Refactor ISO compliance controls and enhance DevGuard integration in …

…compliance component
l3montree-dev · Jan 28, 2025 · eeb3327 · eeb3327
1 parent 3bbbedd
commit eeb3327
Show file tree

Hide file tree

Showing 2 changed files with 130 additions and 58 deletions.
diff --git a/src/components/compliance/complianceElements.tsx b/src/components/compliance/complianceElements.tsx
@@ -288,25 +288,56 @@ export const bsiComplianceControls = (asset: AssetDTO) => ({
 });
 
 export const isoComplianceControls = {
-  technologicalControls: [
+  technologicalControlsDevGuardSupport: [
     {
-      control: "User end point devices",
+      control: "Management of technical vulnerabilities",
       description:
-        "Information stored on, processed by or accessible via user end point devices shall be protected.",
-      maxEvidence: 0,
+        "Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
       currentEvidence: 0,
+      maxEvidence: 0,
     },
     {
-      control: "Privileged access rights",
+      control: "Configuration management",
       description:
-        "The allocation and use of privileged access rights shall be restricted and managed.",
+        "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
+      currentEvidence: 0,
       maxEvidence: 0,
+    },
+    {
+      control: "Secure development life cycle",
+      description:
+        "Rules for the secure development of software and systems shall be established and applied.",
+      maxEvidence: 4,
       currentEvidence: 0,
     },
     {
-      control: "Information access restriction",
+      control: "Application security requirements",
       description:
-        "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
+        "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
+      maxEvidence: 1,
+      currentEvidence: 1,
+    },
+    {
+      control: "Secure coding",
+      description:
+        "Secure coding principles shall be applied to software development.",
+      maxEvidence: 2,
+      currentEvidence: 0,
+    },
+    {
+      control: "Security testing in development and acceptance",
+      description:
+        "Security testing processes shall be defined and implemented in the development life cycle.",
+      maxEvidence: 10,
+      currentEvidence: 0,
+    },
+  ],
+
+  technologicalControlsDevGuardInsertion: [
+    {
+      control: "Privileged access rights",
+      description:
+        "The allocation and use of privileged access rights shall be restricted and managed.",
       maxEvidence: 0,
       currentEvidence: 0,
     },
@@ -325,30 +356,47 @@ export const isoComplianceControls = {
       currentEvidence: 0,
     },
     {
-      control: "Capacity management",
+      control: "Information access restriction",
       description:
-        "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
+        "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
+      maxEvidence: 0,
       currentEvidence: 0,
+    },
+    {
+      control: "Secure system architecture and engineering principles",
+      description:
+        "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
       maxEvidence: 0,
+      currentEvidence: 0,
     },
     {
-      control: "Protection against malware",
+      control: "Separation of development, test and production environments",
       description:
-        "Protection against malware shall be implemented and supported by appropriate user awareness.",
+        "Development, testing and production environments shall be separated and secured.",
+      maxEvidence: 1,
       currentEvidence: 0,
+    },
+  ],
+
+  technologicalControls: [
+    {
+      control: "User end point devices",
+      description:
+        "Information stored on, processed by or accessible via user end point devices shall be protected.",
       maxEvidence: 0,
+      currentEvidence: 0,
     },
     {
-      control: "Management of technical vulnerabilities",
+      control: "Capacity management",
       description:
-        "Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
+        "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
       currentEvidence: 0,
       maxEvidence: 0,
     },
     {
-      control: "Configuration management",
+      control: "Protection against malware",
       description:
-        "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
+        "Protection against malware shall be implemented and supported by appropriate user awareness.",
       currentEvidence: 0,
       maxEvidence: 0,
     },
@@ -457,55 +505,13 @@ export const isoComplianceControls = {
       maxEvidence: 0,
       currentEvidence: 0,
     },
-    {
-      control: "Secure development life cycle",
-      description:
-        "Rules for the secure development of software and systems shall be established and applied.",
-      maxEvidence: 4,
-      currentEvidence: 0,
-    },
-    {
-      control: "Application security requirements",
-      description:
-        "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
-      maxEvidence: 1,
-      currentEvidence: 1,
-    },
-    {
-      control: "Secure system architecture and engineering principles",
-      description:
-        "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
-      maxEvidence: 0,
-      currentEvidence: 0,
-    },
-    {
-      control: "Secure coding",
-      description:
-        "Secure coding principles shall be applied to software development.",
-      maxEvidence: 2,
-      currentEvidence: 0,
-    },
-    {
-      control: "Security testing in development and acceptance",
-      description:
-        "Security testing processes shall be defined and implemented in the development life cycle.",
-      maxEvidence: 10,
-      currentEvidence: 0,
-    },
     {
       control: "Outsourced development",
       description:
         "The organization shall direct, monitor and review the activities related to outsourced system development.",
       maxEvidence: 0,
       currentEvidence: 0,
     },
-    {
-      control: "Separation of development, test and production environments",
-      description:
-        "Development, testing and production environments shall be separated and secured.",
-      maxEvidence: 1,
-      currentEvidence: 0,
-    },
     {
       control: "Change management",
       description:

