Information on the choice of scope

You can find further notes and examples in the publication
"Zur Dokumentation des Geltungsbereiches bei KRITIS-Betreibern"

Choice of scope

The scope must be precisely defined and described in preparation for the audit.

In particular, checking that the scope has been chosen correctly is very important for the suitability of the documentation. The auditor must question whether the choice of scope is correct and whether it fully includes the information technology systems, components and processes belonging to the Critical Infrastructure of the system to be audited, as well as those influencing the Critical Infrastructure.

In this regard, under the aspects to be examined, the auditor must examine and evaluate the following:

  • functionality of the essential service
  • suitability and necessity
  • completeness

The description of the system and the associated aspects of the essential service must be transparent and correspond in its characteristics to the registered system category.
The scope of application must be presented graphically and, where necessary for comprehension, described in writing. The graphic presentation is intended to provide a quick overview, while the textual description supplements this overview with the necessary depth of information. If there are dependencies or interfaces to areas or systems outside the scope of application, these must be recognisable in the graphic overview and described in a comprehensible manner. The same applies to parts of the essential service which are provided by third parties on behalf of the operator.

If the presentation of the scope of application is embedded in a presentation of a larger area or overall network, the boundaries of the scope must be clearly indicated.

Network structure plan

The central element of the graphic presentation is the network structure plan. In its function as an overview, it must map all areas of the Critical Infrastructure, as well as point out communication interfaces and dependencies to the outside world. It must indicate the extent to which individual elements are relevant to the essential service. The choice of an appropriate level of abstraction is essential for this. In particular, the network structure plan covers all systems, components and, if applicable, applications that are crucial for the functionality of the essential service. Associated processes can be recorded in the network structure plan or displayed separately. In any case, however, it must be possible to assign processes to the corresponding necessary IT systems, components and applications. It is also important here that the interaction of the essential components with each other and with third parties is made clear.

Similar objects should be meaningfully combined into groups so that the network structure plan remains clear.

Objects may then be assigned to one and the same group if all the components

  • are of the same type
  • have similar tasks
  • are subject to similar framework conditions
  • have the same protection needs

If the systems, components or other areas of the Critical Infrastructure are distributed over several sites, the scope must reflect this distribution and identify the sites. It must also show the connections between the sites.
Outsourced parts of the essential service must be identifiable within the scope, along with the communication interfaces used. This also includes maintenance interfaces, provided they are permanently enabled.
This means that at least the following interfaces must be shown in the network structure plan:

  • communication interfaces with external networks
  • communication interfaces with networks at other sites
  • maintenance interfaces that are permanently enabled
  • interfaces to outsourced parts of the service

If elements of the network structure plan are represented by symbols to improve clarity, the elements used must be explained in a legend.
To meet the requirements for presenting the scope in a network structure plan, a list can also be used in addition to the drawing to provide a better overview.

Requirements for describing and presenting the scope

  • G01: The system is described in a recognisable and transparent way.
  • G02: The parts of the essential service provided by the operator are described in a recognisable and transparent way.
  • G03: The presentation contains all essential features of the system category.
  • G04: All processes relevant to the essential service are recorded.
  • G05: All systems, components and applications relevant for the essential service are recorded, if applicable.
  • G06: All areas of KRITIS can be seen from the submitted scope.
  • G07: The limits of the scope are clearly visible.
  • G08: The interfaces to processes, systems, components and, if applicable, applications outside the scope are described in a recognisable and transparent manner.
  • G09: The dependencies on processes, systems, components and, if applicable, applications outside the scope are described in a recognisable and transparent manner.
  • G10: The parts of KRITIS operated by third parties are described in a recognisable and transparent manner.
  • G11: The scope enables an assignment between processes and associated necessary systems, components and, if applicable, applications.
  • G12: The scope is presented in a network structure plan.
  • G13: Additions to the network structure plan that are necessary for comprehensibility have been made in writing.

Requirements for the presentation of the scope through a network structure plan

  • N01: The network structure plan provides an overview of the scope.
  • N02: All relevant systems, components and applications are shown, if applicable.
  • N03: The level of abstraction has been chosen appropriately.
  • N04: The relevance of individual elements of the network structure plan for the essential service is clearly presented.
  • N05: All external communication interfaces are shown.
  • N06: Maintenance interfaces are mapped if they are permanently enabled.
  • N07: The network structure plan shows any existing division into sites, if applicable.
  • N08: The IT connections between different sites are shown.
  • N09: Outsourced services are shown.
  • N10: Functional designations and legends are available if necessary and are comprehensible.
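The grouping rule (same type, similar tasks, similar framework conditions, same protection needs), the list of interfaces that must appear in the plan and the requirements G11 and N05 to N10 are concrete enough to be checked mechanically against an asset inventory before the audit. The following is an added example, not tooling from the BSI or from the publication cited above: it models a scope inventory for a fictitious two-site operator (all asset names, sites, symbols and interfaces are constructed) and reports which requirement each gap violates. The mapping of interface kinds to requirement numbers and the choice of checking site connectivity via drawn inter-site interfaces are assumptions made for the example.

```python
# Added example: structural checks over a constructed scope inventory,
# modelled on the grouping rule and requirements G11 and N05-N10 on this page.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str              # object type, e.g. "PLC"
    task: str              # task for the essential service
    conditions: str        # framework conditions, e.g. "OT cell, 24/7"
    protection_need: str   # e.g. "high"
    site: str
    symbol: str            # symbol used in the drawing; must appear in the legend

@dataclass(frozen=True)
class Interface:
    source: str            # asset or group name inside the scope
    target: str            # peer: site name, external network or service provider
    kind: str              # "external", "inter-site", "maintenance", "outsourced"
    permanently_enabled: bool = True
    shown_in_plan: bool = True

@dataclass
class ScopePlan:
    assets: List[Asset]
    groups: Dict[str, List[str]]     # group name -> member asset names
    interfaces: List[Interface]
    processes: Dict[str, List[str]]  # process -> asset/group names it relies on
    legend: Dict[str, str]           # symbol -> explanation

Finding = Tuple[str, str]  # (requirement or rule id, message)

def check_grouping(plan: ScopePlan) -> List[Finding]:
    # Members of one group must share type, task, framework conditions and protection need
    by_name = {a.name: a for a in plan.assets}
    findings = []
    for gname, members in plan.groups.items():
        for attr in ("kind", "task", "conditions", "protection_need"):
            values = sorted({getattr(by_name[m], attr) for m in members})
            if len(values) > 1:
                findings.append(("grouping", f"group '{gname}' mixes {attr}: {values}"))
    return findings

# Assumed mapping of interface kinds to the requirement that demands they be drawn
REQ_FOR_KIND = {"external": "N05", "inter-site": "N08", "maintenance": "N06", "outsourced": "N09"}

def check_interfaces(plan: ScopePlan) -> List[Finding]:
    findings = []
    for itf in plan.interfaces:
        if itf.kind == "maintenance" and not itf.permanently_enabled:
            continue  # N06 only requires permanently enabled maintenance interfaces
        if not itf.shown_in_plan:
            findings.append((REQ_FOR_KIND[itf.kind],
                             f"{itf.kind} interface {itf.source} -> {itf.target} is not in the plan"))
    return findings

def check_sites(plan: ScopePlan) -> List[Finding]:
    # N07/N08: with several sites, every site needs a drawn inter-site connection
    sites = {a.site for a in plan.assets}
    if len(sites) < 2:
        return []
    site_of = {a.name: a.site for a in plan.assets}
    site_of.update({g: site_of[m[0]] for g, m in plan.groups.items() if m})
    connected = set()
    for itf in plan.interfaces:
        if itf.kind == "inter-site" and itf.shown_in_plan:
            connected.update({site_of[itf.source], itf.target})
    return [("N08", f"site '{s}' has no drawn connection to other sites") for s in sorted(sites - connected)]

def check_process_mapping(plan: ScopePlan) -> List[Finding]:
    # G11: every process must map onto systems or groups that exist in the scope
    known = {a.name for a in plan.assets} | set(plan.groups)
    return [("G11", f"process '{p}' refers to unknown element '{n}'")
            for p, names in plan.processes.items() for n in names if n not in known]

def check_legend(plan: ScopePlan) -> List[Finding]:
    # N10: every symbol used in the drawing needs a legend entry
    missing = sorted({a.symbol for a in plan.assets} - set(plan.legend))
    return [("N10", f"symbol {s!r} has no legend entry") for s in missing]

def run_checks(plan: ScopePlan) -> List[Finding]:
    findings: List[Finding] = []
    for check in (check_grouping, check_interfaces, check_sites, check_process_mapping, check_legend):
        findings.extend(check(plan))
    return findings

# Constructed sample inventory: fictitious water-supply operator with sites "A" and "B"
SAMPLE = ScopePlan(
    assets=[
        Asset("plc-1", "PLC", "pump control", "OT cell, 24/7", "high", "A", "[]"),
        Asset("plc-2", "PLC", "pump control", "OT cell, 24/7", "high", "A", "[]"),
        Asset("hist-1", "historian", "process data archive", "DMZ", "normal", "B", "()"),
        Asset("hist-2", "historian", "process data archive", "DMZ", "high", "B", "()"),
    ],
    groups={"pump-plcs": ["plc-1", "plc-2"], "historians": ["hist-1", "hist-2"]},
    interfaces=[
        Interface("pump-plcs", "B", "inter-site"),
        Interface("historians", "office network", "external"),
        Interface("plc-1", "vendor remote maintenance", "maintenance", True, shown_in_plan=False),
        Interface("hist-1", "vendor ticket VPN", "maintenance", False, shown_in_plan=False),
        Interface("pump-plcs", "cloud monitoring provider", "outsourced"),
    ],
    processes={"water supply": ["pump-plcs", "historians"], "billing": ["erp-1"]},
    legend={"[]": "programmable logic controller"},
)

if __name__ == "__main__":
    for req, msg in run_checks(SAMPLE):
        print(f"{req}: {msg}")
```

Run against the sample, the checks report four gaps: the "historians" group mixes protection needs and so violates the grouping rule; the permanently enabled vendor maintenance interface on plc-1 is missing from the plan (N06), while the ticket-based VPN that is only enabled on demand is correctly ignored; the "billing" process refers to an element that is not in the scope (G11); and the historian symbol has no legend entry (N10). The inventory would normally be loaded from the operator's asset database rather than written inline.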