@grc-claw/frameworks 2.0.0

@@ -0,0 +1,993 @@
1
+ export const iso27001ExpandedPack = {
2
+ code: 'iso27001',
3
+ name: 'ISO/IEC 27001:2022',
4
+ version: '2022',
5
+ controls: [
6
+ { id: 'iso-a.5.1', controlCode: 'A.5.1', title: 'Policies for information security', frameworkCode: 'iso27001', domain: 'Organizational controls' },
7
+ { id: 'iso-a.5.2', controlCode: 'A.5.2', title: 'Information security roles and responsibilities', frameworkCode: 'iso27001', domain: 'Organizational controls' },
8
+ { id: 'iso-a.5.3', controlCode: 'A.5.3', title: 'Segregation of duties', frameworkCode: 'iso27001', domain: 'Organizational controls' },
9
+ { id: 'iso-a.5.4', controlCode: 'A.5.4', title: 'Management responsibilities', frameworkCode: 'iso27001', domain: 'Organizational controls' },
10
+ { id: 'iso-a.5.5', controlCode: 'A.5.5', title: 'Contact with authorities', frameworkCode: 'iso27001', domain: 'Organizational controls' },
11
+ { id: 'iso-a.5.6', controlCode: 'A.5.6', title: 'Contact with special interest groups', frameworkCode: 'iso27001', domain: 'Organizational controls' },
12
+ { id: 'iso-a.5.7', controlCode: 'A.5.7', title: 'Threat intelligence', frameworkCode: 'iso27001', domain: 'Organizational controls' },
13
+ { id: 'iso-a.5.8', controlCode: 'A.5.8', title: 'Information security in project management', frameworkCode: 'iso27001', domain: 'Organizational controls' },
14
+ { id: 'iso-a.5.9', controlCode: 'A.5.9', title: 'Inventory of information and other associated assets', frameworkCode: 'iso27001', domain: 'Organizational controls' },
15
+ { id: 'iso-a.5.10', controlCode: 'A.5.10', title: 'Acceptable use of information and other associated assets', frameworkCode: 'iso27001', domain: 'Organizational controls' },
16
+ { id: 'iso-a.5.11', controlCode: 'A.5.11', title: 'Return of assets', frameworkCode: 'iso27001', domain: 'Organizational controls' },
17
+ { id: 'iso-a.5.12', controlCode: 'A.5.12', title: 'Classification of information', frameworkCode: 'iso27001', domain: 'Organizational controls' },
18
+ { id: 'iso-a.5.13', controlCode: 'A.5.13', title: 'Labelling of information', frameworkCode: 'iso27001', domain: 'Organizational controls' },
19
+ { id: 'iso-a.5.14', controlCode: 'A.5.14', title: 'Information transfer', frameworkCode: 'iso27001', domain: 'Organizational controls' },
20
+ { id: 'iso-a.5.15', controlCode: 'A.5.15', title: 'Access control', frameworkCode: 'iso27001', domain: 'Organizational controls' },
21
+ { id: 'iso-a.5.16', controlCode: 'A.5.16', title: 'Identity management', frameworkCode: 'iso27001', domain: 'Organizational controls' },
22
+ { id: 'iso-a.5.17', controlCode: 'A.5.17', title: 'Authentication information', frameworkCode: 'iso27001', domain: 'Organizational controls' },
23
+ { id: 'iso-a.5.18', controlCode: 'A.5.18', title: 'Access rights', frameworkCode: 'iso27001', domain: 'Organizational controls' },
24
+ { id: 'iso-a.6.1', controlCode: 'A.6.1', title: 'Screening', frameworkCode: 'iso27001', domain: 'People controls' },
25
+ { id: 'iso-a.6.2', controlCode: 'A.6.2', title: 'Terms and conditions of employment', frameworkCode: 'iso27001', domain: 'People controls' },
26
+ { id: 'iso-a.6.3', controlCode: 'A.6.3', title: 'Information security awareness, education and training', frameworkCode: 'iso27001', domain: 'People controls' },
27
+ { id: 'iso-a.6.4', controlCode: 'A.6.4', title: 'Disciplinary process', frameworkCode: 'iso27001', domain: 'People controls' },
28
+ { id: 'iso-a.6.5', controlCode: 'A.6.5', title: 'Responsibilities after termination or change of employment', frameworkCode: 'iso27001', domain: 'People controls' },
29
+ { id: 'iso-a.7.1', controlCode: 'A.7.1', title: 'Physical security perimeters', frameworkCode: 'iso27001', domain: 'Physical controls' },
30
+ { id: 'iso-a.7.2', controlCode: 'A.7.2', title: 'Physical entry', frameworkCode: 'iso27001', domain: 'Physical controls' },
31
+ { id: 'iso-a.7.3', controlCode: 'A.7.3', title: 'Securing offices, rooms and facilities', frameworkCode: 'iso27001', domain: 'Physical controls' },
32
+ { id: 'iso-a.7.4', controlCode: 'A.7.4', title: 'Physical security monitoring', frameworkCode: 'iso27001', domain: 'Physical controls' },
33
+ { id: 'iso-a.7.5', controlCode: 'A.7.5', title: 'Protecting against physical and environmental threats', frameworkCode: 'iso27001', domain: 'Physical controls' },
34
+ { id: 'iso-a.7.7', controlCode: 'A.7.7', title: 'Clear desk and clear screen', frameworkCode: 'iso27001', domain: 'Physical controls' },
35
+ { id: 'iso-a.7.10', controlCode: 'A.7.10', title: 'Storage media', frameworkCode: 'iso27001', domain: 'Physical controls' },
36
+ { id: 'iso-a.7.11', controlCode: 'A.7.11', title: 'Supporting utilities', frameworkCode: 'iso27001', domain: 'Physical controls' },
37
+ { id: 'iso-a.7.13', controlCode: 'A.7.13', title: 'Equipment maintenance', frameworkCode: 'iso27001', domain: 'Physical controls' },
38
+ { id: 'iso-a.7.14', controlCode: 'A.7.14', title: 'Secure disposal or re-use of equipment', frameworkCode: 'iso27001', domain: 'Physical controls' },
39
+ { id: 'iso-a.8.1', controlCode: 'A.8.1', title: 'User endpoint devices', frameworkCode: 'iso27001', domain: 'Technological controls' },
40
+ { id: 'iso-a.8.2', controlCode: 'A.8.2', title: 'Privileged access rights', frameworkCode: 'iso27001', domain: 'Technological controls' },
41
+ { id: 'iso-a.8.3', controlCode: 'A.8.3', title: 'Information access restriction', frameworkCode: 'iso27001', domain: 'Technological controls' },
42
+ { id: 'iso-a.8.5', controlCode: 'A.8.5', title: 'Secure authentication', frameworkCode: 'iso27001', domain: 'Technological controls' },
43
+ { id: 'iso-a.8.6', controlCode: 'A.8.6', title: 'Capacity management', frameworkCode: 'iso27001', domain: 'Technological controls' },
44
+ { id: 'iso-a.8.7', controlCode: 'A.8.7', title: 'Protection against malware', frameworkCode: 'iso27001', domain: 'Technological controls' },
45
+ { id: 'iso-a.8.8', controlCode: 'A.8.8', title: 'Management of technical vulnerabilities', frameworkCode: 'iso27001', domain: 'Technological controls' },
46
+ { id: 'iso-a.8.9', controlCode: 'A.8.9', title: 'Configuration management', frameworkCode: 'iso27001', domain: 'Technological controls' },
47
+ { id: 'iso-a.8.10', controlCode: 'A.8.10', title: 'Information deletion', frameworkCode: 'iso27001', domain: 'Technological controls' },
48
+ { id: 'iso-a.8.11', controlCode: 'A.8.11', title: 'Data masking', frameworkCode: 'iso27001', domain: 'Technological controls' },
49
+ { id: 'iso-a.8.12', controlCode: 'A.8.12', title: 'Data leakage prevention', frameworkCode: 'iso27001', domain: 'Technological controls' },
50
+ { id: 'iso-a.8.13', controlCode: 'A.8.13', title: 'Information backup', frameworkCode: 'iso27001', domain: 'Technological controls' },
51
+ { id: 'iso-a.8.14', controlCode: 'A.8.14', title: 'Redundancy of information processing facilities', frameworkCode: 'iso27001', domain: 'Technological controls' },
52
+ { id: 'iso-a.8.15', controlCode: 'A.8.15', title: 'Logging', frameworkCode: 'iso27001', domain: 'Technological controls' },
53
+ { id: 'iso-a.8.16', controlCode: 'A.8.16', title: 'Monitoring activities', frameworkCode: 'iso27001', domain: 'Technological controls' },
54
+ { id: 'iso-a.8.20', controlCode: 'A.8.20', title: 'Networks security', frameworkCode: 'iso27001', domain: 'Technological controls' },
55
+ { id: 'iso-a.8.22', controlCode: 'A.8.22', title: 'Segregation of networks', frameworkCode: 'iso27001', domain: 'Technological controls' },
56
+ { id: 'iso-a.8.24', controlCode: 'A.8.24', title: 'Use of cryptography', frameworkCode: 'iso27001', domain: 'Technological controls' },
57
+ { id: 'iso-a.8.25', controlCode: 'A.8.25', title: 'Secure development life cycle', frameworkCode: 'iso27001', domain: 'Technological controls' },
58
+ { id: 'iso-a.8.28', controlCode: 'A.8.28', title: 'Secure coding', frameworkCode: 'iso27001', domain: 'Technological controls' },
59
+ { id: 'iso-a.8.29', controlCode: 'A.8.29', title: 'Security testing in development and acceptance', frameworkCode: 'iso27001', domain: 'Technological controls' },
60
+ { id: 'iso-a.8.32', controlCode: 'A.8.32', title: 'Change management', frameworkCode: 'iso27001', domain: 'Technological controls' },
61
+ { id: 'iso-a.9.1', controlCode: 'A.9.1', title: 'Supplier agreements', frameworkCode: 'iso27001', domain: 'Organizational controls' },
62
+ { id: 'iso-a.9.4', controlCode: 'A.9.4', title: 'Information security for use of cloud services', frameworkCode: 'iso27001', domain: 'Organizational controls' },
63
+ { id: 'iso-a.9.5', controlCode: 'A.9.5', title: 'Information security incident management planning and preparation', frameworkCode: 'iso27001', domain: 'Organizational controls' },
64
+ { id: 'iso-a.9.6', controlCode: 'A.9.6', title: 'Assessment and decision on information security events', frameworkCode: 'iso27001', domain: 'Organizational controls' },
65
+ { id: 'iso-a.9.7', controlCode: 'A.9.7', title: 'Response to information security incidents', frameworkCode: 'iso27001', domain: 'Organizational controls' },
66
+ { id: 'iso-a.9.8', controlCode: 'A.9.8', title: 'Learning from information security incidents', frameworkCode: 'iso27001', domain: 'Organizational controls' },
67
+ { id: 'iso-a.10.1', controlCode: 'A.10.1', title: 'Information security continuity', frameworkCode: 'iso27001', domain: 'Organizational controls' },
68
+ { id: 'iso-a.10.2', controlCode: 'A.10.2', title: 'Information security continuity planning', frameworkCode: 'iso27001', domain: 'Organizational controls' },
69
+ { id: 'iso-a.11.1', controlCode: 'A.11.1', title: 'Compliance with laws, regulations and contractual requirements', frameworkCode: 'iso27001', domain: 'Organizational controls' },
70
+ { id: 'iso-a.11.2', controlCode: 'A.11.2', title: 'Intellectual property rights', frameworkCode: 'iso27001', domain: 'Organizational controls' },
71
+ { id: 'iso-a.11.3', controlCode: 'A.11.3', title: 'Protection of records', frameworkCode: 'iso27001', domain: 'Organizational controls' },
72
+ { id: 'iso-a.11.4', controlCode: 'A.11.4', title: 'Privacy and protection of PII', frameworkCode: 'iso27001', domain: 'Organizational controls' },
73
+ ],
74
+ };
75
+ export const nistCsfExpandedPack = {
76
+ code: 'nist_csf',
77
+ name: 'NIST Cybersecurity Framework 2.0',
78
+ version: '2.0',
79
+ controls: [
80
+ { id: 'nist-gv.oc', controlCode: 'GV.OC', title: 'Organizational Context', frameworkCode: 'nist_csf', domain: 'Govern' },
81
+ { id: 'nist-gv.rm', controlCode: 'GV.RM', title: 'Risk Management Strategy', frameworkCode: 'nist_csf', domain: 'Govern' },
82
+ { id: 'nist-gv.rr', controlCode: 'GV.RR', title: 'Roles, Responsibilities, and Authorities', frameworkCode: 'nist_csf', domain: 'Govern' },
83
+ { id: 'nist-gv.po', controlCode: 'GV.PO', title: 'Policy', frameworkCode: 'nist_csf', domain: 'Govern' },
84
+ { id: 'nist-gv.om', controlCode: 'GV.OM', title: 'Oversight', frameworkCode: 'nist_csf', domain: 'Govern' },
85
+ { id: 'nist-gv.sc', controlCode: 'GV.SC', title: 'Cybersecurity Supply Chain Risk Management', frameworkCode: 'nist_csf', domain: 'Govern' },
86
+ { id: 'nist-id.am', controlCode: 'ID.AM', title: 'Asset Management', frameworkCode: 'nist_csf', domain: 'Identify' },
87
+ { id: 'nist-id.ra', controlCode: 'ID.RA', title: 'Risk Assessment', frameworkCode: 'nist_csf', domain: 'Identify' },
88
+ { id: 'nist-id.im', controlCode: 'ID.IM', title: 'Improvement', frameworkCode: 'nist_csf', domain: 'Identify' },
89
+ { id: 'nist-pr.ac', controlCode: 'PR.AC', title: 'Identity Management, Authentication and Access Control', frameworkCode: 'nist_csf', domain: 'Protect' },
90
+ { id: 'nist-pr.at', controlCode: 'PR.AT', title: 'Awareness and Training', frameworkCode: 'nist_csf', domain: 'Protect' },
91
+ { id: 'nist-pr.ds', controlCode: 'PR.DS', title: 'Data Security', frameworkCode: 'nist_csf', domain: 'Protect' },
92
+ { id: 'nist-pr.ps', controlCode: 'PR.PS', title: 'Platform Security', frameworkCode: 'nist_csf', domain: 'Protect' },
93
+ { id: 'nist-pr.ir', controlCode: 'PR.IR', title: 'Technology Infrastructure Resilience', frameworkCode: 'nist_csf', domain: 'Protect' },
94
+ { id: 'nist-de.cm', controlCode: 'DE.CM', title: 'Continuous Monitoring', frameworkCode: 'nist_csf', domain: 'Detect' },
95
+ { id: 'nist-de.ae', controlCode: 'DE.AE', title: 'Adverse Event Analysis', frameworkCode: 'nist_csf', domain: 'Detect' },
96
+ { id: 'nist-rs.co', controlCode: 'RS.CO', title: 'Incident Communications', frameworkCode: 'nist_csf', domain: 'Respond' },
97
+ { id: 'nist-rs.an', controlCode: 'RS.AN', title: 'Incident Analysis', frameworkCode: 'nist_csf', domain: 'Respond' },
98
+ { id: 'nist-rs.mi', controlCode: 'RS.MI', title: 'Incident Mitigation', frameworkCode: 'nist_csf', domain: 'Respond' },
99
+ { id: 'nist-rs.ma', controlCode: 'RS.MA', title: 'Incident Management', frameworkCode: 'nist_csf', domain: 'Respond' },
100
+ { id: 'nist-rc.rp', controlCode: 'RC.RP', title: 'Incident Recovery Plan Execution', frameworkCode: 'nist_csf', domain: 'Recover' },
101
+ { id: 'nist-rc.im', controlCode: 'RC.IM', title: 'Incident Recovery Communication', frameworkCode: 'nist_csf', domain: 'Recover' },
102
+ ],
103
+ };
104
+ export const soc2ExpandedPack = {
105
+ code: 'soc2',
106
+ name: 'SOC 2 Type II Trust Services',
107
+ version: '2017',
108
+ controls: [
109
+ { id: 'soc2-cc1.1', controlCode: 'CC1.1', title: 'COSO Principle 1: Demonstrates commitment to integrity and ethical values', frameworkCode: 'soc2', domain: 'Control Environment' },
110
+ { id: 'soc2-cc1.2', controlCode: 'CC1.2', title: 'Board exercises oversight responsibility', frameworkCode: 'soc2', domain: 'Control Environment' },
111
+ { id: 'soc2-cc1.3', controlCode: 'CC1.3', title: 'Management establishes structures, reporting lines, and authority', frameworkCode: 'soc2', domain: 'Control Environment' },
112
+ { id: 'soc2-cc1.4', controlCode: 'CC1.4', title: 'Demonstrates commitment to competence', frameworkCode: 'soc2', domain: 'Control Environment' },
113
+ { id: 'soc2-cc1.5', controlCode: 'CC1.5', title: 'Enforces accountability', frameworkCode: 'soc2', domain: 'Control Environment' },
114
+ { id: 'soc2-cc2.1', controlCode: 'CC2.1', title: 'Internal communication of objectives', frameworkCode: 'soc2', domain: 'Communication and Information' },
115
+ { id: 'soc2-cc2.2', controlCode: 'CC2.2', title: 'External communication of objectives', frameworkCode: 'soc2', domain: 'Communication and Information' },
