In May 2023, the BSI published binding regulations for KRITIS audits. These Basic Requirements in the Verification Procedure are based on §8a (5) BSIG and have so far been released only in German: Die Grundsätzlichen Anforderungen im Nachweisverfahren (GAiN). They define the normative framework conditions for KRITIS audits. Most of the newly defined requirements have been mandatory since 01 June 2023 and therefore already apply to the current audit cycle. However, some requirements do not become mandatory until January 01, 2024; these are marked accordingly in this article.
The GAiN set binding requirements for the performance of audits (D), the required evidence (N) and the auditing bodies (P). They introduce new requirements and also make existing BSI documents and guidance documents for audits binding. The aim is to make the expectations and framework conditions for audits more centralized and clearer.
Auditing body and auditors
Some specifications regarding auditors and auditing bodies are now made mandatory, especially with regard to formal aspects and independence.
Independence: Both the auditing body and the audit team must be independent from the operator, both legally and economically, in order to be able to proceed objectively with the audit.
An internal auditor may act as the auditing body provided that an effective auditing system is in place. Effectiveness must be demonstrated through compliance with IIA standards and, in particular, through a Quality Assessment (QA) in accordance with IDW PS 983 or DIIR Auditing Standard No. 3 (mandatory from 2024).
Audit and verification
The GAiN define binding requirements for the performance of audits. In particular, they specify for auditors which subject areas must be audited using the four-eyes principle. In addition, a review of the list of deficiencies and of old deficiencies is required.
The audit of certain areas must be performed in accordance with the four-eyes principle (mandatory from 2024).
Audit areas: The four-eyes principle must be applied in the following subject areas and areas of KRITIS audits:
- Referenced certificates such as ISO/IEC 27001 and their coverage, suitability and relevance to the KRITIS scope
- Approach to risk analysis and treatment
- Review of previous list of deficiencies
- On-site inspections (visit, walk-through, observation)
Procedures: The topics listed require independent review by two or more qualified auditors who evaluate independently and review each topic directly. If topics are split between auditors, quality control is required, and no individual reviewer may cover more than two-thirds of the total audit time.
Documentation: Topics that have been reviewed in accordance with the four-eyes principle must be identified in the audit plan, including the auditors involved and the time allocation.
List of deficiencies
The handling of old findings from previous KRITIS audits is regulated more precisely. The following applies:
All deficiencies and their correction status from previous audits must be evaluated as part of the current audit. The result must be documented as part of the audit report. Deficiencies that continue to exist must be included in the current list of deficiencies.
The requirements for documentation of the scope (GBD) and the network structure plan (NSP), as specified in the BSI's orientation guide on documentation of compliance, are now mandatory under §8a (5) BSIG.
The requirements for the documents to be submitted are now specified more formally, both for the auditors' report and for the official verification documents.
For the first time, specific requirements are also set for the content of audit reports. They cover formal aspects such as language (German, English) and versioning, content-related aspects such as the necessary metadata (scope, audit objective, audit times, auditor / auditing body), information on the audit performance (documentation of the audit steps or the audit objects, from January 01, 2024), and a comprehensible selection of samples.
Verifications and forms
Use of the existing BSI templates for providing evidence is now mandatory, and their content must be documented in German. The following documents have been updated:
- Form KI (Information on the audited critical infrastructure and the contact person) (as of May 2, 2023)
- Form P (Details of the audit) (as of May 2, 2023)
- Template for a list of deficiencies in MS Excel format (version 1.2, as of May 12, 2023)
- Template for an audit plan in MS Excel format (as of May 12, 2023)