
D4.1 Results of the UI-UX requirements analysis and the work processes – v1

Author: Fessl, Angela; Franza, Simone; Disch, Leonie
Publisher: Zenodo
DOI: 10.5281/zenodo.17193450
Source: https://zenodo.org/records/17193450/files/EMERALD_D4.1-Results-of-the-UI-UX-requirements-analysis-and-the-work-processes-v1_v1.0.pdf
Deliverable D4.1
Results of the UI-UX requirements analysis and the work processes – v1
Editor(s): Angela Fessl, Simone Franza, Leonie Disch
Responsible Partner: Know-Center GmbH
Status-Version: Final 1.0
Date: 31.07.2024
Type: R
Distribution level (SEN, PU): PU
D4.1 – Results of the UI-UX requirements analysis and the work processes – v1 Version 1.0 – Final. Date: 31.07.2024
© EMERALD Consortium Contract No. GA 101120688 Page 2 of 54
www.emerald-he.eu
Project Number: 101120688
Project Title: EMERALD
Title of Deliverable: D4.1 Results of the UI-UX requirements analysis and the work processes – v1
Due Date for Delivery to the EC: 31.07.2024
Workpackage responsible for the Deliverable: WP4 - User interaction and user experience development
Editor(s): Angela Fessl, Simone Franza, Leonie Disch (KNOW)
Contributor(s): Björn Fanta, Franz Deimling, Olivia Kagerer, Lukas Ruckenstuhl (FABA); Maria Barros Weiss (IONOS); Ramon Martin de Pozuelo, Marti Fabrega I Pous (CXB); Natalia Sobieska (CF); Jordi Guijarro (ONS)
Reviewer(s): Olivia Kagerer (FABA); Cristina Martínez, Juncal Alonso (TECNALIA)
SAB Reviewers: Samu Nisula (NIXU); Constantino Vázquez (ONS); Mario Maawad (CXB); Daniela Greb (FABA); Tomasz Aniszewski (CF); Ali Nikoukar (IONOS)
Approved by: All Partners
Recommended/mandatory readers: WP1, WP2, WP3, WP5, WP6
Abstract: Initial version of the report on the elicited UI-UX requirements from the target groups. Work processes and workflows that should be covered with the user interface concept.
Keyword List: UI/UX Requirements, Work Processes, Personas, Scenarios
Licensing information: This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0 DEED https://creativecommons.org/licenses/by-sa/4.0/)
Disclaimer: Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. The European Union cannot be held responsible for them.
Document Description
Version | Date | Modifications Introduced: Modification Reason | Modified by
0.1 | 21.06.2024 | First draft version | Angela Fessl (KNOW)
0.1 | 26.06.2024 | QA review | Olivia Kagerer (FABA)
0.2 | 10.07.2024 | Addressing the comments from the QA review | Angela Fessl, Simone Franza (KNOW)
0.3 | 19.07.2024 | Addressing the comments from the SAB review | Angela Fessl, Simone Franza (KNOW)
0.4 | 22.07.2024 | Submission of D4.1 for TECNALIA Review | Angela Fessl, Simone Franza (KNOW)
0.5 | 25.07.2024 | Addressing the comments from TECNALIA Review | Angela Fessl, Leonie Disch (KNOW)
1.0 | 31.07.2024 | Submitted to the European Commission | Cristina Martínez (TECNALIA)
Table of contents
Terms and abbreviations
Executive Summary
1 Introduction
1.1 About this deliverable
1.2 Document structure
2 Methodology
2.1 Interactive Interview Session
2.1.1 Procedure
2.2 Interviews
2.2.1 Procedure
2.3 Focus Groups
2.3.1 Procedure
2.4 Personas & Scenarios Workshop
2.4.1 Procedure
2.4.2 Gender-bias in Personas and Scenarios
3 Results of the Interactive Interview Session
4 Work Processes
4.1 Work Processes of Compliance and Security Managers per Pilot
4.1.1 Pilot 2: CloudFerro
4.1.2 Pilot 3: Fabasoft
4.1.3 Compliance Manager from NIXU
4.2 Work Processes of Auditors
5 Personas & Scenarios
5.1 Personas
5.1.1 Emerson - Compliance Manager in Financial Service Institution
5.1.2 Riley – Cloud Service Compliance Manager
5.1.3 Dylan – Internal Control Owner
5.1.4 Charlie - Auditor
5.2 Scenarios
5.2.1 Scenario 1: Emerson – Bring Your Own Certification Scheme
5.2.2 Scenario 2: Dylan – Internal Control Owner Requirement Implementation
5.2.3 Scenario 3: Charlie – Preparation of an Audit by an Internal Auditor
6 UI/UX Requirements (version 1)
7 Conclusions
8 References
9 APPENDIX A: Interview Documents
9.1 Interview Guideline
9.2 Participant Information Sheet
9.3 Consent Form
9.4 Data Protection Information
List of Tables
TABLE 1. OVERVIEW OF THE CONDUCTED AND PLANNED INTERVIEWS
TABLE 2. OVERVIEW OF THE CONDUCTED AND PLANNED FOCUS GROUPS
TABLE 3. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q1: “HOW DO THE CURRENT AUDIT PROCESSES LOOK LIKE FOR YOUR PILOT?”
TABLE 4. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q2: “WHAT ARE THE “PAIN POINTS” FOR YOUR CURRENT AUDIT PROCESS?”
TABLE 5. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q3: “ARE THERE ANY SPECIFIC TASKS TO BE SOLVED BY EMERALD?”
TABLE 6. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q4: “HOW CAN EMERALD HELP MITIGATE THESE “PAIN POINTS”? EXPECTATIONS?”
TABLE 7. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q5: “WHAT TOOLS ARE YOU CURRENTLY USING FOR THE AUDITS IN YOUR PILOT?”
TABLE 8. SUMMARY OF ANSWERS GIVEN TO THE QUESTION Q6: “WHICH CERTIFICATION SCHEMES ARE YOU AS PILOT INTERESTED IN?”
