Compliance Verification Certificate: Signed Proof Your Evidence Is Intact
Introduction
Compliance, GRC and internal-audit teams live and die by evidence. When an assessor asks you to show that the log exports, configuration dumps or data extracts you collected for a control are exactly what they were on the day you captured them, "trust me" is not an answer. A compliance verification certificate turns that assurance into a signed attestation: a short, readable document stating that a defined set of files is intact for a named compliance control, backed by cryptographic hashes and a cryptographic seal. This article explains what the certificate is, what it actually contains, where it fits in your evidence pack, and how e-Dex (formerly Hash Calculator) generates one entirely on your own machine.
What a Compliance Verification Certificate Is
A compliance verification certificate is a focused attestation that a specific set of records is bit-for-bit identical to a previously recorded state, scoped to a control you define. It is the integrity layer of your evidence: rather than describing whether a control is well designed or operating, it proves that the artefacts you are submitting as evidence have not changed since collection. That distinction matters. The certificate does not opine on compliance and it does not replace your auditor's judgement — it gives that auditor a defensible, reproducible basis for trusting the files in front of them. Think of it as the same idea as an evidence integrity certificate, framed for an audit and compliance context with a control reference attached.
What's Inside It
The certificate is built from real, structured fields rather than free prose. At the top sits the compliance scope and control reference — the framework (for example ISO/IEC 27001:2022), the specific control (such as A.8.15 Logging), the audit period (FY 2025-26) and the responsible auditor. Below that is the annexure: a numbered list of every file with its byte size, its SHA-256 hash and a per-file result of Verified. An overall verification result summarises the batch in one line — for example verified=2 failed=0 errors=0 — so the outcome is visible at a glance. The whole document is bound by an integrity SHA-256 seal, a single hash computed over every sealed line, and closed with a signed declaration stating that the hash values were computed with e-Dex and that the verification result accurately and completely reflects the integrity of the files against their recorded values.
Use Cases Across Frameworks
Because the certificate attests to file integrity for any control you name, it slots into many compliance workflows. For ISO/IEC 27001 internal and external audits, it backs the log, access-review and configuration evidence you hand to the assessor. For SOC 2 engagements, it lets you show the auditor that pulled samples and system exports were not edited between collection and review. For DPDP Act 2023 and GDPR evidence, it demonstrates that data-processing records, consent logs or breach-investigation exports are unaltered. And for regulatory submissions, it gives the regulator a clean, reproducible integrity statement over the files you file. In each case the framework, control and period are recorded as fields, and the file integrity is sealed behind them.
How e-Dex Generates It
Producing the certificate follows a short, repeatable path. Open the e-Dex Certificate Generator, choose the Compliance Verification template, and fill in the fields: the framework, control reference, audit period, auditor and the case or organisation details. Add the evidence files; e-Dex hashes each one and builds the annexure with its SHA-256 value and per-file result. You can then optionally sign the document with a PAdES digital signature using a Digital Signature Certificate on a USB token, and apply an RFC-3161 trusted timestamp to seal the exact time it was produced against an independent Time-Stamping Authority. Finally, export to PDF. The same engine produces the related backup integrity certificate for compliance, so your evidence pack stays consistent across document types.
Verifying It Offline
A certificate is only as good as the ability to check it independently, and e-Dex certificates are verifiable without any proprietary tool. To confirm the seal, recompute SHA-256 over each sealed line followed by a newline in UTF-8; the result must equal the SHA-256 seal printed on the document. To confirm the files themselves, re-hash them and compare against the SHA-256 values in the annexure; any mismatch means a file changed. Both checks are needed: the seal proves the certificate text has not been altered, while the annexure comparison proves the evidence files have not. If you applied a signature and timestamp, a standard PDF reader validates the PAdES signature and the RFC-3161 time without needing e-Dex at all. The signing and timestamping mechanics are covered in our guide to signing and timestamping a forensic certificate with PAdES and RFC-3161.
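The following script is an added illustration, not e-Dex's own code, of the structure described in "What's Inside It" and the offline check above (restated in the FAQ below): it builds the scope fields, annexure and result line for two constructed sample files, computes the seal as SHA-256 over each sealed line plus a newline in UTF-8, and then verifies both the seal and the files. The sealed-line layout (field=value lines and pipe-separated annexure lines) is an assumption, since the page does not publish e-Dex's exact format.

```python
import hashlib
import hmac

# Constructed sample evidence files standing in for log exports (not real data).
EVIDENCE = {
    "auth-log-2025-10.txt": b"Oct 01 00:00:01 host sshd[412]: Accepted publickey for ops\n",
    "firewall-config.json": b'{"default_policy": "deny", "logging": true}\n',
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sealed_lines(framework, control, period, auditor, files):
    """Assumed sealed-content layout (the page does not publish e-Dex's exact
    line format): scope fields, then one annexure line per file, then the
    overall result line. Each annexure line is index|name|size|sha256|result."""
    lines = [f"framework={framework}", f"control={control}",
             f"period={period}", f"auditor={auditor}"]
    for i, (name, data) in enumerate(sorted(files.items()), start=1):
        lines.append(f"{i}|{name}|{len(data)}|{sha256_hex(data)}|Verified")
    lines.append(f"result: verified={len(files)} failed=0 errors=0")
    return lines

def compute_seal(lines):
    """Integrity seal: SHA-256 over every sealed line followed by a newline, UTF-8."""
    h = hashlib.sha256()
    for line in lines:
        h.update((line + "\n").encode("utf-8"))
    return h.hexdigest()

def verify_certificate(lines, seal, files):
    """Return (seal_ok, per_file). seal_ok says the certificate text is unchanged;
    per_file maps each annexure file name to True only if the file is present and
    still matches the size and SHA-256 recorded in the annexure."""
    seal_ok = hmac.compare_digest(compute_seal(lines), seal)
    per_file = {}
    for line in lines:
        parts = line.split("|")
        if len(parts) != 5:  # scope or result line, not an annexure entry
            continue
        _, name, size, expected, _ = parts
        data = files.get(name)
        per_file[name] = (data is not None and len(data) == int(size)
                          and hmac.compare_digest(sha256_hex(data), expected))
    return seal_ok, per_file
```

Note that editing an evidence file leaves the seal valid, because the seal covers the certificate text, not the files; only the annexure comparison catches it, which is why both checks are run.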
What It Does Not Claim
It is worth being precise about the boundary. e-Dex documents file integrity to support your compliance evidence; it does not certify regulatory compliance itself. The certificate tells a reader that the listed files are unchanged against recorded values for the control you named — nothing more. Whether the control is met, whether your programme satisfies a standard, and how a regulator or assessor weighs the evidence are all judgements outside the tool. Using e-Dex does not make an organisation compliant; it gives compliant evidence-handling a verifiable, reproducible backbone.
See a sample Compliance Verification Certificate
This is a real certificate produced by e-Dex, shown with fictitious case data, for illustration only. Recompute the SHA-256 seal printed on it to watch the integrity check work.
Frequently Asked Questions
Does a compliance verification certificate prove my organisation is compliant?
No. A compliance verification certificate documents that a defined set of files is intact and unaltered against recorded hash values, scoped to a control you name. It supports your compliance evidence; it does not certify regulatory compliance itself. Whether a control is met is a judgement for your auditor or assessor based on the full body of evidence. e-Dex helps you produce the integrity attestation, not a compliance opinion.
What goes inside a compliance verification certificate?
It records the compliance scope and control reference (for example framework, control, audit period and auditor), an annexure listing each file with its size, SHA-256 hash and per-file result, an overall verification result such as verified=2 failed=0 errors=0, an integrity SHA-256 seal computed over the sealed content, and a signed declaration that the values were computed with e-Dex and reflect the integrity of the files.
Does e-Dex need an internet connection to generate the certificate?
No. e-Dex runs fully offline on your own Windows machine. Hashing the files, building the annexure, computing the SHA-256 seal and exporting the PDF all happen locally, so your evidence files never leave your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.
How do I verify a compliance verification certificate offline later?
Recompute SHA-256 over each sealed-content line followed by a newline in UTF-8; the result must equal the SHA-256 seal printed on the certificate. To check the underlying files, re-hash them with e-Dex and compare against the SHA-256 values in the annexure. If the certificate was PAdES-signed and RFC-3161 timestamped, a standard PDF reader can confirm the signature and timestamp without any e-Dex-specific tool.
Which compliance frameworks can it support evidence for?
Because the certificate simply attests to file integrity for a control you define, it can support evidence for frameworks such as ISO/IEC 27001, SOC 2, and data-protection regimes like the DPDP Act 2023 and GDPR, as well as regulatory submissions where you must show that exported records were not altered. You record the framework, control and audit period as fields; e-Dex seals the file integrity behind them.
Conclusion
A compliance verification certificate gives compliance, GRC and audit teams a one-page, verifiable fact: these evidence files are intact for this control, proven by SHA-256 hashes and a cryptographic seal, and optionally signed and timestamped. It does not certify that you are compliant — that judgement stays with your assessor — but it gives them a defensible, reproducible basis to trust your evidence. You can produce one in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and give your evidence pack an integrity backbone it can stand on.