The IT Security Act (ITSiG) and the BSI Act require operators of critical infrastructures, among other things, to comply with minimum technical and organisational security standards. The underlying idea of these provisions is that the security measures should reflect the state of the art in the operator's sector, so that IT malfunctions and failures are avoided.
For operators of critical infrastructures, this vague wording raises a number of questions:
- What are the minimum technical or organisational standards?
- Where do we, as operators of critical infrastructure, exceed this minimum standard, and where do we fall short of it?
- Is there a specific state of the art in my sector? If not, what can I use as a reference, or how can I define such a sector-specific standard?
- Which audits and certifications that we have already completed simplify the verification process towards the BSI?
This room for interpretation was deliberately left by the legislator. The first step is to gain an overview, from the audit reports to be submitted, of the precautions operators have taken and of the security levels customary in each sector. In addition, the sectors are to be given the opportunity to agree on sector-specific security standards (B3S).
If no specific security standards are developed for a sector, the BSI may specify these security standards itself; the KritisVO grants it this power.
This is an opportunity that critical infrastructure operators should seize. It is to be expected that the Federal Office for Information Security (BSI) will propose a more detailed formulation of the KritisVO on the basis of the findings gained in the first audit round.
We would be pleased to put our experts' expertise at your disposal when reviewing your technical and organisational security standards. We would also be pleased to support you in formulating your sector-specific standards.