feat(admin-v2): Major SDK/Compliance overhaul and new modules

SDK modules added/enhanced: - compliance-hub, compliance-scope, consent-management, notfallplan - audit-report, workflow, source-policy, dsms - advisory-board documentation section - TOM dashboard components, TOM generator SDM mapping - DSFA: mitigation library, risk catalog, threshold analysis, source attribution - VVT: baseline catalog, profiling engine, types - Loeschfristen: baseline catalog, compliance engine, export, profiling, types - Compliance scope: engine, profiling, golden tests, types Existing SDK pages updated: - dsfa/[id], tom, vvt, loeschfristen, advisory-board — expanded functionality - SDKSidebar, StepHeader — new navigation items and layout - SDK layout, context, types — expanded type system Other admin-v2 changes: - AI agents page, RAG pipeline DSFA integration - GridOverlay component updates - Companion feature (development + education) - Compliance advisor SOUL definition Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 00:01:04 +01:00
parent 53219e3eaf
commit dff2ef796b
94 changed files with 29706 additions and 1039 deletions
--- a/admin-v2/lib/sdk/tom-generator/context.tsx
+++ b/admin-v2/lib/sdk/tom-generator/context.tsx
@@ -63,6 +63,7 @@ type TOMGeneratorAction =
  | { type: 'UPDATE_DERIVED_TOM'; payload: { id: string; data: Partial<DerivedTOM> } }
  | { type: 'SET_GAP_ANALYSIS'; payload: GapAnalysisResult }
  | { type: 'ADD_EXPORT'; payload: ExportRecord }
+  | { type: 'BULK_UPDATE_TOMS'; payload: { updates: Array<{ id: string; data: Partial<DerivedTOM> }> } }
  | { type: 'LOAD_STATE'; payload: TOMGeneratorState }

 // =============================================================================
@@ -236,6 +237,16 @@ function tomGeneratorReducer(
      })
    }

+    case 'BULK_UPDATE_TOMS': {
+      let updatedTOMs = [...state.derivedTOMs]
+      for (const update of action.payload.updates) {
+        updatedTOMs = updatedTOMs.map((tom) =>
+          tom.id === update.id ? { ...tom, ...update.data } : tom
+        )
+      }
+      return updateState({ derivedTOMs: updatedTOMs })
+    }
+
    case 'LOAD_STATE': {
      return action.payload
    }
@@ -283,6 +294,7 @@ interface TOMGeneratorContextValue {
  // TOM derivation
  deriveTOMs: () => void
  updateDerivedTOM: (id: string, data: Partial<DerivedTOM>) => void
+  bulkUpdateTOMs: (updates: Array<{ id: string; data: Partial<DerivedTOM> }>) => void

  // Gap analysis
  runGapAnalysis: () => void
--- a/admin-v2/lib/sdk/tom-generator/controls/loader.ts
+++ b/admin-v2/lib/sdk/tom-generator/controls/loader.ts
@@ -2072,6 +2072,287 @@ const CONTROL_LIBRARY_DATA: ControlLibrary = {
      complexity: 'HIGH',
      tags: ['dpia', 'dsfa', 'risk-assessment'],
    },
+
+    // =========================================================================
+    // DELETION / VERNICHTUNG — Sichere Datenloeschung & Datentraegervernichtung
+    // =========================================================================
+    {
+      id: 'TOM-DL-01',
+      code: 'TOM-DL-01',
+      category: 'SEPARATION',
+      type: 'TECHNICAL',
+      name: {
+        de: 'Sichere Datenloeschung',
+        en: 'Secure Data Deletion',
+      },
+      description: {
+        de: 'Implementierung sicherer Loeschverfahren, die personenbezogene Daten unwiederbringlich entfernen (z.B. nach DIN 66399).',
+        en: 'Implementation of secure deletion procedures that irrecoverably remove personal data (e.g. per DIN 66399).',
+      },
+      mappings: [
+        { framework: 'GDPR_ART17', reference: 'Art. 17' },
