
DOMAIN: COMPLIANCE_FRAMEWORKS

OWNER: julian
UPDATED: 2026-04-12
SCOPE: GE internal infrastructure, client projects requiring certifications


MASTER_REFERENCE

START HERE: development/standards/compliance-framework.md — the single source of truth for GE's compliance system, including the YAML catalog architecture, 5-tier framework classification (34 frameworks), CI check mappings, and how frameworks are assigned to projects.

YAML Catalogs: All 34 compliance frameworks are defined in config/compliance-catalogs/*.yaml. Adding a new framework = one YAML file, zero code changes. See the master reference for the full catalog structure and how to add frameworks.

Tier Rules: config/compliance-framework-rules.yaml defines auto-attach rules by tier (Tier 1: always attached, EU regulation; Tier 2: sector-specific; Tier 3: certifications; Tier 4: emerging AI frameworks; Tier 5: attached on request only).


ISO_27001:2022

STRUCTURE

VERSION: 2022 (replaces 2013)
THEMES: 4 (Organizational, People, Physical, Technological)
CONTROLS: 93 (down from 114)

NEW_CONTROLS_2022 (11 controls new in the 2022 edition)

5.7: threat intelligence — collect, analyze, use
5.23: cloud security — information security for use of cloud services
5.30: ICT readiness for business continuity
7.4: physical security monitoring — continuous monitoring of premises for unauthorized physical access
8.9: configuration management — security configurations
8.10: information deletion — secure deletion when no longer needed
8.11: data masking — mask personal/sensitive data per policy
8.12: DLP — data leakage prevention
8.16: monitoring — monitor for anomalous behavior
8.23: web filtering — manage external website access
8.28: secure coding — secure development principles

GE_MAPPING

8.28 (secure coding) → semgrep rules, security linting, code review = Julian's scope
5.23 (cloud security) → k3s Pod Security Standards, RBAC, Network Policies
8.9 (config management) → GitOps, infrastructure-as-code
8.16 (monitoring) → Falco, audit logs, centralized logging
8.12 (DLP) → secrets scanning, data classification
8.10 (deletion) → automated retention policies, secure delete


ISO_27701:2019

WHAT: privacy information management system (PIMS) extension to ISO 27001/27002; the 2019 edition is written against the 2013 control set, so mapping to 27001:2022 control numbers is needed
ADDS: PII Controller controls, PII Processor controls, privacy risk assessment, privacy incident management
VALUE: supports demonstrating GDPR compliance through a structured, certifiable framework (it is not a GDPR certification in itself) — increasingly requested by enterprise clients


SOC_2

TRUST_SERVICE_CRITERIA

  1. SECURITY (mandatory) — protection against unauthorized access
  2. AVAILABILITY — system available for operation and use
  3. PROCESSING_INTEGRITY — processing complete, valid, accurate, timely
  4. CONFIDENTIALITY — designated info protected
  5. PRIVACY — personal info per privacy notice

TYPE_1_VS_TYPE_2

TYPE_1: point-in-time snapshot — tests that controls are suitably designed at one date
TYPE_2: observation period (typically 6-12 months) — tests design and operating effectiveness, demonstrates sustained compliance
NOTE: Type 2 preferred by enterprise clients

COMMON_CRITERIA

CC1: control environment
CC2: communication and information
CC3: risk assessment
CC4: monitoring activities
CC5: control activities
CC6: logical and physical access controls
CC7: system operations
CC8: change management
CC9: risk mitigation


CIS_CONTROLS_V8

IMPLEMENTATION_GROUPS

IG1 (essential cyber hygiene): 56 safeguards — baseline for every org
IG2: adds 74 safeguards (130 total) — orgs with dedicated IT security capability
IG3: adds 23 safeguards (153 total) — mature security programs

TOP_CONTROLS (highest impact)

  1. inventory enterprise assets — can't protect what you don't know
  2. inventory software assets — track all, detect unauthorized
  3. data protection — classify and protect sensitive
  4. secure configuration — harden defaults, remove unnecessary
  5. account management — least privilege, lifecycle
  6. access control — RBAC, MFA, sessions

GE_MAPPING

1 (asset inventory) → AGENT-REGISTRY.json, k8s resource inventory
2 (software inventory) → SBOM generation, dependency tracking
4 (secure config) → kube-bench, CIS K8s Benchmark
6 (access control) → k8s RBAC, Vault, MFA on admin-ui
7 (vuln management) → Trivy scanning, patch SLAs
8 (audit logs) → centralized logging, k8s audit policy
16 (app security) → Semgrep, secure coding standards


NIST_CSF_2.0

VERSION: February 2024
NOTE: US-origin but globally referenced. Maps to ISO 27001 and SOC 2.

FUNCTIONS:
GOVERN (new in 2.0): cybersecurity governance, risk management strategy, policy
IDENTIFY: asset management, risk assessment, improvement
PROTECT: access control, data security, platform security, resilience
DETECT: continuous monitoring, adverse event analysis
RESPOND: incident management, analysis, mitigation, reporting
RECOVER: recovery plan execution, communication


FRAMEWORK_SELECTION

enterprise SaaS with EU clients?
→ ISO 27001 + ISO 27701 (GDPR) + SOC 2 Type II + CIS Controls IG2

handling payments?
→ add PCI DSS v4.0.1

health sector?
→ add NEN 7510 (Dutch healthcare information security standard) + MDR (EU Medical Device Regulation, if SaMD)

financial sector?
→ add DORA

general web application?
→ CIS Controls IG1 + OWASP ASVS Level 1


COMPLIANCE_AS_CODE

PRINCIPLE: express compliance controls as automated tests wherever possible
ARCHITECTURE: 34 framework YAML catalogs in config/compliance-catalogs/
LOADER: admin-ui/lib/services/compliance-catalog-loader.ts (cached, typed)
MAPPER: admin-ui/lib/services/compliance-mapper.ts (dossier → control evidence)
RULES: config/compliance-framework-rules.yaml (5-tier auto-attach)

EVIDENCE_PRODUCTION

SECURITY_CONFIG: kube-bench, Checkov, OPA/Kyverno policies
CODE_SECURITY: semgrep rules mapped to OWASP ASVS requirements
DEPENDENCY: trivy scanning with severity thresholds
ACCESS_CONTROL: RBAC audit scripts, unused permission detection
DATA_PROTECTION: automated PII detection in logs, retention enforcement

EVIDENCE_CHAIN

  1. YAML catalog defines control → ci_checks + evidence_types
  2. CI/CD pipeline produces evidence artifacts
  3. Framework gate validates per-control status
  4. OSCAL Assessment Results document generated
  5. Cosign-signed attestation bound to container image
  6. Persisted to DB (compliance_attestations + compliance_evidence)
  7. Hash-chained via AAT records (10-year retention)
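
Worked example of steps 1, 3 and 7 of the chain above (catalog → per-control verdict → framework gate → hash-chained record). This is an added illustration, not the project's compliance-catalog-loader.ts or compliance-mapper.ts: the catalog shape, the CheckResult shape and the AttestationRecord fields are assumptions for the example, the sample catalog and CI results are constructed, and the image digest is a placeholder. Two points a practitioner should take from it: a mapped check that never ran is "no-evidence" and fails the gate rather than passing silently, and the hash chain catches edits and interior deletions but not truncation of the tail.

```typescript
import { createHash } from "crypto";

// Catalog shape is an assumption for this example; the project's real YAML
// schema is described in development/standards/compliance-framework.md.
interface Control { id: string; title: string; ci_checks: string[]; evidence_types: string[] }
interface Catalog { framework: string; version: string; controls: Control[] }

// Constructed fragment standing in for one config/compliance-catalogs/*.yaml file.
const iso27001Catalog: Catalog = {
  framework: "ISO_27001",
  version: "2022",
  controls: [
    { id: "8.28", title: "Secure coding", ci_checks: ["semgrep"], evidence_types: ["sast-report"] },
    { id: "8.9", title: "Configuration management", ci_checks: ["kube-bench", "checkov"], evidence_types: ["benchmark-report"] },
    { id: "8.16", title: "Monitoring activities", ci_checks: ["falco-policy-lint"], evidence_types: ["runtime-policy"] },
  ],
};

// Step 2: one entry per CI check that ran for this build (constructed sample).
// falco-policy-lint never ran; checkov ran but failed.
interface CheckResult { check: string; passed: boolean; artifact: string }
const sampleResults: CheckResult[] = [
  { check: "semgrep", passed: true, artifact: "semgrep.sarif" },
  { check: "kube-bench", passed: true, artifact: "kube-bench.json" },
  { check: "checkov", passed: false, artifact: "checkov.json" },
];

type Status = "satisfied" | "not-satisfied" | "no-evidence";
interface Verdict { control: string; status: Status; evidence: string[] }

// Step 3: per-control status. Satisfied only if every mapped check ran and
// passed. A mapped check that never ran yields "no-evidence", which the gate
// treats exactly like a failure: a missing scanner must not pass silently.
function evaluateControls(catalog: Catalog, results: CheckResult[]): Verdict[] {
  const byCheck = new Map<string, CheckResult>();
  for (const r of results) byCheck.set(r.check, r);
  return catalog.controls.map((c) => {
    const runs = c.ci_checks.map((name) => byCheck.get(name));
    const present = runs.filter((r): r is CheckResult => r !== undefined);
    let status: Status;
    if (present.length < runs.length) status = "no-evidence";
    else if (present.every((r) => r.passed)) status = "satisfied";
    else status = "not-satisfied";
    return { control: c.id, status, evidence: present.map((r) => r.artifact) };
  });
}

function gatePasses(verdicts: Verdict[]): boolean {
  return verdicts.every((v) => v.status === "satisfied");
}

// Step 7: append-only, hash-chained records. Each record commits to the hash
// of its predecessor, so altering or deleting any earlier record invalidates
// every later one. The cosign signature of step 5 is outside this example.
interface AttestationRecord {
  seq: number;
  image: string; // image digest the attestation is bound to
  framework: string;
  verdicts: Verdict[];
  prevHash: string;
  hash: string;
}

const GENESIS = "0".repeat(64);

function recordHash(r: Omit<AttestationRecord, "hash">): string {
  // Field order is fixed here so the encoding is deterministic; a production
  // system should use a canonical JSON encoder (RFC 8785) instead.
  const body = JSON.stringify({
    seq: r.seq, image: r.image, framework: r.framework, verdicts: r.verdicts, prevHash: r.prevHash,
  });
  return createHash("sha256").update(body).digest("hex");
}

function appendRecord(chain: AttestationRecord[], image: string, framework: string, verdicts: Verdict[]): AttestationRecord[] {
  const prevHash = chain.length > 0 ? chain[chain.length - 1].hash : GENESIS;
  const partial = { seq: chain.length, image, framework, verdicts, prevHash };
  return [...chain, { ...partial, hash: recordHash(partial) }];
}

// Re-derives every hash from record contents; returns false on any edit,
// reorder or interior deletion. Tail truncation is NOT detected here: the
// current head hash must be anchored elsewhere (for example inside the signed
// attestation of step 5) for that.
function verifyChain(chain: AttestationRecord[]): boolean {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const { hash, ...rest } = chain[i];
    if (rest.seq !== i || rest.prevHash !== expectedPrev || recordHash(rest) !== hash) return false;
    expectedPrev = hash;
  }
  return true;
}

// Usage: evaluate one build, gate it, and append the result to the chain.
const verdicts = evaluateControls(iso27001Catalog, sampleResults);
const chain = appendRecord([], "sha256:placeholder-digest", "ISO_27001", verdicts);
console.log(gatePasses(verdicts), verifyChain(chain), verdicts);
```

With the constructed inputs, 8.28 is satisfied, 8.9 is not-satisfied (checkov failed) and 8.16 is no-evidence (its only mapped check never ran), so the gate fails. Persisting the head hash of the chain alongside the signed attestation is what turns "hash-chained" into tamper-evident for the full 10-year retention window.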

BENEFITS:
- continuous compliance (not just before audits)
- automated evidence collection across 34 frameworks
- developer-friendly (part of CI/CD)
- drift detection (alert on deviation from compliant state)
- new framework = one YAML file, zero code changes

READ_ALSO: development/standards/compliance-framework.md, domains/security/index.md, domains/eu-regulation/index.md