List of Figures
FIGURE 1. OVERALL METHODOLOGY APPLIED IN WP4
FIGURE 2. PERSONA TEMPLATE
FIGURE 3. INDIVIDUAL PHASES OF AN AUDIT PREPARATION PROCESS OF A COMPLIANCE MANAGER AND SECURITY MANAGER FROM CLOUDFERRO
FIGURE 4. POTENTIAL SUPPORT OF THE COMPLIANCE MANAGER AND MAYBE SECURITY MANAGER OF CLOUDFERRO DURING AN AUDIT PREPARATION PROCESS WITH THE EMERALD UI
FIGURE 5. INDIVIDUAL PHASE OF AN AUDIT PREPARATION PROCESS OF A COMPLIANCE MANAGER FROM FABASOFT
FIGURE 6. POSSIBLE SUPPORT OF THE COMPLIANCE MANAGER OF FABASOFT DURING AN AUDIT PREPARATION PROCESS WITH THE EMERALD UI
FIGURE 7. INDIVIDUAL PHASE OF AN AUDIT PREPARATION PROCESS OF A COMPLIANCE MANAGER (BLUE) ORGANIZED BY NIXU AND POSSIBLE EMERALD SUPPORT (ORANGE)
FIGURE 8. INDIVIDUAL PHASES FOR CONDUCTING AUDIT PROCESSES OF IN GENERAL (BLUE) AND ENHANCED FOR CLOUD SOLUTIONS (GREEN)
FIGURE 9. POSSIBLE SUPPORT OF THE AUDIT PROCESS WITH THE EMERALD UI/UX
FIGURE 10. PERSONA EMERSON – COMPLIANCE MANAGER IN FINANCIAL SERVICE INSTITUTION
FIGURE 11. PERSONA RILEY – COMPLIANCE MANAGER OF A CLOUD PROVIDER
FIGURE 12. PERSONA DYLAN – INTERNAL CONTROL OWNER
FIGURE 13. PERSONA CHARLIE - AN (INTERNAL) AUDITOR
FIGURE 14. SCENARIO 1: EMERSON – BRING YOUR OWN CERTIFICATION SCHEME
FIGURE 15. SCENARIO 2: DYLAN – INTERNAL CONTROL OWNER REQUIREMENT IMPLEMENTATION
FIGURE 16. SCENARIO 3: CHARLIE - PREPARATION OF AN AUDIT BY AN INTERNAL AUDITOR

Terms and abbreviations
A: Auditor
AI: Artificial Intelligence
AI4C: Criteria Catalogue for AI Cloud Services
AMOE: Assessment and Management of Organisational Evidence
BYOCS: Bring Your Own Certification Scheme
BSI: Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik)
C5: Cloud Computing Compliance Criteria Catalogue
CaaS: Certification-as-a-service
CISO: Chief Information Security Manager
CM: Compliance Manager
CIS: Center for Internet Security
CSV: Comma-separated value
DoA: Description of Action
DORA: Digital Operational Resilience Act
ECB: European Central Bank
ENS: National Security Framework (Esquema Nacional de Seguridad)
EUCS: European Union Cybersecurity Certification Scheme for Cloud Services
GA: Grant Agreement of the project
ICO: Internal Control Owner
GUI: Graphical User Interface
ISO: International Organization for Standardization
KPI: Key Performance Indicator
KR: Key Result
MARI: Mapping Assistant for Regulations with Intelligence
RCM: Repository of Controls and Metrics
SAB: Security Advisory Board
TRL: Technology Readiness Level
UI: User Interface
UX: User Experience
Executive Summary
The EMERALD UI/UX (user interface/user experience) offers the user interface (UI) and user experience (UX) to address certification-as-a-service (CaaS) and its continuous and lean re-certification aspects with a focus on the user’s needs. The goal is to develop a concrete user interaction concept that in the end leads to a fully-fledged UI/UX for EMERALD.
This deliverable D4.1 is related to WP4 - User interaction and user experience development and presents its results regarding T4.1 - Requirements engineering with compliance managers and auditors and T4.2 - Modelling work processes. The document describes the applied methodology and the requirement analysis conducted so far, as well as the first results derived, namely the initial work processes and the first set of concrete UI/UX requirements relevant for implementing the EMERALD UI/UX.
In more detail, this deliverable presents the results of the interactive interview session to get insights about the pilot partners’ needs, the initially elicited work processes, the first set of personas and corresponding scenarios, and the elicited UI/UX requirements. The main findings can be summarized as follows:
• From the interactive interview session at the general assembly in Bilbao, Spain (March 2024), we were able to derive insights about the pilots’ audit preparation processes in general, their needs, some pain points and some expectations regarding EMERALD.
• From the 7 interviews and 2 focus groups conducted so far, we were able to derive initial concrete work processes per pilot and for external auditors regarding the preparation and conduction of audits from the perspective of compliance managers, security managers and auditors.
• From the Personas and Scenarios workshop that was conducted in June 2024, we derived four personas – 2 different compliance manager personas, 1 internal control owner persona, and 1 auditor persona. Additionally, we developed 6 general scenarios and 3 detailed scenarios to understand the work of compliance managers, internal control owners and auditors in more detail.
• Finally, we were able to derive an initial set of 17 UI/UX requirements for developing the EMERALD UI/UX.
In the upcoming months, we will continue with the activities to be able to provide at the end of M18 the final versions of the work processes, personas and scenarios, and a complete set of UI/UX requirements for the EMERALD UI/UX. Therefore, a subsequent version of this document (D4.2) will be released in M18, where the final results of T4.1 and T4.2 will be presented.
1 Introduction
The EMERALD UI/UX offers the user interface (UI) and user experience (UX) to address certification-as-a-service (CaaS) and its continuous and lean re-certification aspects with a focus on the user’s needs. The user experience (UX) describes the quality of the experience the target users have with a specific product or service, while the user interface (UI) represents the design and layout of the product or service. UI and UX are closely linked to each other, with a seamless UI design playing a crucial role in shaping a positive and efficient UX.
This deliverable describes the applied methodology and the requirement analysis conducted so far, as well as the first results derived, namely the initial derived work processes and the first set of concrete UI/UX requirements relevant for implementing the EMERALD UI/UX. Therefore, different methods were applied, and different studies were conducted to elicit which information the target users need to have during an audit process or for preparing an audit. The developed EMERALD UI/UX will be tailored to the users’ needs to support them during all stages of an audit and to guide them through the process of identifying problems top down – from high level requirements down to specific implementation in documents (e.g., policies) or technical specifications.
This section introduces the context of this deliverable regarding the EMERALD project, the aim and audience of the content as well as the document structure. This deliverable presents the initial results of task T4.1 – Requirements engineering with compliance managers and auditors and T4.2 – Modelling work processes, as both tasks will continue until M18 of the EMERALD project. The final results of both tasks will be summarised in D4.2, to be released in M18.
1.1 About this deliverable
One of the project’s objectives as defined in the DoA [1] is:
“O3: Provide a seamless user experience of continuous auditing for auditors and auditees: The EMERALD project aims at providing a concept on how to approach the audit process and view the data in a suitable and intuitive way. This includes descriptions of roles of the different users involved (e.g., compliance manager, internal control owner, auditor, …), development of a concept for the integration of components and data related to the certification process and building a unique overview platform for certification stakeholders.” [2]
In this deliverable, we describe the methodological approach used to reach this objective and present the first concrete results of T4.1 and T4.2. All results are preliminary and will be continuously further developed, updated, and validated until M18 of the project.
Different methods have been used and applied to meet the EMERALD project context regarding the UI/UX development. This work consists of three major elements:
• Methodology: The overall methodology was used to derive the initial set of UI/UX requirements and the initial work processes of the target groups. This overall methodology consisted of different interviews, focus groups, and the first persona & scenario workshop.
• Work Processes: From the interviews, focus groups, and the persona & scenario workshop, a first set of work processes was derived.
• UI/UX Requirements: Finally, 17 UI/UX requirements were derived. These requirements cover the most important views and functionalities that the EMERALD UI/UX must offer to the target users.
The target audience of this deliverable is twofold:
• First, all EMERALD partners: The technical partners, because their components and the corresponding outputs will be connected to and presented in the EMERALD UI. The pilot partners, as their employees including compliance managers, internal control owners and auditors, are the target groups of the EMERALD project.
• Second, this document is also targeted to the broader EMERALD target users (e.g., potential end-users, strategic partners, communities, or policymakers) who are interested in socio-technical design, co-creation and co-design. For them, it will provide some guidance and concrete examples on how to elicit knowledge from people with different backgrounds (e.g., interviews, focus groups), and how to carry out a UI/UX development process that corresponds to the needs and wishes of the target users.
The goal of this deliverable is to present the applied methodology and requirement analysis conducted so far, as well as the initial versions of the work processes and workflows elicited from the target groups. Furthermore, we present the first derived set of UI/UX requirements necessary for the future EMERALD UI/UX development.
1.2 Document structure
The document is structured as follows:
After the introduction section, Section 1, Section 2 presents the overall methodology used for fulfilling the objectives of Tasks 4.1 and 4.2. Subsequently, it includes a separate section for each step of the methodology to present its results.
