OSCAL exports

Machine-readable security controls in NIST OSCAL format: 12 artefacts spanning a component definition, system security plans (SaaS and BYOC), profiles for 6 compliance regimes, and the continuous assessment layer (assessment plan, assessment results and POA&M). All are signed, versioned, and downloadable for procurement and regulator review.

Why OSCAL?

OSCAL (Open Security Controls Assessment Language) is the NIST machine-readable standard for security controls. Procurement teams, regulators, and assurance auditors can ingest IOF's posture directly — no spreadsheet shuttling, no PDF re-keying, no version drift between vendors.

Reference: NIST SP 800-53 Rev 5 control catalog, serialized per OSCAL 1.1.x (current). Schema documentation at pages.nist.gov/OSCAL.

Implementation layer (3 artefacts)

Component Definition — IOF Platform

Published

Machine-readable component definition for the IOF platform including all 73 rails, 11 named engines, 282 Cerbos policies, and 13-regime compliance posture.

JSON / YAML
312 controls

System Security Plan — IOF SaaS (Multi-tenant)

Published

SSP for the IOF SaaS deployment — covers tenancy model, encryption, access control, audit logging, incident response, business continuity. NIST 800-53 Rev 5 baseline.

JSON / YAML
287 controls

System Security Plan — IOF BYOC (Customer-hosted)

Published

SSP for the IOF BYOC deployment. Covers the Helm charts, Docker Compose files and Terraform modules, customer-managed KMS, and customer-managed identity. Inherits its control implementations from the IOF Platform component definition.

JSON / YAML
287 controls

Profile layer (6 artefacts)

Profile — AAOIFI Shariah Standards

Published

Tailored profile mapping AAOIFI SS-8, SS-9, SS-12, SS-13, SS-17, SS-26, SS-30, SS-39 to the IOF platform's enforced controls.

JSON
84 controls

Profile — SOC 2 Trust Services Criteria

Published

TSC Security + Availability + Confidentiality + Processing Integrity + Privacy mapped to the IOF control set.

JSON
64 controls

Profile — ISO/IEC 27001:2022 Annex A

Published

93 Annex A controls mapped to the IOF control set; ~80% evidence reuse with SOC 2.

JSON
93 controls

Profile — EU AI Act (Annex III high-risk)

Published

Risk classification, technical documentation, post-market monitoring, and bridge controls to the fundamental rights impact assessment (FRIA).

JSON
47 controls

Profile — DORA (Digital Operational Resilience Act)

Published

ICT risk management, third-party risk, incident reporting, resilience testing.

JSON
38 controls

Profile — PSD3 / PSR (designed-for)

Draft

Designed-for PSD3 / PSR profile pending final published rules. Will lock when in force.

JSON
41 controls

Assessment layer (3 artefacts)

Assessment Plan — Quarterly Self-Audit

Published

Quarterly self-assessment plan executed by the Self-Audit Engine. Sample size, methodology, evidence gathering, exception handling.

JSON
312 controls

Assessment Results — 2026-Q1 Self-Audit

Published

2026-Q1 self-audit results. Coverage 100%, deviations 3, remediation plan attached. Evidence pack signed.

JSON
312 controls

Plan of Action and Milestones — 2026-Q1

Published

POA&M tracking the 3 deviations from 2026-Q1 self-audit. Closure dates, owners, evidence requirements.

JSON
3 controls
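The assessment layer is the part a reviewer should reconcile mechanically rather than read: every not-satisfied finding in the assessment results should be tracked by a POA&M item, no POA&M item should point at a finding that does not exist, and a regime-specific reviewer wants only the findings whose controls sit in that regime's profile. The script below is an added example of that cross-check, not IOF's own tooling. It assumes only the OSCAL 1.1 JSON field names (profile imports / include-controls / with-ids, results / findings / target, poam-items / related-findings); the three documents it reads are constructed minimal samples with hypothetical UUIDs and titles, populated only in the fields the checks touch.

```python
"""Reconcile an OSCAL profile, assessment results (SAR) and POA&M.

Added example for this page, not IOF's own tooling. The documents below are
constructed, minimal OSCAL 1.1 JSON with hypothetical UUIDs and titles.
"""
import json

# Constructed sample profile: one import selecting three controls by id.
PROFILE_JSON = json.dumps({
    "profile": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "Sample profile", "version": "1.0",
                     "oscal-version": "1.1.2",
                     "last-modified": "2026-01-01T00:00:00Z"},
        "imports": [{"href": "catalog.json",
                     "include-controls": [{"with-ids": ["ac-2", "au-2", "ir-4"]}]}],
        "merge": {"as-is": True},
    }
})

# Hypothetical finding UUIDs that tie the SAR and POA&M together.
F_AC2, F_AU2, F_IR4, F_SC7 = (f"a0000000-0000-4000-8000-00000000000{i}" for i in "1234")
F_MISSING = "a0000000-0000-4000-8000-000000000009"  # referenced by POA&M, absent from SAR


def _finding(uuid, target_type, target_id, state):
    """Build a minimal OSCAL finding with a statement- or objective-level target."""
    return {"uuid": uuid, "title": f"Finding for {target_id}",
            "description": "constructed sample",
            "target": {"type": target_type, "target-id": target_id,
                       "status": {"state": state}}}


# Constructed sample SAR: four findings, two of them deviations.
SAR_JSON = json.dumps({
    "assessment-results": {
        "uuid": "22222222-2222-4222-8222-222222222222",
        "metadata": {"title": "Sample self-audit results", "version": "1.0",
                     "oscal-version": "1.1.2",
                     "last-modified": "2026-03-31T00:00:00Z"},
        "import-ap": {"href": "assessment-plan.json"},
        "results": [{
            "uuid": "33333333-3333-4333-8333-333333333333",
            "title": "Q1 self-audit", "start": "2026-01-15T00:00:00Z",
            "reviewed-controls": {"control-selections": [{"include-all": {}}]},
            "findings": [
                _finding(F_AC2, "objective-id", "ac-2_obj", "satisfied"),
                _finding(F_AU2, "statement-id", "au-2_smt.a", "not-satisfied"),
                _finding(F_IR4, "objective-id", "ir-4_obj", "not-satisfied"),
                _finding(F_SC7, "objective-id", "sc-7_obj", "satisfied"),
            ],
        }],
    }
})

# Constructed sample POA&M: one valid item, one pointing at a finding the SAR lacks.
POAM_JSON = json.dumps({
    "plan-of-action-and-milestones": {
        "uuid": "44444444-4444-4444-8444-444444444444",
        "metadata": {"title": "Sample POA&M", "version": "1.0",
                     "oscal-version": "1.1.2",
                     "last-modified": "2026-03-31T00:00:00Z"},
        "import-ssp": {"href": "ssp.json"},
        "poam-items": [
            {"uuid": "55555555-5555-4555-8555-555555555555", "title": "Close au-2 gap",
             "description": "constructed", "related-findings": [{"finding-uuid": F_AU2}]},
            {"uuid": "66666666-6666-4666-8666-666666666666", "title": "Stale item",
             "description": "constructed", "related-findings": [{"finding-uuid": F_MISSING}]},
        ],
    }
})


def profile_control_ids(profile):
    """Control ids a profile selects explicitly via include-controls/with-ids."""
    ids = set()
    for imp in profile["profile"].get("imports", []):
        for sel in imp.get("include-controls", []):
            ids.update(sel.get("with-ids", []))
    return ids


def control_of(target_id):
    """Map a statement/objective target id (e.g. 'au-2_smt.a') to its control id."""
    return target_id.split("_", 1)[0]


def reconcile(profile, sar, poam):
    """Return the discrepancies between a SAR, its POA&M and a profile's scope."""
    scope = profile_control_ids(profile)
    findings = {}  # finding uuid -> (control id, status state)
    for result in sar["assessment-results"]["results"]:
        for f in result.get("findings", []):
            t = f["target"]
            findings[f["uuid"]] = (control_of(t["target-id"]), t["status"]["state"])
    referenced = {ref["finding-uuid"]
                  for item in poam["plan-of-action-and-milestones"].get("poam-items", [])
                  for ref in item.get("related-findings", [])}
    deviations = {u for u, (_, state) in findings.items() if state == "not-satisfied"}
    return {
        "deviations": sorted(deviations),
        "untracked": sorted(deviations - referenced),        # deviation with no POA&M item
        "dangling": sorted(referenced - set(findings)),      # POA&M item with no finding
        "outside_profile": sorted(u for u, (c, _) in findings.items() if c not in scope),
    }


def run_sample():
    """Run the reconciliation over the constructed sample documents."""
    return reconcile(json.loads(PROFILE_JSON), json.loads(SAR_JSON), json.loads(POAM_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the samples, the ir-4 deviation is reported as untracked, the stale POA&M item as dangling, and the sc-7 finding as outside the profile's scope. The last bucket is not an error in the SAR itself (an assessment covers the whole implementation, while a profile covers one regime); it is the filter a regime-specific auditor applies before reading the rest. Against a real bundle, replace the constructed JSON with the downloaded files and verify their signatures before trusting any of the counts.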

Request OSCAL bundle

Bundle of all published artefacts is available under MNDA for procurement teams and accredited auditors.