| name | isms-compliance |
|---|---|
| description | Hack23 ISMS alignment — ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, EU CRA — with policy citations |
| license | MIT |
Applies when adding features, dependencies, or security controls; editing security code; documenting architecture; touching CI/CD; or handling any sensitive data.
All practices align with Hack23 AB's ISMS-PUBLIC, implementing ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1, GDPR, NIS2, and EU CRA readiness.
| Concern | Policy |
|---|---|
| Overarching governance / incident / transparency | Information Security Policy |
| SDLC / CI / testing / deployment / threat modeling | Secure Development Policy |
| Dependencies / licenses / SBOM / supply chain | Open Source Policy |
| Auth / identity / access | Access Control Policy |
| Encryption / keys / hashing | Cryptography Policy |
| Data handling / classification | Data Classification Policy |
| Personal data / GDPR | Privacy Policy |
| STRIDE / abuse cases / MITRE ATT&CK | Threat Modeling |
| Vulnerability triage + patch SLAs | Vulnerability Management |
| Copilot / LLM / MCP governance | AI Policy |
| Agent / MCP / workflow edits | Change Management |
| BCP / DR / backup | Business Continuity / Disaster Recovery / Backup Recovery |
- Reference ISMS Policies — security-relevant code, docs, and PRs must cite the applicable policy (e.g., "ISMS: SDP §Phase 3")
- Defense in Depth — stack validation + sanitization + encoding + CSP + headers
- Document Decisions — ADRs and threat models cite ISMS policies
- Verify Dependencies — `npm audit` + `npm run test:licenses` + GitHub Advisory DB before adding
- Security Headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options (see SECURITY_HEADERS.md)
- Secure Defaults — unused features off; risky options explicit opt-in
- Least Privilege — minimum token scopes, minimum workflow permissions, minimum tool scopes
- Validate All Inputs — never trust user input (validate / sanitize / encode)
- Encrypt Sensitive Data — AES-256 at rest, TLS 1.3+ in transit, SHA-256+ hashing
- Log Security Events — auth, authorization failures, security-relevant events; never secrets/PII
- Secure SDLC — security baked into design → dev → test → deploy → operate
- Test Security Controls — ≥ 95 % coverage on security-sensitive paths
- Patch within SLA — Critical ≤ 7 d, High ≤ 30 d, Medium ≤ 90 d
- No Production Data in Tests — anonymize / synthesize
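The "Defense in Depth", "Validate All Inputs" and "Log Security Events" principles above are easier to review when they sit together in one code path. The block below is an added example written for this page, not Hack23 project code: it takes an untrusted high-score submission, allow-list validates it, HTML-encodes it for the sink even though validation already excludes markup, and logs the rejection through a logger that strips control characters (log forging), redacts e-mail addresses and tokens, and truncates only after redaction so a partial secret cannot survive the cut. The ISMS citations follow the page's own comment convention; `NAME_RE`, the redaction patterns and the sample inputs are assumptions made for the example.

```typescript
// Added example (not Hack23 code): validation + encoding + redacted security logging.
// ISMS: Secure Development Policy §Phase 2 — Secure Coding (input validation, output encoding)
// ISMS: Information Security Policy — security event logging (no secrets / PII)

/** Allow-list for player names (assumed policy: 1–16 chars, letters/digits/space/_/-). */
const NAME_RE = /^[A-Za-z0-9 _-]{1,16}$/;

export interface ScoreEntry { name: string; score: number; }

export class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ValidationError';
    Object.setPrototypeOf(this, ValidationError.prototype); // keeps instanceof reliable under ES5 targets
  }
}

/** Validate: fail closed on anything outside the allow-list. */
export function validateEntry(input: unknown): ScoreEntry {
  if (typeof input !== 'object' || input === null) throw new ValidationError('entry must be an object');
  const { name, score } = input as Record<string, unknown>;
  if (typeof name !== 'string' || !NAME_RE.test(name.trim())) throw new ValidationError('invalid name');
  if (typeof score !== 'number' || !Number.isSafeInteger(score) || score < 0) throw new ValidationError('invalid score');
  return { name: name.trim(), score };
}

const HTML_ESCAPES: Record<string, string> = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

/** Encode for an HTML text or attribute context; applied even to validated values (defense in depth). */
export function encodeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

/** Render one score row using only encoded values. */
export function renderRow(entry: ScoreEntry): string {
  return `<li data-name="${encodeHtml(entry.name)}">${encodeHtml(entry.name)}: ${entry.score}</li>`;
}

/** Redaction rules (assumed for the example); applied in order to every log line. */
const REDACTIONS: Array<[RegExp, string]> = [
  [/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, '[email]'],           // e-mail addresses (PII)
  [/\b(ghp|gho|ghs|github_pat)_[A-Za-z0-9_]{20,}\b/g, '[token]'],           // GitHub token shapes
  [/(bearer\s+)[A-Za-z0-9._~+/=-]+/gi, '$1[token]'],                       // Authorization: Bearer …
  [/\b[0-9a-f]{32,}\b/gi, '[hex]'],                                        // long hex blobs (keys, hashes)
];

export function redact(message: string): string {
  return REDACTIONS.reduce((m, [re, repl]) => m.replace(re, repl), message);
}

/** Make an untrusted value safe to echo in a log: strip control chars, redact, then truncate. */
export function safeExcerpt(value: unknown, max = 40): string {
  const noControls = String(value).replace(/[\x00-\x1f\x7f]/g, '?'); // no CR/LF: prevents log forging
  return redact(noControls).slice(0, max);                           // truncate after redaction only
}

export interface SecurityEvent { level: 'warn'; event: string; detail: string; }

/** Sink-agnostic structured security logger; redacts unconditionally as the last line of defense. */
export function securityEvent(
  event: string,
  detail: string,
  sink: (e: SecurityEvent) => void = (e) => console.warn(JSON.stringify(e)),
): SecurityEvent {
  const e: SecurityEvent = { level: 'warn', event, detail: redact(detail) };
  sink(e);
  return e;
}

/** Full pipeline: HTML row for a valid entry, null (plus a logged, redacted event) for a rejected one. */
export function handleSubmission(raw: unknown, sink?: (e: SecurityEvent) => void): string | null {
  try {
    return renderRow(validateEntry(raw));
  } catch (err) {
    if (err instanceof ValidationError) {
      const name = typeof raw === 'object' && raw !== null ? (raw as Record<string, unknown>).name : undefined;
      securityEvent('highscore.rejected', `${err.message}; name=${safeExcerpt(name)}`, sink);
      return null;
    }
    throw err;
  }
}

// Constructed sample inputs for a stand-alone run.
export const SAMPLE_INPUTS: unknown[] = [
  { name: 'neo', score: 4200 },
  { name: '<img src=x onerror=alert(1)>', score: 10 },
  { name: 'alice@example.com\nFAKE LOG LINE', score: 5 },
];
SAMPLE_INPUTS.forEach((input) => handleSubmission(input));
```

The logger is injected as a `sink` so tests can capture events without touching the console, and the excerpt is redacted before truncation because cutting a raw token at 40 characters still leaks its prefix.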
| Phase | Gate |
|---|---|
| Plan & Design | Classification (CIA triad) + threat model + policy links |
| Develop | OWASP-aligned, typed, no hardcoded secrets, least-privilege tokens |
| Test | CodeQL clean, npm audit clean, coverage ≥ 80 / 70 overall (≥ 95 % on security-sensitive paths) |
| Deploy | SHA-pinned Actions, SLSA L3 attestations, SBOM + SBOMQS ≥ 7.0 |
| Operate | Scorecard ≥ 8.0, Dependabot green, patch SLAs honored, incident drills |
- ISO 27001:2022 — A.5.23, A.5.30, A.8.25, A.8.28, A.8.29, A.8.30, A.8.31, A.8.32
- NIST CSF 2.0 — GV (govern), ID.AM, PR.DS, PR.IR, DE.CM, RS.AN, RC.RP
- CIS Controls v8.1 — 2, 3, 4, 6, 7, 8, 11, 16, 18
- EU CRA — SBOM, CVE handling, security updates, conformity self-assessment
```typescript
/**
 * Persist the high score.
 * ISMS: Secure Development Policy §Phase 2 — Secure Coding (input validation)
 * ISMS: Data Classification Policy — local-only, non-PII
 * Compliance: ISO 27001:2022 A.8.28, NIST CSF PR.DS-1
 */
export function saveHighScore(score: number): void {
  // Reject NaN, ±Infinity and negatives before anything reaches storage.
  if (!Number.isFinite(score) || score < 0) {
    throw new RangeError('Invalid score value');
  }
  // Store a canonical integer string; localStorage only holds strings.
  localStorage.setItem('highScore', String(Math.floor(score)));
}
```
- Applicable ISMS policy cited in code, commit, or PR description
- Threat model reviewed if attack surface changed (STRIDE)
- Dependency audit clean; licenses approved
- Security coverage ≥ 95 % on changed security code
- CodeQL + Scorecard + Dependabot status green
- No PII / production data in code, fixtures, or tests
- Docs updated (README / ISMS_POLICY_MAPPING.md / SECURITY.md as applicable)