The UK NCSC expects organisations handling sensitive data to complete a cryptographic inventory and migration plan by 2028, and full migration by 2035. PICMS started early. Today, all cryptographic operations in our application code go through a single audited wrapper. Our internal Cryptographic Bill of Materials documents every primitive, where it is used, and how it would migrate to NIST FIPS 203/204 algorithms when those become available in our runtime. Automated data retention reduces our “harvest now, decrypt later” exposure by removing data we no longer need.
The UK NCSC and ICO have published guidance asking organisations handling sensitive data to inventory their cryptographic surface by 2028 and complete migration to post-quantum algorithms by 2035. PICMS has chosen to start early. Our cryptographic posture, documented inventory, and migration plan are designed to meet those dates — and to give your ISMS a vendor whose work is already showing on the page.
ISO 27001:2022 Annex A Control 8.24 (the 2013 standard called this A.10.1) requires organisations to define a policy on the use of cryptography, including key management. As quantum computing advances, this obligation extends to planning and documenting your migration path from classical to quantum-resistant algorithms.
PICMS provides the framework to do exactly that. Our Cryptographic Bill of Materials documents every cryptographic primitive used in PICMS application code, the algorithm in use, and its quantum-vulnerability classification — available to your auditor on request. Symmetric-cryptography callsites are concentrated behind a single audited wrapper module so algorithm migration can be planned, not improvised, when NIST post-quantum primitives become available in our runtime.
For certification auditors: every claim on this page is backed by code we have audited internally and are willing to walk through with you. Where a claim is forward-looking (for example, ML-KEM/ML-DSA adoption), we say so — we don't dress roadmap items as shipped controls.
These are not roadmap items. Every control below runs in production today and is documented in our internal Cryptographic Bill of Materials — available to your auditor on request.
Every cryptographic primitive in our application code is inventoried and classified by quantum vulnerability. All in-application cryptography is symmetric (AES-256-GCM, HMAC-SHA-256, SHA-256) — no asymmetric primitives are invoked in PICMS source code. Transport-layer TLS and identity-token verification inherit the AWS and Auth0 cryptographic stacks, which are on their own published PQC roadmaps. Live and queryable at picms.com/cbom.json.
PICMS centralises symmetric cryptographic operations through a single wrapper module (crypto-provider.js). This concentrates our hash, HMAC, AES-GCM, and CSPRNG calls behind one audited entry point — the foundation an organisation needs in order to migrate algorithms quickly when NIST post-quantum primitives become available in our runtime.
Briefing-cache rows older than 90 days are hard-deleted daily; fleet-learning-patterns older than 2 years are archived to a separate table on the same schedule. Every cleanup run writes a row to retention_cleanup_log with table, policy, row count, and timestamp.
Weekly S3 export bundles are signed with both an HMAC-SHA-256 (PICMS-internal) and an Ed25519 detached signature that any customer can verify independently with just the public key — no PICMS contact required. The public key, a zero-dependency verifier script, and a fingerprint published in /cbom.json are all live. Sidecar <key>.sig file carries both signatures + a plaintext SHA-256.
Choosing PICMS gives you documented evidence across multiple ISO 27001 controls — without lifting a finger.
Your platform vendor maintains a public Cryptographic Bill of Materials covering every primitive used in PICMS application code, available at picms.com/security/cbom. This supports the documentation expectations of A.8.24 (use of cryptography) when PICMS is in scope of your ISMS as a supplier.
The wrapper architecture demonstrates that algorithm migration has been planned for symmetric-cryptography callsites. Auditors can inspect the wrapper, the public CBOM, and our published PQC roadmap to see the planned transition path and current state.
Automated retention policies with daily enforcement and a complete audit trail. Reduces the “harvest now, decrypt later” attack surface by ensuring data doesn't persist beyond its useful life.
Each weekly S3 export bundle is signed with both an HMAC-SHA-256 (PICMS-internal) and an Ed25519 detached signature. Your auditor can verify any bundle independently with just the published public key plus a zero-dependency Node script — no PICMS server contact, no shared secret. Sidecar dual-hash verification (SHA-256 plaintext digest + HMAC-SHA-256 over gzipped bytes) with constant-time comparison. Migration path to ML-DSA (NIST FIPS 204) documented for the wrapper module when Node ships it.
PICMS's posture aligns with the NCSC's "Preparing for Quantum-Safe Cryptography" guidance: inventory your cryptographic assets, plan for agility, and prioritise long-lived data.
The ICO expects controllers to consider future threats under UK GDPR Article 25. Choosing a crypto-agile platform demonstrates proactive data protection by design and by default.
The NCSC and ICO are not waiting for quantum computers to arrive before expecting organisations to act. Here is where we are.
NIST published FIPS 203 (ML-KEM, lattice-based key encapsulation), FIPS 204 (ML-DSA, lattice-based digital signatures), and FIPS 205 (SLH-DSA, hash-based signatures) as the first three post-quantum cryptographic standards.
NIST IR 8413 / PQC Standardisation ProjectThe UK National Cyber Security Centre published "Preparing for Quantum-Safe Cryptography" — urging organisations to inventory their cryptographic dependencies, identify long-lived data, and build migration roadmaps now, not after quantum computers arrive.
NCSC Quantum-Safe Cryptography GuidanceCryptographic Bill of Materials live at picms.com/security/cbom, with the live algorithm configuration queryable at picms.com/cbom.json. Cryptographic inventory complete; symmetric-crypto wrapper live in production; migration path documented — two years ahead of NCSC's 2028 inventory deadline.
PICMS PQC Sprint — April 2026, position published May 2026The UK National Cyber Security Centre expects organisations handling sensitive data to have completed a cryptographic inventory and documented their migration plan by 2028. PICMS aims to be a vendor whose own work is already showing on the page when your auditor asks.
NCSC PQC Migration Guidance, Phase 1NCSC guidance asks organisations handling sensitive data to complete migration to NIST post-quantum algorithms by 2035. Data encrypted today with RSA-2048 or ECC P-256 that is harvested now and stored by adversaries could be decrypted retroactively once a cryptographically relevant quantum computer is available — the “harvest now, decrypt later” threat. Organisations without a documented plan and an agile architecture risk emergency migrations under pressure.
NCSC PQC Migration Guidance, Phase 3 / ETSI QSCYour compliance data deserves a platform that treats cryptographic controls as an engineering discipline, not a checkbox. Start your free trial — or read the security & compliance roadmap.