+        { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 1 lit. e' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
+        { framework: 'BSI_C5', reference: 'SY-09' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'dataProfile.dataVolume',
+          operator: 'NOT_EQUALS',
+          value: 'NONE',
+          result: 'REQUIRED',
+          priority: 30,
+        },
+      ],
+      defaultApplicability: 'REQUIRED',
+      evidenceRequirements: [
+        'Loeschkonzept / Loeschrichtlinie',
+        'Loeschprotokolle mit Zeitstempeln',
+        'DIN 66399 Konformitaetsnachweis',
+      ],
+      reviewFrequency: 'ANNUAL',
+      priority: 'HIGH',
+      complexity: 'MEDIUM',
+      tags: ['deletion', 'loeschung', 'data-lifecycle', 'din-66399'],
+    },
+    {
+      id: 'TOM-DL-02',
+      code: 'TOM-DL-02',
+      category: 'SEPARATION',
+      type: 'TECHNICAL',
+      name: {
+        de: 'Datentraegervernichtung',
+        en: 'Media Destruction',
+      },
+      description: {
+        de: 'Physische Vernichtung von Datentraegern (Festplatten, SSDs, USB-Sticks, Papier) gemaess DIN 66399 Schutzklassen.',
+        en: 'Physical destruction of storage media (hard drives, SSDs, USB sticks, paper) per DIN 66399 protection classes.',
+      },
+      mappings: [
+        { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.7.14' },
+        { framework: 'BSI_C5', reference: 'AM-08' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'dataProfile.dataVolume',
+          operator: 'NOT_EQUALS',
+          value: 'NONE',
+          result: 'RECOMMENDED',
+          priority: 20,
+        },
+      ],
+      defaultApplicability: 'RECOMMENDED',
+      evidenceRequirements: [
+        'Vernichtungsprotokoll mit Seriennummern',
+        'Zertifikat des Vernichtungsdienstleisters',
+        'DIN 66399 Sicherheitsstufe-Nachweis',
+      ],
+      reviewFrequency: 'ANNUAL',
+      priority: 'MEDIUM',
+      complexity: 'LOW',
+      tags: ['deletion', 'media-destruction', 'physical-security', 'din-66399'],
+    },
+    {
+      id: 'TOM-DL-03',
+      code: 'TOM-DL-03',
+      category: 'SEPARATION',
+      type: 'ORGANIZATIONAL',
+      name: {
+        de: 'Loeschprotokollierung',
+        en: 'Deletion Logging',
+      },
+      description: {
+        de: 'Systematische Protokollierung aller Loeschvorgaenge mit Zeitstempel, Verantwortlichem, Datenobjekt und Loeschmethode.',
+        en: 'Systematic logging of all deletion operations with timestamp, responsible person, data object, and deletion method.',
+      },
+      mappings: [
+        { framework: 'GDPR_ART5', reference: 'Art. 5 Abs. 2 (Rechenschaftspflicht)' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.8.10' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'dataProfile.dataVolume',
+          operator: 'NOT_EQUALS',
+          value: 'NONE',
+          result: 'REQUIRED',
+          priority: 25,
+        },
+      ],
+      defaultApplicability: 'REQUIRED',
+      evidenceRequirements: [
+        'Loeschprotokoll-Template',
+        'Archivierte Loeschprotokolle (Stichprobe)',
+        'Automatisierungsnachweis (bei automatischen Loeschungen)',
+      ],
+      reviewFrequency: 'SEMI_ANNUAL',
+      priority: 'HIGH',
+      complexity: 'LOW',
+      tags: ['deletion', 'logging', 'accountability', 'documentation'],
+    },
+    {
+      id: 'TOM-DL-04',
+      code: 'TOM-DL-04',
+      category: 'SEPARATION',
+      type: 'TECHNICAL',
+      name: {
+        de: 'Backup-Bereinigung',
+        en: 'Backup Sanitization',
+      },
+      description: {
+        de: 'Sicherstellung, dass personenbezogene Daten auch in Backup-Systemen nach Ablauf der Loeschfrist entfernt werden.',
