feat: BreakPilot PWA - Full codebase (clean push without large binaries)
All services: admin-v2, studio-v2, website, ai-compliance-sdk,
consent-service, klausur-service, voice-service, and infrastructure.
Large PDFs and compiled binaries excluded via .gitignore.
2026-02-11 13:25:58 +01:00
metadata:
  # Catalog version. Consumers that cache evaluated applicability should key
  # on this; change it whenever a control's conditions or mappings change.
  version: "1.0.0"
  lastUpdated: "2026-02-04"
  # NOTE(review): nothing in this file ties this number to the actual length
  # of the `controls` list; a loader-side count check is the place to confirm
  # it (the list continues beyond what was reviewed here).
  totalControls: 60
# Control categories. The first eight follow the classic German TOM scheme
# (Zutritts-, Zugangs-, Zugriffs-, Weitergabe-, Eingabe-, Auftrags-,
# Verfügbarkeits-, Trennungskontrolle); the remaining five are taken directly
# from Art. 32(1) GDPR (encryption, pseudonymisation, resilience, recovery,
# regular review).
#
# Naming trap for English readers: ACCESS_CONTROL is *physical* entry
# (Zutritt), ADMISSION_CONTROL is *logon* to systems (Zugang), and
# ACCESS_AUTHORIZATION is *data-level* permissions (Zugriff). Check the
# German key before filing a control.
#
# `gdprReference` here is informational; each control carries its own
# `mappings` and nothing in this file checks the two agree.
categories:
  ACCESS_CONTROL:
    name:
      de: "Zutrittskontrolle"
      en: "Physical Access Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ADMISSION_CONTROL:
    name:
      de: "Zugangskontrolle"
      en: "System Access Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ACCESS_AUTHORIZATION:
    name:
      de: "Zugriffskontrolle"
      en: "Access Authorization"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  TRANSFER_CONTROL:
    name:
      de: "Weitergabekontrolle"
      en: "Transfer Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  INPUT_CONTROL:
    name:
      de: "Eingabekontrolle"
      en: "Input Control"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  # Processor/contract controls map to Art. 28, not Art. 32.
  ORDER_CONTROL:
    name:
      de: "Auftragskontrolle"
      en: "Order Control"
    gdprReference: "Art. 28"
  AVAILABILITY:
    name:
      de: "Verfügbarkeit"
      en: "Availability"
    gdprReference: "Art. 32 Abs. 1 lit. b, c"
  SEPARATION:
    name:
      de: "Trennbarkeit"
      en: "Separation"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  ENCRYPTION:
    name:
      de: "Verschlüsselung"
      en: "Encryption"
    gdprReference: "Art. 32 Abs. 1 lit. a"
  PSEUDONYMIZATION:
    name:
      de: "Pseudonymisierung"
      en: "Pseudonymization"
    gdprReference: "Art. 32 Abs. 1 lit. a"
  RESILIENCE:
    name:
      de: "Belastbarkeit"
      en: "Resilience"
    gdprReference: "Art. 32 Abs. 1 lit. b"
  RECOVERY:
    name:
      de: "Wiederherstellbarkeit"
      en: "Recovery"
    gdprReference: "Art. 32 Abs. 1 lit. c"
  REVIEW:
    name:
      de: "Überprüfung & Bewertung"
      en: "Review & Assessment"
    gdprReference: "Art. 32 Abs. 1 lit. d"
controls:
# =============================================================================
# ACCESS CONTROL (Zutrittskontrolle) - Physical Access
# =============================================================================
- id: "TOM-AC-01"
  # `id` and `code` carry the same value on every control in this file;
  # presumably one is the stable key and the other a display code — confirm
  # which one the consumer keys on before changing either.
  code: "TOM-AC-01"
  category: ACCESS_CONTROL
  type: TECHNICAL
  name:
    de: "Elektronische Zutrittskontrolle"
    en: "Electronic Access Control"
  # Biometric entry systems, which this description suggests, process Art. 9
  # special-category data (biometric data for unique identification); that
  # choice needs its own legal basis and typically a DPIA, so prefer cards or
  # tokens unless the risk justifies biometrics.
  description:
    de: "Implementierung elektronischer Zugangskontrollsysteme (Chipkarten, Biometrie) zur Kontrolle des physischen Zutritts zu Räumlichkeiten mit IT-Systemen."
    en: "Implementation of electronic access control systems (chip cards, biometrics) to control physical access to premises with IT systems."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # NOTE(review): "A.7.2" (Physical entry) is ISO/IEC 27001:2022 numbering;
  # the 2013 Annex A equivalent is A.11.1.2. Other controls in this file cite
  # 2013 numbers (A.9.x, A.12.x, A.13.x), so the edition is ambiguous —
  # record it in the framework id or normalise to one edition.
  - framework: ISO27001_ANNEX_A
    reference: "A.7.2"
  # NOTE(review): ORP.4 is BSI's identity- and authorisation-management
  # module; physical entry to buildings/rooms is covered by INF.1 / INF.2.
  # Confirm the intended reference.
  - framework: BSI_IT_GRUNDSCHUTZ
    reference: "ORP.4"
  # Evaluation rule assumed: highest `priority` among matching conditions
  # wins, else `defaultApplicability`. The evaluator is not in this file, so
  # confirm; these two conditions are mutually exclusive on a single-valued
  # hostingModel anyway.
  applicabilityConditions:
  - field: "architectureProfile.hostingModel"
    operator: IN
    value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
    result: REQUIRED
    priority: 10
  # NOT_APPLICABLE for public cloud means the physical control is inherited
  # from the provider; the obligation moves to the provider audit (TOM-OR-02)
  # and the DPA (TOM-OR-01) rather than disappearing.
  - field: "architectureProfile.hostingModel"
    operator: EQUALS
    value: "PUBLIC_CLOUD"
    result: NOT_APPLICABLE
    priority: 20
  defaultApplicability: RECOMMENDED
  # Entry logs are personal data of staff and visitors; scope their retention
  # under TOM-IN-04 rather than keeping them indefinitely.
  evidenceRequirements:
  - "Zutrittskontrollkonzept"
  - "Protokolle des Zutrittskontrollsystems"
  - "Besucherregelungen"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["physical-security", "access"]
- id: "TOM-AC-02"
  code: "TOM-AC-02"
  category: ACCESS_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Besuchermanagement"
    en: "Visitor Management"
  description:
    de: "Regelungen für den Empfang, die Begleitung und Registrierung von Besuchern in sicherheitsrelevanten Bereichen."
    en: "Regulations for receiving, accompanying and registering visitors in security-relevant areas."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # NOTE(review): A.7.2 is ISO/IEC 27001:2022 numbering (2013: A.11.1.2);
  # the file otherwise cites 2013 numbers — the edition should be explicit.
  - framework: ISO27001_ANNEX_A
    reference: "A.7.2"
  applicabilityConditions:
  - field: "architectureProfile.hostingModel"
    operator: IN
    value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
    result: REQUIRED
    priority: 10
  defaultApplicability: RECOMMENDED
  # The visitor book is itself a record of personal data (name, time, host);
  # give it a retention period and restrict who can read it.
  evidenceRequirements:
  - "Besucherrichtlinie"
  - "Besucherbuch/Protokolle"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: LOW
  tags: ["physical-security", "visitors"]
- id: "TOM-AC-03"
  code: "TOM-AC-03"
  category: ACCESS_CONTROL
  type: TECHNICAL
  name:
    de: "Videoüberwachung"
    en: "Video Surveillance"
  # Surveillance is a protective measure that creates new personal data
  # (footage of staff and visitors); hence the DPIA in the evidence list and
  # OPTIONAL as the default. Keep it that way — do not raise the default.
  description:
    de: "Installation von Videoüberwachungssystemen zur Kontrolle und Dokumentation des Zutritts zu sensiblen Bereichen."
    en: "Installation of video surveillance systems to control and document access to sensitive areas."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # NOTE(review): A.7.4 (Physical security monitoring) exists only in
  # ISO/IEC 27001:2022; other controls here use 2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.7.4"
  # Both conditions yield RECOMMENDED, so their relative priority has no
  # effect on the outcome.
  applicabilityConditions:
  - field: "riskProfile.protectionLevel"
    operator: IN
    value: ["HIGH", "VERY_HIGH"]
    result: RECOMMENDED
    priority: 15
  - field: "dataProfile.hasSpecialCategories"
    operator: EQUALS
    value: true
    result: RECOMMENDED
    priority: 20
  defaultApplicability: OPTIONAL
  # Footage retention and access (who may view, for how long) belong in the
  # concept; a DPIA is listed because camera monitoring is a classic Art. 35
  # trigger.
  evidenceRequirements:
  - "Videoüberwachungskonzept"
  - "Datenschutz-Folgenabschätzung für Videoüberwachung"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: MEDIUM
  tags: ["physical-security", "monitoring"]
- id: "TOM-AC-04"
  code: "TOM-AC-04"
  category: ACCESS_CONTROL
  type: TECHNICAL
  name:
    de: "Alarmanlage"
    en: "Alarm System"
  # Translation note: "Einbruchmeldeanlage" is a burglar/intruder alarm.
  # Rendering it as "intrusion detection system" invites confusion with
  # network IDS in a security catalog; "intruder alarm system" is clearer.
  description:
    de: "Einbruchmeldeanlage zum Schutz der Räumlichkeiten außerhalb der Betriebszeiten."
    en: "Intrusion detection system to protect premises outside business hours."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # INF.1 (general building) is the right BSI module for this.
