FAQ on preparing an industry-specific security standard (B3S)
A sector should first clarify the intersection where its security objectives, threats, risks, processes, technologies, etc. meet.
The overlaps can be covered by a B3S standard (or several specialist B3S standards). The B3S then serves as a guideline for the operators, who can use it to pool their knowledge and benefit from one another. The B3S also sets out abstract requirements that can be implemented regardless of which particular IT is used in each case; such requirements may describe a methodology or approach, for instance, rather than specific precautions.
If the intersection between different operators is empty or almost empty in an individual case, it may not be worth producing a joint B3S.
B3S are generally developed in the various industry working groups within the CIP Implementation Plan. The CIP Implementation Plan is a public-private cooperation whose purpose is to protect critical infrastructures in Germany.
Further information on it can be found on the webpages of the CIP Implementation Plan in the various industry working groups and on the webpages of the BSI on the sector-specific security standards.
An industry-specific security standard (B3S) is usually determined as suitable for a period of three years. Therefore, after three years at the latest, the B3S should be reviewed to check whether the assumptions made and descriptions contained therein, as well as the actions to be implemented, still reflect the current threat landscape and state of the art. It is possible to submit the same B3S again for a suitability audit.
If the old version of the B3S no longer meets the state of the art, the BSI can withdraw the determination of suitability for that B3S. There will be no 'automatic withdrawal', however. Transitional periods for use as the audit basis, such as in the IT-Grundschutz certification process, are not necessary.
In principle, the B3S does not lose its suitability after three years, but the statement from the BSI regarding its suitability expires. This means the operator must exercise increased caution in assessing the statements or precautionary measures defined in the B3S. If a B3S is out of date, the auditor can only trust the statements in the B3S to a limited extent. In any case, the operator must check that the precautionary measures described in the B3S are up to date, even when a suitability assessment is available.
The B3S can refer to already existing and enforceable provisions, such as standards, norms, policies, best practices or other implementation supports. If doing so, the B3S must unambiguously and transparently identify which of the requirements in those documents the KRITIS operator must fulfil. A B3S can be issued as a supplementary document to an already existing standard.
It is possible to integrate the management systems mentioned into an operator's existing structures, and doing so is often in the economic interest of the operator. However, the tasks of the various management systems can also be integrated into a combined management system.
It is permissible to submit multiple B3S with the same or different scope in a single industry. This could be down to one of the following:
Due to different implementations of the required measures, two different standards can achieve the same result (e.g. the situation in two different associations).
The B3S are the property of the authors. The existing B3S may not be available to all operators.
The scopes of the B3S may differ.
Within an industry, there may be different interest groups that each create their own B3S.
Part 3 'Revisability of the implementation (audits)' is recommended so that a B3S can be used as a basis for auditing the provision of documentation of compliance pursuant to Section 8a (3) BSIG. It gives the authors the option to specify the criteria described in the 'Orientation guide to documentation of compliance according to Section 8a (3) BSIG' on an industry-specific basis, but is not required for the suitability assessment within the meaning of the BSI Act.
As part of the suitability audit, the BSI therefore also inspects and comments on Part 3, but does not include it in the suitability assessment.