metadata:
  version: "1.0.0"
  lastUpdated: "2026-02-04"
  totalControls: 60

categories:
  ACCESS_CONTROL:
    name:
      de: "Zutrittskontrolle"
      en: "Physical Access Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ADMISSION_CONTROL:
    name:
      de: "Zugangskontrolle"
      en: "System Access Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ACCESS_AUTHORIZATION:
    name:
      de: "Zugriffskontrolle"
      en: "Access Authorization"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  TRANSFER_CONTROL:
    name:
      de: "Weitergabekontrolle"
      en: "Transfer Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  INPUT_CONTROL:
    name:
      de: "Eingabekontrolle"
      en: "Input Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ORDER_CONTROL:
    name:
      de: "Auftragskontrolle"
      en: "Order Control"
    gdprReference: "Art. 28"
  AVAILABILITY:
    name:
      de: "Verfügbarkeit"
      en: "Availability"
    gdprReference: "Art. 32 Abs. 1 lit. b, c"
  SEPARATION:
    name:
      de: "Trennbarkeit"
      en: "Separation"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ENCRYPTION:
    name:
      de: "Verschlüsselung"
      en: "Encryption"
    gdprReference: "Art. 32 Abs. 1 lit. a"
  PSEUDONYMIZATION:
    name:
      de: "Pseudonymisierung"
      en: "Pseudonymization"
    gdprReference: "Art. 32 Abs. 1 lit. a"
  RESILIENCE:
    name:
      de: "Belastbarkeit"
      en: "Resilience"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  RECOVERY:
    name:
      de: "Wiederherstellbarkeit"
      en: "Recovery"
    gdprReference: "Art. 32 Abs. 1 lit. c"
  REVIEW:
    name:
      de: "Überprüfung & Bewertung"
      en: "Review & Assessment"
    gdprReference: "Art. 32 Abs. 1 lit. d"

controls:
  # =============================================================================
  # ACCESS CONTROL (Zutrittskontrolle) - Physical Access
  # =============================================================================
  - id: "TOM-AC-01"
    code: "TOM-AC-01"
    category: ACCESS_CONTROL
    type: TECHNICAL
    name:
      de: "Elektronische Zutrittskontrolle"
      en: "Electronic Access Control"
    description:
      de: "Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen."
      en: "Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.7.2"
      - framework: BSI_IT_GRUNDSCHUTZ
        reference: "ORP.4"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: REQUIRED
        priority: 10
      - field: "architectureProfile.hostingModel"
        operator: EQUALS
        value: "PUBLIC_CLOUD"
        result: NOT_APPLICABLE
        priority: 20
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Zutrittskontrollkonzept"
      - "Protokolle des Zutrittskontrollsystems"
      - "Besucherregelungen"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["physical-security", "access"]

  - id: "TOM-AC-02"
    code: "TOM-AC-02"
    category: ACCESS_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Besuchermanagement"
      en: "Visitor Management"
    description:
      de: "Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen."
      en: "Regulations for receiving, accompanying and registering visitors in security-relevant areas."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.7.2"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: REQUIRED
        priority: 10
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Besucherrichtlinie"
      - "Besucherbuch/Protokolle"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: LOW
    tags: ["physical-security", "visitors"]

  - id: "TOM-AC-03"
    code: "TOM-AC-03"
    category: ACCESS_CONTROL
    type: TECHNICAL
    name:
      de: "Videoüberwachung"
      en: "Video Surveillance"
    description:
      de: "Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen."
      en: "Installation of video surveillance systems to control and document access to sensitive areas."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.7.4"
    applicabilityConditions:
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: RECOMMENDED
        priority: 15
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: RECOMMENDED
        priority: 20
    defaultApplicability: OPTIONAL
    evidenceRequirements:
      - "Videoüberwachungskonzept"
      - "Datenschutz-Folgenabschätzung für Videoüberwachung"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: MEDIUM
    tags: ["physical-security", "monitoring"]

  - id: "TOM-AC-04"
    code: "TOM-AC-04"
    category: ACCESS_CONTROL
    type: TECHNICAL
    name:
      de: "Alarmanlage"
      en: "Alarm System"
    description:
      de: "Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten."
      en: "Intrusion detection system to protect premises outside business hours."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: BSI_IT_GRUNDSCHUTZ
        reference: "INF.1"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: RECOMMENDED
        priority: 10
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Alarmkonzept"
      - "Wartungsprotokolle"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: MEDIUM
    tags: ["physical-security", "intrusion-detection"]

  - id: "TOM-AC-05"
    code: "TOM-AC-05"
    category: ACCESS_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Schlüsselmanagement"
      en: "Key Management"
    description:
      de: "Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit."
      en: "Documented management and distribution of physical keys with traceability."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.7.2"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: REQUIRED
        priority: 10
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Schlüsselausgabeprotokoll"
      - "Schlüsselverwaltungsrichtlinie"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: LOW
    tags: ["physical-security", "keys"]

  # =============================================================================
  # ADMISSION CONTROL (Zugangskontrolle) - System Access
  # =============================================================================
  - id: "TOM-ADM-01"
    code: "TOM-ADM-01"
    category: ADMISSION_CONTROL
    type: TECHNICAL
    name:
      de: "Multi-Faktor-Authentifizierung"
      en: "Multi-Factor Authentication"
    description:
      de: "Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten."
      en: "Implementation of two- or multi-factor authentication for system access to critical systems and data."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.4.2"
      - framework: BSI_IT_GRUNDSCHUTZ
        reference: "ORP.4"
    applicabilityConditions:
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 30
      - field: "dataProfile.processesMinors"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 25
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: REQUIRED
        priority: 20
      - field: "companyProfile.role"
        operator: EQUALS
        value: "PROCESSOR"
        result: REQUIRED
        priority: 15
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "MFA-Konfigurationsdokumentation"
      - "Nutzerstatistiken zur MFA-Nutzung"
    reviewFrequency: QUARTERLY
    priority: CRITICAL
    complexity: MEDIUM
    tags: ["authentication", "mfa", "identity"]

