IT Security Catalogue § 11(1a)/(b) EnWG – Protection of the public
In order to ensure the stability and security of grid operation and energy generation, binding minimum standards have been defined in the so-called ‘IT security catalogues’.
The IT Security Catalogue (ITSK) is aimed at operators and plant managers of energy supply networks and energy plants that are classified as critical infrastructure and whose plants are connected to the public supply network (electricity and/or gas).
Its focus is on the systems, applications and components that are necessary for secure network and plant operation.
Testing of attack detection systems (SzA) and issuance of verification document P*
The obligation to provide evidence applied to electricity and gas network operators and to all plant operators covered by the KRITIS-VO for the first time on 1 May 2023, and applies every two years thereafter.
GUTcert offers its customers a checklist of all requirements in accordance with the BSI guidance. Our auditors go through all requirements with the customers and assess the degree of implementation. The supporting documents are then issued and can be submitted to the BSI.
Facts and information
In addition to the ITSK, the ISO 27001 and ISO 27019 standards serve as the central basis for certification. ISO 27019 was developed specifically for operators of critical infrastructure and builds on the proven security guidelines of ISO 27002. It supplements these with sector-specific requirements and mandatory extensions that are specifically aimed at reducing risk in energy supply.
Within the framework of company-wide risk management, the measures described in the standards do not have to be implemented in full. However, they must be individually assessed for their relevance and, if necessary, integrated into the ISMS.
The ITSK applies to all electricity and gas network operators and plant operators who exceed KRITIS-relevant thresholds and are connected to the supply network. Certification is also mandatory if operations are outsourced to third parties.
Threshold values according to BSI-KritisV (Appendix 1, Part 3):
104 MW electrical connection capacity (power generation),
5,190 GWh/year of energy consumed (gas distribution), and
3,700 GWh/year of energy consumed (electricity distribution).
Mandatory transition to ISO/IEC 27001:2022; since 1 November 2024, all audits have been conducted in accordance with the new standard.
Transition to ISO/IEC 27019:2024 is mandatory by 31 October 2027 at the latest.
Implementation is required via recertification, surveillance or special audit and covers:
gap analysis of the organisation with the resulting action plan for the transition (necessity of changes to the existing ISMS),
updating of the Statement of Applicability (SoA) and the risk treatment plan, and
implementation and effectiveness of the new or changed measures.
GUTcert was a competent, fair and reliable partner at all times during the certification of our ISMS according to ISO 27001 and accompanied us with valuable tips and recommendations on the way from the pre-audit through Stage 1 to the successful certification audit.
Mario Konietzny, Stadtwerke Lutherstadt Eisleben GmbH
The audit process with GUTcert was very smooth, and the professionalism of the auditor was outstanding. Our auditor was very helpful with his insights and comments on our ISMS, and I would like to forward to you our management’s appreciation for his excellent work.
Peter Mansour, IDEALworks GmbH
GUTcert guided us through the certification process in a swift and focussed manner. They always responded quickly and professionally to enquiries. As a result, our initial certification also ran smoothly.
Jan Hotzel, Vision2B GmbH