bmad-plus 0.4.3 → 0.5.0

package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md

@@ -0,0 +1,211 @@
+# CMMC 2.0 — All 110 Practices (NIST SP 800-171 Rev 2 Mapped)
+
+Level codes: **L1** = Level 1 (17 practices) · **L2** = Level 2 (all 110) · **L3** = Level 3 (110 + SP 800-172 enhancements)
+
+---
+
+## AC — Access Control (22 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| AC.L1-3.1.1 | L1 | Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). |
+| AC.L1-3.1.2 | L1 | Limit system access to the types of transactions and functions authorized users are permitted to execute. |
+| AC.L2-3.1.3 | L2 | Control the flow of CUI in accordance with approved authorizations. |
+| AC.L2-3.1.4 | L2 | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. |
+| AC.L2-3.1.5 | L2 | Employ the principle of least privilege, including for specific security functions and privileged accounts. |
+| AC.L2-3.1.6 | L2 | Use non-privileged accounts or roles when accessing non-security functions. |
+| AC.L2-3.1.7 | L2 | Prevent non-privileged users from executing privileged functions and capture the execution in audit logs. |
+| AC.L2-3.1.8 | L2 | Limit unsuccessful logon attempts. |
+| AC.L2-3.1.9 | L2 | Provide privacy and security notices consistent with CUI rules. |
+| AC.L2-3.1.10 | L2 | Use session lock with pattern-hiding displays after a period of inactivity. |
+| AC.L2-3.1.11 | L2 | Terminate (automatically) a user session after a defined condition. |
+| AC.L2-3.1.12 | L2 | Monitor and control remote access sessions. |
+| AC.L2-3.1.13 | L2 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. |
+| AC.L2-3.1.14 | L2 | Route remote access via managed access control points. |
+| AC.L2-3.1.15 | L2 | Authorize remote execution of privileged commands and access to security-relevant information via remote access only for documented operational needs. |
+| AC.L2-3.1.16 | L2 | Authorize wireless access prior to allowing connections. |
+| AC.L2-3.1.17 | L2 | Protect wireless access using authentication and encryption. |
+| AC.L2-3.1.18 | L2 | Control connection of mobile devices. |
+| AC.L2-3.1.19 | L2 | Encrypt CUI on mobile devices and mobile computing platforms. |
+| AC.L2-3.1.20 | L2 | Verify and control/limit connections to external systems. |
+| AC.L2-3.1.21 | L2 | Limit use of portable storage devices on external systems. |
+| AC.L2-3.1.22 | L2 | Control CUI posted or processed on publicly accessible systems. |
+
+---
+
+## AT — Awareness and Training (3 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| AT.L2-3.2.1 | L2 | Ensure personnel are aware of the security risks associated with their activities and policies/procedures related to CUI. |
+| AT.L2-3.2.2 | L2 | Ensure personnel are trained to carry out assigned security responsibilities. |
+| AT.L2-3.2.3 | L2 | Provide security awareness training on recognizing and reporting potential indicators of insider threat. |
+
+---
+
+## AU — Audit and Accountability (9 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| AU.L2-3.3.1 | L2 | Create and retain system audit logs and records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized activity. |
+| AU.L2-3.3.2 | L2 | Ensure that the actions of individual users can be uniquely traced to those users. |
+| AU.L2-3.3.3 | L2 | Review and update logged events. |
+| AU.L2-3.3.4 | L2 | Alert in the event of an audit logging process failure. |
+| AU.L2-3.3.5 | L2 | Correlate audit record review, analysis, and reporting processes. |
+| AU.L2-3.3.6 | L2 | Provide audit record reduction and report generation to support analysis and reporting. |
+| AU.L2-3.3.7 | L2 | Provide a system capability that compares and synchronizes internal clocks with authoritative sources. |
+| AU.L2-3.3.8 | L2 | Protect audit information and tools from unauthorized access, modification, and deletion. |
+| AU.L2-3.3.9 | L2 | Limit management of audit logging to a subset of privileged users. |
+
+---
+
+## CM — Configuration Management (9 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| CM.L2-3.4.1 | L2 | Establish and maintain baseline configurations and inventories of organizational systems (hardware, software, firmware, and documentation). |
