BSI minimum standard for the application of the HA Benchmark Compact

Within the Federal Administration, the High-Availability Benchmark (HAB) Compact is applied to determine the IT security level for data centres. This is a benchmarking procedure in which maturity levels and potential levels can be attained. The minimum standard specifies minimum values for the 34 indicators in the High-Availability Benchmark (HAB) Compact, which the BSI regards as the minimum to be attained when the High-Availability Benchmark (HAB) Compact is applied.

The High-Availability Benchmark (HAB) Compact is a condensed version of the High-Availability (HA) Benchmark, which utilises a slightly modified methodology compared with the full version and is supplemented with auditing elements. The most important target group addressed by the High-Availability (HA) Benchmark is data centre operating companies interested in completing a self-assessment procedure. The High-Availability (HA) Benchmark aims to measure and evaluate the reliability of the IT service or data centre (DC) under consideration. This is achieved with the aid of around 100 especially relevant aspects of reliability (‘indicators’) in combination with the use of maturity models. The term ‘reliability’ describes the expectation that an IT service will fulfil its required functions in a verifiable and transparent manner from the outset. Reliability is a measure of the quality of IT services and is essentially determined by the following seven criteria: availability, integrity, confidentiality, operational safety, maintainability, transparency and performance. The three key security objectives (confidentiality, integrity and availability) are contained within the term ‘reliability’, i.e. reliability encompasses information security but also goes beyond it.

The High-Availability Benchmark (HAB) Compact is an integral part of the minimum standard and is included with it as Annex 1.

Information about the minimum values:

Conforming to the prescribed minimum values is necessary but not in itself adequate to achieve an appropriate level of IT security for data centres serving the offices of the Federal Government. Accordingly, the target values for the 34 indicators must be determined for each data centre on a case-by-case basis, taking individual protection needs into account. Typically, these target values will be higher – but never lower – than the minimum values prescribed by the minimum standard. In order to achieve an adequate level of IT security, the necessary security measures must also be defined and implemented on the basis of recognised standards, and in accordance with the actual protection needs. Mere compliance with this minimum standard does not in itself guarantee an adequate level of security, because the High-Availability Benchmark (HAB) Compact encompasses only a subset of the relevant aspects of data centre (DC) security (34 of 100 indicators). Completeness in this regard can be achieved only by applying recognised standards (e.g. IT-Grundschutz, EN 50600). Accordingly, the High-Availability Benchmark (HAB) Compact can never be a full replacement for such standards.

Update June 2018: the BSI has adapted the minimum standard to the new version of the High-Availability (HA) Benchmark Compact (4.0). This now forms a permanent annex to the new minimum standard version 1.1. While the required maturity levels and potential levels remain unchanged, the level descriptions for the High-Availability Benchmark (HAB) Compact have been revised in some cases. This can have consequences for the fulfilment of the minimum standard. The main changes are summarised in a separate overview.

Download minimum standard (only available in German)

Mindeststandard des BSI für die Anwendung des HV-Benchmark kompakt

Download change history (only available in German)

Änderungsübersicht zum Mindeststandard des BSI zur Anwendung des HV-Benchmark 4.0 (Version 1.1)