116
+ { id: 'soc2-cc3.1', controlCode: 'CC3.1', title: 'Identifies and selects risk assessment process', frameworkCode: 'soc2', domain: 'Risk Assessment' },
117
+ { id: 'soc2-cc3.2', controlCode: 'CC3.2', title: 'Assesses and analyzes risk', frameworkCode: 'soc2', domain: 'Risk Assessment' },
118
+ { id: 'soc2-cc3.3', controlCode: 'CC3.3', title: 'Assesses fraud risk', frameworkCode: 'soc2', domain: 'Risk Assessment' },
119
+ { id: 'soc2-cc4.1', controlCode: 'CC4.1', title: 'Selects and develops control activities', frameworkCode: 'soc2', domain: 'Monitoring Activities' },
120
+ { id: 'soc2-cc5.1', controlCode: 'CC5.1', title: 'Selects and develops general controls over technology', frameworkCode: 'soc2', domain: 'Control Activities' },
121
+ { id: 'soc2-cc6.1', controlCode: 'CC6.1', title: 'Logical access security software, infrastructure, and architectures', frameworkCode: 'soc2', domain: 'Logical and Physical Access' },
122
+ { id: 'soc2-cc6.2', controlCode: 'CC6.2', title: 'Before new system components are placed into production', frameworkCode: 'soc2', domain: 'Logical and Physical Access' },
123
+ { id: 'soc2-cc6.3', controlCode: 'CC6.3', title: 'Restricts logical access', frameworkCode: 'soc2', domain: 'Logical and Physical Access' },
124
+ { id: 'soc2-cc6.4', controlCode: 'CC6.4', title: 'Restricts physical access', frameworkCode: 'soc2', domain: 'Logical and Physical Access' },
125
+ { id: 'soc2-cc6.5', controlCode: 'CC6.5', title: 'Restricts transmission, movement, and removal of information', frameworkCode: 'soc2', domain: 'Logical and Physical Access' },
126
+ { id: 'soc2-cc6.6', controlCode: 'CC6.6', title: 'Logical access security measures', frameworkCode: 'soc2', domain: 'Logical and Physical Access' },
127
+ { id: 'soc2-cc7.1', controlCode: 'CC7.1', title: 'Detection and monitoring procedures', frameworkCode: 'soc2', domain: 'System Operations' },
128
+ { id: 'soc2-cc7.2', controlCode: 'CC7.2', title: 'Monitors system components and the operation for anomalies', frameworkCode: 'soc2', domain: 'System Operations' },
129
+ { id: 'soc2-cc7.3', controlCode: 'CC7.3', title: 'Evaluates and communicates security events', frameworkCode: 'soc2', domain: 'System Operations' },
130
+ { id: 'soc2-cc7.4', controlCode: 'CC7.4', title: 'Responds to identified security incidents', frameworkCode: 'soc2', domain: 'System Operations' },
131
+ { id: 'soc2-cc8.1', controlCode: 'CC8.1', title: 'Manages changes to infrastructure, data, software, and procedures', frameworkCode: 'soc2', domain: 'Change Management' },
132
+ { id: 'soc2-a1.1', controlCode: 'A1.1', title: 'Maintains, monitors, and analyzes compute capacity', frameworkCode: 'soc2', domain: 'Availability' },
133
+ { id: 'soc2-c1.1', controlCode: 'C1.1', title: 'Identifies and maintains confidential information', frameworkCode: 'soc2', domain: 'Confidentiality' },
134
+ { id: 'soc2-c1.2', controlCode: 'C1.2', title: 'Disposes of confidential information', frameworkCode: 'soc2', domain: 'Confidentiality' },
135
+ { id: 'soc2-p1.1', controlCode: 'P1.1', title: 'Provides notice of privacy information and purposes', frameworkCode: 'soc2', domain: 'Privacy' },
136
+ { id: 'soc2-p2.1', controlCode: 'P2.1', title: 'Provides notice of the choice and consent for collection, use, and disclosure', frameworkCode: 'soc2', domain: 'Privacy' },
137
+ { id: 'soc2-p3.1', controlCode: 'P3.1', title: 'Collects personal information only as needed for specified purposes', frameworkCode: 'soc2', domain: 'Privacy' },
138
+ { id: 'soc2-p4.1', controlCode: 'P4.1', title: 'Limits use of personal information to specified purposes', frameworkCode: 'soc2', domain: 'Privacy' },
139
+ { id: 'soc2-p5.1', controlCode: 'P5.1', title: 'Retention of personal information is limited to specified periods', frameworkCode: 'soc2', domain: 'Privacy' },
140
+ ],
141
+ };
142
+ export const iso42001ExpandedPack = {
143
+ code: 'iso42001',
144
+ name: 'ISO/IEC 42001 AI Management System',
145
+ version: '2023',
146
+ controls: [
147
+ { id: 'aims-a.2.1', controlCode: 'A.2.1', title: 'AI policy', frameworkCode: 'iso42001', domain: 'Policies' },
148
+ { id: 'aims-a.2.2', controlCode: 'A.2.2', title: 'AI objectives and planning to achieve them', frameworkCode: 'iso42001', domain: 'Policies' },
149
+ { id: 'aims-a.3.1', controlCode: 'A.3.1', title: 'Roles, responsibilities and authorities', frameworkCode: 'iso42001', domain: 'Organization' },
150
+ { id: 'aims-a.4.1', controlCode: 'A.4.1', title: 'Resources', frameworkCode: 'iso42001', domain: 'Support' },
151
+ { id: 'aims-a.5.1', controlCode: 'A.5.1', title: 'Competence', frameworkCode: 'iso42001', domain: 'Support' },
152
+ { id: 'aims-a.6.1', controlCode: 'A.6.1', title: 'Awareness', frameworkCode: 'iso42001', domain: 'Support' },
153
+ { id: 'aims-a.7.1', controlCode: 'A.7.1', title: 'Communication', frameworkCode: 'iso42001', domain: 'Support' },
154
+ { id: 'aims-a.8.1', controlCode: 'A.8.1', title: 'Documented information', frameworkCode: 'iso42001', domain: 'Support' },
155
+ { id: 'aims-a.9.1', controlCode: 'A.9.1', title: 'Third-party AI services and suppliers', frameworkCode: 'iso42001', domain: 'Third-party' },
156
+ { id: 'aims-a.10.1', controlCode: 'A.10.1', title: 'Monitoring and measurement of AI systems', frameworkCode: 'iso42001', domain: 'Performance evaluation' },
157
+ { id: 'aims-a.11.1', controlCode: 'A.11.1', title: 'Internal audit', frameworkCode: 'iso42001', domain: 'Performance evaluation' },
158
+ { id: 'aims-a.12.1', controlCode: 'A.12.1', title: 'AI system security - gateway access', frameworkCode: 'iso42001', domain: 'Security' },
159
+ { id: 'aims-a.12.2', controlCode: 'A.12.2', title: 'AI system security - tool mediation', frameworkCode: 'iso42001', domain: 'Security' },
160
+ { id: 'aims-a.12.3', controlCode: 'A.12.3', title: 'Human oversight of agent tools', frameworkCode: 'iso42001', domain: 'Security' },
161
+ { id: 'aims-a.13.1', controlCode: 'A.13.1', title: 'Nonconformity and corrective action', frameworkCode: 'iso42001', domain: 'Improvement' },
162
+ { id: 'aims-a.14.1', controlCode: 'A.14.1', title: 'Safety - destructive action approval', frameworkCode: 'iso42001', domain: 'Safety' },
163
+ { id: 'aims-a.15.1', controlCode: 'A.15.1', title: 'AI risk assessment', frameworkCode: 'iso42001', domain: 'Risk management' },
164
+ { id: 'aims-a.16.1', controlCode: 'A.16.1', title: 'AI system impact assessment', frameworkCode: 'iso42001', domain: 'Risk management' },
165
+ ],
166
+ };
167
+ export const gdprPack = {
168
+ code: 'gdpr',
169
+ name: 'GDPR - General Data Protection Regulation',
170
+ version: '2016/679',
171
+ controls: [
172
+ { id: 'gdpr-art.5', controlCode: 'Art.5', title: 'Principles relating to processing of personal data', frameworkCode: 'gdpr', domain: 'Principles' },
173
+ { id: 'gdpr-art.6', controlCode: 'Art.6', title: 'Lawfulness of processing', frameworkCode: 'gdpr', domain: 'Principles' },
174
+ { id: 'gdpr-art.7', controlCode: 'Art.7', title: 'Conditions for consent', frameworkCode: 'gdpr', domain: 'Principles' },
175
+ { id: 'gdpr-art.9', controlCode: 'Art.9', title: 'Processing of special categories of personal data', frameworkCode: 'gdpr', domain: 'Principles' },
176
+ { id: 'gdpr-art.12', controlCode: 'Art.12', title: 'Transparent information, communication and modalities for exercise of rights', frameworkCode: 'gdpr', domain: 'Data subject rights' },
177
+ { id: 'gdpr-art.13', controlCode: 'Art.13', title: 'Information to be provided where personal data are collected from data subject', frameworkCode: 'gdpr', domain: 'Data subject rights' },
178
+ { id: 'gdpr-art.15', controlCode: 'Art.15', title: 'Right of access by the data subject', frameworkCode: 'gdpr', domain: 'Data subject rights' },
179
+ { id: 'gdpr-art.17', controlCode: 'Art.17', title: 'Right to erasure (right to be forgotten)', frameworkCode: 'gdpr', domain: 'Data subject rights' },
180
+ { id: 'gdpr-art.20', controlCode: 'Art.20', title: 'Right to data portability', frameworkCode: 'gdpr', domain: 'Data subject rights' },
181
+ { id: 'gdpr-art.21', controlCode: 'Art.21', title: 'Right to object', frameworkCode: 'gdpr', domain: 'Data subject rights' },
182
+ { id: 'gdpr-art.22', controlCode: 'Art.22', title: 'Automated individual decision-making, including profiling', frameworkCode: 'gdpr', domain: 'Data subject rights' },
183
+ { id: 'gdpr-art.25', controlCode: 'Art.25', title: 'Data protection by design and by default', frameworkCode: 'gdpr', domain: 'Controller and processor' },
184
+ { id: 'gdpr-art.28', controlCode: 'Art.28', title: 'Processor', frameworkCode: 'gdpr', domain: 'Controller and processor' },
185
+ { id: 'gdpr-art.30', controlCode: 'Art.30', title: 'Records of processing activities', frameworkCode: 'gdpr', domain: 'Controller and processor' },
186
+ { id: 'gdpr-art.32', controlCode: 'Art.32', title: 'Security of processing', frameworkCode: 'gdpr', domain: 'Security' },
187
+ { id: 'gdpr-art.33', controlCode: 'Art.33', title: 'Notification of a personal data breach to the supervisory authority', frameworkCode: 'gdpr', domain: 'Breach notification' },
188
+ { id: 'gdpr-art.34', controlCode: 'Art.34', title: 'Communication of a personal data breach to the data subject', frameworkCode: 'gdpr', domain: 'Breach notification' },
189
+ { id: 'gdpr-art.35', controlCode: 'Art.35', title: 'Data protection impact assessment', frameworkCode: 'gdpr', domain: 'DPIA' },
190
+ { id: 'gdpr-art.37', controlCode: 'Art.37', title: 'Designation of data protection officer', frameworkCode: 'gdpr', domain: 'DPO' },
191
+ { id: 'gdpr-art.44', controlCode: 'Art.44', title: 'General principle for transfers to third countries', frameworkCode: 'gdpr', domain: 'International transfers' },
192
+ ],
193
+ };
194
+ export const hipaaPack = {
195
+ code: 'hipaa',
196
+ name: 'HIPAA - Health Insurance Portability and Accountability Act',
197
+ version: '2013',
198
+ controls: [
199
+ { id: 'hipaa-164.308a1', controlCode: '164.308(a)(1)', title: 'Security Management Process', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
200
+ { id: 'hipaa-164.308a1i', controlCode: '164.308(a)(1)(i)', title: 'Risk Analysis', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
201
+ { id: 'hipaa-164.308a1ii', controlCode: '164.308(a)(1)(ii)', title: 'Risk Management', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
202
+ { id: 'hipaa-164.308a3', controlCode: '164.308(a)(3)', title: 'Workforce Security', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
203
+ { id: 'hipaa-164.308a4', controlCode: '164.308(a)(4)', title: 'Information Access Management', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
204
+ { id: 'hipaa-164.308a5', controlCode: '164.308(a)(5)', title: 'Security Awareness and Training', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
205
+ { id: 'hipaa-164.308a6', controlCode: '164.308(a)(6)', title: 'Security Incident Procedures', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
206
+ { id: 'hipaa-164.308a7', controlCode: '164.308(a)(7)', title: 'Contingency Plan', frameworkCode: 'hipaa', domain: 'Administrative Safeguards' },
207
+ { id: 'hipaa-164.310a1', controlCode: '164.310(a)(1)', title: 'Facility Access Controls', frameworkCode: 'hipaa', domain: 'Physical Safeguards' },
208
+ { id: 'hipaa-164.310b', controlCode: '164.310(b)', title: 'Workstation Use', frameworkCode: 'hipaa', domain: 'Physical Safeguards' },
209
+ { id: 'hipaa-164.310c', controlCode: '164.310(c)', title: 'Workstation Security', frameworkCode: 'hipaa', domain: 'Physical Safeguards' },
210
+ { id: 'hipaa-164.310d', controlCode: '164.310(d)', title: 'Device and Media Controls', frameworkCode: 'hipaa', domain: 'Physical Safeguards' },
211
+ { id: 'hipaa-164.312a1', controlCode: '164.312(a)(1)', title: 'Access Control', frameworkCode: 'hipaa', domain: 'Technical Safeguards' },
212
+ { id: 'hipaa-164.312b', controlCode: '164.312(b)', title: 'Audit Controls', frameworkCode: 'hipaa', domain: 'Technical Safeguards' },
213
+ { id: 'hipaa-164.312c', controlCode: '164.312(c)', title: 'Integrity', frameworkCode: 'hipaa', domain: 'Technical Safeguards' },
214
+ { id: 'hipaa-164.312d', controlCode: '164.312(d)', title: 'Person or Entity Authentication', frameworkCode: 'hipaa', domain: 'Technical Safeguards' },
215
+ { id: 'hipaa-164.312e', controlCode: '164.312(e)', title: 'Transmission Security', frameworkCode: 'hipaa', domain: 'Technical Safeguards' },
216
+ { id: 'hipaa-164.314a', controlCode: '164.314(a)', title: 'Business Associate Contracts', frameworkCode: 'hipaa', domain: 'Organizational Requirements' },
217
+ { id: 'hipaa-164.316', controlCode: '164.316', title: 'Policies and Procedures and Documentation Requirements', frameworkCode: 'hipaa', domain: 'Organizational Requirements' },
218
+ ],
219
+ };
220
+ export const pciDssPack = {
221
+ code: 'pci_dss',
222
+ name: 'PCI DSS 4.0 - Payment Card Industry Data Security Standard',
223
+ version: '4.0',
224
+ controls: [
225
+ { id: 'pci-1.1', controlCode: '1.1', title: 'Processes and mechanisms for identifying and classifying cardholder data', frameworkCode: 'pci_dss', domain: 'Build and Maintain a Secure Network and Systems' },
226
+ { id: 'pci-1.2', controlCode: '1.2', title: 'Network security controls are configured and maintained', frameworkCode: 'pci_dss', domain: 'Build and Maintain a Secure Network and Systems' },
227
+ { id: 'pci-1.3', controlCode: '1.3', title: 'Network access to the cardholder data environment is restricted', frameworkCode: 'pci_dss', domain: 'Build and Maintain a Secure Network and Systems' },
228
+ { id: 'pci-1.4', controlCode: '1.4', title: 'Network connections between trusted and untrusted networks are controlled', frameworkCode: 'pci_dss', domain: 'Build and Maintain a Secure Network and Systems' },
229
+ { id: 'pci-2.1', controlCode: '2.1', title: 'Default accounts are not present on system components', frameworkCode: 'pci_dss', domain: 'Build and Maintain a Secure Network and Systems' },
230
+ { id: 'pci-2.2', controlCode: '2.2', title: 'System components are configured securely', frameworkCode: 'pci_dss', domain: 'Build and Maintain a Secure Network and Systems' },
231
+ { id: 'pci-3.1', controlCode: '3.1', title: 'Processes and mechanisms for protecting stored account data', frameworkCode: 'pci_dss', domain: 'Protect Stored Account Data' },
232