+| CM.L2-3.4.2 | L2 | Establish and enforce security configuration settings for IT products employed in systems. |
+| CM.L2-3.4.3 | L2 | Track, review, approve, and log changes to systems. |
+| CM.L2-3.4.4 | L2 | Analyze the security impact of changes prior to implementation. |
+| CM.L2-3.4.5 | L2 | Define, document, approve, and enforce physical and logical access restrictions associated with changes. |
+| CM.L2-3.4.6 | L2 | Employ the principle of least functionality by configuring systems to provide only essential capabilities. |
+| CM.L2-3.4.7 | L2 | Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. |
+| CM.L2-3.4.8 | L2 | Apply deny-by-exception (blacklisting) policy to prevent use of unauthorized software or deny-all, permit-by-exception (whitelisting). |
+| CM.L2-3.4.9 | L2 | Control and monitor user-installed software. |
+
+---
+
+## IA — Identification and Authentication (11 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| IA.L1-3.5.1 | L1 | Identify system users, processes acting on behalf of users, and devices. |
+| IA.L1-3.5.2 | L1 | Authenticate (or verify) the identities of users, processes, or devices before allowing access. |
+| IA.L2-3.5.3 | L2 | Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts. |
+| IA.L2-3.5.4 | L2 | Employ replay-resistant authentication mechanisms for network access. |
+| IA.L2-3.5.5 | L2 | Employ identifier management to prevent reuse of identifiers for a defined period. |
+| IA.L2-3.5.6 | L2 | Disable identifiers after a defined inactivity period. |
+| IA.L2-3.5.7 | L2 | Enforce a minimum password complexity and change requirements. |
+| IA.L2-3.5.8 | L2 | Prohibit password reuse for a specified number of generations. |
+| IA.L2-3.5.9 | L2 | Allow temporary password use with immediate change requirement. |
+| IA.L2-3.5.10 | L2 | Store and transmit only cryptographically-protected passwords (FIPS 140-2/3 validated). |
+| IA.L2-3.5.11 | L2 | Obscure feedback of authentication information. |
+
+---
+
+## IR — Incident Response (3 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| IR.L2-3.6.1 | L2 | Establish an operational incident-handling capability including preparation, detection, analysis, containment, recovery, and user response activities. |
+| IR.L2-3.6.2 | L2 | Track, document, and report incidents to designated officials and/or authorities both internal and external. |
+| IR.L2-3.6.3 | L2 | Test the organizational incident response capability. |
+
+---
+
+## MA — Maintenance (6 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| MA.L2-3.7.1 | L2 | Perform maintenance on organizational systems. |
+| MA.L2-3.7.2 | L2 | Provide controls on the tools, techniques, mechanisms, and personnel that conduct system maintenance. |
+| MA.L2-3.7.3 | L2 | Ensure equipment removed for off-site maintenance is sanitized of CUI. |
+| MA.L2-3.7.4 | L2 | Check media containing diagnostic and test programs for malicious code before the media are used. |
+| MA.L2-3.7.5 | L2 | Require MFA to establish remote maintenance sessions and terminate sessions when maintenance is complete. |
+| MA.L2-3.7.6 | L2 | Supervise the maintenance activities of personnel without required access authorization. |
+
+---
+
+## MP — Media Protection (9 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| MP.L1-3.8.3 | L1 | Sanitize or destroy system media before disposal or reuse. |
+| MP.L2-3.8.1 | L2 | Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital. |
+| MP.L2-3.8.2 | L2 | Limit access to CUI on system media to authorized users. |
+| MP.L2-3.8.4 | L2 | Mark media with necessary CUI markings and distribution limitations. |
+| MP.L2-3.8.5 | L2 | Control access to media containing CUI and maintain accountability for media during transport. |
+| MP.L2-3.8.6 | L2 | Implement cryptographic mechanisms to protect CUI during transport unless otherwise protected by alternative physical safeguards. |
+| MP.L2-3.8.7 | L2 | Control the use of removable media on system components. |
+| MP.L2-3.8.8 | L2 | Prohibit the use of portable storage devices when such devices have no identifiable owner. |