  - id: "TOM-ADM-02"
    code: "TOM-ADM-02"
    category: ADMISSION_CONTROL
    type: TECHNICAL
    name:
      de: "Passwortrichtlinien"
      en: "Password Policies"
    description:
      de: "Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie)."
      en: "Enforcement of technical password policies (minimum length, complexity, regular changes, history)."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.4.3"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Passwortrichtlinie"
      - "Technische Konfiguration"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["authentication", "passwords"]

  - id: "TOM-ADM-03"
    code: "TOM-ADM-03"
    category: ADMISSION_CONTROL
    type: TECHNICAL
    name:
      de: "Single Sign-On (SSO)"
      en: "Single Sign-On (SSO)"
    description:
      de: "Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit."
      en: "Centralized authentication via SSO to improve security and usability."
    mappings:
      - framework: ISO27001_ANNEX_A
        reference: "A.9.2.4"
    applicabilityConditions:
      - field: "companyProfile.size"
        operator: IN
        value: ["MEDIUM", "LARGE", "ENTERPRISE"]
        result: RECOMMENDED
        priority: 10
    defaultApplicability: OPTIONAL
    evidenceRequirements:
      - "SSO-Konfigurationsdokumentation"
      - "Integrierte Anwendungsliste"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: HIGH
    tags: ["authentication", "sso", "identity"]

  - id: "TOM-ADM-04"
    code: "TOM-ADM-04"
    category: ADMISSION_CONTROL
    type: TECHNICAL
    name:
      de: "Automatische Bildschirmsperre"
      en: "Automatic Screen Lock"
    description:
      de: "Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung."
      en: "Automatic locking of workstations after inactivity with required re-authentication."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.11.2.8"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "GPO/MDM-Konfiguration"
      - "Richtliniendokumentation"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["workstation", "security"]

  - id: "TOM-ADM-05"
    code: "TOM-ADM-05"
    category: ADMISSION_CONTROL
    type: TECHNICAL
    name:
      de: "Kontosperrung nach Fehlversuchen"
      en: "Account Lockout After Failed Attempts"
    description:
      de: "Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen."
      en: "Automatic temporary locking of user accounts after multiple failed login attempts."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.4.2"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Konfigurationsdokumentation"
      - "Protokollierung der Sperrereignisse"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["authentication", "brute-force-protection"]

  # =============================================================================
  # ACCESS AUTHORIZATION (Zugriffskontrolle)
  # =============================================================================
  - id: "TOM-AZ-01"
    code: "TOM-AZ-01"
    category: ACCESS_AUTHORIZATION
    type: TECHNICAL
    name:
      de: "Rollenbasierte Zugriffskontrolle (RBAC)"
      en: "Role-Based Access Control (RBAC)"
    description:
      de: "Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip."
      en: "Implementation of a role-based permission system to control data access according to the need-to-know principle."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.2.3"
      - framework: BSI_IT_GRUNDSCHUTZ
        reference: "ORP.4"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Berechtigungskonzept"
      - "Rollenmatrix"
      - "Berechtigungsaudits"
    reviewFrequency: SEMI_ANNUAL
    priority: CRITICAL
    complexity: MEDIUM
    tags: ["authorization", "rbac", "access"]

  - id: "TOM-AZ-02"
    code: "TOM-AZ-02"
    category: ACCESS_AUTHORIZATION
    type: ORGANIZATIONAL
    name:
      de: "Berechtigungsverwaltungsprozess"
      en: "Authorization Management Process"
    description:
      de: "Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen."
      en: "Documented process for requesting, approving and revoking access permissions."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.2.2"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Berechtigungsanträge"
      - "Genehmigungsprotokolle"
      - "Prozessdokumentation"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["authorization", "process"]

  - id: "TOM-AZ-03"
    code: "TOM-AZ-03"
    category: ACCESS_AUTHORIZATION
    type: TECHNICAL
    name:
      de: "Privileged Access Management (PAM)"
      en: "Privileged Access Management (PAM)"
    description:
      de: "Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows."
      en: "Special controls for privileged accounts (admins) with recording, time limits and approval workflows."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.2.3"
    applicabilityConditions:
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: REQUIRED
        priority: 20
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 25
      - field: "companyProfile.size"
        operator: IN
        value: ["LARGE", "ENTERPRISE"]
        result: RECOMMENDED
        priority: 10
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "PAM-Konfiguration"
      - "Sitzungsaufzeichnungen"
      - "Audit-Logs"
    reviewFrequency: QUARTERLY
    priority: CRITICAL
    complexity: HIGH
    tags: ["authorization", "pam", "privileged"]

  - id: "TOM-AZ-04"
    code: "TOM-AZ-04"
    category: ACCESS_AUTHORIZATION
    type: ORGANIZATIONAL
    name:
      de: "Regelmäßige Berechtigungsrezertifizierung"
      en: "Regular Authorization Recertification"
    description:
      de: "Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten."
      en: "Periodic review of all access permissions by respective supervisors."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. d"
      - framework: ISO27001_ANNEX_A
        reference: "A.9.2.5"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Rezertifizierungsprotokolle"
      - "Prozessdokumentation"
    reviewFrequency: SEMI_ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["authorization", "review"]