+ { id: 'pci-3.2', controlCode: '3.2', title: 'Sensitive authentication data (SAD) is not stored after authorization', frameworkCode: 'pci_dss', domain: 'Protect Stored Account Data' },
233
+ { id: 'pci-3.3', controlCode: '3.3', title: 'Primary account numbers are masked when displayed', frameworkCode: 'pci_dss', domain: 'Protect Stored Account Data' },
234
+ { id: 'pci-3.4', controlCode: '3.4', title: 'Primary account numbers are rendered unreadable anywhere they are stored', frameworkCode: 'pci_dss', domain: 'Protect Stored Account Data' },
235
+ { id: 'pci-3.5', controlCode: '3.5', title: 'Cryptographic keys used to protect stored account data are secured', frameworkCode: 'pci_dss', domain: 'Protect Stored Account Data' },
236
+ { id: 'pci-4.1', controlCode: '4.1', title: 'Protecting cardholder data during transmission over open networks', frameworkCode: 'pci_dss', domain: 'Protect Cardholder Data with Strong Cryptography During Transmission' },
237
+ { id: 'pci-5.1', controlCode: '5.1', title: 'Protecting all systems and networks from malicious software', frameworkCode: 'pci_dss', domain: 'Protect All Systems and Networks from Malicious Software' },
238
+ { id: 'pci-5.2', controlCode: '5.2', title: 'Anti-malware technologies are deployed and maintained', frameworkCode: 'pci_dss', domain: 'Protect All Systems and Networks from Malicious Software' },
239
+ { id: 'pci-6.1', controlCode: '6.1', title: 'Identifying and managing security vulnerabilities', frameworkCode: 'pci_dss', domain: 'Develop and Maintain Secure Systems and Software' },
240
+ { id: 'pci-6.2', controlCode: '6.2', title: 'Security patches/updates are installed', frameworkCode: 'pci_dss', domain: 'Develop and Maintain Secure Systems and Software' },
241
+ { id: 'pci-6.4', controlCode: '6.4', title: 'Public-facing web applications are protected against attacks', frameworkCode: 'pci_dss', domain: 'Develop and Maintain Secure Systems and Software' },
242
+ { id: 'pci-7.1', controlCode: '7.1', title: 'Restricting access to system components and cardholder data', frameworkCode: 'pci_dss', domain: 'Restrict Access to System Components and Cardholder Data' },
243
+ { id: 'pci-7.2', controlCode: '7.2', title: 'Access to system components and cardholder data is limited to authorized individuals', frameworkCode: 'pci_dss', domain: 'Restrict Access to System Components and Cardholder Data' },
244
+ { id: 'pci-8.1', controlCode: '8.1', title: 'Identifying users and authenticating access to system components', frameworkCode: 'pci_dss', domain: 'Identify Users and Authenticate Access to System Components' },
245
+ { id: 'pci-8.2', controlCode: '8.2', title: 'User identification and access authentication are managed', frameworkCode: 'pci_dss', domain: 'Identify Users and Authenticate Access to System Components' },
246
+ { id: 'pci-8.3', controlCode: '8.3', title: 'User identification and access authentication mechanisms are managed', frameworkCode: 'pci_dss', domain: 'Identify Users and Authenticate Access to System Components' },
247
+ { id: 'pci-9.1', controlCode: '9.1', title: 'Restricting physical access to cardholder data', frameworkCode: 'pci_dss', domain: 'Restrict Physical Access to Cardholder Data' },
248
+ { id: 'pci-10.1', controlCode: '10.1', title: 'Logging and monitoring all access to system components and cardholder data', frameworkCode: 'pci_dss', domain: 'Log and Monitor All Access' },
249
+ { id: 'pci-10.2', controlCode: '10.2', title: 'Audit logs are implemented', frameworkCode: 'pci_dss', domain: 'Log and Monitor All Access' },
250
+ { id: 'pci-10.3', controlCode: '10.3', title: 'Audit logs are protected', frameworkCode: 'pci_dss', domain: 'Log and Monitor All Access' },
251
+ { id: 'pci-10.4', controlCode: '10.4', title: 'Audit logs are reviewed', frameworkCode: 'pci_dss', domain: 'Log and Monitor All Access' },
252
+ { id: 'pci-11.1', controlCode: '11.1', title: 'Testing security of systems and networks', frameworkCode: 'pci_dss', domain: 'Test Security of Systems and Networks Regularly' },
253
+ { id: 'pci-11.2', controlCode: '11.2', title: 'Internal vulnerability scans are performed', frameworkCode: 'pci_dss', domain: 'Test Security of Systems and Networks Regularly' },
254
+ { id: 'pci-11.4', controlCode: '11.4', title: 'Internal penetration testing is performed', frameworkCode: 'pci_dss', domain: 'Test Security of Systems and Networks Regularly' },
255
+ { id: 'pci-12.1', controlCode: '12.1', title: 'Defining and understanding security policies', frameworkCode: 'pci_dss', domain: 'Support Information Security with Organizational Policies and Programs' },
256
+ ],
257
+ };
258
+ export const fedrampPack = {
259
+ code: 'fedramp',
260
+ name: 'FedRAMP - Federal Risk and Authorization Management Program',
261
+ version: '5.0',
262
+ controls: [
263
+ { id: 'fedramp-ac-1', controlCode: 'AC-1', title: 'Access Control Policy and Procedures', frameworkCode: 'fedramp', domain: 'Access Control' },
264
+ { id: 'fedramp-ac-2', controlCode: 'AC-2', title: 'Account Management', frameworkCode: 'fedramp', domain: 'Access Control' },
265
+ { id: 'fedramp-ac-3', controlCode: 'AC-3', title: 'Access Enforcement', frameworkCode: 'fedramp', domain: 'Access Control' },
266
+ { id: 'fedramp-ac-6', controlCode: 'AC-6', title: 'Least Privilege', frameworkCode: 'fedramp', domain: 'Access Control' },
267
+ { id: 'fedramp-ac-7', controlCode: 'AC-7', title: 'Unsuccessful Logon Attempts', frameworkCode: 'fedramp', domain: 'Access Control' },
268
+ { id: 'fedramp-ac-17', controlCode: 'AC-17', title: 'Remote Access', frameworkCode: 'fedramp', domain: 'Access Control' },
269
+ { id: 'fedramp-at-2', controlCode: 'AT-2', title: 'Literacy Training and Awareness', frameworkCode: 'fedramp', domain: 'Awareness and Training' },
270
+ { id: 'fedramp-au-2', controlCode: 'AU-2', title: 'Event Logging', frameworkCode: 'fedramp', domain: 'Audit and Accountability' },
271
+ { id: 'fedramp-au-3', controlCode: 'AU-3', title: 'Content of Audit Records', frameworkCode: 'fedramp', domain: 'Audit and Accountability' },
272
+ { id: 'fedramp-au-6', controlCode: 'AU-6', title: 'Audit Record Review, Analysis, and Reporting', frameworkCode: 'fedramp', domain: 'Audit and Accountability' },
273
+ { id: 'fedramp-ca-2', controlCode: 'CA-2', title: 'Control Assessments', frameworkCode: 'fedramp', domain: 'Security Assessment and Authorization' },
274
+ { id: 'fedramp-ca-7', controlCode: 'CA-7', title: 'Continuous Monitoring', frameworkCode: 'fedramp', domain: 'Security Assessment and Authorization' },
275
+ { id: 'fedramp-cm-2', controlCode: 'CM-2', title: 'Baseline Configuration', frameworkCode: 'fedramp', domain: 'Configuration Management' },
276
+ { id: 'fedramp-cm-3', controlCode: 'CM-3', title: 'Configuration Change Control', frameworkCode: 'fedramp', domain: 'Configuration Management' },
277
+ { id: 'fedramp-ia-2', controlCode: 'IA-2', title: 'Identification and Authentication (Organizational Users)', frameworkCode: 'fedramp', domain: 'Identification and Authentication' },
278
+ { id: 'fedramp-ir-4', controlCode: 'IR-4', title: 'Incident Handling', frameworkCode: 'fedramp', domain: 'Incident Response' },
279
+ { id: 'fedramp-ra-3', controlCode: 'RA-3', title: 'Risk Determination', frameworkCode: 'fedramp', domain: 'Risk Assessment' },
280
+ { id: 'fedramp-sc-7', controlCode: 'SC-7', title: 'Boundary Protection', frameworkCode: 'fedramp', domain: 'System and Communications Protection' },
281
+ { id: 'fedramp-si-2', controlCode: 'SI-2', title: 'Flaw Remediation', frameworkCode: 'fedramp', domain: 'System and Information Integrity' },
282
+ { id: 'fedramp-si-4', controlCode: 'SI-4', title: 'System Monitoring', frameworkCode: 'fedramp', domain: 'System and Information Integrity' },
283
+ ],
284
+ };
285
+ export const cmmcPack = {
286
+ code: 'cmmc',
287
+ name: 'CMMC 2.0 - Cybersecurity Maturity Model Certification',
288
+ version: '2.0',
289
+ controls: [
290
+ { id: 'cmmc-ac-l1', controlCode: 'AC.L1-3.1.1', title: 'Authorized Access Control', frameworkCode: 'cmmc', domain: 'Access Control' },
291
+ { id: 'cmmc-ac-l2', controlCode: 'AC.L2-3.1.2', title: 'Nonpublic Process Control', frameworkCode: 'cmmc', domain: 'Access Control' },
292
+ { id: 'cmmc-ac-l3', controlCode: 'AC.L2-3.1.3', title: 'Role-Based Access Control', frameworkCode: 'cmmc', domain: 'Access Control' },
293
+ { id: 'cmmc-ac-l5', controlCode: 'AC.L2-3.1.5', title: 'Least Privilege', frameworkCode: 'cmmc', domain: 'Access Control' },
294
+ { id: 'cmmc-ac-l6', controlCode: 'AC.L2-3.1.6', title: 'Non-Privileged Access for Privileged Functions', frameworkCode: 'cmmc', domain: 'Access Control' },
295
+ { id: 'cmmc-ac-l7', controlCode: 'AC.L2-3.1.7', title: 'Unsuccessful Logon Attempts', frameworkCode: 'cmmc', domain: 'Access Control' },
296
+ { id: 'cmmc-ac-l8', controlCode: 'AC.L2-3.1.8', title: 'Session Lock', frameworkCode: 'cmmc', domain: 'Access Control' },
297
+ { id: 'cmmc-ac-l9', controlCode: 'AC.L2-3.1.9', title: 'Session Termination', frameworkCode: 'cmmc', domain: 'Access Control' },
298
+ { id: 'cmmc-am-l1', controlCode: 'AM.L1-3.1.1', title: 'Asset Inventory', frameworkCode: 'cmmc', domain: 'Asset Management' },
299
+ { id: 'cmmc-au-l1', controlCode: 'AU.L1-3.1.1', title: 'Audit Log Retention', frameworkCode: 'cmmc', domain: 'Audit and Accountability' },
300
+ { id: 'cmmc-au-l2', controlCode: 'AU.L2-3.1.2', title: 'Audit Log Review', frameworkCode: 'cmmc', domain: 'Audit and Accountability' },
301
+ { id: 'cmmc-ca-l1', controlCode: 'CA.L1-3.1.1', title: 'Baseline Configuration', frameworkCode: 'cmmc', domain: 'Configuration Management' },
302
+ { id: 'cmmc-ca-l2', controlCode: 'CA.L2-3.1.2', title: 'Change Control', frameworkCode: 'cmmc', domain: 'Configuration Management' },
303
+ { id: 'cmmc-ia-l1', controlCode: 'IA.L1-3.1.1', title: 'Identification Policy', frameworkCode: 'cmmc', domain: 'Identification and Authentication' },
304
+ { id: 'cmmc-ia-l2', controlCode: 'IA.L2-3.1.2', title: 'Identification and Authentication', frameworkCode: 'cmmc', domain: 'Identification and Authentication' },
305
+ { id: 'cmmc-ir-l1', controlCode: 'IR.L1-3.1.1', title: 'Incident Response Policy', frameworkCode: 'cmmc', domain: 'Incident Response' },
306
+ { id: 'cmmc-sc-l1', controlCode: 'SC.L1-3.1.1', title: 'Boundary Protection', frameworkCode: 'cmmc', domain: 'System and Communications Protection' },
307
+ { id: 'cmmc-sc-l2', controlCode: 'SC.L2-3.1.2', title: 'Information at Rest', frameworkCode: 'cmmc', domain: 'System and Communications Protection' },
308
+ ],
309
+ };
310
+ export const nist80053Pack = {
311
+ code: 'nist_800_53',
312
+ name: 'NIST SP 800-53 Rev 5 - Security and Privacy Controls',
313
+ version: 'Rev 5',
314
+ controls: [
315
+ { id: 'nist53-ac-1', controlCode: 'AC-1', title: 'Access Control Policy and Procedures', frameworkCode: 'nist_800_53', domain: 'Access Control' },
316
+ { id: 'nist53-ac-2', controlCode: 'AC-2', title: 'Account Management', frameworkCode: 'nist_800_53', domain: 'Access Control' },
317
+ { id: 'nist53-ac-3', controlCode: 'AC-3', title: 'Access Enforcement', frameworkCode: 'nist_800_53', domain: 'Access Control' },
318
+ { id: 'nist53-ac-5', controlCode: 'AC-5', title: 'Separation of Duties', frameworkCode: 'nist_800_53', domain: 'Access Control' },
319
+ { id: 'nist53-ac-6', controlCode: 'AC-6', title: 'Least Privilege', frameworkCode: 'nist_800_53', domain: 'Access Control' },
320
+ { id: 'nist53-ac-7', controlCode: 'AC-7', title: 'Unsuccessful Logon Attempts', frameworkCode: 'nist_800_53', domain: 'Access Control' },
321
+ { id: 'nist53-ac-17', controlCode: 'AC-17', title: 'Remote Access', frameworkCode: 'nist_800_53', domain: 'Access Control' },
322
+ { id: 'nist53-at-2', controlCode: 'AT-2', title: 'Literacy Training and Awareness', frameworkCode: 'nist_800_53', domain: 'Awareness and Training' },
323
+ { id: 'nist53-at-3', controlCode: 'AT-3', title: 'Role-Based Training', frameworkCode: 'nist_800_53', domain: 'Awareness and Training' },
324
+ { id: 'nist53-au-2', controlCode: 'AU-2', title: 'Event Logging', frameworkCode: 'nist_800_53', domain: 'Audit and Accountability' },
325
+ { id: 'nist53-au-3', controlCode: 'AU-3', title: 'Content of Audit Records', frameworkCode: 'nist_800_53', domain: 'Audit and Accountability' },
326
+ { id: 'nist53-au-6', controlCode: 'AU-6', title: 'Audit Record Review, Analysis, and Reporting', frameworkCode: 'nist_800_53', domain: 'Audit and Accountability' },
327
+ { id: 'nist53-ca-2', controlCode: 'CA-2', title: 'Control Assessments', frameworkCode: 'nist_800_53', domain: 'Security Assessment and Authorization' },
328
+ { id: 'nist53-ca-7', controlCode: 'CA-7', title: 'Continuous Monitoring', frameworkCode: 'nist_800_53', domain: 'Security Assessment and Authorization' },
329
+ { id: 'nist53-cm-2', controlCode: 'CM-2', title: 'Baseline Configuration', frameworkCode: 'nist_800_53', domain: 'Configuration Management' },
330
+ { id: 'nist53-cm-3', controlCode: 'CM-3', title: 'Configuration Change Control', frameworkCode: 'nist_800_53', domain: 'Configuration Management' },
331
+ { id: 'nist53-cm-8', controlCode: 'CM-8', title: 'System Component Inventory', frameworkCode: 'nist_800_53', domain: 'Configuration Management' },
332
+ { id: 'nist53-ia-2', controlCode: 'IA-2', title: 'Identification and Authentication (Organizational Users)', frameworkCode: 'nist_800_53', domain: 'Identification and Authentication' },
333
+ { id: 'nist53-ia-5', controlCode: 'IA-5', title: 'Authenticator Management', frameworkCode: 'nist_800_53', domain: 'Identification and Authentication' },
334
+ { id: 'nist53-ir-4', controlCode: 'IR-4', title: 'Incident Handling', frameworkCode: 'nist_800_53', domain: 'Incident Response' },
335
+ { id: 'nist53-ir-5', controlCode: 'IR-5', title: 'Incident Monitoring', frameworkCode: 'nist_800_53', domain: 'Incident Response' },
336
+ { id: 'nist53-ra-3', controlCode: 'RA-3', title: 'Risk Assessment', frameworkCode: 'nist_800_53', domain: 'Risk Assessment' },
337
+ { id: 'nist53-ra-5', controlCode: 'RA-5', title: 'Vulnerability Monitoring and Scanning', frameworkCode: 'nist_800_53', domain: 'Risk Assessment' },
338
+ { id: 'nist53-sc-7', controlCode: 'SC-7', title: 'Boundary Protection', frameworkCode: 'nist_800_53', domain: 'System and Communications Protection' },
339
+ { id: 'nist53-sc-8', controlCode: 'SC-8', title: 'Transmission Confidentiality and Integrity', frameworkCode: 'nist_800_53', domain: 'System and Communications Protection' },
340
