HITGuard Release April 2026

From this release onwards, risks and opportunities can be proactively updated by the risk owners or advisors in their role as Practitioner users. The new ‘Update risk/opportunity’ button is available for this purpose under My Tasks.

Expert and Professional users of a management system still have the option of requesting that an advisor update a risk. To do this, there is now a ‘Request update’ button at the bottom of the risk maintenance form (next to ‘Save’ and ‘Close’). This replaces the ‘Request review’ button that was previously located on risks (top right).

Once an update is initiated, the interface is read-only for experts and professionals in the management system. The risk’s status is set to ‘Update Pending’. Clicking the violet “Update Pending” button displays the changes already entered by the advisor, and experts or professionals can revert these changes by selecting “Reject update”. Experts/professionals or practitioner users can leave comments for their colleagues explaining their respective workflow steps. These can then be viewed at via the new “Messages & History” button.

While the risk is being updated, a Practitioner user can edit the risk’s master data or the measures and controls for risk treatment as part of an update.

After saving the changes and when submitting the update, HITGuard summarizes the changes in a separate overview (“Show changes”). This allows Advisors to compare old and new values. Later, when reviewing the update, the Professional or Expert will also see the same overview. This makes it easier to assess whether to reject or accept the update, or whether further changes need to be incorporated. You can see how the overview looks for the expert and professional below:

During the update, the risk owner or advisor first enters a justification. Later, the Professional or Expert can edit this justification. HITGuard then files these jointly created entries in the risk’s timeline, creating a traceable history of the workflow steps and changes to the risk.

You can find out more about the new workflow in our Online help.

Some customers wished to store documentation relating to risks. Expert and Professional users can now attach one or more documents or links to a risk. Practitioner users can now also use this functionality when creating or updating a risk.

To provide a better overview of the protection requirement classes of your resources, we have implemented a new KPI: Under the “Risk Management” section, you will now find the KPI “Resources by Protection Requirements”. This allows you to view your assets grouped by protection requirements in a doughnut chart. You can also filter by protection objectives or display specific model segments.

You can find out mor about this new KPI in our Online help.

To make better use of the synergies between multiple management systems, new display options for protection requirement classes are now available. Under Administration > Resources and Administration > Suppliers, the protection requirement classes are displayed as colored icons in the first column of the table. You now also include the protection requirement classifications of all other management systems. The most critical value, i.e. the highest protection requirement class of the resource, is displayed. The new KPI (see section 1.3) also offers this configuration option.

To make it easier to work with saved configurations in the structure analysis, we have introduced the ability to search, filter and sort within the saved views. This makes it easier to quickly locate saved views again.

To make the evaluation of reviews more flexible and useful, we have expanded the filtering options for the Compliance Spider KPIs. This applies to the KPI ‘Compliance Fulfilment’, a central evaluation mechanism, as well as ‘Question Coverage Percentage’ and ‘Question Coverage Total’, which provide you with an overview of the progress of your reviews. You can now filter by reviews, analysis periods or custom-defined periods.
In addition, customers using the Audit Management module can restrict the display to audit programs and audits. Customers using the Supplier Management module can now restrict the three KPIs mentioned above, as well as the KPI “Compliance by knowledge bases”, to supplier audits only or exclude them entirely.

To enable you to streamline your audit reports, we have revised the settings in the audit report, non-conformity analysis report and compliance report . It is now possible to evaluate objects of review in detail without necessarily printing details of the audit questions. This allows for detailed evaluations whilst maintaining streamlined reports. To this end, the options from the ‘Objects of Review’ section have been integrated into the existing ‘Detailed Evaluation’ section. In this report options section, you can now configure detailed settings for objects of review and/or audit questions separately.

With the new release, HITGuard automatically sets the person responsible for an organizational unit as the person in charge of an audit as soon as you select the organizational unit when creating the audit. This allows you to leverage the information from their master data more effectively for pre-assignment and thus create audits more quickly.

To support the recording of different types of audit related activities, we have introduced the new audit type “Inspection”. Customers often wish to record results from tests or reviews carried out by external service providers or supplier reviews without implying that these constitute an audit against a standard. The “Inspection” audit type allows this distinction to be made.

From this release onwards, reviews can be created and assigned directly within the Case Management dossiers. To this end, the dossier now features the same ‘Create’ buttons as those found in the review overviews from Risk and Audit Management.

From now on, multiple responsible parties (multiple individuals, multiple teams, or a combination of individuals and teams) can be assigned to measures. This allows you to assign measures to those responsible for implementation more flexibly.

You can find out more in our Online help.

When submitting progress reports for measures, it is now possible to upload multiple documents simultaneously as evidence. This simplifies and speeds up the workflow for your Practitioner users, as the upload dialogue no longer needs to be opened repeatedly.

For the KPI “OEs’ Measures – By Status”, it is now possible to filter content. You can search for specific reviews and organizational units. You can also restrict the KPI to a custom time period or to analysis periods.

If audit management is enabled, you can also filter by audit programs and audits. This allows you to configure the KPI more precisely and focus on the information that is most relevant to you.

