generated from coulomb/repo-seed
Add challenge and exclusion review handling
@@ -8,8 +8,8 @@ Created: 2026-05-07
Compliance evidence packs cover frameworks where guide-board cannot rely on an
official executable harness. They help prepare and perform assessments by
organizing evidence requests, expected artifacts, reviewer workflow, waivers,
and run reports. They do not replace auditors, accredited certification bodies,
legal counsel, or official standard text.
challenges, authority exclusions, and run reports. They do not replace auditors,
accredited certification bodies, legal counsel, or official standard text.
Examples include GDPR, SOC 2, HIPAA, NF Z 42-013, NF 461, ISO 14641, ISO 15489,
and similar procedural or control-oriented frameworks.
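Review bot: the rewritten lines add "challenges" and "authority exclusions" to the scope sentence without saying what they are, so a reader of the overview paragraph has to go looking for the section that defines them. Suggest a short cross-reference in the new line, e.g. `challenges, authority exclusions (see Review Policy Records), and run reports.`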
@@ -83,7 +83,7 @@ Each request should include:
Requests should be phrased as collection guidance, not as legal conclusions.
## Waivers And Expected Gaps
## Review Policy Records
Evidence packs use the same expectation and waiver model as executable
extensions.
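Review bot: renaming `## Waivers And Expected Gaps` to `## Review Policy Records` changes the heading anchor, so any link to `#waivers-and-expected-gaps` elsewhere in the docs will break; grep for the old anchor before merging. The sentence that follows the new heading still says evidence packs use "the same expectation and waiver model", which no longer matches a section that also covers challenges and exclusions; suggest `Evidence packs use the same expectation, waiver, challenge, and exclusion model as executable extensions.`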
@@ -103,6 +103,16 @@ Use waivers for:
Every waiver should include owner, reason, approval status, and expiry.
Use challenges for disputed checks, disputed mappings, imported native result
questions, or evidence that needs a reviewer decision before it can be treated
as a defect. Use authority exclusions only when a program, standard, or
authorized reviewer excludes a requirement or check from the assessment scope.
Both records should cite stable requirement refs, check refs, evidence refs, or
authority source refs rather than reproducing restricted standard text.
Challenges and exclusions make review state visible; they do not by themselves
claim compliance or remove default gate-visible unexpected findings.
## Framework Notes
GDPR packs should emphasize processing inventory, lawful basis records, data
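Review bot: the waiver rule in the context line (`Every waiver should include owner, reason, approval status, and expiry.`) has no counterpart for the two new record types, so a challenge can stay open indefinitely and an authority exclusion can outlive the scope decision that justified it. Add a parallel requirement after the new paragraph, e.g. `Every challenge and exclusion should include owner, reason, decision status, and expiry.` Also, "Both records should cite stable requirement refs, check refs, evidence refs, or authority source refs" leaves the authority source optional for an exclusion; since an exclusion is only valid when "a program, standard, or authorized reviewer excludes" the item, the authority source ref should be mandatory for exclusions rather than one option among four.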
@@ -129,6 +139,7 @@ extensions:
- normalized evidence,
- findings,
- review annotations for expectations, waivers, challenges, and exclusions,
- mapping records,
- assessment packages,
- retention summaries,
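Review bot: the new list item names the record type "exclusions" while the prose added in the Review Policy Records section calls it "authority exclusions"; use one term so the annotation kind in a run report can be matched to the record name, e.g. `- review annotations for expectations, waivers, challenges, and authority exclusions,`. Since that section states the records "make review state visible" without claiming compliance, it is also worth saying here whether the annotation carries the reviewer's decision status or only a reference to the record.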