  - id: "TOM-AZ-05"
    code: "TOM-AZ-05"
    category: ACCESS_AUTHORIZATION
    type: TECHNICAL
    name:
      de: "Datenklassifizierung und Label"
      en: "Data Classification and Labeling"
    description:
      de: "Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen."
      en: "Technical implementation of data classification with corresponding access controls."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.8.2"
    applicabilityConditions:
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 25
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: RECOMMENDED
        priority: 15
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Klassifizierungsschema"
      - "Label-Konfiguration"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: HIGH
    tags: ["classification", "labeling"]

  # =============================================================================
  # TRANSFER CONTROL (Weitergabekontrolle)
  # =============================================================================
  - id: "TOM-TR-01"
    code: "TOM-TR-01"
    category: TRANSFER_CONTROL
    type: TECHNICAL
    name:
      de: "Transportverschlüsselung (TLS)"
      en: "Transport Encryption (TLS)"
    description:
      de: "Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher."
      en: "Encryption of all data transfers using TLS 1.2 or higher."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. a"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.2.1"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "TLS-Konfigurationsdokumentation"
      - "SSL/TLS-Scans"
    reviewFrequency: QUARTERLY
    priority: CRITICAL
    complexity: MEDIUM
    tags: ["encryption", "transport", "tls"]

  - id: "TOM-TR-02"
    code: "TOM-TR-02"
    category: TRANSFER_CONTROL
    type: TECHNICAL
    name:
      de: "VPN für Fernzugriff"
      en: "VPN for Remote Access"
    description:
      de: "Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke."
      en: "Use of VPN connections for secure remote access to corporate networks."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.2.1"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: REQUIRED
        priority: 15
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "VPN-Konfiguration"
      - "Nutzungsstatistiken"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["vpn", "remote-access"]

  - id: "TOM-TR-03"
    code: "TOM-TR-03"
    category: TRANSFER_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Richtlinie zur Datenübermittlung"
      en: "Data Transfer Policy"
    description:
      de: "Dokumentierte Richtlinie für die sichere Übermittlung personenbezogener Daten intern und extern."
      en: "Documented policy for secure transfer of personal data internally and externally."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.2.2"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Datenübermittlungsrichtlinie"
      - "Schulungsnachweise"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["policy", "transfer"]

  - id: "TOM-TR-04"
    code: "TOM-TR-04"
    category: TRANSFER_CONTROL
    type: TECHNICAL
    name:
      de: "E-Mail-Verschlüsselung"
      en: "Email Encryption"
    description:
      de: "Implementierung von E-Mail-Verschlüsselung (S/MIME, PGP) für vertrauliche Kommunikation."
      en: "Implementation of email encryption (S/MIME, PGP) for confidential communication."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. a"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.2.3"
    applicabilityConditions:
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 25
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: RECOMMENDED
        priority: 15
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "E-Mail-Verschlüsselungskonzept"
      - "Konfigurationsdokumentation"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: MEDIUM
    tags: ["encryption", "email"]

  - id: "TOM-TR-05"
    code: "TOM-TR-05"
    category: TRANSFER_CONTROL
    type: TECHNICAL
    name:
      de: "Data Loss Prevention (DLP)"
      en: "Data Loss Prevention (DLP)"
    description:
      de: "Technische Maßnahmen zur Verhinderung unbeabsichtigter oder unbefugter Datenabflüsse."
      en: "Technical measures to prevent unintentional or unauthorized data leakage."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.2.2"
    applicabilityConditions:
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: RECOMMENDED
        priority: 25
      - field: "riskProfile.protectionLevel"
        operator: EQUALS
        value: "VERY_HIGH"
        result: REQUIRED
        priority: 30
      - field: "companyProfile.size"
        operator: IN
        value: ["LARGE", "ENTERPRISE"]
        result: RECOMMENDED
        priority: 10
    defaultApplicability: OPTIONAL
    evidenceRequirements:
      - "DLP-Konfiguration"
      - "Vorfallsberichte"
    reviewFrequency: QUARTERLY
    priority: HIGH
    complexity: HIGH
    tags: ["dlp", "data-protection"]

  # =============================================================================
  # INPUT CONTROL (Eingabekontrolle)
  # =============================================================================
  - id: "TOM-IN-01"
    code: "TOM-IN-01"
    category: INPUT_CONTROL
    type: TECHNICAL
    name:
      de: "Audit-Logging"
      en: "Audit Logging"
    description:
      de: "Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation."
      en: "Comprehensive logging of all data processing activities with timestamp and user identification."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.12.4.1"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Logging-Konzept"
      - "Log-Konfiguration"
      - "Beispiel-Logs"
    reviewFrequency: ANNUAL
    priority: CRITICAL
    complexity: MEDIUM
    tags: ["logging", "audit"]

  - id: "TOM-IN-02"
    code: "TOM-IN-02"
    category: INPUT_CONTROL
    type: TECHNICAL
    name:
      de: "Änderungsprotokollierung (Change Log)"
      en: "Change Logging"
    description:
      de: "Automatische Protokollierung aller Änderungen an personenbezogenen Daten."
      en: "Automatic logging of all changes to personal data."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.12.4.1"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Change-Log-Konfiguration"
      - "Beispielprotokolle"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["logging", "change-tracking"]

