As operators of a critical infra­structure, you have to prove to the Federal Office for Infor­mation Security (BSI) every two years that you meet the minimum level of IT security. Depending on the critical infra­structure they operate, the legis­lator has set the first deadlines for the provision of evidence on May 3, 2017 and September 26, 2019, respectively.

This proof is provided in the form of an audit report. The audit must be carried out by a qualified auditor who has the certified quali­fi­cation to carry out audits in accor­dance with §8a (3) of the BSI Act.

Before the actual audit, the audit basis must be deter­mined and the audit plan drawn up. If you use an industry-specific safety standard (B3S) with the approval of the BSI, this consid­erably simplifies the defin­ition of the audit basis. Otherwise, the audit basis must first be defined and agreed with the operator of the critical infrastructure.

The audit plan to be drawn up subse­quently defines the audit team, the audit objects, the audit objec­tives and the intended audit method.

The audit itself assesses the available documen­tation on the intended security standards and their practical imple­men­tation. Finally, the required verifi­cation documents, such as the BSI forms and the audit report, are prepared.

We would be pleased to carry out the audit in accor­dance with § 8 (a) BSIG with you and support you with the expertise of our experts in the exchange of infor­mation with the BSI.