@greenarmor/ges-policy-engine 1.0.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/README.md +3 -3
  2. package/dist/index.d.ts +3 -0
  3. package/dist/index.js +12 -0
  4. package/dist/packs/hipaa.d.ts +2 -0
  5. package/dist/packs/hipaa.js +181 -0
  6. package/dist/packs/iso27001.d.ts +2 -0
  7. package/dist/packs/iso27001.js +177 -0
  8. package/dist/packs/iso27701.d.ts +2 -0
  9. package/dist/packs/iso27701.js +191 -0
  10. package/package.json +11 -10
  11. package/LICENSE +0 -21
package/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # @greenarmor/ges-policy-engine
2
2
 
3
- Policy pack management and enforcement for the [Green Engineering Standard Framework (GESF)](https://github.com/greenarmor/gesf).
3
+ Policy pack management and enforcement for the Green Engineering Standard Framework (GESF).
4
4
 
5
5
  Manages compliance policy packs for GDPR, OWASP, NIST, CIS, AI systems, blockchain, and government projects. Each policy pack defines the controls and standards applicable to a specific compliance domain.
6
6
 
@@ -51,8 +51,8 @@ allPacks.forEach(p => console.log(`${p.id}: ${p.name}`));
51
51
 
52
52
  ## Related Packages
53
53
 
54
- - [`@greenarmor/ges-core`](https://www.npmjs.com/package/@greenarmor/ges-core) — Types and constants
55
- - [`@greenarmor/ges-compliance-engine`](https://www.npmjs.com/package/@greenarmor/ges-compliance-engine) — Control evaluation
54
+ - `@greenarmor/ges-core` — Types and constants
55
+ - `@greenarmor/ges-compliance-engine` — Control evaluation
56
56
 
57
57
  ## License
58
58
 
package/dist/index.d.ts CHANGED
@@ -10,3 +10,6 @@ export { createBlockchainPolicyPack } from "./packs/blockchain.js";
10
10
  export { createGovernmentPolicyPack } from "./packs/government.js";
11
11
  export { createCISPolicyPack } from "./packs/cis.js";
12
12
  export { createNISTPolicyPack } from "./packs/nist.js";
13
+ export { createISO27001PolicyPack } from "./packs/iso27001.js";
14
+ export { createISO27701PolicyPack } from "./packs/iso27701.js";
15
+ export { createHIPAAPolicyPack } from "./packs/hipaa.js";
package/dist/index.js CHANGED
@@ -5,6 +5,9 @@ import { createBlockchainPolicyPack } from "./packs/blockchain.js";
5
5
  import { createGovernmentPolicyPack } from "./packs/government.js";
6
6
  import { createCISPolicyPack } from "./packs/cis.js";
7
7
  import { createNISTPolicyPack } from "./packs/nist.js";
8
+ import { createISO27001PolicyPack } from "./packs/iso27001.js";
9
+ import { createISO27701PolicyPack } from "./packs/iso27701.js";
10
+ import { createHIPAAPolicyPack } from "./packs/hipaa.js";
8
11
  const ALL_PACKS = [
9
12
  createGDPRPolicyPack,
10
13
  createOWASPPolicyPack,
@@ -13,6 +16,9 @@ const ALL_PACKS = [
13
16
  createGovernmentPolicyPack,
14
17
  createCISPolicyPack,
15
18
  createNISTPolicyPack,
19
+ createISO27001PolicyPack,
20
+ createISO27701PolicyPack,
21
+ createHIPAAPolicyPack,
16
22
  ];
17
23
  const PACK_MAP = {
18
24
  gdpr: createGDPRPolicyPack,
@@ -22,6 +28,9 @@ const PACK_MAP = {
22
28
  government: createGovernmentPolicyPack,
23
29
  cis: createCISPolicyPack,
24
30
  nist: createNISTPolicyPack,
31
+ iso27001: createISO27001PolicyPack,
32
+ iso27701: createISO27701PolicyPack,
33
+ hipaa: createHIPAAPolicyPack,
25
34
  };
26
35
  export function getAllPacks() {
27
36
  return ALL_PACKS.map(fn => fn());
@@ -43,3 +52,6 @@ export { createBlockchainPolicyPack } from "./packs/blockchain.js";
43
52
  export { createGovernmentPolicyPack } from "./packs/government.js";
44
53
  export { createCISPolicyPack } from "./packs/cis.js";
45
54
  export { createNISTPolicyPack } from "./packs/nist.js";
55
+ export { createISO27001PolicyPack } from "./packs/iso27001.js";
56
+ export { createISO27701PolicyPack } from "./packs/iso27701.js";
57
+ export { createHIPAAPolicyPack } from "./packs/hipaa.js";
package/dist/packs/hipaa.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ import type { PolicyPack } from "@greenarmor/ges-core";
2
+ export declare function createHIPAAPolicyPack(): PolicyPack;
package/dist/packs/hipaa.js ADDED
@@ -0,0 +1,181 @@
1
+ export function createHIPAAPolicyPack() {
2
+ const controls = [
3
+ {
4
+ id: "HIPAA-164.308",
5
+ name: "Administrative Safeguards",
6
+ description: "Establish administrative policies and procedures to manage the selection, development, implementation, and maintenance of security measures for ePHI.",
7
+ category: "security",
8
+ framework: "HIPAA",
9
+ article: "45 CFR 164.308",
10
+ status: "not-implemented",
11
+ severity: "critical",
12
