How to submit documentation of compliance
Operators of critical infrastructure (KRITIS) are required by law to provide the BSI with regular documentation demonstrating that they are using state-of-the-art IT security technology.
We have summarised certain points for KRITIS operators, to ensure that the submission process is as smooth as possible:
Submit the compliance documentation on time
Unfortunately, not all operators submit their compliance documentation to the BSI on time, which leads the BSI to make follow-up enquiries and issue warnings. This can be because the auditing bodies require a certain amount of time to compile their results after an audit is completed. We therefore recommend including a buffer in your compliance schedule from the outset. This avoids the need for a warning process, which is time-consuming for all parties.
Make sure that the information in the compliance documentation is complete
For auditors and operators, the revised orientation guides for documentation of compliance include templates for an audit schedule as well as for a list of deficiencies, including implementation planning. In addition, our website now provides a list of deficiencies as a file for download.
It is extremely important that the information in each column of this document is complete. Implementation plans often fail to include the implementation status as a percentage. If the implementation process for correcting deficiencies has not yet started, “0 %” must be entered here. Audit schedules often fail to include times or time spans for individual audit topics/schedules as well as the role designations for the audit participants. This leads the BSI to submit follow-up requests, creating further work for operators and auditing bodies to add this information retrospectively.
Please use the “Document/appendix overview” from the KI form as a checklist for ensuring that the documentation of compliance and all appendices are complete before sending.
Instructions on avoiding follow-up enquiries and requests for documentation
Some instructions for ensuring that the submission and audit process runs smoothly are provided below:
- When filling in the KI and P compliance documentation, please state the exact designation of your critical infrastructure or facility that you provided when registering with the BSI. Without this, no clear identification will be possible and follow-up enquiries will be inevitable.
- Follow the instructions on scope in Appendix C of the orientation guide for documentation of compliance.
- Documentation of compliance on the basis of an ISO/IEC 27001 certificate must meet the relevant requirements specified by the BSI (see FAQ). A written explanation must be provided explaining how each item was implemented in the audit.
- Section PD.3 “Information on the audit basis” includes the option to tick “Use a different audit basis”. In this case, an explanation of the basis used for the audit must be sent.
- We require a declaration of independence (Appendix PS.B) for each auditor in the audit team. This must be signed by each individual auditor. A general declaration from the auditing body will not be accepted.
- The form listed in Section PS.3, “Self-declaration regarding the general suitability of the auditing body”, is only to be submitted by auditing bodies that cannot be allocated any of the accreditations or certifications in PS.3.
In Section PS.5 “Auditing process competence” (PVK), the composition of the audit team determines which documents are required:
- If all auditors are external persons or freelancers, and therefore do not belong to the auditing body, verification of PVK in accordance with Section 8a of the BSI-Act must be submitted for both the auditor and the auditing body.
- If the auditor with additional auditing process competence is an employee of the auditing body, verification of this person’s additional auditing process competence is sufficient.
- It is important to note that employees of the operator are not permitted to be members of the audit team; otherwise the audit may be declared invalid and may need to be repeated.
- An audit team must consist of at least two qualified persons in order to adhere to the two-person rule.
- Both the P and KI forms must be signed and the company stamp must be applied.
- All compliance documentation must be submitted in German; only the audit report itself may be in English.
- Due to ongoing digitalisation and efforts to simplify processing, we request that the compliance documentation be submitted by e-mail only. It is not necessary to send documentation additionally by post.
In the past, compliance with these instructions has led to a significant reduction in the number of follow-up requests sent by the BSI. We trust that our instructions and your growing experience will enable this positive trend to continue.