Daniel Schnetzke joined TÜV TRUST IT in 2019. After completing his business studies, personal motivation and a high affinity for IT topics brought him to the company, where he now works as a consultant with a focus on business continuity management. In this interview, he talks about his job, the importance of a BCMS in everyday business and the effects of the new EU directive NIS2.
Mr Schnetzke, you are responsible for Business Continuity Management at TÜV TRUST IT – what are your responsibilities?
The focus is on consulting within a project for companies across all market segments. The topic of BCM is currently increasingly in demand. Both from CRITIS companies, which have to fulfil the requirements of the BSIG, and from start-ups with few employees, which are concerned about securing their most important business processes and resources. The rough process of a BCM project is basically similar for all customers and is based on the BSI standard IT-Grundschutz 200-4. In the first step, we identify the goals and the scope as well as the relevant, time-critical processes. This is followed by the transfer to emergency planning, the creation of emergency plans and their exercise, meaning application under simulated damage conditions, in the further course and finally an annual update of the BCM process.
You mention the relevance of BCM. Why is this becoming more and more important?
The fact is that the time windows in which one can react to failures and get processes up and running again have become much smaller. Among other things, this is due to the fact that companies are more and more subject to an increase in efficiency, which means that idle and buffer times are melting away. In addition, there are the influences of cybercrime, especially damage caused by ransomware and targeted cyberattacks. According to the Allianz Risk Barometer 2023, business interruptions and targeted or untargeted cyber incidents are among the greatest fears of companies. Against this backdrop, business structures are dependent on emergency management that can be used to respond in a timely manner. BCM thus acts as a kind of protective helmet and benefits from an information security management system (ISMS). The latter ensures the availability of resources during normal operations and the BCM answers the question: How do we react efficiently when something happens and how do we maintain our essential processes?
At the beginning of the year, the new EU directive NIS2 came into force. What does this mean for companies?
First, the EU member states still have time to transpose the NIS2 directive into national law. In Germany, many of the contents of this directive are already reflected in the IT Security Act, which will probably be amended in the foreseeable future (IT Security Act 3.0). The implementation of NIS2, which is supposed to set the minimum security standards for critical infrastructure companies, is expected in the last quarter of 2024. With regard to a BCMS, there is still no explicit obligation to establish or certify one, but the new ISMS standards ISO 27001:2022 in conjunction with ISO 27002:2022 also provide for the application of BCM methodologies. This means that even without the specific obligation to establish a BCM, companies must still introduce emergency measures to a greater extent than before in order to achieve ISMS certification. EU regulation is thus only one of the drivers for BCM. Concerns about cybercrime play a role here, as does the question of dealing with business interruptions and, last but not least, of course, the intrinsic motivation of companies to arm themselves against growing threats and to be able to act even if a negative event occurs.
Which companies will be affected by the changes?
Since the IT Security Act regulates the CRITIS sector, these companies will also be predominantly affected. However, the number of CRITIS operators will increase because, for example, smaller companies that have so far been left out will also enter the CRITIS scope via NIS2. And within the CRITIS sector, there are also differences with regard to emergency management. The financial or energy sectors are generally more time-critical in their task fulfilment than areas of research and development. The EU’s RCE (Resilience of Critical Entities) directive, which was developed in parallel, focuses on operational security, whereas NIS2 includes information security. I expect that the requirements from the RCE will affect the BCMS more than NIS2.
And how can TÜV TRUST IT support these companies?
As already mentioned, BCM and ISMS usually go hand in hand or benefit from each other, which is why we naturally address both topics in companies in order to meet the demands of our customers as much as possible. In the area of technology, we also offer penetration tests, for example, to test IT infrastructures for resilience. This can also include mobile apps or the behaviour of employees, for example in the case of questionable emails. For the BCMS, the current BSI Standard 200-4 also provides us with attractive forms of implementation: For example, a so-called reactive BCMS can be used to organise emergency management in a company, which only covers the most important business processes, but can be established quite quickly.
Emergency management can also open new doors, because it often shows that too many resources are invested in less important business processes. So, we can also help to manage resources more efficiently and avoid over-engineering. The reverse is also true, of course, if the analysis of the effects of resource failures leads to the conclusion that existing replacement procedures are not sufficient to avert high losses. At this point, reinvestment should be made or the management accepts this risk for the time being.
And last but not least, we also advise companies until they are ready for certification for business continuity according to ISO 22301. Because even though it is not mandatory, such a certification shows in the external effect that a company is dealing with the topic in a well-founded way, which can bring a competitive and image advantage.
Anyone who would like to find out more about the advantages of setting up and certifying a BCMS is welcome to contact us at any time without obligation – of course, this does not only apply to CRITIS companies.
Thank you very much for the interview, Mr Schnetzke!