  - id: "TOM-IN-03"
    code: "TOM-IN-03"
    category: INPUT_CONTROL
    type: TECHNICAL
    name:
      de: "Eingabevalidierung"
      en: "Input Validation"
    description:
      de: "Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen."
      en: "Technical validation of all inputs to prevent data manipulation and injection attacks."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.14.2.5"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Validierungsregeln"
      - "Code-Reviews"
    reviewFrequency: QUARTERLY
    priority: HIGH
    complexity: MEDIUM
    tags: ["security", "validation"]

  - id: "TOM-IN-04"
    code: "TOM-IN-04"
    category: INPUT_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Log-Aufbewahrung und -Auswertung"
      en: "Log Retention and Analysis"
    description:
      de: "Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien."
      en: "Defined retention periods for logs and regular analysis to detect anomalies."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.12.4.1"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Log-Aufbewahrungsrichtlinie"
      - "Analyseberichte"
    reviewFrequency: QUARTERLY
    priority: HIGH
    complexity: MEDIUM
    tags: ["logging", "analysis", "retention"]

  # =============================================================================
  # ORDER CONTROL (Auftragskontrolle)
  # =============================================================================
  - id: "TOM-OR-01"
    code: "TOM-OR-01"
    category: ORDER_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Auftragsverarbeitungsverträge (AVV)"
      en: "Data Processing Agreements (DPA)"
    description:
      de: "Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern."
      en: "Conclusion of data processing agreements according to Art. 28 GDPR with all processors."
    mappings:
      - framework: GDPR_ART28
        reference: "Art. 28 Abs. 3"
      - framework: ISO27001_ANNEX_A
        reference: "A.15.1.2"
    applicabilityConditions:
      - field: "architectureProfile.hasSubprocessors"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 30
      - field: "companyProfile.role"
        operator: EQUALS
        value: "CONTROLLER"
        result: REQUIRED
        priority: 25
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Unterschriebene AVVs"
      - "Auftragsverarbeiter-Verzeichnis"
    reviewFrequency: ANNUAL
    priority: CRITICAL
    complexity: LOW
    tags: ["contracts", "avv", "dpa"]

  - id: "TOM-OR-02"
    code: "TOM-OR-02"
    category: ORDER_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Auftragsverarbeiter-Prüfung"
      en: "Processor Auditing"
    description:
      de: "Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern."
      en: "Regular verification of technical and organizational measures at processors."
    mappings:
      - framework: GDPR_ART28
        reference: "Art. 28 Abs. 3 lit. h"
      - framework: ISO27001_ANNEX_A
        reference: "A.15.2.1"
    applicabilityConditions:
      - field: "architectureProfile.hasSubprocessors"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 25
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Audit-Berichte"
      - "Zertifikate der Auftragsverarbeiter"
      - "Prüfprotokolle"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["audit", "processor"]

  - id: "TOM-OR-03"
    code: "TOM-OR-03"
    category: ORDER_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Weisungsgebundenheit dokumentieren"
      en: "Document Instruction Compliance"
    description:
      de: "Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern."
      en: "Documentation of instruction compliance by processors and employees."
    mappings:
      - framework: GDPR_ART28
        reference: "Art. 28 Abs. 3 lit. a"
      - framework: GDPR_ART29
        reference: "Art. 29"
    applicabilityConditions:
      - field: "companyProfile.role"
        operator: EQUALS
        value: "PROCESSOR"
        result: REQUIRED
        priority: 30
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Weisungsdokumentation"
      - "Schulungsnachweise"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["processor", "instructions"]

  - id: "TOM-OR-04"
    code: "TOM-OR-04"
    category: ORDER_CONTROL
    type: ORGANIZATIONAL
    name:
      de: "Unterauftragsverarbeiter-Management"
      en: "Sub-processor Management"
    description:
      de: "Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern."
      en: "Documented procedure for approval and monitoring of sub-processors."
    mappings:
      - framework: GDPR_ART28
        reference: "Art. 28 Abs. 2, 4"
      - framework: ISO27001_ANNEX_A
        reference: "A.15.1.3"
    applicabilityConditions:
      - field: "architectureProfile.hasSubprocessors"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 30
      - field: "companyProfile.role"
        operator: EQUALS
        value: "PROCESSOR"
        result: REQUIRED
        priority: 25
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Unterauftragsverarbeiter-Liste"
      - "Genehmigungsprotokolle"
      - "AVVs mit Unterauftragsverarbeitern"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["sub-processor", "management"]

  # =============================================================================
  # AVAILABILITY (Verfügbarkeit)
  # =============================================================================
  - id: "TOM-AV-01"
    code: "TOM-AV-01"
    category: AVAILABILITY
    type: TECHNICAL
    name:
      de: "Backup-Strategie"
      en: "Backup Strategy"
    description:
      de: "Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung."
      en: "Implementation of a comprehensive backup strategy with regular backups and retention."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. c"
      - framework: ISO27001_ANNEX_A
        reference: "A.12.3.1"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Backup-Konzept"
      - "Backup-Protokolle"
      - "Restore-Tests"
    reviewFrequency: QUARTERLY
    priority: CRITICAL
    complexity: MEDIUM
    tags: ["backup", "recovery"]

  - id: "TOM-AV-02"
    code: "TOM-AV-02"
    category: AVAILABILITY
    type: TECHNICAL
    name:
      de: "Redundante Systeme"
      en: "Redundant Systems"
    description:
      de: "Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit."
      en: "Implementation of redundancy for critical systems to ensure availability."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.17.2.1"
    applicabilityConditions:
      - field: "riskProfile.ciaAssessment.availability"
        operator: GREATER_THAN
        value: 3
        result: REQUIRED
        priority: 20
      - field: "riskProfile.protectionLevel"
        operator: EQUALS
        value: "VERY_HIGH"
        result: REQUIRED
        priority: 25
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Redundanzkonzept"
      - "Architekturdokumentation"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: HIGH
    tags: ["redundancy", "availability"]

