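// =============================================================================
// Control Library Loader
// Type definitions for the controls.yml shape (raw, unvalidated) and for the
// parsed ControlLibrary. The control data itself is embedded further below.
// =============================================================================
import {
  ControlLibraryEntry,
  ControlCategory,
  ControlApplicability,
  ConditionOperator,
  ReviewFrequency,
  ControlPriority,
  ControlComplexity,
  LocalizedString,
  FrameworkMapping,
  ApplicabilityCondition,
} from '../types'

// =============================================================================
// RAW YAML TYPES
//
// These mirror controls.yml *before* validation. Enum-like fields (category,
// operator, result, reviewFrequency, priority, complexity, framework) are plain
// strings here and must be narrowed to the typed unions imported above
// (ControlCategory, ConditionOperator, ControlApplicability, ReviewFrequency,
// ControlPriority, ControlComplexity, FrameworkMapping) when a Raw* value is
// turned into a ControlLibraryEntry. Until that check has run, a Raw* value is
// untrusted input, not library data.
// =============================================================================

/** One applicability rule exactly as written in YAML. */
interface RawApplicabilityCondition {
  /** Dotted path into the assessment profile, e.g. `architectureProfile.hostingModel`. */
  field: string
  /** Operator name as a raw string; the accepted names are the ConditionOperator values. */
  operator: string
  /**
   * Operand compared against `field`. Deliberately `unknown`: the embedded data
   * uses strings, booleans, numbers and string arrays depending on `operator`.
   */
  value: unknown
  /** Applicability assigned when the rule matches, as a raw string (see ControlApplicability). */
  result: string
  /**
   * Numeric precedence relative to the control's other rules.
   * NOTE(review): the tie-break/ordering rule is not defined in this file — confirm against the evaluator.
   */
  priority: number
}

/** A cross-reference from a control to an external framework clause. */
interface RawMapping {
  /** Framework identifier as a raw string (e.g. `GDPR_ART32`, `ISO27001_ANNEX_A`). */
  framework: string
  /** Clause or control reference inside that framework (e.g. `Art. 32 Abs. 1 lit. b`, `A.9.4.2`). */
  reference: string
}

/** One control as it appears in the YAML `controls` list. */
interface RawControl {
  /** Stable identifier of the control (e.g. `TOM-AC-01`). */
  id: string
  /** Human-facing code; in the embedded data this equals `id`. */
  code: string
  /** Raw category code; must map onto a ControlCategory. */
  category: string
  /** Whether the control is a technical or an organizational measure. */
  type: 'TECHNICAL' | 'ORGANIZATIONAL'
  /** Localized title (German and English). */
  name: { de: string; en: string }
  /** Localized description (German and English). */
  description: { de: string; en: string }
  /** Framework cross-references. */
  mappings: RawMapping[]
  /** Rules that override `defaultApplicability` for a given assessment profile. */
  applicabilityConditions: RawApplicabilityCondition[]
  /** Applicability used when no condition matches, as a raw string. */
  defaultApplicability: string
  /** Evidence an auditor expects to see for this control (free text). */
  evidenceRequirements: string[]
  /** Raw review cadence string (see ReviewFrequency). */
  reviewFrequency: string
  /** Raw priority string (see ControlPriority). */
  priority: string
  /** Raw implementation-complexity string (see ControlComplexity). */
  complexity: string
  /** Free-form search tags. */
  tags: string[]
}

/** Display information for a category in the YAML `categories` map. */
interface RawCategoryInfo {
  /** Localized category name. */
  name: { de: string; en: string }
  /** GDPR article the category is anchored to (e.g. `Art. 32 Abs. 1 lit. b`). */
  gdprReference: string
}

/** Top-level shape of controls.yml. */
interface RawControlsYaml {
  metadata: {
    /** Library version string. */
    version: string
    /** Date of the last content change. */
    lastUpdated: string
    /** Declared number of entries in `controls`; should be checked against `controls.length` when loading. */
    totalControls: number
  }
  /**
   * Category code -> category info. Keyed by the raw string code; narrow the
   * keys to ControlCategory when building the ControlLibrary map.
   * (Type arguments were missing here, which does not compile.)
   */
  categories: Record<string, RawCategoryInfo>
  controls: RawControl[]
}

// =============================================================================
// PARSED CONTROL LIBRARY
// =============================================================================

/**
 * Validated, typed form of the control library used by the rest of the app.
 * Unlike the Raw* shapes above, category keys and control fields are already
 * narrowed to the enum unions from `../types`.
 */
export interface ControlLibrary {
  metadata: {
    version: string
    lastUpdated: string
    totalControls: number
  }
  /** Category -> localized name and GDPR anchor. */
  categories: Map<
    ControlCategory,
    { name: LocalizedString; gdprReference: string }
  >
  controls: ControlLibraryEntry[]
}

// =============================================================================
// EMBEDDED CONTROL DATA
// Since we can't dynamically load YAML in all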
environments, we embed the data // ============================================================================= const CONTROL_LIBRARY_DATA: ControlLibrary = { metadata: { version: '1.0.0', lastUpdated: '2026-02-04', totalControls: 60, }, categories: new Map([ [ 'ACCESS_CONTROL', { name: { de: 'Zutrittskontrolle', en: 'Physical Access Control' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'ADMISSION_CONTROL', { name: { de: 'Zugangskontrolle', en: 'System Access Control' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'ACCESS_AUTHORIZATION', { name: { de: 'Zugriffskontrolle', en: 'Access Authorization' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'TRANSFER_CONTROL', { name: { de: 'Weitergabekontrolle', en: 'Transfer Control' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'INPUT_CONTROL', { name: { de: 'Eingabekontrolle', en: 'Input Control' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'ORDER_CONTROL', { name: { de: 'Auftragskontrolle', en: 'Order Control' }, gdprReference: 'Art. 28', }, ], [ 'AVAILABILITY', { name: { de: 'Verfügbarkeit', en: 'Availability' }, gdprReference: 'Art. 32 Abs. 1 lit. b, c', }, ], [ 'SEPARATION', { name: { de: 'Trennbarkeit', en: 'Separation' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'ENCRYPTION', { name: { de: 'Verschlüsselung', en: 'Encryption' }, gdprReference: 'Art. 32 Abs. 1 lit. a', }, ], [ 'PSEUDONYMIZATION', { name: { de: 'Pseudonymisierung', en: 'Pseudonymization' }, gdprReference: 'Art. 32 Abs. 1 lit. a', }, ], [ 'RESILIENCE', { name: { de: 'Belastbarkeit', en: 'Resilience' }, gdprReference: 'Art. 32 Abs. 1 lit. b', }, ], [ 'RECOVERY', { name: { de: 'Wiederherstellbarkeit', en: 'Recovery' }, gdprReference: 'Art. 32 Abs. 1 lit. c', }, ], [ 'REVIEW', { name: { de: 'Überprüfung & Bewertung', en: 'Review & Assessment' }, gdprReference: 'Art. 32 Abs. 1 lit. 
d', }, ], ]), controls: [ // ACCESS CONTROL { id: 'TOM-AC-01', code: 'TOM-AC-01', category: 'ACCESS_CONTROL', type: 'TECHNICAL', name: { de: 'Elektronische Zutrittskontrolle', en: 'Electronic Access Control', }, description: { de: 'Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen.', en: 'Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 10, }, { field: 'architectureProfile.hostingModel', operator: 'EQUALS', value: 'PUBLIC_CLOUD', result: 'NOT_APPLICABLE', priority: 20, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Zutrittskontrollkonzept', 'Protokolle des Zutrittskontrollsystems', 'Besucherregelungen', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['physical-security', 'access'], }, { id: 'TOM-AC-02', code: 'TOM-AC-02', category: 'ACCESS_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Besuchermanagement', en: 'Visitor Management' }, description: { de: 'Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen.', en: 'Regulations for receiving, accompanying and registering visitors in security-relevant areas.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 10, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Besucherrichtlinie', 'Besucherbuch/Protokolle'], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'LOW', tags: ['physical-security', 'visitors'], }, { id: 'TOM-AC-03', code: 'TOM-AC-03', category: 'ACCESS_CONTROL', type: 'TECHNICAL', name: { de: 'Videoüberwachung', en: 'Video Surveillance' }, description: { de: 'Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen.', en: 'Installation of video surveillance systems to control and document access to sensitive areas.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.7.4' }, ], applicabilityConditions: [ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 20, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: [ 'Videoüberwachungskonzept', 'Datenschutz-Folgenabschätzung für Videoüberwachung', ], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['physical-security', 'monitoring'], }, { id: 'TOM-AC-04', code: 'TOM-AC-04', category: 'ACCESS_CONTROL', type: 'TECHNICAL', name: { de: 'Alarmanlage', en: 'Alarm System' }, description: { de: 'Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten.', en: 'Intrusion detection system to protect premises outside business hours.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.1' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 10, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Alarmkonzept', 'Wartungsprotokolle'], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['physical-security', 'intrusion-detection'], }, { id: 'TOM-AC-05', code: 'TOM-AC-05', category: 'ACCESS_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Schlüsselmanagement', en: 'Key Management' }, description: { de: 'Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit.', en: 'Documented management and distribution of physical keys with traceability.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 10, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Schlüsselausgabeprotokoll', 'Schlüsselverwaltungsrichtlinie', ], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'LOW', tags: ['physical-security', 'keys'], }, // ADMISSION CONTROL { id: 'TOM-ADM-01', code: 'TOM-ADM-01', category: 'ADMISSION_CONTROL', type: 'TECHNICAL', name: { de: 'Multi-Faktor-Authentifizierung', en: 'Multi-Factor Authentication', }, description: { de: 'Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten.', en: 'Implementation of two- or multi-factor authentication for system access to critical systems and data.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' }, { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, { field: 'dataProfile.processesMinors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20, }, { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'MFA-Konfigurationsdokumentation', 'Nutzerstatistiken zur MFA-Nutzung', ], reviewFrequency: 'QUARTERLY', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['authentication', 'mfa', 'identity'], }, { id: 'TOM-ADM-02', code: 'TOM-ADM-02', category: 'ADMISSION_CONTROL', type: 'TECHNICAL', name: { de: 'Passwortrichtlinien', en: 'Password Policies' }, description: { de: 'Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie).', en: 'Enforcement of technical password policies (minimum length, complexity, regular changes, history).', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.3' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Passwortrichtlinie', 'Technische Konfiguration'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['authentication', 'passwords'], }, { id: 'TOM-ADM-03', code: 'TOM-ADM-03', category: 'ADMISSION_CONTROL', type: 'TECHNICAL', name: { de: 'Single Sign-On (SSO)', en: 'Single Sign-On (SSO)' }, description: { de: 'Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit.', en: 'Centralized authentication via SSO to improve security and usability.', }, mappings: [{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.4' }], applicabilityConditions: [ { field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: [ 'SSO-Konfigurationsdokumentation', 'Integrierte Anwendungsliste', ], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'HIGH', tags: ['authentication', 'sso', 'identity'], }, { id: 'TOM-ADM-04', code: 'TOM-ADM-04', category: 'ADMISSION_CONTROL', type: 'TECHNICAL', name: { de: 'Automatische Bildschirmsperre', en: 'Automatic Screen Lock' }, description: { de: 'Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung.', en: 'Automatic locking of workstations after inactivity with required re-authentication.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.8' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['GPO/MDM-Konfiguration', 'Richtliniendokumentation'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['workstation', 'security'], }, { id: 'TOM-ADM-05', code: 'TOM-ADM-05', category: 'ADMISSION_CONTROL', type: 'TECHNICAL', name: { de: 'Kontosperrung nach Fehlversuchen', en: 'Account Lockout After Failed Attempts', }, description: { de: 'Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen.', en: 'Automatic temporary locking of user accounts after multiple failed login attempts.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Konfigurationsdokumentation', 'Protokollierung der Sperrereignisse', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['authentication', 'brute-force-protection'], }, // ACCESS AUTHORIZATION { id: 'TOM-AZ-01', code: 'TOM-AZ-01', category: 'ACCESS_AUTHORIZATION', type: 'TECHNICAL', name: { de: 'Rollenbasierte Zugriffskontrolle (RBAC)', en: 'Role-Based Access Control (RBAC)', }, description: { de: 'Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip.', en: 'Implementation of a role-based permission system to control data access according to the need-to-know principle.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' }, { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Berechtigungskonzept', 'Rollenmatrix', 'Berechtigungsaudits', ], reviewFrequency: 'SEMI_ANNUAL', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['authorization', 'rbac', 'access'], }, { id: 'TOM-AZ-02', code: 'TOM-AZ-02', category: 'ACCESS_AUTHORIZATION', type: 'ORGANIZATIONAL', name: { de: 'Berechtigungsverwaltungsprozess', en: 'Authorization Management Process', }, description: { de: 'Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen.', en: 'Documented process for requesting, approving and revoking access permissions.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.2' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Berechtigungsanträge', 'Genehmigungsprotokolle', 'Prozessdokumentation', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['authorization', 'process'], }, { id: 'TOM-AZ-03', code: 'TOM-AZ-03', category: 'ACCESS_AUTHORIZATION', type: 'TECHNICAL', name: { de: 'Privileged Access Management (PAM)', en: 'Privileged Access Management (PAM)', }, description: { de: 'Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows.', en: 'Special controls for privileged accounts (admins) with recording, time limits and approval workflows.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' }, ], applicabilityConditions: [ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20, }, { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'PAM-Konfiguration', 'Sitzungsaufzeichnungen', 'Audit-Logs', ], reviewFrequency: 'QUARTERLY', priority: 'CRITICAL', complexity: 'HIGH', tags: ['authorization', 'pam', 'privileged'], }, { id: 'TOM-AZ-04', code: 'TOM-AZ-04', category: 'ACCESS_AUTHORIZATION', type: 'ORGANIZATIONAL', name: { de: 'Regelmäßige Berechtigungsrezertifizierung', en: 'Regular Authorization Recertification', }, description: { de: 'Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten.', en: 'Periodic review of all access permissions by respective supervisors.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Rezertifizierungsprotokolle', 'Prozessdokumentation', ], reviewFrequency: 'SEMI_ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['authorization', 'review'], }, { id: 'TOM-AZ-05', code: 'TOM-AZ-05', category: 'ACCESS_AUTHORIZATION', type: 'TECHNICAL', name: { de: 'Datenklassifizierung und Label', en: 'Data Classification and Labeling', }, description: { de: 'Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen.', en: 'Technical implementation of data classification with corresponding access controls.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.8.2' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Klassifizierungsschema', 'Label-Konfiguration'], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'HIGH', tags: ['classification', 'labeling'], }, // TRANSFER CONTROL { id: 'TOM-TR-01', code: 'TOM-TR-01', category: 'TRANSFER_CONTROL', type: 'TECHNICAL', name: { de: 'Transportverschlüsselung (TLS)', en: 'Transport Encryption (TLS)' }, description: { de: 'Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher.', en: 'Encryption of all data transfers using TLS 1.2 or higher.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['TLS-Konfigurationsdokumentation', 'SSL/TLS-Scans'], reviewFrequency: 'QUARTERLY', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['encryption', 'transport', 'tls'], }, { id: 'TOM-TR-02', code: 'TOM-TR-02', category: 'TRANSFER_CONTROL', type: 'TECHNICAL', name: { de: 'VPN für Fernzugriff', en: 'VPN for Remote Access' }, description: { de: 'Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke.', en: 'Use of VPN connections for secure remote access to corporate networks.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['VPN-Konfiguration', 'Nutzungsstatistiken'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['vpn', 'remote-access'], }, { id: 'TOM-TR-03', code: 'TOM-TR-03', category: 'TRANSFER_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Richtlinie zur Datenübermittlung', en: 'Data Transfer Policy' }, description: { de: 'Dokumentierte Richtlinie für die sichere Übermittlung personenbezogener Daten intern und extern.', en: 'Documented policy for secure transfer of personal data internally and externally.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Datenübermittlungsrichtlinie', 'Schulungsnachweise'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['policy', 'transfer'], }, { id: 'TOM-TR-04', code: 'TOM-TR-04', category: 'TRANSFER_CONTROL', type: 'TECHNICAL', name: { de: 'E-Mail-Verschlüsselung', en: 'Email Encryption' }, description: { de: 'Implementierung von E-Mail-Verschlüsselung (S/MIME, PGP) für vertrauliche Kommunikation.', en: 'Implementation of email encryption (S/MIME, PGP) for confidential communication.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'E-Mail-Verschlüsselungskonzept', 'Konfigurationsdokumentation', ], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['encryption', 'email'], }, { id: 'TOM-TR-05', code: 'TOM-TR-05', category: 'TRANSFER_CONTROL', type: 'TECHNICAL', name: { de: 'Data Loss Prevention (DLP)', en: 'Data Loss Prevention (DLP)' }, description: { de: 'Technische Maßnahmen zur Verhinderung unbeabsichtigter oder unbefugter Datenabflüsse.', en: 'Technical measures to prevent unintentional or unauthorized data leakage.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 25, }, { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 30, }, { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: ['DLP-Konfiguration', 'Vorfallsberichte'], reviewFrequency: 'QUARTERLY', priority: 'HIGH', complexity: 'HIGH', tags: ['dlp', 'data-protection'], }, // INPUT CONTROL { id: 'TOM-IN-01', code: 'TOM-IN-01', category: 'INPUT_CONTROL', type: 'TECHNICAL', name: { de: 'Audit-Logging', en: 'Audit Logging' }, description: { de: 'Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation.', en: 'Comprehensive logging of all data processing activities with 
timestamp and user identification.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Logging-Konzept', 'Log-Konfiguration', 'Beispiel-Logs'], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['logging', 'audit'], }, { id: 'TOM-IN-02', code: 'TOM-IN-02', category: 'INPUT_CONTROL', type: 'TECHNICAL', name: { de: 'Änderungsprotokollierung (Change Log)', en: 'Change Logging' }, description: { de: 'Automatische Protokollierung aller Änderungen an personenbezogenen Daten.', en: 'Automatic logging of all changes to personal data.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Change-Log-Konfiguration', 'Beispielprotokolle'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['logging', 'change-tracking'], }, { id: 'TOM-IN-03', code: 'TOM-IN-03', category: 'INPUT_CONTROL', type: 'TECHNICAL', name: { de: 'Eingabevalidierung', en: 'Input Validation' }, description: { de: 'Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen.', en: 'Technical validation of all inputs to prevent data manipulation and injection attacks.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Validierungsregeln', 'Code-Reviews'], reviewFrequency: 'QUARTERLY', priority: 'HIGH', complexity: 'MEDIUM', tags: ['security', 'validation'], }, { id: 'TOM-IN-04', code: 'TOM-IN-04', category: 'INPUT_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Log-Aufbewahrung und -Auswertung', en: 'Log Retention and Analysis', }, description: { de: 'Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien.', en: 'Defined retention periods for logs and regular analysis to detect anomalies.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Log-Aufbewahrungsrichtlinie', 'Analyseberichte'], reviewFrequency: 'QUARTERLY', priority: 'HIGH', complexity: 'MEDIUM', tags: ['logging', 'analysis', 'retention'], }, // ORDER CONTROL { id: 'TOM-OR-01', code: 'TOM-OR-01', category: 'ORDER_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Auftragsverarbeitungsverträge (AVV)', en: 'Data Processing Agreements (DPA)', }, description: { de: 'Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern.', en: 'Conclusion of data processing agreements according to Art. 28 GDPR with all processors.', }, mappings: [ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 
3' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' }, ], applicabilityConditions: [ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, { field: 'companyProfile.role', operator: 'EQUALS', value: 'CONTROLLER', result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Unterschriebene AVVs', 'Auftragsverarbeiter-Verzeichnis', ], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'LOW', tags: ['contracts', 'avv', 'dpa'], }, { id: 'TOM-OR-02', code: 'TOM-OR-02', category: 'ORDER_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Auftragsverarbeiter-Prüfung', en: 'Processor Auditing' }, description: { de: 'Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern.', en: 'Regular verification of technical and organizational measures at processors.', }, mappings: [ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. h' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' }, ], applicabilityConditions: [ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Audit-Berichte', 'Zertifikate der Auftragsverarbeiter', 'Prüfprotokolle', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['audit', 'processor'], }, { id: 'TOM-OR-03', code: 'TOM-OR-03', category: 'ORDER_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Weisungsgebundenheit dokumentieren', en: 'Document Instruction Compliance', }, description: { de: 'Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern.', en: 'Documentation of instruction compliance by processors and employees.', }, mappings: [ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. a' }, { framework: 'GDPR_ART29', reference: 'Art. 
29' }, ], applicabilityConditions: [ { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 30, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Weisungsdokumentation', 'Schulungsnachweise'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['processor', 'instructions'], }, { id: 'TOM-OR-04', code: 'TOM-OR-04', category: 'ORDER_CONTROL', type: 'ORGANIZATIONAL', name: { de: 'Unterauftragsverarbeiter-Management', en: 'Sub-processor Management', }, description: { de: 'Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern.', en: 'Documented procedure for approval and monitoring of sub-processors.', }, mappings: [ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 2, 4' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.3' }, ], applicabilityConditions: [ { field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Unterauftragsverarbeiter-Liste', 'Genehmigungsprotokolle', 'AVVs mit Unterauftragsverarbeitern', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['sub-processor', 'management'], }, // AVAILABILITY { id: 'TOM-AV-01', code: 'TOM-AV-01', category: 'AVAILABILITY', type: 'TECHNICAL', name: { de: 'Backup-Strategie', en: 'Backup Strategy' }, description: { de: 'Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung.', en: 'Implementation of a comprehensive backup strategy with regular backups and retention.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
c' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Backup-Konzept', 'Backup-Protokolle', 'Restore-Tests'], reviewFrequency: 'QUARTERLY', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['backup', 'recovery'], }, { id: 'TOM-AV-02', code: 'TOM-AV-02', category: 'AVAILABILITY', type: 'TECHNICAL', name: { de: 'Redundante Systeme', en: 'Redundant Systems' }, description: { de: 'Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit.', en: 'Implementation of redundancy for critical systems to ensure availability.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' }, ], applicabilityConditions: [ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20, }, { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Redundanzkonzept', 'Architekturdokumentation'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'HIGH', tags: ['redundancy', 'availability'], }, { id: 'TOM-AV-03', code: 'TOM-AV-03', category: 'AVAILABILITY', type: 'TECHNICAL', name: { de: 'Unterbrechungsfreie Stromversorgung (USV)', en: 'Uninterruptible Power Supply (UPS)', }, description: { de: 'Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen.', en: 'Use of UPS systems to protect critical systems from power failures.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.2' }, { framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.2' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['USV-Dokumentation', 'Wartungsprotokolle'], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['power', 'infrastructure'], }, { id: 'TOM-AV-04', code: 'TOM-AV-04', category: 'AVAILABILITY', type: 'ORGANIZATIONAL', name: { de: 'Notfallvorsorge (Business Continuity)', en: 'Business Continuity Planning', }, description: { de: 'Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse.', en: 'Documented emergency preparedness to maintain critical business processes.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.1' }, ], applicabilityConditions: [ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 2, result: 'REQUIRED', priority: 15, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Business-Continuity-Plan', 'Notfallkontakte', 'Übungsprotokolle', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['bcp', 'continuity'], }, { id: 'TOM-AV-05', code: 'TOM-AV-05', category: 'AVAILABILITY', type: 'TECHNICAL', name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' }, description: { de: 'Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen.', en: 'Continuous monitoring of system availability with automatic notifications for outages.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Monitoring-Konfiguration', 'Alert-Regeln', 'Verfügbarkeitsberichte', ], reviewFrequency: 'QUARTERLY', priority: 'HIGH', complexity: 'MEDIUM', tags: ['monitoring', 'alerting'], }, // SEPARATION { id: 'TOM-SE-01', code: 'TOM-SE-01', category: 'SEPARATION', type: 'TECHNICAL', name: { de: 'Mandantentrennung', en: 'Multi-Tenant Separation' }, description: { de: 'Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen.', en: 'Technical separation of data from different customers/tenants in multi-tenant systems.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, ], applicabilityConditions: [ { field: 'architectureProfile.multiTenancy', operator: 'EQUALS', value: 'MULTI_TENANT', result: 'REQUIRED', priority: 30, }, { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 20, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Mandantentrennungskonzept', 'Architekturdokumentation', 'Penetrationstest-Ergebnisse', ], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'HIGH', tags: ['multi-tenant', 'separation'], }, { id: 'TOM-SE-02', code: 'TOM-SE-02', category: 'SEPARATION', type: 'TECHNICAL', name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' }, description: { de: 'Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche.', en: 'Network segmentation to separate different security zones and data processing areas.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 15, }, { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Netzwerkdiagramm', 'Firewall-Regeln'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['network', 'segmentation'], }, { id: 'TOM-SE-03', code: 'TOM-SE-03', category: 'SEPARATION', type: 'TECHNICAL', name: { de: 'Umgebungstrennung (Dev/Test/Prod)', en: 'Environment Separation (Dev/Test/Prod)', }, description: { de: 'Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen.', en: 'Strict separation of development, test and production environments.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.4' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Umgebungsdokumentation', 'Zugriffsrechte je Umgebung', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['environments', 'separation'], }, { id: 'TOM-SE-04', code: 'TOM-SE-04', category: 'SEPARATION', type: 'ORGANIZATIONAL', name: { de: 'Zweckbindung dokumentieren', en: 'Document Purpose Limitation' }, description: { de: 'Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung.', en: 'Documentation and technical enforcement of purpose limitation in data processing.', }, mappings: [ { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. b' }, { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Verarbeitungsverzeichnis', 'Zweckdokumentation'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['purpose-limitation', 'documentation'], }, // ENCRYPTION { id: 'TOM-ENC-01', code: 'TOM-ENC-01', category: 'ENCRYPTION', type: 'TECHNICAL', name: { de: 'Verschlüsselung ruhender Daten', en: 'Encryption at Rest' }, description: { de: 'Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen.', en: 'Encryption of all stored personal data using modern encryption algorithms.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Verschlüsselungskonzept', 'Konfigurationsdokumentation', ], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['encryption', 'at-rest'], }, { id: 'TOM-ENC-02', code: 'TOM-ENC-02', category: 'ENCRYPTION', type: 'TECHNICAL', name: { de: 'Schlüsselmanagement', en: 'Key Management' }, description: { de: 'Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel.', en: 'Secure process for generation, storage, rotation and destruction of cryptographic keys.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
a' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' }, ], applicabilityConditions: [ { field: 'architectureProfile.encryptionAtRest', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Schlüsselmanagement-Richtlinie', 'HSM/KMS-Dokumentation', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'HIGH', tags: ['encryption', 'key-management'], }, { id: 'TOM-ENC-03', code: 'TOM-ENC-03', category: 'ENCRYPTION', type: 'TECHNICAL', name: { de: 'Datenbank-Verschlüsselung', en: 'Database Encryption' }, description: { de: 'Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder.', en: 'Encryption of databases at database level or individual field level.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Datenbank-Verschlüsselungskonfiguration', 'Feldverschlüsselungsmatrix', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['encryption', 'database'], }, // PSEUDONYMIZATION { id: 'TOM-PS-01', code: 'TOM-PS-01', category: 'PSEUDONYMIZATION', type: 'TECHNICAL', name: { de: 'Pseudonymisierungsverfahren', en: 'Pseudonymization Procedures' }, description: { de: 'Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten.', en: 'Implementation of pseudonymization procedures to reduce the personal reference of data.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 
1' }, ], applicabilityConditions: [ { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Pseudonymisierungskonzept', 'Mapping-Tabellen-Sicherheit', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'HIGH', tags: ['pseudonymization', 'data-minimization'], }, { id: 'TOM-PS-02', code: 'TOM-PS-02', category: 'PSEUDONYMIZATION', type: 'ORGANIZATIONAL', name: { de: 'Datenanonymisierung für Analysen', en: 'Data Anonymization for Analytics', }, description: { de: 'Verfahren zur Anonymisierung von Daten für Analyse- und Statistikzwecke.', en: 'Procedures for anonymizing data for analysis and statistical purposes.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' }, { framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' }, ], applicabilityConditions: [ { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: [ 'Anonymisierungskonzept', 'Risikoanalyse zur Re-Identifizierung', ], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'HIGH', tags: ['anonymization', 'analytics'], }, // RESILIENCE { id: 'TOM-RE-01', code: 'TOM-RE-01', category: 'RESILIENCE', type: 'TECHNICAL', name: { de: 'Load Balancing', en: 'Load Balancing' }, description: { de: 'Implementierung von Lastverteilung zur Sicherstellung der Systemstabilität bei hoher Last.', en: 'Implementation of load balancing to ensure system stability under high load.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' }, ], applicabilityConditions: [ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20, }, { field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: ['Load-Balancer-Konfiguration', 'Kapazitätsplanung'], reviewFrequency: 'QUARTERLY', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['resilience', 'load-balancing'], }, { id: 'TOM-RE-02', code: 'TOM-RE-02', category: 'RESILIENCE', type: 'TECHNICAL', name: { de: 'DDoS-Schutz', en: 'DDoS Protection' }, description: { de: 'Maßnahmen zum Schutz vor Distributed Denial of Service Angriffen.', en: 'Measures to protect against Distributed Denial of Service attacks.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15, }, { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['DDoS-Schutzkonzept', 'WAF-Konfiguration'], reviewFrequency: 'QUARTERLY', priority: 'HIGH', complexity: 'MEDIUM', tags: ['security', 'ddos'], }, { id: 'TOM-RE-03', code: 'TOM-RE-03', category: 'RESILIENCE', type: 'TECHNICAL', name: { de: 'Auto-Scaling', en: 'Auto-Scaling' }, description: { de: 'Automatische Skalierung von Ressourcen basierend auf der tatsächlichen Last.', en: 'Automatic scaling of resources based on actual load.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' }, ], applicabilityConditions: [ { field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: ['Auto-Scaling-Konfiguration', 'Kapazitätsmetriken'], reviewFrequency: 'QUARTERLY', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['cloud', 'scaling'], }, // RECOVERY { id: 'TOM-RC-01', code: 'TOM-RC-01', category: 'RECOVERY', type: 'TECHNICAL', name: { de: 'Disaster Recovery Plan', en: 'Disaster Recovery Plan' }, description: { de: 'Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall.', en: 'Documented and tested plan for restoring IT systems after a disaster.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.2' }, ], applicabilityConditions: [ { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 2, result: 'REQUIRED', priority: 20, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Disaster-Recovery-Plan', 'Test-Protokolle', 'RTO/RPO-Definitionen', ], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'HIGH', tags: ['disaster-recovery', 'bcp'], }, { id: 'TOM-RC-02', code: 'TOM-RC-02', category: 'RECOVERY', type: 'TECHNICAL', name: { de: 'Geo-Redundanz', en: 'Geo-Redundancy' }, description: { de: 'Geografisch verteilte Datenhaltung zur Sicherstellung der Verfügbarkeit bei regionalen Ausfällen.', en: 'Geographically distributed data storage to ensure availability during regional outages.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
c' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' }, ], applicabilityConditions: [ { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 30, }, { field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 4, result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: ['Geo-Redundanz-Konzept', 'Standort-Dokumentation'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'HIGH', tags: ['geo-redundancy', 'availability'], }, { id: 'TOM-RC-03', code: 'TOM-RC-03', category: 'RECOVERY', type: 'ORGANIZATIONAL', name: { de: 'Wiederherstellungstests', en: 'Recovery Testing' }, description: { de: 'Regelmäßige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie.', en: 'Regular testing of recovery procedures to validate backup and DR strategy.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Test-Protokolle', 'Wiederherstellungszeiten', 'Maßnahmenplan bei Fehlern', ], reviewFrequency: 'SEMI_ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['testing', 'recovery'], }, // REVIEW { id: 'TOM-RV-01', code: 'TOM-RV-01', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Regelmäßige TOM-Überprüfung', en: 'Regular TOM Review' }, description: { de: 'Periodische Überprüfung und Aktualisierung der technischen und organisatorischen Maßnahmen.', en: 'Periodic review and update of technical and organizational measures.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Überprüfungsprotokolle', 'Maßnahmenplan'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['review', 'compliance'], }, { id: 'TOM-RV-02', code: 'TOM-RV-02', category: 'REVIEW', type: 'TECHNICAL', name: { de: 'Penetrationstests', en: 'Penetration Testing' }, description: { de: 'Regelmäßige Durchführung von Penetrationstests durch qualifizierte Prüfer.', en: 'Regular penetration testing by qualified testers.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.3' }, ], applicabilityConditions: [ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20, }, { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Penetrationstest-Berichte', 'Maßnahmenplan'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'HIGH', tags: ['security-testing', 'pentest'], }, { id: 'TOM-RV-03', code: 'TOM-RV-03', category: 'REVIEW', type: 'TECHNICAL', name: { de: 'Schwachstellenscanning', en: 'Vulnerability Scanning' }, description: { de: 'Regelmäßiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen.', en: 'Regular automated scanning for known vulnerabilities in systems and applications.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.6.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: ['Scan-Berichte', 'Behebungsnachweis'], reviewFrequency: 'MONTHLY', priority: 'HIGH', complexity: 'MEDIUM', tags: ['security-testing', 'vulnerability'], }, { id: 'TOM-RV-04', code: 'TOM-RV-04', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Sicherheitsaudits', en: 'Security Audits' }, description: { de: 'Durchführung regelmäßiger interner oder externer Sicherheitsaudits.', en: 'Conducting regular internal or external security audits.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' }, ], applicabilityConditions: [ { field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20, }, { field: 'companyProfile.role', operator: 'EQUALS', value: 'PROCESSOR', result: 'REQUIRED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: ['Audit-Berichte', 'Zertifikate', 'Maßnahmenplan'], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['audit', 'compliance'], }, { id: 'TOM-RV-05', code: 'TOM-RV-05', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Datenschutzschulung', en: 'Data Protection Training' }, description: { de: 'Regelmäßige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit.', en: 'Regular training of all employees on data protection and IT security.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.7.2.2' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Schulungskonzept', 'Teilnehmerlisten', 'Schulungsnachweise', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['training', 'awareness'], }, { id: 'TOM-RV-06', code: 'TOM-RV-06', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Incident Response Plan', en: 'Incident Response Plan' }, description: { de: 'Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfällen.', en: 'Documented procedure for detection, reporting and handling of security incidents.', }, mappings: [ { framework: 'GDPR_ART33', reference: 'Art. 33' }, { framework: 'GDPR_ART34', reference: 'Art. 34' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.16.1.1' }, ], applicabilityConditions: [], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Incident-Response-Plan', 'Kontaktliste', 'Meldeformulare', 'Übungsprotokolle', ], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'MEDIUM', tags: ['incident-response', 'breach'], }, { id: 'TOM-RV-07', code: 'TOM-RV-07', category: 'REVIEW', type: 'TECHNICAL', name: { de: 'Security Information and Event Management (SIEM)', en: 'Security Information and Event Management (SIEM)', }, description: { de: 'Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen.', en: 'Centralized collection and analysis of security events to detect attacks.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
b' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' }, ], applicabilityConditions: [ { field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 30, }, { field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: [ 'SIEM-Konfiguration', 'Korrelationsregeln', 'Alert-Berichte', ], reviewFrequency: 'QUARTERLY', priority: 'HIGH', complexity: 'HIGH', tags: ['siem', 'monitoring', 'detection'], }, { id: 'TOM-RV-08', code: 'TOM-RV-08', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Datenschutz-Folgenabschätzung (DSFA)', en: 'Data Protection Impact Assessment (DPIA)', }, description: { de: 'Durchführung von Datenschutz-Folgenabschätzungen für risikoreiche Verarbeitungen.', en: 'Conducting data protection impact assessments for high-risk processing.', }, mappings: [ { framework: 'GDPR_ART35', reference: 'Art. 35' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.18.1.4' }, ], applicabilityConditions: [ { field: 'riskProfile.dsfaRequired', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30, }, { field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, { field: 'dataProfile.processesMinors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'OPTIONAL', evidenceRequirements: [ 'DSFA-Dokumentation', 'Risikobewertung', 'Maßnahmenplan', ], reviewFrequency: 'ANNUAL', priority: 'CRITICAL', complexity: 'HIGH', tags: ['dpia', 'dsfa', 'risk-assessment'], }, // ========================================================================= // DELETION / VERNICHTUNG — Sichere Datenloeschung & Datentraegervernichtung // ========================================================================= { id: 'TOM-DL-01', code: 'TOM-DL-01', category: 'SEPARATION', type: 'TECHNICAL', name: { de: 'Sichere 
Datenloeschung', en: 'Secure Data Deletion', }, description: { de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).', en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).', }, mappings: [ { framework: 'GDPR_ART17', reference: 'Art. 17' }, { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. e' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' }, { framework: 'BSI_C5', reference: 'SY-09' }, ], applicabilityConditions: [ { field: 'dataProfile.dataVolume', operator: 'NOT_EQUALS', value: 'NONE', result: 'REQUIRED', priority: 30, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Loeschkonzept / Loeschrichtlinie', 'Loeschprotokolle mit Zeitstempeln', 'DIN 66399 Konformitaetsnachweis', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'MEDIUM', tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'], }, { id: 'TOM-DL-02', code: 'TOM-DL-02', category: 'SEPARATION', type: 'TECHNICAL', name: { de: 'Datentraegervernichtung', en: 'Media Destruction', }, description: { de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.', en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
1' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' }, { framework: 'BSI_C5', reference: 'AM-08' }, ], applicabilityConditions: [ { field: 'dataProfile.dataVolume', operator: 'NOT_EQUALS', value: 'NONE', result: 'RECOMMENDED', priority: 20, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Vernichtungsprotokoll mit Seriennummern', 'Zertifikat des Vernichtungsdienstleisters', 'DIN 66399 Sicherheitsstufe-Nachweis', ], reviewFrequency: 'ANNUAL', priority: 'MEDIUM', complexity: 'LOW', tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'], }, { id: 'TOM-DL-03', code: 'TOM-DL-03', category: 'SEPARATION', type: 'ORGANIZATIONAL', name: { de: 'Loeschprotokollierung', en: 'Deletion Logging', }, description: { de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.', en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.', }, mappings: [ { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 
2 (Rechenschaftspflicht)' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' }, ], applicabilityConditions: [ { field: 'dataProfile.dataVolume', operator: 'NOT_EQUALS', value: 'NONE', result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Loeschprotokoll-Template', 'Archivierte Loeschprotokolle (Stichprobe)', 'Automatisierungsnachweis (bei automatischen Loeschungen)', ], reviewFrequency: 'SEMI_ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['deletion', 'logging', 'accountability', 'documentation'], }, { id: 'TOM-DL-04', code: 'TOM-DL-04', category: 'SEPARATION', type: 'TECHNICAL', name: { de: 'Backup-Bereinigung', en: 'Backup Sanitization', }, description: { de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.', en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.', }, mappings: [ { framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 
2' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' }, ], applicabilityConditions: [ { field: 'techProfile.hasBackups', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Backup-Loeschkonzept', 'Backup-Rotationsplan', 'Nachweis der Backup-Bereinigung', ], reviewFrequency: 'SEMI_ANNUAL', priority: 'MEDIUM', complexity: 'HIGH', tags: ['deletion', 'backup', 'data-lifecycle', 'retention'], }, // ========================================================================= // SCHULUNG / VERTRAULICHKEIT — Training & Awareness // ========================================================================= { id: 'TOM-TR-01', code: 'TOM-TR-01', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Datenschutzschulung', en: 'Data Protection Training', }, description: { de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.', en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.', }, mappings: [ { framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' }, { framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. 
n' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' }, ], applicabilityConditions: [ { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 0, result: 'REQUIRED', priority: 30, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Schulungsplan (jaehrlich)', 'Teilnahmelisten / Schulungsnachweise', 'Schulungsmaterialien / Praesentation', 'Wissenstest-Ergebnisse (optional)', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['training', 'schulung', 'awareness', 'organizational'], }, { id: 'TOM-TR-02', code: 'TOM-TR-02', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Verpflichtung auf Datengeheimnis', en: 'Confidentiality Obligation', }, description: { de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.', en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.', }, mappings: [ { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' }, { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 
4' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' }, ], applicabilityConditions: [ { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 0, result: 'REQUIRED', priority: 30, }, ], defaultApplicability: 'REQUIRED', evidenceRequirements: [ 'Muster-Verpflichtungserklaerung', 'Unterschriebene Verpflichtungserklaerungen', 'Register der verpflichteten Personen', ], reviewFrequency: 'ANNUAL', priority: 'HIGH', complexity: 'LOW', tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'], }, { id: 'TOM-TR-03', code: 'TOM-TR-03', category: 'REVIEW', type: 'ORGANIZATIONAL', name: { de: 'Security Awareness Programm', en: 'Security Awareness Program', }, description: { de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.', en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.', }, mappings: [ { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. 
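d' }, { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' }, { framework: 'BSI_C5', reference: 'ORP.3' }, ], applicabilityConditions: [ { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 10, result: 'REQUIRED', priority: 20, }, { field: 'orgProfile.employeeCount', operator: 'GREATER_THAN', value: 0, result: 'RECOMMENDED', priority: 15, }, ], defaultApplicability: 'RECOMMENDED', evidenceRequirements: [ 'Awareness-Programm-Dokumentation', 'Phishing-Simulationsergebnisse', 'Teilnahmenachweise', ], reviewFrequency: 'SEMI_ANNUAL', priority: 'MEDIUM', complexity: 'MEDIUM', tags: ['training', 'security-awareness', 'phishing', 'social-engineering'], }, ], }

// =============================================================================
// LOADER FUNCTIONS
// =============================================================================
//
// NOTE(review): every accessor below hands out the live singleton by reference
// (the embedded object, its `controls` array and its `categories` Map). A
// caller that mutates a returned array or Map (push, splice, in-place sort,
// set/delete) changes the library for every other caller for the lifetime of
// the process. Copy before mutating. The accessors intentionally do not clone
// so that existing callers relying on reference identity keep working.

let cachedLibrary: ControlLibrary | null = null

/**
 * Get the control library (singleton with embedded data).
 *
 * The only data source is the embedded `CONTROL_LIBRARY_DATA` constant; no
 * file or network access happens here, so the "cache" is just a lazily
 * assigned reference to that constant.
 *
 * @returns the shared, mutable library object (not a copy)
 */
export function getControlLibrary(): ControlLibrary {
  if (cachedLibrary === null) {
    cachedLibrary = CONTROL_LIBRARY_DATA
  }
  return cachedLibrary
}

/**
 * Get all controls from the library.
 *
 * @returns the library's own `controls` array (live reference, see note above)
 */
export function getAllControls(): ControlLibraryEntry[] {
  return getControlLibrary().controls
}

/**
 * Get a control by ID.
 *
 * Returns the first entry whose `id` matches. Ids in the visible embedded data
 * are unique; names are not (e.g. both TOM-RV-05 and TOM-TR-01 are named
 * 'Datenschutzschulung' / 'Data Protection Training'), so lookups must key on
 * `id`, never on `name`.
 *
 * @param id - control id such as 'TOM-RV-05'
 * @returns the matching entry, or undefined when no control has that id
 */
export function getControlById(id: string): ControlLibraryEntry | undefined {
  return getAllControls().find((control) => control.id === id)
}

/**
 * Get controls by category.
 *
 * Filters on the entry's `category` field only. Note that the embedded data
 * files the TOM-DL-* (deletion) controls under 'SEPARATION' and the TOM-TR-*
 * (training) controls under 'REVIEW'; the section comments in the data do not
 * create categories of their own.
 *
 * @param category - category key to match exactly
 * @returns new array of matching entries (the entries themselves are shared)
 */
export function getControlsByCategory(
  category: ControlCategory
): ControlLibraryEntry[] {
  return getAllControls().filter((control) => control.category === category)
}

/**
 * Get controls by type (TECHNICAL or ORGANIZATIONAL).
 *
 * @param type - control type to match exactly
 * @returns new array of matching entries
 */
export function getControlsByType(
  type: 'TECHNICAL' | 'ORGANIZATIONAL'
): ControlLibraryEntry[] {
  return getAllControls().filter((control) => control.type === type)
}

/**
 * Get controls by priority.
 *
 * @param priority - priority level to match exactly
 * @returns new array of matching entries
 */
export function getControlsByPriority(
  priority: ControlPriority
): ControlLibraryEntry[] {
  return getAllControls().filter((control) => control.priority === priority)
}

/**
 * Get controls by tag.
 *
 * Tag comparison is exact and case-sensitive (`tags.includes`).
 *
 * @param tag - tag string to look for in each control's `tags`
 * @returns new array of matching entries
 */
export function getControlsByTag(tag: string): ControlLibraryEntry[] {
  return getAllControls().filter((control) => control.tags.includes(tag))
}

/**
 * Get all unique tags from controls.
 *
 * @returns the distinct tags across all controls, sorted with the default
 *   (UTF-16 code unit) string ordering
 */
export function getAllTags(): string[] {
  // Typed Set so the result is string[] under strict mode rather than unknown[].
  const tags = new Set<string>()
  for (const control of getAllControls()) {
    for (const tag of control.tags) {
      tags.add(tag)
    }
  }
  return Array.from(tags).sort()
}

/**
 * Get category metadata.
 *
 * @param category - category key
 * @returns the localized name and GDPR reference, or undefined when the
 *   category is not present in the library's `categories` Map
 */
export function getCategoryMetadata(
  category: ControlCategory
): { name: LocalizedString; gdprReference: string } | undefined {
  return getControlLibrary().categories.get(category)
}

/**
 * Get all categories.
 *
 * @returns category keys in the insertion order of the `categories` Map
 */
export function getAllCategories(): ControlCategory[] {
  return Array.from(getControlLibrary().categories.keys())
}

/**
 * Get categories with metadata (alias for API compatibility).
 *
 * @returns one `{ id, name, gdprReference }` record per category, in Map order
 */
export function getCategories(): Array<{
  id: ControlCategory
  name: LocalizedString
  gdprReference: string
}> {
  // Array.from with a map callback preserves the Map's iteration order, as the
  // previous forEach/push did.
  return Array.from(getControlLibrary().categories, ([id, metadata]) => ({
    id,
    name: metadata.name,
    gdprReference: metadata.gdprReference,
  }))
}

/**
 * Get library metadata.
 *
 * NOTE(review): `totalControls` is a literal in the embedded data, not derived
 * from `controls.length`; confirm the two agree before reporting it as a
 * coverage figure.
 *
 * @returns the library's `metadata` object (live reference)
 */
export function getLibraryMetadata(): {
  version: string
  lastUpdated: string
  totalControls: number
} {
  return getControlLibrary().metadata
}

/**
 * Search controls by text (searches name and description in both languages).
 *
 * Matching is a case-insensitive substring test against the name and
 * description in the requested language plus the control code. An empty
 * query matches every control, because `''` is a substring of any string.
 *
 * @param query - free-text search string
 * @param language - which localized name/description to search (default 'de')
 * @returns new array of matching entries
 */
export function searchControls(
  query: string,
  language: 'de' | 'en' = 'de'
): ControlLibraryEntry[] {
  const lowerQuery = query.toLowerCase()
  return getAllControls().filter((control) => {
    const name = control.name[language].toLowerCase()
    const description = control.description[language].toLowerCase()
    const code = control.code.toLowerCase()
    return (
      name.includes(lowerQuery) ||
      description.includes(lowerQuery) ||
      code.includes(lowerQuery)
    )
  })
}

/**
 * Get controls by framework mapping.
 *
 * @param framework - framework key to match exactly (e.g. 'GDPR_ART32',
 *   'ISO27001_ANNEX_A' as used in the embedded mappings)
 * @returns new array of controls that carry at least one mapping to it
 */
export function getControlsByFramework(
  framework: string
): ControlLibraryEntry[] {
  return getAllControls().filter((control) =>
    control.mappings.some((m) => m.framework === framework)
  )
}

/**
 * Get controls count by category.
 *
 * Only categories present in the library's `categories` Map are reported; a
 * control whose `category` is not a key of that Map is not counted, which
 * matches the previous per-category filtering. Categories with no controls
 * report 0.
 *
 * @returns Map from category to number of controls, in `categories` Map order
 */
export function getControlsCountByCategory(): Map<ControlCategory, number> {
  const counts = new Map<ControlCategory, number>()
  // Seed every known category first so the Map keeps the library's category
  // order and empty categories still appear with 0.
  for (const category of getAllCategories()) {
    counts.set(category, 0)
  }
  // One pass over the controls instead of one filter pass per category.
  for (const control of getAllControls()) {
    const current = counts.get(control.category)
    if (current !== undefined) {
      counts.set(control.category, current + 1)
    }
  }
  return counts
}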