+ implementation_guidance: "Assign a Security Officer. Implement workforce security training. Establish access management procedures. Conduct periodic security evaluations. Maintain contingency plans.",
13
+ checks: [
14
+ { id: "HIPAA-164.308-C1", description: "Security Officer designated", status: "not-implemented" },
15
+ { id: "HIPAA-164.308-C2", description: "Workforce security training program", status: "not-implemented" },
16
+ { id: "HIPAA-164.308-C3", description: "Access management procedures documented", status: "not-implemented" },
17
+ { id: "HIPAA-164.308-C4", description: "Periodic security evaluations conducted", status: "not-implemented" },
18
+ { id: "HIPAA-164.308-C5", description: "Contingency plan established", status: "not-implemented" },
19
+ ],
20
+ },
21
+ {
22
+ id: "HIPAA-164.310",
23
+ name: "Physical Safeguards",
24
+ description: "Implement physical policies and procedures to protect electronic information systems, related buildings, and equipment from unauthorized physical access.",
25
+ category: "security",
26
+ framework: "HIPAA",
27
+ article: "45 CFR 164.310",
28
+ status: "not-implemented",
29
+ severity: "high",
30
+ implementation_guidance: "Implement facility access controls. Document device and media management procedures. Ensure workstation security. Maintain asset disposal procedures for media containing ePHI.",
31
+ checks: [
32
+ { id: "HIPAA-164.310-C1", description: "Facility access controls implemented", status: "not-implemented" },
33
+ { id: "HIPAA-164.310-C2", description: "Workstation security policy documented", status: "not-implemented" },
34
+ { id: "HIPAA-164.310-C3", description: "Device and media management procedures", status: "not-implemented" },
35
+ { id: "HIPAA-164.310-C4", description: "Media disposal procedures documented", status: "not-implemented" },
36
+ ],
37
+ },
38
+ {
39
+ id: "HIPAA-164.312-a",
40
+ name: "Access Control",
41
+ description: "Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs with appropriate access rights.",
42
+ category: "authentication",
43
+ framework: "HIPAA",
44
+ article: "45 CFR 164.312(a)",
45
+ status: "not-implemented",
46
+ severity: "critical",
47
+ implementation_guidance: "Implement unique user identification. Enable automatic logoff. Implement encryption and decryption of ePHI. Use role-based access control with least privilege.",
48
+ checks: [
49
+ { id: "HIPAA-164.312-a-C1", description: "Unique user identification enforced", status: "not-implemented" },
50
+ { id: "HIPAA-164.312-a-C2", description: "Automatic logoff configured", status: "not-implemented" },
51
+ { id: "HIPAA-164.312-a-C3", description: "Encryption and decryption implemented for ePHI", status: "not-implemented" },
52
+ { id: "HIPAA-164.312-a-C4", description: "Role-based access with least privilege", status: "not-implemented" },
53
+ ],
54
+ },
55
+ {
56
+ id: "HIPAA-164.312-b",
57
+ name: "Audit Controls",
58
+ description: "Implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI.",
59
+ category: "audit",
60
+ framework: "HIPAA",
61
+ article: "45 CFR 164.312(b)",
62
+ status: "not-implemented",
63
+ severity: "critical",
64
+ implementation_guidance: "Implement comprehensive audit logging for all ePHI access. Log user ID, action, timestamp, resource accessed, and outcome. Protect logs from tampering. Review logs regularly.",
65
+ checks: [
66
+ { id: "HIPAA-164.312-b-C1", description: "Audit logging for all ePHI access", status: "not-implemented" },
67
+ { id: "HIPAA-164.312-b-C2", description: "Logs include user action timestamp resource", status: "not-implemented" },
68
+ { id: "HIPAA-164.312-b-C3", description: "Logs protected from tampering", status: "not-implemented" },
69
+ { id: "HIPAA-164.312-b-C4", description: "Regular log review process", status: "not-implemented" },
70
+ ],
71
+ },
72
+ {
73
+ id: "HIPAA-164.312-c",
74
+ name: "Integrity Controls",
75
+ description: "Implement policies and procedures to protect ePHI from improper alteration or destruction.",
76
+ category: "security",
77
+ framework: "HIPAA",
78
+ article: "45 CFR 164.312(c)",
79
+ status: "not-implemented",
80
+ severity: "high",
81
+ implementation_guidance: "Implement data integrity verification mechanisms. Use cryptographic hashing for ePHI. Detect unauthorized alterations. Maintain data integrity throughout lifecycle.",
82
+ checks: [
83
+ { id: "HIPAA-164.312-c-C1", description: "Data integrity verification implemented", status: "not-implemented" },
84
