Compliance & Standards

Aligned with the frameworks you already report to.

Struktive doesn't just normalise your asset data — it structures it to meet the documentation requirements of the security, regulatory, and industry standards your organisation already follows. Every export is tamper-evident, every change is tracked, and every audit pack is independently verifiable.

SOC 2 CC6.1 · ISO 27001 A.5.9 · NIST SP 800-53 CM-8 · PCI DSS 12.5.1 · EU EED 2024/1364 · EN 50600 · NIS2 · IEC 62443 · NIST 800-82 · TIA-942 · ASHRAE TC 9.9

Tamper-Evident Audit Packs

WORM-equivalent

SHA-256 sealed · 12-month retention · Independently verifiable

Every Compliance Audit Pack is fingerprinted with a SHA-256 hash at the moment of generation and written to an immutable record with a 12-month retention period. The hash is sealed — it cannot be altered after the pack is created.

  • SHA-256 fingerprint computed from the XLSX bytes at export time
  • Immutable audit record: Pack ID, S3 key, hash, file size, generated at, retained until
  • Independent verification: re-compute the hash yourself and compare
  • Tamper-Evident badge on every Compliance Audit Pack card
  • Audit Pack Registry in the admin panel for full organisational oversight
The compliance difference: Right now the audit trail is trustworthy because Struktive says it is. With a SHA-256 sealed record, the audit trail is trustworthy because it is physically impossible to alter it after generation. That is a different conversation with a compliance officer.

Baseline Diffing & Re-Ingestion

Accountability loop

Point-in-time snapshots · Change Report XLSX · Drift detection

Every job creates a baseline for its site. When you re-upload an updated inventory, Struktive automatically diffs it against the previous baseline — showing exactly what changed, what was added, and what was removed since the last snapshot.

  • Automatic baseline creation on every job completion
  • Cascading record matching: serial → hostname+model → rack position
  • Change classification: Added, Removed, Changed, Unchanged, Score Change
  • Field-level diff for every Changed record
  • 6-sheet Change Report XLSX: Cover, Summary Dashboard, Added, Removed, Changed, Full Comparison
  • Change Report fingerprinted and sealed alongside the Compliance Audit Pack
The accountability loop: Struktive produces the clean, scored baseline. The DCIM platform owns ongoing change management. The connection point is the normalised asset ID and serial that Struktive outputs and the DCIM tracks forward. Periodic re-ingestion closes the loop.
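The cascading match and change classification described above, sketched as an added example (not Struktive's code). The field names, the sample rows and the rule that ambiguous keys stay unmatched are assumptions; Score Change is not modelled.

```python
# Added example: field names and rows are constructed, not Struktive's schema.
MATCH_TIERS = [("serial",), ("hostname", "model"), ("site", "rack", "unit")]
COLS = ("serial", "hostname", "model", "site", "rack", "unit")

def _key(rec, fields):
    vals = tuple(str(rec.get(f) or "").strip().lower() for f in fields)
    return vals if all(vals) else None  # a blank field disqualifies this tier

def _unique_index(records, idxs, fields):
    """Map key -> record index, keeping only keys that occur exactly once."""
    seen = {}
    for i in idxs:
        k = _key(records[i], fields)
        if k is not None:
            seen.setdefault(k, []).append(i)
    return {k: v[0] for k, v in seen.items() if len(v) == 1}

def diff_baseline(old, new):
    free_old, free_new = set(range(len(old))), set(range(len(new)))
    pairs = []
    for fields in MATCH_TIERS:  # strongest identifier first
        o = _unique_index(old, free_old, fields)
        n = _unique_index(new, free_new, fields)
        for k in o.keys() & n.keys():
            pairs.append((o[k], n[k], fields))
            free_old.discard(o[k])
            free_new.discard(n[k])
    report = {"Added": [new[j] for j in sorted(free_new)],
              "Removed": [old[i] for i in sorted(free_old)],
              "Changed": [], "Unchanged": []}
    for i, j, fields in sorted(pairs):
        delta = {f: (old[i].get(f), new[j].get(f))
                 for f in sorted(old[i].keys() | new[j].keys())
                 if old[i].get(f) != new[j].get(f)}
        if delta:  # field-level diff as (old value, new value)
            report["Changed"].append({"matched_on": fields, "fields": delta})
        else:
            report["Unchanged"].append(new[j])
    return report

def row(*values):
    return dict(zip(COLS, values))

OLD = [row("SN100", "db01", "R740", "LON1", "A01", "10"),
       row("", "sw01", "N9K", "LON1", "A02", "40"),
       row("SN300", "web03", "R640", "LON1", "A03", "5")]
NEW = [row("SN100", "db01", "R740", "LON1", "B07", "10"),   # rack move
       row("SN200", "sw01", "N9K", "LON1", "A02", "40"),    # serial filled in
       row("SN400", "web09", "R650", "LON1", "A04", "5")]   # new device
```

Recording which tier produced each match lets a reviewer single out records paired on a weaker key, such as the second row here, where the serial itself differs between snapshots.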

Public Verification Endpoint

Every Compliance Audit Pack has a public verification URL at struktive.io/verify/{packId}. Share the link with your auditor, QSA, or compliance officer — they can independently verify the SHA-256 fingerprint without needing access to the platform. No login required.

The verification page re-fetches the file from storage, recomputes the SHA-256, and compares it against the sealed record in real time. A green verified status means the file is byte-for-byte identical to what was generated. A tampered status triggers an immediate alert.

Security & Audit

SOC 2 · ISO 27001 · NIST SP 800-53 · PCI DSS

SOC 2 CC6.1

SOC 2 — Common Criteria 6.1

Logical and Physical Access Controls. Requires a complete, auditable inventory of all system components with documented chain of custody.

Struktive outputs that satisfy this requirement
  • Complete asset register with hostname, vendor, model, serial number, and location
  • Transformation audit trail showing every normalisation change made to each record
  • Duplicate detection register identifying assets that appear more than once
  • Chain-of-custody metadata linking each output row to its source input row
  • SHA-256 fingerprint of the source file sealed at ingestion time — tamper-evident by design
  • Compliance Audit Pack written to immutable storage with 12-month retention and public verification URL
Why it matters: Auditors reviewing CC6.1 will ask for evidence of what assets exist, where they are, and how the inventory was produced. Struktive's six-tab Compliance Audit Pack provides all three — and the WORM-sealed SHA-256 fingerprint means the pack cannot be altered after generation.

ISO 27001 A.5.9

ISO/IEC 27001:2022 — Annex A Control 5.9

Inventory of Information and Other Associated Assets. Requires organisations to identify, document, and maintain an inventory of assets associated with information and information processing facilities.

Struktive outputs that satisfy this requirement
  • Normalised asset register with asset type classification (Compute, Storage, Network, Power, Cooling)
  • Vendor and model normalisation resolving aliases to canonical names
  • Location hierarchy standardisation (site > hall > row > rack > unit)
  • Asset status classification (Active, Inactive, Decommissioned, Unknown)
  • Baseline diffing: periodic re-ingestion shows what changed between inventory snapshots
Why it matters: ISO 27001 certification bodies expect a defensible, structured asset inventory that is maintained over time. Struktive's re-ingestion and baseline diffing directly address the 'maintained' requirement — every re-upload produces a Change Report showing additions, removals, and modifications since the last baseline.

NIST SP 800-53 CM-8

NIST Special Publication 800-53 — Control CM-8

Information System Component Inventory. Requires organisations to develop and document an inventory of information system components that accurately reflects the current system.

Struktive outputs that satisfy this requirement
  • Component inventory with make, model, serial number, and location fields
  • Asset category and sub-category classification for each component
  • Change history tracking via transformation audit trail
  • Exception and anomaly register for components that could not be fully normalised
  • Baseline Change Report: six-sheet XLSX showing Added, Removed, and Changed records between inventory cycles
Why it matters: CM-8 requires both the inventory and evidence that it is maintained. Struktive's audit trail, exception log, and baseline Change Report provide the 'how it was produced' and 'how it has changed' documentation that NIST assessors require.

PCI DSS 12.5.1

PCI DSS v4.0 — Requirement 12.5.1

Inventory of System Components in Scope. Requires a documented inventory of all system components that are in scope for the cardholder data environment.

Struktive outputs that satisfy this requirement
  • Scoped asset register with location and network segment fields
  • Vendor and model normalisation for accurate component identification
  • Duplicate detection to prevent double-counting of in-scope components
  • Data quality score per record to flag low-confidence entries for manual review
  • Immutable audit pack with public verification URL — shareable directly with QSAs
Why it matters: QSAs reviewing PCI DSS scope need a clean, deduplicated list of in-scope components with a verifiable chain of custody. Struktive's quality scoring helps prioritise which records need manual verification, and the WORM-sealed audit pack gives QSAs a tamper-proof evidence document they can independently verify.

European Regulatory

EU EED 2024/1364 · EN 50600 · NIS2

EU EED 2024/1364

EU Energy Efficiency Directive — Annex I & II

Requires data centre operators above 500 kW IT load to report annual energy consumption, IT equipment inventory, and cooling infrastructure to the European Commission.

Struktive outputs that satisfy this requirement
  • IT power demand classification by asset category (server, storage, network)
  • Rack count and rack unit utilisation summary
  • Cooling equipment inventory with classification (CRAC, CRAH, in-row, liquid)
  • UPS and power distribution inventory for PUE calculation support
Why it matters: EU EED Annex I requires specific asset-derived fields that most DCIM tools don't export in the required format. Struktive's EU EED Pre-Report tab produces the asset inventory section of the Annex I submission.

EN 50600

EN 50600 — European Data Centre Standard

The European equivalent of TIA-942. Defines availability classes (1–4), physical security requirements, energy efficiency metrics, and telecommunications cabling infrastructure standards for data centres.

Struktive outputs that satisfy this requirement
  • Infrastructure category classification aligned to EN 50600 availability classes
  • Physical location hierarchy documentation (site, building, room, row, rack)
  • Power and cooling equipment classification for redundancy documentation
  • Vendor and model normalisation for accurate infrastructure mapping
Why it matters: EN 50600 is increasingly cited in EU procurement RFPs alongside TIA-942. Struktive's normalised asset data provides the infrastructure documentation layer that EN 50600 availability class assessments require.

NIS2 Directive

In force Oct 2024

EU Network and Information Security Directive 2 (2022/2555)

In force since October 2024. Broadens the EU's cybersecurity regime to cover more sectors including data centre operators serving essential or important entities. Requires supply chain visibility, change tracking, and business continuity documentation.

Struktive outputs that satisfy this requirement
  • Complete asset register with vendor and supply chain provenance
  • Change tracking via transformation audit trail (what changed, when, from what source)
  • Duplicate and anomaly detection for data integrity assurance
  • Asset status classification supporting business continuity planning
  • Baseline diffing: periodic re-ingestion with Change Report satisfies NIS2 change management evidence requirements
  • WORM-sealed audit pack: tamper-evident evidence that cannot be altered after generation
Why it matters: NIS2 auditors will ask for evidence of what assets exist, who supplies them, and how changes are tracked. Struktive's audit trail, vendor normalisation, and WORM-sealed audit pack directly support the supply chain visibility, change management, and evidence integrity requirements.

Industry Standards

TIA-942 · ASHRAE TC 9.9

TIA-942

TIA-942 — Telecommunications Infrastructure Standard for Data Centers

Defines four infrastructure ratings (Rating 1–4) covering power, cooling, cabling, and physical security. The North American equivalent of EN 50600 and widely referenced in global DC procurement.

Struktive outputs that satisfy this requirement
  • Infrastructure category breakdown by asset type and location
  • Power and cooling equipment classification for redundancy tier documentation
  • Physical location hierarchy aligned to TIA-942 space planning requirements
  • Vendor and model normalisation for accurate infrastructure mapping
Why it matters: Struktive's normalised outputs support the asset documentation layer required for TIA-942 Rating assessments and certification preparation. Note: TIA-942 certification is a facility assessment — Struktive provides the documentation inputs, not the certification itself.

ASHRAE TC 9.9

ASHRAE Technical Committee 9.9 — Thermal Guidelines for Data Processing Environments

Defines equipment thermal classes (A1–A4, H1) and recommended temperature/humidity operating ranges. Used by facilities engineers for cooling adequacy assessment and capacity planning.

Struktive outputs that satisfy this requirement
  • Server and compute equipment classification by thermal class (A1–A4) based on vendor/model
  • Cooling equipment inventory (CRAC, CRAH, in-row, liquid cooling) for cooling capacity planning
  • IT load distribution by rack and row for hot-spot identification
  • Equipment age and model data supporting thermal class assignment
Why it matters: Facilities engineers evaluating cooling adequacy need to know what equipment is installed and what its thermal requirements are. Struktive's asset classification and cooling equipment inventory feed directly into ASHRAE-aligned capacity planning workbooks.

OT / ICS Cyber Security — IEC 62443, NIST 800-82, NIS2

DC & Mining

IEC 62443, NIST SP 800-82, and NIS2 all require operators to maintain a current inventory of network-addressable OT and IoT assets as the foundation of any industrial cyber security programme. Without a clean, classified asset register, there is no defensible attack surface to assess, no baseline to diff against, and no evidence to present to auditors.

Struktive's Cyber Readiness Export runs every asset through a 3-tier IoT/OT classification engine — model-level lookup for 70+ OEM product lines, category-level fallback, and ISA-95 Purdue Model layer assignment (Level 0–3). The output is a CSV with IoT_Capable, IoT_Confidence, Cyber_Risk_Tier, OT_Layer, and IoT_Evidence columns — ready to import into a CMDB, feed into a vulnerability scanner scope, or attach to a NIS2 asset inventory submission.

  • IEC 62443-2-1: Asset inventory as a prerequisite for zone and conduit modelling
  • NIST SP 800-82 Rev 3: OT asset inventory supporting network architecture documentation
  • NIS2 Article 21: Risk management measures require knowledge of all network-connected assets
  • ISA-95 Purdue Model layer assignment (Level 0 Sensors through Level 3 MES)
  • Wireless blasting system flag for mining operations (IEC 62443 Zone 0 equivalent)

DORA — Financial Sector

In force Jan 2025

The Digital Operational Resilience Act applies to banks, insurers, and their ICT service providers. DORA requires a complete ICT asset inventory, third-party dependency mapping, and defensible documentation of change management processes. Struktive's audit trail, WORM-sealed audit pack, and baseline Change Report directly support all three.

DORA is sector-specific and not included in the main framework grid above. If your customers include financial services firms or you operate as an ICT third-party provider to regulated entities, contact us to discuss how Struktive's outputs map to your DORA obligations.

Ready to produce compliance-ready asset data?

Upload a CSV of your data centre assets. Struktive normalises, classifies, and scores every record — returning a six-tab Compliance Audit Pack that is tamper-evident, independently verifiable, and aligned to the frameworks your auditors, regulators, and procurement teams require.

No login required. First 350 records free.