Features • Screenshots • Quick Start • API • Contributing

The CORF Compliance Tool is an open-source, full-stack web application that helps security consultants, assessors, and compliance officers conduct structured assessments against the Central Bank of Kuwait's Cyber and Operational Resilience Framework (CORF), issued December 2025.

It replaces manual spreadsheets with a structured, database-backed tool featuring automated scoring, interactive dashboards, PDF/Excel reporting, and a full remediation tracker.

Built for the Kuwait Cybersecurity Community — by security consultants, for security consultants.

Real-time maturity and compliance metrics with radar charts and bar visualizations.

Domain/sub-domain accordion with maturity scoring, compliance sliders, evidence tracking, and auto-save.

Track findings with priority, status, ownership, due dates, overdue detection, and maturity uplift projections.

• Real-time maturity and compliance metrics across all 3 baselines
• Recharts radar + bar charts per baseline
• Overall CORF posture summary with tier estimate
• Remediation status overview with overdue alerts

• Full domain/sub-domain accordion UI for all 3 baselines (876 controls)
• Maturity scoring: 1-Initial → 2-Ad-hoc → 3-Baseline → 4-Advanced → 5-Innovative
• Compliance % slider per sub-domain
• Mark sub-domains as Not Applicable (N/A)
• Evidence reference + assessor notes per sub-domain
• Auto-save with debounce

• Complete SoA builder covering all 93 sub-domains
• Toggle applicable / not applicable per domain and sub-domain
• Justification fields for N/A exclusions (CBK requirement)
• Bulk save to database

• 11 CBK tiering dimensions fully implemented
• Real-time tier estimate (Tier 1 / 2 / 3)
• Scoring model based on CORF Framework Section 10
• Save profile to database for reporting

• Add, edit, and track remediation items per sub-domain
• Priority levels: Critical / High / Medium / Low
• Status: Open / In Progress / Completed / Accepted Risk
• Owner assignment + target date with overdue detection
• Maturity uplift tracking (current → target)
• Inline status updates

• PDF Report: Cover page, executive summary, domain table, remediation plan
• Excel Report: 5 worksheets — Dashboard, Assessment Results, SoA, Remediation Plan, Risk Profile
• Color-coded, CBK-ready format

• Node.js 18+
• npm or yarn

# Clone the repo
git clone https://github.com/SiteQ8/corf-compliance-tool.git
cd corf-compliance-tool

# Backend
cd backend
npm install
npm run dev        # Runs on http://localhost:3001

# Frontend (new terminal)
cd frontend
npm install
npm run dev        # Runs on http://localhost:5173

Open http://localhost:5173

docker-compose up --build

Opens on http://localhost:80

corf-compliance-tool/
├── backend/
│   ├── server.js              # Express entry point
│   ├── db/database.js         # SQLite schema & initialization
│   ├── routes/
│   │   ├── engagements.js     # Engagements + assessments CRUD
│   │   ├── data.js            # SoA, risk profile, remediation
│   │   └── reports.js         # PDF + Excel generation
│   └── data/corf-domains.js   # Full CORF domain structure (876 controls)
│
├── frontend/
│   ├── src/
│   │   ├── App.jsx             # Shell, routing, engagement management
│   │   ├── api/client.js       # Axios API client
│   │   ├── styles/global.css   # Dark navy/gold theme
│   │   └── components/
│   │       ├── Dashboard.jsx
│   │       ├── Assessment.jsx
│   │       ├── SoABuilder.jsx
│   │       ├── TierCalculator.jsx
│   │       └── RemediationTracker.jsx
│   └── vite.config.js
│
├── docker-compose.yml
├── docs/screenshots/           # Documentation screenshots
├── SECURITY.md                 # Security policy
├── CONTRIBUTING.md             # Contribution guidelines
├── CODE_OF_CONDUCT.md          # Code of conduct
├── CHANGELOG.md                # Version history
└── LICENSE                     # MIT License

• Full 876 individual control entries with descriptions
• Evidence file attachment support (PDF, images)
• Multi-user / role-based access (assessor vs reviewer vs approver)
• Gap auto-detection from low-scoring sub-domains
• CORWG report templates (official CBK format)
• Comparison view between assessment periods
• Sector-level benchmarking (anonymized)
• Arabic language (RTL) support
• SSO / LDAP authentication
• Audit trail logging

Contributions from the Kuwait Cybersecurity Community are welcome! Whether it's new features, bug fixes, CORF domain data improvements, or documentation.

See CONTRIBUTING.md for guidelines.

• 📝 Control Descriptions — Add full descriptions for all 876 controls
• 🌐 Arabic Support — RTL layout and Arabic translations
• 📎 Evidence Uploads — File attachment support per sub-domain
• 👥 Multi-User — Role-based access control
• 📊 Additional Charts — Trend lines, gap analysis, heatmaps
• 🧪 Testing — Unit tests, integration tests, E2E tests
• 📖 Documentation — Tutorials, video walkthroughs

Found a vulnerability? Please report it responsibly.

See SECURITY.md for our security policy and disclosure process. Do NOT open public issues for security vulnerabilities.

This is a community tool intended to support CORF preparation and self-assessment. It does not replace:

• Official CBK CORF assessments
• Independent third-party assessments (required annually per CORF Toolkit)
• CBK supervisory review and formal tier classification

Always refer to the official CBK CORF documentation for authoritative requirements.

Framework Reference: Cyber and Operational Resilience Framework for All Local Banks and Financial Institutions, Version 1.0, Central Bank of Kuwait, December 2025.

• CBK CORWG: CORWG@cbk.gov.kw
• Community: GitHub Issues · Discussions

MIT License — see LICENSE for details.

_{Built for the Kuwait Cybersecurity Community by @SiteQ8 — Ali AlEnezi 🇰🇼}