Compliance & Privacy

Built to the highest standards. Open by design.

A detailed account of how Cerberus aligns with the frameworks governments are held to — and why open protocols underpin every layer of what we deliver.

Regulatory Standards

What each standard means for government clients

ISO 27001, NIS2, and GDPR are not checkbox exercises at Cerberus — they define how we architect, operate, and audit our solutions.

ISO 27001 · Information Security Management

ISO 27001 is the globally recognised standard for information security management systems (ISMS). For government clients, certification against this standard signals that a supplier has systematically assessed its information risks and implemented a proportionate set of controls across people, processes, and technology. Cerberus solutions are designed and operated in alignment with ISO 27001 requirements — covering asset management, access control, cryptography, incident management, and supplier relationships. Regular internal and external audits verify that controls remain effective as threats evolve. For procurement teams, this means contractual assurance backed by an independently verified framework rather than vendor self-attestation.

NIS2 · Network & Information Security Directive

The EU's NIS2 Directive (2022/2555) raises the baseline for cyber resilience across critical infrastructure sectors — energy, transport, health, water, digital infrastructure, and public administration. It imposes mandatory incident reporting, supply-chain security obligations, and senior management accountability. Because many of our government clients fall within NIS2 scope — and because Cerberus operates as a managed security service provider serving those entities — our security practices, incident-response procedures, and supply-chain controls are aligned with the Directive's requirements. Clients can rely on Cerberus not only to help them meet their own NIS2 obligations, but as a partner whose operational standards will not introduce compliance risk into their supply chain.

GDPR · General Data Protection Regulation

The General Data Protection Regulation (EU 2016/679) sets the legal framework for processing personal data of EU residents. Privacy by design and by default is a core GDPR principle — meaning that data-protection safeguards must be built into systems from the outset, not added as an afterthought. Every Cerberus solution is architected with data minimisation, purpose limitation, and technical access controls embedded at the design stage. We respect data sovereignty: citizen data processed in the course of delivering a security service is never monetised, profiled, or transferred to third countries without appropriate safeguards. As a Portugal-based entity operating under EU jurisdiction, Cerberus is itself subject to GDPR — our compliance obligations are the same as our clients'.

Open Protocols · No Backdoors

The open-source commitment in full

Our solutions are built on published, peer-reviewed standards. Any auditor can inspect the cryptographic foundations, verify the logic, and confirm that no hidden access exists.

Open protocols, verifiable logic

Every cryptographic mechanism Cerberus deploys — TLS 1.3, AES-256, RSA/ECC key exchange, SHA-2 hashing — is drawn from published, peer-reviewed standards. There are no proprietary encryption algorithms, no closed-source cryptographic libraries, and no security-through-obscurity. Any government auditor or independent expert can inspect the protocol stack, verify the implementation, and confirm that it matches the published specification.

No hidden access

Cerberus was founded in Portugal specifically because of the country's track record of geopolitical neutrality and its absence of legislation compelling technology companies to embed backdoors or covert access mechanisms. We make an unconditional commitment: no hidden access exists in any solution we deliver. Our source code is available for review under appropriate non-disclosure arrangements, and our audit trail is designed so that any access event — by any party — is logged, timestamped, and cryptographically protected against tampering.

Independent auditability

Transparency is not a marketing claim — it is an architectural property. Governments and their appointed auditors can conduct independent technical reviews of our systems at any time. We maintain a complete and current Software Bill of Materials (SBOM) for every product component, so clients know exactly what open-source dependencies are present, at which versions, and whether any carry known vulnerabilities. Patch timelines are contractually committed and publicly documented.

Cryptographic stack — verifiable at any time

# cryptographic handshake
protocol = "TLS 1.3 / open"
encryption = "AES-256-GCM"
key_exchange = "ECDHE / X25519"
audit_trail = true
backdoors = none
source = "verifiable"
sbom = "available on request"

How We Are Audited

Independent verification, not self-certification

Cerberus undergoes structured external review so that government procurement teams can rely on verified evidence rather than vendor claims.

External

Third-party certification audits

ISO 27001 certification is awarded and maintained through independent audits conducted by accredited certification bodies. Auditors examine our ISMS documentation, interview staff, and test controls — not just review paperwork. Re-certification audits occur on a three-year cycle with annual surveillance audits in between to confirm continued compliance.

Continuous

Ongoing internal audit programme

Between external audit cycles, Cerberus runs a structured internal audit programme covering every area of the ISMS. Findings are tracked through a formal non-conformance and corrective-action process. Audit results are reported to senior management and reviewed at quarterly management-review meetings.

On Request

Client and government audits

Government clients and their appointed auditors may conduct technical reviews of Cerberus systems under appropriate non-disclosure arrangements. We provide access to our SBOM, architecture documentation, security test reports, and audit logs. We treat client audit rights as a standard contractual commitment, not an exceptional concession.

Secure sovereign systems with confidence.

Speak with our team about protecting your critical infrastructure, sensitive data, and public trust.

Work With Us