This release improves how HITGuard displays processing activities in the organization tree view. Previously, all processing activities of a node, including those of all subordinate nodes, were displayed, resulting in a very extensive list. With this update, only the processing activities directly assigned to the selected node are now displayed. For a complete overview of all processing activities, the list view without a tree structure remains available.

In this release, we have revised and simplified the expiry behavior for suppliers. An expired supplier is a supplier who is currently unable to log in via the Supplier Risk Management Portal and respond to a review. As a result, they are deactivated and no longer consume a license. An expired supplier whose expiry date lies in the past is automatically considered deactivated. For a supplier who is deactivated manually, the current date is set as the expiry date. In doing so, all login details for supplier users are also removed. The two deactivation methods therefore have the same effect. You can find out more in our Online help.

Previously, you already had the option to define an internal team that would be notified in good time before supplier contracts expire, meaning they could no longer be subject to reviews via the Supplier Risk Management Portal. With the new release, you can allocate responsibility in even greater detail. It is now possible to enter a specific team or an individual person (a HITGuard user) as the contact person for each supplier. This ensures that specific responsible parties are notified in a more targeted manner before the supplier’s contract expires.

In addition to the existing option to restrict a KPI to specific suppliers, you now also have the option to specifically exclude suppliers from the KPI or to restrict the KPI to suppliers (all or only selected suppliers). This applies to all KPIs that represent risks, including but not limited to the “Risk Matrix”, “Risks/Opportunities by Status”, and “Risks by Threats”. You can also filter all KPIs that evaluate compliance reviews in this way. This applies, for example, to “Gap Analyses by Status” and “Compliance Fulfilment”.

With this update, the following standards are available to all customers:

• B3S Health 1.3.1 – Sector-specific security standard ‘Medical Care’
• BSIG – Act on the Federal Office for Information Security and on Information Security in Institutions (BSI Act – BSIG)
• EN ISO 22301:2019 – Security and resilience – Business continuity management system – Requirements (ISO 22301:2019)
• EN ISO 31000-2018 – Risk management – Guidelines (ISO 31000:2018)
• AI Regulation – Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence
• NISG2026 - Federal Act on Ensuring a High Level of Cybersecurity for Network and Information Systems (Network and Information Systems Security Act 2026 – NISG 2026)
• ÖNORM D 4901 – Risk management for organisations and systems – Requirements for the risk management system – Guidance on the implementation of ISO 31000
• RKEG – Critical Infrastructure Resilience Act
• RKE/CER Directive – Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical infrastructure and repealing Council Directive 2008/114/EC

The standard EN ISO/IEC 42001:2023 has been expanded in Annex A to include Chapters A.2 to A.10.
In the KDR and KDR-OG standards, paragraphs § 6, § 11, § 52 and § 53 have been added. In addition to the expansion, there have been minor adjustments to standard mapping, sorting order and master data for the standards.

To make editing knowledge bases easier, we revised the display and many aspects of the interaction in the second tab, ‘Topics’, of the knowledge base. Individual topics can now be opened and edited with a double-click; all linked elements on this page can not only be linked, but also unlinked in the list view using a dedicated button. This allows for more efficient editing of knowledge bases.

This release enables customers to manager templates for risks and opportunities in knowledge bases. This allows risks and opportunities to be prepared in knowledge bases and accessed later when working with HITGuard.
The risks and opportunities can be assigned to one or more categories within the knowledge base. These categories can be freely edited and help with filtering risks and opportunities when using these templates to create a risk or opportunity.
These templates can be accessed directly in the risk or opportunity. Expert users will now see a ‘Book’ button that allows them to access the templates from the knowledge bases.

the import function for risks was expanded as well. Risks can now be assigned additional properties during import. This includes the strategy, comments, the advisor and the risk status. This allows you to import not only risks in the status ‘Active’, as before, but also ‘Accepted’ or ‘Submitted’ risks. As before, submitted risks trigger a report to management system administrators. You can find more information on importing via Excel in our Online help.

The import function under Administration > Data Imports has been expanded. You can now also import and update users quickly and easily via Excel.

You can find an import template for users in our Online help.

In HITGuard, you can import various elements into in knowledge bases as templates. Previously, this only included test questions, measures, controls and justification templates. With the new release, we expanded the import function under Administration > Data Import so that in addition to the previously available elements, you can now also import topics, risks and threats via Excel. Furthermore, it is possible to define the links between topics and audit questions directly in this Excel file and import these links as well. This saves time when creating knowledge bases and makes additions and updates easier and faster. You can find an extended import template for knowledge bases in our Online help.

An additional extension of the import function is available for resources, for which the new import type “Resource connection” is now available. This allows you to create or update relationships between resources and other structural elements. This saves you from having to manually enter relationships when creating information networks.

You can find an import template for resource links in our Online help.

The options for import via REST API have also been expanded. All changes explained in sections 7.5, 7.6 and 7. 8 have also been implemented for the REST API interface. This means you can also import risks in different statuses as well as relationships between resources via the REST API. You can find out more in our Online help.