Implementation of an ISMS for KRITIS organizations

Implementation of an ISMS for operators of critical infrastructures according to KRITIS to establish the "state of the art".

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

The steps to your KRITIS-compliant ISMS

KRITIS gap analysis

The first step is a KRITIS gap analysis. Our KRITIS experts assess and evaluate - through a combination of document review and interview sessions with the respective departments or the persons responsible for the operation of the critical facilities - the status of your current implementation, based on the applicable requirements (e.g. B3S, concretisation of the requirements for the measures to be implemented, ...). In parallel to the audit of the ISMS framework, a random check of the state of the art for selected facilities is also carried out.

This KRITIS gap analysis gives you and us a clear picture of your ISMS or BCMS maturity level and makes it possible to realistically estimate the implementation effort, clearly structure the project and define the individual work packages.

If you have already carried out a gap analysis, we work with this one and do not carry it out again.

KRITIS gap analysis

'Where do you currently stand?'
< >

Establish framework

Before we start with the implementation of concrete measures, we create the framework conditions together with you and establish the basis for a functioning and effective ISMS according to the state of the art. 

  • We define and describe the test object based on the requirements for the critical service(s).
  • We select an appropriate audit basis (B3S, B3S guidance, relevant standards such as ISO 27001, own audit standard, etc.).
  • We define and establish the security policy and objectives.
  • We clarify the required security organisation including roles, committees and their responsibilities.
  • We create the project organisation for the development of your ISMS. 

Establish framework

'Lay the right foundation'
< >

Create policies

We can only achieve the defined information security goals or the desired ISMS / BCMS maturity level by defining clear and precise rules. We define these "rules" in various guidelines, both for the entire workforce in the scope of the ISMS and for specific areas or target groups (e.g. IT admins, software development, purchasing, human resources or facility management).

We do not reinvent the wheel but use our numerous templates, which have been successfully tested in practice for several years and are regularly updated so that they always correspond to the state of the art.

We coordinate the created guidelines with the necessary people in the departments and integrate them into the relevant business areas.

Create policies

'Without clear rules, there is no KRITIS ISMS'
< >

Information security risk management

Information security risk management is at the heart of an effective ISMS because it helps you to distinguish the important from the unimportant and to proceed pragmatically. For Critical Infrastructures, there are additional requirements in the area of risk management, which are

  • the 'all-hazards approach', which means that all relevant threats and vulnerabilities related to the provision of the critical service must be considered, and 
  • the limited acceptance of risks, meaning that risks must not be considered in only business terms or accepted or transferred without restriction, especially if the risk could lead to supply shortages in the provision of the critical service. 

Together with you, we create the necessary operational and organisational structure to record, assess, treat (i.e. derive appropriate measures) and document all relevant information security risks in a structured and systematic manner.

If you already have a risk management system or your own risk management concept in your company, we build on this and, if necessary, enrich it with missing relevant aspects (e.g. insufficient consideration of the protection goals).

Information security risk management

'Identify risks and derive measures'
< >

Implement measures

Now you "only" have to implement the defined measures. In this phase, we provide very targeted coaching and also support you if necessary in the event of any resource shortages. It is important to us to prepare you or a member of your team as good as possible for the tasks of an information security officer.

When implementing measures, we pay a lot of attention to practicable solutions, meaning measures that

  • ensure the security of supply and maintenance of the critical service(s),
    help to achieve the desired level of security,
  • help to achieve the desired level of security,
  • are economical and feasible, and
  • still meet the respective legal requirements (IT Security Act, BSI Act, etc.) or standard requirements.

Implement measures

'Eliminate deficits and implement requirements'
< >

Pre-audit & preparatory session

In order to meet all formal requirements for KRITIS operators and to achieve the necessary certification maturity, you must regularly conduct internal ISMS audits. We are happy to support you in planning and conducting your internal KRITIS audits.

And to avoid auditing our own consultancy work here - which could lead to a significant conflict of interest - the internal KRITIS audit can be carried out by an experienced KRITIS audit person from our partner network who was not involved in setting up your ISMS and is therefore completely neutral. 

In our experience, the 'pre-audits' deliver a high level of benefit:

  • You get a realistic status on your state and progress.
  • They fulfil the ISO 27001 requirement to conduct internal audits.
  • They prepare audit participants for the real audit sessions. If necessary, we coach the participants to sovereignly avoid 'typical pitfalls' in the real audit.

Pre-audit & preparatory session

'Let's see how the KRITIS audit would go'
< >

KRITIS audit

Der letzte formelle Schritt ist die KRITIS-Prüfung, also die Nachweiserbringung des Stands-der-Technik. Diese muss von einer vom BSI akkreditierten Prüfstelle für Prüfungen gem. §8a BSIG durchgeführt werden.

Grundsätzlich sind wir eine solche geeignete Prüfstelle und führen KRITIS-Prüfungen gem. §8a BSIG durch. Wenn wir Sie beim Aufbau Ihres ISMS begleitet haben, können wir Sie aber nicht auch noch prüfen, wir würden dabei unsere eigene Arbeit zertifizieren.

KRITIS audit

"Den Nachweis erbringen"
< >

Do you want help to help yourself?

Let us get to know you in a web meeting and talk about your situation and goals. We will show you how we have helped in similar customer situations.
Yes, let's talk!

Which companies are actually relevant to KRITIS?

Critical infrastructures as defined by the BSI Act (BSIG) are installations or facilities

  • of the KRITIS sectors and
  • which are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.

For this reason, the BSIG (esp. §8 BSIG) defines various requirements for CRITIS operators and obliges relevant organisations to prove the implementation of appropriate security measures according to the current state of the art. Sector-specific security standards (B3S), relevant standards or own test catalogues can be used as a basis for this.