Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
48ca0a6bef5157dc4690eb0b811df87cfbf8b4fc
breakpilot-compliance/admin-compliance/lib/sdk/tom-generator/controls/loader.ts
Benjamin Admin 4b1eede45b feat(tom): audit document, compliance checks, 25 controls, canonical control mapping 
Phase A: TOM document HTML generator (12 sections, inline CSS, A4 print)
Phase B: TOMDocumentTab component (org-header form, revisions, print/download)
Phase C: 11 compliance checks with severity-weighted scoring
Phase D: MkDocs documentation for TOM module
Phase E: 25 new controls (63 → 88) in 13 categories

Canonical Control Mapping (three-layer architecture):
- Migration 068: tom_control_mappings + tom_control_sync_state tables
- 6 API endpoints: sync, list, by-tom, stats, manual add, delete
- Category mapping: 13 TOM categories → 17 canonical categories
- Frontend: sync button + coverage card (Overview), drill-down (Editor),
  belegende Controls count (Document)
- 20 tests (unit + API with mocked DB)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-19 11:56:53 +01:00

3164 lines
110 KiB
TypeScript
Raw Blame History

// =============================================================================
// Control Library Loader
// Loads and parses the controls.yml file
// =============================================================================
import {
ControlLibraryEntry,
ControlCategory,
ControlApplicability,
ConditionOperator,
ReviewFrequency,
ControlPriority,
ControlComplexity,
LocalizedString,
FrameworkMapping,
ApplicabilityCondition,
} from '../types'
// =============================================================================
// RAW YAML TYPES
// =============================================================================
interface RawApplicabilityCondition {
field: string
operator: string
value: unknown
result: string
priority: number
}
interface RawMapping {
framework: string
reference: string
}
interface RawControl {
id: string
code: string
category: string
type: 'TECHNICAL' | 'ORGANIZATIONAL'
name: { de: string; en: string }
description: { de: string; en: string }
mappings: RawMapping[]
applicabilityConditions: RawApplicabilityCondition[]
defaultApplicability: string
evidenceRequirements: string[]
reviewFrequency: string
priority: string
complexity: string
tags: string[]
}
interface RawCategoryInfo {
name: { de: string; en: string }
gdprReference: string
}
interface RawControlsYaml {
metadata: {
version: string
lastUpdated: string
totalControls: number
}
categories: Record<string, RawCategoryInfo>
controls: RawControl[]
}
// =============================================================================
// PARSED CONTROL LIBRARY
// =============================================================================
export interface ControlLibrary {
metadata: {
version: string
lastUpdated: string
totalControls: number
}
categories: Map<
ControlCategory,
{ name: LocalizedString; gdprReference: string }
>
controls: ControlLibraryEntry[]
}
// =============================================================================
// EMBEDDED CONTROL DATA
// Since we can't dynamically load YAML in all environments, we embed the data
// =============================================================================
const CONTROL_LIBRARY_DATA: ControlLibrary = {
metadata: {
version: '1.1.0',
lastUpdated: '2026-03-19',
totalControls: 88,
},
categories: new Map([
[
'ACCESS_CONTROL',
{
name: { de: 'Zutrittskontrolle', en: 'Physical Access Control' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'ADMISSION_CONTROL',
{
name: { de: 'Zugangskontrolle', en: 'System Access Control' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'ACCESS_AUTHORIZATION',
{
name: { de: 'Zugriffskontrolle', en: 'Access Authorization' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'TRANSFER_CONTROL',
{
name: { de: 'Weitergabekontrolle', en: 'Transfer Control' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'INPUT_CONTROL',
{
name: { de: 'Eingabekontrolle', en: 'Input Control' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'ORDER_CONTROL',
{
name: { de: 'Auftragskontrolle', en: 'Order Control' },
gdprReference: 'Art. 28',
},
],
[
'AVAILABILITY',
{
name: { de: 'Verfügbarkeit', en: 'Availability' },
gdprReference: 'Art. 32 Abs. 1 lit. b, c',
},
],
[
'SEPARATION',
{
name: { de: 'Trennbarkeit', en: 'Separation' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'ENCRYPTION',
{
name: { de: 'Verschlüsselung', en: 'Encryption' },
gdprReference: 'Art. 32 Abs. 1 lit. a',
},
],
[
'PSEUDONYMIZATION',
{
name: { de: 'Pseudonymisierung', en: 'Pseudonymization' },
gdprReference: 'Art. 32 Abs. 1 lit. a',
},
],
[
'RESILIENCE',
{
name: { de: 'Belastbarkeit', en: 'Resilience' },
gdprReference: 'Art. 32 Abs. 1 lit. b',
},
],
[
'RECOVERY',
{
name: { de: 'Wiederherstellbarkeit', en: 'Recovery' },
gdprReference: 'Art. 32 Abs. 1 lit. c',
},
],
[
'REVIEW',
{
name: { de: 'Überprüfung & Bewertung', en: 'Review & Assessment' },
gdprReference: 'Art. 32 Abs. 1 lit. d',
},
],
]),
controls: [
// ACCESS CONTROL
{
id: 'TOM-AC-01',
code: 'TOM-AC-01',
category: 'ACCESS_CONTROL',
type: 'TECHNICAL',
name: {
de: 'Elektronische Zutrittskontrolle',
en: 'Electronic Access Control',
},
description: {
de: 'Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen.',
en: 'Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'REQUIRED',
priority: 10,
},
{
field: 'architectureProfile.hostingModel',
operator: 'EQUALS',
value: 'PUBLIC_CLOUD',
result: 'NOT_APPLICABLE',
priority: 20,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Zutrittskontrollkonzept',
'Protokolle des Zutrittskontrollsystems',
'Besucherregelungen',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['physical-security', 'access'],
},
{
id: 'TOM-AC-02',
code: 'TOM-AC-02',
category: 'ACCESS_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Besuchermanagement', en: 'Visitor Management' },
description: {
de: 'Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen.',
en: 'Regulations for receiving, accompanying and registering visitors in security-relevant areas.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'REQUIRED',
priority: 10,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Besucherrichtlinie', 'Besucherbuch/Protokolle'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'LOW',
tags: ['physical-security', 'visitors'],
},
{
id: 'TOM-AC-03',
code: 'TOM-AC-03',
category: 'ACCESS_CONTROL',
type: 'TECHNICAL',
name: { de: 'Videoüberwachung', en: 'Video Surveillance' },
description: {
de: 'Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen.',
en: 'Installation of video surveillance systems to control and document access to sensitive areas.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.4' },
],
applicabilityConditions: [
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'RECOMMENDED',
priority: 20,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: [
'Videoüberwachungskonzept',
'Datenschutz-Folgenabschätzung für Videoüberwachung',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['physical-security', 'monitoring'],
},
{
id: 'TOM-AC-04',
code: 'TOM-AC-04',
category: 'ACCESS_CONTROL',
type: 'TECHNICAL',
name: { de: 'Alarmanlage', en: 'Alarm System' },
description: {
de: 'Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten.',
en: 'Intrusion detection system to protect premises outside business hours.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.1' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'RECOMMENDED',
priority: 10,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Alarmkonzept', 'Wartungsprotokolle'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['physical-security', 'intrusion-detection'],
},
{
id: 'TOM-AC-05',
code: 'TOM-AC-05',
category: 'ACCESS_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Schlüsselmanagement', en: 'Key Management' },
description: {
de: 'Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit.',
en: 'Documented management and distribution of physical keys with traceability.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'REQUIRED',
priority: 10,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Schlüsselausgabeprotokoll',
'Schlüsselverwaltungsrichtlinie',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'LOW',
tags: ['physical-security', 'keys'],
},
// ADMISSION CONTROL
{
id: 'TOM-ADM-01',
code: 'TOM-ADM-01',
category: 'ADMISSION_CONTROL',
type: 'TECHNICAL',
name: {
de: 'Multi-Faktor-Authentifizierung',
en: 'Multi-Factor Authentication',
},
description: {
de: 'Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten.',
en: 'Implementation of two- or multi-factor authentication for system access to critical systems and data.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
{
field: 'dataProfile.processesMinors',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'REQUIRED',
priority: 20,
},
{
field: 'companyProfile.role',
operator: 'EQUALS',
value: 'PROCESSOR',
result: 'REQUIRED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'MFA-Konfigurationsdokumentation',
'Nutzerstatistiken zur MFA-Nutzung',
],
reviewFrequency: 'QUARTERLY',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['authentication', 'mfa', 'identity'],
},
{
id: 'TOM-ADM-02',
code: 'TOM-ADM-02',
category: 'ADMISSION_CONTROL',
type: 'TECHNICAL',
name: { de: 'Passwortrichtlinien', en: 'Password Policies' },
description: {
de: 'Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie).',
