{
  "$defs": {
    "AssessmentDimension": {
      "description": "Assessment scope dimension.",
      "oneOf": [
        {
          "const": "governance",
          "description": "Governance + integrity (board, ownership transparency, AML).",
          "type": "string"
        },
        {
          "const": "information_security",
          "description": "Information security (ISO 27001 / SOC 2).",
          "type": "string"
        },
        {
          "const": "privacy",
          "description": "Privacy (GDPR Art. 28 / 30 / 32).",
          "type": "string"
        },
        {
          "const": "financial",
          "description": "Financial soundness (audited financials, going-concern).",
          "type": "string"
        },
        {
          "const": "business_continuity",
          "description": "Business continuity (BCP, DR).",
          "type": "string"
        },
        {
          "const": "human_rights",
          "description": "Human rights (LkSG / CSDDD / UN Guiding Principles).",
          "type": "string"
        },
        {
          "const": "environmental",
          "description": "Environmental (CSRD ESRS / GHG Protocol).",
          "type": "string"
        },
        {
          "const": "trade_compliance",
          "description": "Trade compliance (sanctions, export control).",
          "type": "string"
        },
        {
          "const": "anti_bribery",
          "description": "Anti-bribery / anti-corruption (OECD Convention).",
          "type": "string"
        }
      ]
    },
    "AssessmentFinding": {
      "description": "One assessment finding.",
      "properties": {
        "closed": {
          "type": "boolean"
        },
        "description": {
          "type": "string"
        },
        "dimension": {
          "$ref": "#/$defs/AssessmentDimension"
        },
        "due_date": {
          "$ref": "#/$defs/IsoDate"
        },
        "remediation_required": {
          "type": "string"
        },
        "severity": {
          "$ref": "#/$defs/FindingSeverity"
        },
        "tracker_ref": {
          "anyOf": [
            {
              "$ref": "#/$defs/PathRef"
            },
            {
              "type": "null"
            }
          ],
          "description": "PathRef to the remediation tracker / ticket."
        }
      },
      "required": [
        "dimension",
        "severity",
        "description",
        "remediation_required",
        "due_date",
        "closed"
      ],
      "type": "object"
    },
    "AssessmentOutcome": {
      "description": "Assessment outcome.",
      "oneOf": [
        {
          "const": "approved",
          "description": "Vendor cleared without conditions.",
          "type": "string"
        },
        {
          "const": "approved_conditional",
          "description": "Approved subject to remediation.",
          "type": "string"
        },
        {
          "const": "rejected",
          "description": "Rejected (do not engage).",
          "type": "string"
        },
        {
          "const": "pending",
          "description": "In progress.",
          "type": "string"
        }
      ]
    },
    "AssessmentStatus": {
      "description": "Assessment lifecycle status.",
      "oneOf": [
        {
          "enum": [
            "initial",
            "annual",
            "closed"
          ],
          "type": "string"
        },
        {
          "const": "triggered",
          "description": "Triggered by an event (incident, news, ownership change).",
          "type": "string"
        }
      ]
    },
    "Confidentiality": {
      "description": "Cross-cutting confidentiality classification used across the privacy,\nsecurity, knowledge and IR pillars. Default rendering rule: `corpospec-report`\nexcludes `restricted | board_only | investor_only` records from public output\nunless an explicit audience parameter overrides. See BDR 0076 §1.",
      "oneOf": [
        {
          "const": "public",
          "description": "Safe to publish anywhere.",
          "type": "string"
        },
        {
          "const": "customer",
          "description": "Visible to customers under standard ToS.",
          "type": "string"
        },
        {
          "const": "internal",
          "description": "Employees and contractors only.",
          "type": "string"
        },
        {
          "const": "restricted",
          "description": "Need-to-know subset of internal.",
          "type": "string"
        },
        {
          "const": "board_only",
          "description": "Board members and direct staff.",
          "type": "string"
        },
        {
          "const": "investor_only",
          "description": "Existing investors + prospective with NDA.",
          "type": "string"
        }
      ]
    },
    "FindingSeverity": {
      "description": "Finding severity.",
      "enum": [
        "observation",
        "low",
        "medium",
        "high",
        "critical"
      ],
      "type": "string"
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD).",
      "format": "date",
      "type": "string"
    },
    "PathRef": {
      "description": "Path-based cross-reference relative to .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`",
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "VendorRiskTier": {
      "description": "Vendor risk tier.",
      "enum": [
        "low",
        "material",
        "critical"
      ],
      "type": "string"
    }
  },
  "$id": "https://corpospec.com/schemas/v0.16.0/vendor-risk-assessment.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "Vendor risk-assessment record.",
  "properties": {
    "assessed_at": {
      "$ref": "#/$defs/IsoDate"
    },
    "assessed_by": {
      "$ref": "#/$defs/PathRef"
    },
    "confidentiality": {
      "$ref": "#/$defs/Confidentiality"
    },
    "ddq_ref": {
      "anyOf": [
        {
          "$ref": "#/$defs/PathRef"
        },
        {
          "type": "null"
        }
      ],
      "description": "PathRef to the DDQ artefact + vendor's responses."
    },
    "dimensions_assessed": {
      "items": {
        "$ref": "#/$defs/AssessmentDimension"
      },
      "type": "array"
    },
    "due_for_next_assessment": {
      "$ref": "#/$defs/IsoDate"
    },
    "evidence_refs": {
      "description": "PathRefs to evidence artefacts (SOC 2 reports, ISO certificates).",
      "items": {
        "$ref": "#/$defs/PathRef"
      },
      "type": "array"
    },
    "findings": {
      "items": {
        "$ref": "#/$defs/AssessmentFinding"
      },
      "type": "array"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "outcome": {
      "$ref": "#/$defs/AssessmentOutcome"
    },
    "status": {
      "$ref": "#/$defs/AssessmentStatus"
    },
    "tier": {
      "$ref": "#/$defs/VendorRiskTier"
    },
    "vendor": {
      "$ref": "#/$defs/PathRef"
    }
  },
  "required": [
    "id",
    "vendor",
    "tier",
    "dimensions_assessed",
    "findings",
    "outcome",
    "status",
    "assessed_at",
    "assessed_by",
    "due_for_next_assessment",
    "confidentiality"
  ],
  "title": "VendorRiskAssessment",
  "type": "object",
  "x-corpospec-pillar": "operations"
}