Nuclear is not a place for shortcuts. Every procedure, every control, every record exists for a reason. The same standard applies to the AI systems that support nuclear operations. In March 2026, Nuclearn achieved ISO/IEC 27001:2022 certification, the internationally recognized standard for information security management. This is not a press release moment. It is a signal about how we build, how we operate, and what we owe our customers.
What ISO/IEC 27001:2022 Actually Is
ISO/IEC 27001:2022 is a global standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It defines the requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System, or ISMS.
Unlike a one-time audit or a checklist, an ISMS is a living framework. It covers the people, processes, and technology involved in protecting information. It requires documented risk assessments, defined security roles, measurable objectives, and annual management reviews. And it requires an independent third party to verify that all of it actually works.
Our certification was conducted by A-LIGN Compliance and Security, Inc., a firm accredited by both the ANSI National Accreditation Board (ANAB) and the United Kingdom Accreditation Service (UKAS). The audit covered two stages across several months, beginning with a Stage 1 review in October 2025 and concluding with a Stage 2 audit between January 12 and January 20, 2026. Certification was issued on March 17, 2026.
Why This Matters for Nuclear
Nuclear operators trust Nuclearn with data that matters: workforce records, training completions, corrective action programs, engineering documentation, and more. These are not generic enterprise files. In a regulated industry, this information touches safety, compliance, and operational continuity.
Our customers include utilities operating in the United States, Canada, and the United Kingdom. Many of them have their own information security requirements. Procurement teams ask about our controls. Legal teams review our policies. Security teams want to know how we handle access, incidents, and third parties.
ISO/IEC 27001:2022 certification gives everyone a common reference point. Instead of answering the same security questionnaire in ten different formats, we can point to an independently verified ISMS that meets a globally recognized standard. That is useful to procurement. It is useful to compliance. And it is honest.
What Our ISMS Covers
The certified scope covers the design, development, deployment, and support of AI solutions for the nuclear and regulated utility industries. Every product in our portfolio is included: CAP AI, AtomAssist, Engineering AI, Work AI, Observation Program, Capitalizer, and Project Genius. The scope applies across on-premises, hosted, and GovCloud deployments.
That breadth matters. A certification that covers only part of your product line or only one deployment type offers limited assurance to customers. Ours covers the full picture.
The ISMS includes formal risk assessments conducted annually, with risks classified by likelihood and impact. Our most recent assessment identified one high-level risk, four medium-level risks, and four low-level risks, each with defined treatment plans and ownership. Security controls are monitored daily through Wazuh across our networks, systems, and applications. Access is governed by least privilege, multi-factor authentication on critical systems, and role-based access control.
Security Built Into How We Work
One thing the certification process reinforced is that security cannot live only in a policy document. It has to live in how people do their jobs every day.
At Nuclearn, every new hire completes security and privacy awareness training within 30 days of onboarding, managed through our Fortinet LMS. Vendor and supplier relationships are governed by a formal Third Party Information Security Risk Management Policy. Incident response procedures are tiered and documented, from critical data loss events to management-level escalations. Business continuity and disaster recovery plans are tested annually.
Our development practices follow secure coding principles with baseline requirements and developer checklists. Environments for development, testing, and production are separated. Change management is controlled. This is not how most software companies build. It is how nuclear-grade software should be built.
Continuous, Not One-Time
ISO/IEC 27001:2022 certification is not a trophy you earn and display. It carries a three-year validity period with surveillance audits in between. Our current certificate runs through March 17, 2029. Between now and then, we will undergo regular reviews, maintain our controls, update our risk assessments, and continue improving.
That ongoing requirement is the point. Nuclear operators do not do annual safety reviews and then walk away until the next one. Neither do we.
What This Means If You Are a Nuclearn Customer
If you are already using Nuclearn products, this certification validates what we have been telling you about how we handle your data. The controls are real, documented, and verified.
If you are evaluating Nuclearn, you can request our security documentation directly. We are prepared to support procurement due diligence and answer specific questions about our ISMS scope, controls, and audit results.
Either way, the certification number is ISMS-NU-031726. It is publicly verifiable through A-LIGN.
Nuclear AI has to be held to a higher standard. We agree with that. ISO/IEC 27001:2022 is one way we demonstrate it.
To learn more about Nuclearn’s security posture or to request documentation, contact us at contact@nuclearn.ai.