{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://securitycompliancehub.io/schemas/iso27001-prefill.schema.json",
  "title": "SCH ISO 27001:2022 Pre-fill Schema",
  "description": "Schema for importing GRC tool, ITSM, and IAM data into the SCH ISO 27001:2022 ISMS assessment. 8 sections covering Clauses 4–10 and Annex A, 58 questions. Useful data sources: ServiceNow GRC, Archer, Entra ID, Jira.",
  "version": "1.0.0",
  "type": "object",
  "required": ["assessmentType", "generated", "questions"],
  "additionalProperties": false,
  "properties": {
    "assessmentType": {
      "type": "string",
      "const": "iso27001",
      "description": "Must be 'iso27001'."
    },
    "source": {
      "type": "string",
      "description": "Tool or pipeline that generated this file.",
      "examples": ["servicenow-grc", "archer", "entra-id", "jira", "custom-script"]
    },
    "generated": {
      "type": "string",
      "format": "date-time"
    },
    "questions": {
      "type": "object",
      "description": "Map of question radio names to pre-fill values. Key format: iso_{section}_{question}. Sections: CL1 (Context of the Organisation, Clause 4), CL2 (Leadership, Clause 5), CL3 (Planning, Clause 6), CL4 (Support, Clause 7), CL5 (Operation, Clause 8), CL6 (Performance Evaluation, Clause 9), CL7 (Improvement, Clause 10), AA (Annex A Controls). Example keys: iso_CL1_1, iso_CL3_2, iso_AA_4.",
      "propertyNames": {
        "pattern": "^iso_(CL[1-7]|AA)_[0-9]+$"
      },
      "additionalProperties": {
        "$ref": "#/$defs/questionEntry"
      },
      "examples": [
        {
          "iso_CL3_1": {
            "suggested_value": "partial",
            "evidence_summary": "Risk register exists in ServiceNow GRC; 23 open risks identified, 8 without treatment plans"
          },
          "iso_CL6_1": {
            "suggested_value": "implemented",
            "evidence_summary": "Monthly management reviews conducted; minutes archived in SharePoint for past 12 months"
          },
          "iso_AA_4": {
            "suggested_value": "partial",
            "evidence_summary": "Access review process documented; quarterly reviews completed for privileged accounts; standard user reviews annual only",
            "evidence_detail": "Privileged accounts last reviewed: 2026-03-15. Standard user accounts last reviewed: 2025-12-01. 14 orphaned accounts identified pending removal.",
            "raw_stats": {
              "privileged_accounts": 47,
              "standard_accounts": 312,
              "orphaned_accounts": 14,
              "last_privileged_review": "2026-03-15"
            }
          }
        }
      ]
    }
  },
  "$defs": {
    "questionEntry": {
      "type": "object",
      "required": ["suggested_value"],
      "additionalProperties": false,
      "properties": {
        "suggested_value": {
          "type": "string",
          "enum": ["implemented", "partial", "not-implemented", "na"],
          "description": "'implemented' = fully in place, 'partial' = partially in place, 'not-implemented' = not in place, 'na' = not applicable. The user reviews and confirms before submission."
        },
        "evidence_summary": {
          "type": "string",
          "maxLength": 500,
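          "description": "CLAUDE-SAFE. Aggregated, identifier-free summary that may be included in Phronesis analysis. Must not contain personal data or system identifiers. This schema enforces only the 500-character limit, so the producing tool must remove identifiers before writing this field."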
        },
        "evidence_detail": {
          "type": "string",
          "description": "EVIDENCE VAULT ONLY. Detailed data with specific identifiers. Never sent to Phronesis AI."
        },
        "raw_stats": {
          "type": "object",
          "description": "EVIDENCE VAULT ONLY. Machine-readable statistics. Never sent to Phronesis AI. Free-form object: this schema does not constrain its keys or values.",
          "additionalProperties": true
        }
      }
    }
  }
}