en: 'Enforcement of technical password policies (minimum length, complexity, regular changes, history).',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.3' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Passwortrichtlinie', 'Technische Konfiguration'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['authentication', 'passwords'],
},
{
id: 'TOM-ADM-03',
code: 'TOM-ADM-03',
category: 'ADMISSION_CONTROL',
type: 'TECHNICAL',
name: { de: 'Single Sign-On (SSO)', en: 'Single Sign-On (SSO)' },
description: {
de: 'Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit.',
en: 'Centralized authentication via SSO to improve security and usability.',
},
mappings: [{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.4' }],
applicabilityConditions: [
{
field: 'companyProfile.size',
operator: 'IN',
value: ['MEDIUM', 'LARGE', 'ENTERPRISE'],
result: 'RECOMMENDED',
priority: 10,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: [
'SSO-Konfigurationsdokumentation',
'Integrierte Anwendungsliste',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['authentication', 'sso', 'identity'],
},
{
id: 'TOM-ADM-04',
code: 'TOM-ADM-04',
category: 'ADMISSION_CONTROL',
type: 'TECHNICAL',
name: { de: 'Automatische Bildschirmsperre', en: 'Automatic Screen Lock' },
description: {
de: 'Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung.',
en: 'Automatic locking of workstations after inactivity with required re-authentication.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.8' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['GPO/MDM-Konfiguration', 'Richtliniendokumentation'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['workstation', 'security'],
},
{
id: 'TOM-ADM-05',
code: 'TOM-ADM-05',
category: 'ADMISSION_CONTROL',
type: 'TECHNICAL',
name: {
de: 'Kontosperrung nach Fehlversuchen',
en: 'Account Lockout After Failed Attempts',
},
description: {
de: 'Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen.',
en: 'Automatic temporary locking of user accounts after multiple failed login attempts.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.2' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Konfigurationsdokumentation',
'Protokollierung der Sperrereignisse',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['authentication', 'brute-force-protection'],
},
// ACCESS AUTHORIZATION
{
id: 'TOM-AZ-01',
code: 'TOM-AZ-01',
category: 'ACCESS_AUTHORIZATION',
type: 'TECHNICAL',
name: {
de: 'Rollenbasierte Zugriffskontrolle (RBAC)',
en: 'Role-Based Access Control (RBAC)',
},
description: {
de: 'Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip.',
en: 'Implementation of a role-based permission system to control data access according to the need-to-know principle.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'ORP.4' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Berechtigungskonzept',
'Rollenmatrix',
'Berechtigungsaudits',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['authorization', 'rbac', 'access'],
},
{
id: 'TOM-AZ-02',
code: 'TOM-AZ-02',
category: 'ACCESS_AUTHORIZATION',
type: 'ORGANIZATIONAL',
name: {
de: 'Berechtigungsverwaltungsprozess',
en: 'Authorization Management Process',
},
description: {
de: 'Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen.',
en: 'Documented process for requesting, approving and revoking access permissions.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.2' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Berechtigungsanträge',
'Genehmigungsprotokolle',
'Prozessdokumentation',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['authorization', 'process'],
},
{
id: 'TOM-AZ-03',
code: 'TOM-AZ-03',
category: 'ACCESS_AUTHORIZATION',
type: 'TECHNICAL',
name: {
de: 'Privileged Access Management (PAM)',
en: 'Privileged Access Management (PAM)',
},
description: {
de: 'Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows.',
en: 'Special controls for privileged accounts (admins) with recording, time limits and approval workflows.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.3' },
],
applicabilityConditions: [
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'REQUIRED',
priority: 20,
},
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
{
field: 'companyProfile.size',
operator: 'IN',
value: ['LARGE', 'ENTERPRISE'],
result: 'RECOMMENDED',
priority: 10,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'PAM-Konfiguration',
'Sitzungsaufzeichnungen',
'Audit-Logs',
],
reviewFrequency: 'QUARTERLY',
priority: 'CRITICAL',
complexity: 'HIGH',
tags: ['authorization', 'pam', 'privileged'],
},
{
id: 'TOM-AZ-04',
code: 'TOM-AZ-04',
category: 'ACCESS_AUTHORIZATION',
type: 'ORGANIZATIONAL',
name: {
de: 'Regelmäßige Berechtigungsrezertifizierung',
en: 'Regular Authorization Recertification',
},
description: {
de: 'Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten.',
en: 'Periodic review of all access permissions by respective supervisors.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Rezertifizierungsprotokolle',
'Prozessdokumentation',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['authorization', 'review'],
},
{
id: 'TOM-AZ-05',
code: 'TOM-AZ-05',
category: 'ACCESS_AUTHORIZATION',
type: 'TECHNICAL',
name: {
de: 'Datenklassifizierung und Label',
en: 'Data Classification and Labeling',
},
description: {
de: 'Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen.',
en: 'Technical implementation of data classification with corresponding access controls.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.2' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Klassifizierungsschema', 'Label-Konfiguration'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['classification', 'labeling'],
},
// TRANSFER CONTROL
{
id: 'TOM-TR-01',
code: 'TOM-TR-01',
category: 'TRANSFER_CONTROL',
type: 'TECHNICAL',
name: { de: 'Transportverschlüsselung (TLS)', en: 'Transport Encryption (TLS)' },
description: {
de: 'Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher.',
en: 'Encryption of all data transfers using TLS 1.2 or higher.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['TLS-Konfigurationsdokumentation', 'SSL/TLS-Scans'],
reviewFrequency: 'QUARTERLY',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['encryption', 'transport', 'tls'],
},
{
id: 'TOM-TR-02',
code: 'TOM-TR-02',
category: 'TRANSFER_CONTROL',
type: 'TECHNICAL',
name: { de: 'VPN für Fernzugriff', en: 'VPN for Remote Access' },
description: {
de: 'Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke.',
en: 'Use of VPN connections for secure remote access to corporate networks.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.1' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'REQUIRED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['VPN-Konfiguration', 'Nutzungsstatistiken'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['vpn', 'remote-access'],
},
{
id: 'TOM-TR-03',
code: 'TOM-TR-03',
category: 'TRANSFER_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Richtlinie zur Datenübermittlung', en: 'Data Transfer Policy' },
description: {
de: 'Dokumentierte Richtlinie für die sichere Übermittlung personenbezogener Daten intern und extern.',
en: 'Documented policy for secure transfer of personal data internally and externally.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Datenübermittlungsrichtlinie', 'Schulungsnachweise'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['policy', 'transfer'],
},
{
id: 'TOM-TR-04',
code: 'TOM-TR-04',
category: 'TRANSFER_CONTROL',
type: 'TECHNICAL',
name: { de: 'E-Mail-Verschlüsselung', en: 'Email Encryption' },
description: {
de: 'Implementierung von E-Mail-Verschlüsselung (S/MIME, PGP) für vertrauliche Kommunikation.',
en: 'Implementation of email encryption (S/MIME, PGP) for confidential communication.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'E-Mail-Verschlüsselungskonzept',
'Konfigurationsdokumentation',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['encryption', 'email'],
},
{
id: 'TOM-TR-05',
code: 'TOM-TR-05',
category: 'TRANSFER_CONTROL',
type: 'TECHNICAL',
name: { de: 'Data Loss Prevention (DLP)', en: 'Data Loss Prevention (DLP)' },
description: {
de: 'Technische Maßnahmen zur Verhinderung unbeabsichtigter oder unbefugter Datenabflüsse.',
en: 'Technical measures to prevent unintentional or unauthorized data leakage.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.2' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'RECOMMENDED',
priority: 25,
},
{
field: 'riskProfile.protectionLevel',
operator: 'EQUALS',
value: 'VERY_HIGH',
result: 'REQUIRED',
priority: 30,
},
{
field: 'companyProfile.size',
operator: 'IN',
value: ['LARGE', 'ENTERPRISE'],
result: 'RECOMMENDED',
priority: 10,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['DLP-Konfiguration', 'Vorfallsberichte'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['dlp', 'data-protection'],
},
// INPUT CONTROL
{
id: 'TOM-IN-01',
code: 'TOM-IN-01',
category: 'INPUT_CONTROL',
type: 'TECHNICAL',
name: { de: 'Audit-Logging', en: 'Audit Logging' },
description: {
de: 'Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation.',
en: 'Comprehensive logging of all data processing activities with timestamp and user identification.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Logging-Konzept', 'Log-Konfiguration', 'Beispiel-Logs'],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['logging', 'audit'],
},
{
id: 'TOM-IN-02',
