Finnaly managed to parse the YAML. Need to aadd the rest and then whip it into a database when we create a CAF for a company.

app/views/home/index.html.erb

@@ -39,7 +39,19 @@ Not Signed in.
                     <% sub_principles.each do |sub_principle| %>
                         <% sub_principle_info = sub_principle["sub-principle"] %>
                         <p><%= sub_principle_info["name"]%><br/><%= sub_principle_info["description"]%></p>
+                            <% sub_principle_item_groups = sub_principle_info["subprincipleitemgroups"] %>
+                            <% sub_principle_item_groups.each do |key,value| %>
+                                <% header =  key["subprincipleitemgroup"] %>
+                                <%= header["type"] %> - <%= header["condition"] %><br/>
+                                <% subprincipleitem = header["subprincipleitem"] %>
+                                <% subprincipleitem.each do |subprinciple| %>
+                                    <%= subprinciple %><br/>
+                                <% end %>
+                            <% end %>
 
+                            <%# sub_principle_item_group_info =  sub_principle_item_groups["subprincipleitemgroup"] %>                       <%# sub_prinicple_item_group_info.each do |sub_principle_item_group| %>
+                                <%#= sub_principle_item_group["type"] %> <%#= sub_principle_item_group["condition"] %>
+                            <%# end %>
                     <% end %>
                 <% end %>
             <% end %>

config/caf_text.yml

@@ -74,7 +74,7 @@ objectives:
                         name: A2.a Risk Management Process
                         description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of essential functions and communicating associated activities.
                         subprincipleitemgroups:
-                            - subprincipalitemgroup:
+                            - subprincipleitemgroup:
                                 type: Not
                                 condition: At least one
                                 subprincipleitem:
@@ -86,7 +86,7 @@ objectives:
                                     - Systems are assessed in isolation, without consideration of dependencies and interactions with other systems. (e.g. interactions between IT and OT environments).
                                     - Security requirements and mitigation's are arbitrary or are applied from a control catalogue without consideration of how they contribute to the security of the essential function.
                                     - Risks remain unresolved on a register for prolonged periods of time awaiting senior decision-making or resource allocation to resolve.
-                            - subprincipalitemgroup:
+                            - subprincipleitemgroup:
                                 type: Partially
                                 condition: All
                                 subprincipleitem:
@@ -116,7 +116,7 @@ objectives:
                             - subprincipleitemgroup:
                                 type: Not
                                 condition: At least one
-                                subprincipalitem:
+                                subprincipleitem:
                                 - A particular product or service is seen as a "silver bullet" and vendor claims are taken at face value.
                                 - Assurance methods are applied without appreciation of their strengths and limitations, such as the risks of penetration testing in operational environments.
                                 - Assurance is assumed because there have been no known problems to date.