tlc-claude-code 1.4.7 → 1.4.9

package/server/lib/compliance/hipaa-checklist.js

@@ -0,0 +1,277 @@
+/**
+ * HIPAA Compliance Checklist
+ * Health Insurance Portability and Accountability Act safeguards
+ */
+
+// HIPAA Safeguards
+const SAFEGUARDS = [
+  // Administrative Safeguards
+  { id: 'security-management', name: 'Security Management Process', category: 'administrative', type: 'required', section: '164.308(a)(1)' },
+  { id: 'assigned-security', name: 'Assigned Security Responsibility', category: 'administrative', type: 'required', section: '164.308(a)(2)' },
+  { id: 'workforce-security', name: 'Workforce Security', category: 'administrative', type: 'addressable', section: '164.308(a)(3)' },
+  { id: 'info-access-mgmt', name: 'Information Access Management', category: 'administrative', type: 'required', section: '164.308(a)(4)' },
+  { id: 'security-training', name: 'Security Awareness and Training', category: 'administrative', type: 'addressable', section: '164.308(a)(5)' },
+  { id: 'security-incident', name: 'Security Incident Procedures', category: 'administrative', type: 'required', section: '164.308(a)(6)' },
+  { id: 'contingency-plan', name: 'Contingency Plan', category: 'administrative', type: 'required', section: '164.308(a)(7)' },
+  { id: 'evaluation', name: 'Evaluation', category: 'administrative', type: 'required', section: '164.308(a)(8)' },
+  { id: 'baa', name: 'Business Associate Contracts', category: 'administrative', type: 'required', section: '164.308(b)(1)' },
+
+  // Physical Safeguards
+  { id: 'facility-access', name: 'Facility Access Controls', category: 'physical', type: 'addressable', section: '164.310(a)(1)' },
+  { id: 'workstation-use', name: 'Workstation Use', category: 'physical', type: 'required', section: '164.310(b)' },
+  { id: 'workstation-security', name: 'Workstation Security', category: 'physical', type: 'required', section: '164.310(c)' },
+  { id: 'device-media', name: 'Device and Media Controls', category: 'physical', type: 'required', section: '164.310(d)(1)' },
+
+  // Technical Safeguards
+  { id: 'access-control', name: 'Access Control', category: 'technical', type: 'required', section: '164.312(a)(1)' },
+  { id: 'audit-controls', name: 'Audit Controls', category: 'technical', type: 'required', section: '164.312(b)' },
+  { id: 'integrity', name: 'Integrity', category: 'technical', type: 'addressable', section: '164.312(c)(1)' },
+  { id: 'person-auth', name: 'Person or Entity Authentication', category: 'technical', type: 'required', section: '164.312(d)' },
+  { id: 'transmission-security', name: 'Transmission Security', category: 'technical', type: 'addressable', section: '164.312(e)(1)' },
+  { id: 'encryption', name: 'Encryption', category: 'technical', type: 'addressable', section: '164.312(e)(2)' }
+];
+
+// PHI data element patterns
+const PHI_PATTERNS = {
+  ssn: { element: 'ssn', description: 'Social Security Number', sensitivity: 'high' },
+  'patient.ssn': { element: 'ssn', description: 'Patient Social Security Number', sensitivity: 'high' },
+  dateOfBirth: { element: 'dateOfBirth', description: 'Date of Birth', sensitivity: 'medium' },
+  'patient.dateOfBirth': { element: 'dateOfBirth', description: 'Patient Date of Birth', sensitivity: 'medium' },
+  medicalRecord: { element: 'medicalRecord', description: 'Medical Record', sensitivity: 'high' },
+  diagnosis: { element: 'diagnosis', description: 'Diagnosis Information', sensitivity: 'high' },
+  treatment: { element: 'treatment', description: 'Treatment Information', sensitivity: 'high' },
+  prescription: { element: 'prescription', description: 'Prescription Information', sensitivity: 'high' },
+  healthPlan: { element: 'healthPlan', description: 'Health Plan Information', sensitivity: 'medium' },
+  'patient.name': { element: 'name', description: 'Patient Name', sensitivity: 'medium' },
