Benjamin_Boenisch/breakpilot-compliance
1
1
Fork 0
Code Issues 24 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
caa9b8b609c31a5a8650a9c7cd2290fb08041736
breakpilot-compliance/backend-compliance/knowledge/reference_transition_scenarios/RTS-001.yaml
T
Benjamin Admin f78e03bd0a docs(knowledge): Reference Transition Scenarios (RTS-001..003) + ISO9001->CRA pattern 
Three ANONYMIZED reference transition scenarios (no real company names stored) = canonical
regression scenarios that test the KNOWLEDGE, not just the engine. Each pins an Expected
Outcome (expected_likely_covered + expected_delta); every commit must reproduce it (identical
or better).

- RTS-001 automotive supplier (TISAX+ISO27001) -> CRA: mature ISMS, standard CRA delta.
- RTS-002 classic machine builder (ISO9001) -> CRA: only process discipline -> MUCH larger delta
  (10 missing vs 3 covered). New TP-ISO9001-CRA-v1 pattern (different shape).
- RTS-003 networked machine builder (ISMS) -> CRA: highlights the Data Act.

Data Act is modelled as UNCERTAIN (a hypothesis), never a fixed gilt/gilt-nicht: the generator
checks the engine SURFACES the uncertainty + the deciding question (generates_usage_data) and
never wrongly ASSERTS applicability. All three RTS PASS.

Non-runtime knowledge + reference harness -> no deploy (ADR-001). Names deliberately absent.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-27 08:46:20 +02:00

54 lines
2.2 KiB
YAML
Raw Blame History

# Reference Transition Scenario — canonical regression scenario (NOT a test fixture).
# ANONYMIZED ARCHETYPE ONLY — no real company names are stored in the system; illustrative.
# Each RTS pins an Expected Outcome so every commit must reproduce it (identical or better).
id: RTS-001
archetype: "Automotive supplier with a mature ISMS — embedded electronics + software, CE products, OEM supply chain"
note: "Anonymized typical starting situation; illustrative only."
reference_company:
sector: automotive_supply
known_certifications: [TISAX, ISO27001]
product_traits:
is_machine: false # component / embedded supplier
is_component: true
has_embedded_software: true
connected_to_internet: true
has_remote_access: true
generates_usage_data: null # UNKNOWN -> a deciding question, not an assertion
market: [EU]
transition_goal:
from: [TISAX, ISO27001]
to:
- target: CRA
pattern: TP-ISO27001-CRA-v1 # executed through RS-005 below
- target: MaschinenVO
pattern: null
note: pattern_pending # no MaschinenVO pattern yet
expected_outcome:
cra:
pattern: TP-ISO27001-CRA-v1
# The mature ISMS reduces effort here (most info-security capabilities probably covered).
expected_likely_covered_at_least:
- incident_management
- supplier_security
- secure_development_lifecycle
- asset_and_configuration_management
- security_logging_and_monitoring
- access_control_and_authentication
# ... but the CRA product-cyber delta remains.
expected_delta_at_least:
- sbom_creation
- coordinated_vulnerability_disclosure
- security_update_support_period
- secure_signed_update_distribution
- exploited_vuln_and_incident_reporting
- product_cyber_risk_assessment
- ce_conformity_assessment_and_technical_documentation
data_act:
expectation: uncertain # NEVER a fixed gilt/gilt-nicht
deciding_questions: [generates_usage_data, connected_product, data_act_scope]
rationale: "A connected component MAY fall under the Data Act; applicability depends on usage-data generation + scope. The engine must SURFACE this uncertainty and ask, not assert."
Reference in New Issue View Git Blame Copy Permalink