+ { id: 'nist53-sc-13', controlCode: 'SC-13', title: 'Cryptographic Protection', frameworkCode: 'nist_800_53', domain: 'System and Communications Protection' },
341
+ { id: 'nist53-si-2', controlCode: 'SI-2', title: 'Flaw Remediation', frameworkCode: 'nist_800_53', domain: 'System and Information Integrity' },
342
+ { id: 'nist53-si-3', controlCode: 'SI-3', title: 'Malicious Code Protection', frameworkCode: 'nist_800_53', domain: 'System and Information Integrity' },
343
+ { id: 'nist53-si-4', controlCode: 'SI-4', title: 'System Monitoring', frameworkCode: 'nist_800_53', domain: 'System and Information Integrity' },
344
+ ],
345
+ };
346
+ export const nist800171Pack = {
347
+ code: 'nist_800_171',
348
+ name: 'NIST SP 800-171 Rev 3 - Protecting Controlled Unclassified Information',
349
+ version: 'Rev 3',
350
+ controls: [
351
+ { id: 'cui-3.1.1', controlCode: '3.1.1', title: 'Limit system access to authorized users', frameworkCode: 'nist_800_171', domain: 'Access Control' },
352
+ { id: 'cui-3.1.2', controlCode: '3.1.2', title: 'Limit system access to authorized processes', frameworkCode: 'nist_800_171', domain: 'Access Control' },
353
+ { id: 'cui-3.1.3', controlCode: '3.1.3', title: 'Control and manage user access', frameworkCode: 'nist_800_171', domain: 'Access Control' },
354
+ { id: 'cui-3.1.4', controlCode: '3.1.4', title: 'Separate duties of individuals', frameworkCode: 'nist_800_171', domain: 'Access Control' },
355
+ { id: 'cui-3.1.5', controlCode: '3.1.5', title: 'Employ least privilege for access', frameworkCode: 'nist_800_171', domain: 'Access Control' },
356
+ { id: 'cui-3.1.8', controlCode: '3.1.8', title: 'Limit unsuccessful logon attempts', frameworkCode: 'nist_800_171', domain: 'Access Control' },
357
+ { id: 'cui-3.1.10', controlCode: '3.1.10', title: 'Use session lock and session timer', frameworkCode: 'nist_800_171', domain: 'Access Control' },
358
+ { id: 'cui-3.1.11', controlCode: '3.1.11', title: 'Control remote access sessions', frameworkCode: 'nist_800_171', domain: 'Access Control' },
359
+ { id: 'cui-3.1.12', controlCode: '3.1.12', title: 'Control wireless access', frameworkCode: 'nist_800_171', domain: 'Access Control' },
360
+ { id: 'cui-3.1.13', controlCode: '3.1.13', title: 'Control mobile devices', frameworkCode: 'nist_800_171', domain: 'Access Control' },
361
+ { id: 'cui-3.4.1', controlCode: '3.4.1', title: 'Establish and manage identity and credentials', frameworkCode: 'nist_800_171', domain: 'Identification and Authentication' },
362
+ { id: 'cui-3.4.2', controlCode: '3.4.2', title: 'Identify and authenticate users', frameworkCode: 'nist_800_171', domain: 'Identification and Authentication' },
363
+ { id: 'cui-3.5.1', controlCode: '3.5.1', title: 'Identification and authentication policy', frameworkCode: 'nist_800_171', domain: 'Identification and Authentication' },
364
+ { id: 'cui-3.6.1', controlCode: '3.6.1', title: 'Audit logs of system access', frameworkCode: 'nist_800_171', domain: 'Audit and Accountability' },
365
+ { id: 'cui-3.6.2', controlCode: '3.6.2', title: 'Audit logs are reviewed', frameworkCode: 'nist_800_171', domain: 'Audit and Accountability' },
366
+ { id: 'cui-3.7.1', controlCode: '3.7.1', title: 'Screen for vulnerabilities before use', frameworkCode: 'nist_800_171', domain: 'Assessment, Authorization, and Monitoring' },
367
+ { id: 'cui-3.7.2', controlCode: '3.7.2', title: 'Risk assessment is performed', frameworkCode: 'nist_800_171', domain: 'Assessment, Authorization, and Monitoring' },
368
+ { id: 'cui-3.8.1', controlCode: '3.8.1', title: 'Authorized individuals operate system components', frameworkCode: 'nist_800_171', domain: 'Configuration Management' },
369
+ { id: 'cui-3.8.2', controlCode: '3.8.2', title: 'Configuration change control', frameworkCode: 'nist_800_171', domain: 'Configuration Management' },
370
+ { id: 'cui-3.8.3', controlCode: '3.8.3', title: 'Baseline configuration', frameworkCode: 'nist_800_171', domain: 'Configuration Management' },
371
+ ],
372
+ };
373
+ export const cisControlsPack = {
374
+ code: 'cis_controls',
375
+ name: 'CIS Controls v8 - Center for Internet Security',
376
+ version: 'v8',
377
+ controls: [
378
+ { id: 'cis-1.1', controlCode: '1.1', title: 'Establish and Maintain Detailed Enterprise Asset Inventory', frameworkCode: 'cis_controls', domain: 'Inventory and Control of Enterprise Assets' },
379
+ { id: 'cis-1.2', controlCode: '1.2', title: 'Address Unauthorized Assets', frameworkCode: 'cis_controls', domain: 'Inventory and Control of Enterprise Assets' },
380
+ { id: 'cis-2.1', controlCode: '2.1', title: 'Establish and Maintain Detailed Software Asset Inventory', frameworkCode: 'cis_controls', domain: 'Inventory and Control of Software Assets' },
381
+ { id: 'cis-2.2', controlCode: '2.2', title: 'Address Unauthorized Software', frameworkCode: 'cis_controls', domain: 'Inventory and Control of Software Assets' },
382
+ { id: 'cis-3.1', controlCode: '3.1', title: 'Establish and Maintain a Data Management Process', frameworkCode: 'cis_controls', domain: 'Data Protection' },
383
+ { id: 'cis-3.3', controlCode: '3.3', title: 'Configure Data Access Control Lists', frameworkCode: 'cis_controls', domain: 'Data Protection' },
384
+ { id: 'cis-3.8', controlCode: '3.8', title: 'Encrypt Sensitive Data at Rest', frameworkCode: 'cis_controls', domain: 'Data Protection' },
385
+ { id: 'cis-3.9', controlCode: '3.9', title: 'Encrypt Data in Transit', frameworkCode: 'cis_controls', domain: 'Data Protection' },
386
+ { id: 'cis-4.1', controlCode: '4.1', title: 'Establish and Maintain a Secure Configuration Process', frameworkCode: 'cis_controls', domain: 'Secure Configuration of Enterprise Assets and Software' },
387
+ { id: 'cis-4.4', controlCode: '4.4', title: 'Implement and Manage a Firewall Configuration for Enterprise Assets', frameworkCode: 'cis_controls', domain: 'Secure Configuration of Enterprise Assets and Software' },
388
+ { id: 'cis-5.1', controlCode: '5.1', title: 'Establish and Maintain an Inventory of Sensitive Data', frameworkCode: 'cis_controls', domain: 'Account Management' },
389
+ { id: 'cis-5.2', controlCode: '5.2', title: 'Use Unique Passwords', frameworkCode: 'cis_controls', domain: 'Account Management' },
390
+ { id: 'cis-5.4', controlCode: '5.4', title: 'Restrict Administrator Privileges', frameworkCode: 'cis_controls', domain: 'Account Management' },
391
+ { id: 'cis-5.5', controlCode: '5.5', title: 'Establish and Maintain an Inventory of Accounts', frameworkCode: 'cis_controls', domain: 'Account Management' },
392
+ { id: 'cis-5.6', controlCode: '5.6', title: 'Centralize Account Management', frameworkCode: 'cis_controls', domain: 'Account Management' },
393
+ { id: 'cis-6.1', controlCode: '6.1', title: 'Establish and Maintain a Process for Accepting and Addressing Reports of Vulnerabilities', frameworkCode: 'cis_controls', domain: 'Access Control Management' },
394
+ { id: 'cis-6.2', controlCode: '6.2', title: 'Establish and Maintain a Vulnerability Management Process', frameworkCode: 'cis_controls', domain: 'Access Control Management' },
395
+ { id: 'cis-6.3', controlCode: '6.3', title: 'Perform Automated Operating System Patch Management', frameworkCode: 'cis_controls', domain: 'Access Control Management' },
396
+ ],
397
+ };
398
+ export const cobitPack = {
399
+ code: 'cobit',
400
+ name: 'COBIT 2019 - Control Objectives for Information and Related Technology',
401
+ version: '2019',
402
+ controls: [
403
+ { id: 'cobit-edm01', controlCode: 'EDM01', title: 'Ensured Governance Framework Setting and Maintenance', frameworkCode: 'cobit', domain: 'Evaluate, Direct and Monitor' },
404
+ { id: 'cobit-edm02', controlCode: 'EDM02', title: 'Ensured Benefits Delivery', frameworkCode: 'cobit', domain: 'Evaluate, Direct and Monitor' },
405
+ { id: 'cobit-edm03', controlCode: 'EDM03', title: 'Ensured Risk Optimization', frameworkCode: 'cobit', domain: 'Evaluate, Direct and Monitor' },
406
+ { id: 'cobit-edm04', controlCode: 'EDM04', title: 'Ensured Resource Optimization', frameworkCode: 'cobit', domain: 'Evaluate, Direct and Monitor' },
407
+ { id: 'cobit-edm05', controlCode: 'EDM05', title: 'Ensured Stakeholder Engagement', frameworkCode: 'cobit', domain: 'Evaluate, Direct and Monitor' },
408
+ { id: 'cobit-apd01', controlCode: 'APD01', title: 'Managed Framework', frameworkCode: 'cobit', domain: 'Align, Plan and Organize' },
409
+ { id: 'cobit-apd02', controlCode: 'APD02', title: 'Managed Strategy', frameworkCode: 'cobit', domain: 'Align, Plan and Organize' },
410
+ { id: 'cobit-apd03', controlCode: 'APD03', title: 'Managed Enterprise Architecture', frameworkCode: 'cobit', domain: 'Align, Plan and Organize' },
411
+ { id: 'cobit-apd05', controlCode: 'APD05', title: 'Managed Portfolio', frameworkCode: 'cobit', domain: 'Align, Plan and Organize' },
412
+ { id: 'cobit-bai01', controlCode: 'BAI01', title: 'Managed Programs', frameworkCode: 'cobit', domain: 'Build, Acquire and Implement' },
413
+ { id: 'cobit-bai02', controlCode: 'BAI02', title: 'Managed Requirements Definition', frameworkCode: 'cobit', domain: 'Build, Acquire and Implement' },
414
+ { id: 'cobit-bai03', controlCode: 'BAI03', title: 'Managed Solutions Identification and Build', frameworkCode: 'cobit', domain: 'Build, Acquire and Implement' },
415
+ { id: 'cobit-bai04', controlCode: 'BAI04', title: 'Managed Availability and Capacity', frameworkCode: 'cobit', domain: 'Build, Acquire and Implement' },
416
+ { id: 'cobit-bai05', controlCode: 'BAI05', title: 'Managed Organizational Change', frameworkCode: 'cobit', domain: 'Build, Acquire and Implement' },
417
+ { id: 'cobit-dss01', controlCode: 'DSS01', title: 'Managed Operations', frameworkCode: 'cobit', domain: 'Deliver, Service and Support' },
418
+ { id: 'cobit-dss02', controlCode: 'DSS02', title: 'Managed Problems', frameworkCode: 'cobit', domain: 'Deliver, Service and Support' },
419
+ { id: 'cobit-dss03', controlCode: 'DSS03', title: 'Managed Continuity', frameworkCode: 'cobit', domain: 'Deliver, Service and Support' },
420
+ { id: 'cobit-dss04', controlCode: 'DSS04', title: 'Managed Security', frameworkCode: 'cobit', domain: 'Deliver, Service and Support' },
421
+ { id: 'cobit-dss05', controlCode: 'DSS05', title: 'Managed Business Process Controls', frameworkCode: 'cobit', domain: 'Deliver, Service and Support' },
422
+ { id: 'cobit-mea01', controlCode: 'MEA01', title: 'Managed Performance and Conformance Monitoring', frameworkCode: 'cobit', domain: 'Monitor, Evaluate and Assess' },
423
+ { id: 'cobit-mea02', controlCode: 'MEA02', title: 'Managed System of Internal Control', frameworkCode: 'cobit', domain: 'Monitor, Evaluate and Assess' },
424
+ { id: 'cobit-mea03', controlCode: 'MEA03', title: 'Managed Compliance with External Requirements', frameworkCode: 'cobit', domain: 'Monitor, Evaluate and Assess' },
425
+ ],
426
+ };
427
+ export const csaCcmPack = {
428
+ code: 'csa_ccm',
429
+ name: 'CSA CCM v4 - Cloud Security Alliance Cloud Controls Matrix',
430
+ version: 'v4.0',
431
+ controls: [
432
+ { id: 'csa-iam-01', controlCode: 'IAM-01', title: 'Identity and Access Management Policy', frameworkCode: 'csa_ccm', domain: 'IAM - Identity and Access Management' },
433
+ { id: 'csa-iam-02', controlCode: 'IAM-02', title: 'User Access Provisioning', frameworkCode: 'csa_ccm', domain: 'IAM - Identity and Access Management' },
434
+ { id: 'csa-iam-03', controlCode: 'IAM-03', title: 'User Access Reviews', frameworkCode: 'csa_ccm', domain: 'IAM - Identity and Access Management' },
435
+ { id: 'csa-iam-05', controlCode: 'IAM-05', title: 'User Authentication', frameworkCode: 'csa_ccm', domain: 'IAM - Identity and Access Management' },
436
+ { id: 'csa-iam-07', controlCode: 'IAM-07', title: 'Key Access Management', frameworkCode: 'csa_ccm', domain: 'IAM - Identity and Access Management' },
437
+ { id: 'csa-grm-01', controlCode: 'GRM-01', title: 'Governing Cloud Computing', frameworkCode: 'csa_ccm', domain: 'GRM - Governance and Risk Management' },
438
+ { id: 'csa-grm-02', controlCode: 'GRM-02', title: 'Cloud Computing Roles and Responsibilities', frameworkCode: 'csa_ccm', domain: 'GRM - Governance and Risk Management' },
439
+ { id: 'csa-grm-03', controlCode: 'GRM-03', title: 'Cloud Computing Risk Management', frameworkCode: 'csa_ccm', domain: 'GRM - Governance and Risk Management' },
440
+ { id: 'csa-grm-04', controlCode: 'GRM-04', title: 'Cloud Compliance Management', frameworkCode: 'csa_ccm', domain: 'GRM - Governance and Risk Management' },
441
+ { id: 'csa-grm-05', controlCode: 'GRM-05', title: 'Cloud Financial Management', frameworkCode: 'csa_ccm', domain: 'GRM - Governance and Risk Management' },
442
+ { id: 'csa-hrs-01', controlCode: 'HRS-01', title: 'Human Resources Security Policy', frameworkCode: 'csa_ccm', domain: 'HRS - Human Resources Security' },
443
+ { id: 'csa-hrs-02', controlCode: 'HRS-02', title: 'User Security Awareness and Training', frameworkCode: 'csa_ccm', domain: 'HRS - Human Resources Security' },
444
+ { id: 'csa-ivs-01', controlCode: 'IVS-01', title: 'Cryptographic Policies and Standards', frameworkCode: 'csa_ccm', domain: 'IVS - Infrastructure and Virtualization Security' },
445
+ { id: 'csa-ivs-02', controlCode: 'IVS-02', title: 'Encryption of Data in Transit', frameworkCode: 'csa_ccm', domain: 'IVS - Infrastructure and Virtualization Security' },
446
+ { id: 'csa-ivs-03', controlCode: 'IVS-03', title: 'Encryption of Data at Rest', frameworkCode: 'csa_ccm', domain: 'IVS - Infrastructure and Virtualization Security' },
447
+ { id: 'csa-ivs-04', controlCode: 'IVS-04', title: 'Virtualization Platform Security', frameworkCode: 'csa_ccm', domain: 'IVS - Infrastructure and Virtualization Security' },
448
+ { id: 'csa-ivs-05', controlCode: 'IVS-05', title: 'Virtualization Network Security', frameworkCode: 'csa_ccm', domain: 'IVS - Infrastructure and Virtualization Security' },
449
+ { id: 'csa-ivs-06', controlCode: 'IVS-06', title: 'Virtualization Management Security', frameworkCode: 'csa_ccm', domain: 'IVS - Infrastructure and Virtualization Security' },
450
+ { id: 'csa-sef-01', controlCode: 'SEF-01', title: 'Security Incident Management', frameworkCode: 'csa_ccm', domain: 'SEF - Security Incident Management, eDiscovery, and Cloud Forensics' },
451
+ { id: 'csa-sef-02', controlCode: 'SEF-02', title: 'Incident Response Planning', frameworkCode: 'csa_ccm', domain: 'SEF - Security Incident Management, eDiscovery, and Cloud Forensics' },
452
+ ],
453
+ };
454
+ export const iso27701Pack = {
455
+ code: 'iso27701',
456
