Auditing according to §8a (3) BSIG
As the operator of a critical infrastructure, you have to prove to the Federal Office for Information Security (BSI) every two years that you meet the required minimum level of IT security. Depending on the critical infrastructure operated, the legislator set the first deadlines for submitting this evidence at May 3, 2017 and September 26, 2019, respectively.
The evidence is provided in the form of an audit report. The audit must be carried out by a qualified auditor who holds the certified qualification for audits in accordance with §8a (3) of the BSI Act.
Before the actual audit, the audit basis must be determined and the audit plan drawn up. If you use an industry-specific security standard (B3S) approved by the BSI, this considerably simplifies the definition of the audit basis. Otherwise, the audit basis must first be defined and agreed with the operator of the critical infrastructure.
The audit plan drawn up next defines the audit team, the audit objects, the audit objectives and the intended audit method.
The audit itself assesses the available documentation of the intended security measures and their practical implementation. Finally, the required verification documents, such as the BSI forms and the audit report, are prepared.
We would be pleased to carry out the audit in accordance with §8a BSIG with you and to support you with the expertise of our experts in the exchange of information with the BSI.
Dagmar Schoppe, SRC Security Research & Consulting GmbH