Certification Readiness

OpenCompliance can strengthen certification readiness. It does not replace certification bodies.

The right question is not "can OpenCompliance certify ISO 27001?" The right question is: how far can a scoped corridor move from loose evidence collection toward a proof-carrying certification-readiness package, and where do accredited certification bodies, CPA firms, and human judgment still remain essential? This page answers that boundary directly.

The Ladder

Stage 1

Inventory and mapping

The standard is decomposed into candidate controls and obligations, but the result is still mainly a semantic map. This is where frameworks stop being slogans and become a machine-readable backlog.

Stage 2

Typed evidence and scoped corridor

The mapped obligations now have typed evidence contracts, clear scope boundaries, and route labels such as decidable, attestation, or judgment. This is where a company can start producing a real readiness package.

Stage 3

Proof-carrying corridor

The decidable slice is Lean-backed, the verifier produces a trust-surface report, and the result is replayable. This is the strongest current OpenCompliance state for narrow technical corridors.

Stage 4

Certification-readiness package

A scoped package exists for external review: mappings, typed evidence, proofs where possible, attestations where necessary, judgment markers where unavoidable, and a tamper-evident replay bundle. This can materially improve audit and certification preparation.

Stage 5

Accredited certification or formal assurance opinion

This is still external. Certification bodies, accreditation schemes, CPA firms, and regulators keep their role. OpenCompliance can improve the evidence substrate, but it does not become the institution that issues the certificate or opinion.
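The ladder above treats a corridor as data: obligations carry a route label, the replay bundle must be tamper-evident, and the trust-surface report must state exactly what the outcome rests on. The following is an added illustration in Python, not OpenCompliance's own schema or code; the obligation records, the `opencompliance-corridor-v0` chain label and the claim names are constructed for the example.

```python
import hashlib
import json

# Constructed sample corridor (hypothetical records, not the project's real schema).
# Each obligation carries one route label from the ladder: decidable (Lean-backed),
# attestation (signed human statement) or judgment (left to the external reviewer).
SAMPLE_CORRIDOR = [
    {"id": "OBL-1", "route": "decidable", "evidence": {"type": "lean_proof", "theorem": "tls_min_version_ok"}},
    {"id": "OBL-2", "route": "decidable", "evidence": {"type": "lean_proof", "theorem": "mfa_required_for_admins"}},
    {"id": "OBL-3", "route": "attestation", "evidence": {"type": "signed_statement", "signer": "ciso@example.test"}},
    {"id": "OBL-4", "route": "judgment", "evidence": {"type": "reviewer_note", "text": "scope adequacy"}},
]

def canonical(obj):
    """Deterministic JSON so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def replay_bundle(corridor):
    """Hash-chain the obligations in a fixed order so a replayer detects any
    edit, omission or insertion; returns the chain head as hex."""
    head = hashlib.sha256(b"opencompliance-corridor-v0").hexdigest()  # constructed label
    for item in sorted(corridor, key=lambda i: i["id"]):
        head = hashlib.sha256(bytes.fromhex(head) + canonical(item)).hexdigest()
    return head

def trust_surface(corridor):
    """Say exactly what the outcome rests on: how much is proved, how much is
    attested, how much is still judgment, plus the digest a reviewer can replay."""
    report = {"decidable": 0, "attestation": 0, "judgment": 0}
    for item in corridor:
        if item["route"] not in report:
            raise ValueError(f"unknown route label: {item['route']!r}")
        report[item["route"]] += 1
    report["bundle_digest"] = replay_bundle(corridor)
    return report

def claim(corridor):
    """The only claim the package supports. Even a fully decidable corridor is a
    proof-carrying corridor (stage 3), never a certificate (stage 5)."""
    report = trust_surface(corridor)
    if report["attestation"] or report["judgment"]:
        return "readiness-package"
    return "fully-decidable-corridor"
```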

Where ISO 27001 and SOC 2 sit today

ISO 27001

Broad mapping, narrow proofs, blocked exact anchors

The current ISO 27001 bridge is strong, but it is not a certification replacement. Publicly, OpenCompliance currently exposes 85 mapped controls, 22 Lean-backed controls, and 71 blocked exact-anchor items pending licensed review. That puts the whole-framework story between stages 2 and 3, not at stage 5.

SOC 2

Same honesty rule, different assurance institution

The current SOC 2 bridge sits in the same general place: strong overlap mapping and narrow proof-carrying corridors, but still short of a CPA examination and opinion. Exact-anchor publication is blocker-aware: 50 promoted controls are held back from public exact anchors pending licensed review.

What is ready now

Narrow technical corridors can already reach stage 3

The cyber-baseline and issued corridors, and parts of the medium corridor, already show the useful state: typed evidence, exact proof-versus-attestation boundaries, replayable bundles, and a trust-surface report that says exactly what the outcome rests on.

What still blocks stage 4 and 5

Exact anchors, live evidence, real trust roots, outside review

The current hard blockers are licensed exact-anchor review for proprietary standards, live organisation evidence and connectors instead of synthetic-only corridors, real signer and witness identities, and external reviewer rounds with practitioners and assurance specialists.

What you can say today

Safe statement

"We can produce an OpenCompliance certification-readiness package for a scoped ISO 27001 or SOC 2 corridor, showing what is proved, what is attested, what remains judgment-dependent, and how the result can be replayed."

Unsafe statement

"OpenCompliance proved ISO 27001" or "OpenCompliance replaces a certification body, CPA firm, or regulator." The system can strengthen preparation and evidence quality; it does not erase the external institution.

What certifiers and auditors still do

Scope

They judge organisational scope and sufficiency

External reviewers still decide whether the scope is appropriate, whether the ISMS or control environment is adequate, and whether the corridor evidence is enough for the claim being made.

Sampling

They go beyond the mechanised corridor

Certification and assurance work often includes interviews, sampling, physical controls, governance review, and adequacy judgments that remain outside the current proof corridor.

Institution

They issue the certificate or opinion

The formal certificate, report, or opinion remains attached to an institution operating inside an accreditation or assurance regime. OpenCompliance does not become that institution by publishing better artifacts.

Challenge

They challenge the package from the outside

The real value of the package is that outside reviewers can inspect, replay, question, and disagree with it more precisely than they can with a static PDF bundle or a green dashboard tile.

What must happen next

Step 1

Finish licensed exact-anchor review

Work through the blocked ISO 27001 and SOC 2 controls with the prepared private review packets so the public-control layer can become more exact without bluffing.

Step 2

Bring in live evidence

Move beyond synthetic-only corridors by connecting real system exports, real attestation flows, and real scope boundaries for at least one organisation-grade package.

Step 3

Use real signer and witness identities

Replace synthetic trust roots with real release identities, witness identities, and publication roots so the trust surface is not only structurally sound but institutionally meaningful.

Step 4

Run external reviewer rounds

Subject the corridor and mapping program to ISO 27001 practitioners, SOC 2 assurance reviewers, OSCAL specialists, and formal-methods reviewers before calling it a reference-quality package.