{
  "name": "Kopexa Compliance Universe Dataset",
  "version": "1.0",
  "license": "CC-BY-4.0",
  "licenseUrl": "https://creativecommons.org/licenses/by/4.0/",
  "attribution": "Kopexa GmbH — https://kopexa.com",
  "source": "https://kopexa.com/tools/compliance-universe",
  "generatedAt": "2026-04-18T18:44:39.216Z",
  "note": "Figures are conservative estimates for a mid-size organisation, expressed in person-days for initial implementation. The product hlsOverlapRatio × baseEffortDays represents the share of effort consolidated via the ISO Harmonised Structure (Annex SL). For non-HLS frameworks with strong overlap with a selected security baseline (ISO 27001 anchors NIS2, TISAX, DORA and SOC 2), an additional reduction is applied when the anchor is present.",
  "frameworks": [
    {
      "id": "iso-9001",
      "name": {
        "de": "ISO 9001 Qualitätsmanagement",
        "en": "ISO 9001 Quality Management"
      },
      "short": "ISO 9001",
      "domain": "quality",
      "context": "b2b-typical",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 90,
      "hlsOverlapRatio": 0.62,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#2563EB",
      "icon": "badge-check",
      "tagline": {
        "de": "Qualitätsmanagement als HLS-Basis für alle weiteren ISO-Normen.",
        "en": "Quality management as the HLS baseline for every further ISO standard."
      },
      "topAreas": {
        "de": [
          "Kundenanforderungen und Zufriedenheit",
          "Prozessorientierter Ansatz",
          "Produktrealisierung und Freigabe",
          "Kontinuierliche Verbesserung"
        ],
        "en": [
          "Customer requirements and satisfaction",
          "Process-based approach",
          "Product realisation and release",
          "Continual improvement"
        ]
      }
    },
    {
      "id": "iso-27001",
      "name": {
        "de": "ISO 27001 Informationssicherheit",
        "en": "ISO 27001 Information Security"
      },
      "short": "ISO 27001",
      "domain": "security",
      "context": "b2b-typical",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 150,
      "hlsOverlapRatio": 0.5,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#7C3AED",
      "icon": "shield-check",
      "tagline": {
        "de": "Das Rückgrat moderner Informationssicherheit mit 93 Annex-A-Controls.",
        "en": "The backbone of modern information security with 93 Annex A controls."
      },
      "topAreas": {
        "de": [
          "Risikobewertung und SoA",
          "93 Annex-A-Controls",
          "Informations-Klassifizierung",
          "Vorfall- und Kontinuitätsmanagement"
        ],
        "en": [
          "Risk assessment and SoA",
          "93 Annex A controls",
          "Information classification",
          "Incident and continuity management"
        ]
      }
    },
    {
      "id": "iso-14001",
      "name": {
        "de": "ISO 14001 Umweltmanagement",
        "en": "ISO 14001 Environmental Management"
      },
      "short": "ISO 14001",
      "domain": "environment",
      "context": "esg",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 80,
      "hlsOverlapRatio": 0.62,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#10B981",
      "icon": "leaf",
      "tagline": {
        "de": "Umweltaspekte und rechtliche Verpflichtungen im Griff.",
        "en": "Environmental aspects and legal obligations under control."
      },
      "topAreas": {
        "de": [
          "Umweltaspekte und Auswirkungen",
          "Rechtliche Verpflichtungen",
          "Betriebs- und Notfallplanung",
          "Umweltbezogene Leistungsbewertung"
        ],
        "en": [
          "Environmental aspects and impacts",
          "Legal and other obligations",
          "Operational and emergency planning",
          "Environmental performance evaluation"
        ]
      }
    },
    {
      "id": "iso-45001",
      "name": {
        "de": "ISO 45001 Arbeitsschutz",
        "en": "ISO 45001 Occupational Health & Safety"
      },
      "short": "ISO 45001",
      "domain": "safety",
      "context": "b2b-typical",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 85,
      "hlsOverlapRatio": 0.62,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#F59E0B",
      "icon": "hard-hat",
      "tagline": {
        "de": "Arbeitsschutz-Managementsystem nach Annex SL.",
        "en": "Occupational health and safety management aligned to Annex SL."