code: 'TOM-IN-02',
category: 'INPUT_CONTROL',
type: 'TECHNICAL',
name: { de: 'Änderungsprotokollierung (Change Log)', en: 'Change Logging' },
description: {
de: 'Automatische Protokollierung aller Änderungen an personenbezogenen Daten.',
en: 'Automatic logging of all changes to personal data.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Change-Log-Konfiguration', 'Beispielprotokolle'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['logging', 'change-tracking'],
},
{
id: 'TOM-IN-03',
code: 'TOM-IN-03',
category: 'INPUT_CONTROL',
type: 'TECHNICAL',
name: { de: 'Eingabevalidierung', en: 'Input Validation' },
description: {
de: 'Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen.',
en: 'Technical validation of all inputs to prevent data manipulation and injection attacks.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Validierungsregeln', 'Code-Reviews'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['security', 'validation'],
},
{
id: 'TOM-IN-04',
code: 'TOM-IN-04',
category: 'INPUT_CONTROL',
type: 'ORGANIZATIONAL',
name: {
de: 'Log-Aufbewahrung und -Auswertung',
en: 'Log Retention and Analysis',
},
description: {
de: 'Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien.',
en: 'Defined retention periods for logs and regular analysis to detect anomalies.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Log-Aufbewahrungsrichtlinie', 'Analyseberichte'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['logging', 'analysis', 'retention'],
},
// ORDER CONTROL
{
id: 'TOM-OR-01',
code: 'TOM-OR-01',
category: 'ORDER_CONTROL',
type: 'ORGANIZATIONAL',
name: {
de: 'Auftragsverarbeitungsverträge (AVV)',
en: 'Data Processing Agreements (DPA)',
},
description: {
de: 'Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern.',
en: 'Conclusion of data processing agreements according to Art. 28 GDPR with all processors.',
},
mappings: [
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hasSubprocessors',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
{
field: 'companyProfile.role',
operator: 'EQUALS',
value: 'CONTROLLER',
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Unterschriebene AVVs',
'Auftragsverarbeiter-Verzeichnis',
],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'LOW',
tags: ['contracts', 'avv', 'dpa'],
},
{
id: 'TOM-OR-02',
code: 'TOM-OR-02',
category: 'ORDER_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Auftragsverarbeiter-Prüfung', en: 'Processor Auditing' },
description: {
de: 'Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern.',
en: 'Regular verification of technical and organizational measures at processors.',
},
mappings: [
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. h' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hasSubprocessors',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Audit-Berichte',
'Zertifikate der Auftragsverarbeiter',
'Prüfprotokolle',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['audit', 'processor'],
},
{
id: 'TOM-OR-03',
code: 'TOM-OR-03',
category: 'ORDER_CONTROL',
type: 'ORGANIZATIONAL',
name: {
de: 'Weisungsgebundenheit dokumentieren',
en: 'Document Instruction Compliance',
},
description: {
de: 'Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern.',
en: 'Documentation of instruction compliance by processors and employees.',
},
mappings: [
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. a' },
{ framework: 'GDPR_ART29', reference: 'Art. 29' },
],
applicabilityConditions: [
{
field: 'companyProfile.role',
operator: 'EQUALS',
value: 'PROCESSOR',
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Weisungsdokumentation', 'Schulungsnachweise'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['processor', 'instructions'],
},
{
id: 'TOM-OR-04',
code: 'TOM-OR-04',
category: 'ORDER_CONTROL',
type: 'ORGANIZATIONAL',
name: {
de: 'Unterauftragsverarbeiter-Management',
en: 'Sub-processor Management',
},
description: {
de: 'Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern.',
en: 'Documented procedure for approval and monitoring of sub-processors.',
},
mappings: [
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 2, 4' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.3' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hasSubprocessors',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
{
field: 'companyProfile.role',
operator: 'EQUALS',
value: 'PROCESSOR',
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Unterauftragsverarbeiter-Liste',
'Genehmigungsprotokolle',
'AVVs mit Unterauftragsverarbeitern',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['sub-processor', 'management'],
},
// AVAILABILITY
{
id: 'TOM-AV-01',
code: 'TOM-AV-01',
category: 'AVAILABILITY',
type: 'TECHNICAL',
name: { de: 'Backup-Strategie', en: 'Backup Strategy' },
description: {
de: 'Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung.',
en: 'Implementation of a comprehensive backup strategy with regular backups and retention.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Backup-Konzept', 'Backup-Protokolle', 'Restore-Tests'],
reviewFrequency: 'QUARTERLY',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['backup', 'recovery'],
},
{
id: 'TOM-AV-02',
code: 'TOM-AV-02',
category: 'AVAILABILITY',
type: 'TECHNICAL',
name: { de: 'Redundante Systeme', en: 'Redundant Systems' },
description: {
de: 'Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit.',
en: 'Implementation of redundancy for critical systems to ensure availability.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
],
applicabilityConditions: [
{
field: 'riskProfile.ciaAssessment.availability',
operator: 'GREATER_THAN',
value: 3,
result: 'REQUIRED',
priority: 20,
},
{
field: 'riskProfile.protectionLevel',
operator: 'EQUALS',
value: 'VERY_HIGH',
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Redundanzkonzept', 'Architekturdokumentation'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['redundancy', 'availability'],
},
{
id: 'TOM-AV-03',
code: 'TOM-AV-03',
category: 'AVAILABILITY',
type: 'TECHNICAL',
name: {
de: 'Unterbrechungsfreie Stromversorgung (USV)',
en: 'Uninterruptible Power Supply (UPS)',
},
description: {
de: 'Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen.',
en: 'Use of UPS systems to protect critical systems from power failures.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.11.2.2' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'INF.2' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'REQUIRED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['USV-Dokumentation', 'Wartungsprotokolle'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['power', 'infrastructure'],
},
{
id: 'TOM-AV-04',
code: 'TOM-AV-04',
category: 'AVAILABILITY',
type: 'ORGANIZATIONAL',
name: {
de: 'Notfallvorsorge (Business Continuity)',
en: 'Business Continuity Planning',
},
description: {
de: 'Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse.',
en: 'Documented emergency preparedness to maintain critical business processes.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.1' },
],
applicabilityConditions: [
{
field: 'riskProfile.ciaAssessment.availability',
operator: 'GREATER_THAN',
value: 2,
result: 'REQUIRED',
priority: 15,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Business-Continuity-Plan',
'Notfallkontakte',
'Übungsprotokolle',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['bcp', 'continuity'],
},
{
id: 'TOM-AV-05',
code: 'TOM-AV-05',
category: 'AVAILABILITY',
type: 'TECHNICAL',
name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
description: {
de: 'Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen.',
en: 'Continuous monitoring of system availability with automatic notifications for outages.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Monitoring-Konfiguration',
'Alert-Regeln',
'Verfügbarkeitsberichte',
],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['monitoring', 'alerting'],
},
// SEPARATION
{
id: 'TOM-SE-01',
code: 'TOM-SE-01',
category: 'SEPARATION',
type: 'TECHNICAL',
name: { de: 'Mandantentrennung', en: 'Multi-Tenant Separation' },
description: {
de: 'Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen.',
en: 'Technical separation of data from different customers/tenants in multi-tenant systems.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
],
applicabilityConditions: [
{
field: 'architectureProfile.multiTenancy',
operator: 'EQUALS',
value: 'MULTI_TENANT',
result: 'REQUIRED',
priority: 30,
},
{
field: 'companyProfile.role',
operator: 'EQUALS',
value: 'PROCESSOR',
result: 'REQUIRED',
priority: 20,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Mandantentrennungskonzept',
'Architekturdokumentation',
'Penetrationstest-Ergebnisse',
],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'HIGH',
tags: ['multi-tenant', 'separation'],
},
{
id: 'TOM-SE-02',
code: 'TOM-SE-02',
category: 'SEPARATION',
type: 'TECHNICAL',
name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' },
description: {
de: 'Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche.',
en: 'Network segmentation to separate different security zones and data processing areas.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'],
result: 'REQUIRED',
priority: 15,
},
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'REQUIRED',
priority: 20,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Netzwerkdiagramm', 'Firewall-Regeln'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['network', 'segmentation'],