+  'patient.address': { element: 'address', description: 'Patient Address', sensitivity: 'medium' },
+  'patient.phone': { element: 'phone', description: 'Patient Phone', sensitivity: 'medium' },
+  'patient.email': { element: 'email', description: 'Patient Email', sensitivity: 'medium' }
+};
+
+// Safeguard check implementations
+const SAFEGUARD_CHECKS = {
+  'access-control': (evidence) => {
+    return evidence.accessControls?.enabled === true;
+  },
+  'encryption': (evidence) => {
+    return evidence.encryption?.atRest === true && evidence.encryption?.inTransit === true;
+  },
+  'audit-controls': (evidence) => {
+    if (!evidence.auditLogs?.enabled) return false;
+    // Check retention period (HIPAA requires 6 years)
+    const retention = evidence.auditLogs.retention;
+    if (retention) {
+      const years = parseInt(retention);
+      return years >= 6;
+    }
+    return false;
+  }
+};
+
+/**
+ * Create a HIPAA checklist instance
+ * @returns {Object} Checklist instance
+ */
+export function createHipaaChecklist() {
+  return {
+    evaluate(evidence) {
+      const results = [];
+      const safeguards = getSafeguards();
+
+      for (const safeguard of safeguards) {
+        const result = checkSafeguard(safeguard.id, evidence);
+        results.push(result);
+      }
+
+      return {
+        results,
+        compliant: results.every(r => r.implemented || r.safeguard?.type === 'addressable'),
+        score: (results.filter(r => r.implemented).length / results.length) * 100
+      };
+    },
+
+    getSafeguards() {
+      return getSafeguards();
+    },
+
+    getCategories() {
+      return ['administrative', 'physical', 'technical'];
+    }
+  };
+}
+
+/**
+ * Get HIPAA safeguards
+ * @param {Object} options - Filter options
+ * @param {string} options.category - Filter by category
+ * @returns {Array} Safeguards list
+ */
+export function getSafeguards(options = {}) {
+  let safeguards = [...SAFEGUARDS];
+
+  if (options.category) {
+    safeguards = safeguards.filter(s => s.category === options.category);
+  }
+
+  return safeguards;
+}
+
+/**
+ * Check implementation of a specific safeguard
+ * @param {string} safeguardId - Safeguard identifier
+ * @param {Object} evidence - Evidence for compliance check
+ * @returns {Object} Check result
+ */
+export function checkSafeguard(safeguardId, evidence) {
+  const safeguard = SAFEGUARDS.find(s => s.id === safeguardId);
+  const checkFn = SAFEGUARD_CHECKS[safeguardId];
+
+  let implemented = false;
+
+  if (checkFn) {
+    implemented = checkFn(evidence);
+  }
+
+  return {
+    safeguardId,
+    safeguardName: safeguard?.name || 'Unknown safeguard',
+    category: safeguard?.category,
+    type: safeguard?.type,
+    implemented,
+    safeguard
+  };
+}
+
+/**
+ * Generate Business Associate Agreement template
+ * @param {Object} options - BAA options
+ * @param {string} options.coveredEntity - Covered entity name
+ * @param {string} options.businessAssociate - Business associate name
+ * @returns {string} BAA template
+ */
+export function generateBaaTemplate(options = {}) {
+  const coveredEntity = options.coveredEntity || '[COVERED ENTITY]';
+  const businessAssociate = options.businessAssociate || '[BUSINESS ASSOCIATE]';
+  const date = new Date().toISOString().split('T')[0];
+
+  return `# Business Associate Agreement
+
+**Effective Date:** ${date}
+
+**Between:**
+- Covered Entity: ${coveredEntity}
+- Business Associate: ${businessAssociate}
+
+## Recitals
+
+This Business Associate Agreement ("BAA") is entered into by and between ${coveredEntity} ("Covered Entity") and ${businessAssociate} ("Business Associate") to ensure compliance with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
+
+## Article I: Definitions
+
+Terms used herein shall have the same meaning as defined in 45 CFR Parts 160 and 164.
