CCSS Audit & Readiness
Independent CCSS audits at Levels 1, 2, and 3 plus the readiness work that gets you through the first audit cleanly.
The Cryptocurrency Security Standard (CCSS) is the framework written for this asset class by people who understand it. Maintained by the CryptoCurrency Certification Consortium (C4), the standard is currently at version 9.0, published December 2024. It is the closest thing the industry has to a credentialed test of whether an organization’s digital asset custody and operational practices actually work in practice, not just on paper. CCSS supplements ISO 27001 and SOC 2 with controls specific to private key management, wallet operations, and on-chain interactions; the standard itself notes that following CCSS while ignoring those frameworks will likely lead to compromise. The losses that drove and continue to drive demand for the standard, from Mt. Gox in 2014 to QuadrigaCX in 2019 to FTX in 2022 to Prime Trust (~$80 million, June 2023, improper private-key backup setup) to Bybit ($1.5 billion, February 2025, supply-chain breach in custody infrastructure), were operational, not cryptographic. The audit is built around that observation.
What we do
- Full CCSS audits at Level 1, Level 2, or Level 3, producing the final audit report.
- Readiness engagements for organizations preparing for their first audit: we assess current state, identify what is missing relative to the standard, and produce a remediation roadmap.
- Re-audit support for organizations with prior CCSS work who need to renew, expand scope, or recover from a failed audit.
Every CCSS engagement we run is led by a CCSSA-certified auditor. The credential is held by a small number of practitioners worldwide; we do not delegate custody work to generalist consultants.
What a CCSS audit actually checks
CCSS was written specifically around the operational practices that secure digital asset custody. Aspect controls are organized around the lifecycle of cryptographic keys (generation, storage, use, backup, recovery, retirement, and personnel) and grouped into two categories: Cryptographic Asset Management and Operations. Each control has Level 1, Level 2, or Level 3 requirements; the level applied depends on the system’s risk profile. The full standard is open and free to read at cryptoconsortium.org/standards-2.
The biggest source of losses in this asset class is custody failure: private keys lost, stolen, or misused. The cause is rarely novel cryptography. It is usually a signing procedure that skipped a step, a backup that was never tested, an entropy source that wasn’t what the documentation claimed, or an access control that drifted over time.
CCSS covers:
- Key generation. Entropy quality and conformance to NIST SP 800-90A where deterministic random bit generation is in scope. We check whether the entropy source is what the documentation says it is.
- Key storage. HSM configuration, air-gapped ceremony integrity, cloud-HSM key-material handling, backup integrity.
- Signing workflows. Quorum procedures, approval chains, break-glass paths.
- Rotation and recovery. Whether the procedures have been exercised on real assets, not just documented.
- Access controls. Who can initiate what, under which conditions, with what evidence trail.
- Operational controls beyond cryptography. HR practices, third-party dependencies, incident response, logging and monitoring, third-party security testing, risk management framework, compliance and auditing.
We review documented procedures, then ask for evidence those procedures were actually followed on specific dates: signed runbooks, attestations from ceremony witnesses, logs from the signing infrastructure, reconciliation between documented quorum and actual quorum.
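As an added illustration of the reconciliation step described above (this is example code written for this page, not the firm's audit tooling or anything published by C4), the script below reads a constructed signing-infrastructure log and checks each broadcast transaction against a constructed quorum policy: distinct authorised approvers versus the documented m-of-n, identities outside the approver set, duplicate approvals, use of a break-glass path, and the time window between first and last approval. The log format, the policy structure, the wallet names and every log line are assumptions made up for the example.

```python
"""Reconcile a documented signing quorum against signing-infrastructure logs.

Added example for illustration; the log format, policy layout and all sample
entries below are constructed assumptions, not a real system's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed quorum policy, as an auditor would extract it from the documented
# signing procedure: wallet -> required approvals (m), authorised approver set,
# and the maximum hours allowed between the first and last approval.
POLICY = {
    "treasury-cold": {"m": 3, "approvers": {"alice", "bob", "carol", "dave"}, "window_h": 24},
    "hot-ops": {"m": 2, "approvers": {"erin", "frank", "grace"}, "window_h": 4},
}

# Constructed log lines in the form ts|wallet|tx_id|event|actor.
SAMPLE_LOG = """\
2025-03-01T09:00:00Z|treasury-cold|tx-1001|approve|alice
2025-03-01T09:15:00Z|treasury-cold|tx-1001|approve|bob
2025-03-01T09:30:00Z|treasury-cold|tx-1001|approve|carol
2025-03-01T09:31:00Z|treasury-cold|tx-1001|broadcast|system
2025-03-02T10:00:00Z|treasury-cold|tx-1002|approve|alice
2025-03-02T10:05:00Z|treasury-cold|tx-1002|approve|alice
2025-03-02T10:06:00Z|treasury-cold|tx-1002|approve|bob
2025-03-02T10:07:00Z|treasury-cold|tx-1002|broadcast|system
2025-03-03T11:00:00Z|hot-ops|tx-2001|approve|erin
2025-03-03T11:02:00Z|hot-ops|tx-2001|approve|mallory
2025-03-03T11:03:00Z|hot-ops|tx-2001|broadcast|system
2025-03-04T08:00:00Z|hot-ops|tx-2002|approve|frank
2025-03-04T08:01:00Z|hot-ops|tx-2002|break_glass|grace
2025-03-04T08:02:00Z|hot-ops|tx-2002|broadcast|system
2025-03-05T08:00:00Z|hot-ops|tx-2003|approve|frank
2025-03-05T14:00:00Z|hot-ops|tx-2003|approve|grace
2025-03-05T14:01:00Z|hot-ops|tx-2003|broadcast|system
"""


def parse_log(text):
    """Group log lines by transaction id as (timestamp, wallet, event, actor) tuples."""
    txs = defaultdict(list)
    for line in text.strip().splitlines():
        ts, wallet, tx_id, event, actor = line.split("|")
        txs[tx_id].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), wallet, event, actor))
    return txs


def check_transaction(policy, events):
    """Return a list of finding strings for one transaction; an empty list means compliant."""
    findings = []
    rule = policy[events[0][1]]
    approvals = [(ts, actor) for ts, _, ev, actor in events if ev == "approve"]
    actors = [actor for _, actor in approvals]
    authorised = {a for a in actors if a in rule["approvers"]}
    # Identities that approved but are not in the documented approver set.
    for a in sorted(set(actors) - rule["approvers"]):
        findings.append(f"approval by identity outside documented approver set: {a}")
    # The same person approving twice contributes one approval, not two.
    if len(actors) != len(set(actors)):
        findings.append("duplicate approvals by the same identity counted once")
    if len(authorised) < rule["m"]:
        findings.append(f"quorum not met: {len(authorised)} of {rule['m']} distinct authorised approvals")
    # A break-glass event bypasses the normal chain and needs its own evidence.
    if any(ev == "break_glass" for _, _, ev, _ in events):
        findings.append("break-glass path used: request documented justification and post-hoc review")
    if len(approvals) >= 2:
        span = max(ts for ts, _ in approvals) - min(ts for ts, _ in approvals)
        if span > timedelta(hours=rule["window_h"]):
            findings.append(f"approval window exceeded: {span} > {rule['window_h']}h")
    return findings


def reconcile(policy, log_text):
    """Map each broadcast transaction id to its list of findings."""
    txs = parse_log(log_text)
    return {
        tx_id: check_transaction(policy, ev)
        for tx_id, ev in sorted(txs.items())
        if any(e[2] == "broadcast" for e in ev)
    }


if __name__ == "__main__":
    for tx_id, findings in reconcile(POLICY, SAMPLE_LOG).items():
        print(tx_id, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Only tx-1001 comes back clean in the sample; the other four each reproduce one of the drift patterns the audit looks for (a duplicated approval that looks like a quorum on paper, an approver who is not on the documented roster, a break-glass signing, and approvals collected outside the allowed window). In a real engagement the policy side comes from the signed runbook and the log side from the signing infrastructure's own export, and the point is that the two are compared for the actual dates in the look-back period rather than taken on trust.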
How the engagement runs
A full CCSS audit runs in five phases against a 12-month evidence look-back: scoping (define the system boundary and confirm target level), documentation review and interviews, evidence collection and control testing, report on compliance (ROC), and independent CCSSA-PR peer review before C4 issues the certificate. A full audit typically runs eight to twelve weeks; documentation quality is the single largest driver of timeline.
Most engagements start with a separate Readiness Assessment (four to eight weeks, covering phases 1 and 2). Readiness surfaces gaps before evidence collection, so the formal audit does not stall on stale evidence or unaddressed findings. Organizations that skip readiness and go straight to a formal audit typically fail or withdraw mid-engagement, because the evidence infrastructure (signed ceremony runbooks, reviewed access logs, documented quorum procedures) was never built. The standard expects evidence that procedures were followed on specific dates, not just documentation of what should have been done. A readiness engagement is cheaper than a failed audit and produces the artifacts your auditor needs to actually sign off.
What you get
A report that names concrete findings at the CCSS level applicable to your system, with severity and remediation guidance. Not a checklist. A document you can hand to a board, an LP, or a counterparty.
Who this is for
Custody technology providers, qualified custodians, exchanges, stablecoin issuers (where the same standard applies to mint-and-burn key custody; see Stablecoin Operations), tokenization platforms (see RWA Tokenization Audit), prime brokers, and any operation that holds customer assets on-chain and needs an independent credential to point to. CCSS is the custody substrate; counterparties and LPs that want a broader operational read on the same target typically commission Operational Due Diligence alongside.
Scope depends on what the system does, not what the company does. CCSS distinguishes between Self-Custody Systems (entity’s own funds only, no customer funds), Full Systems (control of keys to customer funds), and Qualified Service Providers (facilitating a subset of custody services for other systems). The audit covers only the controls applicable to the scope.
When to engage
- You are pursuing CCSS certification for the first time and want to build the documentation right the first time.
- You have an audit scheduled and want a pressure-test before the auditor arrives.
- A prior CCSS engagement has lapsed and you need to renew.
- A counterparty, LP, or regulator is asking for CCSS as a precondition for a relationship.
- You are launching a new custody product or expanding into a new asset class and want the design pressure-tested before it goes live.
Frequently asked questions
What does a CCSS audit actually check?
CCSS defines aspect controls organized around the lifecycle of cryptographic keys (generation, storage, use, backup, recovery, retirement, and personnel), spanning two categories: Cryptographic Asset Management and Operations. Each control has Level 1, Level 2, or Level 3 requirements; the level applied depends on the system's risk profile. We review documented procedures, then ask for evidence those procedures were actually followed on specific dates.
How long does a CCSS audit take?
Eight to twelve weeks from kickoff for a full audit, depending on documentation quality and the level being assessed. The audit assesses against a 12-month evidence look-back. Readiness engagements that precede the formal audit typically run four to eight weeks, depending on the gap between current state and the standard's requirements.
When do I need CCSS in addition to a SOC 2?
Whenever your system holds cryptocurrency. A SOC 2 audit covers the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) generically across industries and does not address private key custody, wallet operations, or any of the crypto-specific failure modes that produce most digital asset losses. CCSS is purpose-built for systems that hold cryptocurrency, supplementing ISO 27001 and SOC 2 rather than replacing them; the standard itself notes that following CCSS while ignoring those frameworks will likely lead to compromise. Counterparties and LPs that previously accepted SOC 2 alone have increasingly started asking for CCSS on top, particularly post-FTX and post-Bybit.
Do I need CCSS readiness work before my first audit?
For most organizations, yes. Organizations that skip readiness and go straight to a formal audit typically fail or withdraw mid-engagement because the evidence infrastructure (signed ceremony runbooks, reviewed access logs, documented quorum procedures) was never built. A readiness engagement is cheaper than a failed audit and produces the artifacts your auditor needs to actually sign off.
What does CCSS Level 3 cover that Level 2 does not?
Level 3 (Highest Assurance) requires formal key generation ceremonies, three-factor authentication, entity-level key segregation, and SOC 2 or ISO 27001-grade audit support. Level 2 (Resilience) requires redundancy and geographic distribution for multi-signer wallets, tamper-evident backups, Approved Communication Channels, and real-time log monitoring. Level 1 (Baseline) covers MFA on key material, threat modeling, a documented Key Compromise Policy, and personnel background checks. Most qualified custodians and large prime brokers target Level 3 because LPs and counterparties have started asking for it.
What scope of CCSS audit applies to my system?
CCSS distinguishes three system scopes: Self-Custody Systems (entity holds only its own funds, no customer funds), Full Systems (entity holds customer funds; the full set of controls applies), and Qualified Service Providers (facilitating a subset of custody services for other systems, only the relevant controls apply). Scope depends on what the system does, not what the company does. We confirm the right scope during the audit's first phase.
Who needs CCSS certification?
Custody technology providers, qualified custodians, exchanges, stablecoin issuers, tokenization platforms, and prime brokers that hold customer assets on-chain and need an independent credential to point to. Counterparties, LPs, and regulators have increasingly started asking for CCSS as a precondition for a commercial relationship.
Who created the CCSS and who maintains it?
The CryptoCurrency Security Standard is maintained by the CryptoCurrency Certification Consortium (C4), a non-profit body. The current version is v9.0, published December 2024. The full standard is open and free to read at cryptoconsortium.org/standards-2.
Scope a CCSS Audit engagement
Every engagement starts with a scoping call about what you're trying to assure and who you need to assure it to.