feat(system): ISO 27001:2022 compliance schemas — incident response, supplier security, training, audit governance

ROADMAP.md

@@ -543,6 +543,31 @@ business/custom objects, aligning with industry best practices (e.g., ServiceNow
 - [ ] GDPR/CCPA compliance utilities (right to erasure, data export)
 - [ ] Change management and approval workflows for schema changes
 
+### 6.5 ISO 27001:2022 Compliance
+
+> **Goal:** Full schema coverage for ISO 27001:2022 Annex A controls to support certification readiness.
+
+#### 6.5.1 High Priority (Certification Blockers) — ✅ Schema Complete
+
+- [x] **Incident Response Protocol** (A.5.24–A.5.28) — `system/incident-response.zod.ts`: Incident classification, severity grading, response phases, notification matrix, escalation policies
+- [x] **Audit Scheduling & Finding Tracking** (A.5.35) — `system/compliance.zod.ts`: AuditScheduleSchema, AuditFindingSchema for independent review and remediation tracking
+- [x] **Change Management Security Approval** (A.8.32) — `system/change-management.zod.ts`: SecurityImpactAssessment with risk level, data classification, security reviewer workflow
+
+#### 6.5.2 Medium Priority (Compliance Completeness) — ✅ Schema Complete
+
+- [x] **Supplier Security Assessment** (A.5.19–A.5.22) — `system/supplier-security.zod.ts`: Supplier risk levels, security requirements, assessment lifecycle, remediation tracking
+- [x] **Information Security Training** (A.6.3) — `system/training.zod.ts`: Training courses, completion records, organizational training plans with recertification
+
+#### 6.5.3 Medium Priority (Pending)
+
+- [ ] **OAuth Scope Binding** (A.8.1) — API endpoint schema with required OAuth scopes
+- [ ] **Permission Registry** (A.8.2) — Transform `manifest.permissions` from `string[]` to structured registry enum
+
+#### 6.5.4 Low Priority (Enhancements)
+
+- [ ] Permission delegation and temporary privilege elevation protocol (AWS STS-style)
+- [ ] Device trust policy extensions
+
 ---
 