+| MP.L2-3.8.9 | L2 | Protect the backups of CUI at storage locations. |
+
+---
+
+## PE — Physical Protection (6 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| PE.L1-3.10.1 | L1 | Limit physical access to systems to authorized individuals. |
+| PE.L1-3.10.2 | L1 | Protect and monitor the physical facility and support infrastructure. |
+| PE.L1-3.10.3 | L1 | Escort visitors and monitor visitor activity. |
+| PE.L1-3.10.4 | L1 | Maintain audit logs of physical access. |
+| PE.L1-3.10.5 | L1 | Control and manage physical access devices. |
+| PE.L2-3.10.6 | L2 | Enforce safeguarding measures for CUI at alternate work sites. |
+
+---
+
+## PS — Personnel Security (2 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| PS.L2-3.9.1 | L2 | Screen individuals prior to authorizing access to systems containing CUI. |
+| PS.L2-3.9.2 | L2 | Ensure CUI is protected during and after personnel actions such as terminations and transfers. |
+
+---
+
+## RA — Risk Assessment (3 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| RA.L2-3.11.1 | L2 | Periodically assess the risk to organizational operations, assets, and individuals from the operation of systems and associated CUI processing. |
+| RA.L2-3.11.2 | L2 | Scan for vulnerabilities in organizational systems periodically and when new vulnerabilities affecting those systems are identified. |
+| RA.L2-3.11.3 | L2 | Remediate vulnerabilities in accordance with risk assessments. |
+
+---
+
+## CA — Security Assessment (4 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| CA.L2-3.12.1 | L2 | Periodically assess the security controls in organizational systems to determine whether they are effective. |
+| CA.L2-3.12.2 | L2 | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities. |
+| CA.L2-3.12.3 | L2 | Monitor security controls on an ongoing basis to ensure the continued effectiveness. |
+| CA.L2-3.12.4 | L2 | Develop, document, and periodically update system security plans (SSPs). |
+
+---
+
+## SC — System and Communications Protection (16 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| SC.L1-3.13.1 | L1 | Monitor, control, and protect communications at external boundaries and key internal boundaries. |
+| SC.L1-3.13.5 | L1 | Implement subnetworks for publicly accessible system components. |
+| SC.L2-3.13.2 | L2 | Employ architectural designs, software development techniques, and systems engineering principles that promote security. |
+| SC.L2-3.13.3 | L2 | Separate user functionality from system management functionality. |
+| SC.L2-3.13.4 | L2 | Prevent unauthorized and unintended information transfer via shared system resources. |
+| SC.L2-3.13.6 | L2 | Deny network communications traffic by default and allow by exception (i.e., deny all, permit by exception). |
+| SC.L2-3.13.7 | L2 | Prevent remote devices from simultaneously connecting to the system and to other resources (i.e., split tunneling). |
+| SC.L2-3.13.8 | L2 | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission (FIPS 140-2/3). |
+| SC.L2-3.13.9 | L2 | Terminate network connections after a defined period of inactivity. |
+| SC.L2-3.13.10 | L2 | Establish and manage cryptographic keys when cryptography is employed. |
+| SC.L2-3.13.11 | L2 | Employ FIPS-validated cryptography when used to protect CUI. |
+| SC.L2-3.13.12 | L2 | Prohibit remote activation of collaborative computing devices and provide indication of use to users present at the device. |
+| SC.L2-3.13.13 | L2 | Control and monitor the use of mobile code. |
+| SC.L2-3.13.14 | L2 | Control and monitor the use of VoIP technologies. |
+| SC.L2-3.13.15 | L2 | Protect the authenticity of communications sessions. |
+| SC.L2-3.13.16 | L2 | Protect CUI at rest. |
+
+---
+
+## SI — System and Information Integrity (7 practices)
+
+| Practice ID | Level | Requirement |
+|-------------|-------|-------------|
+| SI.L1-3.14.1 | L1 | Identify, report, and correct information and system flaws in a timely manner. |
+| SI.L1-3.14.2 | L1 | Provide protection from malicious code at appropriate locations within systems. |
+| SI.L1-3.14.4 | L1 | Update malicious code protection mechanisms when new releases are available. |