+
+## Article II: Obligations of Business Associate
+
+### 2.1 Permitted Uses and Disclosures
+
+Business Associate agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required by Law.
+
+The permitted uses and disclosures of PHI are limited to:
+- Treatment, payment, and health care operations
+- Functions, activities, or services specified in the underlying agreement
+- As required by law
+
+### 2.2 Safeguards
+
+Business Associate agrees to use appropriate safeguards to prevent use or disclosure of PHI other than as provided for by this Agreement.
+
+Required safeguards include:
+- Administrative safeguards (policies and procedures)
+- Physical safeguards (facility access controls)
+- Technical safeguards (access controls, encryption)
+
+### 2.3 Breach Notification
+
+Business Associate agrees to report to Covered Entity any breach notification requirements under 45 CFR 164.410.
+
+In the event of a breach:
+- Notification within 60 days of discovery
+- Description of PHI involved
+- Recommended mitigation steps
+
+## Article III: Termination
+
+This Agreement may be terminated:
+- Upon termination of the underlying agreement
+- Upon breach of material terms
+- As required by law
+
+## Signatures
+
+_________________________
+${coveredEntity}
+Covered Entity
+
+_________________________
+${businessAssociate}
+Business Associate
+`;
+}
+
+/**
+ * Assess PHI handling in code patterns
+ * @param {Array} codePatterns - Array of code patterns to analyze
+ * @returns {Object} Assessment result
+ */
+export function assessPhiHandling(codePatterns) {
+  const dataElements = new Set();
+  const findings = [];
+  const recommendations = [];
+
+  for (const pattern of codePatterns) {
+    const patternStr = pattern.pattern || '';
+
+    // Check against known PHI patterns
+    for (const [key, info] of Object.entries(PHI_PATTERNS)) {
+      if (patternStr.toLowerCase().includes(key.toLowerCase())) {
+        dataElements.add(info.element);
+        findings.push({
+          file: pattern.file,
+          pattern: patternStr,
+          element: info.element,
+          description: info.description,
+          sensitivity: info.sensitivity
+        });
+      }
+    }
+  }
+
+  // Generate recommendations based on findings
+  if (findings.some(f => f.sensitivity === 'high')) {
+    recommendations.push('Implement encryption at rest for high-sensitivity PHI data');
+    recommendations.push('Use encryption in transit (TLS 1.2+) for all PHI transmissions');
+    recommendations.push('Implement access controls with role-based permissions');
+  }
+
+  if (dataElements.has('ssn')) {
+    recommendations.push('Consider tokenization for SSN storage');
+    recommendations.push('Implement audit logging for SSN access');
+  }
+
+  if (dataElements.has('medicalRecord')) {
+    recommendations.push('Implement audit logging for medical record access');
+    recommendations.push('Ensure minimum necessary access principle');
+  }
+
+  if (recommendations.length === 0 && findings.length > 0) {
+    recommendations.push('Review data handling practices for HIPAA compliance');
+    recommendations.push('Document PHI data flows');
+  }
+
+  return {
+    phiIdentified: dataElements.size > 0,
+    dataElements: Array.from(dataElements),
+    findings,
+    recommendations
+  };
+}

package/server/lib/compliance/hipaa-checklist.test.js

@@ -0,0 +1,101 @@
+/**
+ * HIPAA Checklist Tests
+ */
+import { describe, it, expect, vi } from 'vitest';
+import { createHipaaChecklist, getSafeguards, checkSafeguard, generateBaaTemplate, assessPhiHandling } from './hipaa-checklist.js';
+
+describe('hipaa-checklist', () => {
+  describe('createHipaaChecklist', () => {
+    it('creates HIPAA checklist', () => {
+      const checklist = createHipaaChecklist();
+      expect(checklist.evaluate).toBeDefined();
+      expect(checklist.getSafeguards).toBeDefined();
+    });
+
+    it('covers all safeguard categories', () => {