  - id: "TOM-AV-03"
    code: "TOM-AV-03"
    category: AVAILABILITY
    type: TECHNICAL
    name:
      de: "Unterbrechungsfreie Stromversorgung (USV)"
      en: "Uninterruptible Power Supply (UPS)"
    description:
      de: "Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen."
      en: "Use of UPS systems to protect critical systems from power failures."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.11.2.2"
      - framework: BSI_IT_GRUNDSCHUTZ
        reference: "INF.2"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: REQUIRED
        priority: 15
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "USV-Dokumentation"
      - "Wartungsprotokolle"
    reviewFrequency: ANNUAL
    priority: MEDIUM
    complexity: MEDIUM
    tags: ["power", "infrastructure"]

  - id: "TOM-AV-04"
    code: "TOM-AV-04"
    category: AVAILABILITY
    type: ORGANIZATIONAL
    name:
      de: "Notfallvorsorge (Business Continuity)"
      en: "Business Continuity Planning"
    description:
      de: "Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse."
      en: "Documented emergency preparedness to maintain critical business processes."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. c"
      - framework: ISO27001_ANNEX_A
        reference: "A.17.1.1"
    applicabilityConditions:
      - field: "riskProfile.ciaAssessment.availability"
        operator: GREATER_THAN
        value: 2
        result: REQUIRED
        priority: 15
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Business-Continuity-Plan"
      - "Notfallkontakte"
      - "Übungsprotokolle"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["bcp", "continuity"]

  - id: "TOM-AV-05"
    code: "TOM-AV-05"
    category: AVAILABILITY
    type: TECHNICAL
    name:
      de: "Monitoring und Alerting"
      en: "Monitoring and Alerting"
    description:
      de: "Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen."
      en: "Continuous monitoring of system availability with automatic notifications for outages."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.12.4.1"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Monitoring-Konfiguration"
      - "Alert-Regeln"
      - "Verfügbarkeitsberichte"
    reviewFrequency: QUARTERLY
    priority: HIGH
    complexity: MEDIUM
    tags: ["monitoring", "alerting"]

  # =============================================================================
  # SEPARATION (Trennbarkeit)
  # =============================================================================
  - id: "TOM-SE-01"
    code: "TOM-SE-01"
    category: SEPARATION
    type: TECHNICAL
    name:
      de: "Mandantentrennung"
      en: "Multi-Tenant Separation"
    description:
      de: "Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen."
      en: "Technical separation of data from different customers/tenants in multi-tenant systems."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.1.3"
    applicabilityConditions:
      - field: "architectureProfile.multiTenancy"
        operator: EQUALS
        value: "MULTI_TENANT"
        result: REQUIRED
        priority: 30
      - field: "companyProfile.role"
        operator: EQUALS
        value: "PROCESSOR"
        result: REQUIRED
        priority: 20
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Mandantentrennungskonzept"
      - "Architekturdokumentation"
      - "Penetrationstest-Ergebnisse"
    reviewFrequency: ANNUAL
    priority: CRITICAL
    complexity: HIGH
    tags: ["multi-tenant", "separation"]

  - id: "TOM-SE-02"
    code: "TOM-SE-02"
    category: SEPARATION
    type: TECHNICAL
    name:
      de: "Netzwerksegmentierung"
      en: "Network Segmentation"
    description:
      de: "Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche."
      en: "Network segmentation to separate different security zones and data processing areas."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.13.1.3"
    applicabilityConditions:
      - field: "architectureProfile.hostingModel"
        operator: IN
        value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
        result: REQUIRED
        priority: 15
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: REQUIRED
        priority: 20
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Netzwerkdiagramm"
      - "Firewall-Regeln"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["network", "segmentation"]

  - id: "TOM-SE-03"
    code: "TOM-SE-03"
    category: SEPARATION
    type: TECHNICAL
    name:
      de: "Umgebungstrennung (Dev/Test/Prod)"
      en: "Environment Separation (Dev/Test/Prod)"
    description:
      de: "Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen."
      en: "Strict separation of development, test and production environments."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
      - framework: ISO27001_ANNEX_A
        reference: "A.12.1.4"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Umgebungsdokumentation"
      - "Zugriffsrechte je Umgebung"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: MEDIUM
    tags: ["environments", "separation"]

  - id: "TOM-SE-04"
    code: "TOM-SE-04"
    category: SEPARATION
    type: ORGANIZATIONAL
    name:
      de: "Zweckbindung dokumentieren"
      en: "Document Purpose Limitation"
    description:
      de: "Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung."
      en: "Documentation and technical enforcement of purpose limitation in data processing."
    mappings:
      - framework: GDPR_ART5
        reference: "Art. 5 Abs. 1 lit. b"
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. b"
    applicabilityConditions: []
    defaultApplicability: REQUIRED
    evidenceRequirements:
      - "Verarbeitungsverzeichnis"
      - "Zweckdokumentation"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: LOW
    tags: ["purpose-limitation", "documentation"]

