{
  "$defs": {
    "AuditKind": {
      "description": "Audit kind.",
      "oneOf": [
        {
          "const": "soc2_type1",
          "description": "SOC 2 Type I.",
          "type": "string"
        },
        {
          "const": "soc2_type2",
          "description": "SOC 2 Type II.",
          "type": "string"
        },
        {
          "const": "soc1_type2",
          "description": "SOC 1 Type II.",
          "type": "string"
        },
        {
          "const": "iso27001_certification",
          "description": "ISO 27001 certification (3-year cycle).",
          "type": "string"
        },
        {
          "const": "iso27001_surveillance",
          "description": "ISO 27001 surveillance (annual within cycle).",
          "type": "string"
        },
        {
          "const": "iso27701",
          "description": "ISO 27701 (PIMS extension).",
          "type": "string"
        },
        {
          "const": "iso22301",
          "description": "ISO 22301 (BCMS).",
          "type": "string"
        },
        {
          "const": "pci_dss",
          "description": "PCI DSS Assessment.",
          "type": "string"
        },
        {
          "const": "hipaa",
          "description": "HIPAA assessment.",
          "type": "string"
        },
        {
          "const": "gdpr",
          "description": "GDPR audit (DPA / DPO commissioned).",
          "type": "string"
        },
        {
          "const": "internal_audit",
          "description": "Internal audit (no external auditor).",
          "type": "string"
        }
      ]
    },
    "Confidentiality": {
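      "description": "Cross-cutting confidentiality classification used across the privacy,\nsecurity, knowledge and IR pillars. Default rendering rule: `corpospec-report`\nexcludes `Restricted | BoardOnly | InvestorOnly` records (serialized in this\nschema as `restricted`, `board_only`, `investor_only`) from public output\nunless an explicit audience parameter overrides. The list as written does not\nname `internal` or `customer`; confirm against BDR 0076 how those are rendered.\nSee BDR 0076 §1.",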
      "oneOf": [
        {
          "const": "public",
          "description": "Safe to publish anywhere.",
          "type": "string"
        },
        {
          "const": "customer",
          "description": "Visible to customers under standard ToS.",
          "type": "string"
        },
        {
          "const": "internal",
          "description": "Employees and contractors only.",
          "type": "string"
        },
        {
          "const": "restricted",
          "description": "Need-to-know subset of internal.",
          "type": "string"
        },
        {
          "const": "board_only",
          "description": "Board members and direct staff.",
          "type": "string"
        },
        {
          "const": "investor_only",
          "description": "Existing investors + prospective with NDA.",
          "type": "string"
        }
      ]
    },
    "EvidenceKind": {
      "description": "Evidence collection kind.",
      "oneOf": [
        {
          "const": "screenshot",
          "description": "Screenshot of a system state.",
          "type": "string"
        },
        {
          "const": "log_export",
          "description": "System log export (audit trail).",
          "type": "string"
        },
        {
          "const": "config_snapshot",
          "description": "Config snapshot (IaC, system config).",
          "type": "string"
        },
        {
          "const": "policy_document",
          "description": "Policy / procedure document.",
          "type": "string"
        },
        {
          "const": "signed_acknowledgement",
          "description": "Signed acknowledgement (employee training, NDA).",
          "type": "string"
        },
        {
          "const": "walkthrough",
          "description": "Walkthrough notes (auditor observation).",
          "type": "string"
        },
        {
          "const": "interview",
          "description": "Interview transcript / notes.",
          "type": "string"
        },
        {
          "const": "test_sample",
          "description": "Sample test output (re-performance).",
          "type": "string"
        },
        {
          "const": "vendor_attestation",
          "description": "Vendor attestation (SOC 2 of sub-processor).",
          "type": "string"
        },
        {
          "const": "risk_assessment",
          "description": "Risk assessment artefact.",
          "type": "string"
        },
        {
          "const": "monitoring_export",
          "description": "Continuous-monitoring metric export.",
          "type": "string"
        }
      ]
    },
    "EvidenceReviewStatus": {
      "description": "Evidence review status.",
      "oneOf": [
        {
          "enum": [
            "pending"
          ],
          "type": "string"
        },
        {
          "const": "internally_reviewed",
          "description": "Reviewed by internal control owner.",
          "type": "string"
        },
        {
          "const": "auditor_accepted",
          "description": "Auditor reviewed and accepted.",
          "type": "string"
        },
        {
          "const": "auditor_follow_up",
          "description": "Auditor requested follow-up.",
          "type": "string"
        },
        {
          "const": "rejected",
          "description": "Rejected.",
          "type": "string"
        }
      ]
    },
    "IsoDate": {
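      "description": "ISO 8601 date (YYYY-MM-DD). Under draft 2020-12 `format` is an annotation by default, so the value is only checked as a date when the validator enables format assertion.",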
      "format": "date",
      "type": "string"
    },
    "PathRef": {
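      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`\nThe pattern accepts `.` and `..` as segments after the first, so a consumer that\nresolves a PathRef on disk should normalise it and confirm the result stays under\nthe root.",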
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/audit-evidence.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "One audit-evidence record.",
  "properties": {
    "artefact_ref": {
      "$ref": "#/$defs/PathRef",
      "description": "PathRef to the artefact (PDF, ZIP, screenshot)."
    },
    "audit_id": {
      "$ref": "#/$defs/PathRef",
      "description": "PathRef to the audit cycle this evidence belongs to (e.g. the SOC 2 2026 Type II cycle)."
    },
    "audit_kind": {
      "$ref": "#/$defs/AuditKind"
    },
    "collected_by": {
      "$ref": "#/$defs/PathRef"
    },
    "collected_on": {
      "$ref": "#/$defs/IsoDate"
    },
    "confidentiality": {
      "$ref": "#/$defs/Confidentiality"
    },
    "control": {
      "$ref": "#/$defs/PathRef",
      "description": "PathRef to the security control proved."
    },
    "entity": {
      "$ref": "#/$defs/PathRef"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "kind": {
      "$ref": "#/$defs/EvidenceKind"
    },
    "review_status": {
      "$ref": "#/$defs/EvidenceReviewStatus"
    },
    "reviewed_by": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ]
    },
    "reviewed_on": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ]
    },
    "reviewer_notes": {
      "description": "Auditor / reviewer notes.",
      "type": [
        "string",
        "null"
      ]
    },
    "valid_from": {
      "$ref": "#/$defs/IsoDate",
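      "description": "Start of the validity window — evidence is fresh between `valid_from` and `valid_to`. The schema does not check that `valid_from` is on or before `valid_to`."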
    },
    "valid_to": {
      "$ref": "#/$defs/IsoDate"
    }
  },
  "required": [
    "id",
    "entity",
    "audit_id",
    "audit_kind",
    "control",
    "kind",
    "artefact_ref",
    "collected_on",
    "collected_by",
    "valid_from",
    "valid_to",
    "review_status",
    "confidentiality"
  ],
  "title": "AuditEvidence",
  "type": "object",
  "x-corpospec-pillar": "legal"
}