. The advisory relationship includes:

The advisory firm engagement is structured to scale with Ariana Nexus's certification roadmap — beginning with ISO 27001 gap assessment in Q3 2026 and expanding as subsequent certifications are pursued.

Interim Assurance for Clients

While formal certifications are in progress, Ariana Nexus provides the following assurance mechanisms to clients:

Evidence Packages

Upon request and under NDA, Ariana Nexus can provide: Trust Center documentation (all published pages), security architecture overview and control descriptions, data classification framework and DLP policy summaries, Incident Response Plan summary (non-confidential version), Business Continuity Plan summary, encryption standards and key management description, personnel vetting and training documentation, Microsoft 365 security configuration evidence (Secure Score report, Conditional Access policy export, DLP policy summary), HIPAA BAA template, Data Processing Agreement (GDPR Article 28) template, and cyber liability insurance certificate of coverage.

Security Questionnaire Response

Ariana Nexus is prepared to complete industry-standard security questionnaires, including:

Client Audit Rights

Engagement Agreements and DPAs include provisions for client audit rights, allowing clients to conduct or commission security assessments of Ariana Nexus's controls. Audit rights are defined in the applicable agreement, including scope, frequency, notice period, and confidentiality obligations.

What the Certification Roadmap Means for Our Clients and Partners

For enterprise procurement officers: Ariana Nexus has built the controls first and is now pursuing formal certification through an identified advisory firm. ISO 27001 certification is targeted for Q2 2027, SOC 2 Type I for Q3 2027, and SOC 2 Type II for Q2 2028. In the interim, we provide evidence packages, complete security questionnaires, and support client due diligence through our published Trust Center documentation.

For healthcare systems and health plans: Our ISO 27001 and SOC 2 certifications will be complemented by HITRUST e1/i1 certification (2028) and HITRUST r2 (2029–2030). Combined with our HIPAA Business Associate compliance and Microsoft BAA, this provides a multi-layered assurance stack for healthcare engagements.

For defense and government contracting officers: Our CMMC Level 2 certification is targeted for Q4 2027, with SSP and SPRS score submission planned for Q2 2027. Our NIST SP 800-171 controls are already implemented — certification will formalize what is already operational.

For AI labs and Big Tech: ISO 42001 (AI Management System) certification is targeted for 2028, providing formal evidence of AI governance maturity. Combined with ISO 27001, this will satisfy the most rigorous vendor qualification requirements.

For EU and UK institutions: ISO 27001 (international security), ISO 27701 (privacy), and Cyber Essentials Plus (UK) provide the certification package required for European and UK government and institutional engagements.

If your organization requires certification status verification, evidence packages, or a compliance roadmap briefing, contact trust@ariananexus.com or +1 (202) 771-0224.

Maturity Roadmap

Foundation (Q3 2026) — In Planning

Advisory firm engaged. ISO 27001 gap assessment. ISMS documentation initiated. SSP development begun.

Lead Certification (Q4 2026 – Q2 2027) — Planned

ISMS documentation complete. Internal audit conducted. ISO 27001 Stage 1 and Stage 2 audits. ISO 27001:2022 certification achieved.

U.S. Enterprise (Q1–Q3 2027) — Planned

SOC 2 Type I assessment and report. SPRS score submitted. CMMC readiness assessment.

Defense and Full Assurance (Q3 2027 – Q2 2028) — Planned

CMMC Level 2 C3PAO assessment and certification. SOC 2 Type II observation period and report.

Healthcare and AI (2028) — Planned

HITRUST e1 or i1 certification. ISO 42001 AI Management System certification. ISO 27701 Privacy certification. Cyber Essentials Plus (UK).

Federal Cloud and Premium (2029–2030) — Planned

FedRAMP Tailored/Low evaluation. HITRUST r2 certification. ISO 22301 Business Continuity certification.

Continuous Maturity (2030+) — Vision

Automated compliance monitoring. Multi-framework continuous assessment. Certification portfolio maintenance across 8+ frameworks. Real-time compliance dashboards for client visibility.

Limitation of Liability and Disclaimers

Certification Timelines. The certification targets described on this page reflect Ariana Nexus's current plans and intentions as of the Effective Date. Certification timelines are subject to change based on business priorities, revenue growth, auditor availability, regulatory changes, and remediation requirements identified during gap assessments or audits. Target dates are good-faith estimates, not guarantees.

Certification Status. As of the Effective Date, Ariana Nexus does not hold SOC 2, ISO 27001, CMMC, HITRUST, FedRAMP, ISO 42001, ISO 27701, Cyber Essentials, or ISO 22301 certifications. Controls described in this page and throughout the Trust Center are operational but have not been independently certified unless explicitly stated. The distinction between "controls implemented" and "certification achieved" is material and should be understood by all readers.

No Certification Guarantee. The submission of an application, engagement of an advisory firm, or completion of a gap assessment does not guarantee that any certification will be awarded. Certification decisions are made by independent certification bodies, C3PAOs, and accreditation organizations based on their assessment of Ariana Nexus's controls.

Advisory Firm Independence. Ariana Nexus's compliance advisory firm provides guidance, readiness assessment, and documentation support. The advisory firm does not issue certifications. Certification audits are conducted by independent, accredited certification bodies that are separate from the advisory firm, consistent with auditor independence requirements.

Interim Assurance. Evidence packages, security questionnaire responses, and Trust Center documentation provided before formal certification represent Ariana Nexus's self-reported control descriptions. They have not been independently audited unless stated otherwise. Clients should evaluate this information in the context of their own risk assessment and due diligence requirements.

Roadmap Items. All roadmap milestones are forward-looking statements, not binding commitments. Ariana Nexus reserves the right to modify, defer, or reprioritize certifications at its sole discretion.

Limitation of Liability. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ARIANA NEXUS'S TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATED TO CERTIFICATION STATUS, AUDIT RESULTS, OR COMPLIANCE POSTURE SHALL NOT EXCEED THE AMOUNTS SET FORTH IN THE APPLICABLE ENGAGEMENT AGREEMENT, OR, WHERE NO ENGAGEMENT AGREEMENT EXISTS, ONE HUNDRED DOLLARS ($100). ARIANA NEXUS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING FROM OR RELATED TO CERTIFICATION TIMELINES, AUDIT OUTCOMES, OR THE ABSENCE OF ANY SPECIFIC CERTIFICATION. NOTHING IN THIS SECTION SHALL LIMIT OR EXCLUDE ARIANA NEXUS'S LIABILITY FOR: (A) FRAUD OR FRAUDULENT MISREPRESENTATION; (B) DEATH OR PERSONAL INJURY CAUSED BY NEGLIGENCE; OR (C) ANY OTHER LIABILITY THAT CANNOT BE EXCLUDED OR LIMITED BY APPLICABLE LAW, INCLUDING BUT NOT LIMITED TO LIABILITY UNDER THE UK UNFAIR CONTRACT TERMS ACT 1977, THE UK CONSUMER RIGHTS ACT 2015, OR GDPR.

Dispute Resolution. Any dispute arising out of or relating to this page shall be subject to the dispute resolution provisions in the Terms of Use, Section 18.

This page is provided for informational purposes and does not constitute a warranty, guarantee, or binding commitment regarding Ariana Nexus's certification status or audit outcomes. Certification timelines and targets are subject to change. Nothing in this page shall be construed as a waiver of any right, defense, or immunity available to Ariana Nexus under applicable law.

This page is provided for informational purposes and does not constitute legal advice, a warranty, guarantee, or binding commitment regarding Ariana Nexus's compliance posture. Capabilities described herein are subject to change.