  # =============================================================================
  # ENCRYPTION (Verschlüsselung)
  # =============================================================================
  - id: "TOM-ENC-01"
    code: "TOM-ENC-01"
    category: ENCRYPTION
    type: TECHNICAL
    name:
      de: "Verschlüsselung ruhender Daten"
      en: "Encryption at Rest"
    description:
      de: "Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen."
      en: "Encryption of all stored personal data using modern encryption algorithms."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. a"
      - framework: ISO27001_ANNEX_A
        reference: "A.10.1.1"
    applicabilityConditions:
      - field: "dataProfile.hasSpecialCategories"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 30
      - field: "riskProfile.protectionLevel"
        operator: IN
        value: ["HIGH", "VERY_HIGH"]
        result: REQUIRED
        priority: 20
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Verschlüsselungskonzept"
      - "Konfigurationsdokumentation"
    reviewFrequency: ANNUAL
    priority: CRITICAL
    complexity: MEDIUM
    tags: ["encryption", "at-rest"]

  - id: "TOM-ENC-02"
    code: "TOM-ENC-02"
    category: ENCRYPTION
    type: TECHNICAL
    name:
      de: "Schlüsselmanagement"
      en: "Key Management"
    description:
      de: "Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel."
      en: "Secure process for generation, storage, rotation and destruction of cryptographic keys."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. a"
      - framework: ISO27001_ANNEX_A
        reference: "A.10.1.2"
    applicabilityConditions:
      - field: "architectureProfile.encryptionAtRest"
        operator: EQUALS
        value: true
        result: REQUIRED
        priority: 30
    defaultApplicability: RECOMMENDED
    evidenceRequirements:
      - "Schlüsselmanagement-Richtlinie"
      - "HSM/KMS-Dokumentation"
    reviewFrequency: ANNUAL
    priority: HIGH
    complexity: HIGH
    tags: ["encryption", "key-management"]