+      const checklist = createHipaaChecklist();
+      const categories = checklist.getCategories();
+      expect(categories).toContain('administrative');
+      expect(categories).toContain('physical');
+      expect(categories).toContain('technical');
+    });
+  });
+
+  describe('getSafeguards', () => {
+    it('returns all HIPAA safeguards', () => {
+      const safeguards = getSafeguards();
+      expect(safeguards.length).toBeGreaterThan(0);
+    });
+
+    it('filters by category', () => {
+      const technical = getSafeguards({ category: 'technical' });
+      expect(technical.every(s => s.category === 'technical')).toBe(true);
+    });
+
+    it('distinguishes required vs addressable', () => {
+      const safeguards = getSafeguards();
+      expect(safeguards.some(s => s.type === 'required')).toBe(true);
+      expect(safeguards.some(s => s.type === 'addressable')).toBe(true);
+    });
+  });
+
+  describe('checkSafeguard', () => {
+    it('checks safeguard implementation', () => {
+      const evidence = { accessControls: { enabled: true } };
+      const result = checkSafeguard('access-control', evidence);
+      expect(result.safeguardId).toBe('access-control');
+      expect(result.implemented).toBeDefined();
+    });
+
+    it('checks encryption requirements', () => {
+      const evidence = { encryption: { atRest: true, inTransit: true } };
+      const result = checkSafeguard('encryption', evidence);
+      expect(result.implemented).toBe(true);
+    });
+
+    it('validates audit controls', () => {
+      const evidence = { auditLogs: { enabled: true, retention: '6years' } };
+      const result = checkSafeguard('audit-controls', evidence);
+      expect(result.implemented).toBe(true);
+    });
+  });
+
+  describe('generateBaaTemplate', () => {
+    it('generates Business Associate Agreement template', () => {
+      const baa = generateBaaTemplate({ coveredEntity: 'Hospital', businessAssociate: 'TLC Inc' });
+      expect(baa).toContain('Business Associate Agreement');
+      expect(baa).toContain('Hospital');
+      expect(baa).toContain('TLC Inc');
+    });
+
+    it('includes required provisions', () => {
+      const baa = generateBaaTemplate({});
+      expect(baa).toContain('permitted uses');
+      expect(baa).toContain('safeguards');
+      expect(baa).toContain('breach notification');
+    });
+  });
+
+  describe('assessPhiHandling', () => {
+    it('assesses PHI data handling', () => {
+      const codePatterns = [
+        { file: 'patient.js', pattern: 'patient.ssn' },
+        { file: 'records.js', pattern: 'medicalRecord' }
+      ];
+      const assessment = assessPhiHandling(codePatterns);
+      expect(assessment.phiIdentified).toBe(true);
+      expect(assessment.dataElements.length).toBeGreaterThan(0);
+    });
+
+    it('identifies PHI data elements', () => {
+      const codePatterns = [{ file: 'test.js', pattern: 'patient.dateOfBirth' }];
+      const assessment = assessPhiHandling(codePatterns);
+      expect(assessment.dataElements).toContain('dateOfBirth');
+    });
+
+    it('suggests protection measures', () => {
+      const assessment = assessPhiHandling([{ file: 'test.js', pattern: 'ssn' }]);
+      expect(assessment.recommendations.length).toBeGreaterThan(0);
+    });
+  });
+});

package/server/lib/compliance/iso27001-checklist.js

@@ -0,0 +1,287 @@
+/**
+ * ISO 27001:2022 Compliance Checklist
+ * Information Security Management System controls
+ */
+
+// ISO 27001:2022 Annex A Controls
+const CONTROLS = [
+  // Organizational controls (A.5)
+  { id: 'A.5.1', name: 'Policies for information security', theme: 'organizational', purpose: 'To provide management direction and support for information security' },
+  { id: 'A.5.2', name: 'Information security roles and responsibilities', theme: 'organizational', purpose: 'To establish a defined and approved information security organizational structure' },