+| SI.L1-3.14.5 | L1 | Perform periodic scans of systems and real-time scans of files from external sources. |
+| SI.L2-3.14.3 | L2 | Monitor system security alerts and advisories and take action in response. |
+| SI.L2-3.14.6 | L2 | Monitor systems to detect attacks and indicators of potential attacks. |
+| SI.L2-3.14.7 | L2 | Identify unauthorized use of systems. |

package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md

@@ -0,0 +1,281 @@
+# CSRD Compliance Programme Reference
+
+## Programme Templates, Checklists, and Implementation Guidance
+
+---
+
+## 1. CSRD Implementation Roadmap
+
+### Phase 0 — Scoping (Months 1–2)
+- [ ] Confirm in-scope status: check size thresholds (employees, turnover, assets), listing status, PIE status
+- [ ] Determine first mandatory reporting year (FY 2024, 2025, 2026, or 2028)
+- [ ] Identify group structure: parent, subsidiaries; check if subsidiary can rely on group CSRD report
+- [ ] Assess non-EU company obligations if applicable (>€150M EU turnover)
+- [ ] Identify existing ESG reporting: GRI, TCFD, CDP, SASB, NFRD — baseline assessment
+
+### Phase 1 — Foundation (Months 2–5)
+- [ ] Appoint CSRD project lead and cross-functional team (Finance, Legal, Sustainability, HR, Risk)
+- [ ] Establish governance: board/committee oversight of CSRD preparation
+- [ ] Engage external advisors: CSRD consultant, assurance provider (early engagement recommended)
+- [ ] Conduct preliminary Double Materiality Assessment (DMA) — identify material ESRS topics
+- [ ] Map existing disclosures to ESRS datapoints — identify gaps
+- [ ] Assess data availability across all material ESRS topics
+
+### Phase 2 — Gap Assessment and Planning (Months 4–8)
+- [ ] Complete full DMA with stakeholder engagement
+- [ ] Document DMA methodology and outputs (ESRS 2 IRO-1 / SBM-3)
+- [ ] Conduct detailed gap assessment: required datapoints vs. data available
+- [ ] Assess value chain data collection feasibility for material topics
+- [ ] Evaluate IT/systems requirements: data collection, aggregation, reporting systems
+- [ ] Design data collection processes and assign ownership
+- [ ] Plan Scope 3 GHG emissions programme (if E1 material)
+- [ ] Engage assurance provider: agree scope, approach, timeline for limited assurance
+
+### Phase 3 — Data Collection and Controls (Months 6–14)
+- [ ] Implement data collection processes for all material ESRS datapoints
+- [ ] Develop and implement internal controls over sustainability reporting
+- [ ] Establish data quality review and sign-off procedures
+- [ ] Collect and verify Scope 1, 2, 3 GHG emissions data
+- [ ] Collect workforce data (ESRS S1 datapoints)
+- [ ] Implement value chain data collection: supplier questionnaires, CDP, proxy data
+- [ ] Develop transition plan (ESRS E1-1) if climate is material
+- [ ] Conduct scenario analysis for climate risks/opportunities (ESRS E1-9)
+
+### Phase 4 — Drafting and Assurance (Months 12–18 from first reporting year)
+- [ ] Draft CSRD disclosures for all material ESRS topics
+- [ ] Ensure dedicated section in management report (Accounting Directive Art. 19a)
+- [ ] Apply XBRL/iXBRL digital tagging to sustainability disclosures (ESEF taxonomy)
+- [ ] Internal review: legal, finance, sustainability, board review of disclosures
+- [ ] Engage assurance provider for limited assurance engagement
+- [ ] Respond to assurance queries and implement recommendations
+- [ ] Obtain assurance report
+- [ ] Board / supervisory body sign-off
+
+### Phase 5 — Publication and Ongoing Compliance
+- [ ] Publish sustainability disclosures in annual report
+- [ ] File ESEF-tagged annual report with national registry
+- [ ] Update DMA annually
+- [ ] Track ESRS amendments and Commission guidance
+- [ ] Monitor Omnibus Package simplifications (post-2025 legislative changes)
+- [ ] Begin preparation for reasonable assurance (phased in post-2028)
+
+---
+
+## 2. CSRD Gap Assessment Template
+
+### Instructions
+Complete this table after DMA. For each material ESRS topic, assess current data availability and identify gaps requiring action before first reporting year.
