{ "schema_version": "1", "assessor_export_profile": "ctm-assessor-intake-v1", "framework_code": "CTM", "framework_edition": "Cyber Trust mark - Promoter (PLACEHOLDER content) · SS712:2025-PLACEHOLDER", "crosswalk_version": "ctm-ss712-2025-placeholder.v1", "tenant_id": "tnt_demo", "tenant_name": "Meridian Pay (synthetic demo)", "generated_at": "2026-06-04T00:00:00Z", "target_tier": null, "source_workbook": null, "certification_body_intake_assumptions": [ "CyberG7 provides a pre-audit readiness pack. Certification and pass/fail decisions remain with the appointed certification body or assessor.", "Evidence freshness, parser confidence, and review decisions are evaluated at export time and must be rechecked if the assessment window changes.", "Workbook provenance points back to the pinned CSA Cyber Trust mark self-assessment checklist catalog used to create the evidence task.", "Parser output is deterministic evidence triage metadata. It does not replace assessor sampling, interviews, or professional judgment.", "Controls marked partial or missing should not be represented as certification-ready until fresh evidence is accepted by a human reviewer." ], "scoring_model": "weighted_v1_met_1_partial_0_5_missing_0", "readiness_percent": 83, "controls_ready": 4, "controls_partial": 2, "controls_missing": 0, "controls_total": 6, "controls": [ { "code": "AC-1", "domain": "Access Control", "title": "MFA on privileged and remote access", "state": "ready", "is_ready": true, "score_status": "met", "score_weight": 1, "owner": "arjun.rao@meridianpay.example", "due_at": null, "blockers": [], "evidence": [ { "source": "connector", "source_ref": "okta:access_review", "collected_at": "2026-03-20T02:00:00Z", "expires_at": "2026-06-20T02:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 75, "days_until_expiry": 16, "note": "Fresh at export time; expires in 16 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } }, { "source": "connector", "source_ref": "okta:mfa_privileged", "collected_at": "2026-05-28T02:00:00Z", "expires_at": "2026-08-28T02:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 6, "days_until_expiry": 85, "note": "Fresh at export time; expires in 85 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } } ], "crosswalk": [ { "framework": "ISO27001:2022", "code": "A.8.5", "confidence": "high" }, { "framework": "SOC2-TSC", "code": "CC6.1", "confidence": "high" } ], "workbook_provenance": null, "evidence_summary": { "evidence_count": 2, "fresh_count": 2, "stale_count": 0, "accepted_review_count": 0, "needs_rework_review_count": 0, "parsed_artifact_count": 0, "highest_parser_confidence": null, "freshness_note": "Fresh evidence exists at export time." }, "assessor_notes": [ "Pre-audit ready: control has fresh evidence and has been marked ready.", "Evidence is collected but still needs an accepted human review decision." ] }, { "code": "ASM-1", "domain": "Asset Management", "title": "Asset inventory maintained", "state": "ready", "is_ready": true, "score_status": "met", "score_weight": 1, "owner": "arjun.rao@meridianpay.example", "due_at": null, "blockers": [], "evidence": [ { "source": "connector", "source_ref": "aws:asset_inventory", "collected_at": "2026-05-26T02:00:00Z", "expires_at": "2026-08-26T02:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 8, "days_until_expiry": 83, "note": "Fresh at export time; expires in 83 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } } ], "crosswalk": [ { "framework": "ISO27001:2022", "code": "A.5.9", "confidence": "high" }, { "framework": "SOC2-TSC", "code": "CC6.1", "confidence": "low" } ], "workbook_provenance": null, "evidence_summary": { "evidence_count": 1, "fresh_count": 1, "stale_count": 0, "accepted_review_count": 0, "needs_rework_review_count": 