Skip to content

Support audits with VIVA#

Audits are the reports needed for a possible certification according to ISO 27001 based on IT-Grundschutz. Audits can be created and managed with the VIVA add-on. In addition to audits, VIVA has other reports that serve continuous quality assurance.

Create audits#

Once all information has been gathered and documented within VIVA, audits can be created. These are based on the selected information network and the type of certification sought (initial certification, surveillance audit, etc.). In terms of content and formatting, they are based on the specifications made in the BSI standards. The audits can be found under the item of the same name in the menu tree.

The following output formats are available for selection:

  • PDF
  • HTML (including head area and stylesheet)
  • HTML-Body (without head area and stylesheet)

The generated HTML documents contain all information necessary for further processing in other applications. They can be easily imported into a word processor and adapted there to your own specifications (for example, to the corporate design).

Reference documents#

The individual reference documents are discussed below.

Reference document A.0 IT security guidelines#

The first reference document contains some overarching information that can be documented directly in the respective audit.

Reference document A.1 IT structure analysis#

The second reference document is fed on the one hand by the data documented within the selected information network (see Creating Target Groups and Assigning Target Objects], and on the other hand by additional data that can be stored directly in the respective audit.

Reference document A.1 IT structure analysis The second reference document is fed, on the one hand, by the data documented within the selected information network. The reference document contains, among other things, an adjusted network diagram (see BSI Standard 100-2, chapters 4.2.3 and 4.3.5.). This can either be referenced textually via the corresponding form field or - if the field is left blank - an automatically generated diagram is used to represent the network plan. The generated diagram contains all information needed for a cleaned up network plan and available through the current documentation: This includes the individual target groups, their communication links to each other, and the associated criticalities. This is supplemented by a color scheme, which is composed of the object type configuration:

Reference document A.2 Identification of protection requirements#

This reference document contains only data that has already been documented within the selected information network. See Defining protection requirement categories and Defining protection requirements.

Reference document A.3 Modeling of the IT network#

This reference document contains only data that has already been documented within the selected information federation. See Modeling information networks.

Reference document A.4 Result of the basic security check#

This reference document only contains data that has already been documented within the selected information network. See Implementing measures.

Reference document A.5 Supplementary safety analysis#

This reference document contains only data that has already been documented within the selected information network. See Performing a Supplementary Security Analysis.

Reference Document A.6 Risk Analysis#

This reference document compiles information to cover a risk analysis according to BSI Standard 100-3. See risk analysis according to IT-Grundschutz.

Reference document A.7 Risk treatment plan#

This reference document is not currently generated.