vaspera 2.5.0

package/dist/compliance/frameworks/iso-42001.js

@@ -0,0 +1,719 @@
+/**
+ * ISO/IEC 42001 AI Management System Compliance Framework
+ *
+ * Maps security findings to ISO/IEC 42001:2023 requirements.
+ * ISO/IEC 42001 specifies requirements for establishing, implementing,
+ * maintaining and continually improving an AI management system (AIMS).
+ *
+ * @see https://www.iso.org/standard/81230.html
+ * @module compliance/frameworks/iso-42001
+ */
+/**
+ * ISO/IEC 42001 Controls
+ *
+ * Based on ISO/IEC 42001:2023 requirements and Annex A controls.
+ * Controls cover both management system clauses and specific AI controls.
+ */
+export const ISO_42001_CONTROLS = [
+    // ============================================================================
+    // Clause 4: Context of the Organization
+    // ============================================================================
+    {
+        id: "ISO42001-4.1",
+        framework: "ISO-42001",
+        category: "Context",
+        title: "Understanding the Organization and Its Context",
+        description: "The organization shall determine external and internal issues that are relevant to its purpose and affect its ability to achieve the intended outcomes of its AI management system.",
+        keywords: [
+            "context",
+            "organizational issues",
+            "ai management system",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-4.2",
+        framework: "ISO-42001",
+        category: "Context",
+        title: "Understanding Needs and Expectations of Interested Parties",
+        description: "The organization shall determine interested parties relevant to the AI management system and their requirements, including regulatory, legal, and contractual obligations.",
+        keywords: [
+            "stakeholders",
+            "interested parties",
+            "requirements",
+        ],
+        findingCategories: [
+            "overreliance",
+        ],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-4.3",
+        framework: "ISO-42001",
+        category: "Context",
+        title: "Scope of the AI Management System",
+        description: "The organization shall determine the boundaries and applicability of the AI management system to establish its scope, considering AI systems and their deployment contexts.",
+        keywords: [
+            "scope",
+            "boundaries",
+            "applicability",
+        ],
+        findingCategories: [
+            "manifest-drift",
+        ],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-4.4",
+        framework: "ISO-42001",
+        category: "Context",
+        title: "AI Management System",
+        description: "The organization shall establish, implement, maintain, and continually improve an AI management system in accordance with ISO 42001 requirements.",
+        keywords: [
+            "management system",
+            "continuous improvement",
+            "implementation",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    // ============================================================================
+    // Clause 5: Leadership
+    // ============================================================================
+    {
+        id: "ISO42001-5.1",
+        framework: "ISO-42001",
+        category: "Leadership",
+        title: "Leadership and Commitment",
+        description: "Top management shall demonstrate leadership and commitment with respect to the AI management system by ensuring AI policy, objectives, and resources are established.",
+        keywords: [
+            "leadership",
+            "commitment",
+            "top management",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-5.2",
+        framework: "ISO-42001",
+        category: "Leadership",
+        title: "AI Policy",
+        description: "Top management shall establish an AI policy that is appropriate to the purpose of the organization, provides a framework for setting AI objectives, and includes commitment to continual improvement.",
+        keywords: [
+            "ai policy",
+            "objectives",
+            "framework",
+        ],
+        findingCategories: [
+            "excessive-agency",
+            "overscoped-permission",
+        ],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-5.3",
+        framework: "ISO-42001",
+        category: "Leadership",
+        title: "Organizational Roles, Responsibilities and Authorities",
+        description: "Top management shall ensure responsibilities and authorities for relevant roles are assigned and communicated within the organization for AI governance.",
+        keywords: [
+            "roles",
+            "responsibilities",
+            "authorities",
+        ],
+        findingCategories: [
+            "excessive-agency",
+        ],
+        severityThreshold: "medium",
+    },
+    // ============================================================================
+    // Clause 6: Planning
+    // ============================================================================
+    {
+        id: "ISO42001-6.1",
+        framework: "ISO-42001",
