
CC5.1 — Selection and development of control activities

Status: Implemented
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28

Trust Services Criteria reference

The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. The control covers the linkage between identified risks and the controls put in place, the proportionality of controls to risks, the integration of preventive and detective controls, and the documentation of the selection rationale.

How ZeroAuth meets this control

The risk-to-control mapping is explicit. Each A-NN row in docs/threat_model.md carries a "Mitigation" field that names the implementing source file or test. The 21 Phase 0 audit findings in docs/security/audit-findings.md each have a "Notes" column that points to the closing commit hash + the regression test that pins the closure. The compliance-risk catalogue at docs/compliance/compliance-roadmap-v1.md §7 names eight R-COMP-NN risks with explicit mitigation paragraphs per risk.

The preventive-vs-detective taxonomy is built into the design. Examples:

  • Preventive: tenant isolation. src/middleware/tenant-auth.ts is required on every /v1/* route. The source-level guard tests/tenant-isolation.test.ts (commit a1bbc47) checks the static text of every route file and rejects any router.<verb> without the middleware. 14 intentionally-public exceptions live in PUBLIC_ROUTE_EXCEPTIONS with ≥ 20-character justifications. Mitigates threat-model row A-01.
  • Preventive: forbidden biometric payload key. tests/biometric-rejection.test.ts (commit c09c081) source-greps for 9 forbidden payload-key reads. ADR 0016 (commit 76f8d4e) layers runtime defence: zod .refine() against the same key list, defence-in-depth. Mitigates row A-15.
  • Preventive: circuit-vkey drift. Boot-time SHA-256 check in src/services/zkp.ts (commit e98d158); refuses to start on mismatch. Mitigates audit finding C-7.
  • Preventive: demo-bypass. 02e1734 removed the bypass branch from src/services/proof-pairing.ts; pairing_demo_mode field marked @deprecated; regression test tests/proof-pairing.test.ts::"P0 audit finding C-1 closure". Mitigates A-27.
  • Detective: audit hash chain drift detector. ADR 0013 specifies a lightweight hourly job that replays the last N rows per tenant and compares against event_hash. Mismatch triggers a sev-1 alert. Mitigates row A-22.
  • Detective: daily on-chain anchor. ADR 0014 schedules an anchor job at 00:30 IST each day; a missed anchor surfaces in the audit_anchors table, and 2 consecutive misses put the tenant in the "anchor-degraded" state with a dashboard banner. Mitigates the full pause-and-tamper scenario, in which an attacker halts writes, rewrites history and re-links the chain so that a replay alone sees no drift; only the externally committed anchor exposes that.
  • Detective: nightly CVE monitor. scripts/cve-monitor.sh (commit f8a756c) scans dependencies + alerts on high-severity findings. Mitigates audit finding C-14.
  • Detective: CI biometric source-grep. Re-runs tests/biometric-rejection.test.ts on every push; a regression is caught at the gate.
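The tenant-isolation guard in the first bullet (tests/tenant-isolation.test.ts) is described but not shown. The block below is an added example of how such a source-level guard works, not ZeroAuth's own test: it scans the text of route files for router.<verb>("<path>", ...) registrations, requires a bare tenantAuth argument (the export name is an assumption, as are the file contents, route names and exception entries, all constructed here), and applies the PUBLIC_ROUTE_EXCEPTIONS rule with the 20-character justification minimum. It goes one step beyond the narrative by also flagging exception entries whose route no longer exists, which is how an allow-list silently outgrows the code it covers.

```typescript
// Added example of a source-level route guard. Not ZeroAuth's code.
// Assumptions: the middleware is exported as `tenantAuth`, routes are registered
// as router.<verb>("<path>", ...), and every file, route and exception entry
// below is constructed for illustration.

const MIDDLEWARE_NAME = "tenantAuth";
const MIN_JUSTIFICATION = 20;

// Allow-list keyed "<file>:<verb> <path>"; the value is the written justification.
export const PUBLIC_ROUTE_EXCEPTIONS = new Map<string, string>([
  ["src/routes/public.ts:get /v1/health", "Load-balancer liveness probe; returns no tenant data."],
  ["src/routes/public.ts:post /v1/login", "Too short"],                               // fails the >= 20-char rule
  ["src/routes/legacy.ts:get /v1/old", "Route was removed; exception never pruned."], // stale entry
]);

export interface Violation { file: string; line: number; route: string; reason: string; }
interface RouteCall { line: number; route: string; args: string[]; }

// Extract every router.<verb>("<path>", arg, arg, ...) call from a file's text.
// The argument capture stops at the first ")", so an inline handler's parameter
// list ends it; middleware is listed before the handler, so that is sufficient.
export function listRoutes(source: string): RouteCall[] {
  const re = /router\.(get|post|put|patch|delete|all)\(\s*(['"`])([^'"`]+)\2\s*,?([^)]*)\)/g;
  const calls: RouteCall[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(source)) !== null) {
    const [, verb, , path, rawArgs] = m;
    calls.push({
      line: source.slice(0, m.index).split("\n").length,
      route: `${verb} ${path}`,
      args: rawArgs.split(",").map((a) => a.trim()).filter((a) => a.length > 0),
    });
  }
  return calls;
}

export function findViolations(file: string, source: string): Violation[] {
  const out: Violation[] = [];
  for (const call of listRoutes(source)) {
    // Only a bare identifier counts, so `tenantAuthDisabled` is not `tenantAuth`.
    if (call.args.includes(MIDDLEWARE_NAME)) continue;
    const why = PUBLIC_ROUTE_EXCEPTIONS.get(`${file}:${call.route}`);
    if (why === undefined) {
      out.push({ file, line: call.line, route: call.route, reason: `missing ${MIDDLEWARE_NAME} and not in PUBLIC_ROUTE_EXCEPTIONS` });
    } else if (why.trim().length < MIN_JUSTIFICATION) {
      out.push({ file, line: call.line, route: call.route, reason: `exception justification shorter than ${MIN_JUSTIFICATION} characters` });
    }
  }
  return out;
}

// Scan a whole tree (here an in-memory map of path -> contents) and also report
// exception entries that no longer correspond to any registered route.
export function scanAll(files: Record<string, string>): Violation[] {
  const out: Violation[] = [];
  const seen = new Set<string>();
  for (const [file, source] of Object.entries(files)) {
    for (const call of listRoutes(source)) seen.add(`${file}:${call.route}`);
    out.push(...findViolations(file, source));
  }
  PUBLIC_ROUTE_EXCEPTIONS.forEach((_why, key) => {
    if (seen.has(key)) return;
    const cut = key.indexOf(":"); // split on the first colon only; paths may contain ":id"
    out.push({ file: key.slice(0, cut), line: 0, route: key.slice(cut + 1), reason: "stale exception: no such route in the scanned files" });
  });
  return out;
}

// Constructed route files standing in for src/routes/*.ts.
export const SAMPLE_FILES: Record<string, string> = {
  "src/routes/sessions.ts": `
import { Router } from "express";
import { tenantAuth } from "../middleware/tenant-auth";
const router = Router();
router.post("/v1/sessions", tenantAuth, createSession);
router.delete("/v1/sessions/:id", tenantAuth, async (req, res) => {
  res.sendStatus(204);
});
router.get("/v1/sessions", listSessions);
router.put("/v1/sessions/:id", tenantAuthDisabled, updateSession);
export default router;
`,
  "src/routes/public.ts": `
import { Router } from "express";
const router = Router();
router.get("/v1/health", healthHandler);
router.post("/v1/login", loginHandler);
export default router;
`,
};

// One line per finding, suitable for a test's failure message or a CI log.
export function guardReport(files: Record<string, string> = SAMPLE_FILES): string[] {
  return scanAll(files).map((v) => `${v.file}:${v.line} ${v.route}: ${v.reason}`);
}
```

Against the constructed files the guard reports four findings: the two unprotected registrations in sessions.ts (one of them using a look-alike identifier), the /v1/login exception with a justification under 20 characters, and the stale legacy.ts entry. In a real test the file map is built by reading src/routes/ from disk and the test fails when the report is non-empty.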

Compliance roadmap §4 enumerates the deliverable trail — every "control activity" in the SOC 2 + ISO sense is one of the rows in §4.1 (Q1, 20 rows), §4.2 (Q2, 14 rows), §4.3 (Q3, 16 rows), or §4.4 (Q4, 10 rows). Total: 60 named compliance deliverables across the 12-month roadmap, each with an owner agent + target week + dependency.

ADR-driven decision trail: ADR 0011 (commit 51bc705) — the branching workflow that constrains how controls land. ADR 0013 (commit 27ed93c) — the audit chain construction. ADR 0014 — the on-chain anchor. ADR 0015 — circuit version pinning. ADR 0016 (commit 76f8d4e) — the zod input validation layer. The ADR-first discipline (per dep-add skill + 06-ways-of-working.md) means controls have written rationale before they ship.
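ADR 0013's chain construction and the hourly drift detector from the list above are the kind of control an auditor asks to see exercised. The block below is an added example, not ZeroAuth's audit chain, appendAuditEvent, or ADR 0013's exact construction: the hash recipe (tenant id, sequence number, previous hash and canonical JSON of the event, SHA-256'd together), the genesis value and the sample events are assumptions chosen for illustration. It appends rows per tenant and then replays the last N rows the way the detector does, distinguishing an altered payload, a re-hashed row that breaks the next link, and a deleted row.

```typescript
import { createHash } from "crypto";

// Added example of a hash-chained audit log plus a tail-replay drift detector.
// Not ZeroAuth's code. Assumed recipe (ADR 0013's may differ):
//   event_hash = SHA-256(tenant_id | seq | prev_hash | canonical JSON of event)
// with prev_hash = GENESIS_HASH for each tenant's first row.

export const GENESIS_HASH = "0".repeat(64);

export interface AuditRow {
  tenant_id: string;
  seq: number;                        // 1-based and contiguous per tenant
  event: Record<string, unknown>;
  prev_hash: string;
  event_hash: string;
}

// Canonical JSON: object keys sorted recursively, so key order cannot change the hash.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const o = value as Record<string, unknown>;
    return "{" + Object.keys(o).sort().map((k) => JSON.stringify(k) + ":" + canonical(o[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

export function eventHash(tenant: string, seq: number, prevHash: string, event: Record<string, unknown>): string {
  return createHash("sha256").update(`${tenant}|${seq}|${prevHash}|${canonical(event)}`).digest("hex");
}

// Append one event for a tenant, linking it to that tenant's latest row.
export function appendEvent(log: AuditRow[], tenant: string, event: Record<string, unknown>): AuditRow {
  let prev: AuditRow | undefined;
  for (const r of log) if (r.tenant_id === tenant && (!prev || r.seq > prev.seq)) prev = r;
  const seq = prev ? prev.seq + 1 : 1;
  const prev_hash = prev ? prev.event_hash : GENESIS_HASH;
  const row: AuditRow = { tenant_id: tenant, seq, event, prev_hash, event_hash: eventHash(tenant, seq, prev_hash, event) };
  log.push(row);
  return row;
}

export interface DriftReport { tenant: string; checked: number; badSeq: number | null; reason: string | null; }

// Replay the last n rows of one tenant. One extra row before the window is
// included so the window's first link is verified too; the link *into* that extra
// row is trusted, which is precisely the gap a periodic external anchor covers.
export function detectDrift(log: AuditRow[], tenant: string, n: number): DriftReport {
  const rows = log.filter((r) => r.tenant_id === tenant).sort((a, b) => a.seq - b.seq);
  const tail = rows.slice(Math.max(0, rows.length - n - 1));
  for (let i = 0; i < tail.length; i++) {
    const r = tail[i];
    const fail = (reason: string): DriftReport => ({ tenant, checked: i + 1, badSeq: r.seq, reason });
    if (i === 0) {
      if (r.seq === 1 && r.prev_hash !== GENESIS_HASH) return fail("first row does not link to genesis");
    } else {
      if (r.seq !== tail[i - 1].seq + 1) return fail("sequence gap: row(s) missing or reordered");
      if (r.prev_hash !== tail[i - 1].event_hash) return fail("broken link: prev_hash does not match previous event_hash");
    }
    if (eventHash(r.tenant_id, r.seq, r.prev_hash, r.event) !== r.event_hash) {
      return fail("payload altered: recomputed hash differs from stored event_hash");
    }
  }
  return { tenant, checked: tail.length, badSeq: null, reason: null };
}

// Constructed sample: six events for tenant t1 and one for t2.
export function buildSampleLog(): AuditRow[] {
  const log: AuditRow[] = [];
  for (let i = 1; i <= 6; i++) appendEvent(log, "t1", { type: "login", user: `user${i}`, ok: i % 2 === 0 });
  appendEvent(log, "t2", { type: "login", user: "other", ok: true });
  return log;
}
```

Three failure modes matter in practice and the detector names each: editing a row's payload in place (recomputed hash differs at that row), editing and re-hashing the row (the next row's prev_hash no longer matches, so the break surfaces one seq later), and deleting a row (sequence gap). The window size N is a trade-off between job cost and how far back a quiet tamper can hide; whatever N is, rows older than the window are only covered by the previous run and by the external anchor.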

Evidence references

  • docs/threat_model.md — risk-to-mitigation map per A-NN row.
  • docs/security/audit-findings.md — 21 findings with implementing commit + test reference.
  • docs/compliance/compliance-roadmap-v1.md §7 — 8 R-COMP-NN risks with mitigations.
  • docs/compliance/compliance-roadmap-v1.md §4 — 60 quarterly deliverables = compliance control activities.
  • Commit a1bbc47 — tenant-isolation source-level guard.
  • Commit c09c081 — biometric forbidden-key grep + appendAuditEvent enforcement.
  • Commit e98d158 — boot-time vkey check.
  • Commit 02e1734 — demo-bypass removal.
  • Commit a475ed8 — audit hash chain.
  • Commit d634b2d — audit-integrity endpoint.
  • Commit d6c6a4e — AuditAnchor contract.
  • Commit f8a756c — CVE monitor.
  • ADRs 0011, 0013, 0014, 0015, 0016 — control-design rationale.

Open gaps + remediation roadmap

  • Per-control "control activity" SOC 2 deliverable table — auditor expects a one-to-one mapping from criterion to implementing artefact. The 120+ control narratives in docs/compliance/soc2/control-narratives/ are the deliverable; 30 land week 4 (this batch), 60 by week 14, 120 by week 22 per agent-38 ticket plan.
  • Control-effectiveness sampling plan — sample-size + frequency per control for the Type II evidence period. Target week 14 (alongside Type I kickoff).
  • Compensating-control matrix — where a primary control has a known residual risk, document the compensating control. Target week 14.

Test or audit query

For each closed audit finding in docs/security/audit-findings.md, the Notes column names a closing commit and a test file. git log --oneline -1 <commit-hash> proves the commit exists in the repository (it errors on an unknown hash); cat <test-file> proves the regression guard is in place, and a grep for the finding's identifier in that file ties the test back to the finding.