diff --git a/src/pages/[organizationSlug]/projects/[projectSlug]/assets/[assetSlug]/compliance.tsx b/src/pages/[organizationSlug]/projects/[projectSlug]/assets/[assetSlug]/compliance.tsx
@@ -157,11 +157,77 @@ const Compliance = ({ flaws }: { flaws: Paged<DetailedFlawDTO> }) => {
                   collects to demonstrate that your company fulfills the
                   requirements of that control.
                 </p>
+
+                <p>
+                  DevGuard helps you to implement the following controls from
+                  the ISO 27001:
+                </p>
+
+                <div className="grid grid-cols-12 font-bold">
+                  <div className="col-span-10">Control name</div>
+                  <div>Evidence</div>
+                </div>
+                {isoComplianceControls.technologicalControlsDevGuardSupport.map(
+                  (el) => (
+                    <Collapsible key={el.control} title={el.control}>
+                      <CollapsibleControlTrigger
+                        maxEvidence={el.maxEvidence}
+                        currentEvidence={el.currentEvidence}
+                      >
+                        <div className="grid w-full grid-cols-12 flex-row justify-between">
+                          <div className="col-span-11 text-left">
+                            {el.control}
+                          </div>
+                        </div>
+                      </CollapsibleControlTrigger>
+                      <div className="border-b">
+                        <CollapsibleContent className=" py-2 text-sm text-muted-foreground">
+                          <div>{el.description}</div>
+                        </CollapsibleContent>
+                      </div>
+                    </Collapsible>
+                  ),
+                )}
+
+                <p>
+                  DevGuard inserts the following controls from the ISO 27001
+                </p>
+
+                <div className="grid grid-cols-12 font-bold">
+                  <div className="col-span-10">Control name</div>
+                  <div>Evidence</div>
+                </div>
+                {isoComplianceControls.technologicalControlsDevGuardInsertion.map(
+                  (el) => (
+                    <Collapsible key={el.control} title={el.control}>
+                      <CollapsibleControlTrigger
+                        maxEvidence={el.maxEvidence}
+                        currentEvidence={el.currentEvidence}
+                      >
+                        <div className="grid w-full grid-cols-12 flex-row justify-between">
+                          <div className="col-span-11 text-left">
+                            {el.control}
+                          </div>
+                        </div>
+                      </CollapsibleControlTrigger>
+                      <div className="border-b">
+                        <CollapsibleContent className=" py-2 text-sm text-muted-foreground">
+                          <div>{el.description}</div>
+                        </CollapsibleContent>
+                      </div>
+                    </Collapsible>
+                  ),
+                )}
+
                 <div className="grid grid-cols-12 font-bold">
                   <div className="col-span-10">Control name</div>
                   <div>Evidence</div>
                 </div>
 
+                <p>
+                  DevGuard does NOT supports the following controls from the ISO
+                  27001:
+                </p>
                 {isoComplianceControls.technologicalControls.map((el) => (
                   <Collapsible key={el.control} title={el.control}>
                     <CollapsibleControlTrigger