+        en: 'Ensuring that personal data is also removed from backup systems after the retention period expires.',
+      },
+      mappings: [
+        { framework: 'GDPR_ART17', reference: 'Art. 17 Abs. 2' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.8.13' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'techProfile.hasBackups',
+          operator: 'EQUALS',
+          value: true,
+          result: 'REQUIRED',
+          priority: 25,
+        },
+      ],
+      defaultApplicability: 'RECOMMENDED',
+      evidenceRequirements: [
+        'Backup-Loeschkonzept',
+        'Backup-Rotationsplan',
+        'Nachweis der Backup-Bereinigung',
+      ],
+      reviewFrequency: 'SEMI_ANNUAL',
+      priority: 'MEDIUM',
+      complexity: 'HIGH',
+      tags: ['deletion', 'backup', 'data-lifecycle', 'retention'],
+    },
+
+    // =========================================================================
+    // SCHULUNG / VERTRAULICHKEIT — Training & Awareness
+    // =========================================================================
+    {
+      id: 'TOM-TR-01',
+      code: 'TOM-TR-01',
+      category: 'REVIEW',
+      type: 'ORGANIZATIONAL',
+      name: {
+        de: 'Datenschutzschulung',
+        en: 'Data Protection Training',
+      },
+      description: {
+        de: 'Regelmaessige Schulung aller Mitarbeiter zu Datenschutzgrundlagen, DSGVO-Anforderungen und betrieblichen Datenschutzrichtlinien.',
+        en: 'Regular training of all employees on data protection fundamentals, GDPR requirements, and organizational data protection policies.',
+      },
+      mappings: [
+        { framework: 'GDPR_ART39', reference: 'Art. 39 Abs. 1 lit. b' },
+        { framework: 'GDPR_ART47', reference: 'Art. 47 Abs. 2 lit. n' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'orgProfile.employeeCount',
+          operator: 'GREATER_THAN',
+          value: 0,
+          result: 'REQUIRED',
+          priority: 30,
+        },
+      ],
+      defaultApplicability: 'REQUIRED',
+      evidenceRequirements: [
+        'Schulungsplan (jaehrlich)',
+        'Teilnahmelisten / Schulungsnachweise',
+        'Schulungsmaterialien / Praesentation',
+        'Wissenstest-Ergebnisse (optional)',
+      ],
+      reviewFrequency: 'ANNUAL',
+      priority: 'HIGH',
+      complexity: 'LOW',
+      tags: ['training', 'schulung', 'awareness', 'organizational'],
+    },
+    {
+      id: 'TOM-TR-02',
+      code: 'TOM-TR-02',
+      category: 'REVIEW',
+      type: 'ORGANIZATIONAL',
+      name: {
+        de: 'Verpflichtung auf Datengeheimnis',
+        en: 'Confidentiality Obligation',
+      },
+      description: {
+        de: 'Schriftliche Verpflichtung aller Mitarbeiter und externen Dienstleister auf die Vertraulichkeit personenbezogener Daten.',
+        en: 'Written obligation of all employees and external service providers to maintain confidentiality of personal data.',
+      },
+      mappings: [
+        { framework: 'GDPR_ART28', reference: 'Art. 28 Abs. 3 lit. b' },
+        { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 4' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.6.6' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'orgProfile.employeeCount',
+          operator: 'GREATER_THAN',
+          value: 0,
+          result: 'REQUIRED',
+          priority: 30,
+        },
+      ],
+      defaultApplicability: 'REQUIRED',
+      evidenceRequirements: [
+        'Muster-Verpflichtungserklaerung',
+        'Unterschriebene Verpflichtungserklaerungen',
+        'Register der verpflichteten Personen',
+      ],