Section 3 summarizes the findings of the interactive interview session held at the general assembly in Bilbao. Section 4 presents the initial versions of the work processes elicited so far from the interviews and focus groups conducted with the pilot partners. Section 5 consolidates the findings from the first workshop on personas and scenarios. Section 6 presents the initial set of UI/UX requirements we have derived from all the activities conducted (e.g., interviews, focus groups, workshops). Finally, Section 7 concludes the report and presents the next steps.
In addition, APPENDIX A: Interview Documents includes the interview guideline, the participant information sheet, the consent form, and the data protection sheet.
Workshop Part II: The second part of the workshop was attended by 9-11 participants. The agenda was as follows: first, we made a short recap of the first part of the workshop, by briefly summarizing the 4 personas developed. Second, we introduced scenarios and user stories as co-design method in general. Then we presented 6 pre-defined scenarios as starting point. Afterwards, we divided the participants into three groups and asked them to create a scenario for the persona they had developed in the first workshop. Thereby, they could use one of the pre-defined scenarios as a starting point. After developing the scenario, they were asked to break it down into different steps of how the persona would interact with the EMERALD UI and to discuss these user stories in relation to the pre-defined mock-ups.
Finally, 3 different scenarios were developed in this workshop (see Section 5.2):
• Scenario 1: Emerson – Bring your own certification scheme
• Scenario 2: Dylan – ICO Requirement Implementation
• Scenario 3: Charlie - Preparation of an audit by an internal auditor
2.4.2 Gender-bias in Personas and Scenarios
It is known from literature that gender bias during technology development is a problem, because women are often under-represented in design teams and in co-creation and co-design processes (see [17], [18], [19]).
With regard to personas, there exist several strategies on how to mitigate gender bias during the development of personas and scenarios – one of them is to use gender-neutral personas (see [20], [21]) and to formulate scenarios in a gender-neutral way. Therefore, we created a list of gender-neutral names to use during the workshop, did not ask for a specific gender in the persona template, and afterwards, all gender-specific formulations were removed (e.g., all wording referring to he/she was replaced with they).
To make the development of the personas more fun for the participants, we asked them to create a picture for each of the personas. However, as the resulting figures are not gender-neutral, they will be removed from the final version of the personas (in D4.2).

3 Results of the Interactive Interview Session
The interactive interview session was conducted per pilot at the general assembly in Bilbao (March 2024). The results are presented below as follows: first, for each question a short summary is presented, followed by a table summarizing the results of all pilots in more detail.
Q1: How do the current audit preparation processes look like for your pilot?
All pilot partners described the audit preparation processes very similarly. Audits take place yearly up to every 4-5 years; thereby, the frequency of the audit depends on the type of the audit (e.g., some audits take place yearly, some only every 2-3 years) and the standard that is audited. Typically, the preparation of an audit is a repetitive manual process that is very time consuming and involves many people from different departments, as described in Table 3.
Table 3. Summary of answers given to the question Q1: “How do the current audit processes look like for your pilot?”
Q1: How do the current audit preparation processes look like for your pilot?
Pilot 1: IONOS | Pilot 2: CloudFerro | Pilot 3: Fabasoft | Pilot 4: CaixaBank
• repetitive manual processes
• involvement of various teams
• rely on external consultancy companies
• based on a spreadsheet → turned into tickets
• documents such as employee certifications, need to be formalized and presented
• multiple audits yearly
• time-consuming
• audits last 2-4 days
• significant preparation time
• manual preparation of procedures, policies, and documentation
• traditional audits: not always able to deal with automatically collected evidence or digital support of the steps
• automatically collected pre-processed evidence has to be presented as manual evidence
• auditors are able to have the evidence chains
• many people involved in preparing the audit and during the audit
• major tool: spreadsheet
• create a huge number of tickets and issues that need to be addressed by a lot of people
• pilot covers several environments
• continuous assessment on own premises
• internal audit yearly, with additional audits for cloud provider license renewals
• periodic audits by ECB every 4-5 years, covering all aspects of bank security
• audits occur annually
Q2: What are the “pain points” for your current audit process?
The pilot partners mentioned similar “pain points” that they must deal with during the audit preparation phase, as presented in Table 4. Pain points mentioned are that i) the audit preparation phase is a very costly process as it involves consultancy from outside, and many people and departments from inside, ii) it is a very time-consuming process to show evidence for all requirements necessary for the respective audit, and iii) it needs manual verification of extensive documents.
Table 4. Summary of answers given to the question Q2: “What are the “pain points” for your current audit process?”
Q2: What are the “pain points” for your current audit process?
Pilot 1: IONOS | Pilot 2: CloudFerro | Pilot 3: Fabasoft | Pilot 4: CaixaBank
• costly processes (because of consultancy and manual work)
• large workload (because process is based on a spreadsheet which is then turned into tickets manually)
• audits comprehensive & time-consuming
• manual verification of extensive documentation
• involvement of multiple teams
• many people involved for a huge number of days for one single certification
• based on a spreadsheet
• obtaining all evidence
• evaluating against internal spreadsheet
• need for exhaustive monitoring of critical providers
• improving controls, benchmarks, and standards for cloud providers
• identifying and implementing required controls for different clouds
Q3: Are there any specific tasks to be solved by EMERALD?
The pilot partners have concrete suggestions for specific tasks to be solved within the EMERALD project and especially by the EMERALD UI, as presented in Table 5. The pilot partners came up with suggestions such as i) automating the collection and identification of relevant documents to show evidence regarding requirements, ii) supporting the whole workflow management, including especially the manual processes, and iii) allowing the automatic extraction of evidence from different documents (for organisational and technical requirements likewise). A direct quote was, furthermore, “We would like to get rid of our [spreadsheet]!” (the spreadsheet is huge and used for managing all requirements of a respective standard).
Table 5. Summary of answers given to the question Q3: “Are there any specific tasks to be solved by EMERALD?”
Q3: Are there any specific tasks to be solved by EMERALD?
Pilot 1: IONOS | Pilot 2: CloudFerro | Pilot 3: Fabasoft | Pilot 4: CaixaBank
• automate collecting and identifying documentation (e.g., on employee certifications and trainings)
• facilitate and automate manual processes
• policy and procedure documentation management, integration of AMOE
• support the whole workflow management including a fair coverage of manual processes
• show path to new approach to audits
• real-time monitoring and evidence collection for cloud and on-premises setups
• analysis and matching of policies and procedures to certification scheme
• need for automated system to recognize documents and controls
• linking evidence to source documents for audit purposes
• providing extracted evidence from commercial tools for assessment
• writing wrapper for tools to submit evidence
• include on-premises assessment if desired
• building internal tool similar to Clouditor² for automating evidence collection from different environments
Q4: How can EMERALD help mitigate these “pain points”? Expectations?
To mitigate the existing pain points, the pilot partners have several ideas where the EMERALD project might come into play, as described in Table 6. For example, EMERALD could help to i) reduce the manual work of evidence collection, ii) support the verification process of evidence in relation to requirements, iii) reduce the involved personnel costs as it reduces the time for preparing the audits and the number of persons involved across the pilots, and iv) if possible, the solution developed within EMERALD should be accepted by auditors as a tool supporting the audit process.
Table 6. Summary of answers given to the question Q4: “How can EMERALD help mitigate these “pain points”? Expectations?”
Q4: How can EMERALD help mitigate these “pain points”? Expectations?