+ { id: "HIPAA-164.312-c-C2", description: "Cryptographic hashing for ePHI integrity", status: "not-implemented" },
85
+ { id: "HIPAA-164.312-c-C3", description: "Unauthorized alteration detection", status: "not-implemented" },
86
+ ],
87
+ },
88
+ {
89
+ id: "HIPAA-164.312-d",
90
+ name: "Person or Entity Authentication",
91
+ description: "Implement procedures to verify that a person seeking access to ePHI is the one claimed.",
92
+ category: "authentication",
93
+ framework: "HIPAA",
94
+ article: "45 CFR 164.312(d)",
95
+ status: "not-implemented",
96
+ severity: "critical",
97
+ implementation_guidance: "Implement strong authentication mechanisms. Use MFA for all ePHI system access. Verify identity before granting access. Maintain authentication audit trail.",
98
+ checks: [
99
+ { id: "HIPAA-164.312-d-C1", description: "Strong authentication mechanisms implemented", status: "not-implemented" },
100
+ { id: "HIPAA-164.312-d-C2", description: "MFA for all ePHI system access", status: "not-implemented" },
101
+ { id: "HIPAA-164.312-d-C3", description: "Authentication audit trail maintained", status: "not-implemented" },
102
+ ],
103
+ },
104
+ {
105
+ id: "HIPAA-164.312-e",
106
+ name: "Transmission Security",
107
+ description: "Implement technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks.",
108
+ category: "encryption",
109
+ framework: "HIPAA",
110
+ article: "45 CFR 164.312(e)",
111
+ status: "not-implemented",
112
+ severity: "critical",
113
+ implementation_guidance: "Encrypt all ePHI in transit using TLS 1.2 or higher. Implement integrity controls for transmitted data. Verify endpoints before transmission. Use mutual TLS for system-to-system communication.",
114
+ checks: [
115
+ { id: "HIPAA-164.312-e-C1", description: "TLS 1.2 or higher for ePHI transmission", status: "not-implemented" },
116
+ { id: "HIPAA-164.312-e-C2", description: "Integrity controls for transmitted data", status: "not-implemented" },
117
+ { id: "HIPAA-164.312-e-C3", description: "Mutual TLS for system-to-system communication", status: "not-implemented" },
118
+ ],
119
+ },
120
+ {
121
+ id: "HIPAA-164.314",
122
+ name: "Business Associate Contracts",
123
+ description: "Establish contracts with business associates that access ePHI to ensure they implement required safeguards.",
124
+ category: "compliance",
125
+ framework: "HIPAA",
126
+ article: "45 CFR 164.314",
127
+ status: "not-implemented",
128
+ severity: "high",
129
+ implementation_guidance: "Execute Business Associate Agreements (BAAs) with all vendors accessing ePHI. Define permitted uses and disclosures. Include breach notification requirements. Terminate contracts on violation.",
130
+ checks: [
131
+ { id: "HIPAA-164.314-C1", description: "BAAs executed with all business associates", status: "not-implemented" },
132
+ { id: "HIPAA-164.314-C2", description: "Permitted uses and disclosures defined", status: "not-implemented" },
133
+ { id: "HIPAA-164.314-C3", description: "Breach notification requirements included", status: "not-implemented" },
134
+ ],
135
+ },
136
+ {
137
+ id: "HIPAA-164.502",
138
+ name: "Minimum Necessary Standard",
139
+ description: "Limit access to and use of PHI to the minimum necessary to accomplish the intended purpose.",
140
+ category: "compliance",
141
+ framework: "HIPAA",
142
+ article: "45 CFR 164.502(b)",
143
+ status: "not-implemented",
144
+ severity: "high",
145
+ implementation_guidance: "Implement role-based access limiting PHI to minimum necessary. Define access levels by job function. Review and audit access patterns. Enforce field-level restrictions where applicable.",
146
+ checks: [
147
+ { id: "HIPAA-164.502-C1", description: "Minimum necessary access policies defined", status: "not-implemented" },
148
+ { id: "HIPAA-164.502-C2", description: "Role-based access levels by job function", status: "not-implemented" },
149
+ { id: "HIPAA-164.502-C3", description: "Access pattern auditing implemented", status: "not-implemented" },
150
+ ],
151
+ },
152
+ {
153
+ id: "HIPAA-164.530",
154
+ name: "Administrative Requirements",
155
+ description: "Implement administrative requirements for privacy including designated privacy officer, training, and complaint procedures.",
156
+ category: "compliance",
157
+ framework: "HIPAA",
158
+ article: "45 CFR 164.530",
159
+ status: "not-implemented",
160
+ severity: "high",
161
+ implementation_guidance: "Designate a Privacy Officer. Implement privacy training for all workforce members. Establish complaint procedures. Maintain documentation of privacy policies and procedures for at least 6 years.",