+      reviewFrequency: 'ANNUAL',
+      priority: 'HIGH',
+      complexity: 'LOW',
+      tags: ['training', 'confidentiality', 'vertraulichkeit', 'obligation'],
+    },
+    {
+      id: 'TOM-TR-03',
+      code: 'TOM-TR-03',
+      category: 'REVIEW',
+      type: 'ORGANIZATIONAL',
+      name: {
+        de: 'Security Awareness Programm',
+        en: 'Security Awareness Program',
+      },
+      description: {
+        de: 'Fortlaufendes Awareness-Programm zu IT-Sicherheit, Phishing-Erkennung, Social Engineering und sicherem Umgang mit Daten.',
+        en: 'Ongoing awareness program on IT security, phishing detection, social engineering, and safe data handling.',
+      },
+      mappings: [
+        { framework: 'GDPR_ART32', reference: 'Art. 32 Abs. 1 lit. d' },
+        { framework: 'ISO27001_ANNEX_A', reference: 'A.6.3' },
+        { framework: 'BSI_C5', reference: 'ORP.3' },
+      ],
+      applicabilityConditions: [
+        {
+          field: 'orgProfile.employeeCount',
+          operator: 'GREATER_THAN',
+          value: 10,
+          result: 'REQUIRED',
+          priority: 20,
+        },
+        {
+          field: 'orgProfile.employeeCount',
+          operator: 'GREATER_THAN',
+          value: 0,
+          result: 'RECOMMENDED',
+          priority: 15,
+        },
+      ],
+      defaultApplicability: 'RECOMMENDED',
+      evidenceRequirements: [
+        'Awareness-Programm-Dokumentation',
+        'Phishing-Simulationsergebnisse',
+        'Teilnahmenachweise',
+      ],
+      reviewFrequency: 'SEMI_ANNUAL',
+      priority: 'MEDIUM',
+      complexity: 'MEDIUM',
+      tags: ['training', 'security-awareness', 'phishing', 'social-engineering'],
+    },
  ],
 }

--- a/admin-v2/lib/sdk/tom-generator/sdm-mapping.ts
+++ b/admin-v2/lib/sdk/tom-generator/sdm-mapping.ts
@@ -0,0 +1,192 @@
+// =============================================================================
+// SDM (Standard-Datenschutzmodell) Mapping
+// Maps ControlCategories to SDM Gewaehrleistungsziele and Spec Modules
+// =============================================================================
+
+import { ControlCategory } from './types'
+
+// =============================================================================
+// TYPES
+// =============================================================================
+
+export type SDMGewaehrleistungsziel =
+  | 'Verfuegbarkeit'
+  | 'Integritaet'
+  | 'Vertraulichkeit'
+  | 'Nichtverkettung'
+  | 'Intervenierbarkeit'
+  | 'Transparenz'
+  | 'Datenminimierung'
+
+export type TOMModuleCategory =
+  | 'IDENTITY_AUTH'
+  | 'LOGGING'
+  | 'DOCUMENTATION'
+  | 'SEPARATION'
+  | 'RETENTION'
+  | 'DELETION'
+  | 'TRAINING'
+  | 'REVIEW'
+
+export const SDM_GOAL_LABELS: Record<SDMGewaehrleistungsziel, string> = {
+  Verfuegbarkeit: 'Verfuegbarkeit',
+  Integritaet: 'Integritaet',
+  Vertraulichkeit: 'Vertraulichkeit',
+  Nichtverkettung: 'Nichtverkettung',
+  Intervenierbarkeit: 'Intervenierbarkeit',
+  Transparenz: 'Transparenz',
+  Datenminimierung: 'Datenminimierung',
+}
+
+export const SDM_GOAL_DESCRIPTIONS: Record<SDMGewaehrleistungsziel, string> = {
+  Verfuegbarkeit: 'Personenbezogene Daten muessen zeitgerecht zur Verfuegung stehen und ordnungsgemaess verarbeitet werden koennen.',
+  Integritaet: 'Personenbezogene Daten muessen unversehrt, vollstaendig und aktuell bleiben.',
+  Vertraulichkeit: 'Nur Befugte duerfen personenbezogene Daten zur Kenntnis nehmen.',
+  Nichtverkettung: 'Daten duerfen nicht ohne Weiteres fuer andere Zwecke zusammengefuehrt werden.',
+  Intervenierbarkeit: 'Betroffene muessen ihre Rechte wahrnehmen koennen (Auskunft, Berichtigung, Loeschung).',