},
{
id: 'TOM-SE-03',
code: 'TOM-SE-03',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Umgebungstrennung (Dev/Test/Prod)',
en: 'Environment Separation (Dev/Test/Prod)',
},
description: {
de: 'Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen.',
en: 'Strict separation of development, test and production environments.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.4' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Umgebungsdokumentation',
'Zugriffsrechte je Umgebung',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['environments', 'separation'],
},
{
id: 'TOM-SE-04',
code: 'TOM-SE-04',
category: 'SEPARATION',
type: 'ORGANIZATIONAL',
name: { de: 'Zweckbindung dokumentieren', en: 'Document Purpose Limitation' },
description: {
de: 'Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung.',
en: 'Documentation and technical enforcement of purpose limitation in data processing.',
},
mappings: [
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. b' },
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Verarbeitungsverzeichnis', 'Zweckdokumentation'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['purpose-limitation', 'documentation'],
},
// ENCRYPTION
{
id: 'TOM-ENC-01',
code: 'TOM-ENC-01',
category: 'ENCRYPTION',
type: 'TECHNICAL',
name: { de: 'Verschlüsselung ruhender Daten', en: 'Encryption at Rest' },
description: {
de: 'Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen.',
en: 'Encryption of all stored personal data using modern encryption algorithms.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'REQUIRED',
priority: 20,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Verschlüsselungskonzept',
'Konfigurationsdokumentation',
],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['encryption', 'at-rest'],
},
{
id: 'TOM-ENC-02',
code: 'TOM-ENC-02',
category: 'ENCRYPTION',
type: 'TECHNICAL',
name: { de: 'Schlüsselmanagement', en: 'Key Management' },
description: {
de: 'Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel.',
en: 'Secure process for generation, storage, rotation and destruction of cryptographic keys.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' },
],
applicabilityConditions: [
{
field: 'architectureProfile.encryptionAtRest',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Schlüsselmanagement-Richtlinie',
'HSM/KMS-Dokumentation',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['encryption', 'key-management'],
},
{
id: 'TOM-ENC-03',
code: 'TOM-ENC-03',
category: 'ENCRYPTION',
type: 'TECHNICAL',
name: { de: 'Datenbank-Verschlüsselung', en: 'Database Encryption' },
description: {
de: 'Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder.',
en: 'Encryption of databases at database level or individual field level.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.1' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
{
field: 'dataProfile.dataVolume',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Datenbank-Verschlüsselungskonfiguration',
'Feldverschlüsselungsmatrix',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['encryption', 'database'],
},
// PSEUDONYMIZATION
{
id: 'TOM-PS-01',
code: 'TOM-PS-01',
category: 'PSEUDONYMIZATION',
type: 'TECHNICAL',
name: { de: 'Pseudonymisierungsverfahren', en: 'Pseudonymization Procedures' },
description: {
de: 'Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten.',
en: 'Implementation of pseudonymization procedures to reduce the personal reference of data.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
],
applicabilityConditions: [
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
{
field: 'dataProfile.dataVolume',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Pseudonymisierungskonzept',
'Mapping-Tabellen-Sicherheit',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['pseudonymization', 'data-minimization'],
},
{
id: 'TOM-PS-02',
code: 'TOM-PS-02',
category: 'PSEUDONYMIZATION',
type: 'ORGANIZATIONAL',
name: {
de: 'Datenanonymisierung für Analysen',
en: 'Data Anonymization for Analytics',
},
description: {
de: 'Verfahren zur Anonymisierung von Daten für Analyse- und Statistikzwecke.',
en: 'Procedures for anonymizing data for analysis and statistical purposes.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: [
'Anonymisierungskonzept',
'Risikoanalyse zur Re-Identifizierung',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['anonymization', 'analytics'],
},
// RESILIENCE
{
id: 'TOM-RE-01',
code: 'TOM-RE-01',
category: 'RESILIENCE',
type: 'TECHNICAL',
name: { de: 'Load Balancing', en: 'Load Balancing' },
description: {
de: 'Implementierung von Lastverteilung zur Sicherstellung der Systemstabilität bei hoher Last.',
en: 'Implementation of load balancing to ensure system stability under high load.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
],
applicabilityConditions: [
{
field: 'riskProfile.ciaAssessment.availability',
operator: 'GREATER_THAN',
value: 3,
result: 'REQUIRED',
priority: 20,
},
{
field: 'dataProfile.dataVolume',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Load-Balancer-Konfiguration', 'Kapazitätsplanung'],
reviewFrequency: 'QUARTERLY',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['resilience', 'load-balancing'],
},
{
id: 'TOM-RE-02',
code: 'TOM-RE-02',
category: 'RESILIENCE',
type: 'TECHNICAL',
name: { de: 'DDoS-Schutz', en: 'DDoS Protection' },
description: {
de: 'Maßnahmen zum Schutz vor Distributed Denial of Service Angriffen.',
en: 'Measures to protect against Distributed Denial of Service attacks.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['PUBLIC_CLOUD', 'HYBRID'],
result: 'RECOMMENDED',
priority: 15,
},
{
field: 'riskProfile.protectionLevel',
operator: 'EQUALS',
value: 'VERY_HIGH',
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['DDoS-Schutzkonzept', 'WAF-Konfiguration'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['security', 'ddos'],
},
{
id: 'TOM-RE-03',
code: 'TOM-RE-03',
category: 'RESILIENCE',
type: 'TECHNICAL',
name: { de: 'Auto-Scaling', en: 'Auto-Scaling' },
description: {
de: 'Automatische Skalierung von Ressourcen basierend auf der tatsächlichen Last.',
en: 'Automatic scaling of resources based on actual load.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' },
],
applicabilityConditions: [
{
field: 'architectureProfile.hostingModel',
operator: 'IN',
value: ['PUBLIC_CLOUD', 'HYBRID'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Auto-Scaling-Konfiguration', 'Kapazitätsmetriken'],
reviewFrequency: 'QUARTERLY',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['cloud', 'scaling'],
},
// RECOVERY
{
id: 'TOM-RC-01',
code: 'TOM-RC-01',
category: 'RECOVERY',
type: 'TECHNICAL',
name: { de: 'Disaster Recovery Plan', en: 'Disaster Recovery Plan' },
description: {
de: 'Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall.',
en: 'Documented and tested plan for restoring IT systems after a disaster.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.2' },
],
applicabilityConditions: [
{
field: 'riskProfile.ciaAssessment.availability',
operator: 'GREATER_THAN',
value: 2,
result: 'REQUIRED',
priority: 20,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Disaster-Recovery-Plan',
'Test-Protokolle',
'RTO/RPO-Definitionen',
],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'HIGH',
tags: ['disaster-recovery', 'bcp'],
},
{
id: 'TOM-RC-02',
code: 'TOM-RC-02',
category: 'RECOVERY',
type: 'TECHNICAL',
name: { de: 'Geo-Redundanz', en: 'Geo-Redundancy' },
description: {
de: 'Geografisch verteilte Datenhaltung zur Sicherstellung der Verfügbarkeit bei regionalen Ausfällen.',
en: 'Geographically distributed data storage to ensure availability during regional outages.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.2.1' },
],
applicabilityConditions: [
{
field: 'riskProfile.protectionLevel',
operator: 'EQUALS',
value: 'VERY_HIGH',
result: 'REQUIRED',
priority: 30,
},
{
field: 'riskProfile.ciaAssessment.availability',
operator: 'GREATER_THAN',
value: 4,
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Geo-Redundanz-Konzept', 'Standort-Dokumentation'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['geo-redundancy', 'availability'],
},
{
id: 'TOM-RC-03',
code: 'TOM-RC-03',
category: 'RECOVERY',
type: 'ORGANIZATIONAL',
name: { de: 'Wiederherstellungstests', en: 'Recovery Testing' },
description: {
de: 'Regelmäßige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie.',
en: 'Regular testing of recovery procedures to validate backup and DR strategy.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Test-Protokolle',
'Wiederherstellungszeiten',
'Maßnahmenplan bei Fehlern',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['testing', 'recovery'],
},
// REVIEW
{
id: 'TOM-RV-01',
code: 'TOM-RV-01',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: { de: 'Regelmäßige TOM-Überprüfung', en: 'Regular TOM Review' },
description: {
de: 'Periodische Überprüfung und Aktualisierung der technischen und organisatorischen Maßnahmen.',
en: 'Periodic review and update of technical and organizational measures.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Überprüfungsprotokolle', 'Maßnahmenplan'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['review', 'compliance'],
},
{
id: 'TOM-RV-02',
code: 'TOM-RV-02',
category: 'REVIEW',
type: 'TECHNICAL',
name: { de: 'Penetrationstests', en: 'Penetration Testing' },
description: {
de: 'Regelmäßige Durchführung von Penetrationstests durch qualifizierte Prüfer.',