 ## Phase 7: AI & Intelligence (🔴 Planned)

packages/spec/src/system/change-management.test.ts

@@ -653,4 +653,120 @@ describe('ChangeRequestSchema', () => {
 
     expect(() => ChangeRequestSchema.parse(rolledBackChange)).not.toThrow();
   });
+
+  it('should accept change with security impact assessment (A.8.32)', () => {
+    const changeWithSecurityImpact = {
+      id: 'CHG-2024-SEC-001',
+      title: 'API Gateway Configuration Change',
+      description: 'Update API gateway security headers',
+      type: 'normal',
+      priority: 'high',
+      status: 'approved',
+      requestedBy: 'security_team',
+      requestedAt: Date.now(),
+      impact: {
+        level: 'high',
+        affectedSystems: ['api-gateway'],
+      },
+      implementation: {
+        description: 'Update security headers',
+        steps: [
+          {
+            order: 1,
+            description: 'Deploy configuration',
+            estimatedMinutes: 10,
+          },
+        ],
+      },
+      rollbackPlan: {
+        description: 'Revert configuration',
+        steps: [
+          {
+            order: 1,
+            description: 'Restore previous config',
+            estimatedMinutes: 5,
+          },
+        ],
+      },
+      securityImpact: {
+        assessed: true,
+        riskLevel: 'high',
+        affectedDataClassifications: ['pii', 'confidential'],
+        requiresSecurityApproval: true,
+        reviewedBy: 'ciso',
+        reviewedAt: Date.now(),
+        reviewNotes: 'Approved with monitoring requirement',
+      },
+    };
+
+    const parsed = ChangeRequestSchema.parse(changeWithSecurityImpact);
+    expect(parsed.securityImpact?.assessed).toBe(true);
+    expect(parsed.securityImpact?.riskLevel).toBe('high');
+    expect(parsed.securityImpact?.requiresSecurityApproval).toBe(true);
+  });
+
+  it('should accept change with minimal security impact', () => {
+    const change = {
+      id: 'CHG-2024-SEC-002',
+      title: 'Minor UI Change',
+      description: 'Update button color',
+      type: 'standard',
+      priority: 'low',
+      status: 'draft',
+      requestedBy: 'user_123',
+      requestedAt: Date.now(),
+      impact: {
+        level: 'low',
+        affectedSystems: ['ui'],
+      },
+      implementation: {
+        description: 'Update CSS',
+        steps: [{ order: 1, description: 'Deploy', estimatedMinutes: 5 }],
+      },
+      rollbackPlan: {
+        description: 'Revert CSS',
+        steps: [{ order: 1, description: 'Revert', estimatedMinutes: 5 }],
+      },
+      securityImpact: {
+        assessed: true,
+        riskLevel: 'none',
+      },
+    };
+
+    const parsed = ChangeRequestSchema.parse(change);
+    expect(parsed.securityImpact?.riskLevel).toBe('none');
+    expect(parsed.securityImpact?.requiresSecurityApproval).toBe(false);
+  });
+
+  it('should accept all security risk levels', () => {
+    const levels = ['none', 'low', 'medium', 'high', 'critical'] as const;
+
+    levels.forEach((riskLevel) => {
+      const change = {
+        id: `CHG-${riskLevel}`,
+        title: 'Test',
+        description: 'Test',
+        type: 'standard',
+        priority: 'low',
+        status: 'draft',
+        requestedBy: 'user',
+        requestedAt: Date.now(),
+        impact: { level: 'low', affectedSystems: ['test'] },
+        implementation: {
+          description: 'Test',
+          steps: [{ order: 1, description: 'Test', estimatedMinutes: 5 }],
+        },
+        rollbackPlan: {
+          description: 'Test',
+          steps: [{ order: 1, description: 'Test', estimatedMinutes: 5 }],
+        },
+        securityImpact: {
+          assessed: true,
+          riskLevel,
+        },
+      };
+
+      expect(() => ChangeRequestSchema.parse(change)).not.toThrow();
+    });
+  });
 });

packages/spec/src/system/change-management.zod.ts

@@ -1,6 +1,7 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
 import { z } from 'zod';
+import { DataClassificationSchema } from './security-context.zod';
 
 /**
  * Change Type Enum
@@ -319,6 +320,52 @@ export const ChangeRequestSchema = z.object({
     actualEnd: z.number().optional().describe('Actual end time'),
   }).optional().describe('Schedule'),
 
+  /**
+   * Security impact assessment for the change (A.8.32)
+   */
+  securityImpact: z.object({
+    /**
+     * Whether a security impact assessment has been performed
+     */
+    assessed: z.boolean().describe('Whether security impact has been assessed'),
+
+    /**
+     * Security risk level of this change
+     */
+    riskLevel: z.enum(['none', 'low', 'medium', 'high', 'critical']).optional()
+      .describe('Security risk level'),
+
+    /**
+     * Data classifications affected by this change
+     */
+    affectedDataClassifications: z.array(DataClassificationSchema)
+      .optional().describe('Affected data classifications'),
+
+    /**
+     * Whether the change requires security team approval
+     */
+    requiresSecurityApproval: z.boolean().default(false)
+      .describe('Whether security team approval is required'),
+
+    /**
+     * Security reviewer user ID
+     */
+    reviewedBy: z.string().optional()
+      .describe('Security reviewer user ID'),
+
+    /**
+     * Security review completion timestamp (Unix milliseconds)
+     */
+    reviewedAt: z.number().optional()
+      .describe('Security review timestamp'),
+
+    /**
+     * Security review notes or conditions
+     */
+    reviewNotes: z.string().optional()
+      .describe('Security review notes or conditions'),
+  }).optional().describe('Security impact assessment per ISO 27001:2022 A.8.32'),
+
   /**
    * Approval workflow configuration
    */