  - id: "TOM-ENC-03"
    code: "TOM-ENC-03"
    category: ENCRYPTION
    type: TECHNICAL
    name:
      de: "Datenbank-Verschlüsselung"
      en: "Database Encryption"
    description:
      de: "Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder."
      en: "Encryption of databases at database level or individual field level."
    mappings:
      - framework: GDPR_ART32
        reference: "Art. 32 Abs. 1 lit. 
a" - framework: ISO27001_ANNEX_A reference: "A.10.1.1" applicabilityConditions: - field: "dataProfile.hasSpecialCategories" operator: EQUALS value: true result: REQUIRED priority: 30 - field: "dataProfile.dataVolume" operator: IN value: ["HIGH", "VERY_HIGH"] result: RECOMMENDED priority: 15 defaultApplicability: RECOMMENDED evidenceRequirements: - "Datenbank-Verschlüsselungskonfiguration" - "Feldverschlüsselungsmatrix" reviewFrequency: ANNUAL priority: HIGH complexity: MEDIUM tags: ["encryption", "database"] # ============================================================================= # PSEUDONYMIZATION (Pseudonymisierung) # ============================================================================= - id: "TOM-PS-01" code: "TOM-PS-01" category: PSEUDONYMIZATION type: TECHNICAL name: de: "Pseudonymisierungsverfahren" en: "Pseudonymization Procedures" description: de: "Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten." en: "Implementation of pseudonymization procedures to reduce the personal reference of data." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. a" - framework: GDPR_ART25 reference: "Art. 25 Abs. 1" applicabilityConditions: - field: "dataProfile.hasSpecialCategories" operator: EQUALS value: true result: REQUIRED priority: 25 - field: "dataProfile.dataVolume" operator: IN value: ["HIGH", "VERY_HIGH"] result: RECOMMENDED priority: 15 defaultApplicability: RECOMMENDED evidenceRequirements: - "Pseudonymisierungskonzept" - "Mapping-Tabellen-Sicherheit" reviewFrequency: ANNUAL priority: HIGH complexity: HIGH tags: ["pseudonymization", "data-minimization"] - id: "TOM-PS-02" code: "TOM-PS-02" category: PSEUDONYMIZATION type: ORGANIZATIONAL name: de: "Datenanonmisierung für Analysen" en: "Data Anonymization for Analytics" description: de: "Verfahren zur Anonymisierung von Daten für Analyse- und Statistikzwecke." en: "Procedures for anonymizing data for analysis and statistical purposes." 
mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. a" - framework: GDPR_ART25 reference: "Art. 25 Abs. 1" applicabilityConditions: - field: "dataProfile.dataVolume" operator: IN value: ["HIGH", "VERY_HIGH"] result: RECOMMENDED priority: 15 defaultApplicability: OPTIONAL evidenceRequirements: - "Anonymisierungskonzept" - "Risikoanalyse zur Re-Identifizierung" reviewFrequency: ANNUAL priority: MEDIUM complexity: HIGH tags: ["anonymization", "analytics"] # ============================================================================= # RESILIENCE (Belastbarkeit) # ============================================================================= - id: "TOM-RE-01" code: "TOM-RE-01" category: RESILIENCE type: TECHNICAL name: de: "Load Balancing" en: "Load Balancing" description: de: "Implementierung von Lastverteilung zur Sicherstellung der Systemstabilität bei hoher Last." en: "Implementation of load balancing to ensure system stability under high load." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. b" - framework: ISO27001_ANNEX_A reference: "A.17.2.1" applicabilityConditions: - field: "riskProfile.ciaAssessment.availability" operator: GREATER_THAN value: 3 result: REQUIRED priority: 20 - field: "dataProfile.dataVolume" operator: IN value: ["HIGH", "VERY_HIGH"] result: RECOMMENDED priority: 15 defaultApplicability: OPTIONAL evidenceRequirements: - "Load-Balancer-Konfiguration" - "Kapazitätsplanung" reviewFrequency: QUARTERLY priority: MEDIUM complexity: MEDIUM tags: ["resilience", "load-balancing"] - id: "TOM-RE-02" code: "TOM-RE-02" category: RESILIENCE type: TECHNICAL name: de: "DDoS-Schutz" en: "DDoS Protection" description: de: "Maßnahmen zum Schutz vor Distributed Denial of Service Angriffen." en: "Measures to protect against Distributed Denial of Service attacks." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. 
b" - framework: ISO27001_ANNEX_A reference: "A.13.1.1" applicabilityConditions: - field: "architectureProfile.hostingModel" operator: IN value: ["PUBLIC_CLOUD", "HYBRID"] result: RECOMMENDED priority: 15 - field: "riskProfile.protectionLevel" operator: EQUALS value: "VERY_HIGH" result: REQUIRED priority: 25 defaultApplicability: RECOMMENDED evidenceRequirements: - "DDoS-Schutzkonzept" - "WAF-Konfiguration" reviewFrequency: QUARTERLY priority: HIGH complexity: MEDIUM tags: ["security", "ddos"] - id: "TOM-RE-03" code: "TOM-RE-03" category: RESILIENCE type: TECHNICAL name: de: "Auto-Scaling" en: "Auto-Scaling" description: de: "Automatische Skalierung von Ressourcen basierend auf der tatsächlichen Last." en: "Automatic scaling of resources based on actual load." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. b" - framework: ISO27001_ANNEX_A reference: "A.12.1.3" applicabilityConditions: - field: "architectureProfile.hostingModel" operator: IN value: ["PUBLIC_CLOUD", "HYBRID"] result: RECOMMENDED priority: 15 defaultApplicability: OPTIONAL evidenceRequirements: - "Auto-Scaling-Konfiguration" - "Kapazitätsmetriken" reviewFrequency: QUARTERLY priority: MEDIUM complexity: MEDIUM tags: ["cloud", "scaling"] # ============================================================================= # RECOVERY (Wiederherstellbarkeit) # ============================================================================= - id: "TOM-RC-01" code: "TOM-RC-01" category: RECOVERY type: TECHNICAL name: de: "Disaster Recovery Plan" en: "Disaster Recovery Plan" description: de: "Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall." en: "Documented and tested plan for restoring IT systems after a disaster." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. 
c" - framework: ISO27001_ANNEX_A reference: "A.17.1.2" applicabilityConditions: - field: "riskProfile.ciaAssessment.availability" operator: GREATER_THAN value: 2 result: REQUIRED priority: 20 defaultApplicability: REQUIRED evidenceRequirements: - "Disaster-Recovery-Plan" - "Test-Protokolle" - "RTO/RPO-Definitionen" reviewFrequency: ANNUAL priority: CRITICAL complexity: HIGH tags: ["disaster-recovery", "bcp"] - id: "TOM-RC-02" code: "TOM-RC-02" category: RECOVERY type: TECHNICAL name: de: "Geo-Redundanz" en: "Geo-Redundancy" description: de: "Geografisch verteilte Datenhaltung zur Sicherstellung der Verfügbarkeit bei regionalen Ausfällen." en: "Geographically distributed data storage to ensure availability during regional outages." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. c" - framework: ISO27001_ANNEX_A reference: "A.17.2.1" applicabilityConditions: - field: "riskProfile.protectionLevel" operator: EQUALS value: "VERY_HIGH" result: REQUIRED priority: 30 - field: "riskProfile.ciaAssessment.availability" operator: GREATER_THAN value: 4 result: REQUIRED priority: 25 defaultApplicability: OPTIONAL evidenceRequirements: - "Geo-Redundanz-Konzept" - "Standort-Dokumentation" reviewFrequency: ANNUAL priority: HIGH complexity: HIGH tags: ["geo-redundancy", "availability"] - id: "TOM-RC-03" code: "TOM-RC-03" category: RECOVERY type: ORGANIZATIONAL name: de: "Wiederherstellungstests" en: "Recovery Testing" description: de: "Regelmäßige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie." en: "Regular testing of recovery procedures to validate backup and DR strategy." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. 
