One evidence vault. Every framework. Every deal.
Uploading the same access-review screenshot to a SOC 2 folder, an ISO 27001 folder and a customer questionnaire folder is a waste. ISO-STANDARD.app stores it once, links it to every control it evidences, versions it, and lets you share it under NDA — for audits, buyers and internal reviews.
Evidence is where compliance actually happens
Auditors don't care about your policy library — they care about evidence that the policy is real. Buyers don't care about your certificate — they care about proof it isn't a shelfware artifact. Evidence is the trust surface.
When evidence lives in Google Drive, it goes stale. When it lives in the workspace that generated it, it stays current — and it works for every framework and every buyer.
What's in the box
Attach to any control, in any framework
Versioned, dated, superseded — never lost
Find it in seconds
Freshness cadence enforced
Share under NDA
Owner accountability
Why one vault beats five folders
How buyers verify you — in minutes, not weeks
Whoever is asking — auditor, buyer or regulator — the answer is one link away.
- Step 1
Auditor asks for a control's evidence
Filter by control → all live evidence attached, timestamped, with the owner named. No war-room scramble.
- Step 2
Buyer questionnaire needs a screenshot
Reuse from the vault; the answer field auto-attaches the current version. Update once, reflected everywhere.
- Step 3
Regulator or DPO investigates an incident
Timeline view: which evidence was current when. Defensible reconstruction from the vault, not from Slack.
- Step 4
New team member joins
The evidence library is the operational picture. No 'ask Sarah where the SoA screenshot is'.
The artifacts buyers actually ask for
Every artifact below is generated inside the workspace, versioned, timestamped and shareable via a signed link — no last-minute PDF assembly, no "wait, which version did I send them?"
Preview real sample evidence
Every artifact below is a redacted, anonymised export from the workspace — the same shape auditors and buyers receive under NDA. Download, share with your team, use them as a spec for what 'good' looks like.
Reviewer sign-off across AWS, GitHub, Okta, RDS, Datadog, PagerDuty — with findings, remediation and attestation.
PDF · ISO 27001 A.5.15–18 · SOC 2 CC6.2/6.3 · Cyber Essentials
100% MFA coverage across the IdP and all federated SaaS, phishing-resistant factor distribution and exception log.
PDF · ISO 27001 A.5.17/A.8.5 · SOC 2 CC6.1 · PCI Req 8.4
Successful production database restore into an isolated VPC, RTO/RPO measured against policy with SRE sign-off.
PDF · ISO 27001 A.8.13 · ISO 20000-1 · SOC 2 A1.2
Monthly authenticated ASV scan of the production perimeter with SLA-tracked remediation and risk acceptance log.
PDF · ISO 27001 A.8.8 · SOC 2 CC7.1 · PCI Req 11.3 · CE+
Right-sized supplier assessment covering certifications, data protection, access, incident notification and exit plan.
PDF · ISO 27001 A.5.19–22 · SOC 2 CC9.2 · GDPR Art. 28
100% completion register with quiz scores and simulated-phishing outcomes for the annual awareness programme.
PDF · ISO 27001 A.6.3 · SOC 2 CC1.4 · GDPR · Cyber Essentials
Facilitated ransomware tabletop: participants, decisions, target vs observed timings, gaps identified and closed.
PDF · ISO 27001 A.5.24–27 · SOC 2 CC7.4 · PCI Req 12.10
Samples are anonymised for public preview. Real exports carry your workspace branding, signed timestamps and per-control mappings.
Who it's for
Pain: You maintain three folders for the same evidence — and updates never sync.
With ISO-STANDARD.app: Upload once. Every framework reads from the same vault; freshness is enforced centrally.
Pain: Every deal repeats 80% of the same questions with slightly different phrasing.
With ISO-STANDARD.app: Answer once, reuse forever. New questionnaires prefill from the vault; only novel questions need human work.
Pain: You don't know what evidence you need — and you can't find what you have.
With ISO-STANDARD.app: Framework-aware evidence catalogue tells you what's expected, what's attached and what's missing.
"Our auditor stopped asking us for evidence packs mid-way through Stage 2. Everything they needed was already linked to the control."
Answers buyers, procurement and auditors want
Where is my evidence stored?+
In a Lovable Cloud project (managed Supabase / Postgres storage) with per-organisation access control, encrypted at rest and served via signed URLs with expiry.
Can I control who sees what?+
Yes — role-based access on the workspace, plus per-share NDA-gated links with download logs for external recipients.
What file types are supported?+
PDFs, images, spreadsheets, documents, logs and CSVs — anything an auditor or buyer would accept as evidence.
How do I know evidence is fresh?+
Each evidence type has a cadence (monthly, quarterly, annual). Stale items surface on the dashboard and in the audit-readiness view.
Can auditors access the vault directly?+
Yes — an 'auditor' role gives read-only access scoped to the current audit; access is time-limited and audited.
Related
Pair with the public Trust Center, audit log, or explore SOC 2 and ISO 27001.
Stop chasing screenshots
Upload evidence once, link it to every framework, share it under NDA. The vault is the operational picture your audit — and your next deal — depends on.
Prefer a conversation? Email hello@iso-standard.app — a practitioner responds within one business day.