
Project Roadmap

This roadmap translates the 10-week G.U.A.R.D. delivery plan into five dated milestones, each with defined sub-tasks and workload expectations.

Milestone Plan

| Phase | Activity and Sub-tasks | Dates | Workload |
|---|---|---|---|
| #1 Requirement Formalization | Investigation of Legal-to-Technical Mapping: literature review of NEN 7510 and ISO 27001; stakeholder interviews (ECC and DSTRCT); drafting the Traceability Matrix. | April 20 to May 1 | 65-75 hours |
| #2 IR Design and Schema | Development of the Source of Truth: designing the YAML-based IR schema; defining schema validation rules; conceptual prototyping of control points. | May 4 to May 15 | 70-80 hours |
| #3 Compliance Compiler | Logic Engine Development: building the IR parsing engine; developing translation logic for OPA/Rego; iterative unit testing of translation accuracy. | May 18 to June 5 | 110-130 hours |
| #4 Integration and Enforcement | Shift-Left Implementation: CI/CD pipeline configuration (GitHub Actions); implementation of the Compliance Gate; developer feedback loop setup. | June 8 to June 12 | 35-40 hours |
| #5 Evaluation and Synthesis | Validation and Final Documentation: conducting Chaos Compliance tests; performance and accuracy evaluation; finalizing thesis. | June 15 to June 26 | 75-85 hours |

Notes

  • Phase sequencing intentionally leaves weekday transition gaps for milestone closeout and planning handoff.
  • Detailed execution status is maintained through linked GitLab milestone work items.

Research-Question Mapping

The roadmap phases contribute to one parent research question through supporting sub-questions.

| Milestone | Primary Question Contribution | Deliverable Type |
|---|---|---|
| #1 Requirement Formalization | SQ0 Existing Work, SQ1 Meta-Model | Problem framing, baseline comparison, IR attribute requirements |
| #2 IR Design and Schema | SQ1 Meta-Model, SQ2 Compiler Mapping | IR schema structure and mapping design constraints |
| #3 Compliance Compiler | SQ2 Compiler Mapping | Prototype translation and validation evidence |
| #4 Integration and Enforcement | SQ2 Compiler Mapping, SQ3 Impact | Pipeline integration and feedback-loop evidence |
| #5 Evaluation and Synthesis | Main Question synthesis from SQ0-SQ3 | Final argumentation, limitations, and recommendations |

Key Dependency Risk

If a high-impact clause cannot be made reliably machine-checkable, automation coverage can drop.

Mitigation strategy:

  1. Escalate interpretation to compliance/audit owners.
  2. Introduce compensating controls (manual gate, approval step, sampled audit evidence).
  3. Tag clause as human-in-the-loop and revisit formalization in subsequent iterations.

This risk is most sensitive to outputs from milestone #1 and milestone #2.