
KRITIS Audits: BSI Specifies Maturity Levels for Verification Assessment

30 January 2025

In January, the German Federal Office for Information Security (BSI) published the document „Reife- und Umsetzungsgradbewertung im Rahmen der Nachweisprüfung (RUN)“ (Maturity and implementation level assessment as part of the verification audit). This document defines how maturity and implementation levels are assessed in the context of the Section 39 (formerly Section 8a) BSIG assessment. The new criteria are intended to ensure greater transparency and standardize the provision of evidence to the BSI for operators and auditing bodies. The new requirements apply to assessments that are completed after April 1, 2025.

The current KRITIS verifications already include an assessment of the maturity levels of the information security management systems (ISMS) and business continuity management systems (BCMS) as well as the degree of implementation of the systems used to detect attacks, which is carried out by the auditing body in each case.

In connection with the newly presented method for determining the degree of maturity and implementation, the following subject areas will be added; for each of them, the degree of implementation will in future also be determined as part of the regular verifications to be provided:

• Organizational measures (OrgM)
• Personal measures (PerM)
• Physical measures (PhyM)
• Technical measures (TecM)

Specific measures have been assigned to the new subject areas, leaving room for individual or sector-specific adjustments.

I welcome the development of the BSI now introducing maturity assessments for all subject areas. Audits are often not black or white - especially in complex organizations and environments. However, I have a feeling that this change will de facto push operators to use the KdA (“Specification of the requirements for the measures to be implemented in accordance with Section 39 (formerly Section 8a) (1) and (1a) BSIG”), and individual audit bases will increasingly take a back seat as further mappings to the RUN become necessary to report the maturity level accordingly. Whether this will have unintended consequences at the end of the day remains to be seen.


Jan Kemper, Head of Security Audits

With the introduction of the RUN, the BSI is pursuing the goal of providing operators and auditing bodies with a standardized basis for assessment and highlighting the need for action.

I like the fact that the BSI wants to further standardize the KRITIS audit and is taking a step in this direction with the RUN. The maturity levels themselves are very deterministic and are based on the measures defined by the BSI. The specific mapping makes them a de facto standard. Other standards may still be used, but these in turn must have a mapping to the BSI requirements so that the maturity levels can be calculated. From our point of view as auditors, this de facto standard is a positive thing, as there is now a mandatory and therefore uniform audit basis that can be expanded to include industry-specific controls.


Vinzent Ratermann, expert for the IT security of critical infrastructures


If you need support or advice on your KRITIS audit, contact us. We will be happy to help you.
