Legal pillar · v0.8.1
control SecurityControl
Security control implementation aligned with OSCAL component definition model.
$id · https://corpospec.com/schemas/v0.8.1/control.schema.json
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| catalog | ControlCatalog | yes | Catalog that defines `control_id`. Use a specific variant when available. |
| control_id | string | yes | Catalog-specific control identifier. The expected format depends on `catalog`: ISO 27001 uses `A.X.Y` (e.g. `A.9.1.1`), SOC 2 uses `CCx.y` (e.g. `CC6.1`), NIST 800-53 uses `AC-1` etc. Free-form string to accommodate any catalog. |
| id | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| status | ControlStatus | yes | Control implementation status. |
| title | string | yes | Short human-readable title of the control (e.g. "Access Control Policy"). |
| assessor | string? | — | Party that assessed the control. Accepts a CorpoSpec PathRef into `people/**` (e.g. `people/team/maik`) or an RFC 5321 email address for external assessors. Required for audit trail — omit only for self-attestations that have not yet been reviewed. |
| cis_mapping | CisMapping[] | — | CIS Controls safeguard mappings. |
| evidence | Evidence[] | — | Evidence records for the control (see `Evidence`). |
| gdpr_mapping | GdprMapping[] | — | GDPR article mappings for controls that address data protection obligations. |
| implementation | ControlImplementation? | — | Description of how the control is implemented plus the components that realise it. Controls without an `implementation` are incomplete; populate this once the control moves beyond `planned`. |
| iso27001_mapping | Iso27001Mapping[] | — | ISO 27001 mapping entries. |
| last_assessed | IsoDate? | — | Date of the most recent assessment (ISO 8601, `YYYY-MM-DD`). |
| nist_csf_mapping | NistCsfMapping[] | — | NIST Cybersecurity Framework subcategory mappings. |
| soc2_mapping | Soc2Mapping[] | — | SOC 2 mapping entries. |
Definitions
Shared types referenced within this schema.
CisMapping
CIS Controls mapping entry.
Stub type — structured safeguard fields can be added in a future pass.
type: object
ComponentType
Component type in a control implementation.
enum: "service", "process", "policy", "hardware", "software"
ControlCatalog
Control catalog that defines the control identifier space.
The `control_id` on `SecurityControl` is interpreted against this catalog;
e.g. ISO 27001 uses `A.X.Y` identifiers, SOC 2 uses `CCx.y`.
ControlComponent
Component of a control implementation.
type: object
ControlImplementation
Control implementation details.
type: object
ControlStatus
Control implementation status.
enum: "planned", "implemented", "partial", "not-applicable"
Evidence
Evidence record.
type: object
EvidenceType
Evidence type.
enum: "configuration", "process", "document", "screenshot", "log"
GdprMapping
GDPR article mapping entry.
Stub type — prefer adding structured fields (article, paragraph, subject-right) in a
future pass once GDPR mappings are authored in real YAML.
type: object
Iso27001Mapping
ISO 27001 mapping entry.
type: object
IsoDate
ISO 8601 date (YYYY-MM-DD).
type: string
NistCsfMapping
NIST Cybersecurity Framework mapping entry.
Stub type — structured subcategory fields can be added in a future pass.
type: object
PathRef
Path-based cross-reference relative to .corpospec/ root.
Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`
pattern: ^[a-z0-9_-]+(/[a-z0-9_.-]+)+$
Soc2Mapping
SOC2 mapping entry.
type: object
Reference in your YAML
```yaml
# yaml-language-server: $schema=https://corpospec.com/schemas/v0.8.1/control.schema.json
```
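As an added example, not part of CorpoSpec or of this schema page, a small Python checker that applies the rules stated in the Fields table and Definitions to a parsed control document: the PathRef pattern, the `ControlStatus` enum, the catalog-dependent `control_id` format, the `assessor` rule (a `people/**` PathRef or an email address), and the expectation that `implementation` is present once a control moves beyond `planned`. The catalog values (`iso27001`, `soc2`, `nist-800-53`) and the NIST identifier pattern are assumptions, since the page does not list the `ControlCatalog` enum; the sample documents are constructed.

```python
import re

# Assumed ControlCatalog values and the control_id shape each one expects
# (the schema page gives the ISO/SOC 2 shapes but not the enum names).
CATALOG_ID_PATTERNS = {
    "iso27001": re.compile(r"^A\.\d+\.\d+(\.\d+)?$"),     # e.g. A.9.1.1
    "soc2": re.compile(r"^CC\d+\.\d+$"),                   # e.g. CC6.1
    "nist-800-53": re.compile(r"^[A-Z]{2}-\d+(\(\d+\))?$"),  # e.g. AC-1 (assumed)
}
PATH_REF = re.compile(r"^[a-z0-9_-]+(/[a-z0-9_.-]+)+$")   # PathRef pattern from the page
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")        # coarse email check
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")            # IsoDate: YYYY-MM-DD
STATUSES = {"planned", "implemented", "partial", "not-applicable"}
REQUIRED = ("catalog", "control_id", "id", "status", "title")

def validate_control(doc: dict) -> list[str]:
    """Return the list of problems found; an empty list means the document passes."""
    problems = [f"missing required field: {f}" for f in REQUIRED if f not in doc]
    if problems:
        return problems
    if doc["status"] not in STATUSES:
        problems.append(f"unknown status: {doc['status']!r}")
    if not PATH_REF.match(doc["id"]):
        problems.append(f"id is not a valid PathRef: {doc['id']!r}")
    pattern = CATALOG_ID_PATTERNS.get(doc["catalog"])
    if pattern is None:
        problems.append(f"unknown catalog: {doc['catalog']!r}")
    elif not pattern.match(doc["control_id"]):
        problems.append(f"control_id {doc['control_id']!r} does not fit catalog {doc['catalog']}")
    assessor = doc.get("assessor")
    if assessor is not None:
        is_people_ref = assessor.startswith("people/") and PATH_REF.match(assessor)
        if not (is_people_ref or EMAIL.match(assessor)):
            problems.append("assessor must be a people/** PathRef or an email address")
    # Controls beyond 'planned' need an implementation; 'not-applicable' is exempted (assumption).
    if doc["status"] in {"implemented", "partial"} and "implementation" not in doc:
        problems.append("implementation required once status is beyond 'planned'")
    if "last_assessed" in doc and not ISO_DATE.match(str(doc["last_assessed"])):
        problems.append(f"last_assessed is not YYYY-MM-DD: {doc['last_assessed']!r}")
    return problems

# Constructed sample documents (not taken from the page).
GOOD = {
    "catalog": "iso27001", "control_id": "A.9.1.1",
    "id": "controls/access/policy", "status": "implemented",
    "title": "Access Control Policy", "assessor": "people/team/maik",
    "implementation": {"description": "Enforced through SSO group policy"},
    "last_assessed": "2024-05-01",
}
# Wrong catalog shape, bare assessor name, and no implementation while 'partial'.
BAD = {**GOOD, "control_id": "CC6.1", "assessor": "maik", "status": "partial"}
del BAD["implementation"]
```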