Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity

docs(knowledge): TP-ISO27001->CRA gold standard + reference scenario (RS-005 regression)

Browse Source 
(1) Harden the first Transition Pattern to the gold-standard template per quality checklist:
versioned transition_goal (ISO27001:2022 -> CRA, applies 2027-12-11), source_state_variants
(certified/isms_introduced/expired/limited_scope), each likely_covered assumption with a typed
relationship (supports|partially_supports, never equivalent) + verification + rationale (the Warum)
+ an auditor-checkable reviewable_claim, delta as missing-capability + needed-info, an explicit
rejected_assumptions section, and a determinism_goal. README schema updated to match.

(2) New Reference-Suite scenario 4 (Transition): the generator READS the pattern YAML and runs it
through the RS-005 Planning Engine + Company 2A -> coverage + question requests. Proves the
architecture fully carries the pattern (17 caps -> 17 coverage + 17 requests; 9 HIGH delta = the
real CRA gaps, 8 probably-covered from the ISMS). Now a living regression test: every future pattern
runs through the same engine.

Non-runtime knowledge + reference harness -> no deploy (ADR-001). Next: ISMS->TISAX once approved.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-06-27 08:11:42 +02:00
parent cb18eac7ec
commit 4bfd552da7
4 changed files with 244 additions and 121 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend-compliance/knowledge/transition_patterns/README.md
+14 -4
View File
@@ -20,11 +20,21 @@ not designed up front (the same identity-machine discipline as Master Controls/O
## File schema (per `transition_pattern_<from>_to_<to>_v<n>.yaml`)
`id` · `from_state` · `to_state` · `version` · `status` (draft → reviewed → approved) ·
`id` · `status` (draft → reviewed → approved) · `version` ·
`transition_goal` ({from: standard/edition/nature, to: regulation/reference/applies_from/nature, one_line}) ·
`provenance` (author/basis/reviewed_by/reviewed_at) · `disclaimer` ·
`likely_covered_org_level[]` ({capability, source_basis, target_relevance, reuse_caveat,
confirm_question_intent, priority}) · `delta_requirements[]` ({capability, target_basis, why_delta,
question_intent, expected_evidence, priority}) · `ask_order_rationale` · `review_required[]`.
`source_state_variants` (certified / isms_introduced / expired / limited_scope — how the start changes assumption strength) ·
`likely_covered[]` ({capability, source_basis, target, **relationship** (supports|partially_supports, never equivalent),
**verification** (required), expected_evidence, **rationale** (the *Warum* — why this relationship), **reviewable_claim**
(an auditor can agree/disagree)}) ·
`delta_requirements[]` ({capability, target_basis, **missing_because**, needed_information (intent),
expected_evidence, priority, **reviewable_claim**}) ·
`rejected_assumptions[]` (explicit "does NOT establish …") · `determinism_goal` · `review_checklist[]`.
**Gold-standard bar:** every line is auditor-checkable (agree/disagree, not "probably"); each assumption
carries a typed `relationship` + a `rationale`; each delta maps to a missing capability + needed info;
explicit `rejected_assumptions` keep the source certificate from being over-read; two auditors should
arrive at the same delta questions (`determinism_goal`).
## Hard rules