Section navigation
ARCS-VER: Verification and Audit
Minimum Profile
The ARCS-VER family addresses the problem of proving that declared governance conditions are real. The controls in this family govern evidence, traceability, audit support, and verification of record treatment across relevant systems and boundaries. These controls are grouped together because governance claims require substantiation. Retention, deletion, custody, and hold language are not sufficient on their own. They must be supportable by records, artifacts, and reviewable traces capable of independent examination.
The formal definition and scope of this family are maintained in the Standard.
| Control | Description |
|---|---|
| VER-01 | Documentation currency: the operator SHALL maintain current documentation of lifecycle and custody controls. |
| VER-02 | Internal verification: the operator SHALL perform periodic confirmation that controls operate as documented. |
| VER-03 | Vendor verification: the operator SHALL obtain vendor confirmation of retention, deletion, and preservation behavior. |
| VER-04 | Preservation verification: the operator SHALL confirm preservation posture is in effect and deletion is suspended. |
| VER-05 | Audit availability: the operator SHALL make documentation available for audit, regulatory, or legal review. |
| VER-06 | Attestation: the operator SHALL be able to attest to compliance with ARCS controls; attestation does not replace documentation. |
| VER-07 | Cross-vendor traceability: where conformance depends on behavior across multiple vendor surfaces, the audit evidence package SHALL permit an assessor to identify records across those surfaces. Where cross-surface identification is incomplete, disclose the limitation. |