162
+ checks: [
163
+ { id: "HIPAA-164.530-C1", description: "Privacy Officer designated", status: "not-implemented" },
164
+ { id: "HIPAA-164.530-C2", description: "Privacy training program implemented", status: "not-implemented" },
165
+ { id: "HIPAA-164.530-C3", description: "Complaint procedures established", status: "not-implemented" },
166
+ { id: "HIPAA-164.530-C4", description: "Documentation retained for 6 years minimum", status: "not-implemented" },
167
+ ],
168
+ },
169
+ ];
170
+ return {
171
+ id: "hipaa",
172
+ name: "HIPAA Healthcare Policy Pack",
173
+ description: "HIPAA Security Rule and Privacy Rule controls for healthcare systems handling electronic Protected Health Information (ePHI).",
174
+ version: "1.0.0",
175
+ project_types: [
176
+ "healthcare-system", "saas",
177
+ ],
178
+ controls,
179
+ frameworks: ["HIPAA"],
180
+ };
181
+ }
package/dist/packs/iso27001.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ import type { PolicyPack } from "@greenarmor/ges-core";
2
+ export declare function createISO27001PolicyPack(): PolicyPack;
package/dist/packs/iso27001.js ADDED
@@ -0,0 +1,177 @@
1
+ export function createISO27001PolicyPack() {
2
+ const controls = [
3
+ {
4
+ id: "ISO27001-A5",
5
+ name: "Information Security Policies",
6
+ description: "Management direction and support for information security in accordance with business requirements and relevant laws and regulations.",
7
+ category: "security",
8
+ framework: "ISO27001",
9
+ article: "Annex A.5",
10
+ status: "not-implemented",
11
+ severity: "high",
12
+ implementation_guidance: "Define, approve, and publish an information security policy. Review at planned intervals. Communicate to employees and relevant external parties.",
13
+ checks: [
14
+ { id: "ISO27001-A5-C1", description: "Information security policy documented", status: "not-implemented" },
15
+ { id: "ISO27001-A5-C2", description: "Policy approved by management", status: "not-implemented" },
16
+ { id: "ISO27001-A5-C3", description: "Policy reviewed at planned intervals", status: "not-implemented" },
17
+ ],
18
+ },
19
+ {
20
+ id: "ISO27001-A6",
21
+ name: "Organization of Information Security",
22
+ description: "Establish management framework to initiate and control implementation and operation of information security within the organization.",
23
+ category: "security",
24
+ framework: "ISO27001",
25
+ article: "Annex A.6",
26
+ status: "not-implemented",
27
+ severity: "high",
28
+ implementation_guidance: "Define roles and responsibilities for information security. Establish segregation of duties. Establish contact with authorities and special interest groups.",
29
+ checks: [
30
+ { id: "ISO27001-A6-C1", description: "Roles and responsibilities defined", status: "not-implemented" },
31
+ { id: "ISO27001-A6-C2", description: "Segregation of duties implemented", status: "not-implemented" },
32
+ ],
33
+ },
34
+ {
35
+ id: "ISO27001-A8",
36
+ name: "Asset Management",
37
+ description: "Identify organizational assets and define appropriate protection responsibilities.",
38
+ category: "asset-management",
39
+ framework: "ISO27001",
40
+ article: "Annex A.8",
41
+ status: "not-implemented",
42
+ severity: "critical",
43
+ implementation_guidance: "Maintain inventory of assets (hardware, software, data, information). Assign ownership. Implement classification scheme. Handle media securely.",
44
+ checks: [
45
+ { id: "ISO27001-A8-C1", description: "Asset inventory maintained", status: "not-implemented" },
46
+ { id: "ISO27001-A8-C2", description: "Information classification scheme defined", status: "not-implemented" },
47
+ { id: "ISO27001-A8-C3", description: "Media handling procedures in place", status: "not-implemented" },
48
+ ],
49
+ },
50
+ {
51
+ id: "ISO27001-A9",
52
+ name: "Access Control",
53
+ description: "Limit access to information and information processing facilities.",
54
+ category: "authentication",
55
+ framework: "ISO27001",
56
+ article: "Annex A.9",
57
+ status: "not-implemented",
58
+ severity: "critical",
59
+ implementation_guidance: "Implement access control policy. Enforce least privilege. Implement unique user IDs. Use MFA. Implement session management and timeout.",
60
+ checks: [
61
+ { id: "ISO27001-A9-C1", description: "Access control policy documented", status: "not-implemented" },
62
+ { id: "ISO27001-A9-C2", description: "Unique user identification enforced", status: "not-implemented" },
63
