feat(isms): ISO 27001 Frontend, Proxy, Sidebar, Flow-Data, Architecture, MkDocs

ISMS-Modul mit 6 Tabs (Uebersicht, Policies, SoA, Ziele, Audits/Findings/CAPA, Management-Reviews) fuer alle 39 Backend-Endpoints. Readiness-Check identifiziert potenzielle Major/Minor-Findings vor externer Zertifizierung. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 14:53:31 +01:00
parent 1e84df9769
commit 9e65dff7d6
7 changed files with 1605 additions and 0 deletions
--- a/admin-compliance/app/api/sdk/v1/isms/[[...path]]/route.ts
+++ b/admin-compliance/app/api/sdk/v1/isms/[[...path]]/route.ts
@@ -0,0 +1,111 @@
+/**
+ * ISMS (ISO 27001) API Proxy - Catch-all route
+ * Proxies all /api/sdk/v1/isms/* requests to backend-compliance /api/isms/*
+ */
+
+import { NextRequest, NextResponse } from 'next/server'
+
+const BACKEND_URL = process.env.BACKEND_URL || 'http://backend-compliance:8002'
+
+async function proxyRequest(
+  request: NextRequest,
+  pathSegments: string[] | undefined,
+  method: string
+) {
+  const pathStr = pathSegments?.join('/') || ''
+  const searchParams = request.nextUrl.searchParams.toString()
+  const basePath = `${BACKEND_URL}/api/isms`
+  const url = pathStr
+    ? `${basePath}/${pathStr}${searchParams ? `?${searchParams}` : ''}`
+    : `${basePath}${searchParams ? `?${searchParams}` : ''}`
+
+  try {
+    const headers: HeadersInit = {
+      'Content-Type': 'application/json',
+    }
+
+    const headerNames = ['authorization', 'x-namespace-id', 'x-tenant-slug']
+    for (const name of headerNames) {
+      const value = request.headers.get(name)
+      if (value) {
+        headers[name] = value
+      }
+    }
+
+    const uuidRegex = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i
+    const clientUserId = request.headers.get('x-user-id')
+    const clientTenantId = request.headers.get('x-tenant-id')
+    headers['X-User-ID'] = (clientUserId && uuidRegex.test(clientUserId)) ? clientUserId : '00000000-0000-0000-0000-000000000001'
+    headers['X-Tenant-ID'] = (clientTenantId && uuidRegex.test(clientTenantId)) ? clientTenantId : (process.env.DEFAULT_TENANT_ID || '9282a473-5c95-4b3a-bf78-0ecc0ec71d3e')
+
+    const fetchOptions: RequestInit = {
+      method,
+      headers,
+      signal: AbortSignal.timeout(60000),
+    }
+
+    if (method === 'POST' || method === 'PUT' || method === 'PATCH') {
+      const body = await request.text()
+      if (body) {
+        fetchOptions.body = body
+      }
+    }
+
+    const response = await fetch(url, fetchOptions)
+
+    if (!response.ok) {
+      const errorText = await response.text()
+      let errorJson
+      try {
+        errorJson = JSON.parse(errorText)
+      } catch {
+        errorJson = { error: errorText }
+      }
+      return NextResponse.json(
+        { error: `Backend Error: ${response.status}`, ...errorJson },
+        { status: response.status }
+      )
+    }
+
+    const data = await response.json()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('ISMS API proxy error:', error)
+    return NextResponse.json(
+      { error: 'Verbindung zum Compliance Backend fehlgeschlagen' },
+      { status: 503 }
+    )
+  }
+}
+
+export async function GET(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'GET')
+}
+
+export async function POST(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'POST')
+}
+
+export async function PUT(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'PUT')
+}
+
+export async function DELETE(
+  request: NextRequest,
+  { params }: { params: Promise<{ path?: string[] }> }
+) {
+  const { path } = await params
+  return proxyRequest(request, path, 'DELETE')
+}
--- a/admin-compliance/app/sdk/architecture/architecture-data.ts
+++ b/admin-compliance/app/sdk/architecture/architecture-data.ts
@@ -160,6 +160,11 @@ export const ARCH_SERVICES: ArchService[] = [
      'security_backlog', 'quality_entries',
      'notfallplan_incidents', 'notfallplan_templates',
      'data_processing_agreement',
+      'compliance_isms_scope', 'compliance_isms_context', 'compliance_isms_policy',
+      'compliance_security_objectives', 'compliance_soa',