+        category: "Planning",
+        title: "Actions to Address Risks and Opportunities",
+        description: "When planning for the AI management system, the organization shall consider issues, requirements, and determine risks and opportunities that need to be addressed.",
+        keywords: [
+            "risk planning",
+            "opportunities",
+            "risk assessment",
+        ],
+        findingCategories: [
+            "prompt-injection",
+            "exfil-path",
+            "supply-chain-vuln",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-6.1.3",
+        framework: "ISO-42001",
+        category: "Planning",
+        title: "AI Risk Assessment",
+        description: "The organization shall define and apply an AI risk assessment process that establishes risk criteria, identifies risks, analyzes and evaluates them.",
+        keywords: [
+            "risk assessment",
+            "risk criteria",
+            "risk analysis",
+        ],
+        findingCategories: [
+            "prompt-injection",
+            "insecure-plugin",
+            "excessive-agency",
+            "missing-sandbox",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-6.1.4",
+        framework: "ISO-42001",
+        category: "Planning",
+        title: "AI Risk Treatment",
+        description: "The organization shall define and apply an AI risk treatment process to select appropriate options, determine controls, and produce a statement of applicability.",
+        keywords: [
+            "risk treatment",
+            "controls",
+            "statement of applicability",
+        ],
+        findingCategories: [],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-6.2",
+        framework: "ISO-42001",
+        category: "Planning",
+        title: "AI Objectives and Planning to Achieve Them",
+        description: "The organization shall establish AI objectives at relevant functions, levels, and processes, ensuring they are consistent with the AI policy and measurable.",
+        keywords: [
+            "ai objectives",
+            "measurement",
+            "planning",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    // ============================================================================
+    // Clause 7: Support
+    // ============================================================================
+    {
+        id: "ISO42001-7.1",
+        framework: "ISO-42001",
+        category: "Support",
+        title: "Resources",
+        description: "The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the AI management system.",
+        keywords: [
+            "resources",
+            "infrastructure",
+            "support",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-7.2",
+        framework: "ISO-42001",
+        category: "Support",
+        title: "Competence",
+        description: "The organization shall determine necessary competence of persons doing work under its control that affects AI system performance and ensure persons are competent.",
+        keywords: [
+            "competence",
+            "training",
+            "qualifications",
+        ],
+        findingCategories: [
+            "overreliance",
+        ],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-7.3",
+        framework: "ISO-42001",
+        category: "Support",
+        title: "Awareness",
+        description: "Persons doing work under the organization's control shall be aware of the AI policy, their contribution to the effectiveness of the AI management system, and implications of not conforming.",
+        keywords: [
+            "awareness",
+            "policy understanding",
+            "implications",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-7.4",
+        framework: "ISO-42001",
+        category: "Support",
+        title: "Communication",
+        description: "The organization shall determine internal and external communications relevant to the AI management system, including what, when, with whom, and how to communicate.",
+        keywords: [
+            "communication",
+            "internal",
+            "external",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-7.5",
+        framework: "ISO-42001",
+        category: "Support",
+        title: "Documented Information",
+        description: "The AI management system shall include documented information required by ISO 42001 and determined by the organization as necessary for AI management system effectiveness.",
+        keywords: [
+            "documentation",
+            "documented information",
+            "records",
+        ],
+        findingCategories: [
+            "manifest-drift",
+            "tool-drift",
+            "unsigned-change",
+        ],
+        severityThreshold: "medium",
+    },
+    // ============================================================================
+    // Clause 8: Operation
+    // ============================================================================
+    {
+        id: "ISO42001-8.1",
+        framework: "ISO-42001",
+        category: "Operation",
+        title: "Operational Planning and Control",