+  { id: 'A.5.3', name: 'Segregation of duties', theme: 'organizational', purpose: 'To reduce the risk of fraud and error' },
+  { id: 'A.5.4', name: 'Management responsibilities', theme: 'organizational', purpose: 'To ensure all personnel support information security' },
+  { id: 'A.5.5', name: 'Contact with authorities', theme: 'organizational', purpose: 'To maintain appropriate contacts with relevant authorities' },
+  { id: 'A.5.6', name: 'Contact with special interest groups', theme: 'organizational', purpose: 'To maintain appropriate contacts with special interest groups' },
+  { id: 'A.5.7', name: 'Threat intelligence', theme: 'organizational', purpose: 'To provide awareness of the threat environment' },
+  { id: 'A.5.8', name: 'Information security in project management', theme: 'organizational', purpose: 'To ensure information security is integrated into project management' },
+  { id: 'A.5.9', name: 'Inventory of information and other associated assets', theme: 'organizational', purpose: 'To identify and manage information assets' },
+  { id: 'A.5.10', name: 'Acceptable use of information and other associated assets', theme: 'organizational', purpose: 'To ensure information assets are appropriately used' },
+  { id: 'A.5.11', name: 'Return of assets', theme: 'organizational', purpose: 'To protect assets when employment ends' },
+  { id: 'A.5.12', name: 'Classification of information', theme: 'organizational', purpose: 'To ensure information is classified appropriately' },
+  { id: 'A.5.13', name: 'Labelling of information', theme: 'organizational', purpose: 'To facilitate information classification' },
+  { id: 'A.5.14', name: 'Information transfer', theme: 'organizational', purpose: 'To maintain security during information transfer' },
+  { id: 'A.5.15', name: 'Access control', theme: 'organizational', purpose: 'To ensure authorized access to information' },
+  { id: 'A.5.16', name: 'Identity management', theme: 'organizational', purpose: 'To enable unique identification of individuals' },
+  { id: 'A.5.17', name: 'Authentication information', theme: 'organizational', purpose: 'To prevent unauthorized disclosure of authentication information' },
+  { id: 'A.5.18', name: 'Access rights', theme: 'organizational', purpose: 'To ensure access rights are authorized, reviewed, and removed' },
+
+  // People controls (A.6)
+  { id: 'A.6.1', name: 'Screening', theme: 'people', purpose: 'To ensure personnel are suitable and trustworthy' },
+  { id: 'A.6.2', name: 'Terms and conditions of employment', theme: 'people', purpose: 'To ensure personnel understand their responsibilities' },
+  { id: 'A.6.3', name: 'Information security awareness, education and training', theme: 'people', purpose: 'To ensure personnel are aware of security requirements' },
+  { id: 'A.6.4', name: 'Disciplinary process', theme: 'people', purpose: 'To ensure there are consequences for security violations' },
+  { id: 'A.6.5', name: 'Responsibilities after termination or change of employment', theme: 'people', purpose: 'To protect organizational interests during employment changes' },
+  { id: 'A.6.6', name: 'Confidentiality or non-disclosure agreements', theme: 'people', purpose: 'To protect confidential information' },
+  { id: 'A.6.7', name: 'Remote working', theme: 'people', purpose: 'To protect information when working remotely' },
+  { id: 'A.6.8', name: 'Information security event reporting', theme: 'people', purpose: 'To provide timely reporting of security events' },
+
+  // Physical controls (A.7)
+  { id: 'A.7.1', name: 'Physical security perimeters', theme: 'physical', purpose: 'To prevent unauthorized physical access' },
+  { id: 'A.7.2', name: 'Physical entry', theme: 'physical', purpose: 'To protect areas by appropriate entry controls' },
+  { id: 'A.7.3', name: 'Securing offices, rooms and facilities', theme: 'physical', purpose: 'To prevent unauthorized physical access' },