en: 'Regular penetration testing by qualified testers.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.3' },
],
applicabilityConditions: [
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'REQUIRED',
priority: 20,
},
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Penetrationstest-Berichte', 'Maßnahmenplan'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['security-testing', 'pentest'],
},
{
id: 'TOM-RV-03',
code: 'TOM-RV-03',
category: 'REVIEW',
type: 'TECHNICAL',
name: { de: 'Schwachstellenscanning', en: 'Vulnerability Scanning' },
description: {
de: 'Regelmäßiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen.',
en: 'Regular automated scanning for known vulnerabilities in systems and applications.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.6.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Scan-Berichte', 'Behebungsnachweis'],
reviewFrequency: 'MONTHLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['security-testing', 'vulnerability'],
},
{
id: 'TOM-RV-04',
code: 'TOM-RV-04',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: { de: 'Sicherheitsaudits', en: 'Security Audits' },
description: {
de: 'Durchführung regelmäßiger interner oder externer Sicherheitsaudits.',
en: 'Conducting regular internal or external security audits.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
],
applicabilityConditions: [
{
field: 'riskProfile.protectionLevel',
operator: 'IN',
value: ['HIGH', 'VERY_HIGH'],
result: 'REQUIRED',
priority: 20,
},
{
field: 'companyProfile.role',
operator: 'EQUALS',
value: 'PROCESSOR',
result: 'REQUIRED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Audit-Berichte', 'Zertifikate', 'Maßnahmenplan'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['audit', 'compliance'],
},
{
id: 'TOM-RV-05',
code: 'TOM-RV-05',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: { de: 'Datenschutzschulung', en: 'Data Protection Training' },
description: {
de: 'Regelmäßige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit.',
en: 'Regular training of all employees on data protection and IT security.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2.2' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Schulungskonzept',
'Teilnehmerlisten',
'Schulungsnachweise',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['training', 'awareness'],
},
{
id: 'TOM-RV-06',
code: 'TOM-RV-06',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: { de: 'Incident Response Plan', en: 'Incident Response Plan' },
description: {
de: 'Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfällen.',
en: 'Documented procedure for detection, reporting and handling of security incidents.',
},
mappings: [
{ framework: 'GDPR_ART33', reference: 'Art. 33' },
{ framework: 'GDPR_ART34', reference: 'Art. 34' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.16.1.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Incident-Response-Plan',
'Kontaktliste',
'Meldeformulare',
'Übungsprotokolle',
],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['incident-response', 'breach'],
},
{
id: 'TOM-RV-07',
code: 'TOM-RV-07',
category: 'REVIEW',
type: 'TECHNICAL',
name: {
de: 'Security Information and Event Management (SIEM)',
en: 'Security Information and Event Management (SIEM)',
},
description: {
de: 'Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen.',
en: 'Centralized collection and analysis of security events to detect attacks.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
],
applicabilityConditions: [
{
field: 'riskProfile.protectionLevel',
operator: 'EQUALS',
value: 'VERY_HIGH',
result: 'REQUIRED',
priority: 30,
},
{
field: 'companyProfile.size',
operator: 'IN',
value: ['LARGE', 'ENTERPRISE'],
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: [
'SIEM-Konfiguration',
'Korrelationsregeln',
'Alert-Berichte',
],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['siem', 'monitoring', 'detection'],
},
{
id: 'TOM-RV-08',
code: 'TOM-RV-08',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Datenschutz-Folgenabschätzung (DSFA)',
en: 'Data Protection Impact Assessment (DPIA)',
},
description: {
de: 'Durchführung von Datenschutz-Folgenabschätzungen für risikoreiche Verarbeitungen.',
en: 'Conducting data protection impact assessments for high-risk processing.',
},
mappings: [
{ framework: 'GDPR_ART35', reference: 'Art. 35' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.1.4' },
],
applicabilityConditions: [
{
field: 'riskProfile.dsfaRequired',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 30,
},
{
field: 'dataProfile.hasSpecialCategories',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
{
field: 'dataProfile.processesMinors',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: [
'DSFA-Dokumentation',
'Risikobewertung',
'Maßnahmenplan',
],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'HIGH',
tags: ['dpia', 'dsfa', 'risk-assessment'],
},
// =========================================================================
// DELETION / VERNICHTUNG — Sichere Datenloeschung & Datentraegervernichtung
// =========================================================================
{
id: 'TOM-DL-01',
code: 'TOM-DL-01',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Sichere Datenloeschung',
en: 'Secure Data Deletion',
},
description: {
de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).',
en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).',
},
mappings: [
{ framework: 'GDPR_ART17', reference: 'Art. 17' },
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. e' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
{ framework: 'BSI_C5', reference: 'SY-09' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'NOT_EQUALS',
value: 'NONE',
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Loeschkonzept / Loeschrichtlinie',
'Loeschprotokolle mit Zeitstempeln',
'DIN 66399 Konformitaetsnachweis',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'],
},
{
id: 'TOM-DL-02',
code: 'TOM-DL-02',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Datentraegervernichtung',
en: 'Media Destruction',
},
description: {
de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.',
en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' },
{ framework: 'BSI_C5', reference: 'AM-08' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'NOT_EQUALS',
value: 'NONE',
result: 'RECOMMENDED',
priority: 20,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Vernichtungsprotokoll mit Seriennummern',
'Zertifikat des Vernichtungsdienstleisters',
'DIN 66399 Sicherheitsstufe-Nachweis',
],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'LOW',
tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'],
},
{
id: 'TOM-DL-03',
code: 'TOM-DL-03',
category: 'SEPARATION',
type: 'ORGANIZATIONAL',
name: {
de: 'Loeschprotokollierung',
en: 'Deletion Logging',
},
description: {
de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.',
en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.',
},
mappings: [
{ framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 2 (Rechenschaftspflicht)' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
],
applicabilityConditions: [
{
field: 'dataProfile.dataVolume',
operator: 'NOT_EQUALS',
value: 'NONE',
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Loeschprotokoll-Template',
'Archivierte Loeschprotokolle (Stichprobe)',
'Automatisierungsnachweis (bei automatischen Loeschungen)',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['deletion', 'logging', 'accountability', 'documentation'],
},
{
id: 'TOM-DL-04',
code: 'TOM-DL-04',
category: 'SEPARATION',
type: 'TECHNICAL',
name: {
de: 'Backup-Bereinigung',
en: 'Backup Sanitization',
},
description: {
de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.',
en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.',
},
mappings: [
{ framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 2' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' },
],
applicabilityConditions: [
{
field: 'techProfile.hasBackups',
operator: 'EQUALS',
value: true,
result: 'REQUIRED',
priority: 25,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Backup-Loeschkonzept',
'Backup-Rotationsplan',
'Nachweis der Backup-Bereinigung',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['deletion', 'backup', 'data-lifecycle', 'retention'],
},
// =========================================================================
// SCHULUNG / VERTRAULICHKEIT — Training & Awareness
// =========================================================================
{
id: 'TOM-TR-01',
code: 'TOM-TR-01',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Datenschutzschulung',
en: 'Data Protection Training',
},
description: {
de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.',
en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.',
},
mappings: [
{ framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' },
{ framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. n' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
],
applicabilityConditions: [
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 0,
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Schulungsplan (jaehrlich)',
'Teilnahmelisten / Schulungsnachweise',
'Schulungsmaterialien / Praesentation',
'Wissenstest-Ergebnisse (optional)',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['training', 'schulung', 'awareness', 'organizational'],
},
{
id: 'TOM-TR-02',
