During a CryptoCurrency Security Standard (CCSS) audit, requirements are evaluated based on whether the system sufficiently meets the intent and expectations of the control being audited.
If a system only partially meets a requirement, auditors will evaluate the nature and significance of the gaps, the effectiveness of any existing compensating controls, and the overall impact on the security posture of the system.
In some cases, a partially implemented control may result in a finding that must be remediated before certification can be granted or maintained. In other situations, compensating controls or additional evidence may demonstrate that the underlying security objective is still being effectively achieved.
Ultimately, certification decisions are based on the system’s ability to satisfy the applicable CCSS requirements at the audited certification level, not simply on whether documentation or controls exist in a limited or incomplete form.