+ { id: "ISO27001-A9-C3", description: "MFA implemented for remote access", status: "not-implemented" },
64
+ { id: "ISO27001-A9-C4", description: "Session timeout configured", status: "not-implemented" },
65
+ ],
66
+ },
67
+ {
68
+ id: "ISO27001-A10",
69
+ name: "Cryptography",
70
+ description: "Ensure proper and effective use of cryptography to protect confidentiality, authenticity, or integrity of information.",
71
+ category: "encryption",
72
+ framework: "ISO27001",
73
+ article: "Annex A.10",
74
+ status: "not-implemented",
75
+ severity: "critical",
76
+ implementation_guidance: "Define cryptographic policy. Use approved algorithms (AES-256-GCM, ChaCha20-Poly1305). Use TLS 1.2+. Manage keys via vault or KMS. Plan for key lifecycle.",
77
+ checks: [
78
+ { id: "ISO27001-A10-C1", description: "Cryptographic policy defined", status: "not-implemented" },
79
+ { id: "ISO27001-A10-C2", description: "Key management process in place", status: "not-implemented" },
80
+ { id: "ISO27001-A10-C3", description: "Approved algorithms only", status: "not-implemented" },
81
+ ],
82
+ },
83
+ {
84
+ id: "ISO27001-A12",
85
+ name: "Operations Security",
86
+ description: "Ensure correct and secure operations of information processing facilities.",
87
+ category: "security",
88
+ framework: "ISO27001",
89
+ article: "Annex A.12",
90
+ status: "not-implemented",
91
+ severity: "high",
92
+ implementation_guidance: "Document operating procedures. Implement malware protection. Maintain audit logging. Synchronize clocks. Protect against technical vulnerabilities.",
93
+ checks: [
94
+ { id: "ISO27001-A12-C1", description: "Operating procedures documented", status: "not-implemented" },
95
+ { id: "ISO27001-A12-C2", description: "Malware protection in place", status: "not-implemented" },
96
+ { id: "ISO27001-A12-C3", description: "Audit logging implemented", status: "not-implemented" },
97
+ { id: "ISO27001-A12-C4", description: "Vulnerability management process", status: "not-implemented" },
98
+ ],
99
+ },
100
+ {
101
+ id: "ISO27001-A14",
102
+ name: "System Acquisition, Development and Maintenance",
103
+ description: "Ensure information security is an integral part of information systems across the entire lifecycle.",
104
+ category: "security",
105
+ framework: "ISO27001",
106
+ article: "Annex A.14",
107
+ status: "not-implemented",
108
+ severity: "high",
109
+ implementation_guidance: "Integrate security into SDLC. Implement secure coding practices. Conduct security testing. Perform penetration testing before deployment.",
110
+ checks: [
111
+ { id: "ISO27001-A14-C1", description: "Security integrated into SDLC", status: "not-implemented" },
112
+ { id: "ISO27001-A14-C2", description: "Secure coding practices enforced", status: "not-implemented" },
113
+ { id: "ISO27001-A14-C3", description: "Security testing in CI/CD", status: "not-implemented" },
114
+ ],
115
+ },
116
+ {
117
+ id: "ISO27001-A16",
118
+ name: "Incident Management",
119
+ description: "Ensure a consistent and effective approach to managing information security incidents.",
120
+ category: "incident-response",
121
+ framework: "ISO27001",
122
+ article: "Annex A.16",
123
+ status: "not-implemented",
124
+ severity: "critical",
125
+ implementation_guidance: "Define incident response plan. Establish incident reporting procedures. Assign roles. Conduct post-incident reviews. Collect evidence.",
126
+ checks: [
127
+ { id: "ISO27001-A16-C1", description: "Incident response plan documented", status: "not-implemented" },
128
+ { id: "ISO27001-A16-C2", description: "Incident reporting procedures defined", status: "not-implemented" },
129
+ { id: "ISO27001-A16-C3", description: "Post-incident review process", status: "not-implemented" },
130
+ ],
131
+ },
132
+ {
133
+ id: "ISO27001-A17",
134
+ name: "Business Continuity",
135
+ description: "Ensure availability of information processing facilities during disruptions.",
136
+ category: "backup",
137
+ framework: "ISO27001",
138
+ article: "Annex A.17",
139
+ status: "not-implemented",
140
+ severity: "high",
141
+ implementation_guidance: "Implement business continuity plans. Define RTO and RPO. Maintain backups. Test recovery procedures. Implement disaster recovery.",
142
+ checks: [
143
+ { id: "ISO27001-A17-C1", description: "Business continuity plan documented", status: "not-implemented" },
144
+ { id: "ISO27001-A17-C2", description: "Backups tested regularly", status: "not-implemented" },
145
+ { id: "ISO27001-A17-C3", description: "Disaster recovery procedures tested", status: "not-implemented" },
