OrgUnits - Organizational units

A company consists of organizational units that participate in the individual processing procedures. These, in turn, take place in one or several organizational units. The creation and processing of data taking place in these organizational units during the individual process steps is predominantly IT-supported and with the use of IT systems. The more vital the organizational unit, the greater the potential damage, and the greater the requirements for availability, confidentiality and integrity of the data or systems.

The structure of the organizational units should be hierarchical.

Important: To be able to use OrgUnits in a management system, they need to be activated for the active analysis period! When a new OrgUnit is created, it is automatically assigned to all active (current) analysis periods and thereby activated, if the OrgUnit has been subordinated to another one and this superordinate OrgUnit is already activated in the respective management system. If there is no parent OrgUnit, the newly created OrgUnit will not be automatically activated in all management systems. This needs to then be done manually. For more information, see "Administration → Management System → Analysis Periods".

OrgUnits can be created or edited by administrators and experts via "Administration → OrgUnits".

To create a new OrgUnit, click the "Plus" button.

To edit an existing OrgUnit, double-click into the corresponding OrgUnit's row.

Code and name:

• For the code, enter how the OrgUnit should be abbreviated.
• For the name, enter the name of the OrgUnit.

Sort order: This defines how the OrgUnits are listed in linear lists (e.g. in a report).

Superordinate OrgUn: Here, you state how the OrgUnit fits into the hierarchy. For example, which company a department belongs to.

Type: Here, you specify what type of organizational unit it is: Group, Company, Department, Entity, Branch

Division: Here, you define in which divisions the OrgUnit is active.

Responsible: The person entered here is responsible for the OrgUnit. For example, a department head.

Description: Here, you describe the OrgUnit.

Closed: If an OrgUnit is closed, it will only be displayed on this page. It can no longer be selected for new audits, reviews, processing activities and so on. Deactivating it has no effect on current assignments. Merely for reports, the OrgUnit can still be selected.

Active from/to Here you define the time period in which the OrgUnit should be active in HITGuard. If the OrgUnit is no longer active, but not closed, it can still be selected anywhere, but is displayed in italics to signal that it is inactive.

ID in third-party systems: This field is used to synchronize an OrgUnit with a third-party system. Synchronization requires a data import, in which the same ID is set.

Risks: All risks of the OrgUnit are listed here. It is not possible to assign risks here. More about risks can be found here.

Address: Here, you enter the address of the OrgUnit and tick whether the organizational unit is outside of the EU.

Delete OrgUnit: To delete an OrgUnit, click on the red trash can in the edit screen. In order for an OrgUnit to be deletable, nothing can be linked to it. This means that, for example, all assigned measures, control definitions and processing messages have to be linked to a different OrgUnit or be themselves deleted. The OrgUnit must also not be linked to any active or closed analysis period.

If the active management system is the data protection management system, it is possible to record appropriate safeguards (underneath the address) as well as the contact data of the data protection officer of the OrgUnit. These are required for evaluation in data protection management.

If no data protection officer is found during evaluations for an OrgUnit, the officer of the higher-level OrgUnit is used. This means that if there is only one officer in the organizational structure, this officer's information only needs to be entered in the top-level OrgUnit.

The behavior is the same as for resources. More about this here.

In the tab "Audit information", you record additional information relevant in the context of audits.

• Number of employees: The number of employees can be recorded here.
• Local Management Representative: This is the audit coordinator and contact person that should be defined for every OrgUnit of the type company.
• "Proposal to audit this OrgUnit in each audit program": These OrgUnits are proposed when the corresponding filtering checkmark is set in the detailed planning in the audit calendar or in the audit creation form.
• Certifications: Here, any standards (from standards and norms) in which the organizational unit is certified can be selected and assigned. A reg. no. and a location number can then be entered for each of these standards.

OrgUnits can be assigned several divisions, depending on their field of activity.

Under "Administration → Edit organizational units | Divisions", these divisions can be managed.

A new division can be created by clicking the "Plus" button.

By double-clicking on a division, it can be edited.

Topic responsibilities are used for the bulk creation of measures in the context of dossiers in the case management. In them, you can designate responsibilities for certain topics by organizational units.

To be able to use topic responsibilities, the checkbox "Topic responsibilities" must first be selected under "Measures → Settings → General". This displays the tab under "Administration → OrgUnits".

A new topic responsibility can be created by clicking the "Plus" button.

By double-clicking on a topic responsibility, it can be edited.

For the topic responsibility, select the desired organizational units for the respective topic.

Note: OrgUnits that are activated in the current analysis period are available for selection; the others are not selectable.

A responsible person or a responsible team must be entered for every selected organizational unit. They will received the measures for implementation when those are created in bulk.

For each selected organizational unit, the responsible person (from Administration → OrgUnits → Organizational units) is pre-filled. If no responsible person is defined there, this field is empty. If no OU-responsible is available, a topic responsible must be entered so the organizational unit can be selected.

If an OU-responsible is pre-filled, the responsible person for the specific topic can be replaced manually by another user or a team (manually set topic responsibles are displayed as bold).

Note: This does not change the responsible in the organizational unit itself. A change within "Administration → OrgUnits → Organizational units" also does not overwrite the topic responsibles set manually here.

Topic responsibilities are used for the bulk creation of measures in dossiers.