Five international management standards, clipped together into a single integrated management system. Each answers one question about how a trustworthy organisation should behave — and each is backed not by paperwork alone, but by tamper-evident, cryptographically verifiable evidence.
Modern ISO management-system standards share a common backbone — the Harmonised Structure (Annex SL). That shared architecture is what lets these five operate as one system rather than five silos: the same context, leadership, planning, support, operation, evaluation and improvement clauses, applied to five different concerns.
ISO 9001 ensures the organisation consistently delivers value — meeting commitments and improving, every time, not occasionally.
A process-based system built on Plan–Do–Check–Act: define what good looks like, do it repeatably, measure it, and correct course. For the Foundation, this is the discipline that keeps every programme, product and partnership dependable rather than heroic.
ISO/IEC 27001 protects information and the trust placed in it — confidentiality, integrity and availability, managed by design.
An Information Security Management System (ISMS) that treats security as an ongoing risk-managed programme, not a checklist. Its 93 Annex A controls span people, process and technology — and map directly onto selfdriven's identity-first architecture.
ISO/IEC 42001 governs the responsible use of AI — the world's first certifiable AI Management System (AIMS).
It brings AI under the same disciplined lifecycle as quality and security: accountability, transparency, human oversight, and continuous risk assessment across every model and agent. Essential for an organisation where AI agents do real work under real authority.
ISO 22301 ensures resilience under disruption — the ability to keep delivering when something goes wrong, and to recover deliberately.
A Business Continuity Management System built around impact analysis, recovery objectives and tested response plans. It turns "we hope we'd cope" into a rehearsed, evidenced capability that stakeholders can rely on.
ISO 31000 provides the decision-making framework for managing uncertainty. It is guidance, not a certifiable requirement — because it isn't a box to tick, it's how the whole organisation thinks.
Every one of the standards above is risk-based at its core. ISO 31000 is the shared reasoning that runs underneath them: identify what's uncertain, understand it, decide proportionately, and treat it. It's the operating system; quality, security, AI governance and continuity are the applications that run on top.
Risk is the substrate. Four disciplines stand on it. Trust is what the whole structure produces.
Because four of the five share the Harmonised Structure (Annex SL), they don't compete for attention — they reuse the same leadership, planning, evaluation and improvement machinery. One internal audit, one management review, one risk register, one culture. That's the difference between running five certificates and running one integrated management system.
Conventional assurance rests on documents and an annual audit — you trust that what's written down reflects what actually happened. selfdriven closes that gap. The management system defines what good looks like; KERI/ACDC produces the evidence; a human conductor stays accountable for the judgement. Assurance stops being a yearly snapshot and becomes a continuous property of the system.
ISO 9001, 27001, 42001, 22301 and 31000 set the requirements and the reasoning — the agreed-upon definition of a well-run, trustworthy organisation.
// requirementKey decisions, controls and events are recorded as witnessed KERI key events and ACDC credentials, anchored to Cardano — append-only, tamper-evident, independently verifiable.
// KEL · ACDC · anchorUnder the Human Conductor model, a named person owns the judgement in each Area of Focus. AI agents operate under scoped, time-limited, KERI-delegated authority — never unaccountable.
// conductor · delegated AIDThe Foundation runs on 8 Areas of Focus, each led by a human conductor. The assurance stack isn't a separate compliance function bolted on the side — it threads through the areas that carry it.
Strategy, governance and risk appetite. Sets the tolerance for uncertainty that ISO 31000 then operationalises.
Identity infrastructure and technical standards — the KERI/ACDC layer that turns policy into architectural enforcement.
Operations, service delivery and incident management — the day-to-day where quality and continuity are actually earned.
Compliance, audit trails, transparency and reporting. Where the witnessed evidence becomes something a stakeholder can inspect.
Resource stewardship and long-term viability — resilience as a design goal, not an afterthought.
Education and onboarding so the system is understood and lived — culture is where standards either take hold or don't.
Whether you're a philanthropic partner, a government stakeholder or a fellow builder, we'd welcome the chance to walk you through the assurance stack — and show you the difference between being told to trust an organisation and being able to verify one.