GRC API
Manage compliance controls, evidence, risks and audits programmatically.
Controls
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/controls | List all controls |
| GET | /api/v1/controls/{id} | Get control details |
| PATCH | /api/v1/controls/{id} | Update control status |
| GET | /api/v1/controls/{id}/evidence | List evidence for a control |
List Controls
```bash
GET /api/v1/controls
```
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| framework | string | Filter by framework: soc2, iso27001, pci-dss, hipaa, gdpr, nist-csf, dora |
| status | string | Filter by status: not_started, in_progress, implemented, not_applicable |
| category | string | Filter by control category |
Response
```json
{
  "items": [
    {
      "id": "ctrl_abc123",
      "control_id": "CC6.1",
      "name": "Logical and Physical Access Controls",
      "description": "The entity implements logical access security...",
      "status": "implemented",
      "implementation_notes": "Access managed via Okta SSO...",
      "frameworks": ["SOC 2", "ISO 27001"],
      "evidence_count": 5,
      "last_assessed": "2025-12-15T00:00:00Z",
      "owner": "[email protected]"
    }
  ],
  "total": 89,
  "page": 1,
  "per_page": 20
}
```
Update Control
```bash
PATCH /api/v1/controls/{control_id}
Content-Type: application/json
{
  "status": "implemented",
  "implementation_notes": "Implemented using AWS IAM policies",
  "owner": "[email protected]",
  "next_review_date": "2026-06-01T00:00:00Z"
}
```
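As an added example (not part of the GRC API documentation), the following pages through the controls listing for one framework and reports two audit-readiness gaps: controls still open, and controls marked implemented with no evidence attached. It assumes the listing accepts a `page` query parameter (the response carries page/per_page/total, but the request parameter is not documented above) and takes an injected `get(path, params)` callable so it runs offline against constructed pages.

```python
# Added example, not part of the GRC API documentation. Pages through
# GET /api/v1/controls for one framework and reports two audit-readiness gaps.
# Assumptions: a `page` query parameter is accepted (undocumented above), and
# `get` is any callable get(path, params) -> parsed JSON dict (injected).
from typing import Callable, Dict, List

OPEN_STATUSES = {"not_started", "in_progress"}


def audit_readiness(get: Callable[[str, dict], dict], framework: str) -> Dict[str, List[str]]:
    open_ids: List[str] = []
    unevidenced: List[str] = []
    page = 1
    while True:
        resp = get("/api/v1/controls", {"framework": framework, "page": page})
        items = resp.get("items", [])
        for ctrl in items:
            if ctrl["status"] in OPEN_STATUSES:
                open_ids.append(ctrl["control_id"])
            elif ctrl["status"] == "implemented" and ctrl.get("evidence_count", 0) == 0:
                # "implemented" with no evidence will not survive an auditor's request
                unevidenced.append(ctrl["control_id"])
        seen = (page - 1) * resp["per_page"] + len(items)
        # Stop on the last page or an empty page, so a wrong `total` cannot loop forever.
        if not items or seen >= resp["total"]:
            return {"open": open_ids, "implemented_without_evidence": unevidenced}
        page += 1


# Constructed sample pages in the shape of the documented list response.
_SAMPLE_PAGES = {
    1: {"items": [
            {"control_id": "CC6.1", "status": "implemented", "evidence_count": 5},
            {"control_id": "CC4.2", "status": "not_started", "evidence_count": 0},
        ], "total": 3, "page": 1, "per_page": 2},
    2: {"items": [
            {"control_id": "CC7.1", "status": "implemented", "evidence_count": 0},
        ], "total": 3, "page": 2, "per_page": 2},
}


def sample_get(path: str, params: dict) -> dict:
    """Stand-in for an HTTP GET against the API; serves the constructed pages."""
    assert path == "/api/v1/controls"
    return _SAMPLE_PAGES[params["page"]]


if __name__ == "__main__":
    print(audit_readiness(sample_get, "soc2"))
```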
Evidence
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/evidence | List all evidence |
| POST | /api/v1/evidence | Upload new evidence |
| GET | /api/v1/evidence/{id} | Get evidence details |
| DELETE | /api/v1/evidence/{id} | Delete evidence |
| POST | /api/v1/evidence/{id}/link | Link evidence to controls |
List Evidence
```bash
GET /api/v1/evidence
```
Response
```json
{
  "items": [
    {
      "id": "evd_abc123",
      "name": "AWS IAM Policy Export",
      "type": "document",
      "file_type": "application/json",
      "size_bytes": 45678,
      "uploaded_by": "[email protected]",
      "uploaded_at": "2025-12-20T14:00:00Z",
      "linked_controls": ["CC6.1", "CC6.2", "A.9.1.1"],
      "tags": ["access-control", "aws"],
      "status": "approved"
    }
  ],
  "total": 234
}
```
Upload Evidence
```bash
POST /api/v1/evidence
Content-Type: multipart/form-data
file: <binary>
name: "Security Policy Document"
description: "Annual security policy review 2025"
control_ids: ["CC1.1", "A.5.1"]
tags: ["policy", "annual-review"]
```
Response
```json
{
  "id": "evd_xyz789",
  "name": "Security Policy Document",
  "status": "pending_review",
  "uploaded_at": "2025-12-21T15:00:00Z",
  "scan_status": "clean"
}
```
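As an added example (not the API's own client code), this builds the multipart/form-data request for the upload documented above and then classifies the upload response, so that evidence is only treated as usable once it has been scanned clean and approved. It assumes list fields (control_ids, tags) are sent as JSON-encoded strings, that the file part is named `file`, and that the boundary is supplied or generated locally.

```python
# Added example, not part of the GRC API documentation. Builds the
# multipart/form-data body for POST /api/v1/evidence and classifies the response.
# Assumptions: list fields are JSON-encoded strings; the file part is named "file".
import json
import secrets
from typing import Dict, Optional, Tuple


def build_evidence_upload(file_name: str, file_bytes: bytes, file_content_type: str,
                          fields: Dict[str, object], boundary: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (Content-Type header value, request body bytes)."""
    boundary = boundary or "----grc-" + secrets.token_hex(8)
    parts = []
    for key, value in fields.items():
        text = json.dumps(value) if isinstance(value, (list, dict)) else str(value)
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{key}"\r\n\r\n{text}\r\n'.encode())
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{file_name}"\r\n'
        f"Content-Type: {file_content_type}\r\n\r\n".encode() + file_bytes + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def classify_upload(resp: dict) -> str:
    """Map the upload response onto what the caller may do next: evidence counts
    toward a control only after it is scanned clean and its review is approved."""
    if resp.get("scan_status") != "clean":
        return "blocked"                      # do not link or reference the file
    return resp.get("status", "unknown")      # e.g. pending_review, approved


# Constructed inputs mirroring the request documented above.
SAMPLE_FIELDS = {"name": "Security Policy Document",
                 "description": "Annual security policy review 2025",
                 "control_ids": ["CC1.1", "A.5.1"], "tags": ["policy", "annual-review"]}

if __name__ == "__main__":
    ctype, body = build_evidence_upload("policy.pdf", b"%PDF-1.7 ...", "application/pdf", SAMPLE_FIELDS)
    print(ctype, len(body), "bytes")
    print(classify_upload({"id": "evd_xyz789", "status": "pending_review", "scan_status": "clean"}))
```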
Risk Register
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/risks | List all risks |
| POST | /api/v1/risks | Create new risk |
| GET | /api/v1/risks/{id} | Get risk details |
| PATCH | /api/v1/risks/{id} | Update risk |
| DELETE | /api/v1/risks/{id} | Delete risk |
List Risks
```bash
GET /api/v1/risks
```
Response
```json
{
  "items": [
    {
      "id": "risk_abc123",
      "title": "Third-Party Data Breach",
      "description": "Risk of data exposure through vendor systems",
      "category": "third_party",
      "likelihood": 3,
      "impact": 5,
      "inherent_score": 15,
      "residual_score": 6,
      "status": "mitigating",
      "owner": "[email protected]",
      "controls": ["CC9.2", "A.15.1.1"],
      "treatment": "mitigate",
      "review_date": "2026-01-15T00:00:00Z"
    }
  ],
  "total": 45
}
```
Create Risk
```bash
POST /api/v1/risks
Content-Type: application/json
{
  "title": "Cloud Service Outage",
  "description": "Risk of service disruption due to cloud provider issues",
  "category": "operational",
  "likelihood": 2,
  "impact": 4,
  "owner": "[email protected]",
  "controls": ["CC7.4", "A.17.1.1"],
  "treatment": "mitigate",
  "mitigation_plan": "Implement multi-region deployment..."
}
```
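As an added example (not part of the GRC API documentation), this triages a risk register in the shape of the list response above before an audit: it recomputes inherent_score as likelihood times impact (the documented sample shows 3 x 5 = 15) and flags risks whose review_date has passed, whose residual_score exceeds a tolerance, or whose treatment is "mitigate" with no controls linked. The residual tolerance value and the sample entries are constructed assumptions.

```python
# Added example, not part of the GRC API documentation. Triages risk register
# entries as returned by GET /api/v1/risks. The residual tolerance is an assumed value.
from datetime import date, datetime
from typing import Dict, List


def triage_risks(risks: List[dict], today: date, residual_tolerance: int = 8) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {}
    for risk in risks:
        reasons: List[str] = []
        # The register's inherent_score should equal likelihood * impact (3 * 5 = 15 above).
        if risk["likelihood"] * risk["impact"] != risk["inherent_score"]:
            reasons.append("inherent_score does not match likelihood * impact")
        if risk["residual_score"] > residual_tolerance:
            reasons.append(f"residual_score {risk['residual_score']} above tolerance {residual_tolerance}")
        review = datetime.fromisoformat(risk["review_date"].replace("Z", "+00:00")).date()
        if review < today:
            reasons.append(f"review overdue since {review.isoformat()}")
        if risk["treatment"] == "mitigate" and not risk.get("controls"):
            reasons.append("treatment is mitigate but no controls are linked")
        if reasons:
            findings[risk["id"]] = reasons
    return findings


# Constructed register entries in the shape of the documented response.
SAMPLE_RISKS = [
    {"id": "risk_abc123", "likelihood": 3, "impact": 5, "inherent_score": 15, "residual_score": 6,
     "treatment": "mitigate", "controls": ["CC9.2", "A.15.1.1"], "review_date": "2026-01-15T00:00:00Z"},
    {"id": "risk_def456", "likelihood": 4, "impact": 4, "inherent_score": 16, "residual_score": 12,
     "treatment": "mitigate", "controls": [], "review_date": "2025-10-01T00:00:00Z"},
]

if __name__ == "__main__":
    for risk_id, reasons in triage_risks(SAMPLE_RISKS, date(2025, 12, 21)).items():
        print(risk_id, "->", "; ".join(reasons))
```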
Frameworks
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/frameworks | List enabled frameworks |
| GET | /api/v1/frameworks/{id} | Get framework details |
| GET | /api/v1/frameworks/{id}/progress | Get compliance progress |
Get Framework Progress
```bash
GET /api/v1/frameworks/soc2/progress
```
Response
```json
{
  "framework": "SOC 2 Type II",
  "overall_score": 78,
  "by_category": {
    "CC1": {"name": "Control Environment", "score": 85, "controls": 5, "implemented": 4},
    "CC2": {"name": "Communication", "score": 80, "controls": 4, "implemented": 3},
    "CC3": {"name": "Risk Assessment", "score": 75, "controls": 6, "implemented": 4},
    "CC4": {"name": "Monitoring", "score": 70, "controls": 5, "implemented": 3},
    "CC5": {"name": "Control Activities", "score": 80, "controls": 8, "implemented": 6},
    "CC6": {"name": "Logical Access", "score": 90, "controls": 10, "implemented": 9},
    "CC7": {"name": "System Operations", "score": 75, "controls": 6, "implemented": 4},
    "CC8": {"name": "Change Management", "score": 70, "controls": 4, "implemented": 3},
    "CC9": {"name": "Risk Mitigation", "score": 65, "controls": 3, "implemented": 2}
  },
  "gaps": [
    {
      "control_id": "CC4.2",
      "name": "Monitoring Security Events",
      "priority": "high",
      "recommendation": "Implement SIEM solution"
    }
  ]
}
```
Vendors
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/vendors | List all vendors |
| POST | /api/v1/vendors | Add new vendor |
| GET | /api/v1/vendors/{id} | Get vendor details |
| PATCH | /api/v1/vendors/{id} | Update vendor |
List Vendors
```bash
GET /api/v1/vendors
```
Response
```json
{
  "items": [
    {
      "id": "vendor_abc123",
      "name": "AWS",
      "category": "cloud_infrastructure",
      "criticality": "critical",
      "risk_level": "low",
      "soc2_certified": true,
      "iso27001_certified": true,
      "last_assessment": "2025-11-01T00:00:00Z",
      "next_review": "2026-05-01T00:00:00Z",
      "contracts": 3,
      "data_types": ["customer_data", "system_logs"]
    }
  ],
  "total": 28
}
```
Audit Engagements
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/audits | List audit engagements |
| POST | /api/v1/audits | Create audit engagement |
| GET | /api/v1/audits/{id} | Get audit details |
| GET | /api/v1/audits/{id}/requests | List audit requests |
List Audits
```bash
GET /api/v1/audits
```
Response
```json
{
  "items": [
    {
      "id": "audit_abc123",
      "name": "SOC 2 Type II 2025",
      "framework": "SOC 2",
      "auditor": "Big Four LLP",
      "status": "in_progress",
      "start_date": "2025-11-01",
      "end_date": "2025-12-31",
      "requests_total": 45,
      "requests_completed": 32,
      "progress": 71
    }
  ],
  "total": 3
}
```
Compliance Reports
Generate Report
```bash
POST /api/v1/reports
Content-Type: application/json
{
  "type": "compliance_summary",
  "framework": "soc2",
  "format": "pdf",
  "include_evidence": true,
  "date_range": {
    "from": "2025-01-01",
    "to": "2025-12-31"
  }
}
```
Response
```json
{
  "id": "report_xyz789",
  "status": "generating",
  "estimated_completion": "2025-12-21T15:05:00Z"
}
```
Get Report
```bash
GET /api/v1/reports/{report_id}
```
When the report is ready:
```json
{
  "id": "report_xyz789",
  "status": "completed",
  "download_url": "https://storage.cyberorigen.com/reports/...",
  "expires_at": "2025-12-22T15:00:00Z"
}
```
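As an added example (not the API's own client code), this runs the report flow documented above, submitting the request, polling until the status is "completed", and returning download_url only while expires_at is still in the future. It assumes injected `send(method, path, body)`, `now()` and `sleep(seconds)` callables so the flow runs offline, and treats any status other than the documented "generating" and "completed" as an error.

```python
# Added example, not part of the GRC API documentation. Submits a report and polls
# GET /api/v1/reports/{report_id}. Assumptions: `send`, `now` and `sleep` are injected;
# statuses other than "generating"/"completed" are treated as errors.
from datetime import datetime
from typing import Callable, List, Optional


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def fetch_report(send: Callable, request: dict, now: Callable[[], datetime],
                 sleep: Callable[[float], None], max_polls: int = 20) -> Optional[str]:
    report_id = send("POST", "/api/v1/reports", request)["id"]
    for _ in range(max_polls):
        rep = send("GET", f"/api/v1/reports/{report_id}", None)
        if rep["status"] == "completed":
            if _ts(rep["expires_at"]) <= now():
                raise RuntimeError("download_url has expired; request a new report")
            return rep["download_url"]
        if rep["status"] != "generating":
            raise RuntimeError(f"unexpected report status: {rep['status']}")
        # Wait until the server's estimated_completion, with a floor so a stale
        # estimate in the past does not turn this into a busy loop.
        eta = rep.get("estimated_completion")
        sleep(max(5.0, (_ts(eta) - now()).total_seconds()) if eta else 30.0)
    return None  # give up for now; the caller can retry with the same report_id


# Constructed transport replaying the documented responses in order.
SAMPLE_RESPONSES = [
    {"id": "report_xyz789", "status": "generating", "estimated_completion": "2025-12-21T15:05:00Z"},
    {"id": "report_xyz789", "status": "generating", "estimated_completion": "2025-12-21T15:05:00Z"},
    {"id": "report_xyz789", "status": "completed", "expires_at": "2025-12-22T15:00:00Z",
     "download_url": "https://storage.cyberorigen.com/reports/..."},
]


def make_sample_send(responses: List[dict]) -> Callable:
    queue = list(responses)
    return lambda method, path, body: queue.pop(0)


FIXED_NOW = datetime.fromisoformat("2025-12-21T15:00:00+00:00")

if __name__ == "__main__":
    delays: List[float] = []
    url = fetch_report(make_sample_send(SAMPLE_RESPONSES), {"type": "compliance_summary", "framework": "soc2",
                       "format": "pdf"}, lambda: FIXED_NOW, delays.append)
    print(url, delays)
```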