      },
      "topAreas": {
        "de": [
          "Gefährdungsbeurteilung",
          "Beteiligung der Beschäftigten",
          "Notfallvorsorge und Reaktion",
          "Vorfalluntersuchung"
        ],
        "en": [
          "Hazard and risk assessment",
          "Worker participation",
          "Emergency preparedness and response",
          "Incident investigation"
        ]
      }
    },
    {
      "id": "iso-50001",
      "name": {
        "de": "ISO 50001 Energiemanagement",
        "en": "ISO 50001 Energy Management"
      },
      "short": "ISO 50001",
      "domain": "energy",
      "context": "esg",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 75,
      "hlsOverlapRatio": 0.62,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#EAB308",
      "icon": "zap",
      "tagline": {
        "de": "Energetische Ausgangsbasis und kontinuierliche Effizienzsteigerung.",
        "en": "Energy baseline and continual efficiency improvement."
      },
      "topAreas": {
        "de": [
          "Energetische Bewertung",
          "Energie-Leistungskennzahlen (EnPI)",
          "Energieeinkauf und Auslegung",
          "Energie-Datenerfassung"
        ],
        "en": [
          "Energy review",
          "Energy performance indicators (EnPI)",
          "Energy procurement and design",
          "Energy data collection"
        ]
      }
    },
    {
      "id": "iso-22301",
      "name": {
        "de": "ISO 22301 Business Continuity",
        "en": "ISO 22301 Business Continuity"
      },
      "short": "ISO 22301",
      "domain": "security",
      "context": "b2b-typical",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 95,
      "hlsOverlapRatio": 0.6,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#0EA5E9",
      "icon": "life-buoy",
      "tagline": {
        "de": "Business Continuity und Wiederanlauf nach HLS.",
        "en": "Business continuity and recovery planning aligned to HLS."
      },
      "topAreas": {
        "de": [
          "Business Impact Analyse (BIA)",
          "Kontinuitätsstrategien",
          "Notfallpläne und Tests",
          "Wiederanlauf kritischer Aktivitäten"
        ],
        "en": [
          "Business impact analysis (BIA)",
          "Continuity strategies",
          "Response plans and exercises",
          "Recovery of critical activities"
        ]
      }
    },
    {
      "id": "iso-27701",
      "name": {
        "de": "ISO 27701 Datenschutz-Erweiterung",
        "en": "ISO 27701 Privacy Extension"
      },
      "short": "ISO 27701",
      "domain": "privacy",
      "context": "privacy-ext",
      "hlsCompliant": true,
      "clauseCount": 10,
      "baseEffortDays": 90,
      "hlsOverlapRatio": 0.58,
      "sectorOverlapFamily": "iso-mgmt-hls",
      "color": "#A855F7",
      "icon": "fingerprint",
      "tagline": {
        "de": "Datenschutz-Managementsystem aufbauend auf ISO 27001.",
        "en": "Privacy information management built on top of ISO 27001."
      },
      "topAreas": {
        "de": [
          "PIMS-spezifische Erweiterungen",
          "Rollen als Verantwortlicher und Auftragsverarbeiter",
          "Betroffenenrechte",
          "Datenschutz-Folgenabschätzung"
        ],
        "en": [
          "PIMS-specific extensions",
          "Controller and processor roles",
          "Data subject rights",
          "Data protection impact assessment"
        ]
      }
    },
    {
      "id": "dsgvo",
      "name": {
        "de": "DSGVO / GDPR",
        "en": "GDPR"
      },
      "short": "DSGVO",
      "domain": "privacy",
      "context": "regulatory",
      "hlsCompliant": false,
      "clauseCount": 99,
      "baseEffortDays": 70,
      "hlsOverlapRatio": 0.4,
      "sectorOverlapFamily": "privacy",
      "color": "#8B5CF6",
      "icon": "scale",
      "tagline": {
        "de": "EU-Datenschutzverordnung, rechtlich verbindlich.",
        "en": "EU data protection regulation, legally binding."
