Best practice approach

Establishing an ISMS for KRITIS companies

  Benefit from 20+ years of security experience

  Efficiently obtain your proof of compliance under the BSI-KRITISV

  Helping you to help yourself


500+ customers place their trust in us – from startups to large companies


Your goal

You operate critical infrastructure as defined by the BSI KRITIS Ordinance (BSI-KRITISV) and must, every two years, provide proof that your information security measures meet the 'state of the art'.

Our service

We provide you with the necessary knowledge and accompany you from the start of the project through to the KRITIS audit, with the right setup, proven templates, suitable tools and a great deal of experience.

The result

You have successfully passed the KRITIS audit and, as Chief Information Security Officer (CISO), know everything you need in order to operate the ISMS on a permanent basis and to develop it further continuously.

The steps to your KRITIS-compliant ISMS

1. Gap analysis

Check status quo and define needs

KRITIS gap analysis

The first step is a KRITIS gap analysis. Through a combination of document review and interviews with the departments concerned or the persons responsible for operating the critical facilities, our KRITIS experts assess the status of your current implementation against the applicable requirements (e.g. the sector-specific security standard (B3S) and the BSI's concretisation of the requirements for the measures to be implemented). In parallel to the review of the ISMS framework, a spot check of the state of the art at selected facilities is also carried out.

This KRITIS gap analysis gives you and us a clear picture of your ISMS or BCMS maturity level and makes it possible to realistically estimate the implementation effort, clearly structure the project and define the individual work packages.

If you have already carried out a gap analysis, we build on it rather than repeating it.

2. Framework

Create the right basis

Establish a framework

Before we start implementing concrete measures, we set the framework together with you and establish the basis for a functioning and effective ISMS in line with the state of the art.

  • We define and describe the object under audit, based on the requirements for the critical service(s).
  • We select an appropriate audit basis (B3S, B3S guidance, relevant standards such as ISO 27001, your own audit standard, etc.).
  • We define and establish the security policy and security objectives.
  • We clarify the required security organisation, including roles, committees and their responsibilities.
  • We set up the project organisation for building your ISMS.

3. Policies

No ISMS without clear rules

Create policies

We can only achieve the defined information security objectives, or the desired ISMS / BCMS maturity level, by defining clear and precise rules. We set these "rules" down in various policies, both for the entire workforce within the scope of the ISMS and for specific areas or target groups (e.g. IT administrators, software development, purchasing, human resources or facility management).

We do not reinvent the wheel: we use our numerous templates, which have been proven in practice over several years and are updated regularly so that they always reflect the state of the art.

We coordinate the resulting policies with the relevant people in the departments and integrate them into the affected business areas.

4. InfoSec risk

Identify risks and derive measures

Information security risk management

Information security risk management is at the heart of an effective ISMS because it helps you to distinguish the important from the unimportant and to proceed pragmatically. For critical infrastructure operators there are additional requirements in the area of risk management, namely

  • the 'all-hazards approach', meaning that all relevant threats and vulnerabilities related to the provision of the critical service must be considered, and
  • the limited acceptance of risks, meaning that risks must not be assessed purely in business terms, nor accepted or transferred without restriction, especially where the risk could lead to supply shortages in the provision of the critical service.

Together with you, we create the necessary operational and organisational structure to record, assess, treat (i.e. derive appropriate measures) and document all relevant information security risks in a structured and systematic manner.

If your company already has a risk management system or its own risk management concept, we build on it and, where necessary, enrich it with missing relevant aspects (e.g. where the protection goals of confidentiality, integrity and availability are not adequately considered).

5. Implementation

Eliminate deficits and implement requirements

Implement defined measures

Now you "only" have to implement the defined measures. In this phase we provide highly targeted coaching and, if necessary, support you in the event of resource shortages. It is important to us to prepare you, or a member of your team, as well as possible for the tasks of an information security officer.

When implementing measures, we pay close attention to practicable solutions, meaning measures that

  • ensure security of supply and the continued operation of the critical service(s),
  • help to achieve the desired level of security,
  • are economical and feasible, and
  • still meet the respective legal requirements (IT Security Act, BSI Act, etc.) or standard requirements.

6. Pre-audit

Let's see how far we've come

Pre-audit & preparatory session

In order to meet all formal requirements for KRITIS operators and to reach the necessary audit readiness, you must conduct internal ISMS audits regularly. We are happy to support you in planning and conducting your internal KRITIS audits.

To avoid auditing our own consultancy work, which would create a significant conflict of interest, the internal KRITIS audit can be carried out by an experienced KRITIS auditor from our partner network who was not involved in setting up your ISMS and is therefore completely neutral.

In our experience, these 'pre-audits' provide considerable value:

  • You get a realistic picture of your status and progress.
  • They fulfil the ISO 27001 requirement to conduct internal audits.
  • They prepare audit participants for the real audit sessions. If necessary, we coach the participants so that they confidently avoid the 'typical pitfalls' in the real audit.

7. KRITIS audit

The fruit of labor

KRITIS audit

The last formal step is the KRITIS audit, i.e. the verification of the state of the art. This must be carried out by an auditing body qualified to perform audits in accordance with §8a BSIG.

We are ourselves such an auditing body and carry out KRITIS audits in accordance with §8a BSIG. However, if we have helped you set up your ISMS, we cannot also audit it, as we would be assessing our own work.


Want our help to help yourself?

Let us get to know you in a web meeting and talk about your situation and goals. We will show you how we have helped in similar customer situations.

Critical Infrastructure

Which companies are actually relevant to KRITIS?

Critical infrastructures as defined by the BSI Act (BSIG) are installations or facilities

  • that belong to the KRITIS sectors and
  • that are of high importance for the functioning of the community, because their failure or impairment would result in significant supply shortages or threats to public safety.

For this reason, the BSIG (in particular §8a BSIG) defines various requirements for KRITIS operators and obliges the organisations concerned to prove that they have implemented appropriate security measures according to the current state of the art. Sector-specific security standards (B3S), relevant standards or your own audit catalogues can be used as the basis for this proof.

Other services for KRITIS companies

ISMS Policy Templates Preview

Individual ISMS & BCMS policies, ISO 27001 and NIS2 compliant: up to date, tested and tailored to your company. Discover the latest templates now.