[REVIEW] iso27001-gap: add SoA risk traceability gates #1412

@catcherintheroad-hub

Description

Review target

Skill: iso27001-gap
Path: skills/compliance/iso27001-gap/

Problem

The skill requires a Statement of Applicability (SoA) listing all 93 Annex A controls with applicability, justification, implementation status, maturity score, and gaps. It does not require each SoA decision to trace back to a risk, legal/contractual requirement, risk treatment option, control owner, residual risk acceptance, or evidence location.

As a result the skill can pass an SoA that is complete as a checklist but not defensible as a risk-driven ISO 27001 artifact, which is a false positive.

False positive example

soa:
  control: A.5.23
  title: Information security for use of cloud services
  applicable: false
  justification: "not relevant"
  linked_risks: missing
  legal_contractual_driver: missing
  risk_treatment_option: missing
  owner: missing
  residual_risk_acceptance: missing

Why this is incomplete:

  • ISO 27001 Clause 6.1.3 expects controls to be selected through risk treatment and compared against Annex A so none are overlooked.
  • Excluded controls need specific justification tied to ISMS scope and risk context, not generic "not relevant" statements.
  • Included controls need a risk or requirement driver, implementation evidence, owner, and treatment status.
  • Residual risk acceptance should be traceable to an accountable risk owner.

Suggested coverage

Add SoA traceability gates for:

  1. Risk, legal, statutory, regulatory, contractual, or business driver for every included control.
  2. Exclusion justification that explains why the control is outside scope and why exclusion does not weaken ISMS conformity.
  3. Risk treatment option, treatment plan link, control owner, evidence location, residual risk, and approval.
  4. Classification of weak SoA records as major/minor nonconformities depending on systemic scope.
  5. Edge cases for blanket inclusion, generic exclusions, missing residual risk acceptance, and complete traceable SoA records.
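A worked implementation of the five gates above, as an added example that is not part of the iso27001-gap skill or of this issue. The field names follow the false-positive record shown earlier; `evidence_location`, the nested `accepted_by` shape of `residual_risk_acceptance`, the list of generic justifications, and the rule that a weakness affecting 20% or more of records is systemic (major) are assumptions made for the example. The sample SoA at the bottom is constructed.

```python
"""SoA traceability gates: added example, not the iso27001-gap skill's own code.

Assumptions: evidence_location is a record field; residual_risk_acceptance is a
mapping with an accepted_by entry; a weak pattern hitting >= 20% of records is
systemic (major nonconformity), otherwise minor.
"""
from __future__ import annotations

# Justifications that name no scope or risk context (assumed list).
GENERIC_JUSTIFICATIONS = {"", "not relevant", "not applicable", "n/a", "out of scope"}
# Share of weak records at or above which the weakness is treated as systemic (assumption).
SYSTEMIC_SHARE = 0.20
# Placeholder strings that count as an absent value, as in the issue's example record.
PLACEHOLDERS = {"", "missing", "tbd", "n/a"}


def _present(value) -> bool:
    """A field is present only if it is a non-empty, non-placeholder value."""
    if value is None:
        return False
    if isinstance(value, str):
        return value.strip().lower() not in PLACEHOLDERS
    return bool(value)


def check_record(rec: dict) -> list[str]:
    """Return the traceability gaps of one SoA record (empty list = traceable)."""
    gaps: list[str] = []
    if rec.get("applicable"):
        # Gate 1: an included control needs a risk or legal/contractual/business driver.
        if not (_present(rec.get("linked_risks")) or _present(rec.get("legal_contractual_driver"))):
            gaps.append("no risk or requirement driver")
        # Gate 3: treatment option, accountable owner and evidence location.
        for fld in ("risk_treatment_option", "owner", "evidence_location"):
            if not _present(rec.get(fld)):
                gaps.append(f"missing {fld}")
        # Gate 3 / edge case: residual risk must be accepted by an accountable owner.
        rra = rec.get("residual_risk_acceptance")
        if not isinstance(rra, dict) or not _present(rra.get("accepted_by")):
            gaps.append("residual risk acceptance lacks an accountable owner")
    else:
        # Gate 2: an exclusion must be justified against ISMS scope, not by a generic phrase.
        just = str(rec.get("justification") or "").strip()
        if just.lower() in GENERIC_JUSTIFICATIONS or len(just.split()) < 8:  # length floor is a heuristic
            gaps.append("generic exclusion justification")
    return gaps


def assess_soa(records: list[dict]) -> dict:
    """Run the gates over a whole SoA and classify the outcome (gates 4 and 5)."""
    per_control = {r.get("control", "<unknown>"): check_record(r) for r in records}
    weak = {c: g for c, g in per_control.items() if g}
    share = len(weak) / len(records) if records else 0.0
    # Edge case: blanket inclusion, every control marked applicable with no driver behind it.
    blanket = bool(records) and all(r.get("applicable") for r in records) and all(
        "no risk or requirement driver" in g for g in per_control.values()
    )
    if not weak:
        severity = "conforming"
    elif blanket or share >= SYSTEMIC_SHARE:
        severity = "major"
    else:
        severity = "minor"
    return {"severity": severity, "weak_share": round(share, 2),
            "blanket_inclusion": blanket, "findings": weak}


# Constructed sample SoA (control ids are Annex A numbers; all other values are made up).
SAMPLE_SOA = [
    {"control": "A.5.23", "applicable": False, "justification": "not relevant",
     "linked_risks": "missing", "owner": "missing"},
    {"control": "A.8.24", "applicable": True, "linked_risks": ["R-017"],
     "risk_treatment_option": "modify", "owner": "Head of Platform",
     "evidence_location": "evidence/A.8.24/kms-policy.pdf",
     "residual_risk_acceptance": {"accepted_by": "CISO", "date": "2024-03-01"}},
    {"control": "A.5.7", "applicable": True, "linked_risks": "missing",
     "legal_contractual_driver": "Customer MSA clause 9.2", "risk_treatment_option": "modify",
     "owner": "missing", "evidence_location": "evidence/A.5.7/",
     "residual_risk_acceptance": {"accepted_by": "CISO"}},
    {"control": "A.6.3", "applicable": True, "linked_risks": ["R-004"],
     "risk_treatment_option": "modify", "owner": "People Ops Lead",
     "evidence_location": "evidence/A.6.3/training-log.csv",
     "residual_risk_acceptance": "missing"},
    {"control": "A.8.16", "applicable": True, "linked_risks": ["R-021", "R-022"],
     "risk_treatment_option": "modify", "owner": "SOC Manager",
     "evidence_location": "evidence/A.8.16/siem-rules/",
     "residual_risk_acceptance": {"accepted_by": "CISO"}},
]

if __name__ == "__main__":
    result = assess_soa(SAMPLE_SOA)
    print(result["severity"], result["weak_share"])
    for ctrl, gaps in result["findings"].items():
        print(ctrl, "->", "; ".join(gaps))
```

Run against the sample, three of five records fail a gate (the generic exclusion, the missing owner, the missing residual-risk acceptance), so the SoA is classified major; the same records with the gaps filled classify as conforming, and a single weak record among several complete ones classifies as minor.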
