The legislator obliges the operators of critical infrastructures to adequately secure their IT according to the state of the art and to meet the IT security standards. The IT Security Act passed in 2015 requires operators of critical infrastructures to review security every two years. The Federal Office for Security and Information Technology (BSI) must also be notified by KRITIS operators of all significant incidents in the area of IT security. The basic services that are important for our society are called critical infrastructures (KRITIS).

Basic infrastructures are healthcare facilities such as hospitals, pharmacies or manufacturers of vital medical products. They also include water and energy supply as well as emergency and rescue services, information technology and telecommunications. These are all areas on which people in our society depend for their basic needs. Reliable, secure infrastructures are an important basis for our society with its ever-increasing trend towards technology and digitisation.

The disruption or destruction of critical infrastructures can have serious implications for the health, safety, economic or social well-being of the population or the effective functioning of governments. Industrial production is not possible without electricity. Drinking water is vital for our survival and would be inconceivable without a continuous supply. The banking business would come to a standstill without functioning information and communication technology. Public life would collapse within a very short time.

The structure of an ISMS according to DIN ISO/IEC 27001 provides protection against such attacks. This international standard for ISMS, which is based on a risk-based approach, offers corresponding possibilities and instruments.

The key requirement of the security catalogue to be implemented is the pursuit of a holistic approach. This is fulfilled by the operators of critical infrastructures with the introduction of an ISMS (information security management). The Federal Network Agency issues a security law and obliges all operators of critical infrastructures to introduce an information management system in accordance with the ISO/IEC 27001 standard. According to the current draft, operators of critical infrastructures only have one year after the adoption of the regulation to implement it.

An information management system is aimed at the permanent fulfilment of legal requirements and the sustainable limitation of risks. Only by establishing and adhering to an ISMS with the definition of the associated organisational structure and responsibilities can a continuous improvement in information security be achieved.

An ISMS introduced in the company in accordance with DIN ISO 27001 ensures the availability of business processes and offers appropriate protection against incidents that could damage business. Risks are limited sustainably. Intelligent integration with IT service management creates a further building block for the continuous optimisation of IT systems and processes.

Parallel to the introduction of an ISMS, network operators are obliged to appoint an IT security officer as a contact person for the Federal Network Agency. The task of the IT security officer is to coordinate all IT security-related measures. To fulfil these tasks, the IT security officer works closely with the company management, the IT management, the data protection officer and all other departments of information security management. Trigonum Consulting will provide you with an external security officer on request. Our security officers have many years of expertise. They are experts in the field of national and international information security standards and certified ISO 27001 basic protection auditors.