  - framework: BSI_IT_GRUNDSCHUTZ
    reference: "INF.1"
  # Condition and default both yield RECOMMENDED; the condition is
  # effectively documentation of intent only.
  applicabilityConditions:
  - field: "architectureProfile.hostingModel"
    operator: IN
    value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
    result: RECOMMENDED
    priority: 10
  defaultApplicability: RECOMMENDED
  # Maintenance logs matter because an unserviced alarm silently stops being
  # a control; the review should look at test/alarm events, not just the
  # service contract.
  evidenceRequirements:
  - "Alarmkonzept"
  - "Wartungsprotokolle"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: MEDIUM
  tags: ["physical-security", "intrusion-detection"]
- id: "TOM-AC-05"
  code: "TOM-AC-05"
  category: ACCESS_CONTROL
  type: ORGANIZATIONAL
  # Physical keys only. "Key Management" and the "keys" tag collide with
  # cryptographic key management (ENCRYPTION category); anyone filtering by
  # tag should be aware, and a "physical-keys" tag would disambiguate.
  name:
    de: "Schlüsselmanagement"
    en: "Key Management"
  description:
    de: "Dokumentierte Verwaltung und Ausgabe von physischen Schlüsseln mit Nachverfolgbarkeit."
    en: "Documented management and distribution of physical keys with traceability."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # NOTE(review): A.7.2 is ISO/IEC 27001:2022 numbering (2013: A.11.1.2);
  # the file otherwise cites 2013 numbers.
  - framework: ISO27001_ANNEX_A
    reference: "A.7.2"
  applicabilityConditions:
  - field: "architectureProfile.hostingModel"
    operator: IN
    value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
    result: REQUIRED
    priority: 10
  defaultApplicability: RECOMMENDED
  # The issue log should also cover return on leaving (joiner/leaver) and
  # lost-key handling (re-keying), which "Nachverfolgbarkeit" implies but
  # the evidence list does not name.
  evidenceRequirements:
  - "Schlüsselausgabeprotokoll"
  - "Schlüsselverwaltungsrichtlinie"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: LOW
  tags: ["physical-security", "keys"]
# =============================================================================
# ADMISSION CONTROL (Zugangskontrolle) - System Access
# =============================================================================
- id: "TOM-ADM-01"
  code: "TOM-ADM-01"
  category: ADMISSION_CONTROL
  type: TECHNICAL
  name:
    de: "Multi-Faktor-Authentifizierung"
    en: "Multi-Factor Authentication"
  # The description does not constrain the factor type. For admin and
  # remote access prefer phishing-resistant factors (FIDO2/WebAuthn,
  # certificate-based); SMS/e-mail OTP is the weakest option and should be
  # called out as such in the MFA concept.
  description:
    de: "Implementierung einer Zwei- oder Mehr-Faktor-Authentifizierung für den Systemzugang zu kritischen Systemen und Daten."
    en: "Implementation of two- or multi-factor authentication for system access to critical systems and data."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.9.4.2 (Secure log-on procedures) is ISO/IEC 27001:2013 numbering;
  # the 2022 equivalent is 8.5 (Secure authentication).
  - framework: ISO27001_ANNEX_A
    reference: "A.9.4.2"
  - framework: BSI_IT_GRUNDSCHUTZ
    reference: "ORP.4"
  # All four conditions yield REQUIRED, so priority ordering never changes
  # the result here; it only documents which trigger is considered strongest.
  applicabilityConditions:
  - field: "dataProfile.hasSpecialCategories"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 30
  - field: "dataProfile.processesMinors"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 25
  - field: "riskProfile.protectionLevel"
    operator: IN
    value: ["HIGH", "VERY_HIGH"]
    result: REQUIRED
    priority: 20
  - field: "companyProfile.role"
    operator: EQUALS
    value: "PROCESSOR"
    result: REQUIRED
    priority: 15
  defaultApplicability: RECOMMENDED
  # "Usage statistics" only prove adoption. The useful evidence is coverage:
  # which accounts (especially privileged and service accounts) are exempt
  # from enforcement, and why.
  evidenceRequirements:
  - "MFA-Konfigurationsdokumentation"
  - "Nutzerstatistiken zur MFA-Nutzung"
  reviewFrequency: QUARTERLY
  priority: CRITICAL
  complexity: MEDIUM
  tags: ["authentication", "mfa", "identity"]
- id: "TOM-ADM-02"
  code: "TOM-ADM-02"
  category: ADMISSION_CONTROL
  type: TECHNICAL
  name:
    de: "Passwortrichtlinien"
    en: "Password Policies"
  # NOTE(review): the description mandates forced periodic rotation
  # ("regelmäßiger Wechsel") and complexity rules. Current guidance goes the
  # other way: NIST SP 800-63B §5.1.1.2 says verifiers SHOULD NOT require
  # periodic change, and BSI IT-Grundschutz ORP.4.A8 dropped the mandatory
  # change interval (2020 edition). Rotate on suspected compromise, enforce
  # length and a breached-password screen instead, and rely on MFA
  # (TOM-ADM-01). TODO: revise the description so a REQUIRED default does
  # not force an outdated practice.
  description:
    de: "Durchsetzung technischer Passwortrichtlinien (Mindestlänge, Komplexität, regelmäßiger Wechsel, Historie)."
    en: "Enforcement of technical password policies (minimum length, complexity, regular changes, history)."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.9.4.3 (Password management system) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.9.4.3"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Passwortrichtlinie"
  - "Technische Konfiguration"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: LOW
  tags: ["authentication", "passwords"]
- id: "TOM-ADM-03"
  code: "TOM-ADM-03"
  category: ADMISSION_CONTROL
  type: TECHNICAL
  name:
    de: "Single Sign-On (SSO)"
    en: "Single Sign-On (SSO)"
  # SSO concentrates risk in the identity provider: one IdP compromise or
  # mis-issued token opens every integrated application. The IdP itself
  # must be MFA-protected (TOM-ADM-01), logged and monitored, and the
  # integrated-application list should record which apps still accept
  # local passwords as a bypass.
  description:
    de: "Zentralisierte Authentifizierung über SSO zur Verbesserung der Sicherheit und Benutzerfreundlichkeit."
    en: "Centralized authentication via SSO to improve security and usability."
  # This is the only control in the reviewed range without a GDPR mapping;
  # fine for an OPTIONAL control, but worth noting if consumers assume one.
  # A.9.2.4 (2013: management of secret authentication information) is a
  # loose fit for SSO — confirm the intended clause.
  mappings:
  - framework: ISO27001_ANNEX_A
    reference: "A.9.2.4"
  applicabilityConditions:
  - field: "companyProfile.size"
    operator: IN
    value: ["MEDIUM", "LARGE", "ENTERPRISE"]
    result: RECOMMENDED
    priority: 10
  defaultApplicability: OPTIONAL
  evidenceRequirements:
  - "SSO-Konfigurationsdokumentation"
  - "Integrierte Anwendungsliste"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: HIGH
  tags: ["authentication", "sso", "identity"]
- id: "TOM-ADM-04"
  code: "TOM-ADM-04"
  category: ADMISSION_CONTROL
  type: TECHNICAL
  name:
    de: "Automatische Bildschirmsperre"
    en: "Automatic Screen Lock"
  # No inactivity timeout is specified here; the configured value (and any
  # exceptions such as kiosk or presentation devices) should be part of the
  # GPO/MDM evidence, otherwise "automatic" is unverifiable.
  description:
    de: "Automatische Sperrung von Arbeitsplätzen nach Inaktivität mit erforderlicher Re-Authentifizierung."