+      'compliance_audit_findings', 'compliance_corrective_actions',
+      'compliance_management_reviews', 'compliance_internal_audits',
+      'compliance_audit_trail', 'compliance_isms_readiness_checks',
    ],
    ragCollections: [],
    apiEndpoints: [
@@ -173,6 +178,16 @@ export const ARCH_SERVICES: ArchService[] = [
      'CRUD /api/compliance/vvt',
      'CRUD /api/compliance/loeschfristen',
      'CRUD /api/compliance/obligations',
+      'CRUD /api/isms/scope',
+      'CRUD /api/isms/policies',
+      'CRUD /api/isms/objectives',
+      'CRUD /api/isms/soa',
+      'CRUD /api/isms/findings',
+      'CRUD /api/isms/capa',
+      'CRUD /api/isms/management-reviews',
+      'CRUD /api/isms/internal-audits',
+      'GET /api/isms/overview',
+      'POST /api/isms/readiness-check',
      'CRUD /api/compliance/legal-documents',
      'CRUD /api/compliance/legal-templates',
    ],
--- a/admin-compliance/app/sdk/isms/page.tsx
+++ b/admin-compliance/app/sdk/isms/page.tsx
--- a/admin-compliance/app/sdk/sdk-flow/flow-data.ts
+++ b/admin-compliance/app/sdk/sdk-flow/flow-data.ts
@@ -864,6 +864,34 @@ export const SDK_FLOW_STEPS: SDKFlowStep[] = [
    url: '/sdk/quality',
    completion: 100,
  },
+  {
+    id: 'isms',
+    name: 'ISMS (ISO 27001)',
+    nameShort: 'ISMS',
+    package: 'betrieb',
+    seq: 5100,
+    checkpointId: 'CP-ISMS',
+    checkpointType: 'RECOMMENDED',
+    checkpointReviewer: 'DSB',
+    description: 'Informationssicherheits-Managementsystem: Scope, Policies, SoA, Audits, CAPA, Management-Reviews und Readiness-Check.',
+    descriptionLong: 'ISO 27001 Zertifizierungsvorbereitung. Verwaltet den ISMS-Scope (Kap. 4.3), Kontextanalyse (4.1/4.2), Sicherheitspolicies (5.2), Security Objectives mit SMART-KPIs (6.2), Statement of Applicability fuer alle 93 Annex-A-Controls, interne Audits (9.2), Management-Reviews (9.3), Audit-Findings mit CAPA-Workflow und einen automatischen Readiness-Check der potenzielle Major/Minor-Findings vor der externen Zertifizierung identifiziert.',
+    legalBasis: 'ISO/IEC 27001:2022, Art. 32 DSGVO (Sicherheit der Verarbeitung)',
+    inputs: ['risks', 'controls', 'requirements'],
+    outputs: ['ismsReadiness'],
+    prerequisiteSteps: ['quality'],
+    dbTables: [
+      'compliance_isms_scope', 'compliance_isms_context', 'compliance_isms_policy',
+      'compliance_security_objectives', 'compliance_soa',
+      'compliance_audit_findings', 'compliance_corrective_actions',
+      'compliance_management_reviews', 'compliance_internal_audits',
+      'compliance_audit_trail', 'compliance_isms_readiness_checks',
+    ],
+    dbMode: 'read/write',
+    ragCollections: [],
+    isOptional: true,
+    url: '/sdk/isms',
+    completion: 100,
+  },
 ]

 // =============================================================================
--- a/admin-compliance/components/sdk/Sidebar/SDKSidebar.tsx
+++ b/admin-compliance/components/sdk/Sidebar/SDKSidebar.tsx
@@ -678,6 +678,18 @@ export function SDKSidebar({ collapsed = false, onCollapsedChange }: SDKSidebarP
            isActive={pathname === '/sdk/roadmap'}
            collapsed={collapsed}
          />
+          <AdditionalModuleItem
+            href="/sdk/isms"
+            icon={
+              <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2}
+                  d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z" />
+              </svg>
+            }
+            label="ISMS (ISO 27001)"
+            isActive={pathname === '/sdk/isms'}
+            collapsed={collapsed}
+          />
          <AdditionalModuleItem
            href="/sdk/audit-llm"
            icon={
--- a/docs-src/services/sdk-modules/isms.md
+++ b/docs-src/services/sdk-modules/isms.md
@@ -0,0 +1,171 @@
+# ISMS — ISO 27001 Managementsystem
+
+## Uebersicht
+
+Das ISMS-Modul (Informationssicherheits-Managementsystem) unterstuetzt die vollstaendige
+ISO 27001:2022 Zertifizierungsvorbereitung. Es deckt alle relevanten Kapitel der Norm ab
+und bietet einen automatischen Readiness-Check, der potenzielle Major- und Minor-Findings
+**vor** der externen Zertifizierung identifiziert.