Pilot 1: IONOS | Pilot 2: CloudFerro | Pilot 3: Fabasoft | Pilot 4: CaixaBank
• collect, identify and present important documentation
• automate repetitive processes → reduce manual work
• automate the verification process
• main expectation: costs of the audits will be decreased
• assist throughout all respective manual processes regarding organizational parts and evidence
• map EUCS into the digital world
• not only collect and manage these things digitally and automatically, but also enable complete audit chains
• assist with a transition into a new approach to audits
• technical audit API to standardize the communication of evidence for technical requirements
• EMERALD solution should be accepted by auditors
• comparing internal tool with Clouditor for auditing
• compare our own tool with EMERALD/Clouditor and see how they can complement each other
• integrate metrics recommender and AMOE into audit processes
• deploy and utilize selected EMERALD tools for real-time assessments
Q5: What tools are you currently using for the audits in your pilot?
So far, the pilot partners use different tools for preparing an audit, as shown in Table 7. Nearly all partners use a spreadsheet to manage the requirements of the respective standards. One row represents one concrete requirement. For each single requirement, each row contains information about how the respective requirement is fulfilled (including links to the respective documents and evidence), who is responsible for the requirement and what the status of the requirement is. Additionally, the pilot partners use other tools for managing the requirements such as JIRA, OpenStack or other dashboards or tools tailored to their needs.
² https://github.com/clouditor/clouditor
Table 7. Summary of answers given to the question Q5:
“What tools are you currently using for the audits in your pilot?”
Q5: What tools are you currently using for the audits in your pilot?
Pilot 1: IONOS
Pilot 2: CloudFerro
Pilot 3: Fabasoft
Pilot 4: CaixaBank
• Spreadsheet
• JIRA
• Mostly manual
• OpenStack
• Spreadsheet/Word
• Spreadsheet
• Predefined Workflows and tickets
• Internal monitoring tool
• CIS benchmarks for cloud environments
• Own centralized tool is planned with dashboard
Q6: Which certification schemes are you as pilot interested in?
Table 8 presents the certification standards in which the pilot partners are interested and which of them they would like to be supported by EMERALD. Most of the pilot partners are interested in BSI C5 and EUCS schemes, as well as other standards relevant to their individual cloud services.
Table 8. Summary of answers given to the question Q6:
“Which certification schemes are you as pilot interested in?”
Q6: Which certification schemes are you as pilot interested in?
Pilot 1: IONOS
Pilot 2: CloudFerro
Pilot 3: Fabasoft
Pilot 4: CaixaBank
• BSI C5
• ISO
• BSI C5
• EUCS
• BSI C5
• AIC4
• ENS
• DORA
• Requirements from European Central Bank
• Internal schemes
4 Work Processes
This section presents an overview of the work processes derived from the conducted interviews and focus groups. Firstly, we present the results of the interviews with the information security managers and compliance managers of the pilot partners, thus, we present the work processes and the individual steps they need to follow in order to thoroughly prepare an audit of cloud solutions. Secondly, we present the results of the interviews with the auditors. We show the work process and individual steps of how they conduct an audit of cloud solutions.
4.1 Work Processes of Compliance and Security Managers per Pilot
This section describes the results of the interviews and focus groups conducted with all pilot partners. Thereby, we present firstly the derived audit preparation processes, and secondly how EMERALD could be used to support these processes. The results presented are preliminary, as the conduction of the interviews and focus groups has not yet been finished. Additionally, all gained insights need to be discussed with the technical partners regarding their feasibility.
In the following, we present the work processes elicited from Pilot 2: CloudFerro, Pilot 3: Fabasoft and the processes derived for the compliance managers supported by NIXU. Please note that the work processes referring to IONOS and CaixaBank are omitted, as they are currently “work-in-progress”, and will be documented in D4.2.
4.1.1 Pilot 2: CloudFerro
We conducted two interviews with CloudFerro employees: one with a compliance manager and one with a security manager. At the time of writing, the focus group is still pending, thus, we present here only the preliminary results that are subject to change during the course of the project.
In the following, we first present how the audit preparation processes take place at CloudFerro, as shown in Figure 3, and then how the EMERALD UI could support the different phases of the process, as shown in Figure 4.
• Phase 1 – Starting with analysis: In phase 1, the responsible person starts with a coordination check and gets in contact with the certification board. The audit preparation process differs a bit depending on if the audit preparation is done for a new certification scheme, for an existing certification scheme that was updated, or just checking the current certification scheme. If a new certification scheme is added, more work is needed to fulfil all requirements. If a certification scheme was updated, they check which requirements were updated and which are new, however, their goal is to implement as many of the requirements as possible in the most efficient way.
• Phase 2 – Standard: In phase 2, the responsible person deals with the respective certification scheme to be prepared. They buy either the new standard or organize the updated standard. They go very carefully through the respective standard and elicit either all requirements from the new standard, or only the new and updated requirements from the updated standard.
• Phase 3 – Check with documentation: All requirements need to be clarified on how to deal with them, if they need to be implemented (technically), if respective documents need to be updated etc. Where necessary, other departments or individuals will be contacted to help with the clarification of requirements.
• Phase 4 – Identify gaps: In this phase all existing gaps are identified to manage open requirements and discuss how to deal with them.

Figure 3. Individual phases of an audit preparation process of a compliance manager and security manager from CloudFerro
For three of the four phases mentioned above in the CloudFerro audit preparation process, we have derived some ideas on how the audit preparation process for cloud solutions at CloudFerro could be supported by the EMERALD UI, as shown in Figure 4 (in orange).
• Phase 2 – Standard: EMERALD can support the compliance manager with the following tasks for setting up a new standard or for dealing with an update of an existing standard:
  o New Standard: After having uploaded a new standard in EMERALD, the EMERALD UI can set-up the list of all requirements extracted from the new standard. Additionally, it can provide the possibility to add the corresponding metrics to each requirement.
  o Update a Standard: EMERALD can support the upload of an updated standard and allow audit instances to be updated with it. Additionally, the EMERALD UI shows updated requirements as well as new requirements that have been added to the updated version of the standard.
• Phase 3 – Check with documentation: EMERALD can support the compliance manager with the following tasks for setting up a new standard or for dealing with an update of an existing standard:
  o For a new standard as well as for an updated standard, EMERALD can help to derive evidence for organisational and technical requirements.
• Phase 4 – Identify gaps:
  o For a new standard as well as for an updated standard, EMERALD can show identified gaps and detected non-conformities for the new or the updated requirements.
Figure 4. Potential support of the compliance manager and maybe security manager of CloudFerro during an audit preparation process with the EMERALD UI
4.1.2 Pilot 3: Fabasoft
We conducted an interview with three compliance managers from Fabasoft. Additionally, after having analysed the results, we conducted a focus group with the responsible compliance manager and the EMERALD project manager to get input and feedback. Accordingly, we improved the elicited audit preparation process and present its actual status in Figure 5 as follows:
• Phase 1 – Set-up Mapping: In phase 1 of setting up an audit preparation for a new standard, all requirements are added into a spreadsheet. This means that each requirement is presented in an individual line. For each of the requirements, a set of parameters will be created and collected in phase 2.
• Phase 2 – Set-up: In this phase, the compliance manager starts filling in the spreadsheet for all requirements as far as possible. Requirements that the compliance manager cannot fill in are assigned to other departments or individual persons, who are responsible that the respective requirements are fulfilled.
• Phase 3 – Verification: In the verification phase, the compliance manager must check whether all requirements have been filled-in in the spreadsheet and whether all requirements have been assigned correct and concrete evidence that can be shown to the auditors.
Figure 5. Individual phases of an audit preparation process of a compliance manager from Fabasoft
For each of the three phases mentioned above in the Fabasoft audit preparation process, we have derived some ideas on how the audit preparation process for cloud solutions at Fabasoft could be supported by the EMERALD UI, as shown in Figure 6 (in orange).
