[
'name' => 'NIS2 Directive',
'description' => 'An EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU.',
'controls' => [
['id' => 'C001', 'title' => 'Risk Assessment and Security Policies', 'description' => 'Conduct regular risk assessments and establish clear information security policies.'],
['id' => 'C002', 'title' => 'Incident Handling', 'description' => 'Establish procedures to detect, handle, and report cybersecurity incidents.'],
['id' => 'C003', 'title' => 'Business Continuity Management', 'description' => 'Develop plans for business continuity and crisis management to ensure operational resilience.'],
['id' => 'C004', 'title' => 'Supply Chain Security', 'description' => 'Address security in the supply chain, including relationships with suppliers and service providers.'],
['id' => 'C005', 'title' => 'Cryptography and Encryption', 'description' => 'Use of cryptography and encryption to protect data at rest and in transit.'],
]
],
'dora' => [
'name' => 'DORA',
'description' => 'The Digital Operational Resilience Act is an EU regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector.',
'controls' => [
['id' => 'D001', 'title' => 'ICT Risk Management Framework', 'description' => 'Implement a comprehensive ICT risk management framework with clear strategies and policies.'],
['id' => 'D002', 'title' => 'ICT-Related Incident Reporting', 'description' => 'Establish a process for classifying and reporting major ICT-related incidents to authorities.'],
['id' => 'D003', 'title' => 'Digital Operational Resilience Testing', 'description' => 'Conduct regular resilience testing, including threat-led penetration testing (TLPT).'],
['id' => 'D004', 'title' => 'Third-Party Risk Management', 'description' => 'Manage risks associated with third-party ICT service providers, including cloud services.'],
]
],
'iso27001' => [
'name' => 'ISO 27001',
'description' => 'An international standard on how to manage information security. It details requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS).',
'controls' => [
['id' => 'A.5.1', 'title' => 'Policies for information security', 'description' => 'A set of policies for information security shall be defined, approved by management, published and communicated.'],
['id' => 'A.6.1', 'title' => 'Information security roles and responsibilities', 'description' => 'All information security responsibilities shall be defined and allocated.'],
['id' => 'A.7.2', 'title' => 'Information security awareness, education and training', 'description' => 'All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training.'],
['id' => 'A.8.1', 'title' => 'Management of assets', 'description' => 'Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.'],
['id' => 'A.12.1', 'title' => 'Protection against malware', 'description' => 'Controls for protection against malware shall be implemented and combined with user awareness.'],
]
]
];
// --- Logic ---
$framework_id = $_GET['id'] ?? '';
$framework = $frameworks[$framework_id] ?? null;
// If framework not found, redirect to home
if (!$framework) {
header('Location: /');
exit;
}
?>
<?php echo htmlspecialchars($framework['name']); ?> - ComplianceOS