    en: "Automatic locking of workstations after inactivity with required re-authentication."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.11.2.8 (Unattended user equipment) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.11.2.8"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "GPO/MDM-Konfiguration"
  - "Richtliniendokumentation"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: LOW
  tags: ["workstation", "security"]
- id: "TOM-ADM-05"
  code: "TOM-ADM-05"
  category: ADMISSION_CONTROL
  type: TECHNICAL
  name:
    de: "Kontosperrung nach Fehlversuchen"
    en: "Account Lockout After Failed Attempts"
  # Caveat: a hard lockout lets anyone who knows a username lock that user
  # out (account-DoS), including admin accounts. Prefer throttling with
  # increasing delay and alerting, as NIST SP 800-63B §5.2.2 describes, and
  # make sure a lockout cannot be triggered on break-glass accounts. The
  # lockout events listed below should feed the log analysis in TOM-IN-04.
  description:
    de: "Automatische temporäre Sperrung von Benutzerkonten nach mehreren fehlgeschlagenen Anmeldeversuchen."
    en: "Automatic temporary locking of user accounts after multiple failed login attempts."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.9.4.2 (Secure log-on procedures) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.9.4.2"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Konfigurationsdokumentation"
  - "Protokollierung der Sperrereignisse"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: LOW
  tags: ["authentication", "brute-force-protection"]
# =============================================================================
# ACCESS AUTHORIZATION (Zugriffskontrolle)
# =============================================================================
- id: "TOM-AZ-01"
  code: "TOM-AZ-01"
  category: ACCESS_AUTHORIZATION
  type: TECHNICAL
  name:
    de: "Rollenbasierte Zugriffskontrolle (RBAC)"
    en: "Role-Based Access Control (RBAC)"
  # Need-to-know is the stated principle; in practice the audit evidence
  # should show role scope is reviewed for privilege creep (roles that
  # accumulate permissions) and that service/technical accounts are in the
  # role matrix too, not only human users.
  description:
    de: "Implementierung eines rollenbasierten Berechtigungssystems zur Steuerung des Datenzugriffs nach dem Need-to-Know-Prinzip."
    en: "Implementation of a role-based permission system to control data access according to the need-to-know principle."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.9.2.3 (2013) is "Management of privileged access rights"; for a
  # general RBAC scheme A.9.1.1 (Access control policy) or A.9.2.2 may be
  # the better fit — confirm.
  - framework: ISO27001_ANNEX_A
    reference: "A.9.2.3"
  - framework: BSI_IT_GRUNDSCHUTZ
    reference: "ORP.4"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Berechtigungskonzept"
  - "Rollenmatrix"
  - "Berechtigungsaudits"
  reviewFrequency: SEMI_ANNUAL
  priority: CRITICAL
  complexity: MEDIUM
  tags: ["authorization", "rbac", "access"]
- id: "TOM-AZ-02"
  code: "TOM-AZ-02"
  category: ACCESS_AUTHORIZATION
  type: ORGANIZATIONAL
  name:
    de: "Berechtigungsverwaltungsprozess"
    en: "Authorization Management Process"
  # The process should define a deadline for revocation on leaving or role
  # change (joiner/mover/leaver) — stale access after departure is the
  # common audit finding, and "Entzug" alone does not fix a time limit.
  description:
    de: "Dokumentierter Prozess für Beantragung, Genehmigung und Entzug von Zugriffsberechtigungen."
    en: "Documented process for requesting, approving and revoking access permissions."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.9.2.2 (User access provisioning) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.9.2.2"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Berechtigungsanträge"
  - "Genehmigungsprotokolle"
  - "Prozessdokumentation"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: LOW
  tags: ["authorization", "process"]
- id: "TOM-AZ-03"
  code: "TOM-AZ-03"
  category: ACCESS_AUTHORIZATION
  type: TECHNICAL
  name:
    de: "Privileged Access Management (PAM)"
    en: "Privileged Access Management (PAM)"
  # Two practitioner points the description leaves open: (1) a documented
  # break-glass path that bypasses the approval workflow in an emergency
  # and is itself logged; (2) session recordings are personal data of the
  # administrators — define retention and who may review them.
  description:
    de: "Spezielle Kontrollen für privilegierte Konten (Admins) mit Aufzeichnung, zeitlicher Begrenzung und Genehmigungsworkflows."
    en: "Special controls for privileged accounts (admins) with recording, time limits and approval workflows."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.9.2.3 (Management of privileged access rights) — ISO/IEC 27001:2013.
  - framework: ISO27001_ANNEX_A
    reference: "A.9.2.3"
  # Two REQUIRED triggers outrank the RECOMMENDED size trigger, assuming the
  # evaluator takes the highest priority among matches — confirm.
  applicabilityConditions:
  - field: "riskProfile.protectionLevel"
    operator: IN
    value: ["HIGH", "VERY_HIGH"]
    result: REQUIRED
    priority: 20
  - field: "dataProfile.hasSpecialCategories"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 25
  - field: "companyProfile.size"
    operator: IN
    value: ["LARGE", "ENTERPRISE"]
    result: RECOMMENDED
    priority: 10
  defaultApplicability: RECOMMENDED
  evidenceRequirements:
  - "PAM-Konfiguration"
  - "Sitzungsaufzeichnungen"
  - "Audit-Logs"
  reviewFrequency: QUARTERLY
  priority: CRITICAL
  complexity: HIGH
  tags: ["authorization", "pam", "privileged"]
- id: "TOM-AZ-04"
  code: "TOM-AZ-04"
  category: ACCESS_AUTHORIZATION
  type: ORGANIZATIONAL
  name:
    de: "Regelmäßige Berechtigungsrezertifizierung"
    en: "Regular Authorization Recertification"
  # Review by the supervisor is the common model; the recertification
  # record should show removals actually happened, not only that the review
  # was held — otherwise it is a formality.
  description:
    de: "Periodische Überprüfung aller Zugriffsberechtigungen durch die jeweiligen Vorgesetzten."
    en: "Periodic review of all access permissions by respective supervisors."
  mappings:
  # lit. d (regular testing and evaluation) is the right sub-clause here.
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. d"
  # A.9.2.5 (Review of user access rights) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.9.2.5"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Rezertifizierungsprotokolle"
  - "Prozessdokumentation"
  reviewFrequency: SEMI_ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["authorization", "review"]
- id: "TOM-AZ-05"
  code: "TOM-AZ-05"
  category: ACCESS_AUTHORIZATION
  type: TECHNICAL
  name:
    de: "Datenklassifizierung und Label"
    en: "Data Classification and Labeling"
  # Labels only protect data if something enforces them (DLP in TOM-TR-05,
  # access rules in TOM-AZ-01); the classification scheme should state
  # which class special-category data falls into so the REQUIRED trigger
  # below has a concrete meaning.
  description:
    de: "Technische Umsetzung einer Datenklassifizierung mit entsprechenden Zugriffssteuerungen."
    en: "Technical implementation of data classification with corresponding access controls."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.8.2 (Information classification) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.8.2"
  applicabilityConditions:
  - field: "dataProfile.hasSpecialCategories"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 25
  - field: "riskProfile.protectionLevel"
    operator: IN
    value: ["HIGH", "VERY_HIGH"]
    result: RECOMMENDED
    priority: 15
  defaultApplicability: RECOMMENDED
  evidenceRequirements:
  - "Klassifizierungsschema"
  - "Label-Konfiguration"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: HIGH
  tags: ["classification", "labeling"]
# =============================================================================
# TRANSFER CONTROL (Weitergabekontrolle)
# =============================================================================
- id: "TOM-TR-01"
  code: "TOM-TR-01"
  category: TRANSFER_CONTROL
  type: TECHNICAL
  name:
    de: "Transportverschlüsselung (TLS)"
    en: "Transport Encryption (TLS)"
  # "TLS 1.2 or higher" is a version floor, not a cipher policy: TLS 1.2 is
  # only acceptable with a restricted suite list (no CBC/RSA key exchange,
  # forward secrecy), per BSI TR-02102-2 — check the current revision. Note
  # "aller Datenübertragungen" includes internal service-to-service traffic;
  # external TLS scans do not evidence that, so internal endpoints (mTLS,
  # DB connections) need their own configuration evidence.
  description:
    de: "Verschlüsselung aller Datenübertragungen mittels TLS 1.2 oder höher."
    en: "Encryption of all data transfers using TLS 1.2 or higher."
  mappings:
  # lit. a — encryption — rather than lit. b, correctly.
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. a"
  # A.13.2.1 (Information transfer policies) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.13.2.1"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "TLS-Konfigurationsdokumentation"
  - "SSL/TLS-Scans"
  reviewFrequency: QUARTERLY
  priority: CRITICAL
  complexity: MEDIUM
  tags: ["encryption", "transport", "tls"]
- id: "TOM-TR-02"
  code: "TOM-TR-02"
  category: TRANSFER_CONTROL
  type: TECHNICAL
  name:
    de: "VPN für Fernzugriff"
    en: "VPN for Remote Access"
  # A VPN is a network-layer control and an internet-exposed gateway; it
  # needs MFA on the gateway (TOM-ADM-01), prompt patching, and segmentation
  # behind it (TOM-SE-02) — a VPN login should not equal flat LAN access.
  description:
    de: "Nutzung von VPN-Verbindungen für sicheren Fernzugriff auf Unternehmensnetzwerke."