code: 'TOM-TR-02',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Verpflichtung auf Datengeheimnis',
en: 'Confidentiality Obligation',
},
description: {
de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.',
en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.',
},
mappings: [
{ framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' },
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 4' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' },
],
applicabilityConditions: [
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 0,
result: 'REQUIRED',
priority: 30,
},
],
defaultApplicability: 'REQUIRED',
evidenceRequirements: [
'Muster-Verpflichtungserklaerung',
'Unterschriebene Verpflichtungserklaerungen',
'Register der verpflichteten Personen',
],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'],
},
{
id: 'TOM-TR-03',
code: 'TOM-TR-03',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: {
de: 'Security Awareness Programm',
en: 'Security Awareness Program',
},
description: {
de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.',
en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
{ framework: 'BSI_C5', reference: 'ORP.3' },
],
applicabilityConditions: [
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 10,
result: 'REQUIRED',
priority: 20,
},
{
field: 'orgProfile.employeeCount',
operator: 'GREATER_THAN',
value: 0,
result: 'RECOMMENDED',
priority: 15,
},
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: [
'Awareness-Programm-Dokumentation',
'Phishing-Simulationsergebnisse',
'Teilnahmenachweise',
],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['training', 'security-awareness', 'phishing', 'social-engineering'],
},
// =========================================================================
// NEW CONTROLS (v1.1.0) — 25 additional measures
// =========================================================================
// ENCRYPTION — 2 new
{
id: 'TOM-ENC-04',
code: 'TOM-ENC-04',
category: 'ENCRYPTION',
type: 'TECHNICAL',
name: { de: 'Zertifikatsmanagement (TLS/SSL)', en: 'Certificate Management (TLS/SSL)' },
description: {
de: 'Systematische Verwaltung, Ueberwachung und rechtzeitige Erneuerung aller TLS/SSL-Zertifikate zur Vermeidung von Sicherheitsluecken durch abgelaufene Zertifikate.',
en: 'Systematic management, monitoring and timely renewal of all TLS/SSL certificates to prevent security gaps from expired certificates.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.1' },
],
applicabilityConditions: [
{ field: 'architectureProfile.encryptionInTransit', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Zertifikatsinventar', 'Monitoring-Konfiguration', 'Erneuerungsprotokolle'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['encryption', 'certificates', 'tls'],
},
{
id: 'TOM-ENC-05',
code: 'TOM-ENC-05',
category: 'ENCRYPTION',
type: 'ORGANIZATIONAL',
name: { de: 'Schluesselmanagement-Policy', en: 'Key Management Policy' },
description: {
de: 'Dokumentierte Richtlinie fuer den gesamten Lebenszyklus kryptografischer Schluessel inkl. Erzeugung, Verteilung, Speicherung, Rotation und Vernichtung.',
en: 'Documented policy for the full lifecycle of cryptographic keys including generation, distribution, storage, rotation and destruction.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.10.1.2' },
],
applicabilityConditions: [
{ field: 'architectureProfile.encryptionAtRest', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
{ field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Schluesselmanagement-Richtlinie', 'Schluesselrotationsplan'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['encryption', 'key-management', 'policy'],
},
// PSEUDONYMIZATION — 2 new
{
id: 'TOM-PS-03',
code: 'TOM-PS-03',
category: 'PSEUDONYMIZATION',
type: 'TECHNICAL',
name: { de: 'Anonymisierung fuer Analysezwecke', en: 'Anonymization for Analytics' },
description: {
de: 'Technische Verfahren zur irreversiblen Anonymisierung personenbezogener Daten fuer statistische Auswertungen und Analysen.',
en: 'Technical procedures for irreversible anonymization of personal data for statistical evaluations and analyses.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
],
applicabilityConditions: [
{ field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Anonymisierungsverfahren-Dokumentation', 'Re-Identifizierungs-Risikoanalyse'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['pseudonymization', 'anonymization', 'analytics'],
},
{
id: 'TOM-PS-04',
code: 'TOM-PS-04',
category: 'PSEUDONYMIZATION',
type: 'ORGANIZATIONAL',
name: { de: 'Pseudonymisierungskonzept', en: 'Pseudonymization Concept' },
description: {
de: 'Dokumentiertes Konzept fuer die Pseudonymisierung personenbezogener Daten mit Definition der Verfahren, Zustaendigkeiten und Zuordnungsregeln.',
en: 'Documented concept for pseudonymization of personal data with definition of procedures, responsibilities and mapping rules.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'GDPR_ART25', reference: 'Art. 25 Abs. 1' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.2' },
],
applicabilityConditions: [
{ field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Pseudonymisierungskonzept', 'Verfahrensdokumentation'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['pseudonymization', 'concept', 'documentation'],
},
// INPUT_CONTROL — 1 new
{
id: 'TOM-IN-05',
code: 'TOM-IN-05',
category: 'INPUT_CONTROL',
type: 'TECHNICAL',
name: { de: 'Automatisierte Eingabevalidierung', en: 'Automated Input Validation' },
description: {
de: 'Technische Validierung aller Benutzereingaben zur Verhinderung von Injection-Angriffen und Sicherstellung der Datenintegritaet.',
en: 'Technical validation of all user inputs to prevent injection attacks and ensure data integrity.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.14.2.5' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Validierungsregeln-Dokumentation', 'Penetrationstest-Berichte'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['input-validation', 'security', 'injection-prevention'],
},
// ORDER_CONTROL — 2 new
{
id: 'TOM-OR-05',
code: 'TOM-OR-05',
category: 'ORDER_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Auftragsverarbeiter-Monitoring', en: 'Processor Monitoring' },
description: {
de: 'Regelmaessige Ueberpruefung und Bewertung der Datenschutz-Massnahmen bei Auftragsverarbeitern gemaess Art. 28 Abs. 3 lit. h DSGVO.',
en: 'Regular review and assessment of data protection measures at processors according to Art. 28(3)(h) GDPR.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 28 Abs. 3 lit. h' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
],
applicabilityConditions: [
{ field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Audit-Berichte der Auftragsverarbeiter', 'Monitoring-Checklisten'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['order-control', 'processor', 'monitoring'],
},
{
id: 'TOM-OR-06',
code: 'TOM-OR-06',
category: 'ORDER_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Sub-Processor Management', en: 'Sub-Processor Management' },
description: {
de: 'Dokumentiertes Verfahren zur Genehmigung, Ueberwachung und Dokumentation von Unterauftragsverarbeitern.',
en: 'Documented process for approval, monitoring and documentation of sub-processors.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 28 Abs. 2, 4' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
],
applicabilityConditions: [
{ field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
{ field: 'architectureProfile.subprocessorCount', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Sub-Processor-Register', 'Genehmigungsverfahren', 'Vertragsdokumentation'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['order-control', 'sub-processor'],
},
// RESILIENCE — 2 new
{
id: 'TOM-RE-04',
code: 'TOM-RE-04',
category: 'RESILIENCE',
type: 'TECHNICAL',
name: { de: 'DDoS-Abwehr (erweitert)', en: 'DDoS Mitigation (Advanced)' },
description: {
de: 'Erweiterte DDoS-Schutzmassnahmen inkl. Traffic-Analyse, automatischer Mitigation und Incident-Response-Integration.',
en: 'Advanced DDoS protection measures including traffic analysis, automatic mitigation and incident response integration.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.1' },
],
applicabilityConditions: [
{ field: 'riskProfile.protectionLevel', operator: 'EQUALS', value: 'VERY_HIGH', result: 'REQUIRED', priority: 25 },
{ field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['DDoS-Schutzkonzept (erweitert)', 'Mitigation-Berichte', 'Incident-Playbooks'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['resilience', 'ddos', 'advanced'],
},
{
id: 'TOM-RE-05',
code: 'TOM-RE-05',
category: 'RESILIENCE',
type: 'ORGANIZATIONAL',
name: { de: 'Kapazitaetsplanung', en: 'Capacity Planning' },
description: {
de: 'Systematische Planung und Ueberwachung von IT-Kapazitaeten zur Sicherstellung der Systemverfuegbarkeit bei wachsender Nutzung.',
en: 'Systematic planning and monitoring of IT capacities to ensure system availability with growing usage.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.1.3' },
],
applicabilityConditions: [
{ field: 'dataProfile.dataVolume', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Kapazitaetsplan', 'Trend-Analysen', 'Skalierungskonzept'],
reviewFrequency: 'QUARTERLY',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['resilience', 'capacity', 'planning'],
},
// RECOVERY — 2 new
{
