Simple, audit‑focused metrics that show readiness and sustain compliance over time.
% of 4.0 requirements with verified evidence, by requirement family and overall.
% of artifacts updated inside 90 days (logs, screenshots, configs, tickets).
% of sampled items passing pre‑assessor dry‑run (policies, tech, process).
We align fix SLOs (e.g., S1 ≤14d) with your vulnerability program; MTTR kept below SLO windows.