Common Norm Reference Mistakes
Frequent errors in IMS content that reviewers should catch.
ISO 27001:2022 Common Mistakes
| Mistake | Correct |
|---|---|
| Referencing old Annex A structure (A.5-A.18) | New structure: A.5-A.8 (4 categories) |
| Using "ISO 27001:2013" references | Current version: ISO/IEC 27001:2022 |
| Confusing controls with requirements | Annex A = controls, Chapters 4-10 = requirements |
| Wrong control count ("114 controls") | Current: 93 controls in Annex A |
| Mixing chapter numbers with control numbers | Chapters 4-10 (requirements) vs. A.5-A.8 (controls) |
Annex A Categories (2022 version)
- A.5: Organizational controls (37 controls)
- A.6: People controls (8 controls)
- A.7: Physical controls (14 controls)
- A.8: Technological controls (34 controls)
VDA ISA Common Mistakes
| Mistake | Correct |
|---|---|
| Referencing VDA ISA 5.x (old version) | Current: VDA ISA 6.0.2 |
| Confusing VDA ISA with TISAX | VDA ISA = assessment catalog, TISAX = assessment/certification process |
| Wrong chapter structure | 7 main chapters: 1.x Governance, 2.x Access, 3.x Personnel, 4.x Suppliers, 5.x Technology |
| Missing Prototypenschutz (prototype protection) chapter | Chapters 6/7 for prototype protection and data protection (if applicable) |
NIS2 Common Mistakes
| Mistake | Correct |
|---|---|
| Referencing NIS1 articles | NIS2 = Directive (EU) 2022/2555 |
| Wrong article numbers | Art. 20-23 are the main obligations |
| Confusing NIS2 with national implementation | In Germany: NIS2UmsuCG (the national implementing act) |
| Missing incident reporting timelines | 24h initial notification, 72h update, 1 month final report |
ISO 9001:2015 Common Mistakes
| Mistake | Correct |
|---|---|
| Referencing "ISO 9001:2008" | Current: ISO 9001:2015 |
| Using "procedures" language | ISO 9001:2015 uses "documented information" |
| Confusing "shall" and "should" | "shall" = requirement, "should" = recommendation |
| Wrong chapter count | Chapters 4-10 (7 chapters, ~30 control areas) |
| Applying manufacturing concepts to SaaS | VisiTrans is SaaS: no physical production, no warehouse |
DSGVO Common Mistakes
| Mistake | Correct |
|---|---|
| Citing "DSGVO Art. 6a" | Correct: "Art. 6 Abs. 1 lit. a DSGVO" |
| Confusing Auftragsverarbeitung (processing on behalf, Art. 28) with gemeinsame Verantwortlichkeit (joint controllership, Art. 26) | AVV = processor acts on the controller's instructions, joint controllers = shared purposes |
| Missing Abs./lit. in the legal basis | Always cite fully: Art. 6 Abs. 1 lit. b DSGVO |
| Wrong retention period sources | Check the specific laws: HGB § 257, AO § 147, BDSG, ArbZG |
| Confusing data subject rights (Betroffenenrechte) articles | Art. 15 access, Art. 16 rectification, Art. 17 erasure, Art. 20 data portability |
Cross-Norm Consistency Checks
| Check | What to verify |
|---|---|
| ISO 27001 ↔ VDA ISA | The same topic should have the same maturity level (Reifegrad), within a ±1 level tolerance |
| ISO 27001 ↔ NIS2 | NIS2 Art. 21(2) measures should map to Annex A controls |
| ISMS controls ↔ TOM | TOM measures should reference the corresponding Annex A controls |
| Policies ↔ Controls | Controls claiming maturity level (Reifegrad) ≥ 2 should reference existing policies |
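As an added example (not part of the original checklist), here is a small Python reference linter that turns the mistake tables and the cross-norm checks above into automated findings a reviewer can run over IMS text before the manual review. The rule names, the sample document lines, the maturity ratings and the control records are constructed for this example; the regexes deliberately cover only the mistakes listed on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the reviewed document
    rule: str    # which mistake rule fired (rule names are this example's own)
    match: str   # the offending text


# Detection rules derived from the mistake tables above. Each regex targets one
# outdated or malformed reference.
RULES: list[tuple[str, re.Pattern[str]]] = [
    ("iso27001-old-version", re.compile(r"ISO(?:/IEC)?\s*27001:2013")),
    ("iso27001-old-control-count", re.compile(r"\b114\s+controls\b", re.IGNORECASE)),
    # A.9 to A.18 exist only in the 2013 Annex A; the 2022 structure stops at A.8.
    ("iso27001-old-annex-a", re.compile(r"\bA\.(?:9|1[0-8])\b")),
    ("vda-isa-old-version", re.compile(r"VDA\s*ISA\s*5\.\d")),
    ("iso9001-old-version", re.compile(r"ISO\s*9001:2008")),
    # "DSGVO Art. 6a" / "Art. 6a DSGVO": there is no Art. 6a; Abs. 1 lit. a was meant.
    ("dsgvo-malformed-article",
     re.compile(r"DSGVO\s+Art\.\s*\d+[a-z]\b|Art\.\s*\d+[a-z]\b\s*DSGVO")),
    # Art. 6 cited as a legal basis without Abs./lit., e.g. "Art. 6 DSGVO".
    ("dsgvo-missing-abs-lit", re.compile(r"Art\.\s*6\s+DSGVO")),
]


def lint_text(text: str) -> list[Finding]:
    """Report the first hit of every rule on every line of the reviewed text."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(lineno, name, m.group(0)))
    return findings


def check_maturity_consistency(ratings: dict[str, dict[str, int]],
                               tolerance: int = 1) -> list[str]:
    """ISO 27001 <-> VDA ISA: flag topics whose maturity levels differ by more than
    the tolerance (the page allows +-1 level). Topics rated under one norm only are skipped."""
    issues = []
    for topic, levels in ratings.items():
        if "iso27001" in levels and "vda_isa" in levels:
            if abs(levels["iso27001"] - levels["vda_isa"]) > tolerance:
                issues.append(f"{topic}: ISO 27001 level {levels['iso27001']} "
                              f"vs VDA ISA level {levels['vda_isa']}")
    return issues


def check_policy_references(controls: list[dict]) -> list[str]:
    """Policies <-> Controls: a control claiming maturity >= 2 must cite a policy."""
    issues = []
    for c in controls:
        if c["reifegrad"] >= 2 and not c.get("policies"):
            issues.append(f"{c['id']}: maturity {c['reifegrad']} claimed without a policy reference")
    return issues


# Constructed sample document with one mistake per line (line 4 is clean).
SAMPLE_TEXT = """\
Our ISMS is certified against ISO 27001:2013 and implements all 114 controls.
Access control is covered by A.9.2 and supplier relationships by A.15.1.
Processing is based on DSGVO Art. 6a and the VDA ISA 5.1 catalogue.
Legitimate interest per Art. 6 Abs. 1 lit. f DSGVO; see control A.5.1.
Data is processed under Art. 6 DSGVO and retained per HGB § 257.
"""

# Constructed maturity ratings and control records for the cross-norm checks.
SAMPLE_RATINGS = {
    "access control": {"iso27001": 3, "vda_isa": 2},        # within tolerance
    "supplier management": {"iso27001": 4, "vda_isa": 1},   # outside tolerance
    "physical security": {"iso27001": 2},                   # no VDA ISA rating, skipped
}
SAMPLE_CONTROLS = [
    {"id": "A.5.1", "reifegrad": 3, "policies": ["Information Security Policy"]},
    {"id": "A.8.7", "reifegrad": 2, "policies": []},        # claims level 2, cites nothing
    {"id": "A.7.4", "reifegrad": 1, "policies": []},        # level 1 needs no policy
]

if __name__ == "__main__":
    for f in lint_text(SAMPLE_TEXT):
        print(f"line {f.line}: {f.rule}: '{f.match}'")
    for issue in check_maturity_consistency(SAMPLE_RATINGS) + check_policy_references(SAMPLE_CONTROLS):
        print("cross-norm:", issue)
```

The linter only reports the first hit per rule per line, which keeps the output readable for a reviewer; the cross-norm checks take already-structured ratings and control records, so the extraction from the actual ISMS tooling is left to the caller.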