Legal pillar · v0.16.0
security-incident SecurityIncident
Security incident.
$id · https://corpospec.com/schemas/v0.16.0/security-incident.schema.json
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| affected | AffectedScope | yes | Affected-asset / data narrative. |
| confidentiality | Confidentiality | yes | Cross-cutting confidentiality classification used across privacy, security, knowledge, IR pillars. Default rendering rule: `corpospec-report` excludes `Restricted \| BoardOnly \| InvestorOnly` records from public output unless an explicit audience parameter overrides. See BDR 0076 §1. |
| created_at | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| detected_at | IsoDate | yes | When the incident was detected by us. |
| entity | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| id | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| is_personal_data_breach | boolean | yes | Whether a personal-data breach (triggers Art. 33/34). |
| kind | IncidentKind | yes | Incident kind. |
| last_updated | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| severity | IncidentSeverity | yes | Incident severity. |
| status | IncidentStatus | yes | Lifecycle. |
| summary | string | yes | Narrative summary. |
| timeline | IncidentTimelineEvent[] | yes | |
| title | string | yes | Title (one-line summary). |
| art33_filing_ref | PathRef? | — | Reference to the Art. 33 filing. |
| art33_notified_at | IsoDate? | — | Art. 33 supervisory authority notification date (None if not notified yet / not applicable). |
| art34_notified_at | IsoDate? | — | Art. 34 data-subject notification date. |
| art34_skip_reason | string? | — | Reason Art. 34 was not invoked (when applicable). |
| contained_at | IsoDate? | — | When the incident was contained. |
| follow_up_refs | PathRef[] | — | PathRefs to follow-up issues / BDRs / runbooks. |
| lessons_learned | string? | — | Lessons-learned narrative. |
| nis2_early_warning_at | IsoDate? | — | NIS2 24h early-warning timestamp. |
| nis2_final_report_at | IsoDate? | — | NIS2 1-month final-report timestamp. |
| nis2_notification_at | IsoDate? | — | NIS2 72h incident-notification timestamp. |
| occurred_at | IsoDate? | — | When the underlying event actually started. |
| postmortem_ref | PathRef? | — | PathRef to the post-mortem document. |
| root_cause | string? | — | Root-cause analysis narrative. |
Definitions
Shared types referenced within this schema.
AffectedScope
Affected-asset / data narrative.
type: object
Confidentiality
Cross-cutting confidentiality classification used across privacy,
security, knowledge, IR pillars. Default rendering rule: `corpospec-report`
excludes `Restricted | BoardOnly | InvestorOnly` records from public output
unless an explicit audience parameter overrides. See BDR 0076 §1.
IncidentKind
Incident kind.
IncidentSeverity
Incident severity.
IncidentStatus
Lifecycle.
enum: "detected", "triaging", "confirmed", "contained", "eradicated", "recovering", "closed", "post_mortem"
IncidentTimelineEvent
One timeline event.
type: object
IsoDate
ISO 8601 date (YYYY-MM-DD).
type: string
PathRef
Path-based cross-reference relative to .corpospec/ root.
Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`
pattern: ^[a-z0-9_-]+(/[a-z0-9_.-]+)+$
Reference in your YAML
```yaml
# yaml-language-server: $schema=https://corpospec.com/schemas/v0.16.0/security-incident.schema.json
```
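
The PathRef pattern allows dots in every segment after the first, so a value containing `.` or `..` segments still matches it. The following check is an added example, not CorpoSpec's own code: it applies the required fields, the `IncidentStatus` enum and the PathRef pattern from this page, then rejects dot segments before a consumer resolves a reference against the `.corpospec/` root. It assumes the record is already parsed from YAML into a dict; the function names and the sample record are constructed for illustration.

```python
import re

# Constants copied from the schema page; function names are hypothetical.
PATHREF_RE = re.compile(r"^[a-z0-9_-]+(/[a-z0-9_.-]+)+$")
STATUSES = {"detected", "triaging", "confirmed", "contained", "eradicated",
            "recovering", "closed", "post_mortem"}
REQUIRED = ["affected", "confidentiality", "created_at", "detected_at", "entity",
            "id", "is_personal_data_breach", "kind", "last_updated", "severity",
            "status", "summary", "timeline", "title"]
PATHREF_FIELDS = ["id", "entity", "art33_filing_ref", "postmortem_ref"]
NON_PUBLIC = {"Restricted", "BoardOnly", "InvestorOnly"}

def pathref_problem(value):
    """Return None if value is a safe PathRef, else a reason string."""
    if not isinstance(value, str) or not PATHREF_RE.fullmatch(value):
        return "does not match PathRef pattern"
    # The pattern permits dots in later segments, so "." and ".." pass it.
    if any(seg in (".", "..") for seg in value.split("/")):
        return "contains a '.' or '..' segment"
    return None

def check_incident(rec):
    """Return a list of problems found in a parsed security-incident record."""
    problems = [f"{f}: required field missing" for f in REQUIRED if f not in rec]
    refs = [(f, rec[f]) for f in PATHREF_FIELDS if rec.get(f) is not None]
    refs += [(f"follow_up_refs[{i}]", r)
             for i, r in enumerate(rec.get("follow_up_refs", []))]
    for name, value in refs:
        reason = pathref_problem(value)
        if reason:
            problems.append(f"{name}: {reason}")
    if "status" in rec and rec["status"] not in STATUSES:
        problems.append("status: not an IncidentStatus value")
    return problems

def public_output_allowed(rec):
    """Default rendering rule; a missing classification is treated as non-public."""
    level = rec.get("confidentiality")
    return level is not None and level not in NON_PUBLIC

# Constructed sample: every ref matches the pattern, yet one points outside the root.
SAMPLE = dict.fromkeys(REQUIRED, "placeholder")
SAMPLE.update(id="incidents/2025-001", entity="entities/acme", status="contained",
              confidentiality="Restricted",
              postmortem_ref="incidents/../../outside/notes.md")
```
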