+ name: 'ISO/IEC 27701 Privacy Information Management System',
457
+ version: '2019',
458
+ controls: [
459
+ { id: 'pims-5.2.1', controlCode: '5.2.1', title: 'Understanding the organization and its context', frameworkCode: 'iso27701', domain: 'Context of the organization' },
460
+ { id: 'pims-5.2.2', controlCode: '5.2.2', title: 'Understanding the needs and expectations of interested parties', frameworkCode: 'iso27701', domain: 'Context of the organization' },
461
+ { id: 'pims-5.2.3', controlCode: '5.2.3', title: 'Determining the scope of the PIMS', frameworkCode: 'iso27701', domain: 'Context of the organization' },
462
+ { id: 'pims-6.9', controlCode: '6.9', title: 'PIMS-specific roles, responsibilities and authorities', frameworkCode: 'iso27701', domain: 'Leadership' },
463
+ { id: 'pims-7.2', controlCode: '7.2', title: 'Actions to address risks and opportunities', frameworkCode: 'iso27701', domain: 'Planning' },
464
+ { id: 'pims-7.3', controlCode: '7.3', title: 'PIMS objectives and planning to achieve them', frameworkCode: 'iso27701', domain: 'Planning' },
465
+ { id: 'pims-7.5', controlCode: '7.5', title: 'Privacy risk assessment', frameworkCode: 'iso27701', domain: 'Planning' },
466
+ { id: 'pims-8.2', controlCode: '8.2', title: 'Operational planning and control', frameworkCode: 'iso27701', domain: 'Support' },
467
+ { id: 'pims-9.1', controlCode: '9.1', title: 'Monitoring, measurement, analysis and evaluation', frameworkCode: 'iso27701', domain: 'Performance evaluation' },
468
+ { id: 'pims-9.2', controlCode: '9.2', title: 'Internal audit', frameworkCode: 'iso27701', domain: 'Performance evaluation' },
469
+ { id: 'pims-10.1', controlCode: '10.1', title: 'Nonconformity and corrective action', frameworkCode: 'iso27701', domain: 'Improvement' },
470
+ { id: 'pims-10.2', controlCode: '10.2', title: 'Continual improvement', frameworkCode: 'iso27701', domain: 'Improvement' },
471
+ { id: 'pims-a.7.1.1', controlCode: 'A.7.1.1', title: 'Policies for managing PII', frameworkCode: 'iso27701', domain: 'PII Controller' },
472
+ { id: 'pims-a.7.2.1', controlCode: 'A.7.2.1', title: 'Privacy by design', frameworkCode: 'iso27701', domain: 'PII Controller' },
473
+ { id: 'pims-a.7.2.2', controlCode: 'A.7.2.2', title: 'Privacy by default', frameworkCode: 'iso27701', domain: 'PII Controller' },
474
+ { id: 'pims-a.7.2.3', controlCode: 'A.7.2.3', title: 'Consent', frameworkCode: 'iso27701', domain: 'PII Controller' },
475
+ { id: 'pims-a.7.3.1', controlCode: 'A.7.3.1', title: 'Transparency for PII controllers', frameworkCode: 'iso27701', domain: 'PII Controller' },
476
+ { id: 'pims-a.7.4.1', controlCode: 'A.7.4.1', title: 'Rights of PII principals', frameworkCode: 'iso27701', domain: 'PII Controller' },
477
+ { id: 'pims-a.7.5.1', controlCode: 'A.7.5.1', title: 'Accountability for PII processors', frameworkCode: 'iso27701', domain: 'PII Processor' },
478
+ { id: 'pims-a.7.8.1', controlCode: 'A.7.8.1', title: 'Privacy by design and by default for PII processors', frameworkCode: 'iso27701', domain: 'PII Processor' },
479
+ ],
480
+ };
481
+ export const iso27017Pack = {
482
+ code: 'iso27017',
483
+ name: 'ISO/IEC 27017 Code of Practice for Cloud Security',
484
+ version: '2015',
485
+ controls: [
486
+ { id: 'cloud-5.1.1', controlCode: '5.1.1', title: 'Policies for information security', frameworkCode: 'iso27017', domain: 'Information security policies' },
487
+ { id: 'cloud-6.1.1', controlCode: '6.1.1', title: 'Information security roles and responsibilities', frameworkCode: 'iso27017', domain: 'Organization of information security' },
488
+ { id: 'cloud-8.1.1', controlCode: '8.1.1', title: 'Physical security perimeters', frameworkCode: 'iso27017', domain: 'Physical and environmental security' },
489
+ { id: 'cloud-12.1.1', controlCode: '12.1.1', title: 'Controls against malware', frameworkCode: 'iso27017', domain: 'Operations security' },
490
+ { id: 'cloud-14.1.1', controlCode: '14.1.1', title: 'Cryptographic controls', frameworkCode: 'iso27017', domain: 'Cryptography' },
491
+ { id: 'cloud-c.5.1', controlCode: 'C.5.1', title: 'Alignment of security policies for cloud services', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
492
+ { id: 'cloud-c.5.2', controlCode: 'C.5.2', title: 'Roles and responsibilities for cloud services', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
493
+ { id: 'cloud-c.6.1', controlCode: 'C.6.1', title: 'Securing the operating environment', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
494
+ { id: 'cloud-c.6.2', controlCode: 'C.6.2', title: 'Securing customer data', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
495
+ { id: 'cloud-c.7.1', controlCode: 'C.7.1', title: 'Virtualisation security', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
496
+ { id: 'cloud-c.7.2', controlCode: 'C.7.2', title: 'Network security management', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
497
+ { id: 'cloud-c.8.1', controlCode: 'C.8.1', title: 'Disposal of information', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
498
+ { id: 'cloud-c.8.2', controlCode: 'C.8.2', title: 'Secure disposal of equipment', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
499
+ { id: 'cloud-c.9.1', controlCode: 'C.9.1', title: 'Cloud service customer requirements', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
500
+ { id: 'cloud-c.9.2', controlCode: 'C.9.2', title: 'Monitoring and review of cloud services', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
501
+ { id: 'cloud-c.9.3', controlCode: 'C.9.3', title: 'Cloud service capability changes', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
502
+ { id: 'cloud-c.9.4', controlCode: 'C.9.4', title: 'Cloud service content changes', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
503
+ { id: 'cloud-c.9.5', controlCode: 'C.9.5', title: 'Cloud service data portability', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
504
+ { id: 'cloud-c.10.1', controlCode: 'C.10.1', title: 'Cloud service audit', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
505
+ { id: 'cloud-c.10.2', controlCode: 'C.10.2', title: 'Audit information and audit logging for cloud services', frameworkCode: 'iso27017', domain: 'Cloud-specific controls' },
506
+ ],
507
+ };
508
+ export const iso27018Pack = {
509
+ code: 'iso27018',
510
+ name: 'ISO/IEC 27018 Protection of PII in Public Clouds',
511
+ version: '2019',
512
+ controls: [
513
+ { id: 'pii-5.1.1', controlCode: '5.1.1', title: 'Policies for protection of PII', frameworkCode: 'iso27018', domain: 'Information security policies' },
514
+ { id: 'pii-6.1.1', controlCode: '6.1.1', title: 'PII protection roles and responsibilities', frameworkCode: 'iso27018', domain: 'Organization of PII protection' },
515
+ { id: 'pii-8.1.1', controlCode: '8.1.1', title: 'Physical security perimeters for PII', frameworkCode: 'iso27018', domain: 'Physical and environmental security' },
516
+ { id: 'pii-12.1.1', controlCode: '12.1.1', title: 'Controls against malware for PII', frameworkCode: 'iso27018', domain: 'Operations security' },
517
+ { id: 'pii-14.1.1', controlCode: '14.1.1', title: 'Cryptographic controls for PII', frameworkCode: 'iso27018', domain: 'Cryptography' },
518
+ { id: 'pii-c.5.1', controlCode: 'C.5.1', title: 'Consent for processing of PII', frameworkCode: 'iso27018', domain: 'PII protection controls' },
519
+ { id: 'pii-c.5.2', controlCode: 'C.5.2', title: 'Purpose limitation', frameworkCode: 'iso27018', domain: 'PII protection controls' },
520
+ { id: 'pii-c.5.3', controlCode: 'C.5.3', title: 'Minimization of PII', frameworkCode: 'iso27018', domain: 'PII protection controls' },
521
+ { id: 'pii-c.5.4', controlCode: 'C.5.4', title: 'Limit on PII retention', frameworkCode: 'iso27018', domain: 'PII protection controls' },
522
+ { id: 'pii-c.5.5', controlCode: 'C.5.5', title: 'Data subject rights', frameworkCode: 'iso27018', domain: 'PII protection controls' },
523
+ { id: 'pii-c.5.6', controlCode: 'C.5.6', title: 'Transparency of processing of PII', frameworkCode: 'iso27018', domain: 'PII protection controls' },
524
+ { id: 'pii-c.5.7', controlCode: 'C.5.7', title: 'Security of PII', frameworkCode: 'iso27018', domain: 'PII protection controls' },
525
+ { id: 'pii-c.5.8', controlCode: 'C.5.8', title: 'Notification of breaches of PII', frameworkCode: 'iso27018', domain: 'PII protection controls' },
526
+ { id: 'pii-c.6.1', controlCode: 'C.6.1', title: 'Personal data breach notification', frameworkCode: 'iso27018', domain: 'Breach notification' },
527
+ { id: 'pii-c.7.1', controlCode: 'C.7.1', title: 'De-identification of PII', frameworkCode: 'iso27018', domain: 'Privacy controls' },
528
+ { id: 'pii-c.7.2', controlCode: 'C.7.2', title: 'Anonymisation of PII', frameworkCode: 'iso27018', domain: 'Privacy controls' },
529
+ { id: 'pii-c.8.1', controlCode: 'C.8.1', title: 'Disposal of PII', frameworkCode: 'iso27018', domain: 'Data lifecycle' },
530
+ { id: 'pii-c.8.2', controlCode: 'C.8.2', title: 'Secure deletion of PII', frameworkCode: 'iso27018', domain: 'Data lifecycle' },
531
+ ],
532
+ };
533
+ export const soc1Pack = {
534
+ code: 'soc1',
535
+ name: 'SOC 1 Type II - Financial Reporting Controls',
536
+ version: '2017',
537
+ controls: [
538
+ { id: 'soc1-cc1.1', controlCode: 'CC1.1', title: 'COSO Principle 1: Demonstrates commitment to integrity and ethical values', frameworkCode: 'soc1', domain: 'Control Environment' },
539
+ { id: 'soc1-cc1.2', controlCode: 'CC1.2', title: 'Board exercises oversight responsibility', frameworkCode: 'soc1', domain: 'Control Environment' },
540
+ { id: 'soc1-cc1.3', controlCode: 'CC1.3', title: 'Management establishes structures, reporting lines, and authorities', frameworkCode: 'soc1', domain: 'Control Environment' },
541
+ { id: 'soc1-cc1.4', controlCode: 'CC1.4', title: 'Demonstrates commitment to competence', frameworkCode: 'soc1', domain: 'Control Environment' },
542
+ { id: 'soc1-cc1.5', controlCode: 'CC1.5', title: 'Enforces accountability', frameworkCode: 'soc1', domain: 'Control Environment' },
543
+ { id: 'soc1-cc2.1', controlCode: 'CC2.1', title: 'Internal information to support functioning of internal control', frameworkCode: 'soc1', domain: 'Information and Communication' },
544
+ { id: 'soc1-cc2.2', controlCode: 'CC2.2', title: 'External communication to support functioning of internal control', frameworkCode: 'soc1', domain: 'Information and Communication' },
545
+ { id: 'soc1-cc3.1', controlCode: 'CC3.1', title: 'Identifies and selects risk assessment process', frameworkCode: 'soc1', domain: 'Risk Assessment' },
546
+ { id: 'soc1-cc3.2', controlCode: 'CC3.2', title: 'Assesses and analyzes risk', frameworkCode: 'soc1', domain: 'Risk Assessment' },
547
+ { id: 'soc1-cc3.3', controlCode: 'CC3.3', title: 'Assesses fraud risk', frameworkCode: 'soc1', domain: 'Risk Assessment' },
548
+ { id: 'soc1-cc4.1', controlCode: 'CC4.1', title: 'Selects and develops control activities', frameworkCode: 'soc1', domain: 'Monitoring Activities' },
549
+ { id: 'soc1-cc5.1', controlCode: 'CC5.1', title: 'Selects and develops control activities that contribute to mitigation of risks', frameworkCode: 'soc1', domain: 'Control Activities' },
550
+ { id: 'soc1-cc6.1', controlCode: 'CC6.1', title: 'Logical access security software, infrastructure, and architectures', frameworkCode: 'soc1', domain: 'Logical and Physical Access' },
551
+ { id: 'soc1-cc6.2', controlCode: 'CC6.2', title: 'Before new system components are placed into production', frameworkCode: 'soc1', domain: 'Logical and Physical Access' },
552
+ { id: 'soc1-cc6.3', controlCode: 'CC6.3', title: 'Restricts logical access', frameworkCode: 'soc1', domain: 'Logical and Physical Access' },
553
+ { id: 'soc1-cc7.1', controlCode: 'CC7.1', title: 'Detection and monitoring procedures', frameworkCode: 'soc1', domain: 'System Operations' },
554
+ { id: 'soc1-cc7.2', controlCode: 'CC7.2', title: 'Monitors system components and the operation for anomalies', frameworkCode: 'soc1', domain: 'System Operations' },
555
+ { id: 'soc1-cc8.1', controlCode: 'CC8.1', title: 'Manages changes to infrastructure, data, software, and procedures', frameworkCode: 'soc1', domain: 'Change Management' },
556
+ ],
557
+ };
558
+ export const doraPack = {
559
+ code: 'dora',
560
+ name: 'DORA - Digital Operational Resilience Act',
561
+ version: '2022/2554',
562
+ controls: [
563
+ { id: 'dora-art.5', controlCode: 'Art.5', title: 'ICT risk management framework', frameworkCode: 'dora', domain: 'ICT Risk Management' },
564
+ { id: 'dora-art.6', controlCode: 'Art.6', title: 'ICT risk management framework - governance', frameworkCode: 'dora', domain: 'ICT Risk Management' },
565
+ { id: 'dora-art.7', controlCode: 'Art.7', title: 'ICT risk management framework - organization', frameworkCode: 'dora', domain: 'ICT Risk Management' },
566
+ { id: 'dora-art.8', controlCode: 'Art.8', title: 'ICT risk management framework - identification', frameworkCode: 'dora', domain: 'ICT Risk Management' },
567
+ { id: 'dora-art.9', controlCode: 'Art.9', title: 'ICT risk management framework - protection and prevention', frameworkCode: 'dora', domain: 'ICT Risk Management' },
568
+ { id: 'dora-art.10', controlCode: 'Art.10', title: 'ICT risk management framework - detection', frameworkCode: 'dora', domain: 'ICT Risk Management' },
569
+ { id: 'dora-art.11', controlCode: 'Art.11', title: 'ICT risk management framework - response and recovery', frameworkCode: 'dora', domain: 'ICT Risk Management' },
570
+ { id: 'dora-art.12', controlCode: 'Art.12', title: 'ICT risk management framework - learning and evolving', frameworkCode: 'dora', domain: 'ICT Risk Management' },
571
+ { id: 'dora-art.25', controlCode: 'Art.25', title: 'ICT-related incident management', frameworkCode: 'dora', domain: 'ICT-related Incident Management' },
572
+ { id: 'dora-art.26', controlCode: 'Art.26', title: 'Classification of ICT-related incidents', frameworkCode: 'dora', domain: 'ICT-related Incident Management' },
573
+ { id: 'dora-art.27', controlCode: 'Art.27', title: 'Reporting major ICT-related incidents', frameworkCode: 'dora', domain: 'ICT-related Incident Management' },
574
+ { id: 'dora-art.30', controlCode: 'Art.30', title: 'Digital operational resilience testing', frameworkCode: 'dora', domain: 'Digital Operational Resilience Testing' },
575
+ { id: 'dora-art.31', controlCode: 'Art.31', title: 'General requirements for digital operational resilience testing', frameworkCode: 'dora', domain: 'Digital Operational Resilience Testing' },
