diff --git a/src/components/compliance/complianceElements.tsx b/src/components/compliance/complianceElements.tsx
index d95809d..338dd6c 100644
--- a/src/components/compliance/complianceElements.tsx
+++ b/src/components/compliance/complianceElements.tsx
@@ -288,25 +288,56 @@ export const bsiComplianceControls = (asset: AssetDTO) => ({
 });
 
 export const isoComplianceControls = {
- technologicalControls: [
+ technologicalControlsDevGuardSupport: [
 {
- control: "User end point devices",
+ control: "Management of technical vulnerabilities",
 description:
- "Information stored on, processed by or accessible via user end point devices shall be protected.",
- maxEvidence: 0,
+ "Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
 currentEvidence: 0,
+ maxEvidence: 0,
 },
 {
- control: "Privileged access rights",
+ control: "Configuration management",
 description:
- "The allocation and use of privileged access rights shall be restricted and managed.",
+ "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
+ currentEvidence: 0,
 maxEvidence: 0,
+ },
+ {
+ control: "Secure development life cycle",
+ description:
+ "Rules for the secure development of software and systems shall be established and applied.",
+ maxEvidence: 4,
 currentEvidence: 0,
 },
 {
- control: "Information access restriction",
+ control: "Application security requirements",
 description:
- "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
+ "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
+ maxEvidence: 1,
+ currentEvidence: 1,
+ },
+ {
+ control: "Secure coding",
+ description:
+ "Secure coding principles shall be applied to software development.",
+ maxEvidence: 2,
+ currentEvidence: 0,
+ },
+ {
+ control: "Security testing in development and acceptance",
+ description:
+ "Security testing processes shall be defined and implemented in the development life cycle.",
+ maxEvidence: 10,
+ currentEvidence: 0,
+ },
+ ],
+
+ technologicalControlsDevGuardInsertion: [
+ {
+ control: "Privileged access rights",
+ description:
+ "The allocation and use of privileged access rights shall be restricted and managed.",
 maxEvidence: 0,
 currentEvidence: 0,
 },
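Review bot: `isoComplianceControls` is a module-level constant, so the `currentEvidence` values it carries — notably `currentEvidence: 1` on "Application security requirements" in the new `technologicalControlsDevGuardSupport` list — are fixed in source and cannot reflect the asset actually being viewed, whereas the sibling `bsiComplianceControls` on the hunk header is a function of `asset: AssetDTO`; if these counters are meant to be live, this object should take the same shape, and if they are placeholders a comment should say so. The two support-list entries "Management of technical vulnerabilities" and "Configuration management" also keep `maxEvidence: 0`, which presumably renders as 0 of 0 evidence under a heading that says DevGuard helps implement them — worth confirming the quota was not simply left unset. The entries alternate between `currentEvidence`-before-`maxEvidence` and the reverse, here and in the hunk at -325, and nothing ties the three arrays to a common shape; a small declared type would catch a missing or misspelled field: `interface ComplianceControl { control: string; description: string; maxEvidence: number; currentEvidence: number; }` and, if the project's TypeScript is 4.9 or newer, `export const isoComplianceControls = { … } satisfies Record<string, ComplianceControl[]>;`. The `isoComplianceControls` object continues past the end of this hunk.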
@@ -325,30 +356,47 @@ export const isoComplianceControls = {
 currentEvidence: 0,
 },
 {
- control: "Capacity management",
+ control: "Information access restriction",
 description:
- "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
+ "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.",
+ maxEvidence: 0,
 currentEvidence: 0,
+ },
+ {
+ control: "Secure system architecture and engineering principles",
+ description:
+ "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
 maxEvidence: 0,
+ currentEvidence: 0,
 },
 {
- control: "Protection against malware",
+ control: "Separation of development, test and production environments",
 description:
- "Protection against malware shall be implemented and supported by appropriate user awareness.",
+ "Development, testing and production environments shall be separated and secured.",
+ maxEvidence: 1,
 currentEvidence: 0,
+ },
+ ],
+
+ technologicalControls: [
+ {
+ control: "User end point devices",
+ description:
+ "Information stored on, processed by or accessible via user end point devices shall be protected.",
 maxEvidence: 0,
+ currentEvidence: 0,
 },
 {
- control: "Management of technical vulnerabilities",
+ control: "Capacity management",
 description:
- "Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.",
+ "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.",
 currentEvidence: 0,
 maxEvidence: 0,
 },
 {
- control: "Configuration management",
+ control: "Protection against malware",
 description:
- "Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.",
+ "Protection against malware shall be implemented and supported by appropriate user awareness.",
 currentEvidence: 0,
 maxEvidence: 0,
 },
@@ -457,41 +505,6 @@ export const isoComplianceControls = {
 maxEvidence: 0,
 currentEvidence: 0,
 },
- {
- control: "Secure development life cycle",
- description:
- "Rules for the secure development of software and systems shall be established and applied.",
- maxEvidence: 4,
- currentEvidence: 0,
- },
- {
- control: "Application security requirements",
- description:
- "Information security requirements shall be identified, specified and approved when developing or acquiring applications.",
- maxEvidence: 1,
- currentEvidence: 1,
- },
- {
- control: "Secure system architecture and engineering principles",
- description:
- "Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.",
- maxEvidence: 0,
- currentEvidence: 0,
- },
- {
- control: "Secure coding",
- description:
- "Secure coding principles shall be applied to software development.",
- maxEvidence: 2,
- currentEvidence: 0,
- },
- {
- control: "Security testing in development and acceptance",
- description:
- "Security testing processes shall be defined and implemented in the development life cycle.",
- maxEvidence: 10,
- currentEvidence: 0,
- },
 {
 control: "Outsourced development",
 description:
@@ -499,13 +512,6 @@ export const isoComplianceControls = {
 maxEvidence: 0,
 currentEvidence: 0,
 },
- {
- control: "Separation of development, test and production environments",
- description:
- "Development, testing and production environments shall be separated and secured.",
- maxEvidence: 1,
- currentEvidence: 0,
- },
 {
 control: "Change management",
 description:
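Review bot: Nothing in this file says what qualifies a control for `technologicalControlsDevGuardInsertion` as opposed to `technologicalControlsDevGuardSupport` or the remaining `technologicalControls`; the only hint is the heading text in compliance.tsx, and the split is hard to audit without it. A one-line comment above each key would fix that, e.g. above the list closed in this hunk: `// ISO 27001 technological controls rendered under "DevGuard inserts the following controls"` and correspondingly `// … rendered under "DevGuard helps you to implement the following controls"` and `// … rendered under "DevGuard does not support the following controls"`. Within the insertion list, "Separation of development, test and production environments" is the only entry with a non-zero `maxEvidence` (1); the others carry `maxEvidence: 0`, so if evidence is expected for a control DevGuard inserts, those look unset — confirm rather than assume. The `isoComplianceControls` object starts before and ends after this hunk.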
diff --git a/src/pages/[organizationSlug]/projects/[projectSlug]/assets/[assetSlug]/compliance.tsx b/src/pages/[organizationSlug]/projects/[projectSlug]/assets/[assetSlug]/compliance.tsx
index ed90dac..34caace 100644
--- a/src/pages/[organizationSlug]/projects/[projectSlug]/assets/[assetSlug]/compliance.tsx
+++ b/src/pages/[organizationSlug]/projects/[projectSlug]/assets/[assetSlug]/compliance.tsx
@@ -157,11 +157,77 @@ const Compliance = ({ flaws }: { flaws: Paged }) => {
 collects to demonstrate that your company fulfills the requirements of that control.

+ +

+ DevGuard helps you to implement the following controls from + the ISO 27001: +

+ +
+
Control name
+
Evidence
+
+ {isoComplianceControls.technologicalControlsDevGuardSupport.map( + (el) => ( + + +
+
+ {el.control} +
+
+
+
+ +
{el.description}
+
+
+
+ ), + )} + +

+ DevGuard inserts the following controls from the ISO 27001 +

+ +
+
Control name
+
Evidence
+
+ {isoComplianceControls.technologicalControlsDevGuardInsertion.map( + (el) => ( + + +
+
+ {el.control} +
+
+
+
+ +
{el.description}
+
+
+
+ ), + )} +
Control name
Evidence
+

+ DevGuard does NOT supports the following controls from the ISO + 27001: +

{isoComplianceControls.technologicalControls.map((el) => (