docs(security): add ISO/IEC 27001 control mapping

Publish docs/compliance/ISO_27001.md mapping the current codebase to
ISO/IEC 27001:2022 Annex A controls (A.5.15, A.5.17, A.8.5, A.8.15,
A.8.16, A.8.20, A.8.21, A.8.24, A.8.26, A.8.28) with source-code
citations. Controls that depend on operator procedures are marked
out of scope rather than claimed.

Add a "Security Posture" section to README.md summarising the new
default (USE_OPENSSL=ON) and linking to the compliance doc. Record
the change under the Unreleased entry in docs/CHANGELOG.md.

Relates to #569

Author: kcenon

README.md

@@ -21,6 +21,7 @@
 - [Documentation](#documentation)
 - [CMake Integration](#cmake-integration)
 - [Production Quality](#production-quality)
+- [Security Posture](#security-posture)
 - [Performance Baselines](#performance-baselines)
 - [Contributing](#contributing)
 - [License](#license)
@@ -587,7 +588,8 @@ graph TD
 ### Advanced Topics
 - 🏛️ [Architecture](docs/ARCHITECTURE.md) - System design and patterns
 - 📘 [API Reference](docs/API_REFERENCE.md) - Complete API documentation
-- 🔐 [Security Guide](SECURITY.md) - Security policy and reporting <!-- TODO: dedicated docs/advanced/SECURITY.md for TLS/SSL, RBAC, audit logging -->
+- 🔐 [Security Guide](SECURITY.md) - Security policy and reporting
+- 🛡️ [Security Posture](#security-posture) - TLS default, ISO/IEC 27001 mapping
 - 🔄 [Migration Guide](docs/advanced/MIGRATION.md) - Upgrading from previous versions
 
 ### Development
@@ -676,6 +678,26 @@ target_link_libraries(your_target PRIVATE database_system::database)
 
 ---
 
+## Security Posture
+
+**Secure defaults**: OpenSSL is enabled by default (`USE_OPENSSL=ON`). The
+`secure_connection` module therefore uses PBKDF2-HMAC-SHA256 for password
+hashing and AES-256-GCM for credential envelopes, and `security_credentials`
+defaults to `encryption_type::tls` with `verify_certificate=true`.
+
+Passing `-DUSE_OPENSSL=OFF` is supported only for minimal embedded builds that
+cannot ship OpenSSL; CMake emits a `WARNING` in that case and the library falls
+back to placeholder crypto that is explicitly *not* production-grade.
+
+**Standards mapping**: See [docs/compliance/ISO_27001.md](docs/compliance/ISO_27001.md)
+for a factual, source-cited mapping of implemented features to ISO/IEC 27001:2022
+Annex A controls (A.5.15, A.5.17, A.8.5, A.8.15, A.8.16, A.8.20, A.8.21, A.8.24,
+A.8.26, A.8.28). Out-of-scope controls are listed explicitly.
+
+**Reporting vulnerabilities**: see [SECURITY.md](SECURITY.md).
+
+---
+
 ## Performance Baselines
 
 **See [docs/performance/BASELINE.md](docs/performance/BASELINE.md) for detailed baseline metrics**

docs/CHANGELOG.md

@@ -38,6 +38,25 @@ category: "PROJ"
 
 ## [Unreleased] - 2026-01-23
 
+### 🔐 **Security**
+
+#### **Enable OpenSSL by default and publish ISO/IEC 27001 mapping (Issue #569)**
+- **`CMakeLists.txt`**: Introduced `USE_OPENSSL` option defaulting to `ON`. The
+  `secure_connection` module now links OpenSSL (PBKDF2-HMAC-SHA256, AES-256-GCM)
+  out of the box. `USE_OPENSSL=OFF` is still supported for minimal embedded
+  builds but emits a CMake `WARNING` and drops the module to non-production
+  placeholder crypto.
+- **New document**: `docs/compliance/ISO_27001.md` maps the current codebase to
+  ISO/IEC 27001:2022 Annex A controls (A.5.15, A.5.17, A.8.5, A.8.15, A.8.16,
+  A.8.20, A.8.21, A.8.24, A.8.26, A.8.28) with source-code citations. Out-of-
+  scope controls are listed explicitly.
+- **`README.md`**: Added "Security Posture" section summarising the new default
+  and linking to the compliance mapping.
+- **Note**: The default runtime TLS setting (`security_credentials::encryption =
+  encryption_type::tls` with `verify_certificate = true`) was already in place;
+  this change ensures the cryptographic primitives behind it are actually linked
+  in the default build.
+
 ### 📚 **Documentation**
 