576
+ { id: 'dora-art.32', controlCode: 'Art.32', title: 'Testing of ICT tools and systems', frameworkCode: 'dora', domain: 'Digital Operational Resilience Testing' },
577
+ { id: 'dora-art.33', controlCode: 'Art.33', title: 'Advanced testing by means of threat-led penetration testing', frameworkCode: 'dora', domain: 'Digital Operational Resilience Testing' },
578
+ { id: 'dora-art.35', controlCode: 'Art.35', title: 'Designation of critical ICT third-party service providers', frameworkCode: 'dora', domain: 'ICT Third-party Risk Management' },
579
+ ],
580
+ };
581
+ export const nis2Pack = {
582
+ code: 'nis2',
583
+ name: 'NIS2 - Network and Information Security Directive',
584
+ version: '2022/2555',
585
+ controls: [
586
+ { id: 'nis2-art.21.1', controlCode: 'Art.21(1)', title: 'Risk analysis and information system security policies', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
587
+ { id: 'nis2-art.21.2', controlCode: 'Art.21(2)', title: 'Incident handling', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
588
+ { id: 'nis2-art.21.3', controlCode: 'Art.21(3)', title: 'Business continuity and crisis management', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
589
+ { id: 'nis2-art.21.4', controlCode: 'Art.21(4)', title: 'Supply chain security', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
590
+ { id: 'nis2-art.21.5', controlCode: 'Art.21(5)', title: 'Security in network and information systems acquisition, development, and maintenance', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
591
+ { id: 'nis2-art.21.7', controlCode: 'Art.21(7)', title: 'Basic cyber hygiene practices and cybersecurity training', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
592
+ { id: 'nis2-art.21.8', controlCode: 'Art.21(8)', title: 'Policies on the use of cryptography and encryption', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
593
+ { id: 'nis2-art.21.9', controlCode: 'Art.21(9)', title: 'Human resources security, access control policies, and asset management', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
594
+ { id: 'nis2-art.21.10', controlCode: 'Art.21(10)', title: 'Multi-factor authentication or continuous authentication solutions', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
595
+ { id: 'nis2-art.21.11', controlCode: 'Art.21(11)', title: 'Secured systems configuration, including patch management', frameworkCode: 'nis2', domain: 'Cybersecurity risk management measures' },
596
+ { id: 'nis2-art.23', controlCode: 'Art.23', title: 'Reporting obligations', frameworkCode: 'nis2', domain: 'Reporting obligations' },
597
+ { id: 'nis2-art.24', controlCode: 'Art.24', title: 'Early warning and incident notification', frameworkCode: 'nis2', domain: 'Reporting obligations' },
598
+ { id: 'nis2-art.25', controlCode: 'Art.25', title: 'Notification to recipients of service', frameworkCode: 'nis2', domain: 'Reporting obligations' },
599
+ { id: 'nis2-art.26', controlCode: 'Art.26', title: 'Cybersecurity crisis management', frameworkCode: 'nis2', domain: 'Crisis management' },
600
+ ],
601
+ };
602
+ export const ccpaPack = {
603
+ code: 'ccpa',
604
+ name: 'CCPA/CPRA - California Consumer Privacy Act',
605
+ version: '2023',
606
+ controls: [
607
+ { id: 'ccpa-1798.100', controlCode: '1798.100', title: 'Consumer right to know about personal information collected', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
608
+ { id: 'ccpa-1798.105', controlCode: '1798.105', title: 'Consumer right to delete personal information', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
609
+ { id: 'ccpa-1798.106', controlCode: '1798.106', title: 'Consumer right to correct inaccurate personal information', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
610
+ { id: 'ccpa-1798.110', controlCode: '1798.110', title: 'Consumer right to know what personal information is sold or shared', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
611
+ { id: 'ccpa-1798.115', controlCode: '1798.115', title: 'Consumer right to access personal information', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
612
+ { id: 'ccpa-1798.120', controlCode: '1798.120', title: 'Consumer right to opt out of sale or sharing of personal information', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
613
+ { id: 'ccpa-1798.121', controlCode: '1798.121', title: 'Consumer right to limit use of sensitive personal information', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
614
+ { id: 'ccpa-1798.125', controlCode: '1798.125', title: 'Non-discrimination for exercising privacy rights', frameworkCode: 'ccpa', domain: 'Consumer Rights' },
615
+ { id: 'ccpa-1798.130', controlCode: '1798.130', title: 'Notice at collection of personal information', frameworkCode: 'ccpa', domain: 'Notice Requirements' },
616
+ { id: 'ccpa-1798.135', controlCode: '1798.135', title: 'Right to opt-out of sale or sharing of personal information', frameworkCode: 'ccpa', domain: 'Notice Requirements' },
617
+ { id: 'ccpa-1798.140', controlCode: '1798.140', title: 'Definitions of personal information', frameworkCode: 'ccpa', domain: 'Definitions' },
618
+ { id: 'ccpa-1798.145', controlCode: '1798.145', title: 'Service provider and contractor obligations', frameworkCode: 'ccpa', domain: 'Business Obligations' },
619
+ { id: 'ccpa-1798.150', controlCode: '1798.150', title: 'Private right of action for data breaches', frameworkCode: 'ccpa', domain: 'Enforcement' },
620
+ { id: 'ccpa-1798.155', controlCode: '1798.155', title: 'Administrative enforcement', frameworkCode: 'ccpa', domain: 'Enforcement' },
621
+ { id: 'ccpa-1798.175', controlCode: '1798.175', title: 'California Privacy Protection Agency', frameworkCode: 'ccpa', domain: 'Enforcement' },
622
+ ],
623
+ };
624
+ export const lgpdPack = {
625
+ code: 'lgpd',
626
+ name: 'LGPD - Lei Geral de Protecao de Dados (Brazil)',
627
+ version: '2020',
628
+ controls: [
629
+ { id: 'lgpd-art.7', controlCode: 'Art.7', title: 'Legal bases for processing personal data', frameworkCode: 'lgpd', domain: 'Data Processing Principles' },
630
+ { id: 'lgpd-art.8', controlCode: 'Art.8', title: 'Consent for processing personal data', frameworkCode: 'lgpd', domain: 'Data Processing Principles' },
631
+ { id: 'lgpd-art.9', controlCode: 'Art.9', title: 'Rights of the data subject', frameworkCode: 'lgpd', domain: 'Data Subject Rights' },
632
+ { id: 'lgpd-art.18', controlCode: 'Art.18', title: 'Confirmation and access to personal data', frameworkCode: 'lgpd', domain: 'Data Subject Rights' },
633
+ { id: 'lgpd-art.19', controlCode: 'Art.19', title: 'Correction of personal data', frameworkCode: 'lgpd', domain: 'Data Subject Rights' },
634
+ { id: 'lgpd-art.20', controlCode: 'Art.20', title: 'Anonymization, blocking, or deletion of unnecessary or excessive data', frameworkCode: 'lgpd', domain: 'Data Subject Rights' },
635
+ { id: 'lgpd-art.21', controlCode: 'Art.21', title: 'Portability of personal data', frameworkCode: 'lgpd', domain: 'Data Subject Rights' },
636
+ { id: 'lgpd-art.22', controlCode: 'Art.22', title: 'Elimination of personal data processed with consent', frameworkCode: 'lgpd', domain: 'Data Subject Rights' },
637
+ { id: 'lgpd-art.37', controlCode: 'Art.37', title: 'Record of processing operations', frameworkCode: 'lgpd', domain: 'Governance' },
638
+ { id: 'lgpd-art.38', controlCode: 'Art.38', title: 'Appointment of data protection officer', frameworkCode: 'lgpd', domain: 'Governance' },
639
+ { id: 'lgpd-art.41', controlCode: 'Art.41', title: 'Data protection impact assessment', frameworkCode: 'lgpd', domain: 'Governance' },
640
+ { id: 'lgpd-art.43', controlCode: 'Art.43', title: 'Data breach notification', frameworkCode: 'lgpd', domain: 'Security' },
641
+ { id: 'lgpd-art.46', controlCode: 'Art.46', title: 'Security measures for personal data', frameworkCode: 'lgpd', domain: 'Security' },
642
+ ],
643
+ };
644
+ export const pipedaPack = {
645
+ code: 'pipeda',
646
+ name: 'PIPEDA - Personal Information Protection and Electronic Documents Act',
647
+ version: '2019',
648
+ controls: [
649
+ { id: 'pipeda-4.1', controlCode: '4.1', title: 'Accountability', frameworkCode: 'pipeda', domain: 'Principle 1' },
650
+ { id: 'pipeda-4.2', controlCode: '4.2', title: 'Identifying purposes', frameworkCode: 'pipeda', domain: 'Principle 2' },
651
+ { id: 'pipeda-4.3', controlCode: '4.3', title: 'Consent', frameworkCode: 'pipeda', domain: 'Principle 3' },
652
+ { id: 'pipeda-4.4', controlCode: '4.4', title: 'Limiting collection', frameworkCode: 'pipeda', domain: 'Principle 4' },
653
+ { id: 'pipeda-4.5', controlCode: '4.5', title: 'Limiting use, disclosure, and retention', frameworkCode: 'pipeda', domain: 'Principle 5' },
654
+ { id: 'pipeda-4.6', controlCode: '4.6', title: 'Accuracy', frameworkCode: 'pipeda', domain: 'Principle 6' },
655
+ { id: 'pipeda-4.7', controlCode: '4.7', title: 'Safeguards', frameworkCode: 'pipeda', domain: 'Principle 7' },
656
+ { id: 'pipeda-4.8', controlCode: '4.8', title: 'Openness', frameworkCode: 'pipeda', domain: 'Principle 8' },
657
+ { id: 'pipeda-4.9', controlCode: '4.9', title: 'Individual access', frameworkCode: 'pipeda', domain: 'Principle 9' },
658
+ { id: 'pipeda-4.10', controlCode: '4.10', title: 'Challenging compliance', frameworkCode: 'pipeda', domain: 'Principle 10' },
659
+ { id: 'pipeda-s.6', controlCode: 'S.6', title: 'Notification requirement', frameworkCode: 'pipeda', domain: 'Breaches' },
660
+ { id: 'pipeda-s.10', controlCode: 'S.10', title: 'Notification to Privacy Commissioner', frameworkCode: 'pipeda', domain: 'Breaches' },
661
+ { id: 'pipeda-s.10.1', controlCode: 'S.10.1', title: 'Notification to affected individuals', frameworkCode: 'pipeda', domain: 'Breaches' },
662
+ { id: 'pipeda-s.10.3', controlCode: 'S.10.3', title: 'Record of breaches', frameworkCode: 'pipeda', domain: 'Breaches' },
663
+ ],
664
+ };
665
+ export const apraCps234Pack = {
666
+ code: 'apra_cps234',
667
+ name: 'APRA CPS 234 - Australian Prudential Regulation Authority',
668
+ version: '2019',
669
+ controls: [
670
+ { id: 'apra-1', controlCode: 'CPS234-1', title: 'Information security capability', frameworkCode: 'apra_cps234', domain: 'Information Security' },
671
+ { id: 'apra-2', controlCode: 'CPS234-2', title: 'Information security governance', frameworkCode: 'apra_cps234', domain: 'Information Security' },
672
+ { id: 'apra-3', controlCode: 'CPS234-3', title: 'Information asset classification', frameworkCode: 'apra_cps234', domain: 'Information Security' },
673
+ { id: 'apra-4', controlCode: 'CPS234-4', title: 'Information security controls', frameworkCode: 'apra_cps234', domain: 'Information Security' },
674
+ { id: 'apra-5', controlCode: 'CPS234-5', title: 'Internal audit of information security', frameworkCode: 'apra_cps234', domain: 'Information Security' },
675
+ { id: 'apra-6', controlCode: 'CPS234-6', title: 'Testing of controls', frameworkCode: 'apra_cps234', domain: 'Information Security' },
676
+ { id: 'apra-7', controlCode: 'CPS234-7', title: 'Notification of material incidents', frameworkCode: 'apra_cps234', domain: 'Information Security' },
677
+ { id: 'apra-8', controlCode: 'CPS234-8', title: 'Material information security incidents', frameworkCode: 'apra_cps234', domain: 'Information Security' },
678
+ { id: 'apra-9', controlCode: 'CPS234-9', title: 'Annual review', frameworkCode: 'apra_cps234', domain: 'Information Security' },
679
+ { id: 'apra-10', controlCode: 'CPS234-10', title: 'Board and senior management responsibilities', frameworkCode: 'apra_cps234', domain: 'Information Security' },
680
+ { id: 'apra-11', controlCode: 'CPS234-11', title: 'Information security management framework', frameworkCode: 'apra_cps234', domain: 'Information Security' },
681
+ { id: 'apra-12', controlCode: 'CPS234-12', title: 'Control of information assets', frameworkCode: 'apra_cps234', domain: 'Information Security' },
682
+ { id: 'apra-13', controlCode: 'CPS234-13', title: 'Monitoring and review of information security controls', frameworkCode: 'apra_cps234', domain: 'Information Security' },
683
+ { id: 'apra-14', controlCode: 'CPS234-14', title: 'Testing of information security controls', frameworkCode: 'apra_cps234', domain: 'Information Security' },
684
+ { id: 'apra-15', controlCode: 'CPS234-15', title: 'Incident management', frameworkCode: 'apra_cps234', domain: 'Information Security' },
685
+ ],
686
+ };
687
+ export const masTrmPack = {
688
+ code: 'mas_trm',
689
+ name: 'MAS TRM - Monetary Authority of Singapore Technology Risk Management',
690
+ version: '2021',
691
+ controls: [
692
+ { id: 'mas-1', controlCode: 'TRM-1', title: 'IT governance', frameworkCode: 'mas_trm', domain: 'IT Governance' },
693
+ { id: 'mas-2', controlCode: 'TRM-2', title: 'IT strategy', frameworkCode: 'mas_trm', domain: 'IT Governance' },
694
+ { id: 'mas-3', controlCode: 'TRM-3', title: 'IT risk management', frameworkCode: 'mas_trm', domain: 'IT Risk Management' },
695
+ { id: 'mas-4', controlCode: 'TRM-4', title: 'IT risk assessment', frameworkCode: 'mas_trm', domain: 'IT Risk Management' },
696
+ { id: 'mas-5', controlCode: 'TRM-5', title: 'IT security management', frameworkCode: 'mas_trm', domain: 'IT Security Management' },
697
+ { id: 'mas-6', controlCode: 'TRM-6', title: 'Access control', frameworkCode: 'mas_trm', domain: 'IT Security Management' },
698
+ { id: 'mas-7', controlCode: 'TRM-7', title: 'Authentication and authorization', frameworkCode: 'mas_trm', domain: 'IT Security Management' },
699
+ { id: 'mas-8', controlCode: 'TRM-8', title: 'Network security', frameworkCode: 'mas_trm', domain: 'IT Security Management' },
700
+ { id: 'mas-9', controlCode: 'TRM-9', title: 'Endpoint security', frameworkCode: 'mas_trm', domain: 'IT Security Management' },
701
+ { id: 'mas-10', controlCode: 'TRM-10', title: 'Data protection', frameworkCode: 'mas_trm', domain: 'IT Security Management' },
702
+ { id: 'mas-11', controlCode: 'TRM-11', title: 'Data backup and recovery', frameworkCode: 'mas_trm', domain: 'IT Operations Management' },
703
+ { id: 'mas-12', controlCode: 'TRM-12', title: 'Incident management', frameworkCode: 'mas_trm', domain: 'IT Operations Management' },
704
+ { id: 'mas-13', controlCode: 'TRM-13', title: 'IT service management', frameworkCode: 'mas_trm', domain: 'IT Operations Management' },
705
+ { id: 'mas-14', controlCode: 'TRM-14', title: 'IT change management', frameworkCode: 'mas_trm', domain: 'IT Operations Management' },