146
+ ],
147
+ },
148
+ {
149
+ id: "ISO27001-A18",
150
+ name: "Compliance",
151
+ description: "Avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security.",
152
+ category: "audit",
153
+ framework: "ISO27001",
154
+ article: "Annex A.18",
155
+ status: "not-implemented",
156
+ severity: "high",
157
+ implementation_guidance: "Identify applicable legal and regulatory requirements. Conduct regular compliance reviews. Maintain records. Implement privacy protection measures.",
158
+ checks: [
159
+ { id: "ISO27001-A18-C1", description: "Legal requirements identified", status: "not-implemented" },
160
+ { id: "ISO27001-A18-C2", description: "Regular compliance reviews scheduled", status: "not-implemented" },
161
+ { id: "ISO27001-A18-C3", description: "Privacy protection measures in place", status: "not-implemented" },
162
+ ],
163
+ },
164
+ ];
165
+ return {
166
+ id: "iso27001",
167
+ name: "ISO 27001 Information Security Management Policy Pack",
168
+ description: "ISO/IEC 27001:2022 Annex A controls covering information security management system requirements.",
169
+ version: "1.0.0",
170
+ project_types: [
171
+ "saas", "government-system", "healthcare-system",
172
+ "generic-web-application", "api-backend",
173
+ ],
174
+ controls,
175
+ frameworks: ["ISO27001"],
176
+ };
177
+ }
package/dist/packs/iso27701.d.ts ADDED
@@ -0,0 +1,2 @@
1
+ import type { PolicyPack } from "@greenarmor/ges-core";
2
+ export declare function createISO27701PolicyPack(): PolicyPack;
package/dist/packs/iso27701.js ADDED
@@ -0,0 +1,191 @@
1
+ export function createISO27701PolicyPack() {
2
+ const controls = [
3
+ {
4
+ id: "ISO27701-5.2",
5
+ name: "Information Privacy Policies",
6
+ description: "Define, approve, and publish privacy policies that are appropriate for the organization's role as PII controller and/or processor.",
7
+ category: "privacy",
8
+ framework: "ISO27701",
9
+ article: "Clause 5.2",
10
+ status: "not-implemented",
11
+ severity: "high",
12
+ implementation_guidance: "Document privacy policies covering collection, processing, sharing, retention, and deletion of PII. Review at planned intervals. Communicate to data subjects.",
13
+ checks: [
14
+ { id: "ISO27701-5.2-C1", description: "Privacy policy documented and approved", status: "not-implemented" },
15
+ { id: "ISO27701-5.2-C2", description: "Policy reviewed at planned intervals", status: "not-implemented" },
16
+ { id: "ISO27701-5.2-C3", description: "Policy communicated to data subjects", status: "not-implemented" },
17
+ ],
18
+ },
19
+ {
20
+ id: "ISO27701-5.3",
21
+ name: "Roles and Responsibilities for PII",
22
+ description: "Assign roles and responsibilities for privacy and PII protection aligned with controller/processor obligations.",
23
+ category: "privacy",
24
+ framework: "ISO27701",
25
+ article: "Clause 5.3",
26
+ status: "not-implemented",
27
+ severity: "high",
28
+ implementation_guidance: "Identify PII controller vs processor roles. Assign a Data Protection Officer (DPO) where required. Define privacy responsibilities for all roles handling PII.",
29
+ checks: [
30
+ { id: "ISO27701-5.3-C1", description: "Controller/processor role identified", status: "not-implemented" },
31
+ { id: "ISO27701-5.3-C2", description: "DPO or privacy owner assigned", status: "not-implemented" },
32
+ { id: "ISO27701-5.3-C3", description: "Privacy responsibilities documented per role", status: "not-implemented" },
33
+ ],
34
+ },
35
+ {
36
+ id: "ISO27701-5.4",
37
+ name: "Privacy Risk Assessment",
38
+ description: "Conduct privacy impact assessments (PIA/DPIA) for processing activities likely to result in high risk to data subjects.",
39
+ category: "privacy",
40
+ framework: "ISO27701",
41
+ article: "Clause 5.4",
42
+ status: "not-implemented",
43
+ severity: "critical",
44
+ implementation_guidance: "Establish a PIA/DPIA process. Identify privacy risks for new processing activities. Document mitigations. Review periodically.",
45
+ checks: [
46
+ { id: "ISO27701-5.4-C1", description: "PIA/DPIA process established", status: "not-implemented" },
47
+ { id: "ISO27701-5.4-C2", description: "PIAs conducted for high-risk processing", status: "not-implemented" },
48
+ { id: "ISO27701-5.4-C3", description: "Risks documented with mitigations", status: "not-implemented" },
49
+ ],
50
+ },
51
+ {
52
+ id: "ISO27701-6.2",
53
+ name: "PII Identification and Classification",
54
+ description: "Identify and classify PII within information systems to apply appropriate controls.",
