ISO 27001 Mapping
How hummbl-governance primitives produce evidence for ISO/IEC
27001:2022 Annex A controls (A.5–A.9, A.12). Generated via
compliance_mapper.generate_iso27001_report().
Control Mappings
A.5 — Information Security Policies
INTENT tuples capture stated objectives, policies, and purpose. Each governance entry records the agent, objective, and phase in the specification pipeline.
Primitives: INTENT tuples
Tests: test_compliance_mapper.py → test_iso27001_intent_maps_to_a5
A.6 — Organization of Information Security
DCTX delegation chains capture organizational structure: who delegates to whom, for what event. This provides evidence of separation of duties and role assignment.
Primitives: DelegationTokenManager, DCTX tuples
Tests: test_compliance_mapper.py → test_iso27001_dctx_maps_to_a6
A.7 — Human Resource Security
DCT and CONTRACT tuples record that agents operate under binding agreements: each delegation token and contract binds an issuer to a subject with scoped operations.
Primitives: DelegationTokenManager, CONTRACT tuples
Tests: test_compliance_mapper.py → test_iso27001_dct_maps_to_a7, test_iso27001_contract_maps_to_a7
A.8 — Asset Management
DCT resource selectors and ATTEST evidence records track which assets (resources) are owned, accessed, and verified; every resource binding is auditable.
Primitives: DCT tuples, ATTEST tuples
Tests: test_compliance_mapper.py → test_iso27001_dct_maps_to_a8, test_iso27001_attest_maps_to_a8
A.9 — Access Control
DCT ops_allowed fields record scoped access: each delegation token restricts which operations (read, write, delete) an agent may perform on which resources.
Primitives: DelegationTokenManager, DCT tuples
Tests: test_compliance_mapper.py → test_iso27001_dct_maps_to_a9
A.12 — Operations Security (Logging & Monitoring)
Every signed governance entry produces auditable operations evidence. The append-only, tamper-evident bus provides continuous logging per A.12 requirements. Tamper-evident means unauthorized changes are detectable on verification, not prevented, and that detection holds only while the signing key is withheld from anyone who can write to the stored log.
Primitives: AuditLog, BusWriter
Tests: test_compliance_mapper.py → test_iso27001_signed_maps_to_a12
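To show what "append-only, tamper-evident" buys in practice, here is an added example of an HMAC-SHA256 hash-chained log and the three tampering cases a verifier does and does not catch. It is illustrative and is not the hummbl-governance AuditLog or BusWriter; the page says only that the bus is append-only, tamper-evident and HMAC-SHA256 signed. The entry layout, the canonical JSON encoding, the chain construction, the sample entries and the out-of-band head anchor are all assumptions for the example.

```python
"""Illustrative HMAC-SHA256 hash-chained audit log (added example, not the
hummbl-governance AuditLog or BusWriter).

Assumed for the example: entry layout, canonical JSON encoding, the chain
construction and the out-of-band head anchor.  The page states only that the
bus is append-only, tamper-evident and HMAC-SHA256 signed.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the tag of the entry before the first one


def canonical(payload):
    """Stable byte encoding so the same payload always yields the same tag."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


class HmacAuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # each: {"seq", "prev", "payload", "tag"}

    def _tag(self, seq, prev, payload):
        # The tag binds position, predecessor tag and content, so an edit, a
        # reordering or a deletion before the head breaks at least one link.
        msg = b"|".join([str(seq).encode(), prev.encode(), canonical(payload)])
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, payload):
        seq = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        tag = self._tag(seq, prev, payload)
        self.entries.append({"seq": seq, "prev": prev, "payload": payload, "tag": tag})
        return tag

    def verify(self, expected_head=None):
        """Return (ok, first_bad_index).

        expected_head is a copy of the latest tag kept outside the log; without
        it, dropping entries from the end leaves a chain that still verifies.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return False, i
            if not hmac.compare_digest(e["tag"], self._tag(i, prev, e["payload"])):
                return False, i
            prev = e["tag"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


KEY = b"demo-key-not-for-production"  # constructed; a real key lives in a KMS/HSM
SAMPLE_ENTRIES = [  # constructed governance entries, loosely following the page's tuple names
    {"type": "INTENT", "agent": "planner-agent", "objective": "draft spec", "phase": "plan"},
    {"type": "DCT", "issuer": "planner-agent", "subject": "writer-agent", "ops_allowed": ["read", "write"]},
    {"type": "ATTEST", "agent": "writer-agent", "resource": "specs/drafts/intent.md", "result": "verified"},
]


def build_sample_log():
    log = HmacAuditLog(KEY)
    for payload in SAMPLE_ENTRIES:
        log.append(copy.deepcopy(payload))
    return log


def tamper_modify(log):
    """Widen a stored token's scope in place: that entry's tag no longer matches."""
    log.entries[1]["payload"]["ops_allowed"].append("delete")
    return log.verify()


def tamper_delete_middle(log):
    """Remove an entry: the following entry's seq and prev no longer line up."""
    del log.entries[1]
    return log.verify()


def tamper_truncate(log):
    """Drop the newest entry: the chain is still self-consistent; only the anchor catches it."""
    head = log.entries[-1]["tag"]
    del log.entries[-1]
    return log.verify(), log.verify(expected_head=head)
```

Two points a practitioner should take from this: truncation at the head is invisible to a purely internal check, so the latest tag (or entry count) has to be anchored somewhere the log writer cannot alter; and because HMAC is symmetric, anyone holding KEY can re-tag the whole chain after an edit, so key custody is part of the A.12 evidence, not a detail.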
Current Gaps (Annex A Controls Not Yet Mapped)
- A.10–A.11: Cryptographic and physical controls (partially covered by HMAC-SHA256 signing; physical controls are not code-level). HMAC-SHA256 is a symmetric construction: it gives integrity and authenticity to holders of the key but not non-repudiation, since anyone holding the key can produce a valid tag.
- A.13–A.17: Communications security, system acquisition and development, supplier relationships, incident management, and business continuity (require organizational process beyond a library)
- A.18: Compliance (overlaps with dedicated HUMMBL frameworks for EU AI Act, SOC 2, GDPR)
Boundary Disclaimer
- HUMMBL is not an ISO 27001 certification body. The primitives produce technical evidence; certification requires an accredited registrar.
- Annex A of ISO/IEC 27001:2022 contains 93 controls grouped into four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological). The family headings used here (A.5–A.18) and the test names follow the 14-family numbering of the 2013 edition; for a 2022 audit, map each family to its 2022 counterpart when assembling evidence. This mapping covers 6 of those families (A.5–A.9, A.12) directly addressable by code-level governance primitives. Remaining controls require organizational process evidence beyond a software library.
Evaluated: hummbl-governance v0.8.0 | Last updated: 2026-05-14 | CLI: python -m hummbl_governance.compliance_mapper --framework iso27001 | 10 dedicated tests