    en: "Use of VPN connections for secure remote access to corporate networks."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.13.2.1 (2013) is about information transfer policies; A.13.1.1
  # (Network controls) may be the closer clause for remote access — confirm.
  - framework: ISO27001_ANNEX_A
    reference: "A.13.2.1"
  applicabilityConditions:
  - field: "architectureProfile.hostingModel"
    operator: IN
    value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
    result: REQUIRED
    priority: 15
  defaultApplicability: RECOMMENDED
  # "Nutzungsstatistiken" are weak evidence for a security control; the
  # gateway's authentication policy and patch level say more.
  evidenceRequirements:
  - "VPN-Konfiguration"
  - "Nutzungsstatistiken"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["vpn", "remote-access"]
- id: "TOM-TR-03"
  code: "TOM-TR-03"
  category: TRANSFER_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Richtlinie zur Datenübermittlung"
    en: "Data Transfer Policy"
  # "Extern" here is a security policy on the transfer channel; transfers to
  # third countries additionally need a Chapter V basis, which is a legal
  # question outside this technical control.
  description:
    de: "Dokumentierte Richtlinie für die sichere Übermittlung personenbezogener Daten intern und extern."
    en: "Documented policy for secure transfer of personal data internally and externally."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.13.2.2 (Agreements on information transfer) — ISO/IEC 27001:2013.
  - framework: ISO27001_ANNEX_A
    reference: "A.13.2.2"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Datenübermittlungsrichtlinie"
  - "Schulungsnachweise"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: LOW
  tags: ["policy", "transfer"]
- id: "TOM-TR-04"
  code: "TOM-TR-04"
  category: TRANSFER_CONTROL
  type: TECHNICAL
  name:
    de: "E-Mail-Verschlüsselung"
    en: "Email Encryption"
  # S/MIME or PGP protects message content end-to-end but not headers,
  # subject or recipients, and only works where the counterpart has keys.
  # Transport-level protection of the mail hops (TLS on SMTP) is the
  # baseline for everything else and is not covered by this control.
  description:
    de: "Implementierung von E-Mail-Verschlüsselung (S/MIME, PGP) für vertrauliche Kommunikation."
    en: "Implementation of email encryption (S/MIME, PGP) for confidential communication."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. a"
  # A.13.2.3 (Electronic messaging) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.13.2.3"
  applicabilityConditions:
  - field: "dataProfile.hasSpecialCategories"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 25
  - field: "riskProfile.protectionLevel"
    operator: IN
    value: ["HIGH", "VERY_HIGH"]
    result: RECOMMENDED
    priority: 15
  defaultApplicability: RECOMMENDED
  # The concept should cover certificate/key lifecycle (issuance, expiry,
  # revocation, archive of decryption keys for mailbox recovery).
  evidenceRequirements:
  - "E-Mail-Verschlüsselungskonzept"
  - "Konfigurationsdokumentation"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: MEDIUM
  tags: ["encryption", "email"]
- id: "TOM-TR-05"
  code: "TOM-TR-05"
  category: TRANSFER_CONTROL
  type: TECHNICAL
  name:
    de: "Data Loss Prevention (DLP)"
    en: "Data Loss Prevention (DLP)"
  # DLP inspects what employees send, i.e. it is also employee monitoring.
  # In a German context expect works-council co-determination and a DPIA
  # before rollout; the DLP concept should state inspection scope and what
  # the incident reports retain.
  description:
    de: "Technische Maßnahmen zur Verhinderung unbeabsichtigter oder unbefugter Datenabflüsse."
    en: "Technical measures to prevent unintentional or unauthorized data leakage."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.13.2.2 (2013) is about transfer agreements; A.13.2.1 may fit DLP
  # better — confirm.
  - framework: ISO27001_ANNEX_A
    reference: "A.13.2.2"
  # REQUIRED (priority 30) outranks the two RECOMMENDED triggers only if the
  # evaluator takes the highest priority among matches — confirm.
  applicabilityConditions:
  - field: "dataProfile.hasSpecialCategories"
    operator: EQUALS
    value: true
    result: RECOMMENDED
    priority: 25
  - field: "riskProfile.protectionLevel"
    operator: EQUALS
    value: "VERY_HIGH"
    result: REQUIRED
    priority: 30
  - field: "companyProfile.size"
    operator: IN
    value: ["LARGE", "ENTERPRISE"]
    result: RECOMMENDED
    priority: 10
  defaultApplicability: OPTIONAL
  evidenceRequirements:
  - "DLP-Konfiguration"
  - "Vorfallsberichte"
  reviewFrequency: QUARTERLY
  priority: HIGH
  complexity: HIGH
  tags: ["dlp", "data-protection"]
# =============================================================================
# INPUT CONTROL (Eingabekontrolle)
# =============================================================================
- id: "TOM-IN-01"
  code: "TOM-IN-01"
  category: INPUT_CONTROL
  type: TECHNICAL
  name:
    de: "Audit-Logging"
    en: "Audit Logging"
  # Three things "comprehensive logging" must not mean: logging payload
  # content (the logs would duplicate the personal data), logging secrets
  # (credentials, tokens), or logs an administrator can edit. Ship logs to a
  # separate, append-only store so a compromised admin account cannot erase
  # its own trail; retention belongs to TOM-IN-04.
  description:
    de: "Umfassende Protokollierung aller Datenverarbeitungsvorgänge mit Zeitstempel und Benutzeridentifikation."
    en: "Comprehensive logging of all data processing activities with timestamp and user identification."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.12.4.1 (Event logging) — ISO/IEC 27001:2013 numbering (2022: 8.15).
  - framework: ISO27001_ANNEX_A
    reference: "A.12.4.1"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  # Sample logs used as evidence should be redacted before they leave the
  # log store.
  evidenceRequirements:
  - "Logging-Konzept"
  - "Log-Konfiguration"
  - "Beispiel-Logs"
  reviewFrequency: ANNUAL
  priority: CRITICAL
  complexity: MEDIUM
  tags: ["logging", "audit"]
- id: "TOM-IN-02"
  code: "TOM-IN-02"
  category: INPUT_CONTROL
  type: TECHNICAL
  name:
    de: "Änderungsprotokollierung (Change Log)"
    en: "Change Logging"
  # Record who changed which field when; storing before/after values is
  # only justified where reconstruction genuinely needs them, since the
  # change log then becomes a second copy of the personal data with its own
  # retention and access rules.
  description:
    de: "Automatische Protokollierung aller Änderungen an personenbezogenen Daten."
    en: "Automatic logging of all changes to personal data."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.12.4.1 (Event logging) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.12.4.1"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Change-Log-Konfiguration"
  - "Beispielprotokolle"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["logging", "change-tracking"]
- id: "TOM-IN-03"
  code: "TOM-IN-03"
  category: INPUT_CONTROL
  type: TECHNICAL
  name:
    de: "Eingabevalidierung"
    en: "Input Validation"
  # Categorisation note: "Eingabekontrolle" in the TOM sense is about
  # traceability of who entered or changed data; this control is an
  # application-security measure (injection prevention). It is a valid
  # Art. 32 measure, just a different concern from TOM-IN-01/02 — filing
  # it here may confuse auditors expecting traceability evidence.
  description:
    de: "Technische Validierung aller Eingaben zur Verhinderung von Datenmanipulation und Injection-Angriffen."
    en: "Technical validation of all inputs to prevent data manipulation and injection attacks."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.14.2.5 (Secure system engineering principles) — ISO/IEC 27001:2013.
