Deliverable D4.2
Results of the UI-UX requirements analysis and the work processes – 2
Editor(s): Angela Fessl, Katharina Stefan
Responsible Partner: Know Center Research GmbH
Status-Version: Final – 1.0
Date: 30.04.2025
Type: R
Distribution level (SEN, PU): PU
D4.2 Results of the UI-UX requirements analysis and the work processes – 2. Version 1.0 – Final. Date: 30.04.2025
© EMERALD Consortium, Contract No. GA 101120688. Page 2 of 128
www.emerald-he.eu
Project Number: 101120688
Project Title: EMERALD
Title of Deliverable: D4.2 Results of the UI-UX requirements analysis and the work processes – 2
Due Date for Delivery to the EC: 30.04.2025
Workpackage responsible for the Deliverable: WP4 - User interaction and user experience development
Editor(s):
Angela Fessl, Katharina Stefan (KNOW)
Contributor(s):
Simone Franza, Leonie Disch (KNOW)
Björn Fanta, Franz Deimling, (FABA)
Julius Holderer (IONOS)
Ramon Martin de Pozuelo, Marti Fabrega I Pous (CXB)
Natalia Sobieska (CF)
Mika Leskinen, An i Kan e o (NIXU/DNV)
Reviewer(s):
Olivia Kagerer (FABA)
Juncal Alonso, Cristina Martínez (TECNALIA)
SAB Reviewer(s):
Samu Nisula (NIXU/DNV)
Marti Fabrega (CXB)
Björn Fanta (FABA)
Sebastian Kucharski (CF)
Ali Nikoukar (IONOS)
Constantino Vázquez (ONS)
Approved by: All Partners
Recommended/mandatory readers: WP1, WP2, WP3, WP5, WP6
Abstract: Final version of the report on the elicited UI-UX requirements from the target group. Work processes and workflows that should be covered with the user interface concept, and final personas and scenarios.
Keyword List: UI/UX Requirements, Works Processes, Personas, Scenarios
Licensing information: This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.
Document Description
Version | Date | Modifications Introduced: Modification Reason | Modifications Introduced: Modified by
0.1 | 23.03.2025 | First draft version | Angela Fessl, Katharina Stefan (KNOW)
0.1 | 01.04.2025 | QA review | Olivia Kagerer (FABA)
0.2 | 02.04.2025 | Feedback integration of QA review | Angela Fessl, Katharina Stefan (KNOW)
0.3 | 03.04.2025 | Feedback integration and review with TECNALIA | Cristina Martinez (TECNALIA)
0.4 | 03.04.2025 | Feedback integration of TECNALIA review | Angela Fessl, Katharina Stefan (KNOW)
0.5 | 03.04.2025 | SAB Review | Samu Nisula (NIXU/DNV), Marti Fabrega (CXB), Björn Fanta (FABA), Sebastian Kucharski (CF), Ali Nikoukar (IONOS), Constantino Vázquez (ONS)
0.6 | 14.04.2025 | SAB Review Integration | Angela Fessl (KNOW)
0.7 | 22.04.2025 | Final Review | Juncal Alonso, Cristina Martínez (TECNALIA)
0.8 | 23.04.2025 | Addressing the comments from Final Review | Angela Fessl (KNOW)
1.0 | 30.04.2025 | Submitted to the European Commission | Juncal Alonso, Cristina Martínez (TECNALIA)
Table of contents
Terms and abbreviations
Executive Summary
1 Introduction
1.1 About this deliverable
1.2 Document structure
1.3 Updates from D4.1
2 Methodology
2.1 Interactive Interview Session
2.2 Interviews
2.3 Focus Groups & Process Workshops
2.4 Personas & Scenarios Workshops
3 Results of the Interactive Interview Session
4 Work Processes
4.1 Work Processes in Workflow Representation
4.2 Work Processes of Compliance and Security Managers per Pilot Partner
4.2.1 Pilot 1: IONOS
4.2.2 Pilot 2: CloudFerro (CF)
4.2.3 Pilot 3: Fabasoft (FABA)
4.2.4 Pilot 4: CaixaBank (CXB)
4.2.5 Auditors (NIXU/DNV)
4.2.6 Compliance Manager (NIXU/DNV)
4.3 Blueprint for introducing EMERALD in audit preparation
5 Personas, Personas-on-the-go and Scenarios
5.1 Riley – Cloud Service Provider Compliance Manager
5.1.1 Scenario A: Riley – Managing a New Audit Scope
5.1.2 Scenario B: Riley – Manage all Controls of an Audit Scope
5.1.3 Scenario C: Riley – Uncover all “blind spots”
5.1.4 Scenario D: Riley – Updating a certification scheme
5.1.5 Scenario E: Riley – Accompanying an Audit
5.2 Emerson - Compliance Manager in Financial Service Institution
5.2.1 Scenario: Emerson – Bring Your Own Certification Scheme
5.3 Dylan – Internal Control Owner
5.3.1 Scenario: Dylan – Internal Control Owner Control Implementation
5.4 Morgan – Technical Implementer
5.4.1 Scenario A: Morgan – Checking Metrics and Evidence
5.4.2 Scenario B: Morgan – Removal of Metric
5.5 Charlie – Internal Auditor
5.5.1 Scenario: Charlie – Preparation of an Audit by an Internal Auditor
5.6 Jarkko – Lead Auditor
5.6.1 Scenario A: Jarkko – Scoping
5.6.2 Scenario B: Jarkko – Preparing for Audit
5.6.3 Scenario C: Jarkko – Organizational Audit
5.6.4 Scenario D: Jarkko – Certification
5.7 Eero – Technical Auditor
5.7.1 Scenario A: Eero – Technical Audit
5.7.2 Scenario B: Eero – Reporting
6 UI/UX Requirements (version 2)
6.1 Newly Added UI/UX Requirements since M9
7 Conclusions
8 References
9 APPENDIX A: Interview Documents
9.1 Interview Guideline
9.2 Participant Information Sheet
9.3 Consent Form
9.4 Data Protection Information
10 APPENDIX B: Original User Scenario Descriptions
10.1 Scenarios Riley
10.2 Scenario Emerson
10.3 Scenario Dylan
10.4 Scenario Morgan
10.5 Scenario Charlie
10.6 Scenarios Jarkko
10.7 Scenarios Eero
11 APPENDIX C: UI/UX Requirements elicited before M9
List of Tables
TABLE 1. OVERVIEW OF DELIVERABLE UPDATES WITH RESPECT TO D4.1
TABLE 2. OVERVIEW OF THE CONDUCTED INTERVIEWS
TABLE 3. OVERVIEW OF THE CONDUCTED FOCUS GROUPS AND PROCESS WORKSHOPS
TABLE 4. OVERVIEW OF ALL PERSONA AND SCENARIO WORKSHOPS
TABLE 5. STATUS OVERVIEW OF THE DEVELOPMENT OF PERSONAS, SCENARIOS AND USER JOURNEYS
TABLE 6. ANSWERS GIVEN TO Q1: “HOW DO THE CURRENT AUDIT PREPARATION PROCESSES LOOK LIKE FOR YOUR PILOT?”
TABLE 7. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q2: “WHAT ARE THE “PAIN POINTS” FOR YOUR CURRENT AUDIT PROCESS?”
TABLE 8. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q3: “ARE THERE ANY SPECIFIC TASKS TO BE SOLVED BY EMERALD?”
TABLE 9. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q4: “HOW CAN EMERALD HELP MITIGATE THESE “PAIN POINTS”? EXPECTATIONS?”
TABLE 10. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q5: “WHAT TOOLS ARE YOU CURRENTLY USING FOR THE AUDITS IN YOUR PILOT?”
TABLE 11. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q6: “WHICH CERTIFICATION SCHEMES ARE YOU AS PILOT INTERESTED IN?”
TABLE 12. PRESENTATION OF ALL SHAPES USED IN THE WORKFLOW REPRESENTATION OF THE AUDIT PREPARATION PROCESSES
TABLE 13. STATUS OF THE UI/UX REQUIREMENTS REGARDING THE CLICKABLE PROTOTYPE
List of figures
FIGURE 1. OVERALL METHODOLOGY APPLIED IN WP4
FIGURE 2. IONOS – SIMPLE PROCESS REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 3. IONOS – WORKFLOW REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 4. IONOS – SIMPLE PROCESS REPRESENTATION WITH EMERALD SUPPORT
FIGURE 5. IONOS – WORKFLOW REPRESENTATION WITH EMERALD SUPPORT
FIGURE 6. CLOUDFERRO – SIMPLE PROCESS REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 7. CLOUDFERRO – WORKFLOW REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 8. CLOUDFERRO - SIMPLE PROCESS REPRESENTATION WITH EMERALD SUPPORT
FIGURE 9. CLOUDFERRO - WORKFLOW REPRESENTATION WITH EMERALD SUPPORT
FIGURE 10. FABASOFT – SIMPLE PROCESS REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 11. FABASOFT – WORKFLOW REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 12. FABASOFT – SIMPLE PROCESS REPRESENTATION WITH EMERALD SUPPORT
FIGURE 13. FABASOFT - WORKFLOW REPRESENTATION WITH EMERALD SUPPORT
FIGURE 14. CAIXABANK – SIMPLE PROCESS REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 15. CAIXABANK – WORKFLOW REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 16. CAIXABANK – SIMPLE PROCESS REPRESENTATION WITH EMERALD SUPPORT
FIGURE 17. CAIXABANK – WORKFLOW REPRESENTATION WITH EMERALD SUPPORT
FIGURE 18. NIXU/DNV – SIMPLE PROCESS REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 19. NIXU/DNV – WORKFLOW REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 20. NIXU/DNV – SIMPLE PROCESS REPRESENTATION WITH EMERALD SUPPORT
FIGURE 21. NIXU/DNV - WORKFLOW REPRESENTATION WITH EMERALD SUPPORT
FIGURE 22. NIXU/DNV CM – SIMPLE PROCESS REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 23. NIXU/DNV CM – WORKFLOW REPRESENTATION WITHOUT EMERALD SUPPORT
FIGURE 24. NIXU/DNV CM – SIMPLE PROCESS REPRESENTATION WITH EMERALD SUPPORT
FIGURE 25. NIXU/DNV CM - WORKFLOW REPRESENTATION WITH EMERALD SUPPORT
FIGURE 26. EMERALD BLUEPRINT WORKFLOW REPRESENTATION - PART 1
FIGURE 27. EMERALD BLUEPRINT WORKFLOW REPRESENTATION – PART 2
FIGURE 28. EMERALD BLUEPRINT WORKFLOW REPRESENTATION – PART 3
FIGURE 29. OVERVIEW OF THE THREE STAKEHOLDER GROUPS AND THE RESPECTIVE PERSONAS
FIGURE 30. RILEY – CLOUD SERVICE COMPLIANCE MANAGER
FIGURE 31. PERSONA-ON-THE-GO FOR RILEY – CLOUD SERVICE COMPLIANCE MANAGER
FIGURE 32. RILEY – UPDATING A CERTIFICATION SCHEME
FIGURE 33. EMERSON – COMPLIANCE MANAGER IN FINANCIAL SERVICE INSTITUTION
FIGURE 34. PERSONA-ON-THE-GO FOR EMERSON – COMPLIANCE MANAGER IN FINANCIAL SERVICES
FIGURE 35. DYLAN – INTERNAL CONTROL OWNER
FIGURE 36. PERSONA-ON-THE-GO FOR DYLAN – INTERNAL CONTROL OWNER
FIGURE 37. MORGAN – TECHNICAL IMPLEMENTER
FIGURE 38. PERSONA-ON-THE-GO FOR MORGAN – TECHNICAL IMPLEMENTER
FIGURE 39. SCENARIO B: MORGAN – REMOVAL OF METRIC
FIGURE 40. CHARLIE – AUDITOR
FIGURE 41. PERSONA-ON-THE-GO: CHARLIE – INTERNAL AUDITOR
FIGURE 42. JARKKO – LEAD AUDITOR
FIGURE 43. PERSONA-ON-THE-GO FOR JARKKO – LEAD AUDITOR
FIGURE 44. EERO – TECHNICAL AUDITOR
FIGURE 45. PERSONA-ON-THE-GO FOR EERO – TECHNICAL AUDITOR
FIGURE 46. SCENARIO A: RILEY – MANAGING A NEW AUDIT SCOPE
FIGURE 47. SCENARIO B: RILEY – MANAGE ALL CONTROLS OF AN AUDIT SCOPE
FIGURE 48. SCENARIO C: RILEY – UNCOVER ALL “BLIND SPOTS”
FIGURE 49. SCENARIO E: RILEY – ACCOMPANYING AN AUDIT
FIGURE 50. EMERSON – BRING YOUR OWN CERTIFICATION SCHEME
FIGURE 51. DYLAN – INTERNAL CONTROL OWNER CONTROL IMPLEMENTATION
FIGURE 52. SCENARIO A: MORGAN – CHECKING METRICS AND EVIDENCE
FIGURE 53. SCENARIO 3: CHARLIE – PREPARATION OF AN AUDIT BY AN INTERNAL AUDITOR
FIGURE 54. SCENARIO A: JARKKO – SCOPING
FIGURE 55. SCENARIO B: JARKKO – PREPARING FOR AUDIT
FIGURE 56. SCENARIO C: JARKKO – ORGANIZATIONAL AUDIT
FIGURE 57. SCENARIO D: JARKKO - CERTIFICATION
FIGURE 58. SCENARIO A: EERO – TECHNICAL AUDIT
FIGURE 59. SCENARIO B: EERO - REPORTING
Terms and abbreviations
AI: Artificial Intelligence
AMOE: Bring Your Own Certification Scheme
BSI: Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)
C5: Cloud Computing Compliance Criteria Catalogue
CaaS: Compliance-as-a-Service¹
CM: Compliance Manager
CSP: Cloud Service Provider
CSV: Comma-separated value
DoA: Description of Action
DORA: Digital Operational Resilience Act
EC: European Commission
ECB: European Central Bank
EUCS: European Union Cybersecurity Certification Scheme for Cloud Services
GA: Grant Agreement of the project
GDPR: General Data Protection Regulation
GUI: Graphical User Interface
IaaS: Infrastructure as a Service
ICO: Internal Control Owner
ISO: International Organization for Standardization
KPI: Key Performance Indicator
KR: Key Result
MARI: Mapping Assistant for Regulations with Intelligence
MS Teams: Microsoft Teams
RCM: Repository of Controls and Metrics
SaaS: Software as a Service
SAB: Security Advisory Board
SO: Service Owner
SOC: Security Operations Center frameworks
SP: Service Provider
TRL: Technology Readiness Level
UI: User Interface
UNED: Universidad Nacional de Educación a Distancia (National University of Distance Education)
UX: User Experience
¹ Please note that in previous deliverables and in the DoA, the term Certification-as-a-Service was used to stand for CaaS. Compliance has now been introduced to clarify that EMERALD can be used to assess both normative models and internal organizational models.
2 Methodology
The overall methodology of WP4 follows a co-design, participatory and contextual design approach (see [3], [4], [5], [6]) using different methods such as interviews, focus groups, and workshops. Such a co-design approach aims at bridging the gap between technology designers, developers, and target users. Terms like co-design, participatory and contextual design highlight similar concepts, emphasizing the active involvement of all stakeholders to meet both the individual and organizational needs [7]. Participatory design is also seen as an emancipatory act, allowing users to have a say in the tools they use [6]. Co-creation involves shared creativity [5], while co-design applies this creativity throughout the entire design process. Active user participation throughout development is encouraged, creating a hybrid space that combines user and developer attributes. This shift from “user as subject” to “user as partner” has changed stakeholder roles [5], with users potentially becoming meta-designers and researchers acting as facilitators. Co-design is characterized by iterative learning processes involving all stakeholders.
Goal: We have decided to use co-design as an overall methodology for the WP4 activities. We see this approach as a viable means to bridge the gap between EMERALD technology partners and EMERALD pilot partners to develop a sophisticated EMERALD UI/UX. Thereby, the aim of the co-design is:
• to get a good understanding of the underlying processes and workflows regarding the preparation and implementation of audits and the certification of cloud services,
• to elicit a set of requirements for developing the EMERALD UI/UX,
• to develop personas, scenarios, and user journeys (presented in D4.3 [8] and D4.4 (M24)), and
• to develop a full-featured clickable prototype of the EMERALD UI.
We conducted the elicitation process iteratively to continuously involve the target groups throughout the different activities and processes, gather their feedback and insights, and allow their input to be integrated on the fly. The final goal is to design a sophisticated EMERALD UI that integrates the needs of all involved parties (pilot partners – compliance managers, security managers, internal auditors; auditors – external and technical auditors; and component owners).
The methodology we followed, and the corresponding results derived are depicted in Figure 1. First, we conducted an interactive interview session at the first face-to-face general assembly in Bilbao, in March 2024. The aim was to get insights about the pilot partners, their pain points and needs during setting-up and conducting audit processes. The results are presented in Section 3. Then we performed semi-structured interviews with the target users, including auditors, compliance managers, and security managers from the different pilot partners and external auditors, which were followed by doing online focus groups. This activity resulted in simple processes for all involved partners. We did a second review round in form of process workshops after we had transformed all simple processes into workflow representations. Then, we developed a general blueprint that is valid for all pilots. The simple processes as well as the workflow representations are presented in Section 4. After the first round of interviews and focus groups, we conducted several online workshops in June 2024 and September 2024 for the development of personas, scenarios and user journeys. In Section 5, we present the final set of personas and scenarios (the user journeys are presented in D4.3 [8] and D4.4 (M24)). From all collected insights of the activities, we developed a set of 25 UI/UX requirements for developing the EMERALD UI, which are presented in Section 6.
2.1 Interactive Interview Session
The interactive interview session was conducted at the general assembly in Bilbao, in March 2024. The goal of this session was to get insights about the pilot partners, their pain points, and their needs during setting-up and conducting audit processes, as well as to get first ideas or insights on where the EMERALD UI could support them. A set of six questions was prepared:
• Q1: How do the current audit preparation processes look like for your pilot?
• Q2: What are the “pain points” for your current audit process?
• Q3: Are there any specific tasks to be solved by EMERALD?
• Q4: How can EMERALD help mitigate these “pain points”? Expectations?
• Q5: What tools are you currently using for the audits in your pilot?
• Q6: Which certification schemes are you as pilot interested in?
Procedure
This interview session was conducted in the whole plenum of the general assembly in Bilbao. At the beginning of the interview session, the idea of the session was introduced to the whole consortium. After all pilot partners agreed to participate, they were asked to answer the above questions one after the other. Additionally, all EMERALD partners in the meeting had the opportunity to ask further questions of interest.
The interactive interview session was recorded, later on transcribed, and qualitatively analysed. The results of this session can be found in Section 3.
2.2 Interviews
The overall goal of the interviews was twofold: First, with the interviews we aimed to get a deeper understanding of how the audit preparation processes of the pilot partners and the audit processes of the external auditors (NIXU/DNV) took place. In the context of EMERALD [2], the target groups are, on the one hand, the pilot partners, and particularly those employees who are responsible for preparing and ensuring compliance with cybersecurity standards in the respective organisations. These employees consist of (internal) auditors, chief information security managers, compliance managers, security managers, etc. The second target group is (external) auditors, i.e., auditors who are assigned to conduct the cybersecurity audits within the scope of an official audit. Second, the interviews helped us to elicit requirements for the development of the EMERALD UI/UX.
[Figure 1. Overall methodology applied in WP4]
In more detail, the goal of the interviews is to elicit in-depth insights about the work of auditors, compliance managers (CM), and (chief information) security managers in relation to continuous cloud auditing processes. With the interviews we aimed to get: i) a good understanding of the work of our target users in general, ii) activities and tasks relevant to the certification process of cloud computing systems, iii) insights on how EMERALD could support these working activities, iv) insights about the target users’ expectations regarding the EMERALD UI, v) insights about existing pain points, and vi) information about the users’ background knowledge, especially regarding artificial intelligence (AI) (as some parts of EMERALD will use AI technologies). By analysing the given answers, we were able to elicit a first set of UI requirements.
Accordingly, we prepared an interview guideline covering the following topics: i) questions to obtain general information about the participants, including their background (education) and their role in the company including the respective activities, ii) questions about the workflows of the audit preparation, iii) questions about how EMERALD could support them, and iv) questions about AI in general and AI literacy in specific. To comply with the current GDPR, we also prepared an information sheet for participants, which provided interviewees with all relevant information about the interview, including the data protection. We also prepared a consent form that allowed us to obtain the written consent from the participants to use the interview results. In addition, we provided a data protection information sheet. All prepared documents can be found in APPENDIX A: Interview Documents and were also added to the EMERALD D7.2 deliverable [9].
Procedure
To invite our respective target groups, we contacted the EMERALD pilot partners and the external auditors and asked them to bring us in contact with their (internal) auditors, compliance managers and information security managers. We scheduled an interview appointment with all interviewees. In advance, we sent them the participant information sheet and the data protection sheet and gave them the possibility to clarify any open questions. We then asked them to sign the consent form and send it back to us.
All but one of the interviews were conducted via MS Teams, recorded, and later transcribed. One of the interviews was conducted offline – meaning that CaixaBank received the interview guideline from us and collected the answers from their Information Security Governance team in a written way.
The primary interview data was analysed through qualitative content analysis, following Glaeser and Laudel [10]. The basic procedure consists of understanding and interpreting the collected texts (interview transcripts) in a systematic and rule-based way. The aim of this analysis is to uncover the workflows and processes on how to prepare for an audit, existing pain points, how the EMERALD UI might help, and to derive concrete requirements for the EMERALD UI/UX development. The results were condensed into one slide set per pilot partner. These slide sets were sent out to the respective partners in preparation for the planned focus groups (see Section 2.3).
Altogether, we have conducted 8 interviews in the timespan of March 2024 to February 2025 with compliance managers, security managers and auditors, as depicted in Table 2.
Table 2. Overview of the conducted interviews
Pilot Partners | Participants | Type
IONOS | 1 interview with a leader of the security management team | Online in MS Teams
IONOS | 1 interview with a security manager | Online in MS Teams
CloudFerro | 1 Interview with a compliance manager | Online in MS Teams
CloudFerro | 1 Interview with a security manager | Online in MS Teams
Fabasoft | 1 Interview with 3 compliance managers | Online in MS Teams
CaixaBank | 1 (written) interview with the information security governance team | Written interview answers
NIXU/DNV | 1 Interview with 3 auditors | Online in MS Teams
NIXU/DNV | 1 interview with a compliance manager | Online in MS Teams
2.3 Focus Groups & Process Workshops
To complement the interviews, we held a focus group per pilot, where all interviewees or
partners from the respective pilot or external auditors from NIXU/DNV participated in, allowing
for an in-depth discussion on the derived results and clarification of any possible
misunderstandings.
Focus groups can typically be seen as group interviews but guided by specific triggers for
discussion [11]. In our case, the triggers were the consolidated results of the individual
interviews, which consisted of a summary of the general insights gained from the interactive
interview session of the general assembly in Bilbao (March 2024), the processes derived from
the individual interviews, and our interpretation of where the EMERALD UI could offer support.
These processes were presented in a simple process format.
In the next step, we further improved and enhanced the elicited processes. First, we transferred
the simple processes into workflow representations – one covering the status quo and one
covering the status of how the process would look like with the EMERALD UI. Then, we set up a
series of process workshops with all pilot partners and the external auditors to perform another
review round on the processes. Finally, we were able to derive a blueprint process serving as an
overall EMERALD process for all pilot partners.
Procedure
To set up a focus group, we contacted the pilot partners and the interview participants via email.
In this email, we invited the participants to an online focus group and attached the
corresponding slide set with our interview findings. Additionally, the participants were asked to
go through the slide set before the focus group was scheduled to ensure they could provide us
with valuable feedback and additional details beyond the already collected data.
During the focus group, we guided the participants through the prepared slide set and asked for
concrete input and feedback. This time, the discussion was not recorded, but notes were taken.
After the focus group, the slide set with the processes was adapted with all gained insights and
sent out again to the respective focus group participants.
We have conducted 4 focus groups as depicted in Table 3. The explicit focus group with IONOS
was omitted (as it took some time to do the second interview) and instead combined with the
final workshop for the process validation.
Table 3. Overview of the conducted focus groups and process workshops
| Pilot | Participants | Type |
|---|---|---|
| CloudFerro | 1 focus group with the consortium member | Online in MS Teams |
| CloudFerro | 1 process workshop with the consortium member | Online in MS Teams |
| Fabasoft | 1 focus group with 1 compliance manager and 1 consortium member | Online in MS Teams |
| Fabasoft | 2 process workshops with the consortium members | Online in MS Teams |
| CaixaBank | 1 focus group with the pilot partners | Online in MS Teams |
| CaixaBank | 1 process workshop with the consortium member | Online in MS Teams |
| DNV/NIXU | 1 focus group with 1 compliance manager and the NIXU/DNV project manager from the consortium | Online in MS Teams |
| DNV/NIXU | 2 process workshops with the consortium members, an external auditor and a compliance manager | Online in MS Teams |
In the next step, we further improved and enhanced the first elicited simple processes. For each
pilot partner and the auditors, we transferred the manual process, and the process enhanced
with the EMERALD solution into the two respective workflow representations. As a result, we
created for each pilot partner and the auditors an individual Miro⁴ board, where we included
both processes. Additionally, we added a first version of the blueprint, where we tried to
combine all different processes into one that should be valid for all pilot partners. Afterwards,
we sent the pilot partners and the auditors an email with the link to the boards and asked them
to go through the processes and gather feedback.
We set up individual process workshops (February/March 2025) with the pilot partners and
auditors, as presented in Table 3, where we went through the processes together to see what
to improve, we integrated the collected feedback and adapted the processes accordingly.
Additionally, we asked all invited parties to have a final look at the processes to confirm that
they were ok for them. These activities resulted in the final definition of the processes for the
pilot partners and the auditors: the current “as-is” process, and the process with EMERALD
support. Additionally, a blueprint process that is valid for all pilot partners was created. This
blueprint could be of interest to other companies who would like to use the EMERALD solution
to support their audit preparation processes. The final processes per pilot partner and auditors,
and the blueprint are presented in Section 4.
2.4 Personas & Scenarios Workshops
Based on the insights gained from the interviews and the focus groups, e.g., what the audit
preparation processes and audits in general look like, which persons and roles are involved in
these processes and what information is needed, a first Personas and Scenarios workshop was
organised. The goal of this workshop was to develop detailed personas and scenarios on how
the target groups will use the EMERALD UI and which functionalities should be available.
Personas are a goal-directed design tool introduced by Cooper [12]. A persona typically
represents a fictional individual or a representative group of persons with similar characteristics
(see [13], [14]). They are often described in a narrative way to make the person seem authentic
and to provide the needs of these individuals in the related context [15]. Personas are typically
used in combination with scenarios. Scenarios describe, in a narrative way, how target users will
ideally interact with the developed technology [16]. After developing personas and scenarios,
user journeys [17] are another design method to help understand the interaction between a
user and a technology. The initial user journeys have been presented in D4.3 [8] and the final
user journeys will be presented in D4.4 (M24).
⁴ https://miro.com/
Overall, defining personas and engaging in scenarios helps to gain a deeper understanding of
the users, their tasks, and their interactions with the system. The results of the workshops
should tailor the UI/UX of EMERALD to the specific needs of the users (e.g., compliance
managers and auditors). The aim is to clarify how the different user groups will interact with the
EMERALD UI during different working activities and tasks. Furthermore, this will help gathering
information on the functionalities to be provided in the EMERALD UI.
Altogether, we have conducted four workshops based on the insights gained from the interviews
and focus groups, as presented in Table 4. In the two workshops held in June 2024, we were
able to derive four personas and three scenarios. As the development of the personas and
scenarios was not completed, we set up again two other workshops in autumn 2024. One
workshop with NIXU/DNV to create auditor-specific personas and scenarios, and another with
the EMERALD consortium partners to finalize and expand existing work. Finally, we developed
seven personas across three stakeholder groups and 16 scenarios.
Table 4. Overview of all Persona and Scenario Workshops
| Personas & Scenario Workshop | Date | Type | Workshop Results |
|---|---|---|---|
| Personas & Scenarios Workshop Part I | 05.06.2024 | Online in MS Teams | Development of 4 Personas: Emerson, Riley, Dylan, Charlie |
| Personas & Scenarios Workshop Part II | 12.06.2024 | Online in MS Teams | Development of 3 Scenarios for Emerson, Dylan, Charlie |
| Personas & Scenarios Workshop with NIXU/DNV | 13.08.2024 | Online in MS Teams | Development of 2 Personas and 2 Scenarios for Jarkko and Eero |
| Personas & Scenarios Workshop Part III | 07.10.2024 | Online in MS Teams | Development of 1 additional Persona, Morgan, and all missing scenarios |
Once all the relevant personas and scenarios were elaborated and well defined, we derived from
them the so-called “personas-on-the-go”. “Personas-on-the-go” provide a very concise, precise
summary of our personas, highlighting key characteristics in a brief description. These ensure
that target users and external audiences can quickly understand the purpose and needs of the
personas in relation to the EMERALD UI. All personas, the respective scenarios and the
“personas-on-the-go” are presented in Section 5.
Procedure
To invite participants to the workshop, we contacted the pilot partners and all members of WP4
and WP5 by email. All Personas & Scenarios Workshops were conducted online using MS Teams.
To facilitate collaboration, we used Miro, an online collaborative whiteboard.
Below, we describe all Persona & Scenarios Workshops done in more detail:
Workshop Part I: The first part of the workshop was attended by 11-14 participants. The agenda
was as follows: first, we introduced how to use the Miro Board. Then, we set the stage and goal
of the workshop and invited the participants to take part in an activity, namely, to note down
their expectations towards the workshop shortly. Afterwards, we presented a summary of the
work processes elicited from the different pilot partners’ interviews. Having this information in
mind (and on the Miro board), we divided the participants into four groups. Each group was
asked to create a persona, using a predefined persona template, representing one of the
target-users of the EMERALD Project.
The persona template consisted of three parts with several sub-topics:
• About the persona: This part includes private information, occupation, goal, and other characteristics.
• What do I do: This section collects working tasks, motivation and goals at work, frustrations and pain points.
• Contacts: Information about departments and roles the persona is working with.
• Work context: This covers information about day-to-day tasks, and where the EMERALD UI could help.
Workshop Part II: The second part of the workshop was attended by eleven participants. The
agenda was as follows: first, we made a short recap of the first part of the workshop by briefly
summarizing the four personas developed. Second, we introduced scenarios and user stories as
co-design method in general. Then, we presented 6 pre-defined scenarios as starting points.
Afterwards, we divided the participants into three groups and asked them to create a scenario
for the persona they had developed in the first workshop. They could use one of the pre-defined
scenarios as a starting point. After developing the scenario, they were asked to break it down
into different steps to determine how the persona would interact with the EMERALD UI and to
discuss these user stories in relation to the pre-defined mock-ups.
The activities of both workshops resulted in four personas: Emerson – Compliance Manager in
Financial Services, Riley – Cloud Provider Compliance Manager, Dylan – Internal Control Owner,
Charlie – Internal Auditor, and three scenarios: Scenario 1: Emerson – Bring your own
certification scheme, Scenario 2: Dylan – ICO Requirement Implementation and Scenario 3:
Charlie – Preparation of an audit by an internal auditor.
Persona & Scenario Workshop with NIXU/DNV: The Workshop with NIXU/DNV was held in
August 2024. This workshop was conducted online in MS Teams, and we used Miro again to
facilitate the collaboration.
Before the workshop, we enhanced the already existing EMERALD Miro board to develop
auditor personas. We held a short meeting with the colleagues from NIXU/DNV and explained
what we would like to have and how to use the Miro Board. We also explained the two templates
we had prepared for the development of personas and scenarios that we used in the previous
workshops. Subsequently, we asked them to develop necessary personas and define respective
scenarios for each persona themselves. Afterwards, we held a workshop to go through the
personas and the respective scenarios and to discuss and refine them in detail. These activities
resulted in two new personas – Jarkko – Lead auditor in a consulting company and Eero –
Technical auditor in a consulting company.
Final Personas & Scenarios Workshop Part III: The final workshop was attended by twelve
participants. Before inviting all EMERALD partners to the third persona & scenario workshop,
we read D5.1 – Pilot definition, set-up & validation plan [18]. The goal was to investigate which
additional stakeholders were involved within the pilot definitions and set-up (see D5.1 [18],
Section 2). We created a table with all involved stakeholders mentioned in the pilot definitions
and discussed with the consortium which of them are relevant to EMERALD. Subsequently, we
agreed on a list representing all EMERALD stakeholders and identified, which of them are still
missing. This served as a starting point for the final workshop where we prepared a Miro board
with a structured template. We highlighted the still missing gaps regarding one persona, several
scenarios and user journeys. The corresponding templates were documented in D4.1 [1] – Figure
2 and D4.3 [8], Figure 2.
Table 5 reflects the final status upon completion of all workshops. Additionally, we developed a
first set of user journeys for the respective personas which will be presented in D4.4 – User
Interaction and User Experience Concept – 2 (M24). These user journeys are closely tied to the
scenarios and the ongoing development of the EMERALD UI and are therefore under
continuous development.
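Table 5. Status Overview of the Development of Personas, Scenarios and User Journeys
| | Roles | Notes | Personas | Scenarios | User Journeys |
|---|---|---|---|---|---|
| Compliance Stakeholders | Compliance Manager | UI/UX: they will be merged in one role in the EMERALD UI | Riley | done | in progress |
| Compliance Stakeholders | Compliance Manager for financial services | UI/UX: they will be merged in one role in the EMERALD UI | Emerson | done | in progress |
| Compliance Stakeholders | Internal Control Owner | - | Dylan | done | in progress |
| Technical Stakeholder | Technical Implementer | One role covering all technical roles including the metric implementer, developers, etc. (Old name: Metric Implementor) | Morgan | done | in progress |
| Auditor Stakeholders | Internal Auditor | - | Charlie | done | in progress |
| Auditor Stakeholders | External Lead Auditor | UI/UX: they will be merged in one role in the EMERALD UI | Jarkko | done | in progress |
| Auditor Stakeholders | External Technical Auditor | UI/UX: they will be merged in one role in the EMERALD UI | Eero | done | in progress |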
Gender-bias in Personas and Scenarios
It is known from literature that gender bias during technology development is a problem
because women are often under-represented in design teams and in co-creation and co-design
processes (see [19], [20], [21]). With regard to personas, several strategies on how to mitigate
gender bias during the development of personas and scenarios exist – one of them is to use
gender-neutral personas (see [22], [23]) and to formulate scenarios in a gender-neutral way.
Therefore, we created a list of gender-neutral names to use during the workshops, and did not
ask for a specific gender in the persona template. Afterwards, all gender-specific formulations
were removed (e.g., all wording referring to he/she was replaced with they).
To make the development of the personas more fun for the participants, we asked them to
create a profile picture for each persona. Originally, we planned to remove the profile pictures
from the final personas. However, instead of removing the profile pictures, we made them
gender-neutral for several reasons.
• Inclusivity: Gender-neutral personas ensure that all users, regardless of gender identity, feel represented and considered in design and decision-making processes [23].
• Avoiding Bias: Gendered personas can reinforce stereotypes, such as associating certain roles or behaviours with specific genders. Neutral figures help prevent these biases.
• Flexibility: Gender-neutral personas can be more universally applicable, allowing stakeholders to focus on user needs, behaviours, and challenges rather than gender-based assumptions [23].
• Encouraging Diversity: They foster a more diverse and equitable approach to problem-solving, ensuring that solutions do not unintentionally exclude or disadvantage any group [23].
• Reflecting Reality: Many real-world scenarios involve individuals whose gender is not immediately relevant or who identify outside the binary. Gender-neutral personas acknowledge this diversity [24].
Using gender-neutral profile pictures makes personas and scenarios more inclusive, adaptable,
and effective in addressing a broad range of users’ needs. Therefore, we decided to keep the
profile pictures.
3 Results of the Interactive Interview Session
The interactive interview session was conducted per pilot at the general assembly in Bilbao
(March 2024). The results are presented below as follows: first, for each question a short
summary is presented, followed by a table summarizing the results of all pilots in more detail.
Q1: How do the current audit preparation processes look like for your pilot?
All pilot partners described the audit preparation processes very similarly. Audits take place
yearly up to every 4-5 years. The frequency of the audit depends on the type of the audit (e.g.,
some audits take place yearly, some only every 2-3 years) and the standard that is audited.
Typically, the preparation for an audit is a repetitive and time-consuming manual process that
involves many people from different departments, as described in Table 6.
Table 6. Answers given to Q1: “How do the current audit preparation processes look like for your pilot?”
Pilot 1: IONOS
• repetitive manual processes
• involvement of various teams
• rely on external consultancy companies
• based on a spreadsheet → turned into tickets
• documents such as employee certifications, need to be formalized and presented
Pilot 2: CloudFerro
• multiple audits yearly
• time-consuming
• audits last 2-4 days
• significant preparation time
• manual preparation of procedures, policies, and documentation
Pilot 3: Fabasoft
• traditional audits: not always able to deal with automatically collected evidence or digital support of the steps
• automatically collected pre-processed evidence has to be presented as manual evidence
• auditors are able to have the evidence chains
• many people involved in preparing the audit and during the audit
• major tool: spreadsheet
• create a huge number of tickets and issues that need to be addressed by a lot of people
Pilot 4: CaixaBank
• pilot covers several environments
• continuous assessment on own premises
• internal audit yearly, with additional audits for cloud provider license renewals
• periodic audits by ECB every 4-5 years, covering all aspects of bank security
• audits occur annually
Q2: What are the “pain points” of your current audit process?
The pilot partners mentioned similar “pain points” that they must deal with during the audit
preparation phase, as presented in Table 7. Pain points mentioned are that i) the audit
preparation phase is a very costly process as it involves consultancy from outside, and many
people and departments from inside, ii) it is a very time-consuming process to show evidence
for all requirements necessary for the respective audit, and iii) it needs manual verification of
extensive documents.
4.2.1.2 Workflow Representation of the Process without EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow
representation. This representation was discussed with the colleagues from IONOS, to
investigate if the workflow representation is correct. After some minor improvements, the
resulting workflow process is presented in Figure 3.
• Phase 1 – Preparation (Figure 3, Phase 1):
  o Landscape preparation: CM prepares the system landscape for setting up the audit preparation process.
  o Change management: CM initiates the change management and uses the established internal control system including a spreadsheet.
• Phase 2 – Documentation (Figure 3, Phase 2):
  o Documentation: In the second step, the CM needs to ensure that all mandatory documents as well as the system descriptions are up to date.
• Phase 3 – Management of Controls (Figure 3, Phase 3):
  o Security policies and controls: CM organizes all security policies with controls.
  o Spreadsheet creation: CM manages the controls in a spreadsheet. The spreadsheet consists of information such as: controls; control frequency; type of control; responsible person for the control; evidence we need to show that it has been implemented.
• Phase 4 – Audit Scope (Figure 3, Phase 4):
  o Audit scope: CM needs to keep the audit scope description up to date.
  o Control checking: CM checks the status of the controls and escalates if the evidence reported is insufficient or not prepared in time.
• Phase 5 – Audit Setup (Figure 3, Phase 5):
  o Audit setup: The Event Manager sets up the audit and decides on the audit team (external notified body).
  o Renew contract: After deciding for an audit, the IONOS team updates the contract with the auditors. If the audit is against BSI C5, there needs to be a certificate confirming no conflicts of interest (both sides).
  o Set practicalities: Audit dates, scope and parameters are set and need to be agreed to. Also, the individual audit plan must be agreed to.
Figure 2. IONOS – Simple process representation without EMERALD support
  o Report creation: Reports must be created: including an internal control system with all established controls and the mapping to BSI C5 criteria.
  o Hand over report: Reports must be handed over to the auditors at the beginning of the audit.
Figure 3. IONOS – Workflow Representation without EMERALD support
4.2.1.3 Simple Process with EMERALD support
For each of the five phases mentioned above in the IONOS audit preparation process, we have
derived some ideas on how the audit preparation process for cloud solutions at IONOS could be
supported by the EMERALD UI, as shown in Figure 4.
• Phase 1 – Preparation (Figure 4, Phase 1):
  o Set up controls: The CM can use EMERALD to support the preparation process by getting the list with all controls.
• Phase 2 – Documentation (Figure 4, Phase 2):
  o Upload documents: The CM can upload all relevant and updated documents into the EMERALD UI.
  o Extract evidence: EMERALD can help extract evidence from the documents and map them to the controls.
  o Visualisation of Controls/Metrics and Evidence: EMERALD UI/UX provides a table showing the controls/metrics and the found evidence and links to the respective documents.
• Phase 3 – Management of Controls (Figure 4, Phase 3):
  o List of controls: EMERALD provides the list of the controls to the CM.
  o Management of controls: The CM can use EMERALD to manage the controls; assign responsible people to a control; add documentation, and keep track of the evidence; etc.
• Phase 4 – Audit Scope (Figure 4, Phase 4): EMERALD can help to keep the audit scope up-to-date.
• Phase 5 – Audit Setup (Figure 4, Phase 5):
  o Reporting: EMERALD can support preparing and printing out the reports (e.g., different formats, different content) that need to be handed over to the auditors at the beginning of the audit.
Figure 4. IONOS – Simple process representation with EMERALD support
4.2.1.4 Workflow Representation of the Process with EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow
representation. This representation was again discussed with the colleagues from IONOS, to
investigate if the workflow representation is correct. After some minor improvements, the
resulting workflow process is presented in Figure 5.
• Phase 1 – Preparation (Figure 5, Phase 1):
  o System landscape preparation: CM prepares the system landscape for the audit.
  o CM initiates change management: CM uses the established internal control system (including spreadsheet) to initiate the change management.
  o Upload Controls: CM uploads the certification scheme, thus the extracted controls, into EMERALD.
  o EMERALD: EMERALD makes all controls available.
  o EMERALD: EMERALD automatically assigns metrics to controls.
• Phase 2 – Documentation (Figure 5, Phase 2):
  o Check Metrics: CM goes through all automatically assigned metrics of a control.
  o Metric Check not ok: CM checks all metrics and changes them where needed.
  o Metric Check ok: CM continues in the process.
• Phase 3 – Management of Controls (Figure 5, Phase 3):
  o Set up target of evaluation: New target of evaluation needs to be set up and the appropriate evidence extractors need to be installed. There, the CM can upload the policy documents in EMERALD.
  o The CM sets up the audit scope using the created target of evaluation in EMERALD.
  o EMERALD automatically extracts metrics-related data/information from the documents and makes the assessment results available to the CM.
  o Managing Controls: CM can manage all controls in EMERALD.
  o Filtering Controls: CM can filter for all controls that are still marked as “open” and manually check the assessment results.
  o Check for next open Control: If a next open control exists, the CM checks the control and its assessment results / evidence.
  o Check Assessment Result: If the check is ok, based on the available assessment results, CM can set the control / metric in EMERALD to compliant.
  o Check Assessment Result: If the check is not ok, CM/Person assigns control/metric to a person or a department. The person checks the assessment results of the assigned control/metric provided in EMERALD.
  o Check Assessment Result (by Person): If the check is ok based on the available assessment results, the person can set a control/metric to compliant in EMERALD.
  o Check Assessment Result (by Person): If the check is not ok, but the person knows how to solve it, the person implements the metric and sets the metric/control in EMERALD to compliant.
  o In both cases, the person assigns the control/metric back to the CM.
  o All Controls Checked: After the CM has checked all controls/metrics and documents, the CM consolidates everything for the audit.
• Phase 4 – Audit Scope Management (Figure 5, Phase 4):
  o Keep Audit Scope Up-to-date: CM needs to keep the audit scope description up-to-date.
  o Check Audit Scope Reporting: CM checks the reporting and escalates if the evidence reported is insufficient or not prepared in time with the help of EMERALD.
• Phase 5 – Audit Setup (Figure 5, Phase 5):
  o Set up Audit: The Event Manager sets up the audit and decides for the audit team (external company).
  o Renew Contract: After deciding for an audit team, IONOS needs to update the contract with the auditors. If the audit is against BSI C5, there needs to be a certificate confirming no conflicts of interest (both sides).
  o Set Practicalities: Audit dates, scope and parameters are set and need to be agreed upon. Also, the individual audit plan must be agreed to. The decision needs to be made on whether EMERALD can be used during the audit.
  o Use EMERALD: If it is agreed to that the audit can be conducted with the support of EMERALD, it can be used to evaluate controls/metrics, assessment results and documents.
  o Use EMERALD: If it is not agreed to that the audit can be conducted with the support of EMERALD, all evidence must be handed over to the auditors at the beginning of the audit; this includes the internal control system with all established controls, evidence and the mapping to BSI C5 criteria.
Figure 5. IONOS – Workflow Representation with EMERALD support
4.2.2 Pilot 2: CloudFerro (CF)
We conducted two interviews with CloudFerro employees: one with a compliance manager and
one with a security manager. Afterwards, we conducted a focus group with CloudFerro to
validate our findings regarding the processes with them. From these discussions the simple
process of how to prepare for an audit was derived. Figure 6 presents the simple process of an
audit preparation process as it is now, while Figure 8 presents the simple process enhanced with
the EMERALD support.
After having transferred the simple process into the workflow representation, we conducted a
workshop with an employee from CloudFerro to discuss the workflow representation and to
adapt it – if necessary. The CF workflow representation of the current audit preparation process
without EMERALD support is presented in Figure 7, and the workflow representation with
EMERALD support is presented in Figure 9.
In the following we present the simple process and the corresponding workflow presentation
covering the audit preparation processes as they are now. Then we present the simple process
and the elaborated workflow representation as they would look like using the EMERALD
solution.
4.2.2.1 Simple Process without EMERALD support
The simple process without EMERALD support consists of the following four phases:
• Phase 1 – Starting with analysis (Figure 6, Phase 1): In phase 1, the responsible person starts with a coordination check and contacts the certification board. The audit preparation process differs a bit depending on whether the audit preparation is done for a new certification scheme, for an existing certification scheme that was updated, or for checking the current certification scheme. If a new certification scheme is added, more work is needed to fulfil all controls. If a certification scheme was updated, they check which controls were updated and which are new. Their goal is to implement as many controls as possible in the most efficient way.
• Phase 2 – Standard (Figure 6, Phase 2): In phase 2, the responsible person deals with the respective certification scheme to be prepared. They buy either the new standard or organize the updated standard. They go very carefully through the respective standard and elicit either all controls from the new standard or only the new and updated controls from the updated standard.
• Phase 3 – Check with documentation (Figure 6, Phase 3): All controls need to be clarified on how to deal with them if they need to be implemented (technically), if respective documents need to be updated, etc. Where necessary, other departments or individuals will be contacted to help clarify controls.
• Phase 4 – Identify gaps (Figure 6, Phase 4): In this phase, all existing gaps are identified to manage open controls and discuss how to deal with them.
4.2.2.2 Workflow Representation of the Process without EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow representation. This representation was again discussed with the colleagues from CloudFerro, to investigate if the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 7.
• Phase 1 – Starting with analysis (Figure 7, Phase 1):
o Coordination check and standard: In the first phase, the CM does a coordination check and gets in contact with the certification board. Additionally, the CM checks the new or updated standard.
• Phase 2 – Standard (Scheme) (Figure 7, Phase 2):
o Standard (scheme): Depending if the CM has to deal with the same standard as in the last audit, an updated version of the standard or a new standard, the CM needs to do different activities:
▪ Same standard: No activities are required here.
▪ Updated standard: CM needs to check for the new or updated controls in the standard.
▪ New standard: CM needs to buy the new standard and get familiar with it. The CM has to extract all controls from the new standard.
• Phase 3 – Check with documentation (Figure 7, Phase 3):
o Check documentation: The CM needs to check back the new or updated controls with the corresponding documents. The CM makes sure to find the exact information to fulfil the controls. The CM writes down their responses to each control and makes sure to provide the documentation and provide links to their solution.
o Contact colleagues: As a CM does not always have all detailed domain knowledge about all controls, the CM contacts colleagues and/or departments to clarify the new or updated controls.
• Phase 4 – Identify gaps (Figure 7, Phase 4):
o Identify gaps: The CM and their colleagues identify gaps in the documentation and try to implement as much of the new/updated control as possible.
Figure 6. CloudFerro – Simple process representation without EMERALD support
• Phase 5 – Managing controls (Figure 7, Phase 5):
o Spreadsheet or word document: Depending on the standard, the CM creates a spreadsheet or a word document in which all controls are managed. The CM creates new controls or updates existing controls and their progress of implementation.
o Organizational and technical controls: For organizational controls, the CM checks if in some of their documents something is written about the control. Depending on the text found, the CM must decide: i) if the written text is ok, then nothing needs to be done; ii) if the written text needs to be updated in line with the control; or iii) if there is no written text referring to the control, then the text needs to be written. For the technical controls, the CM relies on best practices and the company’s CI/CD to initiate the required implementation (software updates, implementation of security tools, configuration changes...).
o Final check: Finally, the CM needs to consolidate everything for the audit. Afterwards the CM plans the audit with an external notified body and clarifies the details including the date, the audit scope, the target of evaluation, and other logistics.
Figure 11. Fabasoft – Workflow Representation without EMERALD support
4.2.3.3 Simple Process with EMERALD support
For each of the three phases mentioned above in the Fabasoft audit preparation process, we have derived some ideas on how the audit preparation process for cloud solutions at Fabasoft could be supported by the EMERALD UI, as shown in Figure 12.
• Phase 1 – Set-up Mapping (Figure 12, Phase 1): EMERALD can support the compliance manager with the following tasks for setting up the mapping:
o Control overview: EMERALD can create a list with all controls of the respective certification scheme for the upcoming audit.
o Control metrics: EMERALD can provide the possibility to set the respective metrics for all controls.
o Control status: EMERALD can show the status of each control on two levels – compliance level and status level.
• Phase 2 – Set-up (Figure 12, Phase 2): EMERALD can support the compliance manager with the following tasks:
o Filtering: EMERALD allows to filter for controls that need further input.
o Add notes: EMERALD allows to add notes to a control e.g., suggestions on how a control could be addressed.
o Assigning controls: EMERALD allows to assign controls to departments or individuals and vice versa, controls can be assigned back to the compliance manager.
• Phase 3 – Verification (Figure 12, Phase 3): EMERALD can support the compliance manager and the other departments with the following tasks during the verification phase:
o Verification by departments or individuals: EMERALD allows the respective departments or individuals to verify the controls.
o Verification by the compliance managers: EMERALD allows the compliance manager to mark the respective controls as ready for being used in an audit.
4.2.3.4 Workflow Representation of the Process with EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow representation. This representation was again discussed with the colleagues from Fabasoft, to investigate, if the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 13.
• Phase 1 – Set-up Mapping (Figure 13, Phase 1): EMERALD can support the compliance manager with the following tasks for setting up the mapping:
o Set up the certification scheme: Using EMERALD, the CM can either upload a new certification scheme or use an existing scheme that is available in EMERALD. EMERALD makes the scheme and all respective controls available and automatically assigns metrics to the controls.
Figure 12. Fabasoft – Simple process representation with EMERALD support
o Check metrics: The CM uses EMERALD to check all suggested metrics that were assigned to a control and can decide if the metrics are ok or need to be changed.
o Set up target of evaluation: After having set up the scheme and assigned to each control the respective metrics, the CM sets up a target of evaluation. Additionally, the CM can (with the help of the IT department) set up the respective evidence extractors (e.g., AI-SEC, AMOE, Clouditor Discovery, Codyze, eknows-e3).
o Set up Audit Scope: Finally, the CM creates a new audit scope in EMERALD using the newly created target of evaluation and the respective certification scheme, including its controls and metrics.
• Phase 2 – Mapping (Figure 13, Phase 1): In the mapping phase, EMERALD can support the compliance manager with the following tasks:
o Automatic evidence extraction: EMERALD tries to automatically extract evidence for all controls and their metrics. The EMERALD UI presents a list of all controls and metrics and the extracted assessment results from the evidence extractors.
o Filter controls: The CM can filter for all controls and metrics and check manually all assessment results.
o CM checks non-compliant controls/open metrics: Especially for those controls or metrics that are non-compliant or open, the CM needs to decide what to do. First, the CM checks the assessment results. Depending on the assessment results and depending on the CM's domain knowledge, the CM has two options: i) the CM can decide for a control that the assessment results (or at least one assessment result) of metric(s) are ok and change the metric status to ok; ii) the CM can assign the control or metric to another person or department.
o Person checks non-compliant controls/open metrics: If a CM assigns a control or metric to an individual, that person must review the corresponding assessment results. This person has three possible courses of action:
▪ If the person possesses the necessary domain knowledge, they verify the accuracy of at least one of the provided assessment results, mark the control as compliant or the metric as done, and return it to the CM.
▪ If the person can implement the metric’s measurement, the person proceeds with the implementation, documents the actions taken, and then reassigns the control or metric to the CM.
▪ If the person lacks the expertise to implement the control or metric, the person either returns it to the CM or forwards it to another individual who might have the required knowledge. Ultimately, all controls should be reassigned to the CM.
• Phase 3 – Verification (Figure 13, Phase 3): EMERALD can support the compliance manager and the other departments with the following tasks during the verification phase:
o Validity check: In the final phase of the process, the CM does a validity check, thus, a final check that all respective controls are compliant.
o Filter for controls: To do so the CM goes through all controls again, checks all controls especially those that have been assigned back to the CM or need more discussions.
Figure 13. Fabasoft - Workflow Representation with EMERALD support
4.2.4 Pilot 4: CaixaBank (CXB)
With CXB, we conducted a written interview with compliance managers. Additionally, after having analysed the results, we conducted a focus group with the responsible compliance manager and the project manager on behalf of CXB for EMERALD to get input and feedback about the derived simple processes. Figure 14 presents the current simple process of an audit preparation process referring to a cloud service provider where CXB is a customer, while Figure 16 presents the simple process enhanced with the EMERALD support.
After having transformed the simple process representation into a workflow representation, we conducted a workshop with the CXB colleagues to validate the processes. Figure 15 presents the derived workflow representation of the simple process as it is now, and Figure 17 presents the workflow representation with EMERALD support.
First, we present the simple process and the corresponding workflow presentation covering the processes as they are now. Then, we present the simple process and the elaborated workflow representation as it would look like using the EMERALD solution.
4.2.4.1 Simple Process without EMERALD support
The simple process without EMERALD support consists of the following five phases:
• Phase 1 – Initiation (Figure 14, Phase 1): The service owner (SO) of CXB initiates the information acquisition from a cloud service provider (CSP) with the help of the questionnaire. When having received the filled in questionnaire from the CSP, the CM determines alignment with predefined parameters provided by the CSP.
• Phase 2 – Risk Gathering (Figure 14, Phase 2): The service provider (SP) gathers the UNED Service Risk Information. Based on this information, the SO issues the security questionnaire to the CSP to collect detailed information about their data handling and data processing.
• Phase 3 – Matrix Creation (Figure 14, Phase 3): With the help of the information collected from the second questionnaire, the CM generates the control & evidence matrix for managing the CSP's controls. Then the CM asks the CSP to submit the evidence of compliance for the identified controls to CXB.
• Phase 4 – Risk Analysis (Figure 14, Phase 4): Based on the evidence received, the CM conducts a risk analysis and control evaluation to assess residual risks. If the risk of an evidence or a control is too high, the CM develops remediation plans to explore alternative solutions. If the risk of evidence is acceptable, the CM performs a continuous monitoring and periodic re-evaluation of the controls, and the evidence assigned.
• Phase 5 – Reporting (Figure 14, Phase 5): In this phase different reports are created:
o Audit Report: outlines areas of compliance and non-compliance.
o Track Record of Evidence: includes documentation provided by the CSP, results of risk analysis, evidence of the implementation of controls.
o Compliance Status: documents the compliance of the service with standards, regulations and risk thresholds of CaixaBank.
o Re-evaluation: provides the documentation of ongoing monitoring and periodic re-evaluation process.
4.2.4.2 Workflow Representation of the Process without EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow representation. This representation was again discussed with the colleagues from CXB, to investigate if the workflow representation is correct. After some improvements, the resulting workflow process is presented in Figure 15.
• Phase 1 – Initiation (Figure 15, Phase 1):
o Initiating the process: The Service Owner is initiating the acquisition of information from a third-party cloud service provider by sending out a questionnaire.
o Governance and compliance review: When having received the filled in questionnaire from the CSP, the CM reviews the governance and compliance information to determine its alignment with predefined parameters, considering data types and processing locations provided by the CSP.
• Phase 2 – Risk Gathering (Figure 15, Phase 2):
o Risk gathering: The CSP needs to gather the service risk information focusing on various risk taxonomies like legal, business continuity, IT, and security.
o Security questionnaire: The SO issues the security questionnaire to the CSP to gather detailed information about their data handling practices, including the types of information processed, data processing locations, and handling methods. This questionnaire is designed to assess the provider’s compliance with specific security controls.
• Phase 3 – Matrix Creation (Figure 15, Phase 3):
o Control-evidence matrix: The CM generates a control and evidence matrix based on the service type and the information provided in the security questionnaire. The control matrix, which is predefined, is then sent to the CSP.
o The CSP provides evidence of compliance for the identified controls, such as security certifications and policies.
• Phase 4 – Risk Analysis (Figure 15, Phase 4):
o Based on the evidence received, the CM conducts a risk analysis and control evaluation to assess residual risks against the acceptable threshold. Depending on the risk assessment, the following options are possible (two options for risks above the threshold):
Figure 14. CaixaBank – Simple process representation without EMERALD support
▪ Risks too high (above threshold): The CSP needs to develop remediation plans and explore alternative solutions.
▪ Risks too high (above threshold): The CSP needs to send other solutions or means to mitigate the risk.
▪ Risk acceptable: The CM continues the monitoring and periodic re-evaluation of the controls and their evidence to ensure continued compliance and address any changes as needed.
• Phase 5 – Reporting (Figure 15, Phase 5): In this phase the different types of reports are created:
o Audit Report: This document compiled by auditors summarizes the findings of the audit process. It outlines areas of compliance and identifies any non-compliance issues.
o Track Record of Evidence: A comprehensive record of evidence is gathered and maintained. This evidence includes documentation provided by the service provider, results of risk analysis, evidence of controls.
o Compliance Status: The audit process results in a determination of the compliance status of the service in question. It indicates whether the service meets the established standards, regulations, and risk threshold.
o Categorization of the Service: The outcome also includes documentation of the ongoing monitoring and periodic re-evaluation process. This ensures that compliance is maintained over time and that any changes or updates are addressed promptly.
Figure 15. CaixaBank – Workflow Representation without EMERALD support
4.2.4.3 Simple Process with EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow representation. This representation was again discussed with the colleagues from CXB, to investigate, if the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 16.
• Phase 1 – Initiation (Figure 16, Phase 1): This phase is out of the scope of EMERALD.
• Phase 2 – Risk Gathering (Figure 16, Phase 2): This phase is out of the scope of EMERALD.
• Phase 3 – Matrix Creation (Figure 16, Phase 3): EMERALD can provide support by creating the controls and evidence matrix. Additionally, EMERALD can provide support by providing a possibility of managing customized security schemes.
• Phase 4 – Risk Analysis (Figure 16, Phase 4): The CSP can use EMERALD to provide evidence for the controls to the CM of CXB. The CM can then use EMERALD as a baseline to do the risk analysis.
• Phase 5 – Reporting (Figure 16, Phase 5): The EMERALD UI could help with the creation of some reports such as the outcome of an audit (overview of controls and evidence), tracking the record of evidence, compliance state of controls and evidence and re-evaluation.
4.2.4.4 Workflow Representation of the Process with EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow representation. This representation was again discussed with the colleagues from CXB, to investigate, if the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 17.
• Phase 1 – Initiation (Figure 17, Phase 1): This phase is out of the scope of EMERALD.
o Initiating the Process: The Service Owner initiates the acquisition of information from a third-party cloud service provider by sending out a questionnaire.
o When having received the filled-in questionnaire from the CSP, the CM reviews the governance and compliance information to determine its alignment with predefined parameters, considering data types and processing locations provided by the CSP.
• Phase 2 – Risk Gathering (Figure 17, Phase 2): This phase is out of the scope of EMERALD.
o Risk Gathering: The service provider (SP) needs to gather the service risk information focusing on various risk taxonomies like legal, business continuity, IT, and security.
o Security Questionnaire: The SO issues the security questionnaire to the cloud service provider to gather detailed information about their data handling practices, including the types of information processed, data processing locations, and handling methods. This questionnaire is designed to assess the providers’ compliance with specific security controls.
Figure 16. CaixaBank – Simple process representation with EMERALD support
• Phase 3 – Matrix Creation (Figure 17, Phase 3):
o Define Own Certification Scheme: In EMERALD, CXB can define their own certification scheme based on the answers provided by the questionnaire from the CSPs – using existing controls from different schemes and defining their own controls.
o Replace Control and Evidence Matrix: By setting up an audit scope with a target of evaluation and with the new certification scheme, EMERALD can replace the CXB control and evidence matrix.
o Provide Access to EMERALD: The service owner provides the CSP access to EMERALD instance, and they set up the EMERALD evidence extractors.
o Automatic Evidence Extraction: EMERALD tries to extract evidence for all controls and their metrics automatically.
o List of Controls and Assessment Results: EMERALD provides a list of all controls and their respective assessment results and the CSP can ensure that everything is set up.
o CSP informs CXB: CSP informs the service owner that everything is set up and the service owner informs the compliance manager.
• Phase 4 – Risk Analysis (Figure 17, Phase 4):
o Check Controls and Assessment Results: CM checks the controls and their assessment results / evidence in EMERALD.
o Risk Analysis & Control Evaluation: The evidence provided undergoes a risk analysis & control evaluation to assess residual risk against the acceptable threshold. Depending on the risk assessment, the following options exist (two options for risks above the threshold):
▪ Risks too high (above threshold): The CSP needs to develop remediation plans and explore alternative solutions.
▪ Risks too high (above threshold): The CSP needs to send other solutions or means to mitigate the risk.
▪ Risk acceptable: The CM continues the monitoring and periodic re-evaluation of the controls and their evidence to ensure continued compliance and addresses any changes as needed.
• Phase 5 – Reporting (Figure 17, Phase 5): In this phase different types of reports are created, where EMERALD might support the report creation:
o Audit Report: This document compiled by auditors summarizes the findings of the audit process. It outlines areas of compliance and identifies any non-compliance issues.
o Track Record of Evidence: A comprehensive record of evidence is gathered and maintained. This evidence includes documentation provided by the service provider, results of risk analysis, evidence of controls implementation.
o Compliance Status: The audit process results in a determination of the compliance status of the service in question. The compliance status indicates whether the service meets the established standards, regulations, and risk threshold.
o Categorization of the Service: The outcome also includes documentation of the ongoing monitoring and periodic re-evaluation process. This ensures that compliance is maintained over time and that any changes or updates are addressed promptly.
4.2.5.4 Workflow Representation of the Process with EMERALD support
In the next step, we transferred the simple process representation into a detailed workflow representation. This representation was again discussed with the colleagues from NIXU/DNV, to investigate, if the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 21.
• Phase 1: Initiating and Preparation (Figure 21, Phase 1):
o Audit scope: The auditor and the customer define the audit scope together.
o Documentation & self-assessment form: The auditor asks the customer for documentation and a filled-in self-assessment form.
o EMERALD support: The EMERALD UI can provide the policy documents (if uploaded in EMERALD) and the self-assessment form. Both can be accessed by the auditors.
• Phase 2: Audit Activities & Phase 3: Technical Testing/Validation (Figure 21, Phase 2 & 3):
o Audit meeting: The auditors open the meeting and set up the practicalities and logistics. The auditors review the documentation. The auditors can use EMERALD to check the different assessment results of all controls.
o Check controls: The auditors need to check all technical and organisational controls.
▪ Audit scope: Auditors can use EMERALD to review the organisational and technical controls and their fulfilment regarding the standard in the respective “Audit scope”. The auditor can review the (organisational) documentation using EMERALD. The technical auditor can use EMERALD to review the technical assessment results.
▪ Certification scheme: Auditors can use EMERALD to validate the metrics set for the controls of a scheme. It provides an overview of the controls, and the metrics assigned to them. “Security Center” → “Certification Schemes”
▪ Self-assessment form: EMERALD provides a self-assessment questionnaire for EUCS, which the customers fill in. Auditors can access this questionnaire to simplify the audit process.
o Auditor conducts workshops on the customers’ side to interact with the customer and use EMERALD as a baseline.
• Phase 4: Reporting (Figure 21, Phase 4):
o Report: After the auditors have completed the audit, they compile their findings into a report. The report includes details about the audit process, the scope, findings, observations, recommendations, and any non-conformities identified during the audit. Such a report is only accessible by auditors with the appropriate security clearance.
Figure 20. NIXU/DNV – Simple process representation with EMERALD support
o Report generation with EMERALD: Auditors can use EMERALD to create the report. EMERALD provides different reports according to the selected certification scheme; reports should be generated in different formats such as .xlsx, docx or pdf.
• Phase 5: Closing the meeting (Figure 21 and Figure 19, Phase 5):
o Closing meeting: The auditors hold a closing meeting with the customers to discuss the audit findings. This meeting provides an opportunity for clarifications, discussions about non-conformities, and agreeing on any necessary corrective actions. The auditors can use EMERALD to guide the discussions about the individual controls and assessment results.
• Phase 6: Certificate (Figure 21, Phase 6):
o Certification: Depending on the audit criteria and standard and if all controls have been met, the auditors may grant a certificate of compliance. EMERALD does not support this step.
Figure 21. NIXU/DNV - Workflow Representation with EMERALD support
4.2.6 Compliance Manager (NIXU/DNV)
We conducted an interview with a compliance manager from NIXU/DNV which was organised by the NIXU/DNV EMERALD project manager. Additionally, after having analysed the results, we conducted a focus group with the responsible compliance manager and the NIXU/DNV EMERALD project manager to get input and feedback about the derived simple processes. Figure 22 presents the simple process of an audit preparation process as it is now, while Figure 24 presents the simple process enhanced with the EMERALD support.
After having transformed the simple process representation into a workshop representation without and with EMERALD support, we conducted a workshop with the NIXU/DNV colleagues to validate the processes. Figure 23 presents the derived workflow representation of the simple process as it is now, and Figure 25 presents the workflow representation with EMERALD support.
We first present the simple process and the corresponding workflow presentation covering the processes as they are now. Then, we present the simple process and the elaborated workflow representation as it would look like using the EMERALD solution.
4.2.6.1 Simple Process without EMERALD Support
The simple process without EMERALD support consists of the following five phases:
• Phase 1 - Preparation and Setup (Figure 22, Phase 1): Phase 1 is the setup, including establishing the compliance framework, setting up the continuous compliance monitoring process, and informing all relevant stakeholders.
• Phase 2 - Monitoring and Identification (Figure 22, Phase 2): In this phase, the continuous monitoring and identification of the controls and the respective evidence should take place. If some deviations or non-conformities are identified, the relevant stakeholders need to be informed.
• Phase 3 - Evaluation & Decision Making (Figure 22, Phase 3): In this phase, identified deviations or non-conformities need to be evaluated, and a decision must be taken if and how corrective actions will be taken.
• Phase 4 - Corrective Action Planning & Implementation (Figure 22, Phase 4): If it has been decided to take corrective actions, these actions must be planned, pursued, and implemented.
• Phase 5 – Reporting (Figure 22, Phase 5): In this phase, all activities done regarding the controls and their evidence, as well as all information related to corrective actions, need to be summarised in reports to be available for the audit.
Figure 22. NIXU/DNV CM – Simple process representation without EMERALD support
4.2.6.2 Workflow Representation of the Process without EMERALD Support
In the next step, we transferred the simple process representation into a detailed workflow representation. While the workflow follows a continuous compliance management process with a loop, the loop itself is not explicitly depicted in the representation. This representation was again discussed with the colleagues from NIXU/DNV, to investigate if the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 23.
• Phase 1 - Preparation & Setup (Figure 23, Phase 1):
o Stakeholder Engagement: The CM identifies key stakeholders, including technical architects, security managers, and compliance managers, and establishes regular meeting schedules for setting up the audit preparation process.
o Controls: The CM identifies external and internal requirements to select suitable compliance frameworks in relation to the cloud service that will be audited.
o Establish Compliance Frameworks: The CM determines the compliance frameworks relevant to the organisation, e.g. ISO 27001, SOC, and GDPR.
o Continuous Compliance Monitoring Setup: The CM sets up all respective systems and the governance model for continuous monitoring of the compliance status, including tools and dashboards, etc.
• Phase 2 - Monitoring and Identification (Figure 23, Phase 2):
o Continuous Monitoring: The CM collects reports and dashboard information regularly to monitor compliance status against established frameworks.
o Deviation Identification: The CM uses tools and dashboards (e.g., Excel for tracking, manual processes, leverage specialized compliance monitoring tools like Azure’s internal tools⁶) to identify deviations from compliance controls.
• Phase 3 - Evaluation & Decision Making (Figure 23, Phase 3):
o Deviation Evaluation: The CM evaluates identified deviations to determine their acceptability or if corrective actions are required.
o Exception Management and Risk Identification: Exception and risk management are closely connected and iterated processes.
o Exception Management: Setting exceptions - when during evaluation something is found to be not compliant but might be acceptable in a specific environment or under distinctive conditions and thus, no corrective actions are needed here, exceptions are defined and set.
o Risk Identification: For each identified exception, the risk is assessed and is either accepted and reported or corrective steps will be taken.
• Phase 4 - Corrective Action Planning & Implementation (Figure 23, Phase 4):
o Corrective Action Planning: The CM plans corrective actions for identified deviations and assigns responsibilities to relevant personnel.
o Corrective Action Implementation: The CM and the relevant personnel implement corrective actions and address technical issues and policy-related concerns.
• Phase 5 – Reporting (Figure 23, Phase 5):
o Compliance Trend Development: The CM pursues the compliance trend development of the controls and does manual reporting.
o Documentation and Reporting: The CM summarises discussions and reviews information before presenting it in the respective audits.
⁶ https://azure.microsoft.com/
Figure 23. NIXU/DNV CM – Workflow Representation without EMERALD support
4.2.6.3 Simple Process with EMERALD Support
For each of the five phases mentioned above in the simple process of the audit preparation, we have derived some ideas on how the audit preparation process for cloud solutions could be supported by the EMERALD UI, as shown in Figure 24.
• Phase 1 - Preparation & Setup (Figure 24, Step 1): EMERALD can provide support for the following tasks:
o Setup: EMERALD can support the setup of the respective compliance framework, standards, or certification schemes.
o Cloud service: EMERALD can support the selection of the cloud solution to be audited.
o Continuous monitoring setup: EMERALD can support the definition of specific parameters for the continuous monitoring of controls and evidence.
o Tasks: EMERALD can support task management throughout the audit preparation process.
• Phase 2 - Monitoring and Identification & Phase 3 - Evaluation & Decision Making (Figure 24, Step 2 – Step 3): EMERALD can provide support for the following tasks:
o Continuous monitoring: EMERALD can help to support continuous monitoring of the cloud service according to different parameters. The EMERALD UI should provide a dashboard that integrates data from different targets of evaluation to have all data and critical deviations in one glance. Thereby, EMERALD should show possible deviations or non-conformities found.
o Log historical data (e.g., when was a deviation, how was this solved, etc.): Additionally, the EMERALD UI should provide activity log data in the form of a history to make all changes to controls or metrics visible, traceable and transparent.
• Phase 4 - Corrective Action Planning & Implementation (Figure 24, Step 4): EMERALD can provide support for the following tasks:
o Corrective action management: EMERALD should allow the possibility of noting down decisions made regarding the implementation of corrective actions. This includes, for example, having a list of pending tasks that allows to plan and follow up the implementation of the corrective actions.
o History: EMERALD can collect, save and visualise a history log file of all tasks and activities performed within the EMERALD UI.
• Phase 5 – Reporting (Figure 24, Step 5): EMERALD can provide support for the following tasks:
o Controls and evidence: EMERALD could offer the possibility to create a document covering all information about the controls and metrics and the respective assessment results and evidence.
o Support during audits: EMERALD could provide the possibility to download different types of reports to support the audit preparation process (e.g., different documents in different formats like Excel sheets, Word Files, etc.).
4.2.6.4 Workflow Representation of the Process with EMERALD support

In the next step, we transferred the simple process representation into a detailed workflow representation. While the workflow follows a continuous compliance management process with a loop, the loop itself is not explicitly depicted in the representation. This representation was again discussed with the colleagues from NIXU/DNV to investigate whether the workflow representation is correct. After some minor improvements, the resulting workflow process is presented in Figure 25.

• Phase 1 - Preparation & Setup (Figure 25, Step 1):
  o Stakeholder engagement: The CM identifies key stakeholders, including technical architects, security managers, and compliance managers, and establishes regular meeting schedules.
  o Controls: The CM identifies external and internal requirements to select suitable compliance frameworks in relation to the cloud service that will be audited.
  o Establish compliance frameworks: The CM determines the compliance frameworks relevant to the organisation, e.g., ISO 27001, SOC, and GDPR.
  o Continuous compliance monitoring setup: CM prepares and uploads the certification scheme or works with an existing scheme in EMERALD.
  o The EMERALD UI makes available all controls and automatically assigns metrics to controls.
• Phase 2 - Monitoring and Identification (Figure 25, Phase 2):
  o Continuous monitoring: CM collects reports and dashboard information regularly to monitor compliance status against established frameworks.
  o Deviation identification: CM sets up a target of evaluation and audit scope in EMERALD. CM uses the different views and functionalities of the EMERALD UI to access controls that are noncompliant.
  o EMERALD: EMERALD tries to automatically extract evidence for all controls and their metrics.
  o EMERALD: EMERALD provides a list of all controls, metrics, and the respective assessment results for each audit scope.
• Phase 3 - Evaluation and Decision Making & Phase 4 – Corrective Action Planning & Implementation (Figure 25, Phase 3 & 4):
  o Check controls: CM manually checks all assessment results of all controls and metrics in EMERALD and can filter for all controls that are still marked as “open”.
  o If all controls/metrics are compliant or not open anymore, the CM continues with Phase 5.
  o Check assessment results: The CM checks, for each control and metric, the assessment results/evidence in EMERALD.
Figure 24. NIXU/DNV CM – Simple process representation with EMERALD support
  o Deviation evaluation: The CM identifies deviations to determine their acceptability or if corrective actions are required. Depending on what is necessary, the CM either takes care of the exception and risk management or proceeds with the implementation of corrective actions.
  o Exception management and risk identification: Exception and risk management are closely connected and iterated processes.
    ▪ Exception management: Setting exceptions - when during evaluation something is found to be not compliant but might be acceptable in a specific environment or under distinctive conditions and thus, no corrective actions are needed here, exceptions are defined and set.
    ▪ Risk identification: For each identified exception, the risk is assessed and is either accepted and reported or corrective steps will be taken.
  o Corrective action planning:
    ▪ The CM plans corrective actions for the identified deviations.
    ▪ Corrective action planning: CM assigns controls or metrics to relevant personnel.
    ▪ Check assessment result: Assigned person checks the assessment results of the assigned control/metric provided in EMERALD.
    ▪ Corrective action implementation: The person implements the corrective actions, addressing technical issues and policy-related concerns accordingly.
    ▪ Person assigns the control/metric in EMERALD back to the CM.
• Phase 5 – Reporting (Figure 25, Phase 5):
  o Compliance trend development: The CM pursues the compliance trend development of the controls and does manual reporting.
  o Documentation and reporting: The CM summarizes discussions and reviews information before presenting it in the respective audits.
Figure 25. NIXU/DNV CM - Workflow Representation with EMERALD support
Figure 29. Overview of the three stakeholder groups and the respective personas
5.1 Riley – Cloud Service Provider Compliance Manager

The first persona – a cloud service provider compliance manager – was named Riley and is depicted in Figure 30.

• About Riley: Riley is 26 years old, single, reads mystery novels, and has a Maine Coon cat as a pet. Riley recently graduated and has started the first full-time position as a compliance manager. Riley’s responsibilities as a compliance analyst are organizing audits and managing the scheduling of different compliance schemes. Her/his overall goal is to gain experience as a compliance manager and grow to become a senior compliance manager.
• Tasks, Motivation, and Pains: Riley’s tasks consist of checking audit timelines, organizing and delegating tasks during audits, being the contact person for auditors, and reporting audit status internally. Riley’s goals are to support the company in being trustworthy, perfecting audit processes, being up to date with security standards, and performing tasks more efficiently. Pain points for Riley are the dependency on others to finish tasks timely, the lack of efficient audit tools, and the lack of understanding of complex certification frameworks.
• Contacts: Riley’s contacts are the managing board of the company, the chief information security manager, the financial department, developers, and as external contacts, the auditing companies and auditors.
• Work Context: EMERALD should help Riley with the day-to-day tasks by speeding up the work. For that, traceability and transparency of the work should be ensured. Further, process steps should be automated, and metrics, controls and evidence should be made reusable for upcoming audits. Simplifying the creation of audit reports would also help Riley in their day-to-day work.

Figure 31 summarizes Riley’s main characteristics in a “persona-on-the-go”.
Figure 30. Riley – Cloud Service Compliance Manager
5.1.1 Scenario A: Riley – Managing a New Audit Scope

In this scenario, Riley’s goal is to manage a new audit scope as shown in Figure 46 (in Section 10, APPENDIX B). From the C-Level Riley was informed that a new certification scheme for one of their cloud services needs to be used – namely BSI C5. Thus, they need to familiarize themselves with the new certification scheme and prepare the company for the new audit with the EMERALD solution. Therefore, Riley opens EMERALD and navigates to the Certification Schemes to upload a new certification scheme (EMERALD Components: MARI, RCM). Riley uses the Control Mapping function in EMERALD to find out which controls of the previously used EUCS map to controls offered by the new scheme BSI C5; additionally, the metrics of the corresponding controls in EUCS can be transferred. Riley also navigates to the Metrics Mapping to manually map metrics to controls. Then Riley sets up a target of evaluation, which includes a three-step description of the cloud solution, sets up all relevant EMERALD extractors and enables, if desired, the Trustworthiness System. Riley creates an audit scope with the newly created target of evaluation and certification scheme and checks the respective assessment results and evidence of the controls retrieved so far. Lastly, Riley uses the newly created audit scope to manage the new certification scheme of the selected cloud service.

5.1.2 Scenario B: Riley – Manage all Controls of an Audit Scope

In this scenario, Riley is part of an audit that will take place in two months to renew certificates regarding EUCS as shown in Figure 47 (see Section 10, APPENDIX B). Riley checks the respective audit scope in the EMERALD UI to identify if all controls of the scheme can be met with some evidence (technical or organisational). Riley can use filters to better understand the overall status of the controls. Riley knows that all controls marked with a green checkmark are compliant. Riley can open the respective control (Control Details View) to get more information about the available assessment results. Additionally, Riley can assign non-compliant controls directly to either a person or a department.
Figure 31. Persona-on-the-go of Riley – Cloud Service Compliance Manager
5.1.3 Scenario C: Riley – Uncover all “blind spots”

When preparing for an audit, Riley is responsible for ensuring that all controls are fulfilled and that there are no blind spots, as shown in Figure 48 (see Section 10, APPENDIX B). In the EMERALD UI all controls have an owner (initial creator of the audit scope) and a status (compliant / non-compliant). For further investigation Riley needs to distribute the non-compliant controls to a colleague or department by assigning them via the EMERALD UI to the respective control or metric. Any additional communication regarding a follow-up process and an escalation needs to be performed outside of EMERALD.

5.1.4 Scenario D: Riley – Updating a certification scheme

In this scenario, an audit will be conducted in five months to renew one of the certificates for EUCS. Because the EUCS has been updated since the last audit, Riley needs to investigate which of the controls have been changed or added (this will not be supported by EMERALD). Riley opens the EMERALD UI and uploads the new EUCS version as a new certification scheme and creates a new audit scope. In the Metrics Mapping Riley can check for each control the associated metrics. In the respective Audit Scope Overview Riley discovers controls that are non-compliant and need to be further dealt with. For this process Riley uses the EMERALD UI to assign the non-compliant controls to another department or colleague. The scenario was revised from the original version by the pilot partners as presented in Figure 32 to transparently reflect that the initial description was not fully supported by the EMERALD UI, while ensuring the core use case remains viable.

5.1.5 Scenario E: Riley – Accompanying an Audit

In this scenario, Riley is accompanying an audit. They are the most important contact person when an audit is taking place at the CSP as presented in Figure 49 (see Section 10, APPENDIX B). Riley is part of an audit team on the company’s site, to support the external auditors conducting the audit against a certain standard, e.g., EUCS or BSI C5, on the company’s premises. The lead auditor has already selected a big sample of controls that need to be checked during the audit. To ensure that the cloud system is compliant with the selected controls, Riley can present the individual evidence of the controls in the EMERALD UI to the lead auditor.
Figure 32. Riley – Updating a certification scheme
5.2 Emerson - Compliance Manager in Financial Service Institution

The second persona – a compliance manager in a financial service institution – was named Emerson and is depicted in Figure 33.

• About Emerson: Emerson is 35 years old and married, plays basketball, and has a rabbit as a pet. Emerson has 5 years of experience in the current position. The job description states that Emerson focuses on risk management of third-party cloud services, assesses controls based on risk and regulation, manages contractual agreements, and monitors compliance. Responsibilities include process supervision, evaluating and validating compliance with security measures, and managing data privacy security. The overall goal of Emerson is to ensure that all service providers are compliant with given standards.
• Tasks, Motivation and Pains: Emerson’s tasks consist of, among other things, the definition of the audit scheme including controls that must be fulfilled by the cloud service provider, and the assessment of provided evidence of respective controls. In that, goals are to ensure that all service providers comply with the current regulations and ensure safety by mitigating risks associated with audit requirements. Pain points in Emerson's day-to-day are that the communication with other departments is sometimes not fluid, tasks like verification of multiple pieces of evidence are not automated but must be done manually, and the management of a high volume of providers and their evidence is tough and time-consuming.
• Contacts: Emerson's workplace contacts are the cloud service management, IT, and legal teams.
• Work Context: EMERALD could help Emerson in the day-to-day tasks by providing a centralised point of evidence, metrics, and controls, and further by automating tedious processes and the management of numerous audits, thus minimizing human error and workload.

Figure 34 summarizes Emerson’s main characteristics in a “persona-on-the-go”.
Figure 33. Emerson – Compliance Manager in Financial Service Institution
5.2.1 Scenario: Emerson – Bring Your Own Certification Scheme

Generally, in this scenario Emerson’s goal would be to define their own certification scheme; thus, the new certification scheme should be a selection and combination of controls from other certification schemes ("Bring Your Own Certification Scheme - BYOCS" option) as presented in Figure 50 (see Section 10, APPENDIX B). Therefore, Emerson opens the view that allows to set up a new certification scheme and selects a set of controls from available certification schemes (e.g., EUCS, BSI C5). Their line manager then informs Emerson that Department X has decided to acquire a new cloud service provider - namely XYZ. Emerson creates an audit scope to manage cloud solutions and the corresponding BYOCS. Emerson opens EMERALD, selects the audit scope and the XYZ cloud solution to be audited, and uploads all relevant documents (links, etc.). Emerson’s task is to go through and check all controls, for which Emerson goes to the EMERALD UI. Emerson uses different EMERALD UI functionalities to filter the controls and uses different visualizations of the overall status of all controls to determine which controls need to be dealt with and which are already compliant.

5.3 Dylan – Internal Control Owner

The third persona – an internal control owner – was named Dylan and is depicted in Figure 35.

• About Dylan: Dylan is 45 years old, married, enjoys golf and has three cats and one snake as pets. Dylan's job experience entails ten years as a programmer and fifteen years as a team lead and product owner. Dylan's responsibilities as head of production service include leading a team and overseeing and planning product development and backend services. Regarding audits, Dylan's responsibility is to ensure that controls are addressed, and all evidence is collected. The overall goal is to have no non-compliance for all services.
• Tasks, Motivation and Pains: Dylan's tasks consist of defining metrics, collecting evidence for controls, and assigning and delegating control implementation to the team. In that, the goals are to increase transparency, traceability, and accessibility of evidence. Additional goals are to have no non-compliances and to ensure high security. Pain points are manual tasks that must be addressed in addition to the day-to-day activities, repetitive tasks, and the difficulty of tracking control distribution.

Figure 34. Persona-on-the-go of Emerson – Compliance Manager in financial services

• Contacts: Dylan's internal contacts in the company are other control owners, internal auditors, team members (especially implementers), and the compliance manager. Externally, Dylan gets in contact with auditors.
• Work Context: EMERALD could help Dylan in their day-to-day tasks by simply delegating tasks, providing an overview of assigned controls and displaying assessment results. Further help would come from tracking the progress of ongoing audits, the possibility of defining target values, and having evidence monitoring and extraction tools.

Figure 36 summarizes Dylan’s main characteristics in a “persona-on-the-go”.
Figure 35. Dylan – Internal Control Owner
5.3.1 Scenario: Dylan – Internal Control Owner Control Implementation

Overall, in this scenario Dylan opens the EMERALD UI, assesses a control that is still open and would like to delegate the implementation of this control to a colleague Y as presented in Figure 51 (see Section 10, APPENDIX B). Y selects a set of metrics that matches the controls, implements the control and informs Dylan via the EMERALD UI that the metric was implemented. Dylan checks whether the metric has been implemented correctly and meets the control.

5.4 Morgan – Technical Implementer

The fourth persona – a technical implementer (metric implementer, developers, etc.) – was named Morgan and is depicted in Figure 37.

• About Morgan: Morgan is 30 years old, single, a dog owner and enjoys gaming and ping pong. Morgan has been working in DevOps for ten years and their current responsibilities are as a DevOps Expert. Morgan’s overall goal is to improve traceability and transparency as well as to have a more structured approach to implementation.
• Tasks, Motivation and Pains: Morgan’s tasks, among others, include implementing metrics, deploying new cloud services, adjusting configurations to align with security policies, and setting up verification mechanisms for upgrades. Ensuring a structured approach to metric implementation, centralized reporting, and clear visibility into controls is crucial. Morgan’s focus is on early problem detection, maintaining traceability and ensuring transparency across all processes. Pain points include diverse tools for the evidence collectors, no overview of evidence, and impacts of system upgrades.
• Contacts: Morgan is solely communicating internally with the compliance manager, internal control owner and technical implementer as well as a technical auditor.
Figure 36. Persona-on-the-go of Dylan – Internal Control Owner
• Work Context: In Morgan’s daily activities, the EMERALD UI could enhance the workflow by offering a comprehensive to-do list, allowing Morgan to easily track which controls are assigned to them. It could also display an overview of metrics, including values, history, and status, with the ability to directly notify the compliance manager when a metric is successfully implemented. A central information hub would provide quick access to control statuses and would enable Morgan to review and reassess assigned controls, with the option to decline those out of scope. Additionally, the EMERALD UI could allow Morgan to check the status of certificates and evidence, ensuring all relevant information is easily accessible in one place.

Figure 38 summarizes Morgan’s main characteristics in a “persona-on-the-go”.
Figure 37. Morgan – Technical Implementer
5.4.1 Scenario A: Morgan – Checking Metrics and Evidence

In this scenario, Morgan is checking their assigned metrics as presented in Figure 52 (see Section 10, APPENDIX B). They begin by selecting an evidence extraction tool and verifying the accuracy of the target values for the specific metric. Additionally, they review the status of the evidence and controls associated with previously processed metrics. If everything is correct, Morgan notifies the compliance manager that the metrics have been successfully implemented. If issues arise, they return to the specific metrics to troubleshoot and debug.

5.4.2 Scenario B: Morgan – Removal of Metric

In this scenario, Morgan previously had to manually remove metrics and related scripts. With the EMERALD UI, manual removal of metrics is no longer necessary, though the underlying use case remains valid. Instead, EMERALD offers the Metrics Mapping function where metrics can be assigned and unassigned to a specific control. Due to this direct support in the EMERALD UI, compliance managers can now directly make these changes themselves when doing the mapping of metrics to controls. Thus, there is no need for Morgan to remove or adapt anything. For transparency and completeness, the scenario is still presented in its original form in Figure 39.
Figure 38. Persona-on-the-go of Morgan – Technical Implementer
5.7.2 Scenario B: Eero – Reporting

Eero reports back to the lead auditor with his findings. They identified all non-compliances and created an audit report where they document and translate all non-compliances (see Figure 59 in APPENDIX B: Original User Scenario Descriptions).
6 UI/UX Requirements (version 2)

All requirements for the EMERALD UI/UX were elicited during all activities (e.g. interviews, focus groups, workshops…) that have been conducted in WP4. The goal of the requirements is to collect all features and needs of the pilot partners and component owners to design and develop the EMERALD UI, resulting in 25 requirements overall. All requirements have been added to the common Git repository of the EMERALD project. Every requirement was described with the following fields: Requirement Id, short title, description, status, priority, component, source, type, related KR, related KPI, and validation acceptance criteria. Additionally, we added information about the current progress status of the requirements regarding the clickable prototype of the EMERALD UI. The progress status of the requirements regarding the implementation of the UI has been reported in D4.5 (M15) [25] and will be reported in D4.6 (M27).

The related key result and KPI of all the UI/UX requirements are:

• KR6: EMERALD UI/UX - User experience for complexity reduction: A user interaction concept and conducted studies to show what information each user needs in an audit process. The concept shall lead to a user interface (UI), which is tailored to the users’ needs during all stages of an audit and guides them through the process of identifying problems top-down – from high-level requirements down to specific implementation in documents (e.g., policies) or technical specifications [2].
• KPI 6.3: Provide a graphical user interface for role-based access to certification information content [2].

Table 13 provides an overview of all UI/UX requirements and the current progress regarding the implementation of the clickable prototype of the EMERALD UI.

All requirements that have been elicited before M9 have been presented using their full description in APPENDIX C: UI/UX Requirements elicited before M9. All newly elicited requirements since M9 are presented in Section 6.1.
Table 13. Status of the UI/UX requirements regarding the clickable prototype
| ID | Short title | Description | Progress |
|---|---|---|---|
| UIUX.01 | Landing Page | The landing page of the UI has to provide quick access to the following views: Audit Scope Creation View; MARI Tool View; Certification Schemes Manager View. | 95% - Addressed – waiting for feedback and input from all EMERALD partners |
| UIUX.02 | Audit Scope Creation View | There must be a view to create and save a new audit scope. This view allows to: set up a name for the audit scope; select one of the available targets of evaluation; select one of the available certification schemes; upload policy documents. The available targets of evaluation and certification schemes must be retrieved from the backend. Once the audit scope is saved, the policy documents must be uploaded to the backend. | 90% - Mostly addressed - maybe some minor changes to come |
| UIUX.03 | Controls Overview View | There must be a view where all the controls are presented. The controls must be fetched from the backend for the currently selected audit scope. For each control show: ID; Description; Category; Person or department to whom the control is currently assigned; Compliance. Compliance can be one of: Compliant; Non-compliant. | 80% - The control overview view is there; it still needs to be decided which status information will be shown. |
| UIUX.04 | Controls Overview View: Progress Indicators | On the Controls Overview View a chart must present the status and the compliance of the controls. | 80% - The chart in the control overview view is there, but it still needs to be decided what to exactly show there. |
| UIUX.05 | Controls Overview View: Filtering and Searching | It must be possible to filter the controls by each of the presented columns. It must also be possible to search for specific controls by entering either the ID or parts of the description. | 100% - Addressed |
| UIUX.06 | Policy Documents Manager View | There must be a view where users can manage (upload, remove) the policy documents. | 90% - Still some minor things to implement |
| UIUX.07 | Policy Documents Manager View: Metrics Selection | It should be possible to select one or more metrics per policy document. When extracting evidence from this document, the AMOE component should only consider the selected metrics. | 100% |
| UIUX.08 | Evidence Extractors View | There must be a view where users can see the status of the evidence extractors. This view must also allow to pause or enable existing ones. If one of the evidence extractors triggers an error, this should be presented here. | 95% - Addressed - maybe some minor changes to come |
| UIUX.09 | Control Detail View | There must be a view where the users can see all the details related to a single control. All the information available about the control should be listed here. | 95% - Mostly addressed – it needs to be decided which information about the control should be presented. |
| UIUX.10 | Control Detail View: Assignment | There must be an element, which the user can use to assign a control to another user or a department. | 95% - Addressed – maybe some minor changes to come. |
| UIUX.11 | Control Detail View: History | There must be a view, where the user can check the entire history of a control. | 75% - Mostly addressed – it needs to be decided which information should be displayed here. |
| UIUX.12 | Control Detail View: Evidence | There must be a view where the user can check the evidence gathered for the metrics of a control. | 80% - Work in progress |
| UIUX.13 | Control Detail View: Non-Compliance | There must be an explanation, why the current control is not compliant. | 80% - Work in progress |
| UIUX.14 | MARI Tool View | There must be a view, where the user can interact with the MARI tool. | 95% - Addressed – maybe some minor changes to come |
| UIUX.15 | Certification Schemes Manager View | There must be a view, where the user can see the available certification schemes. | 95% - Addressed – maybe some minor changes to come |
| UIUX.16 | Certification Schemes Manager View: BYOCS | On the Certification Schemes Manager View it should be possible to create a new certification scheme by selecting controls from existing certification schemes or by defining custom controls. (BYOCS = Bring Your Own Certification Scheme). | 90% - Addressed - maybe some minor changes to come |
| UIUX.17 | Certification Schemes Manager View: Import/Export | On the Certification Schemes Manager View it should be possible to import new certification schemes or to export existing ones via a CSV file or OSCAL format files. | 90% - Import & Export Addressed - maybe some minor changes to come. |
| UIUX.18 | Trustworthiness Check | The EMERALD UI should display a symbol to let the user know if the integrity of the evidence and/or assessments has been compromised. The integrity check should happen at regular intervals and can be manually triggered by the user. | 100% - The symbol is available and allows the user to re-trigger the integrity check; if necessary, users can see and download a report containing the compromised evidence and/or assessments. |
| UIUX.19 | Intuitive and Smooth UI | The EMERALD UI must be user-friendly and easy to use, so that all employees can understand it. The UI must allow to easily monitor compliance status across various targets of evaluation. Furthermore, the initial load of the UI should not exceed normal timing on a standard broadband connection and must respond to user actions within few seconds for all interactions. | 70% - Work in progress |
| UIUX.20 | Reusable metrics | It must be possible to reuse already-set-up metrics. The metrics must be suggested to the user, when a second certification scheme is looked at, so that the user does not have to remember that these metrics exist. | 80% - Work in progress |
| UIUX.21 | Transfer of Audit to EMERALD | The EMERALD UI should have a wizard or a workflow that helps new users to transfer current audit processes to EMERALD. | 20% - Difficult |
| UIUX.22 | Control Detail View: Manual Evidence | Controls that cannot be automatically assessed should have a field where the user can upload a file as evidence. | 90% - Addressed |
| UIUX.23 | Reporting | Users of the EMERALD UI can create different reports e.g., list of non-compliant controls, export into different formats (e.g. xlsx, pdf, docx). | 0% - to be discussed |
| UIUX.24 | UI Documentation | There should be a documentation (in form of text or videos) of the EMERALD UI in clear and understandable language so that users can easily understand the tool and the components to onboard tool administrators, compliance managers and other target users. | 0% - to be discussed |
| UIUX.25 | Self-Assessment Questionnaire for EUCS | There should be the possibility to perform a self-assessment (in the form of a questionnaire) of the fulfilment degree of the EUCS certification scheme for various levels (Basic, Substantial, and High) in the EMERALD UI. The questionnaire will allow users to answer a series of questions to evaluate the fulfilment of each control involved. It also provides the option for users to enter comments related to each question, as well as textual references to locate the evidence supporting the given answer. The system will generate a summary dashboard displaying quantitative values that reflect the degree of fulfilment for each level. Additionally, auditors will have access to the questionnaire, where they can review the self-assessment and enter non-conformities for any controls that are not fulfilled, providing a comprehensive overview of the certification status. | 5% - Work in progress |
6.1 Newly Added UI/UX Requirements since M9

Below we present the eight additional requirements for the EMERALD UI/UX, which have been added since M9. In this case we present the whole description and the status progress of the clickable prototype.

| Field | Description |
|---|---|
| Requirement id | UIUX.18 |
| Short title | Trustworthiness Check |
| Description | The EMERALD UI should display a symbol to let the user know if the integrity of the evidence and/or assessments has been compromised. The integrity check should happen at regular intervals and can be manually triggered by the user. |
| Status | Implemented (in clickable prototype) |
| Priority | Must |
| Component | TWS |
| Source | Component |
| Type | GUI |
| Related KR | KR7_INTEROP |
| Related KPI | - |
| Validation acceptance criteria | The symbol should be visible and reflect the status of the integrity of the evidence and assessments. Furthermore, it must be possible to trigger a new check manually. |
| Progress | 100% - The symbol is available and allows the user to re-trigger the integrity check; if necessary, users can see and download a report containing the compromised evidence and/or assessments. |


| Field | Description |
|---|---|
| Requirement id | UIUX.19 |
| Short title | Intuitive and Smooth UI |
| Description | The EMERALD UI must be user-friendly and easy to use, so that all employees can understand it. The UI must allow to easily monitor compliance status across various targets of evaluation. Furthermore, the initial load of the UI should not exceed normal timing on a standard broadband connection and must respond to user actions within few seconds for all interactions. |
| Status | Proposed |
| Priority | Must |
| Component | EmeraldUI |
| Source | Pilots |
| Type | GUI |
| Related KR | KR6_EMERALD UI/UX |
| Related KPI | KPI::6.3 |
| Validation acceptance criteria | Validate the design by performing workshops with the target users. |
| Progress | 70% - Work in progress |


| Field | Description |
|---|---|
| Requirement id | UIUX.20 |
| Short title | Reusable metrics |
| Description | It must be possible to reuse already-set-up metrics. The metrics must be suggested to the user, when a second certification scheme is looked at, so that the user does not have to remember that these metrics exist. |
| Status | Implemented (in the clickable prototype) |
| Priority | Must |
| Component | EmeraldUI, RCM, MARI |
| Source | Pilots |
| Type | GUI |
| Related KR | KR6_EMERALD UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | Metrics that have already been set up, should be suggested to the user, when setting up a new certification scheme. |
| Progress | 80% - Work in progress |


| Field | Description |
|---|---|
| Requirement id | UIUX.21 |
| Short title | Transfer of Audit to EMERALD |
| Description | The EMERALD UI should have a wizard or a workflow that helps new users to transfer current audit processes to EMERALD. |
| Status | Proposed |
| Priority | Should |
| Component | EmeraldUI |
| Source | Pilots |
| Type | GUI |
| Related KR | KR6_EMERALD UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | The wizard/workflow is present and can be understood (validation via workshop) by new users. |
| Progress | 20% - Difficult |


| Field | Description |
|---|---|
| Requirement id | UIUX.22 |
| Short title | Control Detail View: Manual Evidence |
| Description | Controls that cannot be automatically assessed should have a field where the user can upload a file as evidence. |
| Status | Proposed |
| Priority | Should |
| Component | EmeraldUI, Clouditor-Evidence Store, Clouditor-Assessment |
| Source | Pilots |
| Type | GUI |
| Related KR | KR6_EMERALD UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | It is possible to upload evidence files for manual controls. |
| Progress | 90% - Addressed |


| Field | Description |
|---|---|
| Requirement id | UIUX.23 |
| Short title | Reporting |
| Description | Users of the EMERALD UI can create different reports e.g., list of non-compliant controls, export into different formats (e.g. xlsx, pdf, docx). |
| Status | Proposed |
| Priority | Should |
| Component | EmeraldUI |
| Source | Pilots |
| Type | GUI |
| Related KR | KR6 EMERALD UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | Reports can be created and downloaded. |
| Progress | 0% - to be discussed |


| Field | Description |
|---|---|
| Requirement id | UIUX.24 |
| Short title | UI Documentation |
| Description | There should be a documentation (in form of text or videos) of the EMERALD UI in clear and understandable language so that users can easily understand the tool and the components to onboard tool administrators, compliance managers and other target users. |
| Status | Proposed |
| Priority | Should |
| Component | EmeraldUI |
| Source | Pilots |
| Type | GUI |
| Related KR | KR6_EMERALD UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | Documentation should cover all components of EMERALD as well as the tool itself in a clear and understandable language. Plausible Measurements: • Review the documentation to ensure it includes detailed descriptions, usage guidelines, and interactions of each component in EMERALD. • Conduct usability tests/pilots with auditors to evaluate their understanding and ease of onboarding using the documentation and user manuals. |
| Progress | 0% - to be discussed |


| Field | Description |
|---|---|
| Requirement id | UIUX.25 |
| Short title | Self-Assessment Questionnaire for EUCS |
| Description | There should be the possibility to perform a self-assessment (in the form of a questionnaire) of the fulfilment degree of the EUCS certification scheme for various levels (Basic, Substantial, and High) in the EMERALD UI. The questionnaire will allow users to answer a series of questions to evaluate the fulfilment of each control involved. It also provides the option for users to enter comments related to each question, as well as textual references to locate the evidence supporting the given answer. The system will generate a summary dashboard displaying quantitative values that reflect the degree of fulfilment for each level. Additionally, auditors will have access to the questionnaire, where they can review the self-assessment and enter non-conformities for any controls that are not fulfilled, providing a comprehensive overview of the certification status. |
| Status | Proposed |
| Priority | Should |
| Component | EmeraldUI |
| Source | Component |
| Type | GUI |
| Related KR | KR6_EMERALD UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | Ensure users can answer questions, add comments and references, and save responses; verify the dashboard displays accurate fulfilment levels, auditors can review assessments and document non-conformities, and that auditors can track and resolve non-conformities effectively. |
| Progress | 5% - Work in progress |

7 Conclusions

This deliverable presents the results of task T4.1 – Requirements engineering with compliance managers and auditors and T4.2 – Modelling work processes. Therefore, it has presented the overall methodology used in WP4 and the results achieved by applying different methods in the context of the EMERALD project. In more detail:

• We derived first insights about the pilots’ audit preparation processes in general, their needs, some pain points and expectations towards EMERALD. This was needed to get first ideas or insights on where the EMERALD UI could support them during the audit preparation and execution process.
• For each of the pilot partners and the auditors and compliance managers from NIXU/DNV we were able to derive concrete work processes about the audit preparation and the audit execution. These processes present the preparation and execution of audits from the perspective of compliance managers, security managers, and auditors including the working tasks, the information and data they need to do their tasks, and how the EMERALD solution could be used to support them.
• From the individual work processes, we developed a universally applicable blueprint for implementing EMERALD in audit preparation and audit execution workflows. This blueprint may be valuable for other companies seeking to use the EMERALD solution to enhance their audit preparation processes or to support audit executions.
• We derived seven personas divided into 3 different stakeholder groups – 3 personas related to the compliance stakeholders, one persona related to the technical stakeholders and 3 personas related to auditor stakeholders. For these personas, we developed a “persona-on-the-go” and 18 detailed scenarios. The personas and scenarios helped us to understand the roles and tasks of compliance managers, auditors, and technical stakeholders. This is essential for designing a system that effectively supports certification preparation and audit execution and for identifying the key functionalities needed in the EMERALD UI to support each stakeholder group.
• Finally, we were able to derive 25 UI/UX requirements for developing the EMERALD UI.

T4.1 and T4.2 have ended in M18 of the EMERALD project. This means that we presented the final work processes, personas and scenarios, and the requirements. However, the work in WP4 will be continued using the results gained from T4.1 and T4.2. On the one hand, for T4.3 we will use the results to further develop the clickable prototype of EMERALD and bring it into a state that has implemented all requirements (to a certain extent). Additionally, we will ensure that the prototype supports the respective work processes and use the personas as baseline roles for the user administration in EMERALD, including to inform which user is allowed to do what in the EMERALD UI. On the other hand, the work of T4.3 is strongly aligned with T4.4, where the EMERALD UI will be implemented. Thus, results gained in T4.3 that are based on T4.1 and T4.2 will directly be taken over in T4.4.
Benefits of the participation
It is likely that you might not receive any direct personal benefit for your participation in this interview besides possibly learning more about the EMERALD project in general. However, by participating you will make a substantial contribution to the success of the EMERALD project, as we need your expertise for developing a good and easy-to-use EMERALD UI/UX that supports you during your work.

Disadvantages and/or risks of the participation
No risk is foreseen. You are only requested to be available to participate.

Confidentiality and publication of the study data
Any responses you provide in the interview can be recorded or written down. The data, however, will not include any personal identification; hence it will not be possible to identify you afterwards. All the data you provide will be anonymised and treated confidentially. The information you provide will be analysed and presented in project reports together with the information from other participants. The raw data will be stored in the internal servers of the Know-Center protected by passwords that are only known to researchers conducting the interview. All the raw data will be stored for 5 years after the project finalisation.

Funding of the research
The research leading to this interview has received funding from the European Union’s Horizon Europe Research and Innovation Programme, under Grant Agreement no 101120688.

Contact for further information or in case of withdrawal from the study
DI Dr. Angela Fessl, Know-Center GmbH, afessl@know-center.at
9.3 Consent Form

Background of this study
EMERALD is a Horizon Europe Project (GA no.: 101120688) with the objective to pave the road towards Compliance-as-a-Service (CaaS) for continuous certification of harmonized cybersecurity schemes like the EUCS. This interview is conducted within WP4 – User Interaction and User Experience development of the EMERALD Project. The goal of this interview is to elicit requirements from our target groups such as auditors/chief information security managers/compliance managers etc. necessary for developing the integrated EMERALD UI. In more detail, our goal is to elicit in-depth insights about your work as auditors/chief information security managers/compliance managers in relation to continuous cloud auditing processes.

Statement of researcher's responsibility
As researcher, I have explained the nature of this research study and the procedures to be undertaken in this context. I have offered to answer any questions and fully answered such questions.

Declaration of participant
I confirm that: I am 18 years old or older and I am competent to provide consent. I have read and understood the information about this study, as provided in the Information Sheet. I have also had the opportunity to ask questions, and all my questions have been answered to my satisfaction. I freely and voluntarily agree to participate in this research study. I understand that I may refuse to answer any question and that I may withdraw at any time without being penalised for withdrawing nor questioned on why I have withdrawn. I agree that my personal information will remain confidential and that my data will be used anonymously and securely in research and publications, in a way that my identity cannot be revealed. I understand that other researchers will have access to this data only if they agree to preserve the confidentiality of the data.

I agree to the terms and to the recording of the consent procedure/ and interview (phone interviews)

Participant:
________________________ ______________________________ ________________
Name Signature Date

Researcher:
________________________ ______________________________ ________________
Name Signature Date
9.4 Data Protection Information

Controller: Know-Center GmbH Research Center for Data Driven Business & Big Data Analytics, Sandgasse 36/4, 8010 Graz. Contact: info@know-center.at

Data protection officer: Data Protection Officer of Know-Center GmbH, Sandgasse 34/4, 8010 Graz. Contact: datenschutz@know-center.at

Purpose of processing: Maintaining business contacts to the extent that this is covered by the reasons for being contacted to which the data subject has consented.

Data: Name, e-mail address, relevant for contacting the interview partners to which they have given their consent.

Basis in law: Consent pursuant to GDPR Art 6 (1) (a)

Recipient: No transmission to third parties; no contract processing

Transmission to third countries: No

Duration of storage: Until the time when you withdraw your consent. Irrespective of withdrawal of consent, the data will be deleted if your e-mail address becomes invalid or if we receive notification that communications are undeliverable.

Data subject rights: You have the right to:
- Information and access, to find out whether we have personal data of yours stored and what data it is.
- Rectification – correction and/or completion of your personal data that are incorrect or incomplete
- Erasure – deletion of your personal data that are being processed in a manner which is not lawful or is no longer lawful
- Restriction of processing
- Data portability
- Withdraw consent that you have given, effective for the future: i.e., further processing of your data is then not allowed from that point in time onwards, unless there is an overriding legitimate reason for doing so.
- Object to any assertion by Know-Center GmbH of an overriding legitimate interest in storing/processing the data
To exercise these rights please contact datenschutz@know-center.at.
You also have a right to make a complaint to the Data Protection Authority.
In this regard, we also refer to their homepage, which can be accessed under the link https://www.dsb.gv.at
10 APPENDIX B: Original User Scenario Descriptions

In the following sections we included all user scenario descriptions that have not been adapted. The adaptation of the user scenarios took place if there was an adaptation needed based on the technical feasibility in EMERALD.

10.1 Scenarios Riley
Figure 46. Scenario A: Riley – Managing a new audit scope
Figure 47. Scenario B: Riley – Manage all Controls of an Audit Scope
Figure 48. Scenario C: Riley – Uncover all “blind spots”
Figure 49. Scenario E: Riley – Accompanying an audit

10.2 Scenario Emerson
Figure 50. Emerson – Bring your own certification scheme

10.3 Scenario Dylan
Figure 51. Dylan – Internal Control Owner Control Implementation

10.4 Scenario Morgan
Figure 52. Scenario A: Morgan – Checking Metrics and Evidence

10.5 Scenario Charlie
Figure 53. Scenario 3: Charlie – Preparation of an audit by an internal auditor

10.6 Scenarios Jarkko
Figure 54. Scenario A: Jarkko – Scoping
Figure 55. Scenario B: Jarkko – Preparing for audit
Figure 56. Scenario C: Jarkko – Organizational Audit
Figure 57. Scenario D: Jarkko - Certification

10.7 Scenarios Eero
Figure 58. Scenario A: Eero – Technical Audit
Figure 59. Scenario B: Eero - Reporting

| Field | Description |
|---|---|
| Requirement id | UIUX.17 |
| Short title | Certification Schemes Manager View: Import/Export |
| Description | On the Certification Schemes Manager View it should be possible to import new certification schemes or to export existing ones via a CSV file. |
| Status | Implemented (in clickable prototype) |
| Priority | Could |
| Component | EmeraldUI, Clouditor-Orchestrator, RCM |
| Source | Pilot |
| Type | GUI |
| Related KR | KR6_EMERALD_UI/UX |
| Related KPI | KPI 6.3 |
| Validation acceptance criteria | It is possible to import or export the desired certification scheme using a CSV file. |