fix(mock-data): Fake-Daten bei leerer DB entfernt — ISMS 0%, Dashboard keine simulierten Trends, Compliance-Hub keine Fallback-Zahlen

- ISMS Overview: 14% → 0% bei leerer DB, "not_started" Status, alle Kapitel 0%
- Dashboard: 12-Monate simulierte Trend-Historie entfernt
- Compliance-Hub: Hardcoded Fallback-Statistiken (474/180/95/120/79/44/558/19) → 0
- SQLAlchemy Bug: `is not None` → `.isnot(None)` in SoA-Query
- Hardcoded chapter_7/8_status="pass" → berechnet aus Findings

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-compliance/compliance/api/isms_routes.py

@@ -1399,8 +1399,14 @@ async def run_readiness_check(
         chapter_4_status=get_chapter_status(chapter_4_majors, False),
         chapter_5_status=get_chapter_status(chapter_5_majors, False),
         chapter_6_status=get_chapter_status(chapter_6_majors, False),
-        chapter_7_status="pass",  # Support - typically ok
-        chapter_8_status="pass",  # Operation - checked via controls
+        chapter_7_status=get_chapter_status(
+            any("7." in (f.iso_reference or "") for f in potential_majors),
+            any("7." in (f.iso_reference or "") for f in potential_minors)
+        ),
+        chapter_8_status=get_chapter_status(
+            any("8." in (f.iso_reference or "") for f in potential_majors),
+            any("8." in (f.iso_reference or "") for f in potential_minors)
+        ),
         chapter_9_status=get_chapter_status(chapter_9_majors, False),
         chapter_10_status=get_chapter_status(chapter_10_majors, False),
         potential_majors=[f.model_dump() for f in potential_majors],
@@ -1517,7 +1523,7 @@ async def get_iso27001_overview(db: Session = Depends(get_db)):
 
     soa_total = db.query(StatementOfApplicabilityDB).count()
     soa_approved = db.query(StatementOfApplicabilityDB).filter(
-        StatementOfApplicabilityDB.approved_at is not None
+        StatementOfApplicabilityDB.approved_at.isnot(None)
     ).count()
     soa_all_approved = soa_total > 0 and soa_approved == soa_total
 
@@ -1555,32 +1561,58 @@ async def get_iso27001_overview(db: Session = Depends(get_db)):
         SecurityObjectiveDB.status == "achieved"
     ).count()
 
-    # Calculate readiness
-    readiness_factors = [
-        scope_approved,
-        soa_all_approved,
-        last_mgmt_review is not None and last_mgmt_review.review_date >= last_year,
-        last_internal_audit is not None and (last_internal_audit.actual_end_date or date.min) >= last_year,
-        open_majors == 0,
-        policies_total > 0 and policies_approved >= policies_total * 0.8,
-        objectives_total > 0
-    ]
-    certification_readiness = sum(readiness_factors) / len(readiness_factors) * 100
+    # Calculate readiness — empty DB must yield 0%
+    # Each factor requires positive evidence (not just absence of problems)
+    has_any_data = any([
+        scope_approved, soa_total > 0, policies_total > 0,
+        objectives_total > 0, last_mgmt_review is not None,
+        last_internal_audit is not None
+    ])
+
+    if not has_any_data:
+        certification_readiness = 0.0
+    else:
+        readiness_factors = [
+            scope_approved,
+            soa_all_approved,
+            last_mgmt_review is not None and last_mgmt_review.review_date >= last_year,
+            last_internal_audit is not None and (last_internal_audit.actual_end_date or date.min) >= last_year,
+            open_majors == 0 and (soa_total > 0 or policies_total > 0),  # Only counts if there's actual data
+            policies_total > 0 and policies_approved >= policies_total * 0.8,
+            objectives_total > 0
+        ]
+        certification_readiness = sum(readiness_factors) / len(readiness_factors) * 100
 
     # Overall status
-    if open_majors > 0:
+    if not has_any_data:
+        overall_status = "not_started"
+    elif open_majors > 0:
         overall_status = "not_ready"
     elif certification_readiness >= 80:
         overall_status = "ready"
     else:
         overall_status = "at_risk"
 
