
HITGuard Release April 2025

From the HITGuard User Guide
Revision as of 24 April 2025, 09:11 by Isan

RISK MANAGEMENT NEWS

More options for Practitioners submitting risks

Starting with this release, the submitter of a risk can themselves suggest the responsible and the advisor for the risk. The submitter is suggested as responsible as well as advisor when submitting a risk. They can, however, change this to another user. This option is available to them until the first time they click Save or they submit the risk, after which no more changes are possible.

Until the risk is submitted, it is in the new state “Submission pending” and is only visible to the responsible and the advisor. In this state it is also marked with a badge so it cannot be overlooked and forgotten.


Another innovation is that the responsible is also more involved in the entire process. If, for example, a review of a risk was requested, the responsible can at this time change the advisor. If they do so, the previous as well as the new advisor are informed of the change. The responsible cannot dodge their own responsibility. Furthermore, the advisor cannot give away their responsibility themselves; they need to contact the responsible or an Expert/Professional for this.


Innovations in the structural analysis

The structural analysis in the risk management was expanded by the following comfort features:

  • First, you can now also change the view by using the radio buttons next to the options of the main views. The trusted double click also still works.
  • Second, link buttons were introduced, with which you can jump from the structural analysis to the index pages of the respective main views, meaning to organizational units, resources, data categories, and processes.

Risk management KPI expansions

The following KPIs were expanded by options with which to configure whether they consider only risks, only opportunities, or both in their evaluations.

  • Active risks/opportunities and their treatment
  • Risks/opportunities by category
  • Risks/opportunities by state
  • Risk matrix
  • Top risks/opportunities

For this, checkboxes were implemented in the filter which allow you to make that selection.



Filter and sort risks by protection targets

There is an additional, new evaluation option for risks and opportunities, where you can display their protection targets in the overview. You can also filter and sort by them. With this, it is now possible to compare risks and opportunities on the level of protection targets.


Filter and sort risks by monetary impact

Another comfort function in the overview of risks and opportunities is the new option to filter and sort them by their monetary impact. Here, we additionally added a summation so you may have your eye on the entirety of the monetary impact at once.

SOA report now includes documents

The risk management report “Statement of applicability” which can be found under Risk management > Reports > Standards and norms > Statement of applicability was expanded by the report option “linked documents”. This option is only available if you have licensed and activated the Doc management Add-on for your user. It allows you to list the documents that are linked to the various standard chapters in the report. This is done in the form of file names next to the respective chapters.


AUDIT MANAGEMENT NEWS

Copy function for reviews

For more ease and speed in the planning of audits and single reviews, it is now possible to copy or revaluate reviews at the click of a button. This new option is available in the audit management calendars, in the section Audit execution and in the Risk management in the Vulnerabilities area.



Copy review

Reviews can be copied in any state. The master data are reused and the review objects from the original review are added to the copy as empty, unanswered objects (in the pattern of the old review). The new reviews created this way are then in the state “Draft”.


Revaluate review

Closed reviews can be revaluated at the click of a button. Here, too, the master data from the original review are reused and, in addition, the review objects are prepared for revaluation according to the already known configuration settings. This means that you can, for example, prefill the review objects with the positive answers from previous years in order to only answer negative findings and new questions from updated questionnaires.


Note: In both cases you have the option of using the current knowledge base for the creation of the review objects. This means that in this case the preferred version of the knowledge base is used as the source of the created review objects. Therefore, new review questions are added, significantly changed review questions are posed for new evaluation, and deleted review questions are removed. If you do not choose this option, the same version is used as in the original review.

Better display of mappings in reviews

We made the display of the direct (linked) and indirect (related) norm-mappings in review questions neater. Especially in questions with a large number of mappings this is very helpful. The name of the standards and norms is now underlined, and the individual chapters are listed alphabetically.


Reply deadline instead of end for self assessments

If a review is created as a self assessment, the end date is now called reply deadline. This makes it easier to keep an overview of where one has a pending task. This distinction is also made in overview tables and in reports.


CASE MANAGEMENT NEWS

Even more accessibility for the whistleblower system

For the purpose of accessibility, we have added additional help for the entrance to the whistleblower system. It is now possible to have the captcha read to you in German or English.


Find more on the captcha and what’s needed on the technical side of things here.

MEASURE & CONTROL NEWS

More measure and control options in risks for Practitioners

The submitter of a risk can now link measures and controls to the risk as well as directly submit them there. After the first saving and before submission, meaning in the state “Submission pending”, the submitter of a risk has access to the tab Measures and Controls. Two options are offered there:

On the one hand, they can link existing measures and controls with the risk. For this, all those measures and controls of the selected management system are available that they are personally involved in (as responsible, implementer, or examiner; directly, as team member, or as team leader). The evaluation of the ability to control, however, remains reserved for the Experts and Professionals of the management system.


On the other hand, they have the option to submit new measures for the treatment of the current risk directly out of the risk, which are then linked to it. The submission works the same as the submission via the “Submit measure” button under My tasks > Measures.