55
+ category: "privacy",
56
+ framework: "ISO27701",
57
+ article: "Clause 6.2",
58
+ status: "not-implemented",
59
+ severity: "high",
60
+ implementation_guidance: "Maintain a data inventory of all PII. Classify PII by sensitivity (standard, sensitive, special category). Map data flows.",
61
+ checks: [
62
+ { id: "ISO27701-6.2-C1", description: "PII inventory maintained", status: "not-implemented" },
63
+ { id: "ISO27701-6.2-C2", description: "PII classified by sensitivity", status: "not-implemented" },
64
+ { id: "ISO27701-6.2-C3", description: "Data flow maps documented", status: "not-implemented" },
65
+ ],
66
+ },
67
+ {
68
+ id: "ISO27701-6.4",
69
+ name: "PII De-identification and Anonymization",
70
+ description: "Implement de-identification, pseudonymization, and anonymization techniques to reduce privacy risk.",
71
+ category: "privacy",
72
+ framework: "ISO27701",
73
+ article: "Clause 6.4",
74
+ status: "not-implemented",
75
+ severity: "critical",
76
+ implementation_guidance: "Use pseudonymization for analytics. Implement anonymization where re-identification is not required. Document techniques used.",
77
+ checks: [
78
+ { id: "ISO27701-6.4-C1", description: "De-identification techniques applied", status: "not-implemented" },
79
+ { id: "ISO27701-6.4-C2", description: "Pseudonymization used where feasible", status: "not-implemented" },
80
+ { id: "ISO27701-6.4-C3", description: "Re-identification risk assessed", status: "not-implemented" },
81
+ ],
82
+ },
83
+ {
84
+ id: "ISO27701-6.5",
85
+ name: "PII Segregation",
86
+ description: "Segregate PII from other data to limit access and reduce exposure.",
87
+ category: "privacy",
88
+ framework: "ISO27701",
89
+ article: "Clause 6.5",
90
+ status: "not-implemented",
91
+ severity: "high",
92
+ implementation_guidance: "Store PII in separate databases or schemas. Apply stricter access controls. Use encryption at rest for PII stores.",
93
+ checks: [
94
+ { id: "ISO27701-6.5-C1", description: "PII segregated from non-PII data", status: "not-implemented" },
95
+ { id: "ISO27701-6.5-C2", description: "Stricter access controls on PII stores", status: "not-implemented" },
96
+ ],
97
+ },
98
+ {
99
+ id: "ISO27701-6.7",
100
+ name: "PII Retention and Disposal",
101
+ description: "Define and enforce retention periods and secure disposal procedures for PII.",
102
+ category: "privacy",
103
+ framework: "ISO27701",
104
+ article: "Clause 6.7",
105
+ status: "not-implemented",
106
+ severity: "critical",
107
+ implementation_guidance: "Define retention schedules per PII category. Implement automated deletion. Document secure disposal methods.",
108
+ checks: [
109
+ { id: "ISO27701-6.7-C1", description: "Retention schedule defined per PII category", status: "not-implemented" },
110
+ { id: "ISO27701-6.7-C2", description: "Automated deletion implemented", status: "not-implemented" },
111
+ { id: "ISO27701-6.7-C3", description: "Secure disposal documented", status: "not-implemented" },
112
+ ],
113
+ },
114
+ {
115
+ id: "ISO27701-6.9",
116
+ name: "PII Transfer Controls",
117
+ description: "Control and document transfers of PII between systems, organizations, and jurisdictions.",
118
+ category: "privacy",
119
+ framework: "ISO27701",
120
+ article: "Clause 6.9",
121
+ status: "not-implemented",
122
+ severity: "critical",
123
+ implementation_guidance: "Document all PII transfers. Ensure legal basis for cross-border transfers. Use encryption in transit. Maintain transfer logs.",
124
+ checks: [
125
+ { id: "ISO27701-6.9-C1", description: "PII transfers documented", status: "not-implemented" },
126
+ { id: "ISO27701-6.9-C2", description: "Cross-border legal basis confirmed", status: "not-implemented" },
127
+ { id: "ISO27701-6.9-C3", description: "Transfer logging implemented", status: "not-implemented" },
128
+ ],
129
+ },
130
+ {
131
+ id: "ISO27701-7.3",
132
+ name: "PII Controller Obligations",
133
+ description: "Fulfill controller obligations including consent management, data subject rights, and transparency.",
134
+ category: "privacy",
135
+ framework: "ISO27701",
136
+ article: "Clause 7.3",
137
+ status: "not-implemented",
138
+ severity: "critical",
139
+ implementation_guidance: "Implement consent capture and management. Provide data subject rights (access, rectification, erasure, portability). Maintain processing records.",
140
+ checks: [
141
+ { id: "ISO27701-7.3-C1", description: "Consent management system in place", status: "not-implemented" },
142