      },
      "topAreas": {
        "de": [
          "Verarbeitungsverzeichnis (VVT)",
          "Rechtsgrundlagen und Einwilligung",
          "Betroffenenrechte und DSAR",
          "Datenschutz-Folgenabschätzung"
        ],
        "en": [
          "Records of processing activities",
          "Legal basis and consent",
          "Data subject rights and DSAR",
          "Data protection impact assessment"
        ]
      }
    },
    {
      "id": "nis2",
      "name": {
        "de": "NIS2",
        "en": "NIS2"
      },
      "short": "NIS2",
      "domain": "security",
      "context": "regulatory",
      "hlsCompliant": false,
      "clauseCount": 10,
      "baseEffortDays": 120,
      "hlsOverlapRatio": 0.72,
      "sectorOverlapFamily": "security-sector",
      "color": "#243F93",
      "icon": "landmark",
      "tagline": {
        "de": "EU-Richtlinie für besonders wichtige und wichtige Einrichtungen.",
        "en": "EU directive for essential and important entities."
      },
      "topAreas": {
        "de": [
          "Risikomanagement-Maßnahmen nach Art. 21",
          "Meldepflichten an Behörden",
          "Lieferkettensicherheit",
          "Haftung der Geschäftsleitung"
        ],
        "en": [
          "Article 21 risk management measures",
          "Authority reporting obligations",
          "Supply chain security",
          "Management body accountability"
        ]
      }
    },
    {
      "id": "tisax",
      "name": {
        "de": "TISAX Automotive",
        "en": "TISAX Automotive"
      },
      "short": "TISAX",
      "domain": "security",
      "context": "sector",
      "hlsCompliant": false,
      "clauseCount": 7,
      "baseEffortDays": 110,
      "hlsOverlapRatio": 0.68,
      "sectorOverlapFamily": "security-sector",
      "color": "#F29400",
      "icon": "car",
      "tagline": {
        "de": "Branchenstandard der Automobilindustrie, auf VDA ISA basierend.",
        "en": "Automotive sector standard based on the VDA ISA catalogue."
      },
      "topAreas": {
        "de": [
          "Prototypenschutz",
          "Anbindung an OEM-Netze",
          "Klassifizierung nach Schutzbedarf",
          "Lieferanten-Selbstauskunft (VDA ISA)"
        ],
        "en": [
          "Prototype protection",
          "Connectivity to OEM networks",
          "Classification by protection level",
          "Supplier self-assessment (VDA ISA)"
        ]
      }
    },
    {
      "id": "dora",
      "name": {
        "de": "DORA Finanzsektor",
        "en": "DORA Financial Sector"
      },
      "short": "DORA",
      "domain": "sector-finance",
      "context": "regulatory",
      "hlsCompliant": false,
      "clauseCount": 5,
      "baseEffortDays": 130,
      "hlsOverlapRatio": 0.72,
      "sectorOverlapFamily": "security-sector",
      "color": "#059669",
      "icon": "banknote",
      "tagline": {
        "de": "EU-Verordnung für digitale operationelle Resilienz im Finanzsektor.",
        "en": "EU regulation for digital operational resilience in finance."
      },
      "topAreas": {
        "de": [
          "IKT-Risikomanagement-Rahmen",
          "IKT-Vorfall-Reporting an BaFin",
          "Threat-Led Penetration Testing (TLPT)",
          "Drittparteien-IKT-Risikomanagement"
        ],
        "en": [
          "ICT risk management framework",
          "ICT incident reporting to regulators",
          "Threat-led penetration testing (TLPT)",
          "Third-party ICT risk management"
        ]
      }
    },
    {
      "id": "soc-2",
      "name": {
        "de": "SOC 2",
        "en": "SOC 2"
      },
      "short": "SOC 2",
      "domain": "security",
      "context": "us-market",
      "hlsCompliant": false,
      "clauseCount": 5,
      "baseEffortDays": 100,
      "hlsOverlapRatio": 0.65,
      "sectorOverlapFamily": "security-sector",
      "color": "#0891B2",
      "icon": "file-check",
      "tagline": {
        "de": "US-Prüfstandard der AICPA für SaaS- und Cloud-Anbieter.",
        "en": "US AICPA attestation standard for SaaS and cloud providers."
      },
      "topAreas": {
        "de": [
          "Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)",
          "Kontrolldokumentation und Evidence",
          "Type I vs Type II Prüfung",
          "CPA-Auditor-Zusammenarbeit"
        ],
        "en": [
          "Trust service criteria (security, availability, confidentiality, processing integrity, privacy)",
          "Control documentation and evidence",
          "Type I vs Type II attestation",
          "CPA auditor collaboration"
        ]
      }
    }
  ]
}