docs: add ISO 27001 SoA traceability gates

[catcherintheroad-hub]

Created from review issue: #1412

Summary

• Add SoA risk traceability gates to iso27001-gap
• Require Annex A applicability decisions to link to risk or requirement drivers, treatment options, control owners, evidence locations, and residual risk acceptance
• Add edge-case fixtures for blanket inclusion, generic cloud-control exclusion, wrong residual-risk approver, and complete traceable SoA records

Validation

• git diff --check
• Markdown fence balance and ASCII check for the new test fixture
• Reference URL checks for ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27005 overview pages

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2ead44953c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid accepting future-dated SoA evidence

This "complete" passing fixture uses 2026-06-30 for both residual-risk acceptance and the last review, which is in the future relative to the commit/current review date of June 6, 2026. If this case is used to validate the skill, it teaches the gate to accept future-dated approvals/reviews as complete evidence, even though an auditor would treat those as not yet performed; use past dates or make the expected result flag the record as incomplete until those dates have occurred.

Useful? React with 👍 / 👎.