id: 'TOM-RC-04',
code: 'TOM-RC-04',
category: 'RECOVERY',
type: 'TECHNICAL',
name: { de: 'Georedundantes Backup', en: 'Geo-Redundant Backup' },
description: {
de: 'Speicherung von Backup-Kopien an geografisch getrennten Standorten zum Schutz vor standortbezogenen Katastrophen.',
en: 'Storage of backup copies at geographically separated locations to protect against site-specific disasters.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.3.1' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'CON.3' },
],
applicabilityConditions: [
{ field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 },
{ field: 'riskProfile.ciaAssessment.availability', operator: 'GREATER_THAN', value: 3, result: 'REQUIRED', priority: 20 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Georedundanz-Konzept', 'Backup-Standort-Dokumentation', 'Wiederherstellungstests'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['recovery', 'backup', 'geo-redundancy'],
},
{
id: 'TOM-RC-05',
code: 'TOM-RC-05',
category: 'RECOVERY',
type: 'ORGANIZATIONAL',
name: { de: 'Notfallwiederherstellungs-Tests', en: 'Disaster Recovery Testing' },
description: {
de: 'Regelmaessige Durchfuehrung und Dokumentation von Notfallwiederherstellungstests zur Validierung der RTO/RPO-Ziele.',
en: 'Regular execution and documentation of disaster recovery tests to validate RTO/RPO targets.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. c, d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.17.1.3' },
],
applicabilityConditions: [
{ field: 'securityProfile.hasDRPlan', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['DR-Testberichte', 'RTO/RPO-Messungen', 'Verbesserungsmassnahmen'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['recovery', 'dr-testing', 'rto', 'rpo'],
},
// SEPARATION — 2 new
{
id: 'TOM-SE-05',
code: 'TOM-SE-05',
category: 'SEPARATION',
type: 'TECHNICAL',
name: { de: 'Netzwerksegmentierung', en: 'Network Segmentation' },
description: {
de: 'Aufteilung des Netzwerks in separate Sicherheitszonen mit kontrollierten Uebergaengen zur Begrenzung der Ausbreitung von Sicherheitsvorfaellen.',
en: 'Division of the network into separate security zones with controlled transitions to limit the spread of security incidents.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'NET.1.1' },
],
applicabilityConditions: [
{ field: 'architectureProfile.hostingModel', operator: 'IN', value: ['ON_PREMISE', 'PRIVATE_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 20 },
{ field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Netzwerkplan', 'Firewall-Regeln', 'Segmentierungskonzept'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['separation', 'network', 'segmentation'],
},
{
id: 'TOM-SE-06',
code: 'TOM-SE-06',
category: 'SEPARATION',
type: 'TECHNICAL',
name: { de: 'Mandantenisolierung in Cloud', en: 'Tenant Isolation in Cloud' },
description: {
de: 'Technische Sicherstellung der vollstaendigen Datentrennung zwischen verschiedenen Mandanten in Multi-Tenant-Cloud-Umgebungen.',
en: 'Technical assurance of complete data separation between different tenants in multi-tenant cloud environments.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.1.3' },
],
applicabilityConditions: [
{ field: 'architectureProfile.multiTenancy', operator: 'EQUALS', value: 'MULTI_TENANT', result: 'REQUIRED', priority: 30 },
{ field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'RECOMMENDED', priority: 15 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Mandantentrennungskonzept', 'Isolierungstests', 'Cloud-Security-Assessment'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'CRITICAL',
complexity: 'HIGH',
tags: ['separation', 'multi-tenant', 'cloud'],
},
// ACCESS_CONTROL — 1 new
{
id: 'TOM-AC-06',
code: 'TOM-AC-06',
category: 'ACCESS_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Besuchermanagement (erweitert)', en: 'Visitor Management (Extended)' },
description: {
de: 'Erweitertes Besuchermanagement mit Voranmeldung, Identitaetspruefung, Begleitpflicht und zeitlich begrenztem Zugang zu sicherheitsrelevanten Bereichen.',
en: 'Extended visitor management with pre-registration, identity verification, escort requirement and time-limited access to security-relevant areas.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.7.2' },
],
applicabilityConditions: [
{ field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 20 },
{ field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'RECOMMENDED', priority: 15 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Besuchermanagement-Richtlinie', 'Besucherprotokolle', 'Zonenkonzept'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'LOW',
tags: ['physical-security', 'visitors', 'extended'],
},
// ADMISSION_CONTROL — 1 new
{
id: 'TOM-ADM-06',
code: 'TOM-ADM-06',
category: 'ADMISSION_CONTROL',
type: 'TECHNICAL',
name: { de: 'Endpoint Detection & Response (EDR)', en: 'Endpoint Detection & Response (EDR)' },
description: {
de: 'Einsatz von EDR-Loesungen zur Erkennung und Abwehr von Bedrohungen auf Endgeraeten in Echtzeit.',
en: 'Deployment of EDR solutions for real-time threat detection and response on endpoints.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.2.1' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'OPS.1.1.4' },
],
applicabilityConditions: [
{ field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'REQUIRED', priority: 25 },
{ field: 'companyProfile.size', operator: 'IN', value: ['LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['EDR-Konfiguration', 'Bedrohungsberichte', 'Incident-Response-Statistiken'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'HIGH',
tags: ['endpoint', 'edr', 'threat-detection'],
},
// ACCESS_AUTHORIZATION — 2 new
{
id: 'TOM-AZ-06',
code: 'TOM-AZ-06',
category: 'ACCESS_AUTHORIZATION',
type: 'TECHNICAL',
name: { de: 'API-Zugriffskontrolle', en: 'API Access Control' },
description: {
de: 'Implementierung von Authentifizierungs- und Autorisierungsmechanismen fuer APIs (OAuth 2.0, API-Keys, Rate Limiting).',
en: 'Implementation of authentication and authorization mechanisms for APIs (OAuth 2.0, API keys, rate limiting).',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.4.1' },
],
applicabilityConditions: [
{ field: 'architectureProfile.hostingModel', operator: 'IN', value: ['PUBLIC_CLOUD', 'HYBRID'], result: 'REQUIRED', priority: 20 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['API-Security-Konzept', 'OAuth-Konfiguration', 'Rate-Limiting-Regeln'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['authorization', 'api', 'oauth'],
},
{
id: 'TOM-AZ-07',
code: 'TOM-AZ-07',
category: 'ACCESS_AUTHORIZATION',
type: 'ORGANIZATIONAL',
name: { de: 'Regelmaessiger Berechtigungsreview', en: 'Regular Permission Review' },
description: {
de: 'Systematische Ueberpruefung und Bereinigung von Zugriffsberechtigungen in regelmaessigen Abstaenden durch die jeweiligen Fachverantwortlichen.',
en: 'Systematic review and cleanup of access permissions at regular intervals by the respective department heads.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.9.2.5' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Review-Protokolle', 'Berechtigungsaenderungslog', 'Freigabedokumentation'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['authorization', 'review', 'permissions'],
},
// TRANSFER_CONTROL — 2 new
{
id: 'TOM-TR-06',
code: 'TOM-TR-06',
category: 'TRANSFER_CONTROL',
type: 'TECHNICAL',
name: { de: 'E-Mail-Verschluesselung (erweitert)', en: 'Email Encryption (Extended)' },
description: {
de: 'Erweiterte E-Mail-Verschluesselung mit automatischer Erkennung sensibler Inhalte und erzwungener Gateway-Verschluesselung.',
en: 'Extended email encryption with automatic detection of sensitive content and enforced gateway encryption.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. a' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.13.2.3' },
],
applicabilityConditions: [
{ field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
{ field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['E-Mail-Verschluesselungs-Policy', 'Gateway-Konfiguration', 'DLP-Regeln'],
reviewFrequency: 'SEMI_ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['transfer', 'email', 'encryption'],
},
{
id: 'TOM-TR-07',
code: 'TOM-TR-07',
category: 'TRANSFER_CONTROL',
type: 'ORGANIZATIONAL',
name: { de: 'Drittstaat-Transferbewertung', en: 'Third Country Transfer Assessment' },
description: {
de: 'Dokumentierte Bewertung und Absicherung von Datenuebermittlungen in Drittstaaten gemaess Art. 44-49 DSGVO (Standardvertragsklauseln, TIA).',
en: 'Documented assessment and safeguarding of data transfers to third countries according to Art. 44-49 GDPR (Standard Contractual Clauses, TIA).',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 44-49' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.1.2' },
],
applicabilityConditions: [
{ field: 'dataProfile.thirdCountryTransfers', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 30 },
{ field: 'architectureProfile.hostingLocation', operator: 'IN', value: ['THIRD_COUNTRY_ADEQUATE', 'THIRD_COUNTRY'], result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Transfer Impact Assessment', 'Standardvertragsklauseln', 'Angemessenheitsbeschluss-Pruefung'],
reviewFrequency: 'ANNUAL',
priority: 'CRITICAL',
complexity: 'MEDIUM',
tags: ['transfer', 'third-country', 'schrems-ii'],
},
// AVAILABILITY — 2 new
{
id: 'TOM-AV-06',
code: 'TOM-AV-06',
category: 'AVAILABILITY',
