1. Assess risks
Inventory of IT assets and information
Protection requirements and risk analysis
IT risk management
Cyber scoring
Penetration test
Awareness training
Vulnerability management
Attack Path Analysis
Digital Forensic
Contingency planning and testing
Anomalies and events
Continuous Security Monitoring
Detection Processes
Maturity audit
IT audit
Improve the internal control system
ISMS IMPLEMENTATION AND AUDIT
OUR PROCEDURE
IMPLEMENTING ISMS ACCORDING TO KRITIS
The legal basis for KRITIS in Germany is the IT Security Act (IT-SiG) and the Regulation on the Determination of Critical Infrastructures according to the BSI Act (BSI-KritisV). According to the IT Security Act, operators of critical infrastructures are obliged to take appropriate precautions to ensure IT security. The BSI-KritisV specifies these requirements and defines the sectors in which operators are considered critical infrastructure.
Companies that are active in one of the sectors listed above and reach a certain critical infrastructure threshold are classified as critical infrastructure operators. They must meet the KRITIS requirements to ensure the security of their infrastructure and minimize the potential impact of cyberattacks or disruptions. It is important to note that the exact thresholds and requirements may vary depending on the sector and size of the company.
If you have already implemented an information security management system (ISMS):
- We review the current status of your ISMS and ensure that it meets the latest requirements and takes into account relevant best practices.
- We identify the specific KRITIS requirements by analyzing the BSI-KritisV and comparing them with the existing ISMS elements.
- We extend the ISMS by adding KRITIS-specific requirements. We create additional policies, procedures, and controls to ensure the protection of your critical infrastructure.
- We review the risk analysis and assessment to ensure that it covers the specific risks and threats to critical infrastructure. Here, we consider the potential impact on society and establish processes for identifying and reporting security incidents.
- We implement protective measures for your critical infrastructure by developing specific measures to ensure its security and resilience. This includes implementing additional technical security measures, strengthening physical security, and implementing access controls.
- We provide training and raise awareness for your team by ensuring that your employees are informed about the specific KRITIS requirements and have received the necessary training. We raise their awareness of the specific risks and threats that critical infrastructure may be exposed to.
- We regularly review the implementation of KRITIS measures by conducting internal audits and identifying and eliminating vulnerabilities or gaps to continuously improve the security of your critical infrastructure.
- We establish a clear process for reporting security incidents according to KRITIS requirements. We ensure that your company can respond appropriately to incidents or attacks and that close cooperation with the relevant authorities is guaranteed.