+ { id: "ISO27701-7.3-C2", description: "Data subject rights process documented", status: "not-implemented" },
143
+ { id: "ISO27701-7.3-C3", description: "Processing records maintained (Art 30)", status: "not-implemented" },
144
+ ],
145
+ },
146
+ {
147
+ id: "ISO27701-7.5",
148
+ name: "PII Processor Obligations",
149
+ description: "When acting as processor, only process PII per controller instructions and maintain subprocessor controls.",
150
+ category: "privacy",
151
+ framework: "ISO27701",
152
+ article: "Clause 7.5",
153
+ status: "not-implemented",
154
+ severity: "high",
155
+ implementation_guidance: "Process PII only per documented controller instructions. Maintain DPAs with all subprocessors. Notify controllers of breaches.",
156
+ checks: [
157
+ { id: "ISO27701-7.5-C1", description: "Processing limited to controller instructions", status: "not-implemented" },
158
+ { id: "ISO27701-7.5-C2", description: "DPAs with subprocessors maintained", status: "not-implemented" },
159
+ { id: "ISO27701-7.5-C3", description: "Breach notification to controllers defined", status: "not-implemented" },
160
+ ],
161
+ },
162
+ {
163
+ id: "ISO27701-8.4",
164
+ name: "Privacy by Design",
165
+ description: "Integrate privacy considerations into the design and development of systems, products, and services.",
166
+ category: "privacy",
167
+ framework: "ISO27701",
168
+ article: "Clause 8.4",
169
+ status: "not-implemented",
170
+ severity: "high",
171
+ implementation_guidance: "Apply privacy by design principles. Conduct privacy reviews in SDLC. Minimize PII collection. Default to privacy-protective settings.",
172
+ checks: [
173
+ { id: "ISO27701-8.4-C1", description: "Privacy by design principles applied", status: "not-implemented" },
174
+ { id: "ISO27701-8.4-C2", description: "Privacy reviews in SDLC", status: "not-implemented" },
175
+ { id: "ISO27701-8.4-C3", description: "Privacy-protective defaults configured", status: "not-implemented" },
176
+ ],
177
+ },
178
+ ];
179
+ return {
180
+ id: "iso27701",
181
+ name: "ISO 27701 Privacy Information Management Policy Pack",
182
+ description: "ISO/IEC 27701:2019 controls for Privacy Information Management Systems (PIMS), extending ISO 27001 with privacy and PII protection requirements.",
183
+ version: "1.0.0",
184
+ project_types: [
185
+ "saas", "ai-application", "government-system", "healthcare-system",
186
+ "generic-web-application", "api-backend", "mobile-application",
187
+ ],
188
+ controls,
189
+ frameworks: ["ISO27701"],
190
+ };
191
+ }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@greenarmor/ges-policy-engine",
3
- "version": "1.0.0",
3
+ "version": "1.1.0",
4
4
  "type": "module",
5
5
  "description": "GESF Policy Engine - Policy packs management and enforcement",
6
6
  "main": "./dist/index.js",
@@ -11,17 +11,18 @@
11
11
  "default": "./dist/index.js"
12
12
  }
13
13
  },
14
+ "scripts": {
15
+ "build": "tsc",
16
+ "clean": "rm -rf dist tsconfig.tsbuildinfo",
17
+ "test": "vitest run"
18
+ },
14
19
  "dependencies": {
15
- "@greenarmor/ges-core": "1.0.0",
16
- "@greenarmor/ges-compliance-engine": "1.0.0"
20
+ "@greenarmor/ges-core": "workspace:*",
21
+ "@greenarmor/ges-compliance-engine": "workspace:*"
17
22
  },
18
23
  "devDependencies": {
19
24
  "typescript": "^6.0.0",
20
- "@types/node": "^22.0.0"
21
- },
22
- "scripts": {
23
- "build": "tsc",
24
- "clean": "rm -rf dist tsconfig.tsbuildinfo",
25
- "test": "echo \"no tests yet\""
25
+ "@types/node": "^22.0.0",
26
+ "vitest": "^4.1.8"
26
27
  }
27
- }
28
+ }
package/LICENSE DELETED
@@ -1,21 +0,0 @@
1
- MIT License
2
-
3
- Copyright (c) 2025–2026 greenarmor
4
-
5
- Permission is hereby granted, free of charge, to any person obtaining a copy
6
- of this software and associated documentation files (the "Software"), to deal
7
- in the Software without restriction, including without limitation the rights
8
- to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
- copies of the Software, and to permit persons to whom the Software is
10
- furnished to do so, subject to the following conditions:
11
-
12
- The above copyright notice and this permission notice shall be included in all
13
- copies or substantial portions of the Software.
14
-
15
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
- IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
- AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
- LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
- OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
- SOFTWARE.