IMS Content Review Checklist

Domain-specific review criteria for each management system.

Universal Checks (all domains)

  • [ ] YAML frontmatter has all required fields (Pflichtfelder) with valid values
  • [ ] Content is written in professional German
  • [ ] No English mixed in (except established technical terms like "Backup", "SSO", "CRM")
  • [ ] No placeholder text remaining (TODO, CHANGEME, [fill in], template markers)
  • [ ] [[Wiki-links]] use correct file names (case-sensitive)
  • [ ] norm_refs contains only valid values
  • [ ] Content is specific to VisiTrans (not generic boilerplate)
  • [ ] review_date is set to a future date
  • [ ] approved_by and approved_date are filled for status=aktiv
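
Three of the universal checks (placeholder text, future review_date, approval fields for status=aktiv) can be run mechanically before a human review. The following is an added example, not part of the VisiTrans tooling; it assumes flat `key: value` frontmatter between `---` lines and ISO dates, and the function names and sample note are constructed for illustration.

```python
import re
from datetime import date

# Markers named in the checklist; other template markers are vault-specific and not covered.
PLACEHOLDERS = re.compile(r"\bTODO\b|\bCHANGEME\b|\[fill in\]")

def split_note(text):
    """Return (frontmatter dict, body); the dict is None if no '---' block opens the note."""
    m = re.match(r"\A---\n(.*?)\n---\n?(.*)\Z", text, re.DOTALL)
    if not m:
        return None, text
    meta = {}
    for line in m.group(1).splitlines():
        # Assumption: top-level scalar keys only; nested or list lines are skipped.
        if ":" in line and not line.startswith((" ", "-", "#")):
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip().strip("\"'")
    return meta, m.group(2)

def universal_findings(text, today):
    """List the universal-check violations that can be detected without human judgement."""
    meta, body = split_note(text)
    if meta is None:
        return ["frontmatter missing"]
    findings = []
    if PLACEHOLDERS.search(body):
        findings.append("placeholder text remaining")
    try:
        if date.fromisoformat(meta.get("review_date", "")) <= today:
            findings.append("review_date is not in the future")
    except ValueError:
        findings.append("review_date missing or not an ISO date")
    if meta.get("status") == "aktiv":
        for field in ("approved_by", "approved_date"):
            if not meta.get(field):
                findings.append(f"{field} empty for status=aktiv")
    return findings

# Constructed sample note with three violations.
SAMPLE = """---
status: aktiv
review_date: 2024-01-15
approved_by:
approved_date: 2023-11-02
---
# Backup-Richtlinie
TODO: Wiederherstellungstest beschreiben
"""

if __name__ == "__main__":
    print(universal_findings(SAMPLE, date(2025, 1, 1)))
```
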

ISMS-Specific Checks

Controls (ISO 27001, VDA ISA, NIS2)

  • [ ] Reifegrad is plausible for a 15-person SaaS company
  • [ ] Reifegrad ≤2 unless strong evidence for higher (policies reviewed, KPIs tracked)
  • [ ] Beschreibung der Umsetzung references actual VisiTrans systems/tools
  • [ ] Nachweise links point to real policies in vault/IMS/05 - Richtlinien & Arbeitsanweisungen/
  • [ ] Cross-references between ISO 27001 and VDA ISA are consistent
  • [ ] NIS2 controls reference corresponding ISO 27001 Annex A controls
  • [ ] Abwahlgrund is justified for reifegrad=na controls

Incidents

  • [ ] schweregrad is appropriate (hoch only for actual critical incidents)
  • [ ] betroffene_systeme lists real VisiTrans systems
  • [ ] datenpanne flag is set correctly (true only if personal data affected)

DSMS-Specific Checks

VVT (Art. 30)

  • [ ] zweck is specific (not generic like "Datenverarbeitung")
  • [ ] rechtsgrundlage cites the correct DSGVO article with specific littera
  • [ ] datenkategorien lists actual data types processed
  • [ ] empfaenger lists actual service providers (from supplier directory)
  • [ ] loeschfristen cite legal basis for retention period
  • [ ] AVV status mentioned for external processors

TOM (Art. 32)

  • [ ] Status assessment (umgesetzt/teilweise/offen) is accurate
  • [ ] Implementation description matches actual VisiTrans infrastructure
  • [ ] Cross-reference to corresponding ISMS control is present
  • [ ] "nicht relevant" status has justification

DSFA (Art. 35)

  • [ ] Only created for genuinely high-risk processing activities
  • [ ] Risk assessment is structured (likelihood × impact)
  • [ ] DSB-Stellungnahme section is present (even if placeholder for ext. DSB)

QMS-Specific Checks

ISO 9001 Controls

  • [ ] Reifegrad assessment considers VisiTrans as SaaS company (not manufacturing)
  • [ ] Process descriptions are relevant to software development and SaaS operations
  • [ ] Quality objectives are measurable and realistic

KPIs

  • [ ] einheit is a real measurement unit
  • [ ] zielwert is achievable and meaningful
  • [ ] messfrequenz matches data availability
  • [ ] Measurement method is described and feasible with available tools

IMS Central Checks

Policies

  • [ ] All 9 policies have review_date set
  • [ ] norm_refs correctly list all applicable norms
  • [ ] Content is current (no references to deprecated systems like "Confluence" or "SmartKit")

Management Review

  • [ ] Dataview queries reference correct vault paths
  • [ ] Aggregation covers all 4 domains (ISMS, QMS, DSMS, IMS)
  • [ ] Template sections match PRD Chapter 6 requirements

Suppliers

  • [ ] umwelt_bewertung is filled
  • [ ] Supplier data matches actual contracts/relationships