  - framework: ISO27001_ANNEX_A
    reference: "A.14.2.5"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  # Manual code review alone is thin evidence for "all inputs"; automated
  # checks (SAST/DAST results, test cases for the validation rules) would
  # make this verifiable at QUARTERLY cadence.
  evidenceRequirements:
  - "Validierungsregeln"
  - "Code-Reviews"
  reviewFrequency: QUARTERLY
  priority: HIGH
  complexity: MEDIUM
  tags: ["security", "validation"]
- id: "TOM-IN-04"
  code: "TOM-IN-04"
  category: INPUT_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Log-Aufbewahrung und -Auswertung"
    en: "Log Retention and Analysis"
  # Retention has to satisfy two opposing constraints: long enough to
  # reconstruct an incident discovered late, short enough for storage
  # limitation (Art. 5(1)(e)). Fix a period per log type and document the
  # reasoning; also state who may query the logs, since they identify users.
  description:
    de: "Definierte Aufbewahrungsfristen für Protokolle und regelmäßige Auswertung zur Erkennung von Anomalien."
    en: "Defined retention periods for logs and regular analysis to detect anomalies."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.12.4.1 (Event logging) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.12.4.1"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Log-Aufbewahrungsrichtlinie"
  - "Analyseberichte"
  reviewFrequency: QUARTERLY
  priority: HIGH
  complexity: MEDIUM
  tags: ["logging", "analysis", "retention"]
# =============================================================================
# ORDER CONTROL (Auftragskontrolle)
# =============================================================================
- id: "TOM-OR-01"
  code: "TOM-OR-01"
  category: ORDER_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Auftragsverarbeitungsverträge (AVV)"
    en: "Data Processing Agreements (DPA)"
  description:
    de: "Abschluss von Auftragsverarbeitungsverträgen gemäß Art. 28 DSGVO mit allen Auftragsverarbeitern."
    en: "Conclusion of data processing agreements according to Art. 28 GDPR with all processors."
  mappings:
  - framework: GDPR_ART28
    reference: "Art. 28 Abs. 3"
  # A.15.1.2 (Addressing security within supplier agreements) — 2013.
  - framework: ISO27001_ANNEX_A
    reference: "A.15.1.2"
  # Both conditions and the default yield REQUIRED, so the conditions never
  # change the outcome; they document intent only. A PROCESSOR needs the DPA
  # with its controller as well, which the REQUIRED default covers.
  applicabilityConditions:
  - field: "architectureProfile.hasSubprocessors"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 30
  - field: "companyProfile.role"
    operator: EQUALS
    value: "CONTROLLER"
    result: REQUIRED
    priority: 25
  defaultApplicability: REQUIRED
  # The processor register should map each processor to the purposes and
  # data categories it receives; a stack of signed DPAs alone does not show
  # coverage is complete.
  evidenceRequirements:
  - "Unterschriebene AVVs"
  - "Auftragsverarbeiter-Verzeichnis"
  reviewFrequency: ANNUAL
  priority: CRITICAL
  complexity: LOW
  tags: ["contracts", "avv", "dpa"]
- id: "TOM-OR-02"
  code: "TOM-OR-02"
  category: ORDER_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Auftragsverarbeiter-Prüfung"
    en: "Processor Auditing"
  # Third-party certificates (ISO 27001, SOC 2) are evidence a processor
  # has controls, not evidence they cover the specific processing; check
  # the scope statement and the date, and keep the right to audit from
  # Art. 28(3)(h) usable in practice.
  description:
    de: "Regelmäßige Überprüfung der technischen und organisatorischen Maßnahmen bei Auftragsverarbeitern."
    en: "Regular verification of technical and organizational measures at processors."
  mappings:
  - framework: GDPR_ART28
    reference: "Art. 28 Abs. 3 lit. h"
  # A.15.2.1 (Monitoring and review of supplier services) — 2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.15.2.1"
  applicabilityConditions:
  - field: "architectureProfile.hasSubprocessors"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 25
  defaultApplicability: RECOMMENDED
  evidenceRequirements:
  - "Audit-Berichte"
  - "Zertifikate der Auftragsverarbeiter"
  - "Prüfprotokolle"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["audit", "processor"]
- id: "TOM-OR-03"
  code: "TOM-OR-03"
  category: ORDER_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Weisungsgebundenheit dokumentieren"
    en: "Document Instruction Compliance"
  # Art. 28(3)(a) covers processors acting only on documented instructions;
  # Art. 29 extends the same rule to anyone acting under the controller's or
  # processor's authority, which is why employees are named here too.
  description:
    de: "Dokumentation der Weisungsgebundenheit von Auftragsverarbeitern und Mitarbeitern."
    en: "Documentation of instruction compliance by processors and employees."
  mappings:
  - framework: GDPR_ART28
    reference: "Art. 28 Abs. 3 lit. a"
  - framework: GDPR_ART29
    reference: "Art. 29"
  # Condition and default both yield REQUIRED; the condition only records
  # that processors are the primary addressee.
  applicabilityConditions:
  - field: "companyProfile.role"
    operator: EQUALS
    value: "PROCESSOR"
    result: REQUIRED
    priority: 30
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Weisungsdokumentation"
  - "Schulungsnachweise"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: LOW
  tags: ["processor", "instructions"]
- id: "TOM-OR-04"
  code: "TOM-OR-04"
  category: ORDER_CONTROL
  type: ORGANIZATIONAL
  name:
    de: "Unterauftragsverarbeiter-Management"
    en: "Sub-processor Management"
  # Art. 28(2) requires the controller's prior (general or specific)
  # authorisation; Art. 28(4) requires the same data-protection obligations
  # to flow down to each sub-processor. The evidence below should show both:
  # the approval and the flow-down contract.
  description:
    de: "Dokumentiertes Verfahren für die Genehmigung und Überwachung von Unterauftragsverarbeitern."
    en: "Documented procedure for approval and monitoring of sub-processors."
  mappings:
  - framework: GDPR_ART28
    reference: "Art. 28 Abs. 2, 4"
  # A.15.1.3 (ICT supply chain) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.15.1.3"
  applicabilityConditions:
  - field: "architectureProfile.hasSubprocessors"
    operator: EQUALS
    value: true
    result: REQUIRED
    priority: 30
  - field: "companyProfile.role"
    operator: EQUALS
    value: "PROCESSOR"
    result: REQUIRED
    priority: 25
  defaultApplicability: RECOMMENDED
  evidenceRequirements:
  - "Unterauftragsverarbeiter-Liste"
  - "Genehmigungsprotokolle"
  - "AVVs mit Unterauftragsverarbeitern"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["sub-processor", "management"]
# =============================================================================
# AVAILABILITY (Verfügbarkeit)
# =============================================================================
- id: "TOM-AV-01"
  code: "TOM-AV-01"
  category: AVAILABILITY
  type: TECHNICAL
  name:
    de: "Backup-Strategie"
    en: "Backup Strategy"
  # Practitioner caveats the description leaves implicit: keep at least one
  # copy offline or immutable (a backup reachable with the same credentials
  # as production is lost in the same ransomware event); encrypt backups —
  # they hold the same personal data as production; and make sure erasure
  # requests (Art. 17) have a documented answer for data still in backups.
  description:
    de: "Implementierung einer umfassenden Backup-Strategie mit regelmäßigen Sicherungen und Aufbewahrung."
    en: "Implementation of a comprehensive backup strategy with regular backups and retention."
  mappings:
  # lit. c — ability to restore availability and access — is the right hook.
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. c"
  # A.12.3.1 (Information backup) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.12.3.1"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  # Restore tests are the evidence that matters; backup job logs only show
  # something was written.
  evidenceRequirements:
  - "Backup-Konzept"
  - "Backup-Protokolle"
  - "Restore-Tests"
  reviewFrequency: QUARTERLY
  priority: CRITICAL
  complexity: MEDIUM
  tags: ["backup", "recovery"]
- id: "TOM-AV-02"
  code: "TOM-AV-02"
  category: AVAILABILITY
  type: TECHNICAL
  name:
    de: "Redundante Systeme"
    en: "Redundant Systems"
  description:
    de: "Implementierung von Redundanz für kritische Systeme zur Sicherstellung der Verfügbarkeit."
    en: "Implementation of redundancy for critical systems to ensure availability."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.17.2.1 (Availability of information processing facilities) — 2013.
  - framework: ISO27001_ANNEX_A
    reference: "A.17.2.1"
  # The scale of `ciaAssessment.availability` is not defined in this file;
  # GREATER_THAN 3 presumably means the top band of a 1–5 rating — confirm
  # against the profile schema before relying on the threshold.
  applicabilityConditions:
  - field: "riskProfile.ciaAssessment.availability"
    operator: GREATER_THAN
    value: 3
    result: REQUIRED
    priority: 20
  - field: "riskProfile.protectionLevel"
    operator: EQUALS
    value: "VERY_HIGH"
    result: REQUIRED
    priority: 25
  defaultApplicability: RECOMMENDED
  # Redundancy is only a control if failover has been exercised; a failover
  # test record would strengthen the evidence list.
  evidenceRequirements:
  - "Redundanzkonzept"
  - "Architekturdokumentation"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: HIGH
  tags: ["redundancy", "availability"]
- id: "TOM-AV-03"
  code: "TOM-AV-03"
  category: AVAILABILITY
  type: TECHNICAL
  name:
    de: "Unterbrechungsfreie Stromversorgung (USV)"
    en: "Uninterruptible Power Supply (UPS)"
  description:
    de: "Einsatz von USV-Anlagen zum Schutz kritischer Systeme vor Stromausfällen."
