
Control

retention: reference

A compliance or governance control mapped to a framework (SOC 2, ISO 27001, SAMA, PDPL, NCA, etc.). Controls carry implementation status and evidence pointers; full PDPL/regulatory mapping work lands in Phase 1B (Q1).

RACI requirements

decision_maker: required
approver: optional
reviewer: required
contributor: optional
informed: optional

JSON Schema

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://gcc.bootminds.com/ontology/node-types/control.json",
  "title": "Control",
  "description": "A compliance or governance control mapped to a framework (SOC 2, ISO 27001, SAMA, PDPL, NCA, etc.). Controls carry implementation status and evidence pointers; full PDPL/regulatory mapping work lands in Phase 1B (Q1).",
  "type": "object",
  "x-node-type": "Control",
  "x-lifecycle-state-machine": null,
  "x-raci-requirements": {
    "decision_maker": "required",
    "approver": "optional",
    "reviewer": "required",
    "contributor": "optional",
    "informed": "optional"
  },
  "x-retention-class": "reference",
  "required": [
    "node_id",
    "node_type",
    "tenant_id",
    "attributes",
    "state",
    "created_at",
    "created_by"
  ],
  "properties": {
    "node_id": {
      "type": "string",
      "format": "uuid"
    },
    "node_type": {
      "const": "Control"
    },
    "tenant_id": {
      "type": "string",
      "format": "uuid"
    },
    "state": {
      "type": "string",
      "enum": [
        "NotImplemented",
        "PartiallyImplemented",
        "Implemented",
        "Verified"
      ],
      "description": "Control implementation status. No formal state machine in Phase 0."
    },
    "attributes": {
      "type": "object",
      "additionalProperties": false,
      "required": [
        "control_id",
        "framework",
        "description",
        "owner_id_ref"
      ],
      "properties": {
        "control_id": {
          "type": "string",
          "minLength": 1,
          "description": "Framework-native control identifier (e.g., 'CC6.1' for SOC 2, 'A.9.2.3' for ISO 27001). Unique within (tenant, framework); this schema validates one node at a time, so uniqueness has to be enforced where nodes are stored."
        },
        "framework": {
          "type": "string",
          "enum": [
            "SOC2",
            "ISO27001",
            "SAMA",
            "PDPL",
            "NCA",
            "other"
          ],
          "description": "Source framework. PDPL/SAMA/NCA mapping deepens in Phase 1B compliance posture work."
        },
        "description": {
          "type": "string",
          "minLength": 1,
          "description": "Plain-language description of what the control requires."
        },
        "owner_id_ref": {
          "type": "string",
          "format": "uuid",
          "description": "Stakeholder UUID accountable for this control."
        },
        "evidence_refs": {
          "type": "array",
          "description": "References to Document nodes providing evidence of implementation.",
          "items": {
            "type": "string",
            "format": "uuid"
          }
        },
        "last_verified_at": {
          "type": [
            "string",
            "null"
          ],
          "format": "date-time",
          "description": "Most recent verification timestamp; null until state == Verified. This schema does not enforce that link to state, so it has to be checked where nodes are written."
        },
        "next_review_date": {
          "type": [
            "string",
            "null"
          ],
          "format": "date",
          "description": "Next scheduled review date."
        }
      }
    },
    "created_at": {
      "type": "string",
      "format": "date-time"
    },
    "created_by": {
      "type": "string",
      "format": "uuid"
    },
    "updated_at": {
      "type": "string",
      "format": "date-time"
    }
  }
}