d" - framework: ISO27001_ANNEX_A reference: "A.17.1.3" applicabilityConditions: [] defaultApplicability: REQUIRED evidenceRequirements: - "Test-Protokolle" - "Wiederherstellungszeiten" - "Maßnahmenplan bei Fehlern" reviewFrequency: SEMI_ANNUAL priority: HIGH complexity: MEDIUM tags: ["testing", "recovery"] # ============================================================================= # REVIEW (Überprüfung & Bewertung) # ============================================================================= - id: "TOM-RV-01" code: "TOM-RV-01" category: REVIEW type: ORGANIZATIONAL name: de: "Regelmäßige TOM-Überprüfung" en: "Regular TOM Review" description: de: "Periodische Überprüfung und Aktualisierung der technischen und organisatorischen Maßnahmen." en: "Periodic review and update of technical and organizational measures." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. d" - framework: ISO27001_ANNEX_A reference: "A.18.2.1" applicabilityConditions: [] defaultApplicability: REQUIRED evidenceRequirements: - "Überprüfungsprotokolle" - "Maßnahmenplan" reviewFrequency: ANNUAL priority: HIGH complexity: LOW tags: ["review", "compliance"] - id: "TOM-RV-02" code: "TOM-RV-02" category: REVIEW type: TECHNICAL name: de: "Penetrationstests" en: "Penetration Testing" description: de: "Regelmäßige Durchführung von Penetrationstests durch qualifizierte Prüfer." en: "Regular penetration testing by qualified testers." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. 
d" - framework: ISO27001_ANNEX_A reference: "A.18.2.3" applicabilityConditions: - field: "riskProfile.protectionLevel" operator: IN value: ["HIGH", "VERY_HIGH"] result: REQUIRED priority: 20 - field: "dataProfile.hasSpecialCategories" operator: EQUALS value: true result: REQUIRED priority: 25 defaultApplicability: RECOMMENDED evidenceRequirements: - "Penetrationstest-Berichte" - "Maßnahmenplan" reviewFrequency: ANNUAL priority: HIGH complexity: HIGH tags: ["security-testing", "pentest"] - id: "TOM-RV-03" code: "TOM-RV-03" category: REVIEW type: TECHNICAL name: de: "Schwachstellenscanning" en: "Vulnerability Scanning" description: de: "Regelmäßiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen." en: "Regular automated scanning for known vulnerabilities in systems and applications." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. d" - framework: ISO27001_ANNEX_A reference: "A.12.6.1" applicabilityConditions: [] defaultApplicability: REQUIRED evidenceRequirements: - "Scan-Berichte" - "Behebungsnachweis" reviewFrequency: MONTHLY priority: HIGH complexity: MEDIUM tags: ["security-testing", "vulnerability"] - id: "TOM-RV-04" code: "TOM-RV-04" category: REVIEW type: ORGANIZATIONAL name: de: "Sicherheitsaudits" en: "Security Audits" description: de: "Durchführung regelmäßiger interner oder externer Sicherheitsaudits." en: "Conducting regular internal or external security audits." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. 
d" - framework: ISO27001_ANNEX_A reference: "A.18.2.1" applicabilityConditions: - field: "riskProfile.protectionLevel" operator: IN value: ["HIGH", "VERY_HIGH"] result: REQUIRED priority: 20 - field: "companyProfile.role" operator: EQUALS value: "PROCESSOR" result: REQUIRED priority: 15 defaultApplicability: RECOMMENDED evidenceRequirements: - "Audit-Berichte" - "Zertifikate" - "Maßnahmenplan" reviewFrequency: ANNUAL priority: HIGH complexity: MEDIUM tags: ["audit", "compliance"] - id: "TOM-RV-05" code: "TOM-RV-05" category: REVIEW type: ORGANIZATIONAL name: de: "Datenschutzschulung" en: "Data Protection Training" description: de: "Regelmäßige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit." en: "Regular training of all employees on data protection and IT security." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. b" - framework: ISO27001_ANNEX_A reference: "A.7.2.2" applicabilityConditions: [] defaultApplicability: REQUIRED evidenceRequirements: - "Schulungskonzept" - "Teilnehmerlisten" - "Schulungsnachweise" reviewFrequency: ANNUAL priority: HIGH complexity: LOW tags: ["training", "awareness"] - id: "TOM-RV-06" code: "TOM-RV-06" category: REVIEW type: ORGANIZATIONAL name: de: "Incident Response Plan" en: "Incident Response Plan" description: de: "Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfällen." en: "Documented procedure for detection, reporting and handling of security incidents." mappings: - framework: GDPR_ART33 reference: "Art. 33" - framework: GDPR_ART34 reference: "Art. 
34" - framework: ISO27001_ANNEX_A reference: "A.16.1.1" applicabilityConditions: [] defaultApplicability: REQUIRED evidenceRequirements: - "Incident-Response-Plan" - "Kontaktliste" - "Meldeformulare" - "Übungsprotokolle" reviewFrequency: ANNUAL priority: CRITICAL complexity: MEDIUM tags: ["incident-response", "breach"] - id: "TOM-RV-07" code: "TOM-RV-07" category: REVIEW type: TECHNICAL name: de: "Security Information and Event Management (SIEM)" en: "Security Information and Event Management (SIEM)" description: de: "Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen." en: "Centralized collection and analysis of security events to detect attacks." mappings: - framework: GDPR_ART32 reference: "Art. 32 Abs. 1 lit. b" - framework: ISO27001_ANNEX_A reference: "A.12.4.1" applicabilityConditions: - field: "riskProfile.protectionLevel" operator: EQUALS value: "VERY_HIGH" result: REQUIRED priority: 30 - field: "companyProfile.size" operator: IN value: ["LARGE", "ENTERPRISE"] result: RECOMMENDED priority: 15 defaultApplicability: OPTIONAL evidenceRequirements: - "SIEM-Konfiguration" - "Korrelationsregeln" - "Alert-Berichte" reviewFrequency: QUARTERLY priority: HIGH complexity: HIGH tags: ["siem", "monitoring", "detection"] - id: "TOM-RV-08" code: "TOM-RV-08" category: REVIEW type: ORGANIZATIONAL name: de: "Datenschutz-Folgenabschätzung (DSFA)" en: "Data Protection Impact Assessment (DPIA)" description: de: "Durchführung von Datenschutz-Folgenabschätzungen für risikoreiche Verarbeitungen." en: "Conducting data protection impact assessments for high-risk processing." mappings: - framework: GDPR_ART35 reference: "Art. 
35" - framework: ISO27001_ANNEX_A reference: "A.18.1.4" applicabilityConditions: - field: "riskProfile.dsfaRequired" operator: EQUALS value: true result: REQUIRED priority: 30 - field: "dataProfile.hasSpecialCategories" operator: EQUALS value: true result: REQUIRED priority: 25 - field: "dataProfile.processesMinors" operator: EQUALS value: true result: REQUIRED priority: 25 defaultApplicability: OPTIONAL evidenceRequirements: - "DSFA-Dokumentation" - "Risikobewertung" - "Maßnahmenplan" reviewFrequency: ANNUAL priority: CRITICAL complexity: HIGH tags: ["dpia", "dsfa", "risk-assessment"]