+  Transparenz: 'Verarbeitungsvorgaenge muessen nachvollziehbar dokumentiert sein.',
+  Datenminimierung: 'Nur die fuer den Zweck erforderlichen Daten duerfen verarbeitet werden.',
+}
+
+export const MODULE_LABELS: Record<TOMModuleCategory, string> = {
+  IDENTITY_AUTH: 'Identitaet & Authentifizierung',
+  LOGGING: 'Protokollierung',
+  DOCUMENTATION: 'Dokumentation',
+  SEPARATION: 'Trennung',
+  RETENTION: 'Aufbewahrung',
+  DELETION: 'Loeschung & Vernichtung',
+  TRAINING: 'Schulung & Vertraulichkeit',
+  REVIEW: 'Ueberpruefung & Bewertung',
+}
+
+// =============================================================================
+// MAPPINGS
+// =============================================================================
+
+/**
+ * Maps ControlCategory to its primary SDM Gewaehrleistungsziele
+ */
+export const SDM_CATEGORY_MAPPING: Record<ControlCategory, SDMGewaehrleistungsziel[]> = {
+  ACCESS_CONTROL: ['Vertraulichkeit'],
+  ADMISSION_CONTROL: ['Vertraulichkeit', 'Integritaet'],
+  ACCESS_AUTHORIZATION: ['Vertraulichkeit', 'Nichtverkettung'],
+  TRANSFER_CONTROL: ['Vertraulichkeit', 'Integritaet'],
+  INPUT_CONTROL: ['Integritaet', 'Transparenz'],
+  ORDER_CONTROL: ['Transparenz', 'Intervenierbarkeit'],
+  AVAILABILITY: ['Verfuegbarkeit'],
+  SEPARATION: ['Nichtverkettung', 'Datenminimierung'],
+  ENCRYPTION: ['Vertraulichkeit', 'Integritaet'],
+  PSEUDONYMIZATION: ['Datenminimierung', 'Nichtverkettung'],
+  RESILIENCE: ['Verfuegbarkeit'],
+  RECOVERY: ['Verfuegbarkeit', 'Integritaet'],
+  REVIEW: ['Transparenz', 'Intervenierbarkeit'],
+}
+
+/**
+ * Maps ControlCategory to Spec Module Categories
+ */
+export const MODULE_CATEGORY_MAPPING: Record<ControlCategory, TOMModuleCategory[]> = {
+  ACCESS_CONTROL: ['IDENTITY_AUTH'],
+  ADMISSION_CONTROL: ['IDENTITY_AUTH'],
+  ACCESS_AUTHORIZATION: ['IDENTITY_AUTH', 'DOCUMENTATION'],
+  TRANSFER_CONTROL: ['DOCUMENTATION'],
+  INPUT_CONTROL: ['LOGGING'],
+  ORDER_CONTROL: ['DOCUMENTATION'],
+  AVAILABILITY: ['REVIEW'],
+  SEPARATION: ['SEPARATION'],
+  ENCRYPTION: ['IDENTITY_AUTH'],
+  PSEUDONYMIZATION: ['SEPARATION', 'DELETION'],
+  RESILIENCE: ['REVIEW'],
+  RECOVERY: ['REVIEW'],
+  REVIEW: ['REVIEW', 'TRAINING'],
+}
+
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+
+import type { DerivedTOM, ControlLibraryEntry } from './types'
+import { getControlById } from './controls/loader'
+
+/**
+ * Get SDM goals for a given control (by looking up its category)
+ */
+export function getSDMGoalsForControl(controlId: string): SDMGewaehrleistungsziel[] {
+  const control = getControlById(controlId)
+  if (!control) return []
+  return SDM_CATEGORY_MAPPING[control.category] || []
+}
+
+/**
+ * Get derived TOMs that map to a specific SDM goal
+ */
+export function getTOMsBySDMGoal(
+  toms: DerivedTOM[],
+  goal: SDMGewaehrleistungsziel
+): DerivedTOM[] {
+  return toms.filter(tom => {
+    const goals = getSDMGoalsForControl(tom.controlId)
+    return goals.includes(goal)
+  })
+}
+
+/**
+ * Get derived TOMs belonging to a specific module
+ */
+export function getTOMsByModule(
+  toms: DerivedTOM[],
+  module: TOMModuleCategory
+): DerivedTOM[] {
+  return toms.filter(tom => {
+    const control = getControlById(tom.controlId)
+    if (!control) return false
+    const modules = MODULE_CATEGORY_MAPPING[control.category] || []
+    return modules.includes(module)
+  })
+}
+
+/**
+ * Get SDM goal coverage statistics
+ */
+export function getSDMCoverageStats(toms: DerivedTOM[]): Record<SDMGewaehrleistungsziel, {
+  total: number
+  implemented: number
+  partial: number
+  missing: number
+}> {