• Phase 1 – Set-up Mapping: EMERALD can support the compliance manager with the following tasks for setting up the mapping:
  o Requirements overview: EMERALD UI can create a list with all requirements of the respective certification scheme for the upcoming audit.
  o Requirement parameters: EMERALD UI can provide the possibility to set the respective parameters for all requirements.
  o Requirement status: EMERALD UI can show the status of each requirement on two levels – compliance level and status level.
• Phase 2 – Set-up: EMERALD can support the compliance manager with the following tasks:
  o Filtering: EMERALD UI allows to filter for requirements that need further input.
  o Add notes: EMERALD UI allows to add notes to a requirement e.g., suggestions on how a requirement can be addressed.
  o Assigning requirements: EMERALD UI allows to assign requirements to departments or individuals and vice versa, requirements can be assigned back to the compliance manager.
• Phase 3 – Verification: EMERALD can support the compliance manager and the other departments with the following tasks during the verification phase:
  o Verification by departments or individuals: EMERALD UI allows the respective departments or individuals to verify the requirements and controls.
  o Verification by the compliance managers: EMERALD UI allows the compliance manager to mark the respective requirements as ready for being used in an audit.
Figure 6. Possible support of the compliance manager of Fabasoft during an audit preparation process with the EMERALD UI
4.1.3 Compliance Manager from NIXU
An interview and a follow-up focus group were conducted with a compliance manager (not from NIXU) organized by the NIXU project manager. Again, we could derive the different process phases of how the audit preparation process is conducted, as depicted in Figure 7 (in blue), as follows:
• Phase 1 - Preparation and Setup: In this phase the whole audit preparation process is set up, including the establishment of the compliance framework, setting up the continuous compliance monitoring process, and informing all relevant stakeholders.
• Phase 2 - Monitoring and Identification: In this phase, the continuous monitoring and identification of the requirements and the respective evidence should take place. If some deviations or non-conformities are identified, the relevant stakeholders need to be informed.
• Phase 3 - Evaluation & Decision Making: In this phase, identified deviations or non-conformities need to be evaluated and a decision must be taken if and how corrective actions will be taken.
• Phase 4 - Corrective Action Planning & Implementation: If it has been decided to take corrective actions, these actions have to be planned, pursued, and implemented.
• Phase 5 - Reporting: In this phase all activities done regarding the requirements and their evidence, as well as all information related to corrective actions, need to be summarized in reports to be available for the audit itself.
For each of the five phases mentioned above in the audit preparation process, we have derived some ideas on how the audit preparation process for cloud solutions could be supported by the EMERALD UI, as shown in Figure 7 (in orange).
• Phase 1 - Preparation and Setup: EMERALD can provide support for the following tasks:
  o Set-up: EMERALD UI can support the set-up of the respective compliance framework, standards, or certification schemes.
  o Cloud service: EMERALD UI can support the selection of the cloud solution to be audited.
  o Continuous monitoring setup: EMERALD UI can support to define specific parameters for the continuous monitoring of requirements and evidence.
  o Tasks & Meetings: EMERALD UI can offer to manage tasks or schedule respective meetings.
• Phase 2 - Monitoring and Identification & Phase 3 - Evaluation & Decision Making: EMERALD can provide support for the following tasks:
  o Continuous monitoring: EMERALD UI can help to support continuous monitoring of the system according to different parameters. Additionally, EMERALD UI should show possible deviations or non-conformities found in the corresponding visualisations in EMERALD UI.
  o Stakeholder involvement: EMERALD UI can help inform stakeholders when non-conformities, deviations or other problems occur (e.g., by automatically sending an email or displaying notifications).
• Phase 4 - Corrective Action Planning & Implementation: EMERALD can provide support for the following tasks:
  o Corrective Action Management: EMERALD UI should allow the possibility to note down decisions taken regarding the implementation of corrective actions. This includes, for example, having a list of pending tasks that allows to plan and follow up the implementation of the corrective actions.
Figure 11. Persona Riley – Compliance Manager of a Cloud Provider
5.1.3 Dylan – Internal Control Owner
The third persona – an internal control owner – was named Dylan. The summarized persona is depicted in Figure 12.
• About Dylan: Dylan is 45 years old, married, enjoys golf and has three cats and one snake as pets. Dylan's job experience entails ten years as a programmer and fifteen years as a team lead and product owner. Dylan's responsibilities as head of production service include leading a team and overseeing and planning product development and backend services. Regarding audits, Dylan's responsibilities are to ensure that requirements are addressed and that all evidence is collected. The overall goal is to have no non-compliance for all services.
• Tasks, Motivation and Pains: Dylan's tasks consist of defining metrics, collecting evidence for controls, and assigning and delegating control implementation to the team. In that, the goals are to increase transparency, traceability, and accessibility of evidence. Additional goals are to have no non-compliances and to ensure high security. Pain points are manual tasks that must be addressed in addition to the day-to-day activities, repetitive tasks, and tracking control distribution can be difficult.
• Contacts: Dylan's internal contacts in the company are other control owners, internal auditors, team members (especially implementers), and the compliance manager. Externally, Dylan gets in contact with auditors.
• Work Context: EMERALD could help Dylan in their day-to-day tasks by simply delegating tasks, providing an overview of assigned controls and displaying assessment results. Further, tracking the progress of ongoing audits and the possibility of defining target values and having evidence monitoring and extraction tools.

Figure 12. Persona Dylan – Internal Control Owner
5.1.4 Charlie - Auditor
The fourth persona – an auditor – was named Charlie. The summarized persona is depicted in Figure 13.
• About Charlie: Charlie is a senior auditor with ten years of job experience. Charlie is detail-oriented and meticulous and has knowledge of security certifications. As an auditor of security compliance with cloud services, Charlie's responsibilities include managing the audit process, planning, reporting, and maintaining contact with customers. The overall goal is to detect non-compliances, control risk management, and set up procedures. Charlie did not want to provide any further personal information.
• Tasks, Motivation and Pains: Charlie's tasks include managing audit processes, preparing audits, conducting audit interviews, and participating in compliance novelties training. Further, Charlie provides templates to customers, surveys analysis, reports on different levels (organizational, technical), checks controls and procedures for non-conformities and checks evidence. In that, the goals are to provide easy access to information/evidence, reduce risks, fulfil audit KPIs, and help customers. Pain points are to get in contact with the responsible person and get the correct information, update different schemes, consider a vast number of requirements and controls of audits, manual, tedious processes, and distributed tools used during the audit.
• Contacts: Charlie is in contact with chief information security officers, service managers, compliance managers, other auditors, and standardization bodies and regulators.
• Work Context: In Charlie's day-to-day activities, the EMERALD UI could help by providing an overview of the required information, enabling continuous checks of capabilities and reports, making their own schemes integrable, enabling advanced search features, and making information from previous audits reusable. Regarding reporting, Charlie could be supported by providing information export features in the EMERALD UI and generating reports on different levels of detail, for instance. With regard to evidence, Charlie would need to have access to a simplified evidence management system where it is possible to join evidence from different sources, for example. Additionally, EMERALD could help Charlie by integrating the automation of repetitive tasks, such as the measurement of metrics, enabling information exchange with cloud service providers, and integrating external services, e.g., ticketing systems.
Figure 13. Persona Charlie - An (internal) auditor
5.2 Scenarios
In the second part of the Personas & Scenarios workshop, we asked the participants to develop scenarios using the previously developed personas as baseline (see Section 5.1). To do so, the participants selected predefined scenarios and used mock-ups (pre-created by WP4) to analyse how the tasks described in the scenarios could be performed with the user interface. We had predefined six general scenarios. Three of these scenarios were enhanced and adapted by the workshop participants to align them with the personas that were developed before. Thus, three detailed scenarios to understand the work of compliance managers in financial service institutions, internal control owners and auditors in more detail were created. Please note that scenarios were created for the personas Emerson, Dylan, and Charlie, and not for Riley due to the lower workshop attendance. However, Riley will be taken up in an upcoming workshop.