+
+| ESRS | Disclosure | Required Datapoint | Current State | Gap | Priority | Action Required | Owner | Target Date |
+|------|-----------|-------------------|--------------|-----|---------|----------------|-------|------------|
+| ESRS 2 | GOV-1 | Board sustainability oversight | Partial — board reviews ESG quarterly | Missing: expertise credentials, time spent | HIGH | Document board ESG discussion records; collect CV/bio data | Company Secretary | Q2 2025 |
+| ESRS 2 | GOV-3 | Sustainability in incentive schemes | No ESG KPIs in remuneration | Gap: no linkage | HIGH | Board Remuneration Committee to design ESG KPIs | CHRO + Board RemCo | Q1 2025 |
+| ESRS 2 | SBM-3 | DMA output — material IROs | DMA not conducted | Critical gap | CRITICAL | Conduct DMA with stakeholder engagement | Sustainability team | Q3 2024 |
+| E1 | E1-6 | Scope 1, 2, 3 GHG emissions | Scope 1+2 available; Scope 3 not measured | Scope 3 all 15 categories missing | CRITICAL | Implement Scope 3 measurement programme | Operations + Procurement | Q1 2025 |
+| E1 | E1-1 | Climate transition plan | No formal plan | Full gap | HIGH | Develop transition plan aligned with SBTi/Paris | CEO + Strategy | Q2 2025 |
+| S1 | S1-16 | Gender pay gap | Partial HR data | Missing: median pay by gender | HIGH | Commission pay analysis; align with EU Pay Transparency Dir. | CHRO | Q3 2025 |
+| S1 | S1-14 | LTIFR (lost time injury rate) | Available for own employees | Missing: contractor data | MEDIUM | Extend H&S data collection to contractors | EHS Manager | Q4 2025 |
+| G1 | G1-3 | Anti-corruption training coverage | 60% employees trained | Missing: updated coverage data; need >80% | MEDIUM | Run annual anti-corruption training campaign | Legal/Compliance | Q2 2025 |
+
+**Priority Definitions:**
+- **CRITICAL:** Legal requirement; cannot publish without this data
+- **HIGH:** Material gap; will result in qualified assurance if not resolved
+- **MEDIUM:** Gap exists; resolution improves quality but limited assurance achievable
+- **LOW:** Enhancement opportunity; not essential for first-year compliance
+
+---
+
+## 3. Data Collection Framework
+
+### Governance Data (ESRS 2 GOV)
+
+| Datapoint | Data Source | Frequency | Owner |
+|-----------|------------|-----------|-------|
+| Board member sustainability expertise | Board CVs / biography | Annual | Company Secretary |
+| Board ESG agenda items / time spent | Board meeting minutes | Annual | Company Secretary |
+| ESG KPIs in executive remuneration | RemCo decisions / contracts | Annual | CHRO / Legal |
+| Due diligence process coverage | Procurement / Legal | Annual | Legal |
+
+### Climate Data (ESRS E1)
+
+| Datapoint | Data Source | Frequency | Owner |
+|-----------|------------|-----------|-------|
+| Scope 1 emissions | Fuel consumption records, fleet data | Monthly → Annual | Facilities / Fleet |
+| Scope 2 (location-based) | Electricity invoices + IEA grid factors | Monthly → Annual | Finance / Facilities |
+| Scope 2 (market-based) | Energy certificates (RECs, GOs, PPAs) | Annual | Energy Procurement |
+| Scope 3 Cat. 1 (purchased goods) | Supplier spend × emission factors (EPA/ecoinvent) | Annual | Procurement |
+| Scope 3 Cat. 3 (fuel & energy) | Calculated from S1+S2 data | Annual | Facilities |
+| Scope 3 Cat. 6 (business travel) | Travel management system | Annual | HR / Travel |
+| Scope 3 Cat. 7 (commuting) | Employee survey / commuting patterns | Annual | HR |
+| Scope 3 Cat. 11 (product use) | Product emission factors + sales data | Annual | Product team |
+| Scope 3 Cat. 12 (end-of-life) | Waste management data + product specs | Annual | Product team |
+| Energy consumption total | All energy bills / smart metering | Monthly → Annual | Facilities |
+| Renewable energy share | Energy purchase contracts / guarantees of origin | Annual | Energy Procurement |
+
+### Workforce Data (ESRS S1)
+
+| Datapoint | Data Source | Frequency | Owner |
+|-----------|------------|-----------|-------|
+| Headcount by gender / contract type | HRIS system | Monthly → Annual | HR |
+| Turnover rate | HRIS system | Annual | HR |
+| Gender pay gap (median) | Payroll system analysis | Annual | HR / Finance |
+| Collective bargaining coverage | HR records / legal | Annual | HR |
+| LTIFR, fatalities | EHS / incident management system | Monthly → Annual | EHS |
