docs: add ISO cloud services evidence gates#1336
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e8596fffd2
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| handling, data portability, and exit. | ||
|
|
||
| ``` | ||
| ISO-CLOUD-01: Cloud service inventory lacks owner, data classification, region, or business purpose |
There was a problem hiding this comment.
When this gate is followed, the skill now points the reviewer to ISO-CLOUD-* identifiers even though the same skill’s constraints require only real ISO 27001 clauses/Annex A control IDs and prohibit fabricated IDs. Because these labels are introduced without clarifying that they are internal checklist codes, reports driven by the new edge cases can emit non-auditable ISO-looking identifiers instead of tracing the finding back to A.5.23 and related Annex A controls; please either label these as internal checks or make the expected finding identifier the real ISO control mapping.
Useful? React with 👍 / 👎.
1 participant
Summary
Adds an ISO 27001 A.5.23 cloud services evidence gate to
iso27001-gapso cloud services cannot be marked conforming from supplier names or provider certificates alone.Changes
ISO-CLOUD-01throughISO-CLOUD-08for cloud service inventory, shared responsibility, supplier assurance, configuration evidence, data lifecycle, exit readiness, change notifications, and customer-managed controls.Validation
git diff --checkRelated issue
Created from review issue: #1335