0, "parsed_artifact_count": 0, "highest_parser_confidence": null, "freshness_note": "Fresh evidence exists at export time." }, "assessor_notes": [ "Pre-audit ready: control has fresh evidence and has been marked ready.", "Evidence is collected but still needs an accepted human review decision." ] }, { "code": "DP-1", "domain": "Data Protection", "title": "Data protection and tested backups", "state": "manual_pending", "is_ready": false, "score_status": "partial", "score_weight": 0.5, "owner": "sara.koh@meridianpay.example", "due_at": "2026-06-30T09:00:00+00:00", "blockers": [ "Manual task pending (due 2026-06-30)" ], "evidence": [ { "source": "connector", "source_ref": "crowdstrike:device_encryption", "collected_at": "2026-05-29T02:00:00Z", "expires_at": "2026-08-29T02:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 5, "days_until_expiry": 86, "note": "Fresh at export time; expires in 86 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } }, { "source": "manual", "source_ref": "tnt_demo/manual/DP-1/encryption-and-backup-policy.pdf", "collected_at": "2026-05-10T00:00:00Z", "expires_at": "2027-05-10T00:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 25, "days_until_expiry": 340, "note": "Fresh at export time; expires in 340 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } } ], "crosswalk": [ { "framework": "ISO27001:2022", "code": "A.8.24", "confidence": "high" }, { "framework": "SOC2-TSC", "code": "CC6.7", "confidence": "medium" } ], "workbook_provenance": null, "evidence_summary": { "evidence_count": 2, "fresh_count": 2, "stale_count": 0, "accepted_review_count": 0, "needs_rework_review_count": 0, "parsed_artifact_count": 0, "highest_parser_confidence": null, "freshness_note": "Fresh evidence exists at export time." }, "assessor_notes": [ "Partial: evidence exists, but closure still needs accepted review, refresh, or remaining control work.", "Evidence is collected but still needs an accepted human review decision.", "Open blocker(s): Manual task pending (due 2026-06-30)" ] }, { "code": "GOV-1", "domain": "Governance", "title": "Cybersecurity governance and ownership", "state": "ready", "is_ready": true, "score_status": "met", "score_weight": 1, "owner": "wei.tan@meridianpay.example", "due_at": null, "blockers": [], "evidence": [ { "source": "manual", "source_ref": "tnt_demo/manual/GOV-1/governance-charter-2026.pdf", "collected_at": "2026-04-02T00:00:00Z", "expires_at": null, "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "open_ended", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 63, "days_until_expiry": null, "note": "No expiry date supplied; reviewer should confirm evidence recency expectations." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } } ], "crosswalk": [ { "framework": "ISO27001:2022", "code": "A.5.1", "confidence": "high" }, { "framework": "SOC2-TSC", "code": "CC1.1", "confidence": "medium" } ], "workbook_provenance": null, "evidence_summary": { "evidence_count": 1, "fresh_count": 1, "stale_count": 0, "accepted_review_count": 0, "needs_rework_review_count": 0, "parsed_artifact_count": 0, "highest_parser_confidence": null, "freshness_note": "Fresh evidence exists at export time." }, "assessor_notes": [ "Pre-audit ready: control has fresh evidence and has been marked ready.", "Evidence is collected but still needs an accepted human review decision." ] }, { "code": "IR-2", "domain": "Incident Response", "title": "Incident response capability is tested", "state": "in_progress", "is_ready": false, "score_status": "partial", "score_weight": 0.5, "owner": "wei.tan@meridianpay.example", "due_at": "2026-07-15T09:00:00+00:00", "blockers": [ "Control in progress" ], "evidence": [ { "source": "connector", "source_ref": "crowdstrike:edr_coverage", "collected_at": "2026-05-29T02:00:00Z", "expires_at": "2026-08-29T02:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 5, "days_until_expiry": 86, "note": "Fresh at export time; expires in 86 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } }, { "source": "soc", "source_ref": "evp_demo_soc_0001", "collected_at": "2026-05-30T11:42:00Z", "expires_at": "2026-08-30T11:42:00Z", "fresh": true, "signature_ref": "ed25519:VoKCmDUZOK49zBn38D7GP6+4ksIzk9YLKBt7StfmDNX4nZp4ezyUvW5hLAc3xdvS+cK3p5l6FOGR7bdJktVvDw==", "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 4, "days_until_expiry": 87, "note": "Fresh at export time; expires in 87 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } } ], "crosswalk": [ { "framework": "ISO27001:2022", "code": "A.5.24", "confidence": "high" }, { "framework": "SOC2-TSC", "code": "CC7.3", "confidence": "high" } ], "workbook_provenance": null, "evidence_summary": { "evidence_count": 2, "fresh_count": 2, "stale_count": 0, "accepted_review_count": 0, "needs_rework_review_count": 0, "parsed_artifact_count": 0, "highest_parser_confidence": null, "freshness_note": "Fresh evidence exists at export time." }, "assessor_notes": [ "Partial: evidence exists, but closure still needs accepted review, refresh, or remaining control work.", "Evidence is collected but still needs an accepted human review decision.", "Open blocker(s): Control in progress" ] }, { "code": "LOG-1", "domain": "Logging and Monitoring", "title": "Central security logging", "state": "ready", "is_ready": true, "score_status": "met", "score_weight": 1, "owner": "mei.lim@meridianpay.example", "due_at": null, "blockers": [], "evidence": [ { "source": "connector", "source_ref": "aws:audit_logging", "collected_at": "2026-05-26T02:00:00Z", "expires_at": "2026-08-26T02:00:00Z", "fresh": true, "signature_ref": null, "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 8, "days_until_expiry": 83, "note": "Fresh at export time; expires in 83 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } }, { "source": "soc", "source_ref": "evp_demo_soc_0001", "collected_at": "2026-05-30T11:42:00Z", "expires_at": "2026-08-30T11:42:00Z", "fresh": true, "signature_ref": "ed25519:VoKCmDUZOK49zBn38D7GP6+4ksIzk9YLKBt7StfmDNX4nZp4ezyUvW5hLAc3xdvS+cK3p5l6FOGR7bdJktVvDw==", "artifacts": [], "reviews": [], "freshness": { "status": "fresh", "evaluated_at": "2026-06-04T00:00:00Z", "age_days": 4, "days_until_expiry": 87, "note": "Fresh at export time; expires in 87 day(s)." }, "parser_summary": { "artifact_count": 0, "parsed_count": 0, "highest_confidence": null, "parser_hints": [], "has_extracted_fields": false }, "review_summary": { "review_count": 0, "accepted_count": 0, "needs_rework_count": 0, "latest_decision": null, "latest_quality": null, "requires_human_review": true } } ], "crosswalk": [ { "framework": "ISO27001:2022", "code": "A.8.15", "confidence": "high" }, { "framework": "SOC2-TSC", "code": "CC7.2", "confidence": "high" } ], "workbook_provenance": null, "evidence_summary": { "evidence_count": 2, "fresh_count": 2, "stale_count": 0, "accepted_review_count": 0, "needs_rework_review_count": 0, "parsed_artifact_count": 0, "highest_parser_confidence": null, "freshness_note": "Fresh evidence exists at export time." }, "assessor_notes": [ "Pre-audit ready: control has fresh evidence and has been marked ready.", "Evidence is collected but still needs an accepted human review decision." ] } ], "fusion": [ { "evidence_id": "evp_demo_soc_0001", "kind": "response_action", "signature": "ed25519:VoKCmDUZOK49zBn38D7GP6+4ksIzk9YLKBt7StfmDNX4nZp4ezyUvW5hLAc3xdvS+cK3p5l6FOGR7bdJktVvDw==" } ], "disclaimer": "Readiness snapshot prepared for accredited-assessor review — not a certification. The Cyber Trust mark is issued by an accredited assessor. Synthetic demo data only." }