+  const goals = Object.keys(SDM_GOAL_LABELS) as SDMGewaehrleistungsziel[]
+  const stats = {} as Record<SDMGewaehrleistungsziel, { total: number; implemented: number; partial: number; missing: number }>
+
+  for (const goal of goals) {
+    const goalTOMs = getTOMsBySDMGoal(toms, goal)
+    stats[goal] = {
+      total: goalTOMs.length,
+      implemented: goalTOMs.filter(t => t.implementationStatus === 'IMPLEMENTED').length,
+      partial: goalTOMs.filter(t => t.implementationStatus === 'PARTIAL').length,
+      missing: goalTOMs.filter(t => t.implementationStatus === 'NOT_IMPLEMENTED').length,
+    }
+  }
+
+  return stats
+}
+
+/**
+ * Get module coverage statistics
+ */
+export function getModuleCoverageStats(toms: DerivedTOM[]): Record<TOMModuleCategory, {
+  total: number
+  implemented: number
+}> {
+  const modules = Object.keys(MODULE_LABELS) as TOMModuleCategory[]
+  const stats = {} as Record<TOMModuleCategory, { total: number; implemented: number }>
+
+  for (const mod of modules) {
+    const modTOMs = getTOMsByModule(toms, mod)
+    stats[mod] = {
+      total: modTOMs.length,
+      implemented: modTOMs.filter(t => t.implementationStatus === 'IMPLEMENTED').length,
+    }
+  }
+
+  return stats
+}
--- a/admin-v2/lib/sdk/tom-generator/types.ts
+++ b/admin-v2/lib/sdk/tom-generator/types.ts
@@ -899,3 +899,65 @@ export function createInitialTOMGeneratorState(
 * Alias for createInitialTOMGeneratorState (for API compatibility)
 */
 export const createEmptyTOMGeneratorState = createInitialTOMGeneratorState
+
+// =============================================================================
+// SDM TYPES (Standard-Datenschutzmodell)
+// =============================================================================
+
+export type SDMGewaehrleistungsziel =
+  | 'Verfuegbarkeit'
+  | 'Integritaet'
+  | 'Vertraulichkeit'
+  | 'Nichtverkettung'
+  | 'Intervenierbarkeit'
+  | 'Transparenz'
+  | 'Datenminimierung'
+
+export type TOMModuleCategory =
+  | 'IDENTITY_AUTH'
+  | 'LOGGING'
+  | 'DOCUMENTATION'
+  | 'SEPARATION'
+  | 'RETENTION'
+  | 'DELETION'
+  | 'TRAINING'
+  | 'REVIEW'
+
+/**
+ * Maps ControlCategory to SDM Gewaehrleistungsziele.
+ * Used by the TOM Dashboard to display SDM coverage.
+ */
+export const SDM_CATEGORY_MAPPING: Record<ControlCategory, SDMGewaehrleistungsziel[]> = {
+  ACCESS_CONTROL: ['Vertraulichkeit'],
+  ADMISSION_CONTROL: ['Vertraulichkeit', 'Integritaet'],
+  ACCESS_AUTHORIZATION: ['Vertraulichkeit', 'Nichtverkettung'],
+  TRANSFER_CONTROL: ['Vertraulichkeit', 'Integritaet'],
+  INPUT_CONTROL: ['Integritaet', 'Transparenz'],
+  ORDER_CONTROL: ['Transparenz', 'Intervenierbarkeit'],
+  AVAILABILITY: ['Verfuegbarkeit'],
+  SEPARATION: ['Nichtverkettung', 'Datenminimierung'],
+  ENCRYPTION: ['Vertraulichkeit', 'Integritaet'],
+  PSEUDONYMIZATION: ['Datenminimierung', 'Nichtverkettung'],
+  RESILIENCE: ['Verfuegbarkeit'],
+  RECOVERY: ['Verfuegbarkeit', 'Integritaet'],
+  REVIEW: ['Transparenz', 'Intervenierbarkeit'],
+}
+
+/**
+ * Maps ControlCategory to Spec Module Categories.
+ */
+export const MODULE_CATEGORY_MAPPING: Record<ControlCategory, TOMModuleCategory[]> = {
+  ACCESS_CONTROL: ['IDENTITY_AUTH'],
+  ADMISSION_CONTROL: ['IDENTITY_AUTH'],
+  ACCESS_AUTHORIZATION: ['IDENTITY_AUTH', 'DOCUMENTATION'],
+  TRANSFER_CONTROL: ['DOCUMENTATION'],
+  INPUT_CONTROL: ['LOGGING'],
+  ORDER_CONTROL: ['DOCUMENTATION'],
+  AVAILABILITY: ['REVIEW'],
+  SEPARATION: ['SEPARATION'],
+  ENCRYPTION: ['IDENTITY_AUTH'],
+  PSEUDONYMIZATION: ['SEPARATION', 'DELETION'],
+  RESILIENCE: ['REVIEW'],
+  RECOVERY: ['REVIEW'],
+  REVIEW: ['REVIEW', 'TRAINING'],
+}