
Standards und Normen/en: Difference between revisions

From HITGuard User Guide
Sala (talk | contribs)
Created page with "<u>Superordinate chapter:</u> * If it is a subchapter, the parent chapter must be specified here. Hereby the structure of the standard is reproduced."
Sala (talk | contribs)
Created page with "<u>Outline:</u> * Here an outline number is assigned to the chapter. The outline normally corresponds to that of the standard, e.g. 01 Ch. I, 02 Ch. II, etc."
Revision as of 19 January 2021, 13:34

Knowledge bases can be related to the contents of many different standards, in terms of audit questions, threats, measures or controls. Examples of standards: BSI, ISO 27001, ISO 80001, EU GDPR, etc.

Standards and norms are divided into chapters, which in turn may contain sub-chapters. These chapters (or sub-chapters) can reference other chapters (and sub-chapters); a reference is in principle unidirectional, although bidirectional references can be created. Likewise, chapters can reference chapters and sub-chapters of other standards. This makes it possible to derive one standard from another. It also means that, for example, an audit question that references such a standard chapter is automatically related to the mapped chapter of the other standard as well.

Knowledge bases can map audit questions, controls, threats or measures to standards and norms. This mapping allows certain evaluations to be made against standards and norms, e.g. about the measures and controls that have already been implemented. It shows in which areas of the standard a company is particularly active, and so allows statements about the degree of compliance with the standard and the maturity of the management system in that area.

The norms and standards provided by TogetherSecure cannot be modified by users. Chapters of custom-created norms and standards may, however, reference these "vendor chapters".

A "scope definition" can nevertheless be recorded for each standard or norm, per management system. In addition, for each standard chapter it can be selected, with a justification, whether it applies to the current management system or not. This information is used to generate a "Statement of Applicability" report under "Risk Management → Reports → Standards and Norms".
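The paragraphs above describe a data model rather than a procedure: a chapter hierarchy per standard, unidirectional mapping edges between chapters (a bidirectional reference being two edges), audit questions that inherit relations through those edges, and a per-management-system applicability decision with justification that feeds the Statement of Applicability. The following is an added example written for this guide, not HITGuard code; the class, method and field names, the management-system name "ISMS-2021" and all chapter data are invented to illustrate the model, and the chapter titles are not the text of any real standard.

```python
"""Toy model of standard chapters, cross-standard mappings and a Statement of Applicability.

Added illustration only: not HITGuard code. All names and sample data are invented.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]  # (standard short name, chapter outline number)


@dataclass(frozen=True)
class Chapter:
    standard: str
    outline: str
    title: str
    parent: Optional[Key] = None  # superordinate chapter; reproduces the standard's structure


class StandardsModel:
    def __init__(self) -> None:
        self.chapters: Dict[Key, Chapter] = {}
        self.mappings: Dict[Key, Set[Key]] = {}            # unidirectional edges: source -> targets
        self.question_refs: Dict[str, Set[Key]] = {}       # audit question -> directly referenced chapters
        self.applicability: Dict[Tuple[str, Key], Tuple[bool, str]] = {}  # (mgmt system, chapter) -> (applicable, why)
        self.implemented: Dict[str, Set[Key]] = {}         # mgmt system -> chapters with an implemented control

    def add_chapter(self, ch: Chapter) -> None:
        if ch.parent is not None and ch.parent not in self.chapters:
            raise ValueError(f"parent {ch.parent} must exist before {ch.outline}")
        self.chapters[(ch.standard, ch.outline)] = ch

    def add_mapping(self, src: Key, dst: Key, bidirectional: bool = False) -> None:
        """A reference is one-way; a bidirectional reference is simply two edges."""
        for k in (src, dst):
            if k not in self.chapters:
                raise KeyError(k)
        self.mappings.setdefault(src, set()).add(dst)
        if bidirectional:
            self.mappings.setdefault(dst, set()).add(src)

    def incoming(self, key: Key) -> Set[Key]:
        """Chapters of any standard that map onto this chapter."""
        return {s for s, dsts in self.mappings.items() if key in dsts}

    def related_chapters(self, start: Key) -> Set[Key]:
        """Everything reachable over outgoing mappings (a derived standard inherits relations)."""
        seen, todo = {start}, deque([start])
        while todo:
            for nxt in self.mappings.get(todo.popleft(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return seen - {start}

    def add_question(self, qid: str, *refs: Key) -> None:
        self.question_refs[qid] = set(refs)

    def question_relations(self, qid: str) -> Set[Key]:
        """Direct references plus all chapters reachable from them via mappings."""
        out: Set[Key] = set()
        for ref in self.question_refs[qid]:
            out.add(ref)
            out |= self.related_chapters(ref)
        return out

    def set_applicability(self, ms: str, key: Key, applicable: bool, justification: str) -> None:
        if not applicable and not justification.strip():
            raise ValueError("excluding a chapter from scope requires a justification")
        self.applicability[(ms, key)] = (applicable, justification)

    def mark_implemented(self, ms: str, key: Key) -> None:
        self.implemented.setdefault(ms, set()).add(key)

    def statement_of_applicability(self, standard: str, ms: str) -> List[dict]:
        """One row per chapter of the standard, in outline order, for the given management system."""
        rows = []
        for key, ch in sorted(self.chapters.items(), key=lambda kv: kv[0]):
            if ch.standard != standard:
                continue
            applicable, why = self.applicability.get((ms, key), (True, ""))  # in scope unless excluded
            rows.append({"outline": ch.outline, "title": ch.title, "applicable": applicable,
                         "justification": why, "implemented": key in self.implemented.get(ms, set())})
        return rows

    def coverage(self, standard: str, ms: str) -> float:
        """Share of applicable chapters that already have an implemented control."""
        rows = [r for r in self.statement_of_applicability(standard, ms) if r["applicable"]]
        return sum(r["implemented"] for r in rows) / len(rows) if rows else 0.0


def build_demo() -> StandardsModel:
    """Constructed sample data; chapter titles are placeholders, not real standard text."""
    m = StandardsModel()
    m.add_chapter(Chapter("ISO 27001", "A.5", "Policies"))
    m.add_chapter(Chapter("ISO 27001", "A.5.1", "Policy set", parent=("ISO 27001", "A.5")))
    m.add_chapter(Chapter("ISO 27001", "A.9.1", "Access rules"))
    m.add_chapter(Chapter("BSI", "ORP.1", "Organisation"))
    m.add_chapter(Chapter("BSI", "ORP.4", "Identity management"))
    m.add_chapter(Chapter("Custom", "1", "Our policy chapter"))
    m.add_mapping(("ISO 27001", "A.5.1"), ("BSI", "ORP.1"))                   # one-way reference
    m.add_mapping(("ISO 27001", "A.9.1"), ("BSI", "ORP.4"), bidirectional=True)
    m.add_mapping(("Custom", "1"), ("ISO 27001", "A.5.1"))                   # custom chapter -> vendor chapter
    m.add_question("Q1", ("Custom", "1"))
    m.set_applicability("ISMS-2021", ("ISO 27001", "A.9.1"), False, "no multi-user systems in scope")
    m.mark_implemented("ISMS-2021", ("ISO 27001", "A.5.1"))
    return m
```

In the sample, question Q1 references only the custom chapter, yet it is related to ISO 27001 A.5.1 and, through that, to BSI ORP.1, because the mapping chain is followed transitively; the reverse direction is not followed unless a bidirectional reference was created. The Statement of Applicability keeps excluded chapters in the report with their justification, which is what an auditor expects to see, and the coverage figure only counts chapters that are in scope.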

Standards and norms


Import standard or norm

HITGuard ships with the following standards and norms:

  • ISO 27001-2013
  • ISO 27002-2013
  • ISO 9000-2015
  • ISO 9001-2015
  • IT-Grundschutz-Kompendium 2019
  • IT-Grundschutz-Kompendium 2020
  • GDPR
  • CSC_V6.1

They are not installed automatically, however.

The desired standards or norms can be imported under "Administration → Standards and norms": click the "Import standard" button and select the standard or norm to import.

Capture standard or norm

Standards and norms can be entered and edited by administrators and experts under "Administration → Standards and norms". The goal when capturing a standard or norm is to capture the structure of the standard without content.

Capture standard / norm


Standard / Norm

The header data of the standard or norm is recorded here.

Short name:

  • The short name of the standard or norm, e.g. ISO/IEC 27001:2017.

Long name:

  • The long name of the standard or norm, e.g. Information technology - Security techniques - Information security management systems - Requirements.

Description:

  • Description of the standard.

State:

  • State of the standard.

Scope definition:

  • A "Scope definition" can be entered here for the current management system. This is configurable per management system.

Chapter

The chapter structure of the standard is recorded here. On the left side, the structure is displayed hierarchically. The plus button is used to create new chapters. On the right side you enter the header data, parent chapters and outgoing mappings.

Superordinate chapter:

  • If it is a subchapter, the parent chapter must be specified here. Hereby the structure of the standard is reproduced.

Outline:

  • Here an outline number is assigned to the chapter. The outline normally corresponds to that of the standard, e.g. 01 Ch. I, 02 Ch. II, etc.

Short name:

  • The name of the chapter as given in the norm or standard.

Description:

  • The description of the chapter as given in the norm.

Not applicable:

  • Here it can be recorded whether a chapter is applicable to the current management system or not. (Configurable per management system)

Justification:

  • Here a justification for the applicability decision can be recorded. (Configurable per management system)

Incoming mappings:

  • All norm or standard chapters that map onto this chapter are listed here.

Outgoing mappings:

  • Here the norm/standard chapter can be mapped onto a chapter of other norms/standards.