+  { id: 'A.7.4', name: 'Physical security monitoring', theme: 'physical', purpose: 'To detect and deter unauthorized access' },
+  { id: 'A.7.5', name: 'Protecting against physical and environmental threats', theme: 'physical', purpose: 'To protect against environmental damage' },
+  { id: 'A.7.6', name: 'Working in secure areas', theme: 'physical', purpose: 'To protect information in secure areas' },
+  { id: 'A.7.7', name: 'Clear desk and clear screen', theme: 'physical', purpose: 'To reduce risks from unattended workspaces' },
+  { id: 'A.7.8', name: 'Equipment siting and protection', theme: 'physical', purpose: 'To protect equipment from environmental threats' },
+  { id: 'A.7.9', name: 'Security of assets off-premises', theme: 'physical', purpose: 'To protect assets outside organizational premises' },
+  { id: 'A.7.10', name: 'Storage media', theme: 'physical', purpose: 'To prevent unauthorized disclosure from storage media' },
+  { id: 'A.7.11', name: 'Supporting utilities', theme: 'physical', purpose: 'To prevent loss or damage from utility failures' },
+  { id: 'A.7.12', name: 'Cabling security', theme: 'physical', purpose: 'To protect cabling from interception or damage' },
+  { id: 'A.7.13', name: 'Equipment maintenance', theme: 'physical', purpose: 'To ensure continued availability and integrity' },
+  { id: 'A.7.14', name: 'Secure disposal or re-use of equipment', theme: 'physical', purpose: 'To prevent information leakage from disposed equipment' },
+
+  // Technological controls (A.8)
+  { id: 'A.8.1', name: 'User endpoint devices', theme: 'technological', purpose: 'To protect information on endpoint devices' },
+  { id: 'A.8.2', name: 'Privileged access rights', theme: 'technological', purpose: 'To restrict and manage privileged access' },
+  { id: 'A.8.3', name: 'Information access restriction', theme: 'technological', purpose: 'To prevent unauthorized access to information' },
+  { id: 'A.8.4', name: 'Access to source code', theme: 'technological', purpose: 'To prevent unauthorized access to source code' },
+  { id: 'A.8.5', name: 'Secure authentication', theme: 'technological', purpose: 'To implement secure authentication mechanisms' },
+  { id: 'A.8.6', name: 'Capacity management', theme: 'technological', purpose: 'To ensure adequate resource capacity' },
+  { id: 'A.8.7', name: 'Protection against malware', theme: 'technological', purpose: 'To protect against malware' },
+  { id: 'A.8.8', name: 'Management of technical vulnerabilities', theme: 'technological', purpose: 'To prevent exploitation of vulnerabilities' },
+  { id: 'A.8.9', name: 'Configuration management', theme: 'technological', purpose: 'To ensure secure configurations' },
+  { id: 'A.8.10', name: 'Information deletion', theme: 'technological', purpose: 'To ensure secure deletion of information' },
+  { id: 'A.8.11', name: 'Data masking', theme: 'technological', purpose: 'To limit exposure of sensitive data' },
+  { id: 'A.8.12', name: 'Data leakage prevention', theme: 'technological', purpose: 'To prevent unauthorized data disclosure' },
+  { id: 'A.8.13', name: 'Information backup', theme: 'technological', purpose: 'To maintain backup copies of information' },
+  { id: 'A.8.14', name: 'Redundancy of information processing facilities', theme: 'technological', purpose: 'To ensure availability of processing facilities' },
+  { id: 'A.8.15', name: 'Logging', theme: 'technological', purpose: 'To record events for investigation' },
+  { id: 'A.8.16', name: 'Monitoring activities', theme: 'technological', purpose: 'To detect anomalous behavior' },
+  { id: 'A.8.17', name: 'Clock synchronization', theme: 'technological', purpose: 'To ensure consistent timestamps' },
+  { id: 'A.8.18', name: 'Use of privileged utility programs', theme: 'technological', purpose: 'To restrict use of privileged utilities' },
+  { id: 'A.8.19', name: 'Installation of software on operational systems', theme: 'technological', purpose: 'To control software installation' },