type: 'TECHNICAL',
name: { de: 'Monitoring und Alerting', en: 'Monitoring and Alerting' },
description: {
de: 'Implementierung einer umfassenden Ueberwachung aller IT-Systeme mit automatischen Benachrichtigungen bei Stoerungen oder Schwellenwert-Ueberschreitungen.',
en: 'Implementation of comprehensive monitoring of all IT systems with automatic notifications for disruptions or threshold violations.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.12.4.1' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'OPS.1.1.2' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Monitoring-Konzept', 'Alerting-Konfiguration', 'Eskalationsmatrix'],
reviewFrequency: 'QUARTERLY',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['availability', 'monitoring', 'alerting'],
},
{
id: 'TOM-AV-07',
code: 'TOM-AV-07',
category: 'AVAILABILITY',
type: 'ORGANIZATIONAL',
name: { de: 'Service Level Management', en: 'Service Level Management' },
description: {
de: 'Definition und Ueberwachung von Service Level Agreements (SLAs) fuer alle kritischen IT-Services mit klaren Verfuegbarkeitszielen.',
en: 'Definition and monitoring of Service Level Agreements (SLAs) for all critical IT services with clear availability targets.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. b' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.15.2.1' },
],
applicabilityConditions: [
{ field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
{ field: 'architectureProfile.hasSubprocessors', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 20 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['SLA-Dokumentation', 'Verfuegbarkeitsberichte', 'Eskalationsverfahren'],
reviewFrequency: 'QUARTERLY',
priority: 'MEDIUM',
complexity: 'LOW',
tags: ['availability', 'sla', 'service-management'],
},
// SEPARATION — 1 more new (TOM-DL-05)
{
id: 'TOM-DL-05',
code: 'TOM-DL-05',
category: 'SEPARATION',
type: 'ORGANIZATIONAL',
name: { de: 'Datenloesch-Audit', en: 'Data Deletion Audit' },
description: {
de: 'Regelmaessige Ueberpruefung der Wirksamkeit und Vollstaendigkeit von Datenloeschvorgaengen durch unabhaengige Stellen.',
en: 'Regular review of the effectiveness and completeness of data deletion processes by independent parties.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 5 Abs. 1 lit. e' },
{ framework: 'GDPR_ART32', reference: 'Art. 17' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.8.3.2' },
],
applicabilityConditions: [
{ field: 'dataProfile.hasSpecialCategories', operator: 'EQUALS', value: true, result: 'REQUIRED', priority: 25 },
],
defaultApplicability: 'RECOMMENDED',
evidenceRequirements: ['Audit-Berichte', 'Loeschprotokolle', 'Stichproben-Ergebnisse'],
reviewFrequency: 'ANNUAL',
priority: 'MEDIUM',
complexity: 'MEDIUM',
tags: ['separation', 'deletion', 'audit'],
},
// REVIEW — 3 new
{
id: 'TOM-RV-09',
code: 'TOM-RV-09',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: { de: 'Datenschutz-Audit-Programm', en: 'Data Protection Audit Program' },
description: {
de: 'Systematisches Programm zur regelmaessigen internen Ueberpruefung aller Datenschutzmassnahmen mit dokumentierten Ergebnissen und Massnahmenverfolgung.',
en: 'Systematic program for regular internal review of all data protection measures with documented results and action tracking.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
{ framework: 'BSI_IT_GRUNDSCHUTZ', reference: 'DER.3.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Audit-Programm', 'Audit-Berichte', 'Massnahmenplan'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'MEDIUM',
tags: ['review', 'audit', 'data-protection'],
},
{
id: 'TOM-RV-10',
code: 'TOM-RV-10',
category: 'REVIEW',
type: 'TECHNICAL',
name: { de: 'Automatisierte Compliance-Pruefung', en: 'Automated Compliance Checking' },
description: {
de: 'Einsatz automatisierter Tools zur kontinuierlichen Ueberpruefung der Einhaltung von Sicherheits- und Datenschutzrichtlinien.',
en: 'Use of automated tools for continuous monitoring of compliance with security and data protection policies.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.2' },
],
applicabilityConditions: [
{ field: 'companyProfile.size', operator: 'IN', value: ['MEDIUM', 'LARGE', 'ENTERPRISE'], result: 'RECOMMENDED', priority: 10 },
{ field: 'riskProfile.protectionLevel', operator: 'IN', value: ['HIGH', 'VERY_HIGH'], result: 'RECOMMENDED', priority: 15 },
],
defaultApplicability: 'OPTIONAL',
evidenceRequirements: ['Tool-Konfiguration', 'Compliance-Dashboard', 'Automatisierte Berichte'],
reviewFrequency: 'QUARTERLY',
priority: 'MEDIUM',
complexity: 'HIGH',
tags: ['review', 'automation', 'compliance'],
},
{
id: 'TOM-RV-11',
code: 'TOM-RV-11',
category: 'REVIEW',
type: 'ORGANIZATIONAL',
name: { de: 'Management Review (Art. 32 Abs. 1 lit. d)', en: 'Management Review (Art. 32(1)(d))' },
description: {
de: 'Regelmaessige Ueberpruefung der Wirksamkeit aller technischen und organisatorischen Massnahmen durch die Geschaeftsfuehrung mit dokumentierten Ergebnissen.',
en: 'Regular review of the effectiveness of all technical and organizational measures by management with documented results.',
},
mappings: [
{ framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
{ framework: 'ISO27001_ANNEX_A', reference: 'A.18.2.1' },
],
applicabilityConditions: [],
defaultApplicability: 'REQUIRED',
evidenceRequirements: ['Management-Review-Protokolle', 'Massnahmenplan', 'Wirksamkeitsbewertung'],
reviewFrequency: 'ANNUAL',
priority: 'HIGH',
complexity: 'LOW',
tags: ['review', 'management', 'effectiveness'],
},
],
}
// =============================================================================
// LOADER FUNCTIONS
// =============================================================================
let cachedLibrary: ControlLibrary | null = null
/**
* Get the control library (singleton with embedded data)
*/
export function getControlLibrary(): ControlLibrary {
if (!cachedLibrary) {
cachedLibrary = CONTROL_LIBRARY_DATA
}
return cachedLibrary
}
/**
* Get all controls from the library
*/
export function getAllControls(): ControlLibraryEntry[] {
return getControlLibrary().controls
}
/**
* Get a control by ID
*/
export function getControlById(id: string): ControlLibraryEntry | undefined {
return getAllControls().find((control) => control.id === id)
}
/**
* Get controls by category
*/
export function getControlsByCategory(
category: ControlCategory
): ControlLibraryEntry[] {
return getAllControls().filter((control) => control.category === category)
}
/**
* Get controls by type (TECHNICAL or ORGANIZATIONAL)
*/
export function getControlsByType(
type: 'TECHNICAL' | 'ORGANIZATIONAL'
): ControlLibraryEntry[] {
return getAllControls().filter((control) => control.type === type)
}
/**
* Get controls by priority
*/
export function getControlsByPriority(
priority: ControlPriority
): ControlLibraryEntry[] {
return getAllControls().filter((control) => control.priority === priority)
}
/**
* Get controls by tag
*/
export function getControlsByTag(tag: string): ControlLibraryEntry[] {
return getAllControls().filter((control) => control.tags.includes(tag))
}
/**
* Get all unique tags from controls
*/
export function getAllTags(): string[] {
const tags = new Set<string>()
getAllControls().forEach((control) => {
control.tags.forEach((tag) => tags.add(tag))
})
return Array.from(tags).sort()
}
/**
* Get category metadata
*/
export function getCategoryMetadata(
category: ControlCategory
): { name: LocalizedString; gdprReference: string } | undefined {
return getControlLibrary().categories.get(category)
}
/**
* Get all categories
*/
export function getAllCategories(): ControlCategory[] {
return Array.from(getControlLibrary().categories.keys())
}
/**
* Get categories with metadata (alias for API compatibility)
*/
export function getCategories(): Array<{
id: ControlCategory
name: LocalizedString
gdprReference: string
}> {
const library = getControlLibrary()
const result: Array<{ id: ControlCategory; name: LocalizedString; gdprReference: string }> = []
library.categories.forEach((metadata, id) => {
result.push({
id,
name: metadata.name,
gdprReference: metadata.gdprReference,
})
})
return result
}
/**
* Get library metadata
*/
export function getLibraryMetadata(): {
version: string
lastUpdated: string
totalControls: number
} {
return getControlLibrary().metadata
}
/**
* Search controls by text (searches name and description in both languages)
*/
export function searchControls(
query: string,
language: 'de' | 'en' = 'de'
): ControlLibraryEntry[] {
const lowerQuery = query.toLowerCase()
return getAllControls().filter((control) => {
const name = control.name[language].toLowerCase()
const description = control.description[language].toLowerCase()
const code = control.code.toLowerCase()
return (
name.includes(lowerQuery) ||
description.includes(lowerQuery) ||
code.includes(lowerQuery)
)
})
}
/**
* Get controls by framework mapping
*/
export function getControlsByFramework(
framework: string
): ControlLibraryEntry[] {
return getAllControls().filter((control) =>
control.mappings.some((m) => m.framework === framework)
)
}
/**
* Get controls count by category
*/
export function getControlsCountByCategory(): Map<ControlCategory, number> {
const counts = new Map<ControlCategory, number>()
getAllCategories().forEach((category) => {
counts.set(category, getControlsByCategory(category).length)
})
return counts
}
Reference in New Issue View Git Blame Copy Permalink