5.2.1 Scenario 1: Emerson – Bring Your Own Certification Scheme
The workshop participants adapted the scenario for the persona Emerson – a compliance manager in a financial service institution – to fit the persona's tasks. The short scenario description is presented below and the whole scenario is depicted in Figure 14.
Generally, in this scenario, Emerson’s goal would be to define its own certification scheme, thus, the new certification scheme should be a selection and combination of requirements from other certification schemes ("Bring Your Own Certification Scheme - BYOCS" option). Therefore, Emerson opens the view that allows to set-up a new certification scheme and selects a set of controls from available certification schemes (e.g., EUCS, BSI C5). Their line manager then informs Emerson that Department X has decided to acquire a new cloud service provider - namely XYZ. Emerson creates an audit instance (= target of evaluation) to manage cloud solutions and the corresponding BYOCS. Emerson opens EMERALD, selects the audit instance and the XYZ cloud solution to be audited, and uploads all relevant documents (links, etc.). Emerson's task is to go through and check all requirements and controls, for which Emerson goes to the EMERALD UI. Emerson uses different EMERALD UI functionalities to filter the requirements and uses different visualizations of the overall status of all requirements to determine which requirements need to be dealt with and which are already compliant.
Figure 14. Scenario 1: Emerson – Bring your own certification scheme
5.2.2 Scenario 2: Dylan – Internal Control Owner Requirement Implementation
The workshop participants developed a scenario for the persona Dylan – an internal control owner (ICO) – that corresponds with Dylan’s working tasks. The scenario is shortly summarized below, and the detailed description is depicted in Figure 15.
Overall, in this scenario Dylan opens the EMERALD UI, assesses a requirement/control that is still open and would like to delegate the implementation of this control to a colleague Y. Y selects a set of metrics that matches the requirement, implements the requirement and informs Dylan via the EMERALD UI that the metric was implemented. Dylan checks whether the metric has been implemented correctly and meets the requirements.
Figure 15. Scenario 2: Dylan – Internal Control Owner Requirement Implementation
5.2.3 Scenario 3: Charlie – Preparation of an Audit by an Internal Auditor
The scenario for the persona Charlie - an auditor - was adapted from a pre-defined one to be in line with the auditors’ tasks. A short description is provided below, and the detailed scenario is shown in Figure 16.
In this scenario, Charlie would like to review all requirements according to their compliance status. Charlie enters the EMERALD UI, looks for the requirements related to EUCS high and looks for requirements which are marked as non-compliant. Charlie takes a close look at the reasons for non-compliance; thus, it should be clear which metric/assessment result is causing the non-compliance so that the compliance manager can be informed. Once Charlie has reviewed all non-compliances, an internal report should be created for the compliance manager.
Figure 16. Scenario 3: Charlie - Preparation of an audit by an internal auditor
6 UI/UX Requirements (version 1)
In every software project it is extremely important to document requirements to ensure that the desired functionalities are implemented and validated. In the case of the EMERALD UI/UX, the requirements define which elements should be presented to the user, how they interact with each other, and the EMERALD architecture.
Overall, three different types of requirements are elicited in EMERALD. In WP1, all technical requirements of the different EMERALD components are collected and will be summarized in D1.3 “EMERALD solution architecture-v1”. In WP5, business-driven requirements from the pilots are elicited and presented in D5.1 [22]. In WP4, requirements for the EMERALD UI – the graphical user interface (GUI) - are elicited and are presented in this deliverable.
So far, we have elicited 17 requirements for the EMERALD UI (GUI) by analysing the interviews and focus groups conducted with the pilot partners. We homogenized the requirements based on their similarities and added them to the common Git repository of the EMERALD project. Each requirement is presented along the common EMERALD requirement definition table consisting of the following fields:
• Requirement id: Contains the unique identifier of the requirement. All requirements referring to the EMERALD UI begin with “UIUX” followed by a unique number e.g., UIUX.01.
• Short title: Contains a short title of the requirement.
• Description: Describes the requirement in more detail.
• Status: Contains the status of the requirement, consisting of one of the following values: Proposed → Accepted/Discarded → Work in Progress → Implemented (Partial/Full) → Tested → Validated
• Priority: Priority values are: Must; Should; Could.
• Component: Contains the name of the component the requirement is related to; in the case of WP4 it is “EmeraldUI”.
• Source: Defines where the requirement comes from: pilot, component, DoA or KPI.
• Type: Describes the type of the requirement. In the case of WP4 it is always a “GUI” requirement.
• Related KR: Describes the related key result of the DoA. In the case of WP4, the related key result is “KR6_EMERALD_UI/UX” (see below).
• Related KPI: Describes the related key performance indicator of the DoA. So far, all requirements refer to KPI 6.3 (see below).
• Validation acceptance criteria: Describe how to validate the requirement.
The related key result of all the UI/UX requirements is:
• KR6: EMERALD UI/UX - User experience for complexity reduction: A user interaction concept and conducted studies to show what information each user needs in an audit process. The concept shall lead to a user interface (UI), which is tailored to the users’ needs during all stages of an audit and guides them through the process of identifying problems top down – from high level requirements down to specific implementation in documents (e.g., policies) or technical specifications [1].
Currently, the requirements are related to KPI 6.3:

• KPI 6.3: Provide a graphical user interface for role-based access to certification information content [1].
The following tables present the collected requirements for developing the EMERALD UI/UX. Please note that the requirements collected so far are an initial set of requirements that will be enhanced, reworked and improved in the coming months. The final set of the UI/UX Requirements will be presented in D4.2 (M18).
Landing Page
Field: Description
Requirement id: UIUX.01
Short title: Landing Page
Description: The landing page of the UI has to provide quick access to the following views:
• Audit Instance Creation View
• MARI Tool View
• Certification Schemes Manager View
Status: Proposed
Priority: Must
Component: EmeraldUI
Source: Component
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The desired views can be reached from the landing page of the EMERALD UI.
Audit Instance Creation View
Field: Description
Requirement id: UIUX.02
Short title: Audit Instance Creation View
Description: There must be a view to create and save a new audit instance. This view allows to:
• Set a name for the audit instance
• Select one of the available cloud services or add a new one
• Select one of the available certification schemes or create a new one
• Upload policy documents
The available cloud services and certification schemes must be retrieved from the backend. Once the instance is saved, the policy documents must be uploaded to the backend.
Status: Proposed
Priority: Must
Component: EmeraldUI, Orchestrator
Source: KPI
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The view allows to create a new audit instance with the desired fields and the instance is saved in the backend.
Requirements Overview View
Field: Description
Requirement id: UIUX.03
Short title: Requirements Overview View
Description: There must be a view where all the requirements are presented. The requirements must be fetched from the backend for the currently selected audit instance. For each requirement the view will show:
• ID
• Description
• Owner
• Person or department to whom the requirement is currently assigned
• Compliance
• Status
Compliance can be one of:
• Compliant
• Non-compliant
Status can be one of:
• Open
• Need for discussion
• Waiting for input
• Waiting for confirmation by CM
• Verified
Status: Proposed
Priority: Must
Component: EmeraldUI, RCM, Clouditor-Orchestrator
Source: Component
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: All the requirements of the scheme are displayed with the required information.