+  { id: 'A.8.20', name: 'Networks security', theme: 'technological', purpose: 'To protect network infrastructure' },
+  { id: 'A.8.21', name: 'Security of network services', theme: 'technological', purpose: 'To ensure security of network services' },
+  { id: 'A.8.22', name: 'Segregation of networks', theme: 'technological', purpose: 'To segregate network segments' },
+  { id: 'A.8.23', name: 'Web filtering', theme: 'technological', purpose: 'To restrict access to external websites' },
+  { id: 'A.8.24', name: 'Use of cryptography', theme: 'technological', purpose: 'To ensure proper use of cryptography' },
+  { id: 'A.8.25', name: 'Secure development life cycle', theme: 'technological', purpose: 'To establish secure development practices' },
+  { id: 'A.8.26', name: 'Application security requirements', theme: 'technological', purpose: 'To identify security requirements' },
+  { id: 'A.8.27', name: 'Secure system architecture and engineering principles', theme: 'technological', purpose: 'To establish secure design principles' },
+  { id: 'A.8.28', name: 'Secure coding', theme: 'technological', purpose: 'To apply secure coding practices' },
+  { id: 'A.8.29', name: 'Security testing in development and acceptance', theme: 'technological', purpose: 'To test security during development' },
+  { id: 'A.8.30', name: 'Outsourced development', theme: 'technological', purpose: 'To manage security of outsourced development' },
+  { id: 'A.8.31', name: 'Separation of development, test and production environments', theme: 'technological', purpose: 'To separate environments' },
+  { id: 'A.8.32', name: 'Change management', theme: 'technological', purpose: 'To control changes' },
+  { id: 'A.8.33', name: 'Test information', theme: 'technological', purpose: 'To protect test information' },
+  { id: 'A.8.34', name: 'Protection of information systems during audit testing', theme: 'technological', purpose: 'To minimize impact of audit testing' }
+];
+
+// Control check implementations
+const CONTROL_CHECKS = {
+  'A.5.1': (evidence) => {
+    const implemented = evidence.policies?.informationSecurity === true;
+    return {
+      implemented,
+      effectiveness: implemented ? 'full' : 'none',
+      missingEvidence: implemented ? [] : ['Information security policy document']
+    };
+  },
+  'A.5.15': (evidence) => {
+    const ac = evidence.accessControl;
+    const implemented = ac?.implemented === true;
+    const tested = ac?.tested === true;
+    const documented = ac?.documented === true;
+
+    let effectiveness = 'none';
+    if (implemented && tested && documented) effectiveness = 'full';
+    else if (implemented && (tested || documented)) effectiveness = 'partial';
+    else if (implemented) effectiveness = 'limited';
+
+    const missing = [];
+    if (!implemented) missing.push('Access control implementation');
+    if (!tested) missing.push('Access control testing evidence');
+    if (!documented) missing.push('Access control documentation');
+
+    return {
+      implemented,
+      effectiveness,
+      missingEvidence: missing
+    };
+  }
+};
+
+// Control to technical implementation mappings
+const CONTROL_MAPPINGS = {
+  'A.8.24': [
+    { type: 'encryption', description: 'Data encryption implementation', patterns: ['encrypt', 'aes', 'crypto', 'tls'] },
+    { type: 'key-management', description: 'Cryptographic key management', patterns: ['key-vault', 'kms', 'secret'] }
+  ],
+  'A.8.3': [
+    { type: 'access-control', description: 'Information access restriction', patterns: ['rbac', 'acl', 'permission', 'authorize'] },
+    { type: 'authentication', description: 'User authentication', patterns: ['auth', 'login', 'session'] }
+  ]
+};
+
+/**
+ * Create an ISO 27001 checklist instance
+ * @param {Object} options - Configuration options
+ * @param {string} options.version - ISO 27001 version (default: '2022')
+ * @returns {Object} Checklist instance
