The Archvault Standard
The Archvault Standard defines the cybersecurity controls an organisation must implement, evidence and maintain to achieve certification. It is designed to be rigorous enough to satisfy enterprise due diligence, and practical enough for small and mid-sized organisations to achieve.
Control domains
- Boundary and network securityControls at the perimeter and between network segments.
- Secure configurationHardened, minimal-footprint configuration of systems and devices.
- Access control and identityLeast-privilege access, authentication and identity management.
- Malware protectionDefences against malicious software across endpoints and infrastructure.
- Vulnerability and patch managementTimely identification and remediation of known vulnerabilities.
- Backup and recoveryIncluding verified recovery testing, not just backup existence.
- Incident response readinessA tested plan for detecting and responding to security incidents.
- Security awareness and phishing resilienceStaff training and measured resistance to phishing.
- Logging and monitoringVisibility into system activity sufficient to detect misuse.
- Supplier and third-party managementOversight of the security risk introduced by suppliers.
Controls are mapped to recognised national guidance and governance frameworks. Full standard documentation is available to organisations entering assessment.
How controls are verified
Certification under the Archvault Standard combines evidence-based review with technical verification. Assessors verify configurations and test outcomes; attestation alone is not sufficient.