KRITIS assessment pursuant to § 8a (3) BSIG

Protection of organisations and institutions of high importance to the state community
Security and Stability of Critical Infrastructure

Critical infrastructures (KRITIS) are organisations and facilities that are particularly important for the functioning of the state community. If they fail or are disrupted, long-term supply bottlenecks, significant impairments to public safety or other serious consequences could occur.

A KRITIS assessment in accordance with § 8a (3) BSIG therefore not only offers critical infrastructure operators the advantage of identifying vulnerabilities at an early stage in order to improve their security measures, but also contributes to the security of supply for the community.

The following sectors are classified as critical infrastructure.

KRITIS sectors

Municipal waste disposal
Water
Health
Energy
Transport and traffic
Finance and insurance
IT and telecommunications
Food
Media and culture
Government and administration

The public sector, administration, media and culture are not regulated by the BSI; certain thresholds apply to all other sectors.

Benefits of a KRITIS assessment

Security

You can identify vulnerabilities and quickly fix them, which increases the security of your facility.

Resilience

You are able to minimise damage, respond flexibly to changes and maintain your functionality.

Trust

High standards of security, reliability and protection signal to customers, partners and authorities that your institution acts responsibly.

Compliance

You will meet the legal requirements and receive proof of implementation of the current state of the art in terms of information security in your institution.

Facilities, installations or parts thereof are subject to KRITIS if they reach or exceed the threshold values that define a certain level of supply. The threshold values and their respective calculation formulas can be found in the annexes to the Ordinance on the Determination of Critical Infrastructures under the BSI Act (BSI-Kritisverordnung - BSI-KritisV).

Before the audit, the due date for submitting the supporting documents to the BSI must be determined. The BSI issues this due date when the facility subject to KRITIS is registered.

In addition, the scope and the applicable audit basis must be defined. The effort involved in the KRITIS audit is based, among other things, on the size and complexity of the scope and on the level of information security at the facility.

The audit basis specifies the content requirements that operators must meet and how these requirements are methodically reviewed as part of the audit. It must be selected in such a way that it covers the state of the art of the systems and industry-specific aspects.

Possible bases include the guidance on evidence in accordance with § 8a (3) BSIG or the catalogue for specifying the KRITIS requirements from the BSI. In order to cover industry-specific topics, the relevant industry-specific security standard (B3S) can be used, for example.

The audit is carried out by a team, as the key aspects must be checked in accordance with the dual control principle. In order to cover the industry expertise within the team, it may also be necessary to call in an industry expert.

First, a document review is carried out, during which the audit team prepares for the on-site audit with the help of the documents provided in advance and draws up a suitable schedule.

The on-site audit is then carried out in accordance with the audit basis selected by the operator. The audit determines the maturity and implementation levels for seven subject areas, which clearly show the progress made over the years.

The audit report is then prepared, along with the list of deficiencies and the supporting documents that must be submitted to the BSI.

GUTcert was a competent, fair and reliable partner at all times during the certification of our ISMS according to ISO 27001 and accompanied us with valuable tips and recommendations on the way from the pre-audit through Stage 1 to the successful certification audit.

Mario Konietzny, Stadtwerke Lutherstadt Eisleben GmbH

[Translated with DeepL]

The audit process with GUTcert was very smooth, and the professionalism of the auditor was outstanding. Our auditor was very helpful with his insights and comments on our ISMS and I would like to forward to you our management's appreciation for his excellent work.

Peter Mansour, IDEALworks GmbH

[Translated with DeepL]

GUTcert guided us through the certification process in a swift and focussed manner. They always responded quickly and professionally to enquiries. As a result, our initial certification also ran smoothly.

Jan Hotzel, Vision2B GmbH

[Translated with DeepL]