+ */
+export function createIso27001Checklist(options = {}) {
+  const version = options.version || '2022';
+
+  return {
+    evaluate(evidence) {
+      const results = [];
+      const controls = getControls();
+
+      for (const control of controls) {
+        const result = checkControl(control.id, evidence);
+        results.push(result);
+      }
+
+      return {
+        version,
+        results,
+        compliant: results.every(r => r.implemented),
+        score: (results.filter(r => r.implemented).length / results.length) * 100
+      };
+    },
+
+    getControls() {
+      return getControls();
+    }
+  };
+}
+
+/**
+ * Get ISO 27001 controls
+ * @param {Object} options - Filter options
+ * @param {string} options.groupBy - Group by 'theme' or return flat list
+ * @returns {Array|Object} Controls list or grouped object
+ */
+export function getControls(options = {}) {
+  if (options.groupBy === 'theme') {
+    const grouped = {
+      organizational: [],
+      people: [],
+      physical: [],
+      technological: []
+    };
+
+    for (const control of CONTROLS) {
+      grouped[control.theme].push(control);
+    }
+
+    return grouped;
+  }
+
+  return [...CONTROLS];
+}
+
+/**
+ * Check implementation of a specific control
+ * @param {string} controlId - Control identifier (e.g., 'A.5.1')
+ * @param {Object} evidence - Evidence for compliance check
+ * @returns {Object} Check result
+ */
+export function checkControl(controlId, evidence) {
+  const control = CONTROLS.find(c => c.id === controlId);
+  const checkFn = CONTROL_CHECKS[controlId];
+
+  let implemented = false;
+  let effectiveness = 'none';
+  let missingEvidence = ['Evidence not provided'];
+
+  if (checkFn) {
+    const result = checkFn(evidence);
+    implemented = result.implemented;
+    effectiveness = result.effectiveness;
+    missingEvidence = result.missingEvidence;
+  }
+
+  return {
+    controlId,
+    controlName: control?.name || 'Unknown control',
+    theme: control?.theme,
+    purpose: control?.purpose,
+    implemented,
+    effectiveness,
+    missingEvidence
+  };
+}
+
+/**
+ * Generate Statement of Applicability
+ * @param {Array} assessments - Array of control assessments
+ * @returns {string} SoA document
+ */
+export function generateSoa(assessments) {
+  const date = new Date().toISOString().split('T')[0];
+
+  let soa = `# Statement of Applicability
+
+**Document Date:** ${date}
+**ISO 27001:2022**
+
+## Purpose
+
+This Statement of Applicability (SoA) documents the applicability and implementation status of ISO 27001:2022 Annex A controls.
+
+## Control Assessment
+
+| Control ID | Control Name | Applicable | Implemented | Justification |
+|------------|--------------|------------|-------------|---------------|
+`;
+
+  for (const assessment of assessments) {
+    const control = CONTROLS.find(c => c.id === assessment.controlId);
+    const name = control?.name || 'Unknown';
+    const applicable = assessment.applicable ? 'Yes' : 'No';
+    const implemented = assessment.implemented ? 'Yes' : 'No';
+    const justification = assessment.justification || '-';
+
+    soa += `| ${assessment.controlId} | ${name} | ${applicable} | ${implemented} | ${justification} |\n`;
+  }
+
+  soa += `
+## Summary
+
+- **Total Controls:** ${assessments.length}
+- **Applicable:** ${assessments.filter(a => a.applicable).length}
+- **Not Applicable:** ${assessments.filter(a => !a.applicable).length}
+- **Implemented:** ${assessments.filter(a => a.implemented).length}
+
+## Approval
+
+_________________________
+Information Security Manager
+
+_________________________
+Management Representative
+`;
+
+  return soa;
+}
+
+/**
+ * Map Annex A control to technical implementations
+ * @param {string} controlId - Control identifier
+ * @returns {Array} Technical implementation mappings
+ */
+export function mapAnnexAControls(controlId) {
+  return CONTROL_MAPPINGS[controlId] || [];
+}