TWN-Systems/DigitalSoverigntyGPT

Digital Sovereignty GPT - Asset Files

This repository contains structured asset files for a custom GPT designed to perform Sovereign Ops operational analysis—comprehensive, sovereignty-aware threat and dependency mapping for any organization.


Purpose

These files provide:

  • Schema definitions (XML Schema for validation)
  • Configuration (JSON schema and framework definitions)
  • Documentation (Markdown instructions, glossary, templates)
  • Examples (Sample operational profiles)

They are designed to be machine-parsable and human-readable, with no scripts or CI tooling—just clean, atomic content.


Files in This Repository

Schema & Configuration

| File | Format | Purpose |
|---|---|---|
| schema.xsd | XML Schema | Formal XML schema definition for Sovereign Ops profiles |
| config.json | JSON | Configuration schema for analysis framework settings |
| framework-definition.json | JSON | Complete framework specification with phases, taxonomy, and rules |
| creature-taxonomy.json | JSON | Comprehensive taxonomy of all creature categories |

ISO Compliance Modules

| File | Format | Purpose |
|---|---|---|
| iso-27001-mapping.json | JSON | ISO 27001:2022 - 93 Annex A controls with full guidance and Sovereign Ops mapping |
| iso-27002-mapping.json | JSON | ISO 27002:2022 - 114 detailed security controls with implementation guidance |
| iso-28000-mapping.json | JSON | ISO 28000:2022 - Supply chain security requirements |
| iso-9001-mapping.json | JSON | ISO 9001:2015 - Quality management system requirements |
| compliance-matrix.json | JSON | Cross-reference mapping between ISO standards, Essential Eight, NIST CSF, CIS, SMB1001 |

Australian & SMB Frameworks

| File | Format | Purpose |
|---|---|---|
| essential-eight-mapping.json | JSON | ACSC Essential Eight - All 8 strategies with Maturity Levels 0-3, kill-switch prioritization |
| nist-csf-smb-mapping.json | JSON | NIST Cybersecurity Framework 2.0 - Small Business Quick Start with free tools and quick wins |
| cis-controls-smb-mapping.json | JSON | CIS Controls v8 IG1 - 56 foundational safeguards for small organizations |
| smb1001-mapping.json | JSON | SMB1001 (Digital Standards Institute) - 15 baseline requirements with 30/60/90 day plan |
| essential-eight-maturity-assessment.md | Markdown | Assessment template for determining Essential Eight maturity levels |
| smb-security-baseline.md | Markdown | Consolidated security baseline combining all SMB frameworks with cost estimates |

Documentation

| File | Format | Purpose |
|---|---|---|
| gpt-instructions.md | Markdown | Complete system prompt and instructions (includes Audit, Essential Eight, and SMB Baseline modes) |
| glossary.md | Markdown | Definitions of all terms, tags, and classifications |
| README.md | Markdown | This file: overview and usage guide |

Compliance Templates

| File | Format | Purpose |
|---|---|---|
| iso-27001-evidence-template.md | Markdown | Evidence collection template for ISO 27001 audit |
| iso-gap-analysis-template.md | Markdown | Gap analysis template for all ISO standards |
| audit-artifact-generator.md | Markdown | Instructions for generating ISO-compliant audit artifacts |

Examples

| File | Format | Purpose |
|---|---|---|
| example-profile.xml | XML | Sample operational profile for a fictional MSP |

How to Use These Files

For GPT Configuration

  1. Upload all files to your custom GPT's knowledge base (24 core files)
  2. Use gpt-instructions.md as the primary system prompt (includes Audit Preparation, Essential Eight, and SMB Baseline modes)
  3. Reference framework files during analysis:
    • glossary.md - Term definitions
    • framework-definition.json - 5-phase process
    • creature-taxonomy.json - Creature enumeration guide
    • ISO mapping files - Compliance controls and guidance
    • Essential Eight, NIST CSF, CIS, SMB1001 mapping files - Australian and SMB frameworks
    • compliance-matrix.json - Cross-framework mapping showing implementation overlaps

For Operational Analysis

  • Follow the 5-phase Sovereign Ops Framework in gpt-instructions.md
  • Use creature taxonomy to ensure comprehensive enumeration
  • Apply sovereignty tagging (OWNED vs DEPENDENT)
  • Classify blast radius (Red/Amber/Green)
  • Prioritize kill switches (Red blast radius) first

For ISO Compliance Analysis

When preparing for ISO audits or certification:

  1. Complete standard Sovereign Ops analysis (Phases 1-4)
  2. Activate Audit Preparation Mode (Phase 5)
  3. GPT will automatically:
    • Cross-reference outputs against ISO control requirements
    • Identify compliance gaps
    • Generate audit artifacts using templates
    • Prioritize gaps by blast radius

For Essential Eight Maturity Assessment (Australian Entities)

When assessing Essential Eight maturity:

  1. Complete standard Sovereign Ops analysis (Phases 1-4)
  2. Activate Essential Eight Maturity Assessment Mode (Phase 5)
  3. Use essential-eight-maturity-assessment.md template
  4. GPT will automatically:
    • Assess maturity level (0-3) for each of 8 strategies
    • Prioritize kill-switch strategies first (Admin Privileges, MFA, Backups)
    • Generate maturity progression roadmap
    • Show cross-framework efficiency with ISO 27001

For Small Business Security Baseline

When working with resource-constrained organizations:

  1. Complete standard Sovereign Ops analysis (Phases 1-4)
  2. Activate SMB Baseline Mode (Phase 5)
  3. Use smb-security-baseline.md consolidated baseline
  4. GPT will automatically:
    • Provide 30/60/90 day implementation roadmap
    • Recommend free/low-cost tools (Windows Defender, Bitwarden, OpenVAS)
    • Identify "Quick Wins" (hours/days, not months)
    • Provide cost estimates ($0-500 basic, $500-2000 intermediate, $2000-5000+ advanced)
    • Show multi-framework efficiency (one implementation = multiple standards)

For Validation

  • Use schema.xsd to validate any XML outputs against the Sovereign Ops schema
  • Use config.json as a JSON Schema to validate configuration files
  • Use ISO mapping files to validate compliance assessments

For Templates

  • Reference example-profile.xml for operational profile structure
  • Use iso-27001-evidence-template.md for audit evidence collection
  • Use iso-gap-analysis-template.md for compliance gap analysis
  • Follow audit-artifact-generator.md for generating ISO-compliant documentation

Framework Overview

The Sovereign Ops Blueprint Framework is a five-phase analysis process:

Phase 1: Build the Master Creature Index

Enumerate all "creatures" (assets, dependencies, people, processes, contracts, vendors, technologies, threats, failure modes) across 20+ categories.

Phase 2: Group Creatures Into Domains

Cluster creatures into operational domains (e.g., Physical Infrastructure, Identity & Access, Finance & Vendor Control).

Phase 3: Produce the Sovereign Ops Ledger

For each domain, create a comprehensive ledger with:

  • Purpose
  • BOM (Bill of Materials)
  • SBOM (Software Bill of Materials)
  • Human Access Map
  • Threat/Failure Surfaces
  • Kill Switch Identification
  • Degree of Sovereignty
  • Blast Radius

Phase 4: Blast Radius Ranking

Classify all elements by catastrophic potential:

  • Red = System-killer; total operational collapse
  • Amber = Severe disruption, major recovery required
  • Green = Low impact, manageable incidents

Phase 5: Output the Sovereign Ops Blueprint

Deliver actionable intelligence including:

  • Engineering onboarding materials
  • Kill-switch topology awareness
  • Platform design inputs
  • Compliance framework mapping (ISO, NIST, SOC2)
  • Principal findings and next steps

Key Concepts

Sovereignty Tags

  • OWNED = Entity has operational AND legal control
  • DEPENDENT = External party can suspend or materially impact operations

Criticality Levels

  • High = System-critical; immediate operational impact
  • Med = Important; significant disruption but workarounds exist
  • Low = Minimal impact; manageable with existing processes

Blast Radius

  • Red = Kill switch; total collapse
  • Amber = Severe degradation
  • Green = Low impact

Style Guidelines

  • Direct engineering language; no corporate euphemism
  • Frame risks as explicit failure conditions, not "areas of concern"
  • Tables first, paragraphs only when necessary
  • Always ask: "If this fails, who is affected first?"
  • No vague qualifiers ("usually", "probably") in critical fields

File Formats

Why XML?

  • Formal schema validation via XSD
  • Hierarchical structure fits operational domains well
  • Industry-standard for structured data interchange

Why JSON?

  • Configuration and taxonomy definitions are naturally nested
  • Easy to parse programmatically
  • Standard for modern API integrations

Why Markdown?

  • Human-readable documentation
  • GPT-friendly formatting
  • Version control friendly (diffable text)

Usage in Custom GPT

When configuring your custom GPT:

  1. Knowledge Base: Upload all files
  2. System Prompt: Use gpt-instructions.md as base instructions
  3. Reference Materials: Point to glossary.md, framework-definition.json, creature-taxonomy.json for structured queries
  4. Validation: Use schema.xsd to validate XML outputs
  5. Examples: Use example-profile.xml to demonstrate expected output format

Maintenance

When to Update

  • New creature categories identified during analysis
  • Framework phases evolve or expand
  • Terminology ambiguities discovered
  • User feedback reveals gaps

How to Update

  1. Edit relevant files (schema, config, docs)
  2. Update version numbers in config.json and framework-definition.json
  3. Regenerate example files if schema changes
  4. Document changes in commit messages

Validation Checklist

Before using these files with a GPT, verify:

  • All JSON files are valid JSON (use jq or JSON validator)
  • XML example validates against schema.xsd
  • Markdown files render correctly
  • Cross-references between files are accurate (e.g., glossary terms match framework definitions)
  • Version numbers are consistent across files
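An added example of running this checklist (and the schema checks listed under "For Validation") over a checkout directory; it is written for this README and is not code from the repository. It assumes config.json and framework-definition.json carry a top-level `version` key; XSD validation uses lxml when it is installed and otherwise falls back to a standard-library well-formedness check.

```python
import json
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

VERSIONED = ("config.json", "framework-definition.json")  # must carry the same version

def check_repo(repo):
    """Return checklist failures for the asset files under `repo` (empty list = pass)."""
    repo, problems, versions = Path(repo), [], {}
    for path in sorted(repo.glob("*.json")):             # every JSON file must parse
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            problems.append(f"{path.name}: invalid JSON at line {exc.lineno}: {exc.msg}")
            continue
        if path.name in VERSIONED:                        # assumed top-level "version" key
            versions[path.name] = data.get("version") if isinstance(data, dict) else None
    if len(versions) != len(VERSIONED) or len(set(versions.values())) != 1:
        problems.append(f"version numbers inconsistent: {versions}")
    try:                                                  # full XSD validation needs lxml
        from lxml import etree
        schema = etree.XMLSchema(etree.parse(str(repo / "schema.xsd")))
        if not schema.validate(etree.parse(str(repo / "example-profile.xml"))):
            problems.append(f"example-profile.xml: {schema.error_log.last_error}")
    except ImportError:                                   # stdlib fallback: well-formedness only
        for name in ("schema.xsd", "example-profile.xml"):
            try:
                ET.parse(repo / name)
            except (ET.ParseError, OSError) as exc:
                problems.append(f"{name}: {exc}")
    except (etree.LxmlError, OSError) as exc:             # malformed XML/XSD or missing file
        problems.append(f"XML/XSD: {exc}")
    return problems

SAMPLE_FILES = {  # constructed stand-ins, not the repository's real contents
    "config.json": '{"version": "1.2.0", "phases": 5}',
    "framework-definition.json": '{"version": "1.1.0"}',                 # stale version
    "creature-taxonomy.json": '{"categories": ["vendor", "account",]}',   # trailing comma
    "schema.xsd": '<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"><xs:element name="profile"><xs:complexType>'
                  '<xs:sequence><xs:element name="domain" type="xs:string"/></xs:sequence></xs:complexType></xs:element></xs:schema>',
    "example-profile.xml": "<profile><domain>Identity &amp; Access</domain></profile>",
}

def run_sample(overrides=None):
    # Write the sample files (with any overrides) to a temp dir and run the checklist
    with tempfile.TemporaryDirectory() as d:
        for name, text in {**SAMPLE_FILES, **(overrides or {})}.items():
            (Path(d) / name).write_text(text, encoding="utf-8")
        return check_repo(d)
```

Point `check_repo` at a real checkout to run the checklist; `run_sample()` exercises it on the constructed files, which deliberately contain a stale version and a JSON syntax error.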

Anti-Patterns to Avoid

Vague Sovereignty

Bad: "Mostly owned but sometimes dependent"
Good: Tag as DEPENDENT (default to conservative assessment)

Ambiguous Criticality

Bad: "Sort of important"
Good: Use High, Med, or Low explicitly

Unclear Failure Triggers

Bad: "If something goes wrong"
Good: "Account suspension after 30 days non-payment"

Abstract Creatures

Bad: "Various cloud services"
Good: "AWS EC2, AWS RDS, AWS S3, CloudFlare DNS"


ISO Compliance Integration

Supported Standards

This framework includes comprehensive mappings for:

  • ISO 27001:2022 - Information Security Management (93 Annex A controls)
  • ISO 27002:2022 - Security Controls Implementation (114 detailed controls)
  • ISO 28000:2022 - Supply Chain Security Management
  • ISO 9001:2015 - Quality Management Systems

How ISO Integration Works

  1. During Analysis (Phases 1-4): The GPT uses ISO control families to guide comprehensive creature enumeration and domain structuring
  2. During Audit Preparation (Phase 5): The GPT automatically:
    • Maps operational findings to ISO control requirements
    • Identifies gaps where expected controls are missing
    • Generates ISO-compliant audit artifacts
    • Prioritizes remediation by blast radius
  3. Cross-Standard Efficiency: A single operational improvement can satisfy multiple ISO standards simultaneously:
    • Example: Supplier security assessment → ISO 27001 (A.5.19) + ISO 28000 (8.1) + ISO 9001 (8.4)

Automatic Gap Detection

The framework automatically flags critical gaps including:

  • Shared privileged accounts (ISO 27001 A.8.2) → Always Red (Kill Switch)
  • Critical suppliers without security assessment (ISO 27001 A.5.19, ISO 28000 8.1) → Red if supplier is Kill Switch
  • No supply chain risk assessment (ISO 28000 6.1) → Amber
  • Core processes undocumented (ISO 9001 8.1) → Amber
  • No quality metrics defined (ISO 9001 9.1.1) → Amber
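The flagging rules above, encoded as an added Python example (not code from the repository or its GPT instructions). The creature field names, the `profile` keys, and the Amber outcome for a critical supplier that is not a kill switch are assumptions, not taken from schema.xsd or framework-definition.json:

```python
from dataclasses import dataclass, field

RED, AMBER, GREEN = "Red", "Amber", "Green"
RANK = {RED: 0, AMBER: 1, GREEN: 2}          # Red = kill switch, remediate first

@dataclass
class Creature:
    name: str
    category: str                            # "account", "supplier", "process", ...
    sovereignty: str = "DEPENDENT"           # OWNED or DEPENDENT (conservative default)
    blast_radius: str = GREEN                # Red / Amber / Green
    attrs: dict = field(default_factory=dict)  # assumed per-category facts

@dataclass(frozen=True)
class Gap:
    creature: str
    control: str
    severity: str

def detect_gaps(creatures, profile):
    """Apply the README's automatic flagging rules. `profile` carries the
    organisation-wide facts (assumed keys); the result is sorted Red first."""
    gaps = []
    for c in creatures:
        a = c.attrs
        if c.category == "account" and a.get("shared") and a.get("privileged"):
            gaps.append(Gap(c.name, "ISO 27001 A.8.2", RED))        # always Red
        if c.category == "supplier" and a.get("critical") and not a.get("security_assessed"):
            # Red if the supplier is itself a kill switch; Amber otherwise (assumption)
            sev = RED if c.blast_radius == RED else AMBER
            gaps.append(Gap(c.name, "ISO 27001 A.5.19 / ISO 28000 8.1", sev))
        if c.category == "process" and a.get("core") and not a.get("documented"):
            gaps.append(Gap(c.name, "ISO 9001 8.1", AMBER))
    if not profile.get("supply_chain_risk_assessment"):
        gaps.append(Gap("<organisation>", "ISO 28000 6.1", AMBER))
    if not profile.get("quality_metrics_defined"):
        gaps.append(Gap("<organisation>", "ISO 9001 9.1.1", AMBER))
    return sorted(gaps, key=lambda g: (RANK[g.severity], g.creature))

# Constructed ledger for a fictional MSP; not the repository's example-profile.xml
SAMPLE_CREATURES = [
    Creature("svc-backup-admin", "account", "OWNED", RED, {"shared": True, "privileged": True}),
    Creature("CloudFlare DNS", "supplier", "DEPENDENT", RED, {"critical": True, "security_assessed": False}),
    Creature("Stationery vendor", "supplier", "DEPENDENT", GREEN, {"critical": False}),
    Creature("Client onboarding", "process", "OWNED", AMBER, {"core": True, "documented": False}),
]
SAMPLE_PROFILE = {"supply_chain_risk_assessment": False, "quality_metrics_defined": True}
```

`detect_gaps(SAMPLE_CREATURES, SAMPLE_PROFILE)` returns the two Red gaps (the shared admin account and the unassessed kill-switch supplier) ahead of the Amber ones, which is the order the audit preparation mode remediates them in.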

Audit Artifacts Generated

When in Audit Preparation Mode, the GPT generates:

  1. Control Implementation Statements - Detailed compliance status for each ISO control
  2. Gap Analysis Reports - Prioritized remediation roadmap (Red/Amber/Green)
  3. Evidence Collection - Cross-referenced to Sovereign Ops outputs
  4. Compliance Percentage - Overall conformity assessment per standard
  5. Remediation Plans - Timeline, ownership, resource requirements

Benefits of Integrated Compliance

  • Single Analysis, Multiple Standards: One operational assessment produces compliance evidence for all ISO standards
  • Priority-Driven: Blast Radius ensures critical operational risks = critical compliance gaps
  • Evidence-Based: Every compliance assessment references specific operational findings (not generic)
  • Efficiency: Identifies where one improvement satisfies multiple standards
  • Audit-Ready: Generated artifacts meet auditor evidence requirements

License

[Specify your license here—e.g., MIT, Apache 2.0, proprietary]


Changelog

v1.2.0 (2025-01-15)

  • Added Australian & SMB Frameworks Integration
    • Essential Eight (ACSC) mapping with Maturity Levels 0-3 for all 8 strategies
    • NIST Cybersecurity Framework 2.0 - Small Business Quick Start
    • CIS Controls v8 - Implementation Group 1 (IG1 - 56 foundational safeguards)
    • SMB1001 (Digital Standards Institute) - 15 baseline requirements with 30/60/90 day plan
    • Essential Eight maturity assessment template
    • Consolidated SMB security baseline combining all frameworks
  • Added Essential Eight Maturity Assessment Mode
    • Automatic maturity level (0-3) determination for each strategy
    • Kill-switch strategy prioritization (#5 Admin, #7 MFA, #8 Backups)
    • Maturity progression roadmap with cost/time estimates
    • Cross-framework integration with ISO 27001
  • Added SMB Baseline Mode
    • 30/60/90 day implementation roadmap
    • Free/low-cost tool recommendations (Windows Defender, Bitwarden, OpenVAS)
    • "Quick Wins" identification (hours/days, not months)
    • Cost estimates for Basic ($0-500), Intermediate ($500-2000), Advanced ($2000-5000+) tiers
    • Multi-framework efficiency highlighting (one implementation = multiple standards)
  • Updated Compliance Matrix
    • Cross-framework control mapping for all 8 frameworks
    • 15 common security controls mapped across Essential Eight, ISO, NIST CSF, CIS, SMB1001
    • SMB implementation roadmap with 30/60/90 day priorities
    • Maturity assessment cross-reference for all frameworks
  • Updated GPT Instructions
    • Integrated Essential Eight Maturity Assessment Mode
    • Integrated SMB Baseline Mode
    • Kill-switch prioritization guidance
    • Free/low-cost tool recommendation requirements
  • Total Files: 24 (up from 16)

v1.1.0 (2025-01-15)

  • Added ISO Compliance Integration
    • ISO 27001:2022 mapping (93 Annex A controls with full guidance)
    • ISO 27002:2022 mapping (114 detailed controls with implementation steps)
    • ISO 28000:2022 mapping (Supply chain security requirements)
    • ISO 9001:2015 mapping (Quality management requirements)
    • Compliance matrix for cross-standard mapping
  • Added Audit Preparation Mode
    • Automatic gap identification against ISO requirements
    • ISO-compliant audit artifact generation
    • Evidence collection templates
    • Gap analysis and remediation roadmap templates
  • Updated GPT Instructions
    • Integrated Audit Preparation Mode activation and workflow
    • ISO control cross-referencing during all analysis phases
    • Automatic critical gap flagging rules
  • Total Files: 16 (up from 8)

v1.0.0 (2025-01-15)

  • Initial release
  • Complete schema definitions (XML, JSON)
  • GPT instructions and glossary
  • Example operational profile
  • Framework definition and creature taxonomy

Contributing

[Specify contribution guidelines if this is a collaborative project]


Support

For questions or issues:

  • Review glossary.md for terminology clarification
  • Check example-profile.xml for formatting guidance
  • Refer to gpt-instructions.md for framework usage

Quick Reference

| Concept | Values |
|---|---|
| Sovereignty | OWNED, DEPENDENT |
| Criticality | High, Med, Low |
| Blast Radius | Red, Amber, Green |
| Location | Internal, External |
| Data Classes | PII, Payment, Telemetry, CustomerContent |

This repository contains atomic, machine-parsable assets for operational threat and dependency analysis. No scripts. No CI. Just structure and content.
