Donde esto se encuentra con lo que ya usa
En correspondencia con los marcos que sus auditores ya conocen.
Esto no es un reemplazo de ISO, NIST o el Reglamento Europeo de IA. Los complementa — añadiendo las especificidades del desarrollo de software agentic que no cubren y mapeando de vuelta a los controles y cláusulas que sí cubren.
Una fila por marco
La tabla siguiente nombra dónde cada marco externo toca el modelo. Es una ayuda de navegación; la trazabilidad por item vive en la referencia canónica.
| Marco | Referencia | Dimensiones de HiveCraft | Notas |
|---|---|---|---|
| ISO 27001:2022 | A.5 / A.6 / A.8 |
| Annex A controls for security policy, organisation, and asset management map across HCSM operational and risk groups. |
| NIST CSF 2.0 | GOVERN / IDENTIFY / DETECT / RESPOND |
| GOVERN function aligns with D11 disclosure and D9 jurisdiction; DETECT.CM aligns with D2 telemetry. |
| NIST AI RMF 1.0 | GOVERN / MAP / MEASURE / MANAGE |
| AI-specific risk-management functions map to retrieval-grounding (D6), compliance (D9), and disclosure (D11). |
| EU AI Act | Art. 9 / 15 / 16 / 26 / 50 |
| Risk-management system (Art. 9), accuracy/robustness (Art. 15), QMS (Art. 16), deployer obligations (Art. 26), transparency (Art. 50). |
| GDPR | Art. 6 / 7 / 13 / 14 / 30 / 32 |
| Lawful basis, consent versioning (Art. 7 mirrors HCSM consent_versions), records of processing, security of processing. |
| CMMI | CM / PR / VV / OT / OPP |
| Configuration Management, Process Quality, Verification and Validation, Organisational Training, Organisational Performance. |
| SPACE framework | Satisfaction / Performance / Activity / Communication / Efficiency |
| Developer-productivity framing complements HCSM telemetry and outcome groups. |
| MLOps maturity | MS / Google / AWS levels |
| Industry MLOps level-2 capabilities are necessary (not sufficient) for HCSM Group A at L4. |
| ISO 42001 | AI Management System |
| AI-specific management-system standard; HCSM Group C carries ISO 42001 obligations for REG-typed practices. |
| ISO/IEC 25010 | Quality model |
| Functional suitability, reliability, security characteristics inform retrieval/grounding evaluation. |
| ISO 9001 | Clauses 7.1.6 / 7.2 / 8.6 |
| Organisational knowledge, competence, release of products and services map to KB curation and acceptance. |
| ISO 31000 | Risk management |
| Generic risk-management process underpins HCSM risk-register expectations. |
| SOC 2 | Trust Services Criteria (CC) |
| Security and availability TSCs map to HCSM hardening and stakeholder-outcome groups. |
| PCI DSS | Latest standard |
| Payment-card environments contribute Class-S statutory blockers when in scope. |
| CIS Benchmarks | OS / Cloud / Container |
| Benchmark-derived hardening drift contributes to D8 evidence. |
| COBIT 2019 | BAI08 / EDM |
| Knowledge management governance objective complements HCSM KB curation discipline. |
| ISO/IEC 17021-1 | Conformity-assessment / certification bodies |
| Aggregator / publisher obligations under §15-A6 inherit ISO/IEC 17021-1 precedent for comparative claims. |
| Microsoft RAI MM | Responsible AI Maturity Model |
| Vendor-published RAI MM level mappings indicate D9/D11 coverage but do not substitute for HCSM evidence. |
¿Por qué estos marcos?
Cada uno ya lleva expectativas de evidencia auditables relevantes para la práctica de desarrollo de software agentic. Cuando un marco se solapa parcialmente, este modelo no duplica — referencia y añade los items específicos de agentic que faltan en el estándar fuente.
- ISO 27001:2022 + ISO 27701 — security and privacy management systems.
- NIST CSF 2.0 + SP 800-53 + SSDF — cybersecurity and secure-development functions.
- NIST AI RMF 1.0 + ISO 42001 — AI-specific risk management and management-system requirements.
- EU AI Act + GDPR + EU Data Act — EU regulatory regimes for AI, personal data, and data-sharing.
- CMMI + ISO 9001 + ISO/IEC 25010 — process maturity and software-quality models.
- SPACE + MLOps maturity — developer productivity and ML-operations practice baselines.
¿Necesita ayuda para mapear esto a sus controles existentes?
La página "Acerca de" indica cómo contactarnos; la página de contacto es la ruta más simple.