Implementation of an ISMS for KRITIS organizations

Before we start with the implementation of concrete measures, we create the framework conditions together with you and establish the basis for a functioning and effective ISMS according to the state of the art. 

• We define and describe the test object based on the requirements for the critical service(s).
• We select an appropriate audit basis (B3S, B3S guidance, relevant standards such as ISO 27001, own audit standard, etc.).
• We define and establish the security policy and objectives.
• We clarify the required security organisation including roles, committees and their responsibilities.
• We create the project organisation for the development of your ISMS. 

We can only achieve the defined information security goals or the desired ISMS / BCMS maturity level by defining clear and precise rules. We define these "rules" in various guidelines, both for the entire workforce in the scope of the ISMS and for specific areas or target groups (e.g. IT admins, software development, purchasing, human resources or facility management).

We do not reinvent the wheel but use our numerous templates, which have been successfully tested in practice for several years and are regularly updated so that they always correspond to the state of the art.

We coordinate the created guidelines with the necessary people in the departments and integrate them into the relevant business areas.

Information security risk management is at the heart of an effective ISMS because it helps you to distinguish the important from the unimportant and to proceed pragmatically. For Critical Infrastructures, there are additional requirements in the area of risk management, which are

• the 'all-hazards approach', which means that all relevant threats and vulnerabilities related to the provision of the critical service must be considered, and 

• the limited acceptance of risks, meaning that risks must not be considered in only business terms or accepted or transferred without restriction, especially if the risk could lead to supply shortages in the provision of the critical service. 

Together with you, we create the necessary operational and organisational structure to record, assess, treat (i.e. derive appropriate measures) and document all relevant information security risks in a structured and systematic manner.

If you already have a risk management system or your own risk management concept in your company, we build on this and, if necessary, enrich it with missing relevant aspects (e.g. insufficient consideration of the protection goals).

Now you "only" have to implement the defined measures. In this phase, we provide very targeted coaching and also support you if necessary in the event of any resource shortages. It is important to us to prepare you or a member of your team as good as possible for the tasks of an information security officer.

When implementing measures, we pay a lot of attention to practicable solutions, meaning measures that

• ensure the security of supply and maintenance of the critical service(s),
  help to achieve the desired level of security,
• help to achieve the desired level of security,
• are economical and feasible, and
• still meet the respective legal requirements (IT Security Act, BSI Act, etc.) or standard requirements.

In order to meet all formal requirements for KRITIS operators and to achieve the necessary certification maturity, you must regularly conduct internal ISMS audits. We are happy to support you in planning and conducting your internal KRITIS audits.

And to avoid auditing our own consultancy work here - which could lead to a significant conflict of interest - the internal KRITIS audit can be carried out by an experienced KRITIS audit person from our partner network who was not involved in setting up your ISMS and is therefore completely neutral. 

In our experience, the 'pre-audits' deliver a high level of benefit:

• You get a realistic status on your state and progress.
• They fulfil the ISO 27001 requirement to conduct internal audits.
• They prepare audit participants for the real audit sessions. If necessary, we coach the participants to sovereignly avoid 'typical pitfalls' in the real audit.

Der letzte formelle Schritt ist die KRITIS-Prüfung, also die Nachweiserbringung des Stands-der-Technik. Diese muss von einer vom BSI akkreditierten Prüfstelle für Prüfungen gem. §8a BSIG durchgeführt werden.

Grundsätzlich sind wir eine solche geeignete Prüfstelle und führen KRITIS-Prüfungen gem. §8a BSIG durch. Wenn wir Sie beim Aufbau Ihres ISMS begleitet haben, können wir Sie aber nicht auch noch prüfen, wir würden dabei unsere eigene Arbeit zertifizieren.