-    # Build chapter status list
+    # Build chapter status list — empty DB must show 0% / "not_started"
+    def _chapter_status(has_positive_evidence: bool, has_issues: bool) -> str:
+        if not has_positive_evidence:
+            return "not_started"
+        return "compliant" if not has_issues else "non_compliant"
+
+    # Chapter 9: count sub-components for percentage
+    ch9_parts = sum([last_mgmt_review is not None, last_internal_audit is not None])
+    ch9_pct = (ch9_parts / 2) * 100
+
+    # Chapter 10: only show 100% if there's actual CAPA activity, not just empty
+    capa_total = db.query(AuditFindingDB).count()
+    ch10_has_data = capa_total > 0
+    ch10_pct = 100.0 if (ch10_has_data and open_majors == 0) else (50.0 if ch10_has_data else 0.0)
+
     chapters = [
         ISO27001ChapterStatus(
             chapter="4",
             title="Kontext der Organisation",
-            status="compliant" if scope_approved else "non_compliant",
+            status=_chapter_status(scope_approved, False),
             completion_percentage=100.0 if scope_approved else 0.0,
             open_findings=0,
             key_documents=["ISMS Scope", "Context Analysis"] if scope_approved else [],
@@ -1589,37 +1621,40 @@ async def get_iso27001_overview(db: Session = Depends(get_db)):
         ISO27001ChapterStatus(
             chapter="5",
             title="Führung",
-            status="compliant" if policies_approved > 0 else "non_compliant",
-            completion_percentage=(policies_approved / max(policies_total, 1)) * 100,
+            status=_chapter_status(policies_total > 0, policies_approved < policies_total),
+            completion_percentage=(policies_approved / max(policies_total, 1)) * 100 if policies_total > 0 else 0.0,
             open_findings=0,
-            key_documents=[f"Policy {i+1}" for i in range(min(policies_approved, 3))],
+            key_documents=[f"Policy {i+1}" for i in range(min(policies_approved, 3))] if policies_approved > 0 else [],
             last_reviewed=None
         ),
         ISO27001ChapterStatus(
             chapter="6",
             title="Planung",
-            status="compliant" if objectives_total > 0 else "partial",
-            completion_percentage=75.0 if objectives_total > 0 else 25.0,
+            status=_chapter_status(objectives_total > 0, False),
+            completion_percentage=75.0 if objectives_total > 0 else 0.0,
             open_findings=0,
-            key_documents=["Risk Register", "Security Objectives"],
+            key_documents=["Risk Register", "Security Objectives"] if objectives_total > 0 else [],
             last_reviewed=None
         ),
         ISO27001ChapterStatus(
             chapter="9",
             title="Bewertung der Leistung",
-            status="compliant" if (last_mgmt_review and last_internal_audit) else "non_compliant",
-            completion_percentage=100.0 if (last_mgmt_review and last_internal_audit) else 50.0,
+            status=_chapter_status(ch9_parts > 0, open_majors + open_minors > 0),
+            completion_percentage=ch9_pct,
             open_findings=open_majors + open_minors,
-            key_documents=["Internal Audit Report", "Management Review Minutes"],
+            key_documents=(
+                (["Internal Audit Report"] if last_internal_audit else []) +
+                (["Management Review Minutes"] if last_mgmt_review else [])
+            ),
             last_reviewed=last_mgmt_review.approved_at if last_mgmt_review else None
         ),
         ISO27001ChapterStatus(
             chapter="10",
             title="Verbesserung",
-            status="compliant" if open_majors == 0 else "non_compliant",
-            completion_percentage=100.0 if open_majors == 0 else 50.0,
+            status=_chapter_status(ch10_has_data, open_majors > 0),
+            completion_percentage=ch10_pct,
             open_findings=open_majors,
-            key_documents=["CAPA Register"],
+            key_documents=["CAPA Register"] if ch10_has_data else [],
             last_reviewed=None
         )
     ]