Quantum computing will break today's encryption within this decade. PICMS is already prepared — with a crypto-agile architecture, a complete cryptographic inventory, and automated data retention policies that satisfy ISO 27001 Annex A.10.1 today and NIST post-quantum standards tomorrow.
By 2030, current encryption methods will be vulnerable to quantum attacks. The UK ICO and NCSC are already urging organisations to prepare. PICMS is the first compliance platform built from the ground up to be crypto-agile, ensuring your ISMS is ready for the post-quantum future.
ISO 27001:2022 Annex A Control 8.24 (formerly A.10.1) requires organisations to define a policy on the use of cryptographic controls, including key management. As quantum computing advances, this obligation extends to planning and documenting your migration path from classical to quantum-resistant algorithms.
PICMS provides the framework to do exactly that. Our Cryptographic Bill of Materials (CBOM) gives you a complete, auditable inventory of every cryptographic primitive in use — the starting point for any transition plan. Our crypto-agile wrapper architecture means that when NIST finalises post-quantum standards, adoption is a configuration change rather than a re-engineering programme.
For certification auditors: PICMS itself serves as evidence that your chosen compliance platform takes cryptographic controls seriously — not as a checkbox, but as a continuously maintained engineering discipline.
These are not roadmap items. Every control below is live in production today, auditable, and documented in our public CBOM.
Every cryptographic primitive inventoried and classified by quantum vulnerability. Zero RSA, ECC, or ECDSA in application code. Full audit trail of what algorithms are used, where, and why.
Single wrapper (crypto-provider.js) for all cryptographic calls. Adopting NIST FIPS 203/204 (ML-KEM, ML-DSA) is a one-file change — not a six-month project.
Automated retention with daily enforcement. Briefing cache: 90-day hard-delete. Fleet patterns: 2-year archive. Full audit trail in retention_cleanup_log.
Weekly S3 data exports carry SHA-256 + HMAC-SHA-256 integrity signatures. Tamper detection built in. Every bundle verifiable with a single function call.
Choosing PICMS gives you documented evidence across multiple ISO 27001 controls — without lifting a finger.
Your platform vendor maintains a complete CBOM with zero quantum-vulnerable primitives in application code. This is documented evidence for your cryptographic controls policy.
The single-wrapper architecture demonstrates that algorithm migration has been planned and architected — not deferred. Auditors can inspect the wrapper and see the transition path.
Automated retention policies with daily enforcement and a complete audit trail. Reduces the "harvest now, decrypt later" attack surface by ensuring data doesn't persist beyond its useful life.
HMAC-signed exports provide cryptographic proof that your compliance data hasn't been tampered with in transit or at rest. Dual-hash verification (SHA-256 + HMAC-SHA-256) with constant-time comparison.
PICMS's posture aligns with the NCSC's "Preparing for Quantum-Safe Cryptography" guidance: inventory your cryptographic assets, plan for agility, and prioritise long-lived data.
The ICO expects controllers to consider future threats under UK GDPR Article 25. Choosing a crypto-agile platform demonstrates proactive data protection by design and by default.
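The following Node.js example is added here to illustrate the single-wrapper design and the SHA-256 + HMAC-SHA-256 export signatures with constant-time comparison described above. It is not PICMS's crypto-provider.js: the suite registry, the function names and the signature fields are assumptions made for the example.

```javascript
// Added example, not PICMS code. SUITES, signBundle and verifyBundle are hypothetical names.
const crypto = require("node:crypto");

// The registry is the only place that names a concrete primitive.
// Migrating to a new algorithm means adding a suite and changing ACTIVE_SUITE.
const SUITES = new Map([
  ["sha256+hmac-sha256", {
    digest: (data) => crypto.createHash("sha256").update(data).digest(),
    mac: (key, data) => crypto.createHmac("sha256", key).update(data).digest(),
  }],
]);
const ACTIVE_SUITE = "sha256+hmac-sha256";

// Sign an export bundle; the suite id travels with the signature so that
// bundles signed before a migration can still be verified afterwards.
function signBundle(key, payload, suiteId = ACTIVE_SUITE) {
  const suite = SUITES.get(suiteId);
  if (!suite) throw new Error(`unknown suite: ${suiteId}`);
  const data = Buffer.from(payload);
  return {
    suite: suiteId,
    digest: suite.digest(data).toString("hex"),
    mac: suite.mac(key, data).toString("hex"),
  };
}

// crypto.timingSafeEqual throws on unequal lengths, so compare lengths first.
// Malformed or truncated hex decodes to a shorter buffer and is rejected here.
function equalHex(claimedHex, expected) {
  const claimed = Buffer.from(String(claimedHex), "hex");
  return claimed.length === expected.length &&
    crypto.timingSafeEqual(claimed, expected);
}

// Recompute both values from the payload and compare in constant time.
function verifyBundle(key, payload, sig) {
  const suite = SUITES.get(sig?.suite);
  if (!suite) return false; // never fall back to a default algorithm
  const data = Buffer.from(payload);
  const digestOk = equalHex(sig.digest, suite.digest(data));
  const macOk = equalHex(sig.mac, suite.mac(key, data));
  return digestOk && macOk;
}
```

The unkeyed digest only catches accidental corruption, since anyone who alters a bundle can recompute it; the HMAC is what makes tampering detectable, and only for as long as the key is kept away from whoever can modify the export.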
The NCSC and ICO are not waiting for quantum computers to arrive before expecting organisations to act. Here is where we are.
NIST published FIPS 203 (ML-KEM, lattice-based key encapsulation), FIPS 204 (ML-DSA, lattice-based digital signatures), and FIPS 205 (SLH-DSA, hash-based signatures) as the first three post-quantum cryptographic standards.
NIST IR 8413 / PQC Standardisation Project
The UK National Cyber Security Centre published "Preparing for Quantum-Safe Cryptography" — urging organisations to inventory their cryptographic dependencies, identify long-lived data, and build migration roadmaps now, not after quantum computers arrive.
NCSC Quantum-Safe Cryptography Guidance
Organisations that act now gain a multi-year head start. PICMS completed its CBOM audit, deployed crypto-agile architecture, and implemented automated data retention — turning guidance into engineering. Your ISMS documentation reflects a vendor that has already begun the transition.
PICMS PQC Sprint — April 2026
Industry consensus places cryptographically relevant quantum computers (CRQC) within reach by the end of the decade. Data encrypted today with RSA-2048 or ECC P-256 and stored by adversaries can be decrypted retroactively — the "harvest now, decrypt later" threat. Organisations without crypto-agility will face emergency migrations under pressure.
ETSI QSC / BSI PQC Forecast
Your compliance data deserves a platform that treats cryptographic controls as an engineering discipline, not a checkbox. Start your free trial and see the difference.