# ISO 27001 Annex A Controls → NATS Event Streams Mapping
#
# Maps governance event types to ISO 27001:2022 Annex A controls.
# Used by the Evidence Collector to tag evidence with applicable controls.
#
# Numbering follows the 2022 edition: A.5 organizational, A.6 people,
# A.7 physical, A.8 technological. The 2013 section numbers (e.g. "A.9
# Access control") no longer exist; the section headers below name the
# actual control IDs each entry carries.
#
# NOTE(review): each entry lists both event_types and nats_subjects; this
# file does not show which of the two the collector matches on, or whether
# an event's type is cross-checked against the subject it arrived on —
# confirm in the collector. NATS `>` matches one or more trailing tokens
# (governance.policy.eval and governance.policy.a.b.c both match
# "governance.policy.>"; the bare subject governance.policy does not).
# Because tagging is driven by the subject, any client allowed to publish
# on governance.> can produce control-tagged evidence; publish permissions
# on these subjects should be limited to the emitting services (NATS
# account/user permissions) for the evidence trail to be trustworthy.
version: "1.0.0"

mappings:
  # A.5.1, A.5.2, A.5.4 — Organizational controls: policies, roles,
  # management responsibilities
  - controls:
      - "A.5.1"  # Policies for information security
      - "A.5.2"  # Information security roles and responsibilities
      - "A.5.4"  # Management responsibilities
    event_types:
      - policy_evaluation
      - policy_update
      - policy_violation
    nats_subjects:
      - "governance.policy.>"

  # A.5.10, A.5.12, A.5.13 — Acceptable use, classification, labelling
  # (A.5.11 Return of assets is intentionally not in this list)
  - controls:
      - "A.5.10"  # Acceptable use of information
      - "A.5.12"  # Classification of information
      - "A.5.13"  # Labelling of information
    event_types:
      - data_access
      - data_classification
      - data_export
    nats_subjects:
      - "governance.data.>"

  # A.8 — Technological controls: endpoints, privileged access,
  # authentication, configuration, monitoring
  # NOTE(review): A.8.2 (privileged access rights) is evidenced here from
  # agent/system events, while role_change is evidenced under A.5.18 below;
  # verify this split matches how privilege changes are actually emitted.
  - controls:
      - "A.8.1"  # User endpoint devices
      - "A.8.2"  # Privileged access rights
      - "A.8.5"  # Secure authentication
      - "A.8.9"  # Configuration management
      - "A.8.16"  # Monitoring activities
    event_types:
      - agent_authentication
      - agent_action
      - system_configuration
      - monitoring_alert
    nats_subjects:
      - "governance.agent.>"
      - "governance.system.>"

  # A.5.15–A.5.18 — Access control, identity management, authentication
  # information, access rights (organizational controls in the 2022 edition;
  # formerly the 2013 "A.9 Access control" section)
  - controls:
      - "A.5.15"  # Access control
      - "A.5.16"  # Identity management
      - "A.5.17"  # Authentication information
      - "A.5.18"  # Access rights
    event_types:
      - access_request
      - access_granted
      - access_denied
      - role_change
    nats_subjects:
      - "governance.access.>"

  # A.5.23 — Information security for use of cloud services
  # (supplier controls A.5.19–A.5.22 and incident-management controls
  # A.5.24–A.5.28 are not mapped by this file)
  - controls:
      - "A.5.23"  # Information security for cloud services
    event_types:
      - external_api_call
      - cloud_service_access
    nats_subjects:
      - "governance.external.>"