Enterprise-Grade Security Assessment & Compliance Platform
CIA triad assessment · Multi-framework compliance · Cost & ROI analysis · Threat modeling · Data classification · Business impact quantification
CIA Compliance Manager is both a live assessment platform and a reusable npm library for building security-first React applications. Two entry points serve different audiences:

- **Live Assessment Platform**: Interactive web application for performing CIA triad security assessments, generating compliance reports, estimating implementation costs (CAPEX/OPEX), and quantifying business impact across ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS, and EU CRA frameworks. Features real-time dashboards, STRIDE threat modeling, Porter's Five Forces strategic analysis, and professional data classification tools. Built with React 19.x, TypeScript 6.x, Vite 8.x, and Tailwind 4.x, demonstrating Hack23's commitment to transparency and security by design.
- **npm Library (cia-compliance-manager v1.1.59)**: Tree-shakeable ES module package with 10 subpath exports (`types`, `services`, `hooks`, `utils`, `components`, `components/widgets`, `constants`, `data`, `contexts`, plus root). Provides React components, hooks, and services for building security assessment and compliance management features into your own applications. Fully typed with TypeScript, peer-dependency-light (React 18.2+ or 19.x, optional Chart.js 4.x), and SLSA 3 provenance-signed. Suitable for embedding CIA triad assessments, compliance dashboards, threat modeling, or business impact analysis into enterprise portals, GRC platforms, or security operations consoles.
- **Full Site Map**: Comprehensive index of all platform pages, documentation sections, and reference materials. Includes assessment workflows, compliance mappings, technical architecture diagrams, and ISMS alignment documents. Best entry point for SEO crawlers and for discovering deep-linked resources.
- **TypeDoc API Reference**: Complete API documentation for every exported symbol in the cia-compliance-manager package. Includes React components, TypeScript interfaces, service functions, custom hooks, utility helpers, and data constants. Companion Test Coverage and Cypress E2E Reports are available from the same documentation hub.
Security and compliance are business-critical, but they're also expensive, complex, and frequently misunderstood by non-specialists. Organizations face a maze of overlapping frameworks (ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS, EU CRA), each with hundreds of controls, unclear mapping, and no built-in cost transparency. CISOs struggle to translate technical security requirements into business-justifiable budgets. Compliance officers can't easily demonstrate ROI for security investments. Small-to-medium enterprises lack the tools that large consulting firms use internally.
CIA Compliance Manager bridges this gap: it's the transparent, open-source compliance assessment platform that organizations can use to:
- Assess security posture systematically using the CIA triad (Confidentiality, Integrity, Availability) as the unifying lens across all frameworks.
- Map controls automatically to ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS, and EU CRA; see exactly which framework controls apply to your assessed security levels.
- Estimate costs realistically with detailed CAPEX and OPEX breakdowns, so you can justify budgets and track ROI.
- Model threats rigorously using STRIDE methodology, attack trees, and risk quantification; go beyond checkbox compliance to actual risk management.
- Quantify business impact across financial, operational, reputational, and regulatory dimensions using our Classification Framework.
- Demonstrate transparency: every methodology, every calculation, every control mapping is open-source and auditable.
This project is the open-source platform behind ciacompliancemanager.com: a production-ready assessment tool built following Hack23's Secure Development Policy and classified according to our ISMS standards. It serves as both an operational platform for security assessments and a live reference implementation of security-by-design principles.
| Pillar | What it means in this project |
|---|---|
| CIA Triad Assessment | Every security decision is evaluated across Confidentiality, Integrity, and Availability dimensions. We use a 5-level maturity model (Level 1: Basic → Level 5: Optimized) mapped to concrete technical controls, so you know exactly what "High Confidentiality" means in practice (encryption at rest + in transit, key management, access controls, etc.). |
| Multi-Framework Compliance | Automated mapping to 7 major frameworks. Select your target security levels (e.g., "High Confidentiality, Medium Integrity, High Availability"), and the platform shows you which ISO 27001 Annex A controls, NIST 800-53 families, GDPR articles, HIPAA safeguards, SOC 2 criteria, PCI DSS requirements, and EU CRA essential requirements apply. |
| Cost & ROI Transparency | Security has a price. We calculate CAPEX (licenses, hardware, consulting) and OPEX (staffing, maintenance, subscription costs) for each security level, broken down by category. The ROI calculator lets you compare risk reduction value against implementation costs. |
| Threat Modeling | Integrated STRIDE analysis (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Build attack trees, assign likelihood and impact scores, prioritize mitigations. Structured threat intelligence aligned with ISMS threat modeling standards. |
| Data Classification | Systematic data classification engine based on CIA requirements. Input your data sensitivity, integrity needs, and availability SLAs; get back a clear classification label (Public, Internal, Confidential, Restricted) with handling requirements and retention policies. |
| Business Impact Analysis | Quantify what happens when security fails. Our Business Impact Matrix scores financial loss, operational disruption, reputational damage, and regulatory penalties across 5 severity levels. Connect security controls to business value, not just compliance checkboxes. |
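The table above describes one pipeline: assessed CIA levels drive a classification label, the set of framework controls that apply, and a CAPEX/OPEX estimate that an ROI figure is computed against. The TypeScript below is an added illustration of that pipeline and is not code from the cia-compliance-manager library. The 5-level scale is the page's, but the level names other than Basic and Optimized, the control-to-level thresholds, the cost figures and the ALE inputs are constructed placeholders, and `Profile`, `classify`, `estimateCost` and `roi` are names chosen here, not the library's API. The ISO 27001:2022 Annex A and NIST SP 800-53 control identifiers are real; which level triggers them is this example's choice.

```typescript
// Added illustration, not the cia-compliance-manager library's own code: how a
// CIA-triad profile drives a data-classification label, a framework control
// mapping and a CAPEX/OPEX/ROI estimate. Level names other than "Basic" and
// "Optimized", the control-to-level thresholds, the cost figures and the ALE
// inputs are constructed placeholders; the control ids are real ISO 27001:2022
// Annex A and NIST SP 800-53 identifiers.

export type Dimension = "confidentiality" | "integrity" | "availability";
export type Level = 1 | 2 | 3 | 4 | 5; // 1 = Basic ... 5 = Optimized

// Assessed level per dimension (a simplified stand-in for the library's profile type).
export type Profile = Record<Dimension, Level>;

// Constructed level names; the page names only levels 1 and 5.
export const LEVEL_NAMES: Record<Level, string> = {
  1: "Basic", 2: "Low", 3: "Medium", 4: "High", 5: "Optimized",
};

// A control is required once the assessed level of its dimension reaches minLevel.
export interface ControlMapping {
  dimension: Dimension;
  minLevel: Level;
  iso27001: string;   // ISO 27001:2022 Annex A control
  nist80053: string;  // NIST SP 800-53 control
  capexUsd: number;   // one-off: licences, hardware, consulting (constructed)
  opexUsd: number;    // recurring per year: staffing, maintenance, subscriptions (constructed)
}

export const CONTROL_MAP: ControlMapping[] = [
  { dimension: "confidentiality", minLevel: 2, iso27001: "A.5.15 Access control", nist80053: "AC-3 Access Enforcement", capexUsd: 5_000, opexUsd: 8_000 },
  { dimension: "confidentiality", minLevel: 3, iso27001: "A.8.24 Use of cryptography", nist80053: "SC-28 Protection of Information at Rest", capexUsd: 15_000, opexUsd: 6_000 },
  { dimension: "confidentiality", minLevel: 4, iso27001: "A.8.24 Use of cryptography", nist80053: "SC-12 Cryptographic Key Establishment and Management", capexUsd: 40_000, opexUsd: 20_000 },
  { dimension: "integrity", minLevel: 2, iso27001: "A.8.15 Logging", nist80053: "AU-2 Event Logging", capexUsd: 4_000, opexUsd: 10_000 },
  { dimension: "integrity", minLevel: 3, iso27001: "A.8.9 Configuration management", nist80053: "CM-6 Configuration Settings", capexUsd: 8_000, opexUsd: 12_000 },
  { dimension: "integrity", minLevel: 4, iso27001: "A.8.9 Configuration management", nist80053: "SI-7 Software, Firmware, and Information Integrity", capexUsd: 25_000, opexUsd: 15_000 },
  { dimension: "availability", minLevel: 2, iso27001: "A.8.13 Information backup", nist80053: "CP-9 System Backup", capexUsd: 6_000, opexUsd: 9_000 },
  { dimension: "availability", minLevel: 4, iso27001: "A.8.14 Redundancy of information processing facilities", nist80053: "CP-10 System Recovery and Reconstitution", capexUsd: 60_000, opexUsd: 30_000 },
];

export type Classification = "Public" | "Internal" | "Confidential" | "Restricted";

// The handling label follows the confidentiality requirement; integrity and
// availability shape the control set and the cost, not the label.
export function classify(profile: Profile): Classification {
  switch (profile.confidentiality) {
    case 1: return "Public";
    case 2: return "Internal";
    case 3: return "Confidential";
    default: return "Restricted";
  }
}

export function requiredControls(profile: Profile): ControlMapping[] {
  return CONTROL_MAP.filter((c) => profile[c.dimension] >= c.minLevel);
}

export interface CostEstimate { capexUsd: number; opexUsd: number; firstYearUsd: number }

export function estimateCost(profile: Profile): CostEstimate {
  const controls = requiredControls(profile);
  const capexUsd = controls.reduce((sum, c) => sum + c.capexUsd, 0);
  const opexUsd = controls.reduce((sum, c) => sum + c.opexUsd, 0);
  return { capexUsd, opexUsd, firstYearUsd: capexUsd + opexUsd };
}

// ROI = (annual loss avoided - first-year spend) / first-year spend, where the
// loss avoided is the annualised loss expectancy (ALE) before minus after the
// controls. A negative value means the controls cost more than the risk they
// remove in year one.
export function roi(profile: Profile, aleBeforeUsd: number, aleAfterUsd: number): number {
  const cost = estimateCost(profile).firstYearUsd;
  if (cost === 0) throw new Error("profile requires no controls; ROI is undefined");
  return (aleBeforeUsd - aleAfterUsd - cost) / cost;
}

// Worked example for the profile quoted in the table: High C, Medium I, High A.
export const EXAMPLE_PROFILE: Profile = { confidentiality: 4, integrity: 3, availability: 4 };

const label = classify(EXAMPLE_PROFILE); // Restricted
const cost = estimateCost(EXAMPLE_PROFILE);
console.log(`Classification: ${label}`);
for (const c of requiredControls(EXAMPLE_PROFILE)) {
  console.log(`${c.dimension} >= ${LEVEL_NAMES[c.minLevel]}: ${c.iso27001} / ${c.nist80053}`);
}
console.log(`CAPEX $${cost.capexUsd}, OPEX $${cost.opexUsd}/yr, first year $${cost.firstYearUsd}`);
console.log(`ROI (ALE $400K -> $120K): ${(100 * roi(EXAMPLE_PROFILE, 400_000, 120_000)).toFixed(1)}%`);
```

Keeping thresholds, costs and ALE figures as data rather than code is what makes the calculation auditable in the sense the table describes: an assessor can read the mapping table and reproduce every number by hand.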
The CIA Compliance Manager is a comprehensive application designed to help organizations assess, implement, and manage security controls across the CIA triad (Confidentiality, Integrity, and Availability). It provides detailed security assessments, cost estimation tools, business impact analysis, and technical implementation guidance to support organizations in achieving their security objectives within budget constraints.
> This compliance tool demonstrates Hack23 AB's commitment to security by design and transparency, serving as both an operational platform and a live demonstration of our cybersecurity consulting expertise. Built following our Secure Development Policy and classified according to our Classification Framework, this project exemplifies security best practices through transparent implementation.
>
> — James Pether Sörling, CEO/Founder, Hack23 AB
The CIA Compliance Manager provides enterprise-grade capabilities for security assessment and compliance management:
- Automated security level assessment across Confidentiality, Integrity, and Availability dimensions with real-time control effectiveness tracking. 5-level maturity model (Basic → Optimized) mapped to concrete technical controls.
- Comprehensive compliance automation for NIST 800-53, ISO 27001, GDPR, HIPAA, SOC 2, PCI DSS, and EU Cyber Resilience Act (CRA). Automatic control mapping based on assessed security levels.
- Integrated STRIDE threat analysis with risk quantification and attack tree visualization for comprehensive security assessment. Align threats to security controls and business impact.
- Quantify financial, operational, reputational, and regulatory impacts using structured impact assessment methodologies from our Classification Framework.
- Calculate CAPEX (licenses, hardware, consulting) and OPEX (staffing, maintenance, subscriptions) for security implementations with a detailed breakdown and an ROI calculator to justify security investments.
- Apply systematic data classification based on confidentiality, integrity, and availability requirements aligned with ISMS standards. Generate handling requirements and retention policies.
- Real-time visualization of security posture, compliance status, and risk metrics through intuitive interactive charts and widgets. Export reports in multiple formats.
- Detailed technical guidance and best practices for deploying security controls across all CIA triad levels. Step-by-step roadmaps for moving from current state to target state.
- Generate compliance reports and collect evidence artifacts for audit preparation and regulatory requirements. Traceable lineage from controls to evidence to frameworks.
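The threat-modeling capability above aligns STRIDE threats to controls and to business impact. The following TypeScript is an added example, not the project's own code, of the minimal register that makes such alignment mechanical: each threat carries likelihood and impact scores (1 to 5), the CIA dimension it primarily affects and the mitigating control it is traced to; the register is then prioritised by risk = likelihood × impact and rolled up per CIA dimension. The sample threats, their scores, the band thresholds and the STRIDE-to-CIA folding are constructed for this illustration; the mitigations named are the ones this page already lists (SLSA 3 provenance, SBOM, CSP, peer-reviewed PRs, RTO/RPO).

```typescript
// Added example, not the project's own code: a minimal STRIDE threat register
// in which each threat carries likelihood and impact scores (1..5), the CIA
// dimension it primarily affects and the mitigating control it maps to, and the
// register is prioritised by risk = likelihood x impact. The sample threats,
// scores, band thresholds and the STRIDE-to-CIA mapping are constructed.

export type StrideCategory =
  | "Spoofing" | "Tampering" | "Repudiation"
  | "Information Disclosure" | "Denial of Service" | "Elevation of Privilege";
export type CIADimension = "Confidentiality" | "Integrity" | "Availability";
export type Score = 1 | 2 | 3 | 4 | 5;
export type RiskBand = "Critical" | "High" | "Medium" | "Low";

export interface Threat {
  id: string;
  category: StrideCategory;
  description: string;
  likelihood: Score;
  impact: Score;
  mitigation: string; // the control the threat is traced to
}

// One common simplification that folds STRIDE onto the CIA triad (constructed):
// spoofing and privilege escalation are treated as confidentiality exposures,
// repudiation as an integrity exposure.
export const STRIDE_TO_CIA: Record<StrideCategory, CIADimension> = {
  "Spoofing": "Confidentiality",
  "Tampering": "Integrity",
  "Repudiation": "Integrity",
  "Information Disclosure": "Confidentiality",
  "Denial of Service": "Availability",
  "Elevation of Privilege": "Confidentiality",
};

export function riskScore(t: Threat): number {
  return t.likelihood * t.impact; // 1..25
}

// Band cut-offs on the 5x5 matrix are constructed; tune them to risk appetite.
export function riskBand(score: number): RiskBand {
  if (score >= 20) return "Critical";
  if (score >= 12) return "High";
  if (score >= 6) return "Medium";
  return "Low";
}

export interface PrioritisedThreat extends Threat {
  score: number;
  band: RiskBand;
  dimension: CIADimension;
}

// Highest risk first; ties broken by id so the ordering is stable and auditable.
export function prioritise(register: Threat[]): PrioritisedThreat[] {
  return register
    .map((t) => {
      const score = riskScore(t);
      return { ...t, score, band: riskBand(score), dimension: STRIDE_TO_CIA[t.category] };
    })
    .sort((a, b) => b.score - a.score || a.id.localeCompare(b.id));
}

// Highest score per CIA dimension: points at the dimension whose security level
// most needs raising, which is how the register feeds back into the assessment.
export function maxRiskByDimension(register: Threat[]): Record<CIADimension, number> {
  const out: Record<CIADimension, number> = { Confidentiality: 0, Integrity: 0, Availability: 0 };
  for (const t of prioritise(register)) {
    out[t.dimension] = Math.max(out[t.dimension], t.score);
  }
  return out;
}

// Constructed register for a statically hosted web application like this one.
export const SAMPLE_REGISTER: Threat[] = [
  { id: "T-01", category: "Tampering", description: "Compromised build dependency alters the published bundle", likelihood: 3, impact: 5, mitigation: "SLSA 3 provenance, SBOM, Dependabot" },
  { id: "T-02", category: "Information Disclosure", description: "Injected script reads assessment data held in the browser", likelihood: 2, impact: 4, mitigation: "Content Security Policy, input validation" },
  { id: "T-03", category: "Denial of Service", description: "CDN or static-hosting origin outage", likelihood: 2, impact: 3, mitigation: "Redundant hosting; RTO 4h / RPO 1h" },
  { id: "T-04", category: "Spoofing", description: "Look-alike package name impersonates the npm library", likelihood: 3, impact: 4, mitigation: "Provenance attestation verification at install time" },
  { id: "T-05", category: "Elevation of Privilege", description: "Over-scoped CI token used to publish a release", likelihood: 2, impact: 5, mitigation: "Least-privilege workflow permissions, peer-reviewed PRs" },
  { id: "T-06", category: "Repudiation", description: "Release published without a traceable author", likelihood: 1, impact: 3, mitigation: "Signed commits, immutable audit trail" },
];

for (const t of prioritise(SAMPLE_REGISTER)) {
  console.log(`${t.id} ${t.band.padEnd(8)} ${String(t.score).padStart(2)} ${t.dimension.padEnd(15)} ${t.category}: ${t.mitigation}`);
}
console.log(maxRiskByDimension(SAMPLE_REGISTER));
```

The per-dimension roll-up is the link back to the assessment: if the highest residual score sits under Integrity, that is the dimension whose target level (and therefore control set and cost) the next assessment round should revisit.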
This platform serves security professionals and decision-makers:
- CISOs & Security Directors: Strategic security posture management and compliance oversight
- Compliance & Risk Officers: Regulatory compliance tracking and audit preparation
- IT Managers & System Administrators: Security control implementation and operational management
- Security Architects & Engineers: Technical security design and architecture validation
- Business Stakeholders: Security investment decisions and ROI analysis
CIA Compliance Manager includes a set of specialized GitHub Copilot custom agents tailored to this project's architecture, ISMS alignment, and quality standards. Each agent focuses on a specific domain (product, development, testing, documentation, or security) to provide context-aware assistance across the codebase.
```mermaid
%%{init: {'theme': 'neutral'}}%%
graph TB
    subgraph "Product Coordination"
        TASK[Product Task Agent]:::task
    end
    subgraph "Development Agents"
        TS[TypeScript React Agent]:::dev
        TEST[Testing Agent]:::test
    end
    subgraph "Quality & Security"
        CR[Code Review Agent]:::review
        SEC[Security Compliance Agent]:::security
    end
    subgraph "Documentation"
        DOC[Documentation Agent]:::docs
    end
    TASK --> TS
    TASK --> TEST
    TASK --> CR
    TASK --> SEC
    TASK --> DOC
    classDef task fill:#FFC107,stroke:#F57C00,stroke-width:3px,color:#000
    classDef dev fill:#2E7D32,stroke:#1B5E20,stroke-width:2px,color:#fff
    classDef test fill:#1565C0,stroke:#0D47A1,stroke-width:2px,color:#fff
    classDef review fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#fff
    classDef security fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#fff
    classDef docs fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#fff
```
- Product Task Agent: Expert product coordinator for creating GitHub issues, assigning tasks to agents, and ensuring quality across code, UX, security, and ISMS dimensions. Use for: product audits, issue creation, UI/UX and accessibility findings, ISMS alignment, and multi-agent task coordination.
- TypeScript React Agent: Specialist in React 19.x and TypeScript 6.x for building secure, type-safe components that follow the project's architecture and reusability standards. Use for: new components, state management patterns, type definitions, refactoring, and type-safe integrations.
- Testing Agent: Testing expert for Vitest 4.x, React Testing Library 16.x, and Cypress 15.x, aligned with the project's Secure Development Policy and coverage thresholds. Use for: unit tests, integration tests, E2E scenarios, improving coverage, and debugging failing tests.
- Code Review Agent: Reviewer focused on code quality, maintainability, performance, accessibility (WCAG 2.1 AA), and security hygiene across the TypeScript/React codebase. Use for: PR reviews, identifying code smells, performance tuning, and enforcing project coding standards.
- Documentation Agent: Documentation specialist for Markdown, JSDoc/TypeDoc, and Mermaid diagrams, aligned with the project's C4 architecture model and ISMS documentation portfolio. Use for: updating README files, writing API docs, creating architecture diagrams, and maintaining ISMS compliance docs.
- Security Compliance Agent: Security and compliance expert for CIA triad analysis, NIST/ISO/GDPR mapping, threat modeling (STRIDE), and secure coding practices aligned with the OWASP Top 10. Use for: security control implementation, framework mapping, threat modeling, risk assessment, and vulnerability remediation.
You can explicitly address agents in your prompts when working in this repository:

```text
@product-task-agent, create GitHub issues for improving the CRA assessment documentation.
@typescript-react-agent, refactor the SecuritySummaryWidget to reuse existing types and constants.
@testing-agent, add Vitest unit tests for the BusinessImpactAnalysisWidget.
@security-compliance-agent, review the cost estimation logic for compliance with the Classification Framework.
```
For full configuration details and advanced usage, see the Agent README and Skills Framework.
Each agent is equipped with domain-specific skills that define reusable best practices, patterns, and compliance standards. Skills are stored in .github/skills/ and loaded by agents to ensure consistent, ISMS-aligned behavior across the codebase.
Core Skills:
- `documentation-standards.md`: JSDoc, TypeDoc, Markdown, Mermaid diagram standards
- `c4-architecture-documentation.md`: C4 model (Context/Container/Component/Code) for architecture diagrams
- `code-quality-excellence.md`: TypeScript best practices, React patterns, ESLint rules, code organization
- `security-best-practices.md`: OWASP Top 10, secure coding patterns, input validation, authentication/authorization
- `testing-excellence.md`: Vitest, React Testing Library, Cypress E2E, coverage thresholds, test design
- `compliance-frameworks.md`: ISO 27001, NIST CSF 2.0, GDPR, HIPAA, SOC 2, PCI DSS, EU CRA control mapping
How Skills Work:
- Agents load skills from `.github/skills/` based on their domain (e.g., the Documentation Agent loads `documentation-standards.md` + `c4-architecture-documentation.md`)
- Skills define patterns using examples, rules, and constraints that agents apply when generating code, docs, or tests
- Skills evolve with the project: when you update a skill file, all agents that reference it immediately adopt the new standard
- Skills are versioned alongside the codebase, ensuring traceability between code changes and the standards that governed them
Example: Documentation Agent + Skills:
When the Documentation Agent updates SECURITY_ARCHITECTURE.md, it:
- Follows `documentation-standards.md` for Markdown structure, heading hierarchy, and cross-references
- Applies `c4-architecture-documentation.md` for C4 Context/Container diagrams using the project's Mermaid palette
- Uses STYLE_GUIDE.md for CIA-triad colors (Confidentiality = Purple `#7B1FA2`, Integrity = DarkGreen `#2E7D32`, Availability = DarkBlue `#1565C0`)
This ensures every diagram, every heading, and every cross-link follows the same visual and structural conventions.
Expert analysis and thought leadership on CIA triad security, compliance frameworks, and business impact from industry professionals:
- Author: Simon Moon (Independent Security Consultant). Published: DevGenius, 2024-12-15. Deep dive into using the CIA triad (Confidentiality, Integrity, Availability) as the foundation for business impact analysis. Explores how security professionals can translate technical security requirements into business-justifiable metrics, quantify risk across financial/operational/reputational dimensions, and align security investments with organizational value.
- Author: George Dorn (Security Strategist & Risk Analyst). Published: Medium, 2024-12-14. Practical guide to leveraging the CIA triad for strategic security decision-making. Covers real-world scenarios where Confidentiality, Integrity, and Availability trade-offs drive architecture choices, technology selection, and budget prioritization. Includes case studies from financial services, healthcare, and SaaS platforms.
Want to contribute a blog post? We welcome guest articles on CIA triad security, compliance automation, threat modeling, and GRC best practices. See our Contributing Guidelines for submission details.
Version: 1.1.59 (Effective: 2026-04-28 | Next Review: 2026-07-28)
Package Health:
- Build Status: All workflows passing
- Test Coverage: 85%+ (Vitest + Cypress E2E)
- Bundle Size: ~120 KB minified+gzipped (tree-shakeable)
- ISMS Posture: ISO 27001:2022-aligned, NIST CSF 2.0-mapped, CIS Controls v8.1-compliant
Package Layout (10 Subpath Exports):

```typescript
import { SecurityProfile, ComplianceFramework } from 'cia-compliance-manager'; // root
import { CIALevel, SecurityControlMapping } from 'cia-compliance-manager/types'; // types
import { AssessmentService, ComplianceService } from 'cia-compliance-manager/services'; // services
import { useSecurityProfile, useCompliance } from 'cia-compliance-manager/hooks'; // hooks
import { formatCurrency, calculateROI } from 'cia-compliance-manager/utils'; // utils
import { SecurityDashboard, ComplianceMatrix } from 'cia-compliance-manager/components'; // components
import { BusinessImpactWidget, ThreatModelWidget } from 'cia-compliance-manager/components/widgets'; // widgets
import { SECURITY_LEVELS, COMPLIANCE_FRAMEWORKS } from 'cia-compliance-manager/constants'; // constants
import { controlData, frameworkMappings } from 'cia-compliance-manager/data'; // data
import { SecurityProfileProvider, ComplianceContext } from 'cia-compliance-manager/contexts'; // contexts
```

Technology Stack:
- Runtime: Node ≥25.0.0, npm ≥10.0.0
- Language: TypeScript 6.0.3 (ES2025 target)
- Framework: React 19.2.5 + React DOM 19.2.5
- Build: Vite 8.0.10 (ES module bundler)
- Styling: Tailwind CSS 4.2.4
- Testing: Vitest 4.1.5, @vitest/coverage-v8 4.1.5, Cypress 15.14.1
- Linting: ESLint 10.2.1 + TypeScript ESLint 8.59.1
- Documentation: TypeDoc 0.28.19 + typedoc-plugin-mermaid 1.12.0
- Code Quality: Knip 6.7.0 (unused exports detection)
CIA Compliance Manager is classified as PUBLIC per Hack23's Classification Framework. This public classification enables transparency, community contributions, and serves as a reference implementation for security-by-design principles.
CIA Triad Assessment:
- Confidentiality: MEDIUM (Public data, but architecture patterns demonstrate security controls)
- Integrity: HIGH (Code provenance, SLSA 3 attestations, immutable audit trails)
- Availability: MEDIUM (Public CDN, GitHub Pages, S3 static hosting with CloudFront)
Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour
Maximum Tolerable Downtime (MTD): 24 hours
For detailed DR procedures, see Business Continuity Plan.
Assessment of impact if CIA Compliance Manager were unavailable or compromised:
| Impact Dimension | Severity Level | Financial Impact | Description |
|---|---|---|---|
| Financial | MEDIUM | $10K–$100K | Loss of demonstration platform affects consulting sales pipeline and SaaS revenue potential |
| Operational | LOW | <$10K | Alternative assessment tools available; manual processes feasible for short-term |
| Reputational | MEDIUM | Brand damage | Security consulting firm with insecure platform creates trust deficit; media coverage risk |
| Regulatory | LOW | Minimal | No regulated data processed; GDPR/HIPAA compliance demonstration affected but not business-critical |
Detailed methodology and scoring rubric: ISMS Classification Framework § Business Impact Matrix
Primary ROI Drivers:
- Consulting Sales Enablement: Live platform demonstrates Hack23's security expertise to potential clients; reference implementation shortens sales cycles
- Product Differentiation: Only open-source CIA triad assessment platform with multi-framework mapping and cost transparency; competitive moat in GRC consulting
- Community Trust: Transparency builds credibility; security professionals prefer vendors who "eat their own dog food"
- Reusable IP: npm library enables Hack23 to embed compliance features into client projects; reduces custom development costs
vs. Commercial GRC Platforms (e.g., OneTrust, LogicGate):
- Transparency: Every control mapping, every calculation is auditable; no vendor lock-in
- Cost: Open-source library + self-hosted option vs. $50K+ annual licenses
- Customization: Fork, extend, embed, vs. rigid SaaS feature sets
vs. Consulting Spreadsheets:
- Automation: Real-time calculations, live dashboards vs. error-prone manual updates
- Frameworks: 7 frameworks mapped simultaneously vs. single-framework silos
- Evidence: Traceable lineage from controls to frameworks to audit artifacts
vs. Other Open-Source Tools (e.g., OWASP Threat Dragon):
- Multi-Framework: ISO 27001 + NIST + GDPR + HIPAA + SOC 2 + PCI DSS + EU CRA vs. single-purpose tools
- Business Focus: Cost estimation, ROI analysis, business impact quantification, not just technical checklists
How CIA Compliance Manager affects Hack23's competitive position:
| Force | Impact | Analysis |
|---|---|---|
| Competitive Rivalry | Reduces intensity | Demonstrates superior technical capability vs. consulting competitors; transparent implementation builds trust faster than marketing claims |
| Threat of New Entrants | Raises barriers | Open-source platform + community contributions create network effects; new entrants must match feature breadth + framework coverage |
| Supplier Power | Reduces dependency | Self-hosted option eliminates reliance on third-party GRC vendors; control over roadmap and pricing |
| Buyer Power | Strengthens position | Transparent pricing (free OSS + paid consulting) vs. opaque vendor contracts; clients choose based on value, not negotiation leverage |
| Substitutes | Mitigates threat | Superior UX + automation vs. manual spreadsheets; broader framework coverage vs. single-purpose tools; cost transparency vs. commercial SaaS black boxes |
CIA Compliance Manager is built and operated in full compliance with Hack23's ISMS framework:
- Secure Development Policy: SLSA 3 provenance, SBOM generation, automated vulnerability scanning (Dependabot, CodeQL, ZAP), peer-reviewed PRs
- Threat Modeling: STRIDE analysis documented in THREAT_MODEL.md; attack surfaces mapped to mitigations
- Vulnerability Management: 24-hour critical-patch SLA; automated dependency updates; public disclosure policy
- Open Source Policy: Apache-2.0 licensed; CLA for contributors; FOSSA license compliance checks
- Transparency Plan: Public ISMS docs, public roadmap, public incident response procedures
- Data Classification: No PII/PHI processed; all data is PUBLIC per the classification framework
- Business Continuity: RTO 4h, RPO 1h, MTD 24h; DR procedures documented in BCPPlan.md
This project demonstrates compliance controls for multiple frameworks simultaneously:
| Framework | Standard/Version | Alignment Level | Evidence |
|---|---|---|---|
| ISO 27001 | 2022 (Annex A controls) | HIGH | Control Mapping, ISMS Reference |
| NIST CSF | 2.0 | HIGH | Traceability Matrix |
| CIS Controls | v8.1 | MEDIUM | CIS Mapping |
| EU CRA | 2024/2847 (Essential Requirements) | MEDIUM | CRA Assessment |
| GDPR | Regulation 2016/679 | MEDIUM | Data minimization, no personal data processing |
| OWASP Top 10 | 2021 | HIGH | Input validation, CSP, HTTPS-only, secure dependencies |
| WCAG | 2.1 Level AA | HIGH | Accessibility tested with Lighthouse, keyboard navigation, ARIA labels |
If you're a CISO or Security Leader:
- See how Hack23 implements its own ISMS policies in production code
- Use this platform to assess your own organization's security posture
- Fork and customize for your compliance framework mix
If you're a Developer or Architect:
- Study a real-world React 19 + TypeScript 6 + Vite 8 project with 85%+ test coverage
- Learn security-by-design patterns: input validation, CSP, HTTPS enforcement, least-privilege access
- Explore C4 architecture diagrams, STRIDE threat models, and state machines
If you're a Compliance Professional:
- Map your controls to multiple frameworks simultaneously
- Generate audit-ready evidence with traceable lineage
- Estimate compliance program costs with transparency
- Live Application: Interactive assessment platform
- npm Package: Reusable React library (v1.1.59)
- Site Map: All platform pages and docs
- API Reference: TypeDoc-generated symbol documentation
- Test Coverage: Interactive Vitest coverage report
- E2E Report: Cypress test results
- Ask DeepWiki: AI-powered codebase Q&A
Current State (v1.1.59):
| Document | Description | Last Updated |
|---|---|---|
| ARCHITECTURE.md | C4 Context + Container diagrams; system boundaries; external integrations | 2026-04-28 |
| SYSTEM_ARCHITECTURE.md | Component-level architecture; React component tree; service layer | 2026-04-28 |
| SECURITY_ARCHITECTURE.md | Trust boundaries, authentication/authorization, data flow security controls | 2026-04-28 |
| THREAT_MODEL.md | STRIDE analysis; attack trees; mitigations mapped to threats | 2026-04-28 |
| DATA_MODEL.md | TypeScript interfaces; data structures; state management patterns | 2026-04-28 |
| FLOWCHART.md | User workflows; assessment processes; compliance report generation | 2026-04-28 |
| STATEDIAGRAM.md | Security profile states; compliance status transitions | 2026-04-28 |
| MINDMAP.md | Conceptual overview; feature hierarchy; domain model | 2026-04-28 |
| SWOT.md | Strengths/Weaknesses/Opportunities/Threats analysis | 2026-04-28 |
| WORKFLOWS.md | CI/CD pipelines; GitHub Actions workflows; deployment process | 2026-04-28 |
| WIDGET_ANALYSIS.md | Dashboard widget architecture; reusable component patterns | 2026-04-28 |
Future State (Target Architecture):
| Document | Description | Purpose |
|---|---|---|
| FUTURE_ARCHITECTURE.md | Target system boundaries; planned integrations (SIEM, SOAR, GRC platforms) | Roadmap clarity |
| FUTURE_SECURITY_ARCHITECTURE.md | Zero-trust model; mTLS; hardware security modules (HSM) integration | Security maturity |
| FUTURE_THREAT_MODEL.md | Advanced persistent threats (APT); supply-chain attack scenarios | Proactive defense |
| FUTURE_DATA_MODEL.md | Multi-tenant data isolation; encrypted storage at rest | Scalability + privacy |
| FUTURE_FLOWCHART.md | Automated remediation workflows; AI-assisted control selection | Automation vision |
| FUTURE_STATEDIAGRAM.md | Advanced compliance states (e.g., "Continuous Monitoring", "Auto-Remediation") | Maturity progression |
| FUTURE_MINDMAP.md | Strategic expansion into GRC, ITSM, DevSecOps tooling | Product vision |
| FUTURE_SWOT.md | Market analysis for SaaS offering; competitive positioning | Business strategy |
| FUTURE_WORKFLOWS.md | GitOps deployment; infrastructure-as-code pipelines | Operational excellence |
| Document | Framework Alignment | Purpose |
|---|---|---|
| ISMS_IMPLEMENTATION_GUIDE.md | ISO 27001:2022, NIST CSF 2.0 | How Hack23 implements ISMS controls in this project |
| ISMS_REFERENCE_MAPPING.md | ISO 27001 Annex A → Codebase | Traceable mapping from ISMS policies to code artifacts |
| TRACEABILITY_MATRIX.md | NIST CSF 2.0, CIS Controls v8.1 | Control-to-evidence traceability for audits |
| CRA-ASSESSMENT.md | EU Cyber Resilience Act 2024/2847 | Essential requirements compliance self-assessment |
| control-mapping.md | ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS | Multi-framework control mapping by CIA level |
| SECURITY.md | ISMS Vulnerability Management Policy | Security disclosure process; vulnerability reporting |
| BCPPlan.md | ISO 22301 (BCMS) | Business continuity and disaster recovery procedures |
- CONTRIBUTING.md: How to contribute code, docs, or bug reports
- CODE_OF_CONDUCT.md: Community standards and expected behavior
- CODEOWNERS: Maintainer responsibilities and review assignments
- .github/agents/README.md: GitHub Copilot custom agents documentation
- .github/skills/README.md: Shared skills framework for agents
CIA Compliance Manager is part of the Hack23 open-source intelligence and security ecosystem. Explore our family of projects:
- Hack23.com: Cybersecurity consulting, ISMS implementation, and political intelligence services
- ISMS-PUBLIC: Public Information Security Management System (ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1)
- CIA (Citizen Intelligence Agency): Political transparency platform for Swedish Riksdag data (Java, Spring, Hibernate)
- riksdagsmonitor.com: Live Swedish Parliament monitor
- EU Parliament Monitor: European Parliament political intelligence platform with AI-generated news in 14 languages
- euparliamentmonitor.com: Live EU Parliament news + analysis portal
- European Parliament MCP Server: Model Context Protocol server for EP open data (60+ OSINT tools)
- Black Trigram: Korean-themed RPG game demonstrating secure gaming architecture and ISMS alignment
Cross-Project Benefits:
- Shared ISMS policies and compliance frameworks reduce audit overhead
- Reusable security patterns (e.g., SLSA 3 provenance, CodeQL scanning, ZAP penetration testing)
- Cross-linking boosts SEO across the Hack23 domain ecosystem
- Unified documentation standards (C4 diagrams, Mermaid, TypeDoc) accelerate onboarding
Installation:

```bash
# Install as npm dependency
npm install cia-compliance-manager
# or with yarn
yarn add cia-compliance-manager
# or with pnpm
pnpm add cia-compliance-manager
```

Basic usage:

```typescript
import { SecurityProfile, AssessmentService } from 'cia-compliance-manager';
import { CIALevel } from 'cia-compliance-manager/types';

// Create a security profile
const profile: SecurityProfile = {
  confidentialityLevel: CIALevel.HIGH,
  integrityLevel: CIALevel.MEDIUM,
  availabilityLevel: CIALevel.HIGH
};

// Generate compliance mapping
const assessment = AssessmentService.generateAssessment(profile);
console.log(`Compliance Frameworks: ${assessment.frameworks.join(', ')}`);
console.log(`Total Controls: ${assessment.controls.length}`);
console.log(`Estimated Cost: $${assessment.estimatedCost.toLocaleString()}`);
```

Local development:

```bash
# Clone repository
git clone https://github.com/Hack23/cia-compliance-manager.git
cd cia-compliance-manager
# Install dependencies (requires Node ≥25.0.0, npm ≥10.0.0)
npm install
# Run development server
npm run dev
# Run tests
npm test
# Run E2E tests
npm run test:e2e
# Build library
npm run build:lib
# Generate documentation
npm run docs:bundle
```

CIA Compliance Manager provides 10 subpath exports for tree-shaking and selective imports:
```typescript
// Root export (all public symbols)
import { SecurityProfile } from 'cia-compliance-manager';
// Type definitions
import { CIALevel, ComplianceFramework } from 'cia-compliance-manager/types';
// Services (assessment, compliance, cost estimation)
import { AssessmentService, ComplianceService } from 'cia-compliance-manager/services';
// React hooks
import { useSecurityProfile, useCompliance } from 'cia-compliance-manager/hooks';
// Utility functions
import { formatCurrency, calculateROI } from 'cia-compliance-manager/utils';
// React components
import { SecurityDashboard, ComplianceMatrix } from 'cia-compliance-manager/components';
// Dashboard widgets
import { BusinessImpactWidget, ThreatModelWidget } from 'cia-compliance-manager/components/widgets';
// Constants
import { SECURITY_LEVELS, COMPLIANCE_FRAMEWORKS } from 'cia-compliance-manager/constants';
// Data (control mappings, framework definitions)
import { controlData, frameworkMappings } from 'cia-compliance-manager/data';
// React contexts
import { SecurityProfileProvider, ComplianceContext } from 'cia-compliance-manager/contexts';
```

We welcome contributions from the community! See CONTRIBUTING.md for guidelines on:
- Code contributions: Bug fixes, features, refactoring
- Documentation: Improving guides, fixing typos, adding examples
- Testing: Writing unit/integration/E2E tests
- Security: Responsible disclosure of vulnerabilities (see SECURITY.md)
- Compliance: Adding framework mappings, improving control definitions
Before submitting a PR:
- Read CODE_OF_CONDUCT.md
- Ensure tests pass (`npm test`)
- Run the linter (`npm run lint`)
- Update documentation if changing public APIs
- Sign the Contributor License Agreement (CLA)
This project is licensed under the Apache License 2.0; see LICENSE for details.
Key permissions:
- Commercial use: Use in proprietary products
- Modification: Fork, extend, customize
- Distribution: Redistribute modified versions
- Patent grant: Protection from patent litigation
Conditions:
- License and copyright notice: Include LICENSE and NOTICE files
- State changes: Document modifications clearly
- Trademark: Cannot use "Hack23" or "CIA Compliance Manager" trademarks without permission
- James Pether Sörling (CEO/Founder, Hack23 AB): Architecture, ISMS implementation, product vision
- Simon Moon (Independent Security Consultant): Business impact analysis methodology, blog post contributions
- George Dorn (Security Strategist): CIA triad strategic analysis, threat modeling patterns
- Hack23 Community Contributors: Bug reports, feature requests, documentation improvements
- OpenSSF Community: Scorecards, best practices guidance, SLSA framework
- OWASP Community: Threat modeling resources, secure coding patterns
Special thanks to the maintainers of React, TypeScript, Vite, Vitest, Cypress, Tailwind CSS, and the broader open-source ecosystem.
- Bug Reports: GitHub Issues
- Discussions: GitHub Discussions
- Security: [email protected] (PGP key: keybase.io/hack23)
- General: [email protected]
- Website: hack23.com
- LinkedIn: Hack23 AB
Built with ❤️ by Hack23 AB
Security by Design · Transparency by Default · Compliance by Example
Version 1.1.59 | Effective 2026-04-28 | Next Review 2026-07-28 | Classification: PUBLIC