A CCSS audit is a point-in-time assessment of the system as it existed during the audit period. If the system changes substantially afterward, the original audit may no longer accurately reflect the current security posture of the environment.
Examples of changes that could impact certification include modifications to wallet architecture, key management processes, signing workflows, custody models, access control structures, infrastructure providers, or other security-critical components.
Organizations are therefore expected to evaluate how changes affect the controls and requirements that were originally assessed. Depending on the nature and scope of the changes, additional review, updated evidence, or a reassessment may be necessary.
To remain certified, systems must also undergo annual audits to verify continued compliance with the applicable CCSS requirements and certification level. Maintaining certification requires ongoing operational discipline, change management, and continued alignment with the Standard over time.