Conformance Assessment Model
This document defines assessment terminology for AEEF core controls, regional overlays, and national annexes.
It separates:
- framework guidance
- conformance assessment
- certification readiness
- future certification scheme design
Terminology Boundaries
- Conformance: Demonstrated alignment to documented AEEF controls/profiles within a declared scope.
- Assessment: Review of evidence and operating effectiveness against a defined scope.
- Certification readiness: Preparation for external assessment; evidence and governance maturity are in place.
- Certification: Formal attestation under published scheme rules by an authorized certification body.
Unless scheme rules are published, AEEF references to assessment should use conformance terminology, not certification claims.
Assessment Levels
Level A: Self-Attested Conformance
Use case:
- internal governance programs
- early adoption
- gap closure tracking
Minimum expectations:
- defined scope
- control mapping
- evidence list
- internal sign-off
- open gaps documented
Output:
- self-attestation statement
- gap register / remediation plan
Level B: Independent Assessed Conformance
Use case:
- customer assurance
- procurement support
- pre-certification maturity
Minimum expectations:
- defined scope statement
- evidence pack
- sampling method
- nonconformity log
- corrective action plan and closure tracking
- assessor independence declaration
Output:
- assessment report
- conformance status by control/profile
- nonconformity summary
Level C: Scheme Certification (Future)
This level is reserved for use under a formal AEEF certification scheme (if created). It requires:
- published scheme rules
- assessor competence criteria
- impartiality requirements
- appeals and complaints process
- certificate validity and surveillance rules
Until those documents exist, do not claim Level C outcomes.
Scope Declaration Rules
Every conformance assessment MUST declare:
- organizational boundary
- systems/processes in scope
- AEEF core version
- annexes/overlays applied
- excluded systems with rationale
- assessment date
Evidence Pack (Minimum)
- Scope statement
- Control mapping (core + annexes/overlays)
- Policy and standards references
- Operational evidence samples
- Audit/incident/CAPA evidence (if applicable)
- Open gaps and exceptions
Sampling and Nonconformity Handling
Sampling (Minimum Guidance)
- Use representative samples for:
  - production changes
  - incidents
  - training/competence records
  - evidence retention
- Increase sample size for high-risk systems and regulated sectors.
Nonconformity Classes
- Major -- control absent or ineffective in a material area
- Minor -- control exists but has evidence/process gaps
- Observation -- improvement recommendation; not a conformance failure
Validity and Reassessment (Conformance, Not Certification)
Recommended validity windows:
- Self-attested conformance: 6-12 months
- Independent assessed conformance: 12 months, with interim remediation checks for major findings
Relationship to Regional Annexes
Conformance statements should list applied annexes explicitly, for example:
- AEEF Core vX.Y
- KSA Regulatory Profile vA.B
- Government (Middle East) Profile vA.B
Do not use umbrella claims such as "Middle East compliant" unless country-specific annex coverage is explicitly listed and justified using the Regional Coverage Matrix.
Future Scheme Dependencies
Before launching a certification program, publish:
- certification scheme rules
- assessor competence requirements
- appeals and disputes process
- accreditation and mutual recognition model