+        description: "The organization shall plan, implement, and control processes needed to meet requirements and implement actions determined in planning by establishing criteria and control.",
+        keywords: [
+            "operational planning",
+            "process control",
+            "criteria",
+        ],
+        findingCategories: [
+            "excessive-agency",
+            "overscoped-permission",
+        ],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-8.2",
+        framework: "ISO-42001",
+        category: "Operation",
+        title: "AI Risk Assessment",
+        description: "The organization shall perform AI risk assessments at planned intervals or when significant changes are proposed or occur, retaining documented results.",
+        keywords: [
+            "risk assessment",
+            "periodic assessment",
+            "significant changes",
+        ],
+        findingCategories: [
+            "manifest-drift",
+            "tool-drift",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-8.3",
+        framework: "ISO-42001",
+        category: "Operation",
+        title: "AI Risk Treatment",
+        description: "The organization shall implement the AI risk treatment plan and retain documented information on results of AI risk treatment.",
+        keywords: [
+            "risk treatment",
+            "implementation",
+            "documentation",
+        ],
+        findingCategories: [],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-8.4",
+        framework: "ISO-42001",
+        category: "Operation",
+        title: "AI System Impact Assessment",
+        description: "The organization shall establish and apply a process for AI system impact assessment to evaluate potential consequences of AI system deployment.",
+        keywords: [
+            "impact assessment",
+            "consequences",
+            "deployment evaluation",
+        ],
+        findingCategories: [
+            "excessive-agency",
+            "exfil-path",
+            "prompt-injection",
+        ],
+        severityThreshold: "high",
+    },
+    // ============================================================================
+    // Clause 9: Performance Evaluation
+    // ============================================================================
+    {
+        id: "ISO42001-9.1",
+        framework: "ISO-42001",
+        category: "Performance",
+        title: "Monitoring, Measurement, Analysis and Evaluation",
+        description: "The organization shall determine what needs to be monitored and measured, methods for monitoring and measurement, when monitoring and measuring shall be performed, and who shall analyze results.",
+        keywords: [
+            "monitoring",
+            "measurement",
+            "analysis",
+            "evaluation",
+        ],
+        findingCategories: [
+            "logging-failure",
+        ],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-9.2",
+        framework: "ISO-42001",
+        category: "Performance",
+        title: "Internal Audit",
+        description: "The organization shall conduct internal audits at planned intervals to provide information on whether the AI management system conforms to requirements and is effectively implemented.",
+        keywords: [
+            "internal audit",
+            "conformance",
+            "effectiveness",
+        ],
+        findingCategories: [],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-9.3",
+        framework: "ISO-42001",
+        category: "Performance",
+        title: "Management Review",
+        description: "Top management shall review the organization's AI management system at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.",
+        keywords: [
+            "management review",
+            "suitability",
+            "effectiveness",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    // ============================================================================
+    // Clause 10: Improvement
+    // ============================================================================
+    {
+        id: "ISO42001-10.1",
+        framework: "ISO-42001",
+        category: "Improvement",
+        title: "Continual Improvement",
+        description: "The organization shall continually improve the suitability, adequacy, and effectiveness of the AI management system.",
+        keywords: [
+            "continual improvement",
+            "suitability",
+            "effectiveness",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    {
+        id: "ISO42001-10.2",
+        framework: "ISO-42001",
+        category: "Improvement",
+        title: "Nonconformity and Corrective Action",
+        description: "When a nonconformity occurs, the organization shall react, evaluate the need for action, implement any action needed, review effectiveness, and make changes to the AI management system if necessary.",
+        keywords: [
+            "nonconformity",
+            "corrective action",
+            "root cause",
+        ],
+        findingCategories: [],