New labels for measure progress in reports

Reports containing measure progress now distinguish as follows for more ease of understanding:

  • the progress in the measure overview is now called Accepted progress
  • the progress in the statistic is now called Reported progress

If no progress report is available, the progress in the report is 0%. If, however, the measure is in the state “Completed”, meaning its implementation is finished, the progress in the report is shown as 100%. This is independent of any progress report (meaning no matter what was or wasn’t reported, completed measures are shown with 100% in the report).


Example: In the screenshot you can see that the accepted and reported progress are not the same. That is because there is a not yet accepted progress report with a progress of 90%, the reported progress. The last accepted progress report, and thus the last accepted progress, was previously at 60%.

This innovation is found in the following reports:

  • Measures > Measure
  • Measures > Measures by standard/norm
  • Audit management > Audit
  • Case management > Dossier
  • Risk management > Gap analysis
  • Risk management > Conformity by reviews
  • Risk management > Risks & opportunities > General
  • Risk management > Risks & opportunities > Gross-net
  • Risk management > ESG

DATA PROTECTION NEWS

More options for Practitioners creating/editing PAs

The involved users now have more participation opportunities when creating new processing activities as well as when editing existing ones. When creating a PA, the creator can change the responsible and the advisor. The creator is first suggested for both fields but can change this and enter another user. Only with the click on “Create processing activity” does the field responsible become read-only for them. If an edit is requested, the responsible in turn has the option of changing the advisor, if that is necessary.


DOC MANAGEMENT NEWS

Mappings are applied when “Uploaded attachments” are moved

With a licensed Doc management, uploaded attachments (e.g., evidences of measures or control executions) are not only shown in their own menu item. They additionally exist in a dedicated folder in the directory of the menu item Documents. From there, they can be moved to other folders in order to integrate them into the doc management.

If these attachments have linked standard or norm chapters (for example because the measure or control definition for which the document was uploaded has a mapping), these mappings are applied when moving the document. They can then always be edited and adapted.



GENERAL

New standard available for import: NIS-2 Richtlinie

With this version we offer a new standard for import:

  • NIS-2-Richtlinie: Richtlinie (EU) 2022/2555 des Europäischen Parlaments und des Rates vom 14. Dezember 2022 über Maßnahmen für ein hohes gemeinsames Cybersicherheitsniveau in der Union

Standards can be imported under Administration > Standards & norms.

Adaptations to existing norms

These norms were already available for import; maybe you are already actively using them. You do not need to make any changes here; the update happens automatically for you.

  • EN IEC 62443-2-1:2019 Draft becomes EN IEC 62443-2-1:2024
  • NIS Anforderungskatalog becomes KRITIS Maßnahmenkatalog (renaming) and contains the addition of the new chapter 13

Note: Should you have already imported a previous version, this standard is automatically updated to the newer version.

Updates to ISO 27001:2022 and 27002:2022

As of right now, the ISO 27001:2022 as well as the ISO 27002:2022 are available entirely in German. Contents and structure are not affected by this change. Should you still want to employ an entirely English version, please contact us at support@togethersecure.at.

The mappings of the standard 27001:2022 were expanded to the new standards (NIS-2 Richtlinie) and their new chapters (KRITIS Maßnahmenkatalog chapter 13), respectively.

Information for the standard VDA ISA V6.0

The VDA (Verband der Automobilindustrie e.V.) has changed their procedure in that the VDA ISA catalog will be developed in the primary language English first from now on. Therefore, HITGuard continues to offer the standard in English by default. Should you want an entirely German version, please contact us at support@togethersecure.at.

Linked elements to standards/norms expanded by indirect mappings

In Administration > Standards and norms | Linked elements you can view all elements that are linked with individual standard chapters: that is documents from the doc management, risks/opportunities, measures, and controls. A new checkbox allows you to also view all elements that are linked with related chapters (subsequent mappings).


Example: The screenshot shows that a risk and a measure are linked directly to the NIS-2-Richtlinie. As the directive maps onto some chapters of the ISO 27001:2022, further elements show up when mapped norm chapters are included.

More display options for documents in Linked elements

Documents found under Administration > Standards and norms | Linked elements (only possible with a licensed Doc management) can now be opened for viewing in a new tab by clicking on them. Alternatively, you can use the link button, which takes you to where the document is embedded in the folder structure of the Doc management.

Pending tasks are listed first in the Practitioner dashboard

In My tasks you find the dashboards with the individual blocks of tasks, e.g., measures or controls. Tasks to be performed are not only shown in bold there now, but also listed first, so you never lose sight of them.


High contrast for more accessibility

The entire tool now offers the possibility of heightening the contrast to better recognize e.g., tables, menu items, or buttons and badges.



New layout on the profile page

To make profile settings easier for you, we have repositioned the various buttons and options on the profile page and added detailed explanations.


Minimum length of passwords raised to 12 characters

To further improve security when using username and password, the minimum password length has been changed from ten to twelve characters.

2-factor-authentication can be enforced

Another new safety feature is that Experts in HITGuard can configure that 2-factor-authentication must be used when logging in with username and password. Users who use username and password can then not access HITGuard until they have configured a second factor.

The same option is available for the supplier portal, for which 2FA can also be enforced.


Caution: The option to enforce 2-factor-authentication is automatically set with the update but can be deactivated by an Administrator or Expert upon their first login.