706
+ { id: 'mas-15', controlCode: 'TRM-15', title: 'IT business continuity management', frameworkCode: 'mas_trm', domain: 'IT Operations Management' },
707
+ { id: 'mas-16', controlCode: 'TRM-16', title: 'Technology resilience', frameworkCode: 'mas_trm', domain: 'IT Operations Management' },
708
+ { id: 'mas-17', controlCode: 'TRM-17', title: 'Cloud and third-party service management', frameworkCode: 'mas_trm', domain: 'Third-party Management' },
709
+ { id: 'mas-18', controlCode: 'TRM-18', title: 'Cyber surveillance', frameworkCode: 'mas_trm', domain: 'Cyber Surveillance' },
710
+ { id: 'mas-19', controlCode: 'TRM-19', title: 'Cyber surveillance - threat detection', frameworkCode: 'mas_trm', domain: 'Cyber Surveillance' },
711
+ { id: 'mas-20', controlCode: 'TRM-20', title: 'Cyber surveillance - threat response', frameworkCode: 'mas_trm', domain: 'Cyber Surveillance' },
712
+ ],
713
+ };
714
+ export const sgpdpaPack = {
715
+ code: 'sg_pdpa',
716
+ name: 'Singapore PDPA - Personal Data Protection Act',
717
+ version: '2012',
718
+ controls: [
719
+ { id: 'pdpa-s12', controlCode: 'S12', title: 'Consent obligation', frameworkCode: 'sg_pdpa', domain: 'Consent Obligation' },
720
+ { id: 'pdpa-s13', controlCode: 'S13', title: 'Purpose limitation obligation', frameworkCode: 'sg_pdpa', domain: 'Consent Obligation' },
721
+ { id: 'pdpa-s14', controlCode: 'S14', title: 'Notification obligation', frameworkCode: 'sg_pdpa', domain: 'Consent Obligation' },
722
+ { id: 'pdpa-s15', controlCode: 'S15', title: 'Obligation to protect personal data', frameworkCode: 'sg_pdpa', domain: 'Protection Obligation' },
723
+ { id: 'pdpa-s16', controlCode: 'S16', title: 'Retention limitation obligation', frameworkCode: 'sg_pdpa', domain: 'Limitation Obligation' },
724
+ { id: 'pdpa-s17', controlCode: 'S17', title: 'Transfer limitation obligation', frameworkCode: 'sg_pdpa', domain: 'Limitation Obligation' },
725
+ { id: 'pdpa-s18', controlCode: 'S18', title: 'Access and correction obligation', frameworkCode: 'sg_pdpa', domain: 'Access and Correction Obligation' },
726
+ { id: 'pdpa-s19', controlCode: 'S19', title: 'Data breach notification obligation', frameworkCode: 'sg_pdpa', domain: 'Data Breach Notification' },
727
+ { id: 'pdpa-s20', controlCode: 'S20', title: 'Significant harm assessment for data breaches', frameworkCode: 'sg_pdpa', domain: 'Data Breach Notification' },
728
+ { id: 'pdpa-s21', controlCode: 'S21', title: 'Notification to PDPC for significant data breaches', frameworkCode: 'sg_pdpa', domain: 'Data Breach Notification' },
729
+ { id: 'pdpa-s22', controlCode: 'S22', title: 'Accountability obligation', frameworkCode: 'sg_pdpa', domain: 'Accountability' },
730
+ { id: 'pdpa-s24', controlCode: 'S24', title: 'Do Not Call provisions', frameworkCode: 'sg_pdpa', domain: 'DNC' },
731
+ { id: 'pdpa-s25', controlCode: 'S25', title: 'Organizations must implement reasonable security arrangements', frameworkCode: 'sg_pdpa', domain: 'Protection Obligation' },
732
+ { id: 'pdpa-s26', controlCode: 'S26', title: 'DPO appointment', frameworkCode: 'sg_pdpa', domain: 'Accountability' },
733
+ { id: 'pdpa-s27', controlCode: 'S27', title: 'Data protection policies', frameworkCode: 'sg_pdpa', domain: 'Accountability' },
734
+ ],
735
+ };
736
+ export const japanAppiPack = {
737
+ code: 'japan_appi',
738
+ name: 'Japan APPI - Act on Protection of Personal Information',
739
+ version: '2022',
740
+ controls: [
741
+ { id: 'appi-art.17', controlCode: 'Art.17', title: 'Proper acquisition of personal data', frameworkCode: 'japan_appi', domain: 'Acquisition' },
742
+ { id: 'appi-art.18', controlCode: 'Art.18', title: 'Proper acquisition of personal information requiring special care', frameworkCode: 'japan_appi', domain: 'Acquisition' },
743
+ { id: 'appi-art.20', controlCode: 'Art.20', title: 'Purpose of utilization', frameworkCode: 'japan_appi', domain: 'Utilization' },
744
+ { id: 'appi-art.21', controlCode: 'Art.21', title: 'Proper control of personal data', frameworkCode: 'japan_appi', domain: 'Utilization' },
745
+ { id: 'appi-art.22', controlCode: 'Art.22', title: 'Security controls measures', frameworkCode: 'japan_appi', domain: 'Security' },
746
+ { id: 'appi-art.23', controlCode: 'Art.23', title: 'Employee data handling', frameworkCode: 'japan_appi', domain: 'Security' },
747
+ { id: 'appi-art.24', controlCode: 'Art.24', title: 'Supervision of contractors', frameworkCode: 'japan_appi', domain: 'Security' },
748
+ { id: 'appi-art.25', controlCode: 'Art.25', title: 'Measures against unauthorized access', frameworkCode: 'japan_appi', domain: 'Security' },
749
+ { id: 'appi-art.26', controlCode: 'Art.26', title: 'Third-party provision restriction', frameworkCode: 'japan_appi', domain: 'Third-party provision' },
750
+ { id: 'appi-art.28', controlCode: 'Art.28', title: 'Provision to third parties in foreign countries', frameworkCode: 'japan_appi', domain: 'Cross-border' },
751
+ { id: 'appi-art.33', controlCode: 'Art.33', title: 'Disclosure of personal data', frameworkCode: 'japan_appi', domain: 'Data subject rights' },
752
+ { id: 'appi-art.34', controlCode: 'Art.34', title: 'Correction of personal data', frameworkCode: 'japan_appi', domain: 'Data subject rights' },
753
+ { id: 'appi-art.35', controlCode: 'Art.35', title: 'Cessation of utilization of personal data', frameworkCode: 'japan_appi', domain: 'Data subject rights' },
754
+ { id: 'appi-art.37', controlCode: 'Art.37', title: 'Reporting of incidents to PPC', frameworkCode: 'japan_appi', domain: 'Incident response' },
755
+ { id: 'appi-art.38', controlCode: 'Art.38', title: 'Notification of data breaches to data subjects', frameworkCode: 'japan_appi', domain: 'Incident response' },
756
+ ],
757
+ };
758
+ export const indiaDpdpPack = {
759
+ code: 'india_dpdp',
760
+ name: 'India DPDP Act - Digital Personal Data Protection Act',
761
+ version: '2023',
762
+ controls: [
763
+ { id: 'dpdp-s3', controlCode: 'S.3', title: 'Definitions and interpretation', frameworkCode: 'india_dpdp', domain: 'Definitions' },
764
+ { id: 'dpdp-s4', controlCode: 'S.4', title: 'Applicability of this Act', frameworkCode: 'india_dpdp', domain: 'Applicability' },
765
+ { id: 'dpdp-s5', controlCode: 'S.5', title: 'Processing of digital personal data', frameworkCode: 'india_dpdp', domain: 'Data Processing' },
766
+ { id: 'dpdp-s6', controlCode: 'S.6', title: 'Notice to data principal', frameworkCode: 'india_dpdp', domain: 'Consent' },
767
+ { id: 'dpdp-s7', controlCode: 'S.7', title: 'Consent of data principal', frameworkCode: 'india_dpdp', domain: 'Consent' },
768
+ { id: 'dpdp-s8', controlCode: 'S.8', title: 'Purpose limitation', frameworkCode: 'india_dpdp', domain: 'Processing Obligations' },
769
+ { id: 'dpdp-s9', controlCode: 'S.9', title: 'Data principal rights', frameworkCode: 'india_dpdp', domain: 'Data Principal Rights' },
770
+ { id: 'dpdp-s10', controlCode: 'S.10', title: 'Right to access information', frameworkCode: 'india_dpdp', domain: 'Data Principal Rights' },
771
+ { id: 'dpdp-s11', controlCode: 'S.11', title: 'Right to correction and erasure', frameworkCode: 'india_dpdp', domain: 'Data Principal Rights' },
772
+ { id: 'dpdp-s12', controlCode: 'S.12', title: 'Grievance redressal', frameworkCode: 'india_dpdp', domain: 'Data Principal Rights' },
773
+ { id: 'dpdp-s13', controlCode: 'S.13', title: 'Obligations of data fiduciary', frameworkCode: 'india_dpdp', domain: 'Data Fiduciary Obligations' },
774
+ { id: 'dpdp-s14', controlCode: 'S.14', title: 'Security safeguards', frameworkCode: 'india_dpdp', domain: 'Security' },
775
+ { id: 'dpdp-s15', controlCode: 'S.15', title: 'Data breach notification', frameworkCode: 'india_dpdp', domain: 'Breach Notification' },
776
+ { id: 'dpdp-s16', controlCode: 'S.16', title: 'Significant data fiduciary obligations', frameworkCode: 'india_dpdp', domain: 'Significant Data Fiduciary' },
777
+ ],
778
+ };
779
+ export const chinaPiplPack = {
780
+ code: 'china_pipl',
781
+ name: 'China PIPL - Personal Information Protection Law',
782
+ version: '2021',
783
+ controls: [
784
+ { id: 'pipl-art.13', controlCode: 'Art.13', title: 'Legal basis for processing personal information', frameworkCode: 'china_pipl', domain: 'Processing Principles' },
785
+ { id: 'pipl-art.14', controlCode: 'Art.14', title: 'Consent requirements', frameworkCode: 'china_pipl', domain: 'Processing Principles' },
786
+ { id: 'pipl-art.17', controlCode: 'Art.17', title: 'Notification to individuals', frameworkCode: 'china_pipl', domain: 'Transparency' },
787
+ { id: 'pipl-art.23', controlCode: 'Art.23', title: 'Cross-border transfer requirements', frameworkCode: 'china_pipl', domain: 'Cross-border Transfer' },
788
+ { id: 'pipl-art.24', controlCode: 'Art.24', title: 'Security assessment for cross-border transfer', frameworkCode: 'china_pipl', domain: 'Cross-border Transfer' },
789
+ { id: 'pipl-art.25', controlCode: 'Art.25', title: 'Prohibition on providing personal information to foreign judicial or law enforcement', frameworkCode: 'china_pipl', domain: 'Cross-border Transfer' },
790
+ { id: 'pipl-art.28', controlCode: 'Art.28', title: 'Sensitive personal information', frameworkCode: 'china_pipl', domain: 'Sensitive Data' },
791
+ { id: 'pipl-art.29', controlCode: 'Art.29', title: 'Impact assessment for sensitive information processing', frameworkCode: 'china_pipl', domain: 'Sensitive Data' },
792
+ { id: 'pipl-art.30', controlCode: 'Art.30', title: 'Record of processing activities', frameworkCode: 'china_pipl', domain: 'Governance' },
793
+ { id: 'pipl-art.31', controlCode: 'Art.31', title: 'Personal information protection impact assessment', frameworkCode: 'china_pipl', domain: 'Governance' },
794
+ { id: 'pipl-art.38', controlCode: 'Art.38', title: 'Security assessment or certification for cross-border transfer', frameworkCode: 'china_pipl', domain: 'Cross-border Transfer' },
795
+ { id: 'pipl-art.44', controlCode: 'Art.44', title: 'Right to know and decide', frameworkCode: 'china_pipl', domain: 'Individual Rights' },
796
+ { id: 'pipl-art.45', controlCode: 'Art.45', title: 'Right of access and portability', frameworkCode: 'china_pipl', domain: 'Individual Rights' },
797
+ { id: 'pipl-art.46', controlCode: 'Art.46', title: 'Right to correction and deletion', frameworkCode: 'china_pipl', domain: 'Individual Rights' },
798
+ { id: 'pipl-art.47', controlCode: 'Art.47', title: 'Right to request explanation of automated decision-making', frameworkCode: 'china_pipl', domain: 'Individual Rights' },
799
+ ],
800
+ };
801
+ export const saudiPdplPack = {
802
+ code: 'saudi_pdpl',
803
+ name: 'Saudi Arabia PDPL - Personal Data Protection Law',
804
+ version: '2023',
805
+ controls: [
806
+ { id: 'pdpl-art.1', controlCode: 'Art.1', title: 'Definitions and scope', frameworkCode: 'saudi_pdpl', domain: 'General' },
807
+ { id: 'pdpl-art.2', controlCode: 'Art.2', title: 'Applicability', frameworkCode: 'saudi_pdpl', domain: 'General' },
808
+ { id: 'pdpl-art.3', controlCode: 'Art.3', title: 'Data processing principles', frameworkCode: 'saudi_pdpl', domain: 'Processing Principles' },
809
+ { id: 'pdpl-art.5', controlCode: 'Art.5', title: 'Consent requirements', frameworkCode: 'saudi_pdpl', domain: 'Consent' },
810
+ { id: 'pdpl-art.8', controlCode: 'Art.8', title: 'Data subject rights', frameworkCode: 'saudi_pdpl', domain: 'Data Subject Rights' },
811
+ { id: 'pdpl-art.10', controlCode: 'Art.10', title: 'Right of access', frameworkCode: 'saudi_pdpl', domain: 'Data Subject Rights' },
812
+ { id: 'pdpl-art.12', controlCode: 'Art.12', title: 'Right to deletion', frameworkCode: 'saudi_pdpl', domain: 'Data Subject Rights' },
813
+ { id: 'pdpl-art.15', controlCode: 'Art.15', title: 'Cross-border transfer requirements', frameworkCode: 'saudi_pdpl', domain: 'Cross-border Transfer' },
814
+ { id: 'pdpl-art.18', controlCode: 'Art.18', title: 'Data breach notification', frameworkCode: 'saudi_pdpl', domain: 'Breach Notification' },
815
+ { id: 'pdpl-art.21', controlCode: 'Art.21', title: 'Data protection officer', frameworkCode: 'saudi_pdpl', domain: 'Governance' },
816
+ { id: 'pdpl-art.24', controlCode: 'Art.24', title: 'Data protection impact assessment', frameworkCode: 'saudi_pdpl', domain: 'Governance' },
817
+ { id: 'pdpl-art.28', controlCode: 'Art.28', title: 'Security measures for personal data', frameworkCode: 'saudi_pdpl', domain: 'Security' },
818
+ { id: 'pdpl-art.30', controlCode: 'Art.30', title: 'Record of processing activities', frameworkCode: 'saudi_pdpl', domain: 'Governance' },
819
+ { id: 'pdpl-art.34', controlCode: 'Art.34', title: 'Controller and processor obligations', frameworkCode: 'saudi_pdpl', domain: 'Obligations' },
820
+ ],
821
+ };
822
+ export const tisaxPack = {
823
+ code: 'tisax',
824
+ name: 'TISAX - Trusted Information Security Assessment Exchange',
825
+ version: '2023',
826
+ controls: [
827
+ { id: 'tisax-1.1.1', controlCode: '1.1.1', title: 'Information security policy', frameworkCode: 'tisax', domain: 'Information Security' },
828
+ { id: 'tisax-1.1.2', controlCode: '1.1.2', title: 'Information security objectives', frameworkCode: 'tisax', domain: 'Information Security' },
829
+ { id: 'tisax-1.2.1', controlCode: '1.2.1', title: 'Information security risk management', frameworkCode: 'tisax', domain: 'Information Security' },
830
+ { id: 'tisax-1.3.1', controlCode: '1.3.1', title: 'Information security roles and responsibilities', frameworkCode: 'tisax', domain: 'Information Security' },
831
+ { id: 'tisax-1.4.1', controlCode: '1.4.1', title: 'Information security awareness and training', frameworkCode: 'tisax', domain: 'Information Security' },
832
+ { id: 'tisax-2.1.1', controlCode: '2.1.1', title: 'Access control policy', frameworkCode: 'tisax', domain: 'Access Control' },
833
+ { id: 'tisax-2.1.2', controlCode: '2.1.2', title: 'User access provisioning', frameworkCode: 'tisax', domain: 'Access Control' },
834
+ { id: 'tisax-2.1.3', controlCode: '2.1.3', title: 'Privileged access management', frameworkCode: 'tisax', domain: 'Access Control' },
835
+ { id: 'tisax-2.2.1', controlCode: '2.2.1', title: 'Cryptographic controls', frameworkCode: 'tisax', domain: 'Cryptography' },
836
+ { id: 'tisax-3.1.1', controlCode: '3.1.1', title: 'Prototype protection policy', frameworkCode: 'tisax', domain: 'Prototype Protection' },
837
+ { id: 'tisax-3.1.2', controlCode: '3.1.2', title: 'Prototype protection measures', frameworkCode: 'tisax', domain: 'Prototype Protection' },