    en: "Use of UPS systems to protect critical systems from power failures."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.11.2.2 (Supporting utilities) — ISO/IEC 27001:2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.11.2.2"
  # INF.2 (data centre / server room) is the fitting BSI module.
  - framework: BSI_IT_GRUNDSCHUTZ
    reference: "INF.2"
  # Public-cloud tenants inherit this from the provider; it falls to the
  # RECOMMENDED default there rather than NOT_APPLICABLE — intentional?
  applicabilityConditions:
  - field: "architectureProfile.hostingModel"
    operator: IN
    value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
    result: REQUIRED
    priority: 15
  defaultApplicability: RECOMMENDED
  # Battery runtime vs. controlled-shutdown time is the figure to record;
  # maintenance logs should include battery tests.
  evidenceRequirements:
  - "USV-Dokumentation"
  - "Wartungsprotokolle"
  reviewFrequency: ANNUAL
  priority: MEDIUM
  complexity: MEDIUM
  tags: ["power", "infrastructure"]
- id: "TOM-AV-04"
  code: "TOM-AV-04"
  category: AVAILABILITY
  type: ORGANIZATIONAL
  name:
    de: "Notfallvorsorge (Business Continuity)"
    en: "Business Continuity Planning"
  # The plan should include the personal-data-breach path (Art. 33/34
  # notification within 72 h) alongside restoration of service; the exercise
  # records below are what prove the plan is usable.
  description:
    de: "Dokumentierte Notfallvorsorge zur Aufrechterhaltung kritischer Geschäftsprozesse."
    en: "Documented emergency preparedness to maintain critical business processes."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. c"
  # A.17.1.1 (Planning information security continuity) — 2013 numbering.
  - framework: ISO27001_ANNEX_A
    reference: "A.17.1.1"
  # Condition and default both yield REQUIRED; the threshold (availability
  # rating above 2, scale undefined here) has no effect on the result.
  applicabilityConditions:
  - field: "riskProfile.ciaAssessment.availability"
    operator: GREATER_THAN
    value: 2
    result: REQUIRED
    priority: 15
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Business-Continuity-Plan"
  - "Notfallkontakte"
  - "Übungsprotokolle"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["bcp", "continuity"]
- id: "TOM-AV-05"
  code: "TOM-AV-05"
  category: AVAILABILITY
  type: TECHNICAL
  name:
    de: "Monitoring und Alerting"
    en: "Monitoring and Alerting"
  # This is availability (uptime) monitoring; security-event alerting is a
  # separate concern covered by the log analysis in TOM-IN-04. Do not count
  # one as evidence for the other.
  description:
    de: "Kontinuierliche Überwachung der Systemverfügbarkeit mit automatischen Benachrichtigungen bei Ausfällen."
    en: "Continuous monitoring of system availability with automatic notifications for outages."
  mappings:
  - framework: GDPR_ART32
    reference: "Art. 32 Abs. 1 lit. b"
  # A.12.4.1 (2013) is event logging; for availability monitoring A.12.1.3
  # (Capacity management) or A.17.2.1 may be closer — confirm.
  - framework: ISO27001_ANNEX_A
    reference: "A.12.4.1"
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
  - "Monitoring-Konfiguration"
  - "Alert-Regeln"
  - "Verfügbarkeitsberichte"
  reviewFrequency: QUARTERLY
  priority: HIGH
  complexity: MEDIUM
  tags: ["monitoring", "alerting"]
# =============================================================================
# SEPARATION (Trennbarkeit)
# =============================================================================
- id: "TOM-SE-01"
code: "TOM-SE-01"
category: SEPARATION
type: TECHNICAL
name:
de: "Mandantentrennung"
en: "Multi-Tenant Separation"
description:
de: "Technische Trennung von Daten verschiedener Kunden/Mandanten in mandantenfähigen Systemen."
en: "Technical separation of data from different customers/tenants in multi-tenant systems."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.13.1.3"
applicabilityConditions:
- field: "architectureProfile.multiTenancy"
operator: EQUALS
value: "MULTI_TENANT"
result: REQUIRED
priority: 30
- field: "companyProfile.role"
operator: EQUALS
value: "PROCESSOR"
result: REQUIRED
priority: 20
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "Mandantentrennungskonzept"
- "Architekturdokumentation"
- "Penetrationstest-Ergebnisse"
reviewFrequency: ANNUAL
priority: CRITICAL
complexity: HIGH
tags: ["multi-tenant", "separation"]
- id: "TOM-SE-02"
  code: "TOM-SE-02"
  category: SEPARATION
  type: TECHNICAL
  name:
    de: "Netzwerksegmentierung"
    en: "Network Segmentation"
  description:
    de: "Segmentierung des Netzwerks zur Trennung verschiedener Sicherheitszonen und Datenverarbeitungsbereiche."
    en: "Network segmentation to separate different security zones and data processing areas."
  mappings:
    - framework: GDPR_ART32
      reference: "Art. 32 Abs. 1 lit. b"
    - framework: ISO27001_ANNEX_A
      reference: "A.13.1.3"
  # NOTE(review): PUBLIC_CLOUD is absent from the hosting-model list below, so a
  # purely public-cloud deployment is raised to REQUIRED only through the
  # protectionLevel condition and otherwise stays at the RECOMMENDED default.
  # Segmentation applies there as well (e.g. virtual-network / security-group
  # boundaries) — confirm the omission is intended.
  applicabilityConditions:
    - field: "architectureProfile.hostingModel"
      operator: IN
      value: ["ON_PREMISE", "PRIVATE_CLOUD", "HYBRID"]
      result: REQUIRED
      priority: 15
    - field: "riskProfile.protectionLevel"
      operator: IN
      value: ["HIGH", "VERY_HIGH"]
      result: REQUIRED
      priority: 20
  defaultApplicability: RECOMMENDED
  evidenceRequirements:
    - "Netzwerkdiagramm"
    - "Firewall-Regeln"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: MEDIUM
  tags: ["network", "segmentation"]
- id: "TOM-SE-03"
code: "TOM-SE-03"
category: SEPARATION
type: TECHNICAL
name:
de: "Umgebungstrennung (Dev/Test/Prod)"
en: "Environment Separation (Dev/Test/Prod)"
description:
de: "Strikte Trennung von Entwicklungs-, Test- und Produktionsumgebungen."
en: "Strict separation of development, test and production environments."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.12.1.4"
applicabilityConditions: []
defaultApplicability: REQUIRED
evidenceRequirements:
- "Umgebungsdokumentation"
- "Zugriffsrechte je Umgebung"
reviewFrequency: ANNUAL
priority: HIGH
complexity: MEDIUM
tags: ["environments", "separation"]
- id: "TOM-SE-04"
code: "TOM-SE-04"
category: SEPARATION
type: ORGANIZATIONAL
name:
de: "Zweckbindung dokumentieren"
en: "Document Purpose Limitation"
description:
de: "Dokumentation und technische Durchsetzung der Zweckbindung bei der Datenverarbeitung."
en: "Documentation and technical enforcement of purpose limitation in data processing."
mappings:
- framework: GDPR_ART5
reference: "Art. 5 Abs. 1 lit. b"
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
applicabilityConditions: []
defaultApplicability: REQUIRED
evidenceRequirements:
- "Verarbeitungsverzeichnis"
- "Zweckdokumentation"
reviewFrequency: ANNUAL
priority: HIGH
complexity: LOW
tags: ["purpose-limitation", "documentation"]
# =============================================================================
# ENCRYPTION (Verschlüsselung)
# =============================================================================
- id: "TOM-ENC-01"
code: "TOM-ENC-01"
category: ENCRYPTION
type: TECHNICAL
name:
de: "Verschlüsselung ruhender Daten"
en: "Encryption at Rest"
description:
de: "Verschlüsselung aller gespeicherten personenbezogenen Daten mit modernen Verschlüsselungsalgorithmen."
en: "Encryption of all stored personal data using modern encryption algorithms."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. a"
- framework: ISO27001_ANNEX_A
reference: "A.10.1.1"
applicabilityConditions:
- field: "dataProfile.hasSpecialCategories"
operator: EQUALS
value: true
result: REQUIRED
priority: 30
- field: "riskProfile.protectionLevel"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: REQUIRED
priority: 20
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "Verschlüsselungskonzept"
- "Konfigurationsdokumentation"
reviewFrequency: ANNUAL
priority: CRITICAL
complexity: MEDIUM
tags: ["encryption", "at-rest"]
- id: "TOM-ENC-02"
  code: "TOM-ENC-02"
  category: ENCRYPTION
  type: TECHNICAL
  name:
    de: "Schlüsselmanagement"
    en: "Key Management"
  description:
    de: "Sicheres Verfahren zur Erzeugung, Speicherung, Rotation und Vernichtung kryptografischer Schlüssel."
    en: "Secure process for generation, storage, rotation and destruction of cryptographic keys."
