Information for auditors

These pages provide useful information for auditors on proof of compliance pursuant to Section 8a (3) of the BSI-Act.

An auditing body is an appropriate organisation commissioned by the KRITIS operator to determine whether the operator has taken appropriate precautions in line with Section 8a (1) of the BSI-Act.

Additional information is available in our orientation guide to documentation of compliance pursuant to Section 8a (3) BSI-Act.

Qualification

An auditing body is suitable if the following criteria are met:

  • The necessary processes (e.g. information security management system (ISMS), quality assurance procedures, documentation and recording procedures, archiving and backup concept, audit process) must be introduced, implemented and documented in concepts.
  • The auditing body must carry out each audit in line with the documented audit process. A uniform understanding of what constitutes a deviation is essential for assessing deficiencies. If a security deficiency is assessed as a severe deviation, the reasons must be analysed and documented transparently.
  • It must be ensured that each audit is independent and impartial, neutral and free of instructions.
  • Compliance with the ethical principles must be ensured.
  • The type and extent of the audit actions and results are documented uniformly, objectively and properly.
  • Sufficiently competent human resources and suitable infrastructures are made available. An auditing body must meet the following criteria:

    • have at least one full-time head of the auditing body and one representative
    • perform the audit processes within a reasonable period of time (six months at the most)
    • be able to document secure infrastructure, systems, applications and a secure IT network structure
  • The auditing body shall have a defined process in place to determine the competence of the audit team and other persons involved in conducting the audits (e.g. technical experts). The following competencies must be represented in the audit team for this:

    • reliable knowledge of the field of information security
    • industry expertise and technical know-how in the field of providing the essential services of the audited KRITIS operators
    • reliable knowledge in the field of management systems and particularly information security management systems (ISMS)
    • detailed knowledge of the requirements of audits in line with Section 8a (3) of the BSI-Act
    • trustworthiness, impartiality and diligence

In order to provide for a comparable quality of the audit results, the audits should be performed within the documentation framework on the basis of common standards. Compliance with the requirements regarding the auditing body and the implementation of the processes should be checked by an independent authority.

An auditing body may be deemed appropriate if it has demonstrated its neutrality and qualification towards this independent authority.