IS Implementation
- Setting up an ISMS in accordance with ISO 27001
The use and operation of IT have long implied an obligation to comply with business, statutory, official, and contractual requirements. Protection of one’s own information assets plays an especially decisive role and an effective ISMS in accordance with ISO 27001 is indispensable.
Establishing an ISMS is useful not only for companies that are aiming to have their ISMS certified. With an effective ISMS in place you create a uniform enterprise-wide process to identify and manage your information security risks and to monitor and continuously improve your information security. We can assist you with our specialised know-how in setting up an ISMS by means of an effective and efficient procedure.
Your benefits
- Safeguarding business processes critical for corporate success
- Knowledge of your IT risks and thus the possibility of introducing appropriate security measures in a targeted manner, measurably and verifiably
- Increase of your information security’s sustainability, efficacy and efficiency
- Compliance with legal requirements such as the IT Security Act
- A certification granting competitive advantages and proof of quality to customers, partners and insurance companies
- ISO 27001 development plan
Certification in accordance with ISO 27001 confirms an effective information security management system (ISMS) and thereby a high level of information security within the enterprise, but the road to certification by establishing and implementing an ISMS can be very time-consuming and involve high costs. Resource-based aspects are by no means alone in making an ISMS project in accordance with ISO 27001 a major challenge. A project of this kind is, as a rule, very complex and takes a long time to implement, especially in large enterprises. During this period the motivation of the employees involved in the project must not only be maintained at a constantly high level; continuous management support is also indispensable.
With the ISO 27001 development plan TÜV TRUST IT has developed a methodology to enable our customers to master these challenges and develop an effective and certifiable ISMS step by step within a reasonable period and an appropriate business framework that can then be certified in accordance with ISO 27001 by an independent testing organisation.
Your benefits
- Masterplan, which divides your project into manageable sub-areas.
- Establishment of an effective ISMS that can be certified within a reasonable time frame.
- By means of structured and risk-based prioritisation, all parts of the overall scope are successively brought under the control of the ISMS.
- The Masterplan helps to generate early proofs of project success that not only maintain the motivation of project employees but also provide the management with evidence of the project’s successful progress.
- Optimal starting point for successful certification in accordance with ISO 27001 by an independent testing organisation.
- Gap-analysis in accordance with ISO 27001
With the implementation of an information security management system (ISMS) in accordance with ISO 27001, processes are established to protect information with regard to its confidentiality, integrity and availability. However, before starting an ISMS project, it is important to analyse whether and to what extent processes and associated measures have already been established.
Therefore, a preliminary gap analysis (also known as an ISMS inventory) should be undertaken by an independent organisation. TÜV TRUST IT has developed a standardised procedure for this purpose, which makes it possible to identify deviations between the TARGET and ACTUAL state (the “gap”) and to highlight potential for optimisation.
Your benefits
- Comprehensive inventory with manageable effort and minimised use of resources
- Overview of the maturity level of ISMS processes and measures
- Final report with recommendations for further steps
- Ideal basis for setting up an ISMS
- IT Security Act & KRITIS
The IT Security Act (IT-SiG) came into force on 25 July 2015. The IT Security Act aims to significantly improve the security of information technology systems (IT security) in Germany. Particular importance is attached to critical infrastructures (CRITIS), which are central to the functioning of the community. The sectors and industries of critical infrastructures are defined by the Federal Office for Information Security (BSI) and currently include ten sectors.
In addition, from May 2023, CRITIS companies are obliged to implement and actively use systems for attack detection (SzA). And finally, CRITIS companies are to prove the use of business continuity management systems (BCMS).
Obligations of KRITIS operators include:
- Designation of an IT security contact point for the BSI that can be reached at all times.
- Immediate reporting of notifiable IT disruptions
- Implementation of appropriate organisational and technical precautions to prevent malfunctions in accordance with the “state of the art”.
