feat(system): add ISO 27001:2022 compliance schemas — incident response, supplier security, training, audit scheduling, security impact assessment

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

ROADMAP.md

@@ -543,6 +543,31 @@ business/custom objects, aligning with industry best practices (e.g., ServiceNow
 - [ ] GDPR/CCPA compliance utilities (right to erasure, data export)
 - [ ] Change management and approval workflows for schema changes
 
+### 6.5 ISO 27001:2022 Compliance
+
+> **Goal:** Full schema coverage for ISO 27001:2022 Annex A controls to support certification readiness.
+
+#### 6.5.1 High Priority (Certification Blockers) — ✅ Schema Complete
+
+- [x] **Incident Response Protocol** (A.5.24–A.5.28) — `system/incident-response.zod.ts`: Incident classification, severity grading, response phases, notification matrix, escalation policies
+- [x] **Audit Scheduling & Finding Tracking** (A.5.35) — `system/compliance.zod.ts`: AuditScheduleSchema, AuditFindingSchema for independent review and remediation tracking
+- [x] **Change Management Security Approval** (A.8.32) — `system/change-management.zod.ts`: SecurityImpactAssessment with risk level, data classification, security reviewer workflow
+
+#### 6.5.2 Medium Priority (Compliance Completeness) — ✅ Schema Complete
+
+- [x] **Supplier Security Assessment** (A.5.19–A.5.22) — `system/supplier-security.zod.ts`: Supplier risk levels, security requirements, assessment lifecycle, remediation tracking
+- [x] **Information Security Training** (A.6.3) — `system/training.zod.ts`: Training courses, completion records, organizational training plans with recertification
+
+#### 6.5.3 Medium Priority (Pending)
+
+- [ ] **OAuth Scope Binding** (A.8.1) — API endpoint schema with required OAuth scopes
+- [ ] **Permission Registry** (A.8.2) — Transform `manifest.permissions` from `string[]` to structured registry enum
+
+#### 6.5.4 Low Priority (Enhancements)
+
+- [ ] Permission delegation and temporary privilege elevation protocol (AWS STS-style)
+- [ ] Device trust policy extensions
+
 ---
 
 ## Phase 7: AI & Intelligence (🔴 Planned)

packages/spec/src/system/change-management.test.ts

@@ -653,4 +653,120 @@ describe('ChangeRequestSchema', () => {
 
     expect(() => ChangeRequestSchema.parse(rolledBackChange)).not.toThrow();
   });
+
+  it('should accept change with security impact assessment (A.8.32)', () => {
+    const changeWithSecurityImpact = {
+      id: 'CHG-2024-SEC-001',
+      title: 'API Gateway Configuration Change',
+      description: 'Update API gateway security headers',
+      type: 'normal',
+      priority: 'high',
+      status: 'approved',
+      requestedBy: 'security_team',
+      requestedAt: Date.now(),
+      impact: {
+        level: 'high',
+        affectedSystems: ['api-gateway'],
+      },
+      implementation: {
+        description: 'Update security headers',
+        steps: [
+          {
+            order: 1,
+            description: 'Deploy configuration',
+            estimatedMinutes: 10,
+          },
+        ],
+      },
+      rollbackPlan: {
+        description: 'Revert configuration',
+        steps: [
+          {
+            order: 1,
+            description: 'Restore previous config',
+            estimatedMinutes: 5,
+          },
+        ],
+      },
+      securityImpact: {
+        assessed: true,
+        riskLevel: 'high',
+        affectedDataClassifications: ['pii', 'confidential'],
+        requiresSecurityApproval: true,
+        reviewedBy: 'ciso',
+        reviewedAt: Date.now(),
+        reviewNotes: 'Approved with monitoring requirement',
+      },
+    };
+
+    const parsed = ChangeRequestSchema.parse(changeWithSecurityImpact);
+    expect(parsed.securityImpact?.assessed).toBe(true);
+    expect(parsed.securityImpact?.riskLevel).toBe('high');
+    expect(parsed.securityImpact?.requiresSecurityApproval).toBe(true);
+  });
+
+  it('should accept change with minimal security impact', () => {
+    const change = {
+      id: 'CHG-2024-SEC-002',
+      title: 'Minor UI Change',
+      description: 'Update button color',
+      type: 'standard',
+      priority: 'low',
+      status: 'draft',
+      requestedBy: 'user_123',
+      requestedAt: Date.now(),
+      impact: {
+        level: 'low',
+        affectedSystems: ['ui'],
+      },
+      implementation: {
+        description: 'Update CSS',
+        steps: [{ order: 1, description: 'Deploy', estimatedMinutes: 5 }],
+      },
+      rollbackPlan: {
+        description: 'Revert CSS',
+        steps: [{ order: 1, description: 'Revert', estimatedMinutes: 5 }],
+      },
+      securityImpact: {
+        assessed: true,
+        riskLevel: 'none',
+      },
+    };
+
+    const parsed = ChangeRequestSchema.parse(change);
+    expect(parsed.securityImpact?.riskLevel).toBe('none');
+    expect(parsed.securityImpact?.requiresSecurityApproval).toBe(false);
+  });
+
+  it('should accept all security risk levels', () => {
+    const levels = ['none', 'low', 'medium', 'high', 'critical'] as const;
+
+    levels.forEach((riskLevel) => {
+      const change = {
+        id: `CHG-${riskLevel}`,
+        title: 'Test',
+        description: 'Test',
+        type: 'standard',
+        priority: 'low',
+        status: 'draft',
+        requestedBy: 'user',
+        requestedAt: Date.now(),
+        impact: { level: 'low', affectedSystems: ['test'] },
+        implementation: {
+          description: 'Test',
+          steps: [{ order: 1, description: 'Test', estimatedMinutes: 5 }],
+        },
+        rollbackPlan: {
+          description: 'Test',
+          steps: [{ order: 1, description: 'Test', estimatedMinutes: 5 }],
+        },
+        securityImpact: {
+          assessed: true,
+          riskLevel,
+        },
+      };
+
+      expect(() => ChangeRequestSchema.parse(change)).not.toThrow();
+    });
+  });
 });

packages/spec/src/system/change-management.zod.ts

@@ -319,6 +319,53 @@ export const ChangeRequestSchema = z.object({
     actualEnd: z.number().optional().describe('Actual end time'),
   }).optional().describe('Schedule'),
 
+  /**
+   * Security impact assessment for the change (A.8.32)
+   */
+  securityImpact: z.object({
+    /**
+     * Whether a security impact assessment has been performed
+     */
+    assessed: z.boolean().describe('Whether security impact has been assessed'),
+
+    /**
+     * Security risk level of this change
+     */
+    riskLevel: z.enum(['none', 'low', 'medium', 'high', 'critical']).optional()
+      .describe('Security risk level'),
+
+    /**
+     * Data classifications affected by this change
+     */
+    affectedDataClassifications: z.array(z.enum([
+      'pii', 'phi', 'pci', 'financial', 'confidential', 'internal', 'public',
+    ])).optional().describe('Affected data classifications'),
+
+    /**
+     * Whether the change requires security team approval
+     */
+    requiresSecurityApproval: z.boolean().default(false)
+      .describe('Whether security team approval is required'),
+
+    /**
+     * Security reviewer user ID
+     */
+    reviewedBy: z.string().optional()
+      .describe('Security reviewer user ID'),
+
+    /**
+     * Security review completion timestamp (Unix milliseconds)
+     */
+    reviewedAt: z.number().optional()
+      .describe('Security review timestamp'),
+
+    /**
+     * Security review notes or conditions
+     */
+    reviewNotes: z.string().optional()
+      .describe('Security review notes or conditions'),
+  }).optional().describe('Security impact assessment per ISO 27001:2022 A.8.32'),
+
   /**
    * Approval workflow configuration
    */

packages/spec/src/system/compliance.test.ts

@@ -5,6 +5,10 @@ import {
   PCIDSSConfigSchema,
   AuditLogConfigSchema,
   ComplianceConfigSchema,
+  AuditFindingSeveritySchema,
+  AuditFindingStatusSchema,
+  AuditFindingSchema,
+  AuditScheduleSchema,
 } from './compliance.zod';
 
 describe('GDPRConfigSchema', () => {
@@ -226,4 +230,178 @@ describe('ComplianceConfigSchema', () => {
   it('should reject missing auditLog', () => {
     expect(() => ComplianceConfigSchema.parse({})).toThrow();
   });
+
+  it('should accept configuration with audit schedules', () => {
+    const config = ComplianceConfigSchema.parse({
+      auditLog: {
+        events: ['create', 'update'],
+      },
+      auditSchedules: [
+        {
+          id: 'AUDIT-2024-Q1',
+          title: 'Q1 ISO 27001 Internal Audit',
+          scope: ['access_control', 'encryption'],
+          framework: 'iso27001',
+          scheduledAt: 1711929600000,
+          assessor: 'internal_audit_team',
+        },
+      ],
+    });
+
+    expect(config.auditSchedules).toHaveLength(1);
+    expect(config.auditSchedules![0].framework).toBe('iso27001');
+  });
+});
+
+describe('AuditFindingSeveritySchema', () => {
+  it('should accept all valid severities', () => {
+    const severities = ['critical', 'major', 'minor', 'observation'];
+
+    severities.forEach((severity) => {
+      expect(() => AuditFindingSeveritySchema.parse(severity)).not.toThrow();
+    });
+  });
+
+  it('should reject invalid severity', () => {
+    expect(() => AuditFindingSeveritySchema.parse('warning')).toThrow();
+  });
+});
+
+describe('AuditFindingStatusSchema', () => {
+  it('should accept all valid statuses', () => {
+    const statuses = ['open', 'in_remediation', 'remediated', 'verified', 'accepted_risk', 'closed'];
+
+    statuses.forEach((status) => {
+      expect(() => AuditFindingStatusSchema.parse(status)).not.toThrow();
+    });
+  });
+
+  it('should reject invalid status', () => {
+    expect(() => AuditFindingStatusSchema.parse('pending')).toThrow();
+  });
+});
+
+describe('AuditFindingSchema', () => {
+  it('should accept valid finding', () => {
+    const finding = AuditFindingSchema.parse({
+      id: 'FIND-2024-001',
+      title: 'Insufficient access logging',
+      description: 'PHI access events are not being logged for HIPAA compliance',
+      severity: 'major',
+      status: 'in_remediation',
+      controlReference: 'A.8.15',
+      framework: 'iso27001',
+      identifiedAt: 1704067200000,
+      identifiedBy: 'external_auditor',
+      remediationPlan: 'Implement audit logging for all PHI access events',
+      remediationDeadline: 1706745600000,
+    });
+
+    expect(finding.severity).toBe('major');
+    expect(finding.framework).toBe('iso27001');
+  });
+
+  it('should accept minimal finding', () => {
+    const finding = AuditFindingSchema.parse({
+      id: 'FIND-2024-002',
+      title: 'Missing encryption',
+      description: 'Field-level encryption not enabled',
+      severity: 'minor',
+      status: 'open',
+      identifiedAt: Date.now(),
+      identifiedBy: 'internal_audit',
+    });
+
+    expect(finding.controlReference).toBeUndefined();
+    expect(finding.remediationPlan).toBeUndefined();
+  });
+
+  it('should accept verified finding', () => {
+    const finding = AuditFindingSchema.parse({
+      id: 'FIND-2024-003',
+      title: 'Weak password policy',
+      description: 'Password minimum length below 12 characters',
+      severity: 'observation',
+      status: 'verified',
+      identifiedAt: 1704067200000,
+      identifiedBy: 'auditor',
+      verifiedAt: 1706745600000,
+      verifiedBy: 'senior_auditor',
+      notes: 'Password policy updated and verified',
+    });
+
+    expect(finding.verifiedAt).toBe(1706745600000);
+    expect(finding.verifiedBy).toBe('senior_auditor');
+  });
+
+  it('should reject missing required fields', () => {
+    expect(() => AuditFindingSchema.parse({})).toThrow();
+  });
+});
+
+describe('AuditScheduleSchema', () => {
+  it('should accept valid schedule with defaults', () => {
+    const schedule = AuditScheduleSchema.parse({
+      id: 'AUDIT-2024-Q1',
+      title: 'Q1 ISO 27001 Internal Audit',
+      scope: ['access_control', 'encryption', 'incident_response'],
+      framework: 'iso27001',
+      scheduledAt: 1711929600000,
+      assessor: 'internal_audit_team',
+    });
+
+    expect(schedule.isExternal).toBe(false);
+    expect(schedule.recurrenceMonths).toBe(0);
+    expect(schedule.findings).toBeUndefined();
+  });
+
+  it('should accept full schedule with findings', () => {
+    const schedule = AuditScheduleSchema.parse({
+      id: 'AUDIT-2024-EXT',
+      title: 'Annual External ISO 27001 Audit',
+      scope: ['all_controls'],
+      framework: 'iso27001',
+      scheduledAt: 1711929600000,
+      completedAt: 1712534400000,
+      assessor: 'External Audit Firm LLC',
+      isExternal: true,
+      recurrenceMonths: 12,
+      findings: [
+        {
+          id: 'FIND-001',
+          title: 'Missing incident response plan',
+          description: 'No documented incident response procedure',
+          severity: 'major',
+          status: 'open',
+          controlReference: 'A.5.24',
+          framework: 'iso27001',
+          identifiedAt: 1712534400000,
+          identifiedBy: 'External Audit Firm LLC',
+        },
+      ],
+    });
+
+    expect(schedule.isExternal).toBe(true);
+    expect(schedule.recurrenceMonths).toBe(12);
+    expect(schedule.findings).toHaveLength(1);
+  });
+
+  it('should accept all framework values', () => {
+    const frameworks = ['gdpr', 'hipaa', 'sox', 'pci_dss', 'ccpa', 'iso27001'];
+
+    frameworks.forEach((framework) => {
+      expect(() => AuditScheduleSchema.parse({
+        id: `AUDIT-${framework}`,
+        title: `${framework} audit`,
+        scope: ['general'],
+        framework,
+        scheduledAt: Date.now(),
+        assessor: 'auditor',
+      })).not.toThrow();
+    });
+  });
+
+  it('should reject missing required fields', () => {
+    expect(() => AuditScheduleSchema.parse({})).toThrow();
+  });
 });