+
+**Frontend:** `https://macmini:3007/sdk/isms`
+
+**Backend:** `backend-compliance` (Python/FastAPI), Prefix `/api/isms/`
+
+## Abgedeckte ISO 27001 Kapitel
+
+| Kapitel | Titel | Funktionen |
+|---------|-------|------------|
+| 4.1/4.2 | Kontext der Organisation | Interne/externe Themen, Stakeholder-Analyse, SWOT |
+| 4.3 | Geltungsbereich | Scope-Definition, Standorte, Prozesse, Ausschlüsse |
+| 5.2 | Informationssicherheitspolitik | Policy-Verwaltung mit Versioning und Genehmigung |
+| 6.2 | Sicherheitsziele | SMART-Ziele mit KPI-Tracking und Fortschrittsmessung |
+| Annex A | Statement of Applicability (SoA) | 93 Controls, Applicability, Implementierungsstatus |
+| 9.2 | Internes Audit | Audit-Planung, Durchfuehrung, Abschluss |
+| 9.3 | Managementbewertung | Review-Protokolle, Action Items, Genehmigung |
+| 10.1 | Nichtkonformitaet & Korrekturmassnahmen | Findings (Major/Minor/OFI) und CAPA-Workflow |
+
+## API-Endpunkte (39 Endpoints)
+
+### ISMS Scope (Kap. 4.3)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/scope` | Aktuellen Scope abrufen |
+| `POST` | `/isms/scope` | Neuen Scope erstellen (ersetzt bestehenden) |
+| `PUT` | `/isms/scope/{id}` | Scope aktualisieren (nur im Draft-Status) |
+| `POST` | `/isms/scope/{id}/approve` | Scope genehmigen (Top-Management-Signatur) |
+
+### Kontext (Kap. 4.1, 4.2)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/context` | Kontextanalyse abrufen |
+| `POST` | `/isms/context` | Neue Kontextanalyse erstellen |
+
+### Policies (Kap. 5.2)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/policies` | Alle Policies auflisten (Filter: `policy_type`, `status`) |
+| `POST` | `/isms/policies` | Neue Policy erstellen |
+| `GET` | `/isms/policies/{id}` | Einzelne Policy abrufen |
+| `PUT` | `/isms/policies/{id}` | Policy aktualisieren (neue Version bei genehmigter Policy) |
+| `POST` | `/isms/policies/{id}/approve` | Policy genehmigen |
+
+### Sicherheitsziele (Kap. 6.2)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/objectives` | Alle Ziele auflisten (Filter: `category`, `status`) |
+| `POST` | `/isms/objectives` | Neues Ziel erstellen |
+| `PUT` | `/isms/objectives/{id}` | Ziel-Fortschritt aktualisieren |
+
+### Statement of Applicability (SoA)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/soa` | SoA-Eintraege auflisten (Filter: `is_applicable`, `implementation_status`, `category`) |
+| `POST` | `/isms/soa` | Neuen SoA-Eintrag erstellen |
+| `PUT` | `/isms/soa/{id}` | SoA-Eintrag aktualisieren |
+| `POST` | `/isms/soa/{id}/approve` | SoA-Eintrag genehmigen |
+
+### Audit Findings
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/findings` | Findings auflisten (Filter: `finding_type`, `status`, `internal_audit_id`) |
+| `POST` | `/isms/findings` | Neues Finding erstellen (auto-generierte ID: FIND-YYYY-NNN) |
+| `PUT` | `/isms/findings/{id}` | Finding aktualisieren |
+| `POST` | `/isms/findings/{id}/close` | Finding schliessen (alle CAPAs muessen verifiziert sein) |
+
+### Corrective Actions (CAPA)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/capa` | CAPAs auflisten (Filter: `finding_id`, `status`, `assigned_to`) |
+| `POST` | `/isms/capa` | Neue CAPA erstellen (auto-generierte ID: CAPA-YYYY-NNN) |
+| `PUT` | `/isms/capa/{id}` | CAPA-Fortschritt aktualisieren |
+| `POST` | `/isms/capa/{id}/verify` | CAPA-Wirksamkeit verifizieren |
+
+### Management Reviews (Kap. 9.3)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/management-reviews` | Reviews auflisten |
+| `POST` | `/isms/management-reviews` | Neue Review erstellen |
+| `GET` | `/isms/management-reviews/{id}` | Einzelne Review abrufen |
+| `PUT` | `/isms/management-reviews/{id}` | Review aktualisieren |
+| `POST` | `/isms/management-reviews/{id}/approve` | Review genehmigen |
