Appropriate auditing bodies

An auditing body is an appropriate organisation commissioned by the KRITIS operator to determine whether the operator has taken appropriate precautions in line with Section 8a (1) of the BSI-Act. This section includes an excerpt from the orientation guide to documentation of compliance pursuant to Section 8a (3) of the BSI-Act.

Appropriate auditing bodies

In many cases, the auditing body does not have to prove to the BSI that the aforementioned suitability criteria have been met, as they are already subject to a recognised accreditation regime. The auditing body may document its qualification with the following, for example:

  • an accreditation with the DAkkS for ISO/IEC 27001 certification (accredited certification bodies of the DAkkS)
  • a certification as IT security service provider or an approval as auditing body with the BSI
  • an external quality assessment according to 'International Standards for the Professional Practice of Internal Auditing' (IIA) and/or DIIR auditing standard no. 3 'Examination of Internal Auditing Systems (Quality Assessments)' (DIIR)
  • an accreditation as an accounting institution
  • an individual documentation of suitability by self-declaration to the BSI

In addition, it should be demonstrated that the individual members of the audit team as a whole have all the necessary competencies.