- Proof of compliance with the requirements to the BSI (every two years)
- From May 2023, use of a system for attack detection (SzA) and proof thereof
Our services
- Development of an information security management system (ISMS)
- Provision of an external CISO/ISB or coaching of the internal CISO/ISB
- Examinations according to §8a (3) BSI Act
- Training (§8a BSIG)
Your benefits
- Compliance with the requirements of the IT-SiG
- Proof of a systematic approach to safeguarding against IT security threats with regard to customers, partners and insurance companies
- Protection of your critical business processes
- Overview of your IT risks and thus the possibility of introducing appropriate security measures
- Effective increase of information security
- Investment targeting
- After successful certification: proof of quality and competitive advantage
- KRITIS Umbrella Act
Alongside the NIS 2 Directive, the EU CER Directive (Critical Entities Resilience) came into force in January 2023. As with NIS 2, the deadlines require implementation by the EU member states by 17.10.2024, and CER is to be applied within the EU from 18.10.2024. The KRITIS Umbrella Act is the implementation law of the CER in Germany. A draft bill was last published on 21 December 2023, but from today’s perspective it is doubtful that it will come into force on time, just as with NIS-2. It is an independent law, i.e. not an article law like the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). The primary supervisory authority will be the Federal Office of Civil Protection and Disaster Assistance (BBK).
The KRITIS Umbrella Act is intended to strengthen the resilience of critical facilities according to the all-hazards approach. In contrast to the NIS2UmsuCG, which is intended to strengthen the IT security of critical facilities, the KRITIS Umbrella Act is intended to strengthen the physical protection of these facilities and their resilience. It thus complements the NIS2UmsuCG. However, all legal ordinances relating to the KRITIS Umbrella Act and NIS2UmsuCG are to be coordinated.
Operators of critical facilities, which are defined by legal ordinance in analogy to the IT Security Act, must conduct a risk analysis and assessment for the first time 9 months after registration of a facility and every 4 years thereafter. This risk analysis will be based on a national risk analysis, which has to be provided by the BBK for the first time by 17 January 2026. All natural, climatic and man-made risks affecting economic stability must be taken into account. Based on these risk analyses, operators of critical facilities must implement appropriate and reasonable technical, safety-related and organisational measures to ensure their resilience in accordance with the state of the art. These measures cover the areas of BCM/emergency management, physical security, personnel and risk/crisis management and they are to be documented in a resilience plan.
Incidents must be reported immediately to the supervisory authority by the operator of critical facilities. In addition, the KRITIS Umbrella Act provides for fines, although these have not yet been quantified in the latest draft bill. Finally, the KRITIS Umbrella Act includes obligations and liability for management analogous to the NIS2UmsuCG.
The essential obligations for operators of critical facilities, e.g. risk analyses and implementation of measures, are not to come into force until 01.01.2026. This means that a not inconsiderable transitional period is currently planned.
The requirements of the KRITIS Umbrella Act only apply to operators of critical facilities. The legal ordinance in which critical facilities are defined should be the same for the KRITIS Umbrella Act and the NIS-2 Implementation Act in order to create a standardised regulatory framework.
We offer you a special range of services. Contact us.
- Intrusion Detection Systems (IDS)
Intrusion detection is a service; technology alone does not fulfil the requirements of the BSI.
With increasing digitalisation, the risks of cyber attacks have also been rising for years. As a result, processes, customer data and company secrets have long been considered critical information. Many companies have recognised this threat and have already invested heavily in expanding their security infrastructure. A regulatory framework is also being created through various legal provisions.
The problem is that it often takes several months before a cyber attack is detected, giving attackers plenty of time to look around the company and steal valuable information or prepare for blackmail through encryption.
An intrusion detection system (IDS) makes it possible to detect a cyber attack early on and initiate an immediate response. The system acts as an alarm unit and, thanks to its holistic approach, the information from all monitored systems is centralised and analysed. This rapid response prevents damage and denies the attacker time. It is not without reason that CRITIS operators have been required to implement an IDS since 1 May 2023. We are happy to support you with a wide range of services relating to this topic.

Our customers benefit from various services relating to intrusion detection systems:
- