Trust Signal Catalogue
The Trust Signal Catalogue defines the observable indicators used to assess an organisation’s digital trust posture.
Trust Signals represent measurable evidence that digital systems are:
- authentic
- well-governed
- resilient
- responsibly managed
Signals may be:
- externally observable (e.g. DNS records)
- internally verifiable (e.g. identity governance controls)
Together, these signals provide insight into how trustworthy an organisation’s digital environment appears to stakeholders.
Trust Signal Structure
Each Trust Signal is defined by four attributes.
| Attribute | Description |
| --- | --- |
| Signal Name | The observable indicator |
| Domain | The Trust Surface domain where the signal applies |
| Observation Method | How the signal can be observed or verified |
| Trust Implication | What the signal reveals about trust posture |
Signals are evaluated using a maturity model described later in this document.
Identity Signals
Multi-Factor Authentication Enforcement
| Attribute | Value |
| --- | --- |
| Domain | Identity |
| Observation Method | Internal verification of authentication policies |
| Trust Implication | Reduces risk of account compromise and unauthorised access |
Strong MFA enforcement is one of the most important identity trust signals.
Privileged Access Governance
| Attribute | Value |
| --- | --- |
| Domain | Identity |
| Observation Method | Internal review of privileged access policies |
| Trust Implication | Ensures administrative privileges are controlled and monitored |
Weak privileged access controls often lead to major security incidents.
Identity Lifecycle Management
| Attribute | Value |
| --- | --- |
| Domain | Identity |
| Observation Method | Internal policy and operational review |
| Trust Implication | Prevents orphaned accounts and unmanaged access |
Organisations must demonstrate that identities are properly provisioned and removed.
Domain & DNS Signals
Domain Ownership Integrity
| Attribute | Value |
| --- | --- |
| Domain | Domains & DNS |
| Observation Method | Review of domain registration and ownership records |
| Trust Implication | Ensures domains are controlled, monitored, and not exposed to takeover risk |
Unclear domain ownership undermines confidence in digital identity.
DNSSEC Adoption
| Attribute | Value |
| --- | --- |
| Domain | Domains & DNS |
| Observation Method | External DNS configuration review |
| Trust Implication | Strengthens integrity of DNS responses |
DNSSEC helps protect trust in domain resolution.
Domain Monitoring and Renewal Governance
| Attribute | Value |
| --- | --- |
| Domain | Domains & DNS |
| Observation Method | Internal governance review |
| Trust Implication | Reduces risk of domain expiry and service disruption |
Expired or neglected domains can quickly erode trust.
Email Integrity Signals
SPF Configuration
| Attribute | Value |
| --- | --- |
| Domain | Email Integrity |
| Observation Method | External DNS record inspection |
| Trust Implication | Indicates which systems are authorised to send email for the domain |
DKIM Deployment
| Attribute | Value |
| --- | --- |
| Domain | Email Integrity |
| Observation Method | External DNS and mail header review |
| Trust Implication | Supports message authenticity and integrity |
DMARC Enforcement
| Attribute | Value |
| --- | --- |
| Domain | Email Integrity |
| Observation Method | External DNS record inspection |
| Trust Implication | Demonstrates active resistance to email impersonation |
DMARC enforcement is a highly visible trust signal because it directly affects email authenticity.
Digital Service Signals
TLS Certificate Validity
| Attribute | Value |
| --- | --- |
| Domain | Digital Services |
| Observation Method | External service inspection |
| Trust Implication | Signals secure communication channels |
Service Availability
| Attribute | Value |
| --- | --- |
| Domain | Digital Services |
| Observation Method | Monitoring and uptime review |
| Trust Implication | Demonstrates operational reliability |

| Attribute | Value |
| --- | --- |
| Domain | Digital Services |
| Observation Method | External HTTP response review |
| Trust Implication | Indicates disciplined service configuration |

| Attribute | Value |
| --- | --- |
| Domain | Infrastructure & Platforms |
| Observation Method | Internal review of patching practices |
| Trust Implication | Indicates whether underlying systems are responsibly maintained |
Backup and Recovery Assurance
| Attribute | Value |
| --- | --- |
| Domain | Infrastructure & Platforms |
| Observation Method | Internal operational review |
| Trust Implication | Supports resilience and service continuity |
Third-Party Signals
Vendor Security Attestations
| Attribute | Value |
| --- | --- |
| Domain | Third-Party Ecosystem |
| Observation Method | Review of vendor-provided security evidence |
| Trust Implication | Indicates whether delegated trust is responsibly managed |
Third-Party Dependency Visibility
| Attribute | Value |
| --- | --- |
| Domain | Third-Party Ecosystem |
| Observation Method | Internal inventory and vendor review |
| Trust Implication | Improves awareness of digital trust dependencies |
Signal Maturity Levels
| Level | Description |
| --- | --- |
| Level 1 | Signal absent or unmanaged |
| Level 2 | Signal partially implemented or inconsistent |
| Level 3 | Signal implemented consistently across key systems |
| Level 4 | Signal governed, monitored, and regularly reviewed |
| Level 5 | Signal optimised, measurable, and transparently communicated |
Status of This Document
This catalogue forms part of the Trust Surface Framework draft, published for consultation and discussion.
Additional signals may be added over time as the framework evolves.