 #### **Mark MongoDB and Redis Backends as Experimental (Issue #339)**

docs/compliance/ISO_27001.md

@@ -0,0 +1,238 @@
+---
+doc_id: "DBS-COMPL-001"
+doc_title: "Database System - ISO/IEC 27001 Control Mapping"
+doc_version: "0.1.0"
+doc_date: "2026-04-19"
+doc_status: "Draft"
+project: "database_system"
+category: "COMPLIANCE"
+---
+
+# ISO/IEC 27001 Control Mapping
+
+> **Scope**: This document maps the current `database_system` codebase to a curated
+> subset of ISO/IEC 27001:2022 Annex A controls. It records the mechanism in code and
+> the exact source references, and it is intentionally conservative: controls that
+> depend on environment configuration, operator procedures, or components outside
+> this repository are marked as **Out of scope** or **Partial**.
+>
+> This is **not** a certification statement. It is evidence a reviewer or adopter can
+> cross-check against the source tree.
+
+**Last updated**: 2026-04-19
+**Applies to**: `database_system` v1.0.0 and later, when built with `USE_OPENSSL=ON`
+(default since this release).
+
+---
+
+## Build-level Security Posture
+
+| Setting | Default | Where | Effect |
+|---------|---------|-------|--------|
+| `USE_OPENSSL` CMake option | `ON` | `CMakeLists.txt` | Links OpenSSL, defines `DATABASE_HAS_OPENSSL`, enables PBKDF2-HMAC-SHA256 and AES-256-GCM in `secure_connection` |
+| `security_credentials::encryption` | `encryption_type::tls` | `database/security/secure_connection.h` | Default transport encryption type is TLS |
+| `security_credentials::verify_certificate` | `true` | `database/security/secure_connection.h` | Default rejects unverified server certificates |
+
+Disabling `USE_OPENSSL` triggers a CMake `WARNING` and drops `secure_connection` to
+placeholder crypto — explicitly flagged as "NOT for production" in the source
+comment (`database/security/secure_connection.cpp`).
+
+---
+
+## A.5 — Organisational controls
+
+### A.5.15 Access control
+
+**Mechanism**: Role-Based Access Control (RBAC) via `access_control` class.
+- Roles with per-table allow/deny lists and per-operation permissions.
+- Session lifecycle (create, validate, terminate, expire).
+
+**Source**: `database/security/secure_connection.h` (lines 193-254),
+`database/security/secure_connection.cpp`.
+
+**Status**: Partial. The RBAC primitives are implemented and unit-tested, but
+enforcement at backend boundaries depends on the consuming application wiring
+`access_control::check_permission` into its query path.
+
+### A.5.17 Authentication information
+
+**Mechanism**: `credential_manager` stores credentials encrypted with the master
+key (AES-256-GCM when built with OpenSSL). Passwords are hashed via
+PBKDF2-HMAC-SHA256 (100,000 iterations) — see `secure_connection.cpp` fallback
+comment at line 211 (`Build with OpenSSL for PBKDF2-HMAC-SHA256 support.`).
+
+**Source**: `credential_manager` in `database/security/secure_connection.h`
+(lines 99-127) and `.cpp`.
+
+**Status**: Covered when `USE_OPENSSL=ON`. Without OpenSSL the fallback path is
+not suitable for production — documented in code and flagged at CMake time.
+
+---
+
+## A.8 — Technological controls
+
+### A.8.2 Privileged access rights
+
+**Mechanism**: Permission bitmask in `access_control::permission` distinguishes
+`admin` from data-plane permissions (`select`, `insert`, `update`,
+`delete_record`, `create`, `drop`, `alter`).
+
+**Source**: `database/security/secure_connection.h` (lines 196-205).
+
+**Status**: Partial (see A.5.15).
+
+### A.8.3 Information access restriction
+
+**Mechanism**: `access_control::check_table_access` and
+`query_security::validate_table_access` gate per-table access decisions.
+
+**Source**: `database/security/secure_connection.h` (lines 171, 241).
+
+**Status**: Partial. Enforcement is opt-in by the caller.
+
+### A.8.5 Secure authentication
+
+**Mechanism**: `authentication_method` enumerates `password`, `certificate`,
+`kerberos`, `oauth2`, `jwt`. Certificate-based and mutual-TLS are supported via
+`connection_security::perform_mutual_authentication` and
+`security_credentials::mutual_authentication`.
+
+**Source**: `database/security/secure_connection.h` (lines 35-41, 64-66, 141).
+
+**Status**: Covered (mechanism present); the actual auth provider is supplied
+by the consuming application or backend driver.
+
+### A.8.15 Logging
+
+**Mechanism**: `audit_logger` records database access, authentication events,
+and authorisation failures, with optional persistent file backing and a
+configurable retention window.
+
+**Source**: `database/security/secure_connection.h` (lines 268-318),
+`database/security/secure_connection.cpp`.
+