+| Training hours per employee | LMS (Learning Management System) | Annual | L&D |
+| Parental leave uptake | HR records | Annual | HR |
+| CEO pay ratio | Remuneration disclosures / payroll | Annual | Finance / HR |
+
+---
+
+## 4. Scope 3 GHG Emissions Programme
+
+### Category Priority Matrix
+
+| Category | Typically Material? | Data Availability | Recommended Approach |
+|----------|-------------------|------------------|---------------------|
+| Cat. 1: Purchased goods & services | Yes (for most) | Low-Medium | Spend-based with EEIO factors → supplier surveys for key items |
+| Cat. 2: Capital goods | Medium | Medium | Asset registry × emission factors |
+| Cat. 3: Fuel & energy (upstream) | Yes | High | Calculate from S1+S2 using GHG Protocol factors |
+| Cat. 4: Upstream transport | Medium | Low | Tonne-km × emission factors; freight invoices |
+| Cat. 5: Waste in operations | Low-Medium | Medium | Waste management invoices |
+| Cat. 6: Business travel | Medium | High | Travel management system data |
+| Cat. 7: Employee commuting | Medium | Low | Annual employee survey |
+| Cat. 8: Upstream leased assets | Sector-specific | Medium | Lease registry |
+| Cat. 9: Downstream transport | Sector-specific | Low | Distribution data |
+| Cat. 10: Processing of sold products | Sector-specific | Low | Industry averages |
+| Cat. 11: Use of sold products | Yes (for manufacturers) | Medium-High | Product emission factors × sales volume |
+| Cat. 12: End-of-life treatment | Medium | Low | Industry averages; waste composition |
+| Cat. 13: Downstream leased assets | Sector-specific | Low | Lease register |
+| Cat. 14: Franchises | Sector-specific | Low | Franchise data collection |
+| Cat. 15: Investments | Sector-specific (financial) | Medium | PCAF methodology |
+
+**Recommended Scope 3 Phasing:**
+- **Year 1:** Cats. 1, 3, 6, 7, 11 (typically 80%+ of emissions)
+- **Year 2:** Add Cats. 2, 4, 5, 12
+- **Year 3:** Full coverage with improved primary data
+
+---
+
+## 5. Assurance Readiness Checklist
+
+### Pre-Assurance Requirements
+
+**Governance and Responsibility**
+- [ ] Named individual responsible for each material ESRS topic and its data
+- [ ] Clear escalation path for sustainability data queries
+- [ ] Board/audit committee oversight of sustainability reporting
+
+**Documentation**
+- [ ] DMA documented with methodology, scoring, stakeholder inputs
+- [ ] Data collection procedures documented for each datapoint
+- [ ] Calculation methodology documented (GHG Protocol, ESRS guidance)
+- [ ] Internal review and sign-off process documented
+- [ ] Correction procedure for sustainability data errors
+
+**Data Quality**
+- [ ] Data trail from source system to reported figure for each datapoint
+- [ ] Evidence of data completeness checks (coverage of operations)
+- [ ] Prior year comparatives available and reconciled
+- [ ] Estimation methodology documented for gaps (proxy data, interpolation)
+- [ ] Restatement policy defined
+
+**Controls**
+- [ ] Internal controls documented for key sustainability data processes
+- [ ] Evidence of management review and approval of sustainability disclosures
+- [ ] Segregation of duties between data collectors and approvers
+
+**Boundary and Scope**
+- [ ] Reporting boundary clearly defined (consolidation approach: financial control, operational control, equity share)
+- [ ] Any boundary differences vs. financial reporting documented and justified
+- [ ] Value chain scope clearly defined and disclosed
+
+### Limited Assurance vs. Reasonable Assurance
+
+| Aspect | Limited Assurance (Current) | Reasonable Assurance (Future) |
+|--------|----------------------------|------------------------------|
+| Standard | ISAE 3000 (Revised) | ISAE 3000 (Revised) — higher standard |
+| Procedures | Inquiries + analytical procedures | As above + substantive testing |
+| Evidence | Less extensive | More extensive; site visits typical |
+| Conclusion | "Nothing came to our attention" | "The information is fairly presented" |
+| Documentation | Less detailed | Detailed audit-like evidence file |
+| Timeline | CSRD Phase 1 (now) | Commission review by 2028 |
+
+**Practical Tip:** Build reasonable assurance-quality documentation from day one — retroactively improving evidence trails is very difficult and expensive.
