{"id":1968,"date":"2026-02-19T10:39:18","date_gmt":"2026-02-19T09:39:18","guid":{"rendered":"https:\/\/regulated-devsecops.com\/uncategorized\/gobernanza-de-proveedores-y-controles-ci-cd-version-estricta-para-auditores\/"},"modified":"2026-03-26T09:27:59","modified_gmt":"2026-03-26T08:27:59","slug":"supplier-governance-ci-cd-controls-strict-auditor-version","status":"publish","type":"post","link":"https:\/\/regulated-devsecops.com\/es\/regulatory-frameworks-es\/supplier-governance-ci-cd-controls-strict-auditor-version\/","title":{"rendered":"Supplier Governance and CI\/CD Controls \u2014 Strict Version for Auditors"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Section A \u2014 Governance and Inventory<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><th><strong>Evidence Reference<\/strong><\/th><\/tr><\/thead><tbody><tr><td>A complete inventory of CI\/CD-related suppliers exists<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Supplier criticality classification defined<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Business owner formally assigned<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Technical owner formally assigned<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Annual risk assessment performed<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Subprocessor list documented<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Section B \u2014 Contractual and Regulatory Controls<\/strong><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><th><strong>Evidence Reference<\/strong><\/th><\/tr><\/thead><tbody><tr><td>Security obligations included in the contract<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Incident notification SLA defined<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Audit rights clause present<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Data location transparency included<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Exit strategy clause contractually defined<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Section C \u2014 CI\/CD Technical Enforcement<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><th><strong>Evidence Reference<\/strong><\/th><\/tr><\/thead><tbody><tr><td>SSO enforced on CI\/CD administration accounts<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>MFA mandatory for privileged roles<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Role-based access with least privilege<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Protected branches enforced<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Mandatory production approvals configured<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Policy gates block critical findings<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Artifact signing enforced<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>SBOM generation automated<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Runner isolation implemented<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Section D \u2014 Evidence and Retention<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><th><strong>Evidence Reference<\/strong><\/th><\/tr><\/thead><tbody><tr><td>CI\/CD logs retained according to policy<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Approval records exportable<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Security scan results archived centrally<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Full traceability commit \u2192 artifact \u2192 production<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Evidence retention period documented<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Section E \u2014 Exit Strategy and DR Testing<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th><strong>Control<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>Yes<\/strong><\/th><th class=\"has-text-align-center\" data-align=\"center\"><strong>No<\/strong><\/th><th><strong>Evidence Reference<\/strong><\/th><\/tr><\/thead><tbody><tr><td>A documented exit plan exists<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Code export tested<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Pipeline configuration export tested<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>Artifact export tested<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><tr><td>DR \/ migration exercise performed<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td class=\"has-text-align-center\" data-align=\"center\">\u2610<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Auditor Decision Block<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Overall risk rating: ___<\/li>\n\n\n\n<li>Critical findings: 
___<\/li>\n\n\n\n<li>Remediation required before: ___<\/li>\n\n\n\n<li>Follow-up audit date: ___<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Formal audit checklist for supplier governance and CI\/CD controls in regulated environments. Covers inventory, risk classification, contracts, technical enforcement, evidence retention and exit-strategy testing \u2014 designed for direct use by auditors.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[135,131],"tags":[],"post_folder":[],"class_list":["post-1968","post","type-post","status-publish","format-standard","hentry","category-regulatory-frameworks-es","category-audit-evidence-es"],"_links":{"self":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/posts\/1968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/comments?post=1968"}],"version-history":[{"count":0,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/posts\/1968\/revisions"}],"wp:attachment":[{"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/media?parent=1968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/categories?post=1968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/regulated-devsecops.com\/es\/wp-json\/wp\/v2\/tags?post=1968"},{"taxonomy":"post_folder","embeddable":true,"href":"https:\/\/regulat
ed-devsecops.com\/es\/wp-json\/wp\/v2\/post_folder?post=1968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}