The statement refers to the application of an internationally recognised standard equivalent to the BSI IT-Grundschutz. In this case, any special requirements resulting from the needs of aviation must be taken into account during implementation.
No. In accordance with the task transfer decree of the Federal Ministry of the Interior and Home Affairs, the BSI is responsible for the control and coordination of information security in aviation security. This includes the development of the technical principles for the implementation of the measures as well as the establishment and operation of the reporting and information system. The BSI is not responsible for approving the information security section of the aviation security programme.
The audits must be conducted by "suitable auditors". Suitable auditors are the auditors of an organisation approved by the Deutsche Akkreditierungsstelle GmbH (DAkkS), auditors/auditing companies or IT service providers certified by the BSI. To ensure independence and objectivity, each audit team should consist of at least two auditors, who can come from either the same organisation or different organisations.
Only "suitable auditors" can perform the audits. Suitable auditors are the auditors of an organisation accredited by the Deutsche Akkreditierungsstelle GmbH (DAkkS), auditors/auditing companies or IT service providers certified by the BSI. An association can have itself accredited as an organisation by the DAkkS and subsequently carry out the audits.
According to the National Quality Control Programme (NQP), there are security audits, inspections and tests in the area of aviation security. Provided the results of these quality control measures are known in detail, they can be taken into account when drawing up aviation security programmes.
In addition to BSI IT-Grundschutz, comparable international standards (e.g. ISO 2700X series) can also be applied.
Airports in Germany regulated under Regulation 300/2008 must demonstrate the level of basic security by 1 January 2024 and the level of standard security according to BSI IT-Grundschutz by 1 January 2027. Accordingly, the aviation security programmes for information security must be submitted for approval to the responsible aviation security authorities with an appropriate lead time before each of the two above-mentioned cut-off dates.
Training providers are not required to demonstrate certification. Providers of cyber training and education should be certified to the ISO 9001:2015 standard and instructors should be proven experts in the field of information security. Trainers should also have proven expertise in adult learning and knowledge transfer. It must be ensured that the trainers have sufficient methodological-didactic experience and communicative and social skills.