+
+---
+
+## 6. XBRL Digital Tagging — Practical Guide
+
+### What Must Be Tagged
+- All quantitative datapoints in the sustainability disclosures
+- Key qualitative disclosures (policy statements, targets)
+- Taxonomy: European Single Electronic Format (ESEF) extended with CSRD sustainability taxonomy
+
+### Tagging Approach Options
+1. **Software-integrated:** Sustainability reporting software with built-in XBRL tagging (SAP Sustainability Footprint Management, Workiva, Sweep, etc.)
+2. **Post-report tagging:** Tag the final report using ESEF tagging tools
+3. **Outsourced:** Use XBRL tagging service provider
+
+### Timeline
+- ESEF sustainability taxonomy: Commission in development (consult ESMA for latest timeline)
+- First XBRL-tagged sustainability reports: aligned with first CSRD reporting year
+
+---
+
+## 7. Value Chain Data Collection — Supplier Engagement
+
+### Supplier Prioritisation Framework
+
+Prioritise suppliers based on:
+1. **Spend-based emissions significance** (Cat. 1 Scope 3 contribution)
+2. **High-risk sectors** (garments, electronics, agriculture, extractives)
+3. **High-risk geographies** (countries with elevated labour/environmental risks)
+4. **Strategic / sole-source relationships** (limited substitutability)
+
+### Data Collection Methods
+
+| Method | Best for | Effort | Data Quality |
+|--------|---------|--------|-------------|
+| CDP Supply Chain | Large, listed suppliers | Low (for company) | High |
+| Supplier questionnaire (EcoVadis, custom) | Tier-1 suppliers | Medium | Medium-High |
+| Spend-based emission factors (EEIO) | Long-tail suppliers | Very low | Low-Medium |
+| Industry sector averages | Where direct data unavailable | Very low | Low |
+| Site audits | High-risk suppliers | High | Very High |
+
+### Disclosure of Estimation Approaches (ESRS 1, para. 64)
+Where value chain data is not directly available, companies must disclose:
+- Which datapoints use estimated/proxy data
+- The estimation methodology applied
+- The level of accuracy and main sources of uncertainty
+- Steps being taken to improve data quality over time
+
+---
+
+## 8. CSRD vs. NFRD — Key Differences
+
+| Aspect | NFRD (old) | CSRD (new) |
+|--------|-----------|-----------|
+| Companies in scope | ~11,000 (PIEs >500 employees) | ~50,000 (all large + listed SMEs) |
+| Non-EU companies | Not covered | >€150M EU turnover |
+| Standards | No mandatory standards | Mandatory ESRS |
+| Materiality | Financial only | Double materiality (impact + financial) |
+| Value chain | Not required | Required where material |
+| Assurance | Not required (some member states) | Mandatory limited assurance |
+| Digital tagging | Not required | XBRL/iXBRL mandatory |
+| Location | Flexible (separate report allowed) | Dedicated section of management report |
+
+---
+
+## 9. Omnibus Package Watch (2025)
+
+The European Commission proposed CSRD simplifications in the "Omnibus Package" (February 2025):
+
+**Proposed changes (not yet final as of ESRS publication date):**
+- Narrowing scope: may raise employee threshold to 1,000 (from 250)
+- Reducing mandatory datapoints
+- Delaying listed SME obligations
+- Simplifying value chain reporting requirements
+
+**Important:** Always verify the current legislative status before advising clients on scope and datapoint requirements. Check EUR-Lex and the European Commission website for latest developments.
+
+The underlying ESRS standards issued under Commission Delegated Regulation (EU) 2023/2772 remain the definitive source until amended.