+        severityThreshold: "medium",
+    },
+    // ============================================================================
+    // Annex A: AI System Life Cycle Controls
+    // ============================================================================
+    {
+        id: "ISO42001-A.5.2",
+        framework: "ISO-42001",
+        category: "AI System Life Cycle",
+        title: "AI System Requirements",
+        description: "Requirements for the AI system shall be specified, including functional requirements, quality attributes, constraints, and acceptance criteria.",
+        keywords: [
+            "requirements",
+            "specifications",
+            "acceptance criteria",
+        ],
+        findingCategories: [
+            "manifest-drift",
+        ],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-A.5.3",
+        framework: "ISO-42001",
+        category: "AI System Life Cycle",
+        title: "AI System Design and Development",
+        description: "The organization shall design and develop AI systems considering identified risks, requirements, and the intended operational environment.",
+        keywords: [
+            "design",
+            "development",
+            "architecture",
+        ],
+        findingCategories: [
+            "insecure-plugin",
+            "excessive-agency",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-A.5.4",
+        framework: "ISO-42001",
+        category: "AI System Life Cycle",
+        title: "AI System Verification and Validation",
+        description: "Verification and validation activities shall be performed to ensure AI systems meet specified requirements and are fit for intended use.",
+        keywords: [
+            "verification",
+            "validation",
+            "testing",
+        ],
+        findingCategories: [
+            "prompt-injection",
+            "model-denial-of-service",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-A.5.5",
+        framework: "ISO-42001",
+        category: "AI System Life Cycle",
+        title: "AI System Deployment",
+        description: "Deployment of AI systems shall be planned and controlled, including monitoring and evaluation of deployment outcomes.",
+        keywords: [
+            "deployment",
+            "release",
+            "rollout",
+        ],
+        findingCategories: [
+            "unsigned-change",
+            "manifest-drift",
+        ],
+        severityThreshold: "medium",
+    },
+    {
+        id: "ISO42001-A.5.6",
+        framework: "ISO-42001",
+        category: "AI System Life Cycle",
+        title: "AI System Operation and Monitoring",
+        description: "AI systems shall be operated and monitored throughout their deployment to ensure continued conformance with requirements.",
+        keywords: [
+            "operation",
+            "monitoring",
+            "conformance",
+        ],
+        findingCategories: [
+            "logging-failure",
+            "tool-drift",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-A.5.7",
+        framework: "ISO-42001",
+        category: "AI System Life Cycle",
+        title: "AI System Retirement",
+        description: "Retirement of AI systems shall be planned and controlled, ensuring data and model handling comply with applicable requirements.",
+        keywords: [
+            "retirement",
+            "decommissioning",
+            "data handling",
+        ],
+        findingCategories: [],
+        severityThreshold: "low",
+    },
+    // ============================================================================
+    // Annex A: Data for AI Systems
+    // ============================================================================
+    {
+        id: "ISO42001-A.6.2",
+        framework: "ISO-42001",
+        category: "Data for AI Systems",
+        title: "Data Acquisition",
+        description: "Data acquisition for AI systems shall be controlled to ensure data is collected in accordance with applicable requirements and ethical considerations.",
+        keywords: [
+            "data acquisition",
+            "data collection",
+            "ethical data",
+        ],
+        findingCategories: [
+            "training-data-poisoning",
+            "pii-exposure",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-A.6.3",
+        framework: "ISO-42001",
+        category: "Data for AI Systems",
+        title: "Data Quality",
+        description: "The organization shall ensure data used in AI systems meets quality requirements, including accuracy, completeness, and relevance.",
+        keywords: [
+            "data quality",
+            "accuracy",
+            "completeness",
+        ],
+        findingCategories: [
+            "training-data-poisoning",
+            "integrity-failure",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-A.6.4",
+        framework: "ISO-42001",
+        category: "Data for AI Systems",
+        title: "Data Provenance",
+        description: "Information about data provenance shall be documented and maintained, including data sources, transformations, and lineage.",
+        keywords: [
