Waar dit raakt aan wat je al gebruikt
Cross-walked aan de frameworks die je auditors al kennen.
Dit is geen vervanging van ISO, NIST of de EU AI Act. Het vult ze aan — door de specifieke aspecten van agentic-software-development toe te voegen die zij niet dekken en terug te koppelen aan de controls en clausules die zij wel dekken.
Eén rij per framework
De tabel hieronder noemt waar elk extern framework het model raakt. Het is een navigatiehulp; traceerbaarheid per item leeft in de canonieke referentie.
| Framework | Referentie | HiveCraft-dimensies | Opmerkingen |
|---|---|---|---|
| ISO 27001:2022 | A.5 / A.6 / A.8 |
| Annex A controls for security policy, organisation, and asset management map across HCSM operational and risk groups. |
| NIST CSF 2.0 | GOVERN / IDENTIFY / DETECT / RESPOND |
| GOVERN function aligns with D11 disclosure and D9 jurisdiction; DETECT.CM aligns with D2 telemetry. |
| NIST AI RMF 1.0 | GOVERN / MAP / MEASURE / MANAGE |
| AI-specific risk-management functions map to retrieval-grounding (D6), compliance (D9), and disclosure (D11). |
| EU AI Act | Art. 9 / 15 / 16 / 26 / 50 |
| Risk-management system (Art. 9), accuracy/robustness (Art. 15), QMS (Art. 16), deployer obligations (Art. 26), transparency (Art. 50). |
| GDPR | Art. 6 / 7 / 13 / 14 / 30 / 32 |
| Lawful basis, consent versioning (Art. 7 mirrors HCSM consent_versions), records of processing, security of processing. |
| CMMI | CM / PR / VV / OT / OPP |
| Configuration Management, Process Quality, Verification and Validation, Organisational Training, Organisational Performance. |
| SPACE framework | Satisfaction / Performance / Activity / Communication / Efficiency |
| Developer-productivity framing complements HCSM telemetry and outcome groups. |
| MLOps maturity | MS / Google / AWS levels |
| Industry MLOps level-2 capabilities are necessary (not sufficient) for HCSM Group A at L4. |
| ISO 42001 | AI Management System |
| AI-specific management-system standard; HCSM Group C carries ISO 42001 obligations for REG-typed practices. |
| ISO/IEC 25010 | Quality model |
| Functional suitability, reliability, security characteristics inform retrieval/grounding evaluation. |
| ISO 9001 | Clauses 7.1.6 / 7.2 / 8.6 |
| Organisational knowledge, competence, release of products and services map to KB curation and acceptance. |
| ISO 31000 | Risk management |
| Generic risk-management process underpins HCSM risk-register expectations. |
| SOC 2 | Trust Services Criteria (CC) |
| Security and availability TSCs map to HCSM hardening and stakeholder-outcome groups. |
| PCI DSS | Latest standard |
| Payment-card environments contribute Class-S statutory blockers when in scope. |
| CIS Benchmarks | OS / Cloud / Container |
| Benchmark-derived hardening drift contributes to D8 evidence. |
| COBIT 2019 | BAI08 / EDM |
| Knowledge management governance objective complements HCSM KB curation discipline. |
| ISO/IEC 17021-1 | Conformity-assessment / certification bodies |
| Aggregator / publisher obligations under §15-A6 inherit ISO/IEC 17021-1 precedent for comparative claims. |
| Microsoft RAI MM | Responsible AI Maturity Model |
| Vendor-published RAI MM level mappings indicate D9/D11 coverage but do not substitute for HCSM evidence. |
Waarom deze frameworks?
Elk dragen ze al auditeerbare bewijsverwachtingen die relevant zijn voor agentic-software-development-praktijk. Waar een framework gedeeltelijk overlapt, dupliceert dit model niet — het verwijst en voegt de agentic-specifieke items toe die ontbreken in de bronstandaard.
- ISO 27001:2022 + ISO 27701 — security and privacy management systems.
- NIST CSF 2.0 + SP 800-53 + SSDF — cybersecurity and secure-development functions.
- NIST AI RMF 1.0 + ISO 42001 — AI-specific risk management and management-system requirements.
- EU AI Act + GDPR + EU Data Act — EU regulatory regimes for AI, personal data, and data-sharing.
- CMMI + ISO 9001 + ISO/IEC 25010 — process maturity and software-quality models.
- SPACE + MLOps maturity — developer productivity and ML-operations practice baselines.
Hulp nodig om dit in je bestaande controls te mappen?
De over-pagina noemt hoe je ons kunt bereiken; de contactpagina is de simpelste route.