KRITIS-Audit

Security proof for operators of critical infrastructures

Critical Infrastructures (KRITIS)

Critical infrastructures are organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences.

Definition by BSI

With increasing digitization, modern infrastructures are becoming more efficient and intelligent – but also more susceptible to disruptions and breakdowns, for example through attacks by cybercriminals. In order to provide the best possible protection for these infrastructures, which are essential to the general public, the German Federal Office for Information Security (BSI) has issued legal regulations.

The BSI Act requires operators of critical infrastructures (KRITIS) to take appropriate organizational and technical precautions to protect against disruptions to the availability, integrity, authenticity and confidentiality of their information technology systems, components or processes. The state of the art shall be observed.

Are you an operator of critical infrastructures?

For each KRITIS-relevant sector, the BSI has defined different thresholds. If a company reaches the threshold value, it is considered an operator of critical infrastructures.

Even if your company is not classified as a KRITIS company, IT security certifications may still be necessary for you. This applies in particular if you are a partner or supplier of a KRITIS company.

The regulation applies to the following sectors:

  • Energy (electricity and gas supply)
  • Water
  • Food
  • Information technology and telecommunications
  • Health
  • Transport and traffic
  • Finance and insurance

How do you obtain the proof of compliance?

As an operator of critical systems, you must present a special audit report to the BSI to confirm that your IT security is state of the art. For this purpose, an independent, accredited testing agency will test your IT security in the course of a KRITIS audit in accordance with § 8a paragraph 3 BSIG. Which security requirements you have to meet in detail depends on your industry. These requirements are fleshed out in industry-specific security standards recognized by the BSI (B3S).

In order to prepare yourself optimally for the audit, you should

  • Create a network structure plan
  • Conduct risk assessments
  • Perform an internal pre-audit

How can we help?

As an IT security consulting firm and accredited Qualified Security Assessor with many years of experience in a wide variety of IT security consulting projects and audits, we are the optimal partner for your KRITIS audit. While our team conducts the audit at your premises, we work closely with an accredited testing agency which confirms the test report for the BSI.

On the BSI website you can read about the strict conditions we have to meet in order to be allowed to conduct tests according to § 8a paragraph 3 BSIG. These include, for example:

  • Uniformity in security assessments
  • Independence and neutrality
  • Competent employees and extensive human resources
  • Secure infrastructure, systems and applications
  • Sound knowledge in the areas of information security and information security management systems (ISMS)
  • Familiarity with common norms and standards of IT and information security

Synergy effects with other certifications

Existing IT security certifications can be accredited for the KRITIS proof. Use synergies and combine, for example, your KRITIS audit with your PCI DSS assessment. This saves you time and effort.

Our approach

  • Phase 1: Audit preparation, including determination of audit basis and audit scope
  • Phase 2: Creation of the audit plan
  • Phase 3: Documentation review
  • Phase 4: On-site audit
  • Phase 5: On-site audit follow-up
  • Phase 6: Creation of the audit report


Your KRITIS audit

Is your company subject to the KRITIS regulation? Do you need support with the KRITIS proof or do you have any questions?

Get a non-binding consultation from our experts.


Keep track of your proof of compliance

The KRITIS proof of compliance must be provided every 2 years.

Contact

 

Please contact us with any questions or queries.

Phone: +49 6102 8631-190
Email: sales@usd.de
PGP Key
S/MIME
Contact Form


Anna-Magdalena Kohl
usd Team Lead Sales,
PCI Professional