{
  "$defs": {
    "CisMapping": {
      "description": "CIS Controls mapping entry.\n\nStub type — structured safeguard fields can be added in a future pass.",
      "properties": {
        "description": {
          "description": "Human-readable summary of the safeguard and how the implementation addresses it.",
          "type": [
            "string",
            "null"
          ]
        },
        "safeguard": {
          "description": "CIS Controls v8 safeguard identifier (e.g. `1.1`, `4.2`).",
          "type": "string"
        }
      },
      "required": [
        "safeguard"
      ],
      "type": "object"
    },
    "ComponentType": {
      "description": "Component type in a control implementation.",
      "enum": [
        "service",
        "process",
        "policy",
        "hardware",
        "software"
      ],
      "type": "string"
    },
    "ControlCatalog": {
      "description": "Control catalog that defines the control identifier space.\n\nThe `control_id` on `SecurityControl` is interpreted against this catalog;\ne.g. ISO 27001 uses `A.X.Y` identifiers, SOC 2 uses `CCx.y`.",
      "oneOf": [
        {
          "const": "iso27001",
          "description": "ISO/IEC 27001 Annex A (information security management).",
          "type": "string"
        },
        {
          "const": "soc2",
          "description": "AICPA SOC 2 Trust Services Criteria.",
          "type": "string"
        },
        {
          "const": "gdpr",
          "description": "EU General Data Protection Regulation (Regulation 2016/679).",
          "type": "string"
        },
        {
          "const": "hipaa",
          "description": "US Health Insurance Portability and Accountability Act.",
          "type": "string"
        },
        {
          "const": "pci-dss",
          "description": "Payment Card Industry Data Security Standard.",
          "type": "string"
        },
        {
          "const": "cis",
          "description": "CIS Controls (Center for Internet Security).",
          "type": "string"
        },
        {
          "const": "nist-csf",
          "description": "NIST Cybersecurity Framework.",
          "type": "string"
        },
        {
          "const": "nist80053",
          "description": "NIST Special Publication 800-53.",
          "type": "string"
        },
        {
          "const": "cobit",
          "description": "ISACA COBIT framework.",
          "type": "string"
        },
        {
          "const": "other",
          "description": "Catalog not covered by a specific variant. Prefer a specific variant when possible.",
          "type": "string"
        }
      ]
    },
    "ControlComponent": {
      "description": "Component of a control implementation.",
      "properties": {
        "name": {
          "description": "Human-readable identifier of the component (e.g. \"Privacy Policy\", \"Datadog\").",
          "type": "string"
        },
        "role": {
          "description": "How this component contributes to the control — one sentence explaining its role.",
          "type": "string"
        },
        "type": {
          "$ref": "#/$defs/ComponentType",
          "description": "Component category aligned with OSCAL component definition model."
        }
      },
      "required": [
        "name",
        "type",
        "role"
      ],
      "type": "object"
    },
    "ControlImplementation": {
      "description": "Control implementation details.",
      "properties": {
        "components": {
          "default": [],
          "items": {
            "$ref": "#/$defs/ControlComponent"
          },
          "type": "array"
        },
        "description": {
          "type": "string"
        }
      },
      "required": [
        "description"
      ],
      "type": "object"
    },
    "ControlStatus": {
      "description": "Control implementation status.",
      "enum": [
        "planned",
        "implemented",
        "partial",
        "not-applicable"
      ],
      "type": "string"
    },
    "Evidence": {
      "description": "Evidence record.",
      "properties": {
        "path": {
          "description": "Location of the evidence artifact. Accepts (in order of preference):\na CorpoSpec PathRef (e.g. `legal/policies/privacy-policy`), a repository-relative\nfilesystem path (e.g. `legal/policies/privacy-policy.md`), a URI, or a content hash.\nOnly `string` is enforced by this schema; a consumer that resolves a filesystem path or PathRef\nmust confine the resolved location to the repository root.",
          "type": "string"
        },
        "type": {
          "$ref": "#/$defs/EvidenceType",
          "description": "Artifact category of the evidence."
