Processing integrity — change management, redundancy, clock synchronisation, storage integrity

Primary statement

Processing integrity is covered by ISO A.8.32 (change management), A.8.17 (clock synchronisation) and A.8.14 (redundancy), SOC 2 PI1.5.a/b (storage integrity), NIST CSF and ISO 42001. The integrity of inputs, processing, outputs and storage drives operational reliability.

Audit-fatigue payoff

A unified processing integrity programme (change control, redundancy, clock sync, storage integrity) satisfies processing integrity requirements across all 5 contributing frameworks.

Strictness matrix

Scope
Inputs, items in processing, and outputs are stored completely, accurately and in a timely manner. Three-stage scope.
Ceiling source: soc2:PI1.5.a
Rationale: SOC 2 PI1.5.a three-stage scope is comprehensive.

Threshold
Stored inputs, items in processing and outputs are protected against unauthorised modification, alteration and destruction. Access controls restrict access to authorised personnel.
Ceiling source: soc2:PI1.5.b
Rationale: SOC 2 PI1.5.b protection threshold is the binary qualifier.

Method
Change management per A.8.32, clock synchronisation per A.8.17, redundancy per A.8.14, storage integrity per SOC 2 PI1.5, and integration with backup and recovery.
Ceiling source: iso27001:A.8.32
Rationale: ISO A.8.32 + A.8.17 + A.8.14 + SOC 2 PI1.5 combined are the most prescriptive.

Frequency
Clock synchronisation: continuous (NTP). Storage integrity verification: continuous (checksums, hashes). Redundancy testing: annual via DR test. Change management: per change.
Ceiling source: iso27001:A.8.17
Rationale: Continuous clock + integrity + annual redundancy is the cadence.

Evidence
Change management records, NTP configuration, redundancy architecture, storage integrity controls, and integrity verification logs.
Ceiling source: soc2:PI1.5.b
Rationale: SOC 2 PI1.5.b evidence is comprehensive for integrity.

Auditor test pattern

Step 1: Verify NTP synchronisation.
Step 2: Inspect redundancy architecture.
Step 3: Verify storage integrity controls.
Step 4: Sample change management record.
Step 5: Verify integrity verification logs.

Common findings

(1) Clock drift across systems goes undetected.
(2) Redundancy is theoretical: DR failover is incomplete.
(3) Storage integrity is claimed but verification is absent.
(4) Change management is bypassed for emergencies.