ISO 27001 Mapping

How hummbl-governance primitives produce evidence for ISO/IEC 27001:2022 Annex A controls (A.5–A.9, A.12). Generated via compliance_mapper.generate_iso27001_report().

Control Mappings

A.5 — Information Security Policies

INTENT tuples capture stated objectives, policies, and purpose. Each governance entry records the agent, objective, and phase in the specification pipeline.

Primitives: INTENT tuples
Tests: test_compliance_mapper.py → test_iso27001_intent_maps_to_a5

A.6 — Organization of Information Security

DCTX delegation chains capture organizational structure: who delegates to whom, for what event. This provides evidence of separation of duties and role assignment.

Primitives: DelegationTokenManager DCTX tuples
Tests: test_compliance_mapper.py → test_iso27001_dctx_maps_to_a6

A.7 — Human Resource Security

DCT and CONTRACT tuples prove that agents operate under binding agreements. Each delegation token and contract binds an issuer to a subject with scoped operations.

Primitives: DelegationTokenManager CONTRACT tuples
Tests: test_compliance_mapper.py → test_iso27001_dct_maps_to_a7, test_iso27001_contract_maps_to_a7

A.8 — Asset Management

DCT resource selectors and ATTEST evidence records track which assets (resources) are owned, accessed, and verified. Every resource binding is auditable.

Primitives: DCT tuples, ATTEST tuples
Tests: test_compliance_mapper.py → test_iso27001_dct_maps_to_a8, test_iso27001_attest_maps_to_a8

A.9 — Access Control

DCT ops_allowed fields prove scoped access. Each delegation token restricts which operations (read, write, delete) an agent may perform on which resources.

Primitives: DelegationTokenManager DCT tuples
Tests: test_compliance_mapper.py → test_iso27001_dct_maps_to_a9
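The scoped-access check described above, as an added illustration that is not hummbl-governance code: the DelegationToken dataclass, its field names (ops_allowed and resource_selector are taken from the page's wording; issuer and subject are assumed), the glob-based resource selector, the check_access and delegate functions, and the "agent-a"/"db/orders/*" sample values are all constructed for this example. check_access returns both the decision and an evidence record of the kind an A.9 assessor would want to see; delegate shows the narrowing rule a sub-delegation must satisfy so that no chain can grant more than its parent.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Operation vocabulary assumed for the example (the page lists read, write, delete).
OPS = frozenset({"read", "write", "delete"})


@dataclass(frozen=True)
class DelegationToken:
    """Illustrative DCT shape; field set is an assumption, not the project's schema."""
    issuer: str               # who granted the scope
    subject: str              # the agent the scope is granted to
    resource_selector: str    # glob over resource identifiers, e.g. "db/orders/*"
    ops_allowed: frozenset    # subset of OPS

    def __post_init__(self):
        unknown = self.ops_allowed - OPS
        if unknown:
            raise ValueError(f"unknown ops: {sorted(unknown)}")


def check_access(token, subject, op, resource):
    """Decide whether `subject` may perform `op` on `resource` under `token`.

    Returns (allowed: bool, evidence: dict). Every denial lists its reasons so the
    evidence record is useful to an auditor, not just to the caller.
    """
    reasons = []
    if subject != token.subject:
        reasons.append("subject does not match token subject")
    if op not in token.ops_allowed:
        reasons.append("op not in ops_allowed")
    if not fnmatchcase(resource, token.resource_selector):
        reasons.append("resource outside resource_selector")
    decision = "allow" if not reasons else "deny"
    evidence = {
        "control": "A.9",
        "issuer": token.issuer,
        "subject": subject,
        "op": op,
        "resource": resource,
        "ops_allowed": sorted(token.ops_allowed),
        "resource_selector": token.resource_selector,
        "decision": decision,
        "reasons": reasons,
    }
    return decision == "allow", evidence


def delegate(parent, new_subject, ops_allowed, resource_selector=None):
    """Create a child token that can only narrow the parent's scope (assumed rule).

    ops must be a subset of the parent's ops, and the child selector must itself fall
    inside the parent selector. Glob containment via fnmatchcase is a coarse check that
    suffices for prefix-style selectors like "db/orders/*".
    """
    ops_allowed = frozenset(ops_allowed)
    selector = resource_selector or parent.resource_selector
    if not ops_allowed <= parent.ops_allowed:
        raise ValueError(f"escalation: {sorted(ops_allowed - parent.ops_allowed)}")
    if not fnmatchcase(selector, parent.resource_selector):
        raise ValueError(f"selector {selector!r} is broader than {parent.resource_selector!r}")
    return DelegationToken(parent.subject, new_subject, selector, ops_allowed)


def demo():
    """Constructed scenario; returns a dict of decisions for inspection."""
    root = DelegationToken("agent-a", "agent-b", "db/orders/*", frozenset({"read", "write"}))
    results = {
        "read_in_scope": check_access(root, "agent-b", "read", "db/orders/123")[0],
        "delete_not_granted": check_access(root, "agent-b", "delete", "db/orders/123")[0],
        "other_resource": check_access(root, "agent-b", "read", "db/customers/1")[0],
        "wrong_subject": check_access(root, "agent-c", "read", "db/orders/123")[0],
    }
    child = delegate(root, "agent-c", {"read"}, "db/orders/2024/*")
    results["child_read"] = check_access(child, "agent-c", "read", "db/orders/2024/7")[0]
    results["child_write_denied"] = check_access(child, "agent-c", "write", "db/orders/2024/7")[0]
    for label, ops, sel in (("escalation_blocked", {"delete"}, None),
                            ("broader_selector_blocked", {"read"}, "db/*")):
        try:
            delegate(root, "agent-c", ops, sel)
            results[label] = False
        except ValueError:
            results[label] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The evidence dict is deliberately emitted on denials as well as allows; the A.9 argument rests on being able to show that out-of-scope operations were refused, not only that in-scope ones succeeded.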

A.12 — Operations Security (Logging & Monitoring)

Every signed governance entry produces auditable operations evidence. The append-only, tamper-evident bus provides continuous logging per A.12 requirements.

Primitives: AuditLog, BusWriter
Tests: test_compliance_mapper.py → test_iso27001_signed_maps_to_a12
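An append-only, tamper-evident log of signed entries, as an added example that is not the project's AuditLog or BusWriter code: the SignedAuditLog class, the record layout (seq and prev fields), the canonical JSON encoding and verify_chain are all constructed here, and the entries and key are sample values. It uses HMAC-SHA256 as the page's gap list mentions, chaining each tag over the previous one so that editing or deleting an entry breaks verification at that point.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev value for the first entry (constructed convention)


def canonical(record: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class SignedAuditLog:
    """Append-only list of (record, tag); each tag covers the record and the previous tag."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries = []

    def append(self, entry: dict) -> str:
        prev = self._entries[-1][1] if self._entries else GENESIS
        record = dict(entry, seq=len(self._entries), prev=prev)
        tag = hmac.new(self._key, canonical(record), hashlib.sha256).hexdigest()
        self._entries.append((record, tag))
        return tag

    def records(self):
        """Copies of the entries, as an exporter or BusWriter would hand them to an auditor."""
        return [(dict(record), tag) for record, tag in self._entries]


def verify_chain(key: bytes, records):
    """Return (ok, first_bad_seq). first_bad_seq is None when the chain is intact.

    Checks, for each position i: the record claims seq i, its prev equals the previous
    tag, and its HMAC matches. Sequence numbers catch deletions; prev links catch
    reordering; the MAC catches edits.
    """
    prev = GENESIS
    for i, (record, tag) in enumerate(records):
        if record.get("seq") != i or record.get("prev") != prev:
            return False, i
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        prev = tag
    return True, None


def demo():
    """Constructed scenario: intact log, an edited entry, and a deleted entry."""
    key = b"constructed-demo-key"  # real deployments load this from a secret store
    log = SignedAuditLog(key)
    log.append({"type": "INTENT", "agent": "agent-a", "objective": "rotate credentials"})
    log.append({"type": "DCT", "issuer": "agent-a", "subject": "agent-b", "ops_allowed": ["read"]})
    log.append({"type": "ATTEST", "agent": "agent-b", "resource": "db/orders/1"})

    intact = verify_chain(key, log.records())

    edited = log.records()
    edited[1][0]["ops_allowed"] = ["read", "write", "delete"]  # silently widen a scope
    after_edit = verify_chain(key, edited)

    exported = log.records()
    truncated = exported[:1] + exported[2:]  # drop the DCT entry entirely
    after_delete = verify_chain(key, truncated)

    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1), (False, 1))
```

A MAC makes the log tamper-evident only against parties who do not hold the key; whoever can sign can also re-sign. If the writer and the verifier must be mutually distrusting, an asymmetric signature or an externally anchored checkpoint of the latest tag is the usual step up, but the chain structure stays the same.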

Current Gaps (Annex A Controls Not Yet Mapped)

  • A.10–A.11: Cryptographic and physical controls (partially covered by HMAC-SHA256 signing; physical controls are not code-level)
  • A.13–A.17: Communications, acquisition, supplier, incident management (require organizational process beyond a library)
  • A.18: Compliance (overlaps with dedicated HUMMBL frameworks for EU AI Act, SOC 2, GDPR)

Boundary Disclaimer

  • HUMMBL is not an ISO 27001 certification body. The primitives produce technical evidence; certification requires an accredited registrar.
  • Annex A contains 93 controls. This mapping covers 6 control families (A.5–A.9, A.12) directly addressable by code-level governance primitives. Remaining controls require organizational process evidence beyond a software library.

Evaluated: hummbl-governance v0.8.0 | Last updated: 2026-05-14 | CLI: python -m hummbl_governance.compliance_mapper --framework iso27001 | 10 dedicated tests