Requirements Overview View: Progress Indicators
Field: Description
Requirement id: UIUX.04
Short title: Requirements Overview View: Progress Indicators
Description: On the Requirements Overview View a chart must present the status and the compliance of the requirements.
Status: Proposed
Priority: Must
Component: EmeraldUI
Source: Component
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The chart is visible and updated correctly whenever there is a change in the requirements.
Requirements Overview View: Filtering and Searching
Field: Description
Requirement id: UIUX.05
Short title: Requirements Overview View: Filtering and Searching
Description: It must be possible to filter the requirements by each of the presented columns. It must also be possible to search for specific requirements by entering either the ID or parts of their description.
Status: Proposed
Priority: Must
Component: EmeraldUI
Source: Pilots
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The filtering and searching functions work correctly and deliver the correct results.
Policy Documents Manager View
Field: Description
Requirement id: UIUX.06
Short title: Policy Documents Manager View
Description: There must be a view where users can manage (upload, remove, replace) the policy documents.
Status: Proposed
Priority: Must
Component: EmeraldUI, AMOE
Source: Pilots
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The view is present and allows to perform the desired actions.
Policy Documents Manager View: Metrics Selection
Field: Description
Requirement id: UIUX.07
Short title: Policy Documents Manager View: Metrics Selection
Description: It should be possible to select one or more metrics per policy document. When extracting evidence from this document, the AMOE component should only consider the selected metrics.
Status: Proposed
Priority: Should
Component: EmeraldUI, AMOE
Source: Component
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The metrics can be selected and AMOE analyses the documents using only the desired metrics.
Evidence Extractors View
Field: Description
Requirement id: UIUX.08
Short title: Evidence Extractors View
Description: There must be a view where users can see the status of the evidence extractors. This view must also allow to connect/add a new extractor, delete or disable existing ones. If one of the evidence extractors triggers an error, this should be presented here.
Status: Proposed
Priority: Must
Component: EmeraldUI
Source: Pilots
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The view is present and allows to interact with the evidence extractors.
Requirement Detail View
Field: Description
Requirement id: UIUX.09
Short title: Requirement Detail View
Description: There must be a view where the users can see all the details related to a single requirement. All the information available about the requirement should be listed here.
Status: Proposed
Priority: Must
Component: EmeraldUI
Source: Component
Type: GUI
Related KR: KR6_EMERALD_UI/UX
Related KPI: KPI 6.3
Validation acceptance criteria: The desired requirement is correctly displayed with all the corresponding information.
Requirement Detail View: Assignment
Field: Description
Requirement id: UIUX.10
Short title: Requirement Detail View: Assignment
Description: There must be a view where the user can assign a requirement to another user or a department.
Status: Proposed
Priority: Must
Component: EmeraldUI
Source: Pilots
Type: GUI
9 APPENDIX A: Interview Documents
The documents prepared for the interviews are presented. These documents consist of the interview guideline with the prepared questions, the participant information sheet covering all information an interview participant needs to know, a corresponding consent form that needs to be signed by the interview participants before the interview, and the data protection information. All prepared documents follow the GDPR guidelines and were checked by the Know-Center’s legal department and the respective data protection officer.
9.1 Interview Guideline
Introduction
Short introduction of the interviewer – my name is Angela Fessl. I am ….
EMERALD is an HEU Project (GA no.: 101120688) with the objective to pave the road towards Certification-as-a-Service (CaaS) for continuous certification of harmonized cybersecurity schemes like the EUCS. This interview is conducted within WP4 – User Interaction and User Experience development of the EMERALD Project. The goal of this interview is to elicit requirements from our target groups such as auditors/chief information security managers/compliance managers etc. necessary for developing the integrated EMERALD UI.
In more detail, our goal is to elicit in-depth insights about the work of [auditors/chief information security managers/compliance managers] in relation to continuous cloud auditing processes. Therefore, we are conducting a series of interviews aiming at getting …
• … a good understanding of your work in general,
• … your activities and tasks in the cloud computing systems certification process,
• … insights on how EMERALD could support your working activities,
• … insights about your expectations towards the EMERALD UI,
• … insights about existing pain points,
• (… and if you have been in the MEDINA project, what went well or not so well in MEDINA, and what could be done better or differently in EMERALD)
The interview will cover the following topics:
• General Information about you and your work as [auditors/chief information security managers/compliance managers].
• [AUDITORS] The audit process of cloud computing systems and used technologies as an auditor including all relevant steps.
• [CISO] The workflow ensuring compliance of the cloud computing systems and used technologies as a chief information security manager, including all relevant steps.
• [CM] The workflow ensuring compliance of the cloud computing systems and used technologies as a compliance manager, including all relevant steps.
• How the EMERALD technologies can support the [audit process/ CISO-CM workflow].
• And which AI literacy related competences do [auditors/chief information security managers/compliance managers] need, to successfully conduct [audit process/ CISO-CM workflow] of cloud computing services.
Before we start, is it ok to record this interview?

General
At the beginning of the interview, I would like to know more about you and your company, as well as your role as [auditor/chief information security manager/compliance manager]. Additionally, I would like to know more about your responsibilities and what tasks are related to your [audit process/CISO-CM workflow].
- Please briefly describe who you are and what education you have.
- Please briefly describe the field of activity of your company.
- Please briefly describe your role in your company.
- And please describe your role as [auditor/chief information security manager/compliance manager]
Audit/CM Workflow and Technology Support
In this section, I would like to get more in-depth information about the [audit process/CISO-CM workflow].
Please shortly describe the [audit process/CISO-CM workflow] of cloud computing systems you are typically involved in – if possible, step by step.
- Please describe for each step, which information/data you need to have.
- Please describe for each step, which of the steps you do perform yourself and which of them are performed by your colleagues and why?
- What is the outcome of the [audit process/CISO-CM workflow]?
  o An audit report (auditor), a track record of evidence, …
- [Auditor question] What are the main objectives of auditing cloud computing systems from a compliance perspective?
- [Auditor question] How do you identify and assess risks associated with cloud computing systems during the audit process?
- [Auditor question] What are the key challenges you encounter when auditing cloud computing systems for compliance?
- [CISO/CM question] What are the main objectives when preparing for an audit of cloud computing systems?
- [CISO/CM question] What are the key challenges you encounter when preparing for an audit?
- [CISO/CM question] Do you continuously monitor for compliance? If so, how?
- What happens when non-compliance is detected?
- Which tools, software, framework do you use for which step in the [audit process/CISO-CM workflow]?
- Which data/information do the tools provide for which step?
- What are current pain points and challenges regarding the audit process / CM process?
- How do you ensure the accuracy and reliability of the information collected during the audit process?
EMERALD Project Results / EMERALD Technologies
The goal of the EMERALD project is to provide evidence management for continuous certification as a service in the cloud. EMERALD leverages the findings of the well esteemed H2020 project MEDINA, starting from TRL 5 in summer 2023 and advances them in the EMERALD Core to TRL 7. EMERALD will focus on evidence management components for the continuous certification approach. EMERALD will provide a proof of concept (PoC) for mapping the findings to future AI certification schemes.
- Think about how new technologies including AI could help you in improving the [audit process/CISO-CM workflow]?
  o What would be helpful for you in general?
  o What could be useful features?
  o Which information / data should such a tool provide for your work?
  o Are there specific tasks or areas within the audit process where AI could provide the most value?
- Thinking now explicitly about EMERALD, how could EMERALD support you during the [audit process/CISO-CM workflow]?
  o What must EMERALD provide to you to make EMERALD successful for you?