+**Status**: Covered for the events enumerated in `audit_logger`. Centralised
+log aggregation is out of scope for this repository.
+
+### A.8.16 Monitoring activities
+
+**Mechanism**: `security_monitor` performs brute-force detection, privilege-
+escalation monitoring, query-pattern analysis, and alert dispatch through a
+pluggable handler.
+
+**Source**: `database/security/secure_connection.h` (lines 332-381).
+
+**Status**: Covered at library level. Integration with a SIEM is the adopter's
+responsibility.
+
+### A.8.20 Network security
+
+**Mechanism**: TLS transport is the default encryption mode
+(`security_credentials::encryption = encryption_type::tls`).
+`connection_security::configure_tls` accepts CA bundle, client certificate, and
+client key; `set_cipher_suite` restricts allowed ciphers.
+
+**Source**: `database/security/secure_connection.h` (lines 24-29, 55, 143-145).
+
+**Status**: Covered. Cipher-suite selection and certificate management are the
+deployer's responsibility.
+
+### A.8.21 Security of network services
+
+**Mechanism**: `security_credentials::verify_certificate` defaults to `true`;
+`mutual_authentication` can be enabled to require a client certificate.
+
+**Source**: `database/security/secure_connection.h` (lines 63-66).
+
+**Status**: Covered (default-secure).
+
+### A.8.23 Web filtering
+
+**Status**: **Out of scope** — `database_system` is a database abstraction
+library and does not perform web filtering.
+
+### A.8.24 Use of cryptography
+
+**Mechanism**:
+- Password hashing: PBKDF2-HMAC-SHA256 with 100,000 iterations and a per-credential salt (OpenSSL `PKCS5_PBKDF2_HMAC`).
+- Symmetric encryption: AES-256-GCM (authenticated) for credential envelopes.
+- Random generation: OpenSSL `RAND_bytes` for salts and IVs.
+- Transport: TLS via the database driver (libpqxx, etc.) and/or `connection_security::configure_tls`.
+
+**Source**: `database/security/secure_connection.cpp` (guarded by
+`DATABASE_HAS_OPENSSL`, lines 15-21 and the comments at 206-211, 278, 331).
+
+**Status**: Covered when `USE_OPENSSL=ON` (default). Disabling OpenSSL reverts
+to placeholder crypto that is explicitly *not* A.8.24-compliant.
+
+### A.8.25 Secure development lifecycle
+
+**Mechanism**:
+- CI runs on Ubuntu (GCC/Clang), macOS, Windows (MSVC) with sanitizers
+  (`asan`, `tsan`, `ubsan`), static analysis (`clang-tidy`, `cppcheck`), and
+  coverage tracking.
+- CVE scan and SBOM generation are part of the pipeline (see
+  `docs/contributing/CI_CD_GUIDE.md`).
+- Branch protection: `main` accepts only squash-merged PRs; CI must pass.
+
+**Status**: Covered at process level. See `docs/contributing/CI_CD_GUIDE.md`
+and `.github/workflows/` for the concrete gates.
+
+### A.8.26 Application security requirements
+
+**Mechanism**: `query_security` provides SQL-injection detection,
+sanitisation, parameterisation helpers (`convert_to_prepared_statement`),
+and table-access validation.
+
+**Source**: `database/security/secure_connection.h` (lines 160-179).
+
+**Status**: Covered for the library-level surface. Application-level input
+validation is still required from the caller.
+
+### A.8.28 Secure coding
+
+**Mechanism**: All public synchronous APIs return `kcenon::common::Result<T>`
+(no exceptions across the public ABI); clang-tidy enforces snake_case and
+trailing-underscore conventions; RAII is used for all owned resources.
+
+**Source**: `CLAUDE.md` "Key Patterns" section; header reviews in
+`database/core/` and `database/security/`.
+
+**Status**: Covered at project policy level.
+
+---
+
+## A.5.30 / A.5.34 — Operational resilience & privacy
+
+These controls depend heavily on deployment configuration (BCP, DPIA, data
+residency). They are tracked at the ecosystem level (`pacs_system`,
+`logger_system`) and are **Out of scope** for this repository in isolation.
+
+---
+
+## Controls explicitly out of scope
+
+| Control | Reason |
+|---------|--------|
+| A.5.7 Threat intelligence | Handled by operator, not library |
+| A.6 People controls | Organisational, not code |
+| A.7 Physical controls | Organisational, not code |
+| A.8.6 Capacity management | Deployment concern |
+| A.8.9 Configuration management | Deployment/IaC concern |
+| A.8.22 Segregation of networks | Deployment/network concern |
+
+---
+
+## Change log for this document
+
+| Date | Version | Change |
+|------|---------|--------|
+| 2026-04-19 | 0.1.0 | Initial mapping, issue #569. |
+
+---
+
+## See also
+
+- [SECURITY.md](../../SECURITY.md) — vulnerability reporting
+- [FEATURES_POOLING_SECURITY.md](../FEATURES_POOLING_SECURITY.md) — security feature reference
+- [PRODUCTION_QUALITY.md](../PRODUCTION_QUALITY.md) — production-readiness posture