Skip to content

feat(iso27001-gap): add cryptographic asset inventory mapping gates#2709

Closed
zeroknowledge0x wants to merge 1 commit into
UnitOneAI:mainfrom
zeroknowledge0x:improve/iso27001-gap-crypto-inventory
Closed

feat(iso27001-gap): add cryptographic asset inventory mapping gates#2709
zeroknowledge0x wants to merge 1 commit into
UnitOneAI:mainfrom
zeroknowledge0x:improve/iso27001-gap-crypto-inventory

Conversation

@zeroknowledge0x

@zeroknowledge0x zeroknowledge0x commented Jun 16, 2026

Copy link
Copy Markdown

Summary

Adds structured cryptographic asset inventory mapping gates to the ISO 27001 gap analysis skill, addressing the gaps identified in #2705.

Changes

New: Cryptographic Asset Inventory Mapping Gates (A.8.24)

Added seven-field inventory framework:

Field Purpose
Asset Type Category of cryptographic asset (TLS, signing, encryption, HMAC, KMS)
Owner Named individual/role responsible for lifecycle management
Algorithm Cryptographic algorithm and key size
Storage Location Where the key/material is stored
Rotation Date Last/next rotation schedule
Data Scope What data/systems the key protects
Exception Status Documented exceptions for deprecated/weak algorithms

False Positive Guidance

Added explicit guidance that central KMS authority is valid when:

  • Central KMS maintains authoritative inventory
  • Service keys are tracked with owner, rotation, and algorithm fields
  • Service references central inventory by key ID or alias

Missed Variant Detection

Added detection patterns for:

  • "TLS certificates are inventoried, but application signing keys and webhook HMAC secrets are omitted"
  • "Deprecated algorithm use is known in code, but the asset inventory lacks owner, rotation date, or migration exception"
  • "Multiple services reference the same key alias but no single owner is accountable"

Edge Case Handling

Added validity criteria for:

  • BYOK keys (customer-managed)
  • Cloud-managed keys
  • Short-lived workload certificates
  • Offline backup keys
  • Third-party signing keys

Remediation Quality Checklist

Added seven-item checklist for cryptographic inventory improvement recommendations.

Testing

  • Verified SKILL.md syntax and structure
  • Confirmed all seven inventory fields are documented
  • Validated edge case tables render correctly
  • Checked false positive guidance alignment with review feedback

Related Issues

Closes #2705

Checklist

  • Changes are scoped to the reviewed skill
  • False positive analysis addressed
  • Coverage gaps filled with detection patterns
  • Edge cases documented
  • Remediation quality improved with structured checklist
  • No new security issues introduced
  • No functionality broken

@zeroknowledge0x
feat(iso27001-gap): add cryptographic asset inventory mapping gates
d551013 
Add structured cryptographic asset inventory framework to A.8.24:
- Asset Type: TLS, signing, encryption, HMAC, KMS master keys
- Owner: named individual/role responsible for lifecycle
- Algorithm: cryptographic algorithm and key size
- Storage Location: where key/material is stored
- Rotation Date: last/next rotation schedule
- Data Scope: what data/systems the key protects
- Exception Status: documented exceptions for deprecation

Add false positive guidance for central KMS authority.
Add missed variant detection for TLS-only inventory gaps.
Add edge case handling for BYOK, cloud-managed, short-lived certs.
Add remediation quality checklist for inventory improvements.

Closes UnitOneAI#2705

Signed-off-by: ZKA SUPER <zeroknowledge0x@users.noreply.github.com>
@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 16, 2026
@github-actions

github-actions Bot commented Jun 16, 2026

Copy link
Copy Markdown

Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot closed this Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kamalsrini kamalsrini Awaiting requested review from kamalsrini kamalsrini is a code owner

Assignees

No one assigned

Labels

needs-approved-issue PR has no linked maintainer-approved issue

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[REVIEW] iso27001-gap: add cryptographic asset inventory mapping gates

1 participant

@zeroknowledge0x