  mappings:
    - framework: GDPR_ART32
      reference: "Art. 32 Abs. 1 lit. a"
    # NOTE(review): the A.x.y.z references in this catalog match the
    # ISO/IEC 27001:2013 Annex A numbering; the 2022 revision renumbered the
    # controls — confirm which edition the ISO27001_ANNEX_A framework key denotes.
    - framework: ISO27001_ANNEX_A
      reference: "A.10.1.2"
  # NOTE(review): key management becomes REQUIRED only when
  # architectureProfile.encryptionAtRest is true. TOM-ENC-01 and TOM-ENC-03 are
  # raised to REQUIRED through dataProfile.hasSpecialCategories / protectionLevel
  # instead, so a profile can have encryption REQUIRED while key management
  # stays at RECOMMENDED — confirm this gap is intended.
  applicabilityConditions:
    - field: "architectureProfile.encryptionAtRest"
      operator: EQUALS
      value: true
      result: REQUIRED
      priority: 30
  defaultApplicability: RECOMMENDED
  evidenceRequirements:
    - "Schlüsselmanagement-Richtlinie"
    - "HSM/KMS-Dokumentation"
  reviewFrequency: ANNUAL
  priority: HIGH
  complexity: HIGH
  tags: ["encryption", "key-management"]
- id: "TOM-ENC-03"
code: "TOM-ENC-03"
category: ENCRYPTION
type: TECHNICAL
name:
de: "Datenbank-Verschlüsselung"
en: "Database Encryption"
description:
de: "Verschlüsselung von Datenbanken auf Ebene der Datenbank oder einzelner Felder."
en: "Encryption of databases at database level or individual field level."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. a"
- framework: ISO27001_ANNEX_A
reference: "A.10.1.1"
applicabilityConditions:
- field: "dataProfile.hasSpecialCategories"
operator: EQUALS
value: true
result: REQUIRED
priority: 30
- field: "dataProfile.dataVolume"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: RECOMMENDED
priority: 15
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "Datenbank-Verschlüsselungskonfiguration"
- "Feldverschlüsselungsmatrix"
reviewFrequency: ANNUAL
priority: HIGH
complexity: MEDIUM
tags: ["encryption", "database"]
# =============================================================================
# PSEUDONYMIZATION (Pseudonymisierung)
# =============================================================================
- id: "TOM-PS-01"
code: "TOM-PS-01"
category: PSEUDONYMIZATION
type: TECHNICAL
name:
de: "Pseudonymisierungsverfahren"
en: "Pseudonymization Procedures"
description:
de: "Implementierung von Pseudonymisierungsverfahren zur Reduzierung des Personenbezugs von Daten."
en: "Implementation of pseudonymization procedures to reduce the identifiability of data subjects in the data."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. a"
- framework: GDPR_ART25
reference: "Art. 25 Abs. 1"
applicabilityConditions:
- field: "dataProfile.hasSpecialCategories"
operator: EQUALS
value: true
result: REQUIRED
priority: 25
- field: "dataProfile.dataVolume"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: RECOMMENDED
priority: 15
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "Pseudonymisierungskonzept"
- "Mapping-Tabellen-Sicherheit"
reviewFrequency: ANNUAL
priority: HIGH
complexity: HIGH
tags: ["pseudonymization", "data-minimization"]
- id: "TOM-PS-02"
code: "TOM-PS-02"
category: PSEUDONYMIZATION
type: ORGANIZATIONAL
name:
de: "Datenanonymisierung für Analysen"
en: "Data Anonymization for Analytics"
description:
de: "Verfahren zur Anonymisierung von Daten für Analyse- und Statistikzwecke."
en: "Procedures for anonymizing data for analysis and statistical purposes."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. a"
- framework: GDPR_ART25
reference: "Art. 25 Abs. 1"
applicabilityConditions:
- field: "dataProfile.dataVolume"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: RECOMMENDED
priority: 15
defaultApplicability: OPTIONAL
evidenceRequirements:
- "Anonymisierungskonzept"
- "Risikoanalyse zur Re-Identifizierung"
reviewFrequency: ANNUAL
priority: MEDIUM
complexity: HIGH
tags: ["anonymization", "analytics"]
# =============================================================================
# RESILIENCE (Belastbarkeit)
# =============================================================================
- id: "TOM-RE-01"
code: "TOM-RE-01"
category: RESILIENCE
type: TECHNICAL
name:
de: "Load Balancing"
en: "Load Balancing"
description:
de: "Implementierung von Lastverteilung zur Sicherstellung der Systemstabilität bei hoher Last."
en: "Implementation of load balancing to ensure system stability under high load."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.17.2.1"
applicabilityConditions:
- field: "riskProfile.ciaAssessment.availability"
operator: GREATER_THAN
value: 3
result: REQUIRED
priority: 20
- field: "dataProfile.dataVolume"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: RECOMMENDED
priority: 15
defaultApplicability: OPTIONAL
evidenceRequirements:
- "Load-Balancer-Konfiguration"
- "Kapazitätsplanung"
reviewFrequency: QUARTERLY
priority: MEDIUM
complexity: MEDIUM
tags: ["resilience", "load-balancing"]
- id: "TOM-RE-02"
code: "TOM-RE-02"
category: RESILIENCE
type: TECHNICAL
name:
de: "DDoS-Schutz"
en: "DDoS Protection"
description:
de: "Maßnahmen zum Schutz vor Distributed-Denial-of-Service-Angriffen."
en: "Measures to protect against Distributed Denial of Service attacks."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.13.1.1"
applicabilityConditions:
- field: "architectureProfile.hostingModel"
operator: IN
value: ["PUBLIC_CLOUD", "HYBRID"]
result: RECOMMENDED
priority: 15
- field: "riskProfile.protectionLevel"
operator: EQUALS
value: "VERY_HIGH"
result: REQUIRED
priority: 25
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "DDoS-Schutzkonzept"
- "WAF-Konfiguration"
reviewFrequency: QUARTERLY
priority: HIGH
complexity: MEDIUM
tags: ["security", "ddos"]
- id: "TOM-RE-03"
code: "TOM-RE-03"
category: RESILIENCE
type: TECHNICAL
name:
de: "Auto-Scaling"
en: "Auto-Scaling"
description:
de: "Automatische Skalierung von Ressourcen basierend auf der tatsächlichen Last."
en: "Automatic scaling of resources based on actual load."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.12.1.3"
applicabilityConditions:
- field: "architectureProfile.hostingModel"
operator: IN
value: ["PUBLIC_CLOUD", "HYBRID"]
result: RECOMMENDED
priority: 15
defaultApplicability: OPTIONAL
evidenceRequirements:
- "Auto-Scaling-Konfiguration"
- "Kapazitätsmetriken"
reviewFrequency: QUARTERLY
priority: MEDIUM
complexity: MEDIUM
tags: ["cloud", "scaling"]
# =============================================================================
# RECOVERY (Wiederherstellbarkeit)
# =============================================================================
- id: "TOM-RC-01"
code: "TOM-RC-01"
category: RECOVERY
type: TECHNICAL
name:
de: "Disaster Recovery Plan"
en: "Disaster Recovery Plan"
description:
de: "Dokumentierter und getesteter Plan zur Wiederherstellung von IT-Systemen nach einem Katastrophenfall."
en: "Documented and tested plan for restoring IT systems after a disaster."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. c"
- framework: ISO27001_ANNEX_A
reference: "A.17.1.2"
applicabilityConditions:
- field: "riskProfile.ciaAssessment.availability"
operator: GREATER_THAN
value: 2
result: REQUIRED
priority: 20
defaultApplicability: REQUIRED
evidenceRequirements:
- "Disaster-Recovery-Plan"
- "Test-Protokolle"
- "RTO/RPO-Definitionen"
reviewFrequency: ANNUAL
priority: CRITICAL
complexity: HIGH
tags: ["disaster-recovery", "bcp"]
- id: "TOM-RC-02"
code: "TOM-RC-02"
category: RECOVERY
type: TECHNICAL
name:
de: "Geo-Redundanz"
en: "Geo-Redundancy"
description:
de: "Geografisch verteilte Datenhaltung zur Sicherstellung der Verfügbarkeit bei regionalen Ausfällen."
