The Federal Office for Information Security (BSI) has certified TÜV TRUST IT as an IT security service provider in the area of “IS auditing and consulting.”
This certification allows TÜV TRUST IT to assess the information security (IS) of public authorities, among other things. Nationwide, only five other security specialists hold this certificate.
The German government requires federal authorities to regularly conduct comprehensive audits of their information infrastructures based on IT-Grundschutz. Authorities can now commission an external audit team from TÜV TRUST IT for this purpose. The auditors examine the effectiveness of the security organization and determine whether an authority complies with the prescribed standards and legal requirements in the field of information security.
The auditors assess whether the security concept meets current security requirements, whether security measures are implemented and functioning as expected, or whether deficiencies exist. Afterwards, the auditors prepare a report that outlines the authority’s security status. In a final meeting, the auditors explain how any identified security deficiencies can be remedied and how the authority can improve its overall information security within the framework of an Information Security Management System (ISMS).
The basis for IS audits in federal authorities is the “Implementation Plan for Ensuring IT Security in the Federal Administration (UP Bund).” This binding internal IT security directive of the German government describes measures aimed at ensuring medium- and long-term IT security in the federal administration. The UP Bund is a key component of the government’s overarching IT security strategy, the “National Plan for the Protection of Information Infrastructures in Germany (NPSI).”
To conduct IS audits for authorities, external service providers must first prove their trustworthiness and expertise to the BSI in a certification process. Among other things, this requires the provider to operate its own Information Security Management System according to ISO/IEC 27001 on the basis of IT-Grundschutz, as well as a Quality Management System meeting the requirements of ISO/IEC 17025. TÜV TRUST IT has provided this evidence. The certification also allows the company to support authorities in developing security concepts based on IT-Grundschutz and to advise them on conducting security and risk analyses.
TÜV TRUST IT has been offering comparable services to commercial enterprises for many years. Detlev Henze, Managing Director of TÜV TRUST IT, reports:
“IS audits are not only required for public authorities but also for financial service providers and, for example, in the automotive supply industry. Automotive manufacturers often require their suppliers to establish an Information Security Management System according to ISO 27001.”
Banks and insurance companies, in particular, are subject to requirements similar to those imposed on public authorities. BaFin (the Federal Financial Supervisory Authority) publishes the Minimum Requirements for Risk Management (MaRisk), a supervisory circular that also governs the design of IT systems and the associated IT processes.
“For risk management in banks,” explains Detlev Henze, “the BSI’s IT-Grundschutz catalogs and the ISO 2700x series of standards provide a solid foundation.”
In this area, TÜV TRUST IT works with its own proven audit plans.