ISO 23975: Digital Asset Custody Certification for Crypto & Fintech

Introduction

Crypto exchanges, fintech wallets and digital asset custodians are now handling billions in client funds every day. They work with hot and cold wallets, complex key ceremonies, instant transfers and cross-border settlement. When controls are weak or unclear, a single failure can lead to theft, frozen withdrawals, regulatory action and loss of reputation.

ISO 23975 can be viewed as a digital asset custody management framework for organizations that store or move crypto on behalf of clients. In practice it follows the familiar logic of a management system standard: understand context, set policy and objectives, control risks, define processes, monitor performance and improve. For crypto and fintech institutions, it brings structure to how private keys, wallets, access rights, vendors and incident handling are managed.

If your institution wants to review digital asset custody controls or prepare for ISO 23975-style certification, you can request an audit plan from Pacific Certifications to discuss scope, timelines and evidence requirements.

Quick summary

ISO 23975 is focused on the governance of digital asset custody for crypto and fintech businesses. It covers topics like key management, wallet architecture, segregation of client assets, transaction controls, security monitoring, incident response and supplier oversight. The goal is a repeatable custody system that keeps client assets safe, traceable and recoverable, and that can be explained to regulators, banks and institutional clients.

Why does ISO 23975 matter for crypto and fintech institutions?

Crypto and fintech firms often grow faster than their control framework. Teams race to launch new coins, staking services or yield products while custody design, access rights and reconciliation processes lag behind. In that situation, losses or frozen assets are not just possible, they are likely over time.

ISO 23975 brings a custody lens to the entire organization. It asks why you hold digital assets, which roles can touch what, how keys and wallets are structured, how client balances are tracked, how segregation works, how transactions are approved and how incidents are found and handled. It helps link business goals like new products or institutional onboarding with clear custody controls and records. That makes it easier to work with banks, auditors and regulators and to explain how your platform protects client funds.

What are the requirements for ISO 23975?

Before implementing ISO 23975, institutions should understand that it is not just an IT security checklist. It is a full custody management system that spans governance, technology, operations, legal and compliance. In practice, you can expect requirements in areas like these:

Requirements for ISO 23975

  1. Define the scope of the digital asset custody system, including entities, platforms, asset types, wallet structures and third-party services.
  2. Establish a custody policy and measurable objectives that cover client asset protection, availability, traceability and recovery.
  3. Analyse internal and external issues such as business model, threat landscape, legal expectations, insurance conditions and counterparties.
  4. Identify interested parties, including retail clients, institutional clients, regulators, banks, auditors and technology partners, and understand their needs around custody.
  5. Define roles and responsibilities for custody, including board oversight, senior ownership, operational teams, security, compliance and independent assurance.

Tip: build a custody asset map early. List wallets, keys, systems, vendors and teams in a single view so that you can see who controls what and where gaps may exist.
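A custody asset map of the kind the tip describes can be kept as structured data and checked for gaps automatically rather than by eye. The script below is an added example written for this page; it is not part of the page, of Pacific Certifications' material, or of any ISO 23975 text. The wallet and key records, team names, the vendor name and the threshold rule are constructed sample values, and the checks it runs (every key has an accountable owner and a documented backup, vendor-held keys carry a contract reference, no wallet commingles client and company funds, withdrawals need more than one approver from more than one team, and the approval threshold can actually be met so withdrawals cannot stall) are drawn from the topics this page lists, not quoted from the standard.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Key:
    """One signing key in the custody inventory (constructed record format)."""
    key_id: str
    owner_team: Optional[str]       # team accountable for the key; None is a gap
    location: str                   # "hsm", "cold-device", "vendor", ...
    backup_location: Optional[str]  # where recovery material lives; None is a gap
    vendor: Optional[str] = None    # set when a third party holds the key
    vendor_contract: Optional[str] = None  # contract reference for vendor oversight


@dataclass
class Wallet:
    """One wallet and the keys that may sign from it (constructed record format)."""
    wallet_id: str
    tier: str                       # "hot", "warm" or "cold"
    holds: FrozenSet[str]           # {"client"}, {"company"} or both
    signer_keys: Tuple[str, ...]    # key_ids that can sign from this wallet
    approval_threshold: int         # approvals required per withdrawal


def find_gaps(wallets: List[Wallet], keys: List[Key]) -> List[str]:
    """Return one human-readable line per control gap found in the asset map."""
    by_id: Dict[str, Key] = {k.key_id: k for k in keys}
    gaps: List[str] = []

    for k in keys:
        if k.owner_team is None:
            gaps.append(f"{k.key_id}: no accountable owner")
        if k.backup_location is None:
            gaps.append(f"{k.key_id}: no documented backup")
        if k.location == "vendor" and not k.vendor_contract:
            gaps.append(f"{k.key_id}: held by vendor {k.vendor} without a contract reference")

    for w in wallets:
        # Segregation: client and company assets must not share a wallet.
        if {"client", "company"} <= w.holds:
            gaps.append(f"{w.wallet_id}: commingles client and company assets")
        # Every signer must appear in the key inventory, or the map is incomplete.
        for s in w.signer_keys:
            if s not in by_id:
                gaps.append(f"{w.wallet_id}: signer {s} is not in the key inventory")
        known = [by_id[s] for s in w.signer_keys if s in by_id]
        # Transaction controls: one person alone must not be able to move funds.
        if w.approval_threshold < 2:
            gaps.append(f"{w.wallet_id}: a single approval can move funds")
        # Availability: a threshold higher than the signer count stalls withdrawals.
        if w.approval_threshold > len(w.signer_keys):
            gaps.append(
                f"{w.wallet_id}: threshold {w.approval_threshold} exceeds "
                f"{len(w.signer_keys)} signers, withdrawals would stall"
            )
        # Separation of roles: approvers should come from more than one team.
        teams = {k.owner_team for k in known if k.owner_team}
        if w.approval_threshold >= 2 and len(known) >= 2 and len(teams) < 2:
            gaps.append(f"{w.wallet_id}: every signer belongs to one team")

    return gaps


def run_sample() -> List[str]:
    """Run the checks over a constructed asset map with deliberate gaps in it."""
    keys = [
        Key("K-HOT-1", "treasury-ops", "hsm", "hsm-replica-site-b"),
        Key("K-HOT-2", "security", "hsm", "hsm-replica-site-b"),
        Key("K-COLD-1", "treasury-ops", "cold-device", "safe-deposit-A"),
        Key("K-COLD-2", "treasury-ops", "cold-device", "safe-deposit-B"),
        Key("K-COLD-3", None, "cold-device", None),  # nobody owns it, no backup
        Key("K-VEND-1", "treasury-ops", "vendor", "vendor-managed",
            vendor="ExampleCustodyCo", vendor_contract=None),  # no contract on file
    ]
    wallets = [
        Wallet("W-HOT-CLIENT", "hot", frozenset({"client"}), ("K-HOT-1", "K-HOT-2"), 2),
        Wallet("W-COLD-CLIENT", "cold", frozenset({"client"}),
               ("K-COLD-1", "K-COLD-2", "K-COLD-3"), 2),
        Wallet("W-OPS-MIXED", "warm", frozenset({"client", "company"}), ("K-HOT-1",), 1),
        Wallet("W-VEND", "warm", frozenset({"client"}), ("K-VEND-1", "K-MISSING"), 3),
    ]
    return find_gaps(wallets, keys)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run as a script it prints one line per gap; `W-HOT-CLIENT` produces none because it has two signers from two different teams and a threshold of two. Feeding the real inventory in as `Key` and `Wallet` records turns the asset map into something that can be re-checked after every new wallet, key ceremony or vendor change, which is the point of keeping it in one view.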

How to prepare for ISO 23975 implementation?

Preparing for ISO 23975 means putting custody at the centre of how your platform works, not just adding a few security controls. Refer to the points below:

  1. Run a custody gap analysis that compares your current controls to good practices in key management, wallet design, segregation, approvals and reconciliation.
  2. Create an inventory of all wallets, keys, networks and supported assets, including internal and third-party custody solutions.
  3. Define a clear custody model for each product line: who owns which risk, where keys live, how approvals work and how client balances are tracked.
  4. Draft a custody policy and objectives that senior management can approve and communicate to the whole organization.
  5. Align custody governance with risk, compliance, security and legal so that decisions are logged, reviewed and traceable.

Certification audit

Stage 1 audit: Review of custody scope, policies, wallet and key architecture, risk assessment methods and core procedures for deposits, withdrawals and storage.
Stage 2 audit: Verification of implementation across products, wallets, reconciliations, access controls, incident handling and transaction workflows.
Nonconformities: Must be corrected with documented root causes, updated controls and evidence of implementation.
Management review: Confirms leadership oversight of custody risks, incidents, performance and resource needs.
Final certification: Issued once the digital asset custody system meets ISO 23975 requirements for the defined scope.
Surveillance audits: Conducted annually to confirm that custody controls, reconciliations and operations remain in place and effective.
Recertification audits: Required every three years to review the full custody framework, new products and any major changes.

What are the benefits of ISO 23975?

ISO 23975 helps crypto and fintech firms move from ad-hoc custody arrangements to a clear, auditable system that can grow with the business.

Below are key benefits:

  1. Stronger protection of client digital assets through clear key management and wallet architecture.
  2. Clear segregation of client and company assets, which supports trust and simplifies audits.
  3. Better readiness for bank relationships, institutional onboarding and regulator questions about how client funds are protected.
  4. More reliable operations for deposits and withdrawals, with fewer manual workarounds and surprise bottlenecks.
  5. Improved incident readiness, with defined runbooks for suspected theft, key loss, compromised devices and major technical failures.

Digital asset custody is moving closer to mainstream financial market practice. Large banks, payment providers and brokers are entering the space, and they expect documented controls, clear segregation and reliable reporting. At the same time, new custody models are emerging for staking, tokenized securities, stablecoins and cross-chain bridges, all of which add new risk paths.

More firms are adopting hardware security modules, dedicated key management systems and independent reconciliation tooling. Governance structures around cold storage, signing devices, change approval and vendor oversight are becoming more formal. Over time, digital asset custody is likely to resemble other capital market infrastructure, with clear separation of roles, more independent checks and a strong focus on audit trails across both on-chain and off-chain systems.

Training and courses

Pacific Certifications supports crypto and fintech institutions with training programs aligned to digital asset custody and ISO-style management systems:

  • Lead Auditor Training: for professionals who review custody frameworks, key management, wallet controls and incident records.
  • Lead Implementer Training: for teams that design and roll out custody management systems across products, regions and platforms.

For custody training tailored to your platform and risk profile, contact [email protected].

How can Pacific Certifications help?

Pacific Certifications provides accredited audit and certification services for management system standards and can extend this approach to digital asset custody frameworks aligned with ISO 23975 principles. Our assessments review custody scope, policy, risk assessment, wallet and key design, segregation rules, operational controls, security measures, incident handling, internal audits and management review.

To request an audit plan for digital asset custody or to discuss ISO 23975-style certification for your crypto or fintech business, contact [email protected] or visit www.pacificcert.com.

Ready to get ISO 23975 certified?

Contact Pacific Certifications to begin your certification journey today!

Author: Alina Ansari

Suggested Certifications –

  1. ISO 9001:2015
  2. ISO 14001:2015
  3. ISO 45001:2018
  4. ISO 22000:2018
  5. ISO 27001:2022
  6. ISO 13485:2016
  7. ISO 50001:2018


Frequently Asked Questions

Can ISO 23975 work with ISO 27001 or other security standards?

Yes, it can sit alongside existing information security and privacy frameworks.

What is ISO 23975?

It is a framework for managing digital asset custody for crypto and fintech institutions.

Who should use ISO 23975?

Exchanges, wallet providers, custodians, payment firms and any business holding client crypto.

Does ISO 23975 cover both hot and cold wallets?

Yes, it applies to the full custody setup, including hot, warm and cold storage.

Is ISO 23975 only for large platforms?

No, it can be scaled for startups, mid-size firms and large institutions.

What is the main focus of ISO 23975?

Protecting client digital assets through clear governance, key management and controls.

How does ISO 23975 help with regulators and banks?

It gives a structured way to show how client assets are safeguarded and segregated.

What kind of evidence do auditors usually expect?

Policies, custody scope, wallet and key inventories, procedures, logs and incident records.

How long does it take to implement ISO 23975?

It depends on complexity and current controls, but most firms need several months.

Can ISO 23975 improve client trust?

Yes, a clear custody framework reassures users that their assets are managed responsibly.