en: "Geographically distributed data storage to ensure availability during regional outages."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. c"
- framework: ISO27001_ANNEX_A
reference: "A.17.2.1"
applicabilityConditions:
- field: "riskProfile.protectionLevel"
operator: EQUALS
value: "VERY_HIGH"
result: REQUIRED
priority: 30
- field: "riskProfile.ciaAssessment.availability"
operator: GREATER_THAN
value: 4
result: REQUIRED
priority: 25
defaultApplicability: OPTIONAL
evidenceRequirements:
- "Geo-Redundanz-Konzept"
- "Standort-Dokumentation"
reviewFrequency: ANNUAL
priority: HIGH
complexity: HIGH
tags: ["geo-redundancy", "availability"]
- id: "TOM-RC-03"
code: "TOM-RC-03"
category: RECOVERY
type: ORGANIZATIONAL
name:
de: "Wiederherstellungstests"
en: "Recovery Testing"
description:
de: "Regelmäßige Tests der Wiederherstellungsverfahren zur Validierung der Backup- und DR-Strategie."
en: "Regular testing of recovery procedures to validate backup and DR strategy."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. d"
- framework: ISO27001_ANNEX_A
reference: "A.17.1.3"
applicabilityConditions: []
defaultApplicability: REQUIRED
evidenceRequirements:
- "Test-Protokolle"
- "Wiederherstellungszeiten"
- "Maßnahmenplan bei Fehlern"
reviewFrequency: SEMI_ANNUAL
priority: HIGH
complexity: MEDIUM
tags: ["testing", "recovery"]
# =============================================================================
# REVIEW (Überprüfung & Bewertung)
# =============================================================================
- id: "TOM-RV-01"
code: "TOM-RV-01"
category: REVIEW
type: ORGANIZATIONAL
name:
de: "Regelmäßige TOM-Überprüfung"
en: "Regular TOM Review"
description:
de: "Periodische Überprüfung und Aktualisierung der technischen und organisatorischen Maßnahmen."
en: "Periodic review and update of technical and organizational measures."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. d"
- framework: ISO27001_ANNEX_A
reference: "A.18.2.1"
applicabilityConditions: []
defaultApplicability: REQUIRED
evidenceRequirements:
- "Überprüfungsprotokolle"
- "Maßnahmenplan"
reviewFrequency: ANNUAL
priority: HIGH
complexity: LOW
tags: ["review", "compliance"]
- id: "TOM-RV-02"
code: "TOM-RV-02"
category: REVIEW
type: TECHNICAL
name:
de: "Penetrationstests"
en: "Penetration Testing"
description:
de: "Regelmäßige Durchführung von Penetrationstests durch qualifizierte Prüfer."
en: "Regular penetration testing by qualified testers."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. d"
- framework: ISO27001_ANNEX_A
reference: "A.18.2.3"
applicabilityConditions:
- field: "riskProfile.protectionLevel"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: REQUIRED
priority: 20
- field: "dataProfile.hasSpecialCategories"
operator: EQUALS
value: true
result: REQUIRED
priority: 25
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "Penetrationstest-Berichte"
- "Maßnahmenplan"
reviewFrequency: ANNUAL
priority: HIGH
complexity: HIGH
tags: ["security-testing", "pentest"]
- id: "TOM-RV-03"
code: "TOM-RV-03"
category: REVIEW
type: TECHNICAL
name:
de: "Schwachstellenscanning"
en: "Vulnerability Scanning"
description:
de: "Regelmäßiges automatisiertes Scanning nach bekannten Schwachstellen in Systemen und Anwendungen."
en: "Regular automated scanning for known vulnerabilities in systems and applications."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. d"
- framework: ISO27001_ANNEX_A
reference: "A.12.6.1"
applicabilityConditions: []
defaultApplicability: REQUIRED
evidenceRequirements:
- "Scan-Berichte"
- "Behebungsnachweis"
reviewFrequency: MONTHLY
priority: HIGH
complexity: MEDIUM
tags: ["security-testing", "vulnerability"]
- id: "TOM-RV-04"
code: "TOM-RV-04"
category: REVIEW
type: ORGANIZATIONAL
name:
de: "Sicherheitsaudits"
en: "Security Audits"
description:
de: "Durchführung regelmäßiger interner oder externer Sicherheitsaudits."
en: "Conducting regular internal or external security audits."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. d"
- framework: ISO27001_ANNEX_A
reference: "A.18.2.1"
applicabilityConditions:
- field: "riskProfile.protectionLevel"
operator: IN
value: ["HIGH", "VERY_HIGH"]
result: REQUIRED
priority: 20
- field: "companyProfile.role"
operator: EQUALS
value: "PROCESSOR"
result: REQUIRED
priority: 15
defaultApplicability: RECOMMENDED
evidenceRequirements:
- "Audit-Berichte"
- "Zertifikate"
- "Maßnahmenplan"
reviewFrequency: ANNUAL
priority: HIGH
complexity: MEDIUM
tags: ["audit", "compliance"]
- id: "TOM-RV-05"
code: "TOM-RV-05"
category: REVIEW
type: ORGANIZATIONAL
name:
de: "Datenschutzschulung"
en: "Data Protection Training"
description:
de: "Regelmäßige Schulung aller Mitarbeiter zu Datenschutz und IT-Sicherheit."
en: "Regular training of all employees on data protection and IT security."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.7.2.2"
applicabilityConditions: []
defaultApplicability: REQUIRED
evidenceRequirements:
- "Schulungskonzept"
- "Teilnehmerlisten"
- "Schulungsnachweise"
reviewFrequency: ANNUAL
priority: HIGH
complexity: LOW
tags: ["training", "awareness"]
- id: "TOM-RV-06"
  code: "TOM-RV-06"
  category: REVIEW
  type: ORGANIZATIONAL
  name:
    de: "Incident Response Plan"
    en: "Incident Response Plan"
  description:
    de: "Dokumentiertes Verfahren zur Erkennung, Meldung und Behandlung von Sicherheitsvorfällen."
    en: "Documented procedure for detection, reporting and handling of security incidents."
  mappings:
    # Art. 33: notification of a personal data breach to the supervisory
    # authority; Art. 34: communication of the breach to the data subject.
    - framework: GDPR_ART33
      reference: "Art. 33"
    - framework: GDPR_ART34
      reference: "Art. 34"
    - framework: ISO27001_ANNEX_A
      reference: "A.16.1.1"
  # No conditions: the measure is REQUIRED for every profile via the default.
  applicabilityConditions: []
  defaultApplicability: REQUIRED
  evidenceRequirements:
    - "Incident-Response-Plan"
    - "Kontaktliste"
    - "Meldeformulare"
    - "Übungsprotokolle"
  reviewFrequency: ANNUAL
  priority: CRITICAL
  complexity: MEDIUM
  tags: ["incident-response", "breach"]
- id: "TOM-RV-07"
code: "TOM-RV-07"
category: REVIEW
type: TECHNICAL
name:
de: "Security Information and Event Management (SIEM)"
en: "Security Information and Event Management (SIEM)"
description:
de: "Zentralisierte Sammlung und Analyse von Sicherheitsereignissen zur Erkennung von Angriffen."
en: "Centralized collection and analysis of security events to detect attacks."
mappings:
- framework: GDPR_ART32
reference: "Art. 32 Abs. 1 lit. b"
- framework: ISO27001_ANNEX_A
reference: "A.12.4.1"
applicabilityConditions:
- field: "riskProfile.protectionLevel"
operator: EQUALS
value: "VERY_HIGH"
result: REQUIRED
priority: 30
- field: "companyProfile.size"
operator: IN
value: ["LARGE", "ENTERPRISE"]
result: RECOMMENDED
priority: 15
defaultApplicability: OPTIONAL
evidenceRequirements:
- "SIEM-Konfiguration"
- "Korrelationsregeln"
- "Alert-Berichte"
reviewFrequency: QUARTERLY
priority: HIGH
complexity: HIGH
tags: ["siem", "monitoring", "detection"]
- id: "TOM-RV-08"
code: "TOM-RV-08"
category: REVIEW
type: ORGANIZATIONAL
name:
de: "Datenschutz-Folgenabschätzung (DSFA)"
en: "Data Protection Impact Assessment (DPIA)"
description:
de: "Durchführung von Datenschutz-Folgenabschätzungen für risikoreiche Verarbeitungen."
en: "Conducting data protection impact assessments for high-risk processing."
mappings:
- framework: GDPR_ART35
reference: "Art. 35"
- framework: ISO27001_ANNEX_A
reference: "A.18.1.4"
applicabilityConditions:
- field: "riskProfile.dsfaRequired"
operator: EQUALS
value: true
result: REQUIRED
priority: 30
- field: "dataProfile.hasSpecialCategories"
operator: EQUALS
value: true
result: REQUIRED
priority: 25
- field: "dataProfile.processesMinors"
operator: EQUALS
value: true
result: REQUIRED
priority: 25
defaultApplicability: OPTIONAL
evidenceRequirements:
- "DSFA-Dokumentation"
- "Risikobewertung"
- "Maßnahmenplan"
reviewFrequency: ANNUAL
priority: CRITICAL
complexity: HIGH
tags: ["dpia", "dsfa", "risk-assessment"]