New BSI guidance on evidence according to § 8a paragraph 3 BSIG
The IT Security Act (IT-Sig), in conjunction with the KRITIS regulation, has been in force for over five years. Its main objective is the regulation of KRITIS operators (operators of critical infrastructure) under the BSI Act. The Federal Office for Information Security (BSI) accompanies the law and the regulation with its so-called orientation guide on evidence.
IT-Sig 2.0 — Is it coming or not?
Unfortunately, the topic of an "IT Security Act 2.0" has gone very quiet lately, so no amendment of the KRITIS regulation is to be expected in the short term. The current state of IT-Sig 2.0 can, however, be read from the available ministerial draft (Referentenentwurf). For example, the inclusion of waste management among the existing sectors is being considered, as is an expansion of the target group beyond KRITIS operators to companies in the special public interest (e.g. because of their economic importance). For these companies, the preparation of security concepts, the obligation to report incidents, the registration and operation of a reporting office and the trustworthiness of employees in the affected area would become relevant. Particularly striking is the planned tightening of the framework for fines, from the previous maximum of EUR 100,000 to a maximum of EUR 20,000,000 (or 4% of the company's total worldwide annual turnover in the previous business year).
New guidance on evidence
While IT-Sig 2.0 is still a long way off, in the second half of August the BSI published its new "Guidance on evidence pursuant to Section 8a (3) BSIG". The version number 1.1 already suggests it: many of the changes are concretisations and clarifications of the facts and requirements. There are, in addition, further significant changes. For example, the new form P combines the information previously spread across forms PD (test performance), PE (test results) and PS (testing body). Besides the written submission, a digital, machine-readable copy is now also required. The list of security deficiencies and the implementation plan are now combined in one document, and existing test results (at most 12 months old) must be explicitly checked to confirm that they are still current and still valid. A clear innovation is the well-founded assessment of the maturity levels of the management systems for information security (ISMS) and business continuity (BCMS). The strong focus on traceability is also very noticeable. It becomes visible at several points:
- a detailed description of the scope (with its interfaces, dependencies and the parts of the critical service operated by third parties),
- a detailed description of the installation (including the associated parts of the critical service and all essential features),
- the provision of a comprehensible network structure plan, and
- a list of deficiencies that must be comprehensible on its own, without the need for further documents.
Even without IT-Sig 2.0, the new BSI orientation guide requires attention. SRC experts will be pleased to discuss the changes and their effects with you and to support you in implementing the extended requirements.