
Standards and norms

From HITGuard User Guide
Revision as of 11 March 2025, 10:24 by Isan (talk | contribs)

There are many different standards to whose contents a knowledge base can be related, whether that content consists of review questions, threats, measures or controls. Examples of such standards: BSI, ISO 27001, EU-GDPR, etc.

Standards and norms are divided into chapters, which in turn may contain sub-chapters. These chapters (or sub-chapters) can reference other chapters (and sub-chapters); a reference is unidirectional by default, but bidirectional references can be created. Likewise, chapters can reference chapters and sub-chapters of other standards, which makes it possible to derive one standard from another. As a consequence, an audit question that references such a standard chapter is automatically also related to the mapped chapter of the other standard.

Knowledge bases can map audit questions, controls, threats or measures to standards and norms. This mapping means that certain evaluations can be made against standards and norms, e.g., about measures and controls that have already been implemented. This makes it clear in which areas of the standard a company is particularly active. This allows statements to be made about the degree of compliance with the standard and the score of the management system in this area.

The norms and standards provided by TogetherSecure cannot be modified by users. Norms and standards created by users may, however, reference these "vendor chapters".

However, a "definition of the scope" can be recorded for each standard or norm, separately for each management system. As part of this, each standard chapter can be marked, with a justification, as applicable or not applicable for the current management system. This information can be used to generate a "Statement of Applicability" report under "Risk Management → Reports → Standards and Norms".

Standards and norms


Import standard or norm

HITGuard ships the following standards and norms out of the box:

  • B3S Gesundheit V1.2
  • BDSG
  • CSC_V6.1
  • DSG Österreich
  • DSG Schweiz
  • DSG-EKD
  • DSGVO
  • EN IEC 62443-2-1:2024
  • ISO 9000-2015
  • ISO 9001-2015
  • ISO 14001-2015
  • ISO 27001-2013
  • ISO 27001-2022
  • ISO 27002-2013
  • ISO 27002-2022
  • ISO 50001-2018
  • IT-Grundschutz-Kompendium 2019
  • IT-Grundschutz-Kompendium 2020
  • IT-Grundschutz-Kompendium 2021
  • IT-Grundschutz-Kompendium 2022
  • IT-Grundschutz-Kompendium 2023
  • NIS-2 Richtlinie
  • PCI DSS v3.2.1
  • PCI DSS v4.0

But these are not installed automatically!

However, the desired standards or norms can be easily imported under "Administration → Standards and norms". To do this, simply click on the "Import standard" button and select the desired standard or norm.

Record standard or norm

Standards and norms can be entered and edited by experts under "Administration → Standards and norms". The goal when entering a standard or norm is to capture the structure of the standard without content.

Record standard/norm


Standard/Norm

The header data of the standard or norm is recorded here.

Short name: The short name of the standard or norm, e.g. ISO/IEC 27001:2017.

Long name: The long name of the standard or norm, e.g. Information technology - Security techniques - Information security management systems - Requirements.

Description: Description of the standard.

State: Effective date of the standard.

Scope definition: A "Scope definition" can be entered here for the current management system. This is configurable per management system.

Chapter

The chapter structure of the standard is recorded here. On the left side, the structure is displayed hierarchically. The plus button is used to create new chapters. On the right side you enter the header data, parent chapters and outgoing mappings.

Superordinate chapter: If this is a subchapter, the parent chapter must be specified here; this is how the structure of the standard is reproduced.

Outline: The outline number of the chapter is assigned here. It normally corresponds to the numbering of the standard, e.g. 01 Ch. I, 02 Ch. II, etc.

Short name: The name of the chapter according to the norm or standard.

Description: The description of the chapter according to the standard.

Not applicable: Here you can record whether a chapter is applicable for the current management system or not (configurable per management system). Please note the behavior regarding parent chapters: if a superordinate chapter is set to "not applicable", the system automatically applies this setting to all subchapters assigned to that chapter, and a prompt asks whether the justification text should be adopted as well. If a parent chapter is changed back to "applicable", this does NOT automatically overwrite the settings of the assigned subchapters; you have to check yourself whether each subchapter is actually applicable.

Rationale: A rationale for applicability can be recorded here. (Configurable per management system)

Incoming Mappings: Any standard or norm chapters that map to this chapter are listed here.

Caution: Only mappings from other standards/norms are shown here. All other incoming mappings, such as from a measure, risk or knowledge base, are not displayed here.

Outgoing Mappings: Here the norm/standard chapter can be mapped to a chapter of other norms/standards. It can only be mapped to other norm or standard chapters.

For both incoming and outgoing mappings in addition to the numbering and name of the chapter, the name of the standard itself is also displayed.
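The applicability inheritance rules above and the transitive relation through outgoing mappings (one standard derived from another) can be modelled as follows. This is an added illustration, not HITGuard code; the chapter outline numbers in the sample are constructed and do not reproduce the standards' real text.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)  # identity equality: parent/children links are cyclic
class Chapter:
    standard: str
    outline: str                      # numbering, e.g. "A.5"
    parent: Optional["Chapter"] = None
    applicable: bool = True
    rationale: str = ""
    outgoing: list = field(default_factory=list)  # mappings to other standards' chapters
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

def set_not_applicable(ch, rationale, adopt_rationale=True):
    # "Not applicable" is pushed down to every subchapter; the rationale only if confirmed.
    ch.applicable = False
    ch.rationale = rationale
    for sub in ch.children:
        set_not_applicable(sub, rationale if adopt_rationale else sub.rationale, adopt_rationale)

def set_applicable(ch):
    # Reverting a parent to "applicable" deliberately leaves its subchapters untouched.
    ch.applicable = True

def related_chapters(ch):
    # Follow outgoing mappings transitively; an audit question on `ch` relates to all of these.
    seen, stack = [], list(ch.outgoing)
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.append(c)
            stack.extend(c.outgoing)
    return sorted(f"{c.standard} {c.outline}" for c in seen)

def statement_of_applicability(chapters):
    # One row per chapter in outline order, as the SoA report lists them.
    return [(c.outline, c.applicable, c.rationale)
            for c in sorted(chapters, key=lambda c: c.outline)]

# Constructed sample data: outline numbers are illustrative, not the standards' real text.
a5_22 = Chapter("ISO 27001-2022", "A.5")
a51_22 = Chapter("ISO 27001-2022", "A.5.1", parent=a5_22)
a52_22 = Chapter("ISO 27001-2022", "A.5.2", parent=a5_22)
a5_13 = Chapter("ISO 27001-2013", "A.5")
a511_13 = Chapter("ISO 27001-2013", "A.5.1.1", parent=a5_13)
a51_22.outgoing.append(a511_13)                    # new version mapped to previous version
a511_13.outgoing.append(Chapter("ISO 27002-2013", "5.1.1"))
```

Calling `set_not_applicable(a5_22, "...")` and then `set_applicable(a5_22)` leaves A.5.1 and A.5.2 not applicable, which is exactly the case the "Not applicable" field warns about.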

Linked elements

The links of the chapters of individual standards and norms can be viewed on this page.

Every chapter level shows the number of its links as well as the links of subordinate chapter levels in the column "#". Expanding the levels shows the individual linked elements in the following column.

Available links:

  • risks (red)
  • measures (green)
  • control definitions (purple)
  • documents (blue)

Moving the cursor onto one of the elements reveals a tooltip showing some of its content. Every element also has a link button for opening it. Documents can either be opened directly or, if the corresponding license is present, viewed in the doc management. Links can be viewed but not edited on this page.

The checkbox "Include mapped standard chapters" allows you to expand the list of linked elements. It adds those elements that are linked to related (mapped) standard or norm chapters.

The documents displayed here are the ones that have been uploaded via Doc management → Documents.

Linked elements


Tips, tricks & best practices

You can reference further norms: for example, when updating to a new version of a standard, you should map from the current version to the previous one. This gives an overview of the norm chapters already covered and of any gaps created by new requirements before the first analysis with the new norm or standard is carried out. Those gaps can then be addressed first.