+            "provenance",
+            "lineage",
+            "data sources",
+        ],
+        findingCategories: [
+            "supply-chain-vuln",
+            "unsigned-change",
+        ],
+        severityThreshold: "medium",
+    },
+    // ============================================================================
+    // Annex A: Third-Party Relationships
+    // ============================================================================
+    {
+        id: "ISO42001-A.9.2",
+        framework: "ISO-42001",
+        category: "Third-Party Relationships",
+        title: "Third-Party AI Components",
+        description: "Use of third-party AI components shall be controlled, including evaluation of risks and verification of compliance with requirements.",
+        keywords: [
+            "third-party",
+            "components",
+            "supply chain",
+        ],
+        findingCategories: [
+            "supply-chain-vuln",
+            "dependency-vuln",
+            "insecure-plugin",
+        ],
+        severityThreshold: "high",
+    },
+    {
+        id: "ISO42001-A.9.3",
+        framework: "ISO-42001",
+        category: "Third-Party Relationships",
+        title: "AI System Integration",
+        description: "Integration of AI systems with third-party systems shall be controlled to ensure security and reliability of the integrated solution.",
+        keywords: [
+            "integration",
+            "third-party systems",
+            "interfaces",
+        ],
+        findingCategories: [
+            "exfil-path",
+            "missing-sandbox",
+        ],
+        severityThreshold: "high",
+    },
+    // ============================================================================
+    // Annex A: AI System Resources (Security-Focused)
+    // ============================================================================
+    {
+        id: "ISO42001-A.3.3",
+        framework: "ISO-42001",
+        category: "AI System Resources",
+        title: "AI System Security",
+        description: "Security measures shall be implemented to protect AI systems from unauthorized access, use, disclosure, disruption, modification, or destruction.",
+        keywords: [
+            "security",
+            "protection",
+            "access control",
+        ],
+        findingCategories: [
+            "auth-bypass",
+            "broken-access-control",
+            "model-theft",
+        ],
+        severityThreshold: "critical",
+    },
+    {
+        id: "ISO42001-A.3.4",
+        framework: "ISO-42001",
+        category: "AI System Resources",
+        title: "AI System Resilience",
+        description: "AI systems shall be designed and operated to be resilient against disruptions, including adversarial attacks and system failures.",
+        keywords: [
+            "resilience",
+            "adversarial attacks",
+            "reliability",
+        ],
+        findingCategories: [
+            "prompt-injection",
+            "model-denial-of-service",
+        ],
+        severityThreshold: "high",
+    },
+];
+/**
+ * Get all ISO 42001 controls
+ */
+export function getISO42001Controls() {
+    return ISO_42001_CONTROLS;
+}
+/**
+ * Get ISO 42001 control by ID
+ */
+export function getISO42001ControlById(id) {
+    return ISO_42001_CONTROLS.find((c) => c.id === id);
+}
+/**
+ * Get ISO 42001 controls by clause
+ */
+export function getISO42001ControlsByClause(clause) {
+    return ISO_42001_CONTROLS.filter((c) => c.category === clause);
+}
+/**
+ * Get ISO 42001 controls by category
+ */
+export function getISO42001ControlsByCategory(category) {
+    return ISO_42001_CONTROLS.filter((c) => c.category === category);
+}
+/**
+ * Get all ISO 42001 categories
+ */
+export function getISO42001Categories() {
+    return [...new Set(ISO_42001_CONTROLS.map((c) => c.category))];
+}
+/**
+ * Get ISO 42001 clauses
+ */
+export function getISO42001Clauses() {
+    return ["Context", "Leadership", "Planning", "Support", "Operation", "Performance", "Improvement"];
+}
+/**
+ * Cross-mapping to ISO 27001 controls
+ */
+export const ISO_42001_TO_ISO_27001_MAPPING = {
+    "ISO42001-6.1.3": ["A.8.2", "A.12.6.1"], // Risk Assessment
+    "ISO42001-7.5": ["A.5.1.2", "A.18.1.3"], // Documentation
+    "ISO42001-8.4": ["A.14.2.1"], // Impact Assessment
+    "ISO42001-9.1": ["A.12.4.1"], // Monitoring
+    "ISO42001-9.2": ["A.18.2.1"], // Internal Audit
+    "ISO42001-A.3.3": ["A.9.1.1", "A.9.4.1"], // Security
+    "ISO42001-A.6.2": ["A.8.2.1"], // Data Classification
+    "ISO42001-A.9.2": ["A.15.1.1", "A.15.2.1"], // Third-Party
+};
+/**
+ * Cross-mapping to NIST AI RMF
+ */
+export const ISO_42001_TO_NIST_AI_RMF_MAPPING = {
+    "ISO42001-4.1": ["GOVERN-1.1"], // Context
+    "ISO42001-5.2": ["GOVERN-1.2"], // Policy
+    "ISO42001-6.1.3": ["MAP-3.1", "MEASURE-2.1"], // Risk Assessment
+    "ISO42001-8.4": ["MAP-3.1"], // Impact Assessment
+    "ISO42001-9.1": ["MEASURE-4.1"], // Monitoring
+    "ISO42001-A.5.4": ["MEASURE-2.3"], // Verification
+    "ISO42001-A.6.3": ["MAP-1.2"], // Data Quality
+};
+//# sourceMappingURL=iso-42001.js.map