Governance & Compliance Glossary
Compliance (IT-Sicherheits-Compliance)
IT security compliance refers to adherence to legal provisions, regulatory requirements, and contractual obligations in the field of information security. Relevant frameworks for German companies: GDPR, NIS2, ISO 27001, BSI IT-Grundschutz, KRITIS Regulation, industry-specific regulations (BAIT, VAIT, KAIT).
IT Security Compliance refers to the totality of all activities that ensure a company meets the security requirements applicable to it and can demonstrate this. Important: Compliance is the minimum standard—security goes beyond that.
The Compliance Landscape for German Companies
Overview of Relevant Requirements (2026):
ALL companies in the EU:
GDPR (since May 2018):
→ Protection of personal data
→ Art. 32: Technical and organizational measures (TOMs)
→ Fines: up to 4% of global annual turnover
→ Reporting obligation: Data breaches must be reported to the supervisory authority within 72 hours
SPECIFIC sectors / types of companies:
NIS2 (effective October 2024):
→ "Important" and "essential" facilities
→ Sectors: Energy, transportation, healthcare, water, ICT, finance, etc.
→ Also: medium-sized companies with 50+ employees / €10 million in revenue
→ Measures: Risk management, incident response, reporting obligations
→ Fines: up to 10 million EUR (essential) / 7 million EUR (important)
KRITIS (BSI Act):
→ Operators of critical infrastructure (thresholds by sector)
→ Every 2 years: Security audit by the BSI
→ Minimum standards: ISMS, reporting obligations, redundancy
INDUSTRY-SPECIFIC:
Financial sector:
BAIT (Banks): IT requirements for credit institutions
VAIT (Insurance): Insurance supervisory requirements
DORA (from 2025): Digital Operational Resilience Act (EU, financial sector)
PCI DSS: Credit card processing (international)
Healthcare:
SGB V / KRITIS: Hospitals with 30,000 or more inpatient cases
DiGAV / PDSG: Digital health applications
Automotive:
TISAX: Information security in the automotive supply chain
UN R155/R156: Cybersecurity for vehicles
US Market / International:
SOC 2 Type II: US market, SaaS providers
ISO 27001: Internationally recognized certification
Compliance vs. Security – the important difference
Compliance is no guarantee of security:
Compliance pitfall:
Company passes ISO 27001 certification audit ✓
Company is breached 3 months later ← despite the certificate!
Why?
→ Compliance checks processes and documentation
→ Audit question: "Do you have a password policy?" → "Yes" → requirement ticked off
→ Audit does NOT check: Are the passwords actually strong?
→ Audit does NOT check: Is the policy actually being followed?
→ Audit does NOT check: Are there unknown security vulnerabilities?
Compliance is therefore:
✓ Minimum requirement
✓ Proof of basic security hygiene
✓ Mandatory for regulated industries
✓ Builds trust with customers/partners
✗ No protection against targeted attacks
✗ No substitute for regular security testing
✗ No substitute for active monitoring
Recommendation:
Compliance as a foundation → Penetration tests as a reality check
Both together: documented process + practical verification
Control Mapping - One Measure for Multiple Requirements
Efficiency through integrated compliance management:
Example: Multi-factor authentication (MFA)
ISO 27001:2022 A.8.5: "Secure authentication" ✓
GDPR Art. 32: "Appropriate technical measures" ✓
NIS2 Art. 21(2)(i): "Multi-factor authentication" ✓
KRITIS/BSI: Recommended in IT-Grundschutz ✓
PCI DSS v4 Req. 8.4: MFA for all administrators ✓
→ A single MFA implementation meets 5 different requirements!
→ No duplication of effort if the mapping is documented
Further examples:
Patch management:
→ ISO 27001 A.8.8 + NIS2 + BSI + GDPR Art. 32
Backup and recovery:
→ ISO 27001 A.8.13 + NIS2 + BSI CON.3 + GDPR (Availability)
Incident Response:
→ ISO 27001 A.5.26 + NIS2 reporting obligation + GDPR 72-hour deadline
Employee Training:
→ ISO 27001 A.6.3 + NIS2 + BSI ORP.3 + GDPR obligation to provide evidence
Tool support for control mapping:
→ verinice (Open Source): BSI + ISO 27001
→ ServiceNow GRC: any frameworks can be mapped
→ Excel/Confluence: manual, but free
→ AWARE7 recommendation: start with Excel, then scale
Prepare for the compliance audit
Audit preparation checklist (ISO 27001):
6 months in advance:
□ Gap analysis: what is still missing?
□ Are all policies up to date and signed by management?
□ Has the risk analysis been updated?
□ Has the last internal audit been conducted?
□ Has the management review been documented?
3 months in advance:
□ Have all critical findings from the internal audit been resolved?
□ Training records available for all employees?
□ Is the asset inventory up to date?
□ Has the supplier assessment been completed?
1 month in advance:
□ Are all documents available in their current versions?
□ Have employees been prepared for auditor interviews?
□ Technical controls verified (does backup and restore work?)
□ All outstanding security vulnerabilities addressed?
Audit week:
□ Keep contact persons available
□ System access prepared for auditor
□ Quiet room for auditor
□ Do not “quickly tweak” documents—it’s too late!
Common audit findings:
→ No documented regular backup tests
→ Policy older than 12 months without review
→ Missing asset classification
→ Penetration test not conducted within the last 12 months
→ Employee training not verified for all employees