Procedure for reviewing the suitability of an industry-specific security standard (B3S)

The preferred procedure for developing an industry-specific security standard (B3S) is within the sector working groups of UP KRITIS. This established cooperation platform between operators and the government provides the appropriate structures for this. The prerequisite for membership in a sector working group is participation in UP KRITIS, as well as the agreement of the other members of the working group.

If a B3S has been developed, it can be submitted to the BSI for review using a form. The form includes the necessary data to apply for the review as well as a checklist of formal requirements for the document. In addition to the form, a mapping table should be submitted; this helps to ensure transparency in agreeing the suitability of the B3S.

The BSI then determines whether a B3S is suitable for meeting the 'state-of-the-art' requirements for the scope in relation to the sector-specific threat landscape and risk assessment. The review of suitability is carried out in consultation with the Federal Office of Civil Protection and Disaster Assistance (BBK) and the competent supervisory authorities.
The BSI generally approves the suitability of a B3S for two years, after which it must be resubmitted.

Fees

On 1 October 2019, the Special Fees Ordinance (BGebV) of the Federal Ministry of the Interior and Community (BMI) came into force for individually attributable public services.

Section 7 (6) of the schedule of fees and expenses now also provides for reviewing the suitability of sector-specific security standards pursuant to Section 3 (1) Sent. 2 No. 17 in conjunction with Section 8a (2) Sent. 2 of the BSI-Act as a new fee element. The BSI must thus list the hours of work required to examine the suitability of the submitted B3S proposal and charge the costs to the applicant.

The fees for the review are incurred regardless of the result of the review.

Interim result

Since a B3S industry-specific security standard is subject to a particular maturation process, it is usually prepared in three parts:

  1. Requirements (see sections 1 to 4 of the B3S orientation guide)
  2. State of the art of safeguards and procedures (see sections 5 and 6 of the B3S orientation guide)
  3. Evidence (see section 7 of the B3S orientation guide)

To enable operators and associations to identify at an early stage the requirements that should be met in accordance with Section 8a (1) of the BSI-Act in terms of the 'state of the art', the BSI offers to comment on the respective components of a B3S before a final determination of suitability is made.

On the basis of the information provided and subject to the necessary coordination with other authorities within the framework of the actual suitability review, the applicant can receive an interim result regarding the suitability of the B3S developed. Operators can then use these results when implementing an appropriate 'state of the art'.

With the consent of the applicant, these interim results can also be passed to the other authorities for advance information, allowing the later, actual suitability review to be accelerated.

Publication (B3S industry-specific security standard)

After the successful suitability review of a B3S, the overview on the BSI website is amended (B3S overview).

The applicant may classify the B3S or parts thereof as confidential and determine that the B3S shall only be made available to certain operators. The B3S is only published on the BSI website or the place of publication indicated there with the consent of the applicant.