        }
      },
      "required": [
        "type",
        "path"
      ],
      "type": "object"
    },
    "EvidenceType": {
      "description": "Evidence type.",
      "enum": [
        "configuration",
        "process",
        "document",
        "screenshot",
        "log"
      ],
      "type": "string"
    },
    "GdprMapping": {
      "description": "GDPR article mapping entry.\n\nStub type — prefer adding structured fields (article, paragraph, subject-right) in a\nfuture pass once GDPR mappings are authored in real YAML.",
      "properties": {
        "article": {
          "description": "GDPR article reference (e.g. `Art. 5(1)(c)`, `Art. 32`).",
          "type": "string"
        },
        "description": {
          "description": "Human-readable summary of the article and how the implementation addresses it.",
          "type": [
            "string",
            "null"
          ]
        }
      },
      "required": [
        "article"
      ],
      "type": "object"
    },
    "Iso27001Mapping": {
      "description": "ISO 27001 mapping entry.",
      "properties": {
        "control": {
          "description": "ISO/IEC 27001 Annex A control identifier. The examples `A.9.1.1`, `A.18.1.4` follow the 2013 edition numbering;\nthe 2022 edition renumbers Annex A into two-level identifiers (`A.5.1`–`A.8.34`).",
          "type": "string"
        },
        "description": {
          "description": "Human-readable summary of the control and how the implementation addresses it.",
          "type": [
            "string",
            "null"
          ]
        }
      },
      "required": [
        "control"
      ],
      "type": "object"
    },
    "IsoDate": {
      "description": "ISO 8601 date (YYYY-MM-DD).",
      "format": "date",
      "type": "string"
    },
    "NistCsfMapping": {
      "description": "NIST Cybersecurity Framework mapping entry.\n\nStub type — structured subcategory fields can be added in a future pass.",
      "properties": {
        "description": {
          "description": "Human-readable summary of the subcategory and how the implementation addresses it.",
          "type": [
            "string",
            "null"
          ]
        },
        "subcategory": {
          "description": "NIST CSF subcategory identifier (e.g. `ID.AM-1`, `PR.AC-4`).",
          "type": "string"
        }
      },
      "required": [
        "subcategory"
      ],
      "type": "object"
    },
    "PathRef": {
      "description": "Path-based cross-reference relative to the .corpospec/ root.\nPattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`\nNote: segments after the first may consist solely of dots (`.`, `..`), so the pattern alone does not\nprevent a reference from resolving outside the root; resolvers must normalise the path and reject\nanything that escapes .corpospec/.",
      "pattern": "^[a-z0-9_-]+(/[a-z0-9_.-]+)+$",
      "type": "string"
    },
    "Soc2Mapping": {
      "description": "SOC 2 mapping entry.",
      "properties": {
        "criteria": {
          "description": "SOC 2 Trust Services Criteria identifier (e.g. `CC6.1`, `CC7.2`).",
          "type": "string"
        },
        "description": {
          "description": "Human-readable summary of the criterion and how the implementation addresses it.",
          "type": [
            "string",
            "null"
          ]
        }
      },
      "required": [
        "criteria"
      ],
      "type": "object"
    }
  },
  "$id": "https://corpospec.com/schemas/v0.8.1/control.schema.json",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "additionalProperties": false,
  "description": "Security control implementation aligned with OSCAL component definition model.",
  "properties": {
    "assessor": {
      "description": "Party that assessed the control. Accepts a CorpoSpec PathRef into `people/**`\n(e.g. `people/team/maik`) or an RFC 5321 email address for external assessors;\nneither form is validated beyond `string` by this schema.\nRequired for audit trail — omit only for self-attestations that have not yet been reviewed.",
      "type": [
        "string",
        "null"
      ]
    },
    "catalog": {
      "$ref": "#/$defs/ControlCatalog",
      "description": "Catalog that defines `control_id`. Use a specific variant when available."
    },
    "cis_mapping": {
      "default": [],
      "description": "CIS Controls safeguard mappings.",
      "items": {
        "$ref": "#/$defs/CisMapping"
      },
      "type": "array"
    },
    "control_id": {
      "description": "Catalog-specific control identifier. The expected format depends on `catalog`:\nISO 27001 uses `A.X.Y` in the 2022 edition (e.g. `A.5.1`) and `A.X.Y.Z` in the 2013 edition (e.g. `A.9.1.1`),\nSOC 2 uses `CCx.y` (e.g. `CC6.1`), NIST 800-53 uses `AC-1` etc.\nFree-form string so that any catalog can be accommodated; the format is not validated by this schema.",
      "type": "string"
    },
    "evidence": {
      "default": [],
      "items": {
        "$ref": "#/$defs/Evidence"
      },
      "type": "array"
    },
    "gdpr_mapping": {
      "default": [],
      "description": "GDPR article mappings for controls that address data protection obligations.",
      "items": {
        "$ref": "#/$defs/GdprMapping"
      },
      "type": "array"
    },
    "id": {
      "$ref": "#/$defs/PathRef"
    },
    "implementation": {
      "anyOf": [
        {
          "$ref": "#/$defs/ControlImplementation"
        },
        {
          "type": "null"
        }
      ],
      "description": "Description of how the control is implemented plus the components that realise it.\nControls without an `implementation` are incomplete; populate this once the control\nmoves beyond `planned`."
    },
    "iso27001_mapping": {
      "default": [],
      "items": {
        "$ref": "#/$defs/Iso27001Mapping"
      },
      "type": "array"
    },
    "last_assessed": {
      "anyOf": [
        {
          "$ref": "#/$defs/IsoDate"
        },
        {
          "type": "null"
        }
      ]
    },
    "nist_csf_mapping": {
      "default": [],
      "description": "NIST Cybersecurity Framework subcategory mappings.",
      "items": {
        "$ref": "#/$defs/NistCsfMapping"
      },
      "type": "array"
    },
    "soc2_mapping": {
      "default": [],
      "items": {
        "$ref": "#/$defs/Soc2Mapping"
      },
      "type": "array"
    },
    "status": {
      "$ref": "#/$defs/ControlStatus"
    },
    "title": {
      "description": "Short human-readable title of the control (e.g. \"Access Control Policy\").",
      "type": "string"
    }
  },
  "required": [
    "id",
    "control_id",
    "catalog",
    "title",
    "status"
  ],
  "title": "SecurityControl",
  "type": "object"
}