838
+ { id: 'tisax-3.1.3', controlCode: '3.1.3', title: 'Prototype protection during development', frameworkCode: 'tisax', domain: 'Prototype Protection' },
839
+ { id: 'tisax-4.1.1', controlCode: '4.1.1', title: 'Part material development security', frameworkCode: 'tisax', domain: 'Part Material Development' },
840
+ { id: 'tisax-4.1.2', controlCode: '4.1.2', title: 'Part material data protection', frameworkCode: 'tisax', domain: 'Part Material Development' },
841
+ { id: 'tisax-5.1.1', controlCode: '5.1.1', title: 'Communication via TISAX', frameworkCode: 'tisax', domain: 'Communication via TISAX' },
842
+ ],
843
+ };
844
+ export const swiftCspPack = {
845
+ code: 'swift_csp',
846
+ name: 'SWIFT CSP - Customer Security Programme Controls',
847
+ version: '2024',
848
+ controls: [
849
+ { id: 'swift-1.1', controlCode: 'CSP-1.1', title: 'Restrict internet access and segregate critical systems', frameworkCode: 'swift_csp', domain: 'Restrict Internet Access' },
850
+ { id: 'swift-1.2', controlCode: 'CSP-1.2', title: 'Protect critical systems from internet-originating traffic', frameworkCode: 'swift_csp', domain: 'Restrict Internet Access' },
851
+ { id: 'swift-2.1', controlCode: 'CSP-2.1', title: 'Restrict and protect privileged access', frameworkCode: 'swift_csp', domain: 'Manage Privileged Access' },
852
+ { id: 'swift-2.2', controlCode: 'CSP-2.2', title: 'Manage privileges on critical systems', frameworkCode: 'swift_csp', domain: 'Manage Privileged Access' },
853
+ { id: 'swift-3.1', controlCode: 'CSP-3.1', title: 'Control user access to critical systems', frameworkCode: 'swift_csp', domain: 'Control Access to Critical Systems' },
854
+ { id: 'swift-3.2', controlCode: 'CSP-3.2', title: 'Authenticate users accessing critical systems', frameworkCode: 'swift_csp', domain: 'Control Access to Critical Systems' },
855
+ { id: 'swift-4.1', controlCode: 'CSP-4.1', title: 'Detect anomalous activity on critical systems', frameworkCode: 'swift_csp', domain: 'Detect Anomalous Activity' },
856
+ { id: 'swift-4.2', controlCode: 'CSP-4.2', title: 'Perform periodic health checks of critical systems', frameworkCode: 'swift_csp', domain: 'Detect Anomalous Activity' },
857
+ { id: 'swift-5.1', controlCode: 'CSP-5.1', title: 'Prevent compromise of credentials', frameworkCode: 'swift_csp', domain: 'Prevent Compromise of Credentials' },
858
+ { id: 'swift-5.2', controlCode: 'CSP-5.2', title: 'Securely manage credentials', frameworkCode: 'swift_csp', domain: 'Prevent Compromise of Credentials' },
859
+ { id: 'swift-6.1', controlCode: 'CSP-6.1', title: 'Ensure physical security of critical systems', frameworkCode: 'swift_csp', domain: 'Physical Security' },
860
+ { id: 'swift-6.2', controlCode: 'CSP-6.2', title: 'Maintain physical security policies', frameworkCode: 'swift_csp', domain: 'Physical Security' },
861
+ { id: 'swift-7.1', controlCode: 'CSP-7.1', title: 'Establish incident response plan', frameworkCode: 'swift_csp', domain: 'Incident Response' },
862
+ { id: 'swift-7.2', controlCode: 'CSP-7.2', title: 'Test incident response plan', frameworkCode: 'swift_csp', domain: 'Incident Response' },
863
+ { id: 'swift-8.1', controlCode: 'CSP-8.1', title: 'Perform software integrity validation', frameworkCode: 'swift_csp', domain: 'Software Integrity' },
864
+ ],
865
+ };
866
+ export const ffiecPack = {
867
+ code: 'ffiec',
868
+ name: 'FFIEC - Federal Financial Institutions Examination Council',
869
+ version: '2024',
870
+ controls: [
871
+ { id: 'ffiec-efm', controlCode: 'EFM-1', title: 'IT governance and oversight', frameworkCode: 'ffiec', domain: 'Enterprise IT Management' },
872
+ { id: 'ffiec-efm2', controlCode: 'EFM-2', title: 'IT strategic planning', frameworkCode: 'ffiec', domain: 'Enterprise IT Management' },
873
+ { id: 'ffiec-efm3', controlCode: 'EFM-3', title: 'IT organizational structure', frameworkCode: 'ffiec', domain: 'Enterprise IT Management' },
874
+ { id: 'ffiec-efm4', controlCode: 'EFM-4', title: 'IT budget and investment management', frameworkCode: 'ffiec', domain: 'Enterprise IT Management' },
875
+ { id: 'ffiec-csr', controlCode: 'CSR-1', title: 'Information security program', frameworkCode: 'ffiec', domain: 'Information Security' },
876
+ { id: 'ffiec-csr2', controlCode: 'CSR-2', title: 'Information security risk assessment', frameworkCode: 'ffiec', domain: 'Information Security' },
877
+ { id: 'ffiec-csr3', controlCode: 'CSR-3', title: 'Information security controls', frameworkCode: 'ffiec', domain: 'Information Security' },
878
+ { id: 'ffiec-csr4', controlCode: 'CSR-4', title: 'Security awareness training', frameworkCode: 'ffiec', domain: 'Information Security' },
879
+ { id: 'ffiec-csr5', controlCode: 'CSR-5', title: 'Incident response', frameworkCode: 'ffiec', domain: 'Information Security' },
880
+ { id: 'ffiec-csr6', controlCode: 'CSR-6', title: 'Vulnerability management', frameworkCode: 'ffiec', domain: 'Information Security' },
881
+ { id: 'ffiec-csr7', controlCode: 'CSR-7', title: 'Penetration testing', frameworkCode: 'ffiec', domain: 'Information Security' },
882
+ { id: 'ffiec-ds', controlCode: 'DS-1', title: 'Business continuity planning', frameworkCode: 'ffiec', domain: 'Business Continuity' },
883
+ { id: 'ffiec-ds2', controlCode: 'DS-2', title: 'Disaster recovery planning', frameworkCode: 'ffiec', domain: 'Business Continuity' },
884
+ { id: 'ffiec-ds3', controlCode: 'DS-3', title: 'Incident management and testing', frameworkCode: 'ffiec', domain: 'Business Continuity' },
885
+ { id: 'ffiec-om', controlCode: 'OM-1', title: 'Outsourcing and third-party management', frameworkCode: 'ffiec', domain: 'Outsourcing Management' },
886
+ ],
887
+ };
888
+ export const soxPack = {
889
+ code: 'sox',
890
+ name: 'SOX - Sarbanes-Oxley Act',
891
+ version: '2002',
892
+ controls: [
893
+ { id: 'sox-s302', controlCode: 'S.302', title: 'Corporate responsibility for financial reports', frameworkCode: 'sox', domain: 'Financial Reporting' },
894
+ { id: 'sox-s302a', controlCode: 'S.302(a)', title: 'CEO/CFO certification of financial statements', frameworkCode: 'sox', domain: 'Financial Reporting' },
895
+ { id: 'sox-s302b', controlCode: 'S.302(b)', title: 'CEO/CFO certification of internal controls', frameworkCode: 'sox', domain: 'Financial Reporting' },
896
+ { id: 'sox-s404', controlCode: 'S.404', title: 'Management assessment of internal controls', frameworkCode: 'sox', domain: 'Internal Controls' },
897
+ { id: 'sox-s404a', controlCode: 'S.404(a)', title: 'Management responsibility for internal controls', frameworkCode: 'sox', domain: 'Internal Controls' },
898
+ { id: 'sox-s404b', controlCode: 'S.404(b)', title: 'Auditor attestation of internal controls', frameworkCode: 'sox', domain: 'Internal Controls' },
899
+ { id: 'sox-s802', controlCode: 'S.802', title: 'Criminal penalties for altering documents', frameworkCode: 'sox', domain: 'Record Retention' },
900
+ { id: 'sox-s802a', controlCode: 'S.802(a)', title: 'Destruction of records to obstruct investigation', frameworkCode: 'sox', domain: 'Record Retention' },
901
+ { id: 'sox-s802b', controlCode: 'S.802(b)', title: 'Document retention policy requirements', frameworkCode: 'sox', domain: 'Record Retention' },
902
+ { id: 'sox-s906', controlCode: 'S.906', title: 'Corporate responsibility for financial reports (criminal)', frameworkCode: 'sox', domain: 'Criminal Penalties' },
903
+ { id: 'sox-s906a', controlCode: 'S.906(a)', title: 'CEO certification with knowledge', frameworkCode: 'sox', domain: 'Criminal Penalties' },
904
+ { id: 'sox-s906b', controlCode: 'S.906(b)', title: 'CFO certification with knowledge', frameworkCode: 'sox', domain: 'Criminal Penalties' },
905
+ { id: 'sox-s1107', controlCode: 'S.1107', title: 'Retaliation against whistleblowers', frameworkCode: 'sox', domain: 'Whistleblower Protection' },
906
+ { id: 'sox-s1102', controlCode: 'S.1102', title: 'Tampering with a record or otherwise obstructing an investigation', frameworkCode: 'sox', domain: 'Anti-Tampering' },
907
+ { id: 'sox-s1104', controlCode: 'S.1104', title: 'Securities fraud - criminal penalties', frameworkCode: 'sox', domain: 'Criminal Penalties' },
908
+ ],
909
+ };
910
+ export const ensHighPack = {
911
+ code: 'ens_high',
912
+ name: 'ENS High - Spanish National Security Framework (Alto)',
913
+ version: '2022',
914
+ controls: [
915
+ { id: 'ens-a.1', controlCode: 'A.1', title: 'Security policy', frameworkCode: 'ens_high', domain: 'Governance' },
916
+ { id: 'ens-a.2', controlCode: 'A.2', title: 'Organization of information security', frameworkCode: 'ens_high', domain: 'Governance' },
917
+ { id: 'ens-a.3', controlCode: 'A.3', title: 'Human resource security', frameworkCode: 'ens_high', domain: 'Governance' },
918
+ { id: 'ens-a.4', controlCode: 'A.4', title: 'Asset management', frameworkCode: 'ens_high', domain: 'Governance' },
919
+ { id: 'ens-b.1', controlCode: 'B.1', title: 'Access control policy', frameworkCode: 'ens_high', domain: 'Access Control' },
920
+ { id: 'ens-b.2', controlCode: 'B.2', title: 'User access management', frameworkCode: 'ens_high', domain: 'Access Control' },
921
+ { id: 'ens-b.3', controlCode: 'B.3', title: 'User responsibilities', frameworkCode: 'ens_high', domain: 'Access Control' },
922
+ { id: 'ens-b.4', controlCode: 'B.4', title: 'System and application access control', frameworkCode: 'ens_high', domain: 'Access Control' },
923
+ { id: 'ens-c.1', controlCode: 'C.1', title: 'Cryptographic controls', frameworkCode: 'ens_high', domain: 'Cryptography' },
924
+ { id: 'ens-c.2', controlCode: 'C.2', title: 'Key management', frameworkCode: 'ens_high', domain: 'Cryptography' },
925
+ { id: 'ens-d.1', controlCode: 'D.1', title: 'Operations security procedures', frameworkCode: 'ens_high', domain: 'Operations' },
926
+ { id: 'ens-d.2', controlCode: 'D.2', title: 'Protection from malware', frameworkCode: 'ens_high', domain: 'Operations' },
927
+ { id: 'ens-d.3', controlCode: 'D.3', title: 'Backup and recovery', frameworkCode: 'ens_high', domain: 'Operations' },
928
+ { id: 'ens-d.4', controlCode: 'D.4', title: 'Logging and monitoring', frameworkCode: 'ens_high', domain: 'Operations' },
929
+ { id: 'ens-d.5', controlCode: 'D.5', title: 'Vulnerability management', frameworkCode: 'ens_high', domain: 'Operations' },
930
+ { id: 'ens-d.6', controlCode: 'D.6', title: 'Technical vulnerability assessment', frameworkCode: 'ens_high', domain: 'Operations' },
931
+ { id: 'ens-d.7', controlCode: 'D.7', title: 'Change management', frameworkCode: 'ens_high', domain: 'Operations' },
932
+ { id: 'ens-e.1', controlCode: 'E.1', title: 'Network security management', frameworkCode: 'ens_high', domain: 'Communications' },
933
+ { id: 'ens-e.2', controlCode: 'E.2', title: 'Security of network services', frameworkCode: 'ens_high', domain: 'Communications' },
934
+ { id: 'ens-f.1', controlCode: 'F.1', title: 'Information security requirements in project management', frameworkCode: 'ens_high', domain: 'Acquisition' },
935
+ { id: 'ens-f.2', controlCode: 'F.2', title: 'Security in development and support processes', frameworkCode: 'ens_high', domain: 'Acquisition' },
936
+ { id: 'ens-f.3', controlCode: 'F.3', title: 'Test data security', frameworkCode: 'ens_high', domain: 'Acquisition' },
937
+ { id: 'ens-g.1', controlCode: 'G.1', title: 'Supplier relationships security', frameworkCode: 'ens_high', domain: 'Supplier Relations' },
938
+ { id: 'ens-g.2', controlCode: 'G.2', title: 'Cloud services security', frameworkCode: 'ens_high', domain: 'Supplier Relations' },
939
+ { id: 'ens-h.1', controlCode: 'H.1', title: 'Incident management', frameworkCode: 'ens_high', domain: 'Incident Management' },
940
+ { id: 'ens-h.2', controlCode: 'H.2', title: 'Incident response', frameworkCode: 'ens_high', domain: 'Incident Management' },
941
+ { id: 'ens-h.3', controlCode: 'H.3', title: 'Learning from incidents', frameworkCode: 'ens_high', domain: 'Incident Management' },
942
+ { id: 'ens-i.1', controlCode: 'I.1', title: 'Business continuity policy', frameworkCode: 'ens_high', domain: 'Business Continuity' },
943
+ { id: 'ens-i.2', controlCode: 'I.2', title: 'Business continuity planning', frameworkCode: 'ens_high', domain: 'Business Continuity' },
944
+ { id: 'ens-i.3', controlCode: 'I.3', title: 'Business continuity testing', frameworkCode: 'ens_high', domain: 'Business Continuity' },
945
+ { id: 'ens-j.1', controlCode: 'J.1', title: 'Compliance with legal requirements', frameworkCode: 'ens_high', domain: 'Compliance' },
946
+ { id: 'ens-j.2', controlCode: 'J.2', title: 'Compliance with security policies and standards', frameworkCode: 'ens_high', domain: 'Compliance' },
947
+ { id: 'ens-j.3', controlCode: 'J.3', title: 'Information security reviews', frameworkCode: 'ens_high', domain: 'Compliance' },
948
+ { id: 'ens-k.1', controlCode: 'K.1', title: 'Physical security perimeter', frameworkCode: 'ens_high', domain: 'Physical Security' },
949
+ { id: 'ens-k.2', controlCode: 'K.2', title: 'Physical entry controls', frameworkCode: 'ens_high', domain: 'Physical Security' },
950
+ { id: 'ens-k.3', controlCode: 'K.3', title: 'Securing offices, rooms and facilities', frameworkCode: 'ens_high', domain: 'Physical Security' },
951
+ { id: 'ens-k.4', controlCode: 'K.4', title: 'Protection against physical and environmental threats', frameworkCode: 'ens_high', domain: 'Physical Security' },
952
+ { id: 'ens-k.5', controlCode: 'K.5', title: 'Working in secure areas', frameworkCode: 'ens_high', domain: 'Physical Security' },
953
+ { id: 'ens-k.6', controlCode: 'K.6', title: 'Equipment security', frameworkCode: 'ens_high', domain: 'Physical Security' },
954
+ ],
955
+ };
956
+ export const EXPANDED_FRAMEWORK_PACKS = [
957
+ iso27001ExpandedPack,
958
+ nistCsfExpandedPack,
959
+ soc2ExpandedPack,
960
+ iso42001ExpandedPack,
961
+ gdprPack,
962
+ hipaaPack,
963
+ pciDssPack,
964
+ fedrampPack,
965
+ cmmcPack,
966
+ nist80053Pack,
967
+ nist800171Pack,
968
+ cisControlsPack,
969
+ cobitPack,
970
+ csaCcmPack,
971
+ iso27701Pack,
972
+ iso27017Pack,
973
+ iso27018Pack,
974
+ soc1Pack,
975
+ doraPack,
976
+ nis2Pack,
977
+ ccpaPack,
978
+ lgpdPack,
979
+ pipedaPack,
980
+ apraCps234Pack,
981
+ masTrmPack,
982
+ sgpdpaPack,
983
+ japanAppiPack,
984
+ indiaDpdpPack,
985
+ chinaPiplPack,
986
+ saudiPdplPack,
987
+ tisaxPack,
988
+ swiftCspPack,
989
+ ffiecPack,
990
+ soxPack,
991
+ ensHighPack,
992
+ ];
993
+ //# sourceMappingURL=expanded-packs.js.map