The Role of AI in Audit Processes
If you think now about the [audit process/CISO-CM workflow] of the cloud computing systems, it is important to take into consideration that an AI-based tool supporting them needs to be trustworthy – thus you need to trust them. In this regard, the EU has defined 7 key requirements that AI systems should meet in order to be considered as trustworthy. We will not address all of them during this interview, but at least those that are relevant for the development of the EMERALD UI/UX.
Show prepared slideset with definitions.
Therefore, from your opinion and perspective:
- How can the transparency and interpretability of AI algorithms used in the [audit process/CISO-CM workflow] be ensured?
- What measures should be implemented to address potential biases or ethical concerns in AI-based auditing systems?
AI Literacy
In the last section, we would like to know from your perspective, which AI Literacy Skills a [auditor/chief information security manager/compliance manager] must have, to reliably be able to thoroughly conduct the [audit process/CISO-CM workflow].
Do you know the term “AI Literacy”?
“AI literacy as a set of competencies that enables individuals to critically evaluate AI technologies; communicate and collaborate effectively with AI; and use AI as a tool online, at home, and in the workplace.” [23]
- What do you associate with the term AI / artificial intelligence?
  o From which sources do you get your knowledge about AI?
- Which AI technologies do you know or use?
  o Do you have a basic understanding of the mathematical models underlying ML models?
- What level of AI literacy or familiarity with AI technologies do you believe is necessary for auditors to effectively utilize AI tools or systems in the audit process of cloud computing systems?
- How do you currently address any gaps in AI literacy among [auditor/chief information security manager/compliance manager] within your organization or team?
  o Which strategies do you employ to enhance your understanding or the understanding of your colleagues of AI technologies relevant to auditing?
Closing
This is already the end of the interview.
- Is there any additional information or insights you would like to share regarding auditing cloud computing systems or the role of AI in the audit process?
Thank you for your time and valuable input.
9.2 Participant Information Sheet
Introduction
You are invited to participate in an interview study related to the EMERALD Project. Before deciding on whether you want to participate or not, please read the information below. Please ask the researcher all the questions you may have so you are completely sure that you understand all the proceedings of the study. The contact details are provided at the end of this information sheet.
Purpose of the study
EMERALD is an HEU Project (GA no.: 101120688) with the objective to pave the road towards Certification-as-a-Service (CaaS) for continuous certification of harmonized cybersecurity schemes like the EUCS. This interview is conducted within WP4 – User Interaction and User Experience Development of the EMERALD Project. The goal of this interview is to elicit requirements of [auditors/chief information security managers/compliance managers] necessary for developing the integrated EMERALD UI.
In more detail, our goal is to elicit in-depth insights about your work as [auditors/chief information security managers/compliance managers] in relation to continuous cloud auditing processes. Therefore, we are conducting a series of interviews aiming at getting …
• … a good understanding of your work in general,
• … your activities and tasks in the cloud computing systems certification process,
• … insights on how EMERALD could support your working activities,
• … insights about the expectations towards the EMERALD UI,
• … insights about existing pain points,
• (… and if you have been in the MEDINA project, what went well or not so well in MEDINA, and what could be done better or differently in EMERALD)
Your participation in the study
You are invited to participate in this study on a voluntary basis and you are free to withdraw from the study at any time without providing any reason for doing so. If you agree to participate in this interview, you give us permission to:
• Collect information from you
• Share information (only answers you provide without any personal information) with the people of the project
• Conduct the study
• Use this information in the analysis and for publication.
Benefits of the participation
It is likely that you might not receive any direct personal benefit for your participation in this interview besides possibly learning more about the EMERALD project in general. However, by participating you will make a substantial contribution to the success of the EMERALD project, as we need your expertise for developing a good and easy-to-use EMERALD UI/UX that supports you during your work.
Disadvantages and/or risks of the participation
No risk is foreseen. You are only requested to be available to participate.
Confidentiality and publication of the study data
Any responses you provide in the interview can be recorded or written down. The data, however, will not include any personal identification; hence it will not be possible to identify you afterwards. All the data you provide will be anonymised and treated confidentially. The information you provide will be analysed and presented in project reports together with the information from other participants. The raw data will be stored in the internal servers of the Know-Center protected by passwords that are only known to researchers conducting the interview. All the raw data will be stored for 5 years after the project finalisation.
Funding of the research
The research leading to this interview has received funding from the European Union’s Horizon Europe Research and Innovation Programme, under Grant Agreement no 101120688.
Contact for further information or in case of withdrawal from the study
DI Dr. Angela Fessl, Know-Center GmbH, afessl@know-center.at
9.3 Consent Form
Background of this study
EMERALD is a Horizon Europe Project (GA no.: 101120688) with the objective to pave the road towards Certification-as-a-Service (CaaS) for continuous certification of harmonized cybersecurity schemes like the EUCS. This interview is conducted within WP4 – User Interaction and User Experience development of the EMERALD Project. The goal of this interview is to elicit requirements from our target groups such as auditors/chief information security managers/compliance managers etc. necessary for developing the integrated EMERALD UI. In more detail, our goal is to elicit in-depth insights about your work as auditors/chief information security managers/compliance managers in relation to continuous cloud auditing processes.
Statement of researcher's responsibility
As researcher, I have explained the nature of this research study and the procedures to be undertaken in this context. I have offered to answer any questions and fully answered such questions.
Declaration of participant
I confirm that: I am 18 years old or older and I am competent to provide consent. I have read and understood the information about this study, as provided in the Information Sheet. I have also had the opportunity to ask questions and all my questions have been answered to my satisfaction. I freely and voluntarily agree to participate in this research study. I understand that I may refuse to answer any question and that I may withdraw at any time without being penalised for withdrawing nor questioned on why I have withdrawn. I agree that my personal information will remain confidential and that my data will be used anonymously and securely in research and publications, in a way that my identity cannot be revealed. I understand that other researchers will have access to this data only if they agree to preserve the confidentiality of the data.
I agree to the terms and to the recording of the consent procedure/ and interview (phone interviews)
Participant:
________________________ ______________________________ ________________
Name Signature Date
Researcher:
________________________ ______________________________ ________________
Name Signature Date

9.4 Data Protection Information
Controller: Know-Center GmbH Research Center for Data Driven Business & Big Data Analytics, Sandgasse 36/4, 8010 Graz
Contact: info@know-center.at
Data protection officer: Data Protection Officer of Know-Center GmbH, Sandgasse 34/4, 8010 Graz
Contact: datenschutz@know-center.at
Purpose of processing: Maintaining business contacts to the extent that this is covered by the reasons for being contacted to which the data subject has consented.
Data: Name, e-mail address, relevant for contacting the interview partners to which they have given their consent.
Basis in law: Consent pursuant to GDPR Art 6 (1) (a)
Recipient: No transmission to third parties; no contract processing
Transmission to third countries: No
Duration of storage: Until the time when you withdraw your consent. Irrespective of withdrawal of consent, the data will be deleted if your e-mail address becomes invalid or if we receive notification that communications are undeliverable.
Data subject rights: You have the right to:
- Information and access, to find out whether we have personal data of yours stored and what data it is.
- Rectification – correction and/or completion of your personal data that are incorrect or incomplete
- Erasure – deletion of your personal data that are being processed in a manner which is not lawful or is no longer lawful
- Restriction of processing
- Data portability
- Withdraw consent that you have given, effective for the future: i.e., further processing of your data is then not allowed from that point in time onwards, unless there is an overriding legitimate reason for doing so.
- Object to any assertion by Know-Center GmbH of an overriding legitimate interest in storing/processing the data
To exercise these rights please contact datenschutz@know-center.at
You also have a right to make a complaint to the Data Protection Authority.
In this regard, we also refer to their homepage, which can be accessed under the link https://www.dsb.gv.at