German IT Security Act

As part of the “Digital Agenda of the Federal Government”, the IT Security Act (IT-SiG) took effect in 2015. It stipulates a minimum level of IT security for organizations whose failure or impairment would entail significant supply bottlenecks or threats to public security. The law refers to such organizations as CRITIS (Critical Infrastructures). Currently, CRITIS includes organizations in the following sectors: energy (see the IT security catalogue under § 11 paragraph 1a EnWG), information technology and telecommunications, transportation and transport, health, water, food, as well as finance and insurance.

As a consequence of this development, suppliers and partners of CRITIS operators are also increasingly required to demonstrate information security in the form of an implemented and certified ISMS.

To meet the requirements of the IT Security Act and the demand for established security processes, it is advisable for all companies to implement an overarching ISMS according to ISO 27001 or based on IT-Grundschutz; for companies bound by the EnWG, establishing an ISMS with certification according to ISO 27001 is even mandatory. This mainly affects energy suppliers in the electricity and gas sectors.
We support the development of an ISMS with the know-how gained from many years of consulting experience and the professional competence of our ISO/IEC 27001 EnWG auditors and ISO/IEC 27001 lead auditors.

Our consultants are also familiar with the particularities of the IT security catalogue that deviate from classic ISO 27001, and know how to meet its specific requirements in practice or in an ISMS implementation project, e.g. regarding scoping, the creation of a network map that conforms to the IT security catalogue, or the requirements for risk management. For example, scoping an ISMS according to the IT security catalogue differs from scoping an ISMS according to ISO 27001 in the specifications that must be respected. ISO 27001 leaves the company considerable freedom in defining the scope; for example, individual processes can be defined as the area of validity. The IT security catalogue, by contrast, stipulates that all communication and IT systems are included in the scope of the ISMS. Therefore, in an implementation project, these must be recorded and classified separately so that a scope conforming to the requirements can be formed.

You can find more information about the implementation of an ISMS here.