+
+### Interne Audits (Kap. 9.2)
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/internal-audits` | Audits auflisten |
+| `POST` | `/isms/internal-audits` | Neues Audit planen |
+| `PUT` | `/isms/internal-audits/{id}` | Audit aktualisieren |
+| `POST` | `/isms/internal-audits/{id}/complete` | Audit abschliessen |
+
+### Readiness-Check
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `POST` | `/isms/readiness-check` | Readiness-Check durchfuehren |
+| `GET` | `/isms/readiness-check/latest` | Letztes Ergebnis abrufen |
+
+### Audit Trail & Uebersicht
+
+| Methode | Pfad | Beschreibung |
+|---------|------|--------------|
+| `GET` | `/isms/audit-trail` | Audit-Trail abfragen (paginiert) |
+| `GET` | `/isms/overview` | ISO 27001 Gesamtuebersicht |
+
+## Datenbank-Tabellen
+
+| Tabelle | Beschreibung |
+|---------|--------------|
+| `compliance_isms_scope` | ISMS-Geltungsbereich |
+| `compliance_isms_context` | Kontextanalyse (4.1/4.2) |
+| `compliance_isms_policy` | Sicherheitspolicies |
+| `compliance_security_objectives` | Sicherheitsziele mit KPIs |
+| `compliance_soa` | Statement of Applicability (93 Annex-A-Controls) |
+| `compliance_audit_findings` | Audit-Findings (Major/Minor/OFI/Positive) |
+| `compliance_corrective_actions` | CAPA (Corrective/Preventive Actions) |
+| `compliance_management_reviews` | Management-Reviews |
+| `compliance_internal_audits` | Interne Audits |
+| `compliance_audit_trail` | Audit-Trail (alle ISMS-Aenderungen) |
+| `compliance_isms_readiness_checks` | Readiness-Check-Ergebnisse |
+
+## Readiness-Check
+
+Der Readiness-Check prueft automatisch alle Zertifizierungsvoraussetzungen:
+
+- **Scope genehmigt?** (Kap. 4.3) → Major wenn nein
+- **Kontextanalyse vorhanden?** (Kap. 4.1/4.2) → Major wenn nein
+- **Master-Policy genehmigt?** (Kap. 5.2) → Major wenn nein
+- **Risiken mit Behandlungsplan?** (Kap. 6.1.2) → Major wenn Risiken ohne Plan
+- **Sicherheitsziele definiert?** (Kap. 6.2) → Major wenn keine
+- **SoA erstellt und genehmigt?** (Annex A) → Major/Minor
+- **Internes Audit in letzten 12 Monaten?** (Kap. 9.2) → Major wenn nein
+- **Management-Review in letzten 12 Monaten?** (Kap. 9.3) → Major wenn nein
+- **Offene Major-Findings?** (Kap. 10.1) → Major wenn ja
+- **Offene Minor-Findings?** (Kap. 10.1) → Minor wenn ja
+
+Das Ergebnis zeigt einen Readiness-Score (0-100%) und ob eine Zertifizierung moeglich ist.
+
+## Frontend-Tabs
+
+| Tab | Inhalt |
+|-----|--------|
+| **Uebersicht** | Readiness-Score, Kapitel-Status, Scope-Zusammenfassung, Readiness-Check |
+| **Policies** | Policy-Liste mit Filter, Versionierung, Genehmigungsworkflow |
+| **SoA (Annex A)** | 93 Controls-Tabelle, Applicability, Implementierungsstatus |
+| **Ziele** | Sicherheitsziele mit KPI-Fortschrittsbalken |
+| **Audits & Findings** | Interne Audits, Findings (Major/Minor/OFI), CAPA-Workflow |
+| **Management Reviews** | Review-Protokolle, Genehmigung, naechste Review-Planung |
+
+## Rechtliche Grundlagen
+
+- **ISO/IEC 27001:2022** — Informationssicherheits-Managementsysteme
+- **Art. 32 DSGVO** — Sicherheit der Verarbeitung
+- **Art. 5 Abs. 1f DSGVO** — Integritaet und Vertraulichkeit
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -91,6 +91,7 @@ nav:
      - Industry Compliance Ingestion: services/sdk-modules/industry-compliance-ingestion.md
      - IACE (CE-Risikobeurteilung): services/sdk-modules/iace.md
      - Obligations v2 (CP-OBL): services/sdk-modules/obligations.md
+      - ISMS (ISO 27001): services/sdk-modules/isms.md
      - Training Engine (CP-TRAIN): services/sdk-modules/training.md
      - SDK Workflow & Seq-Nummern: services/sdk-modules/sdk-workflow.md
      - Multi-Tenancy: services/sdk-modules/multi-tenancy.md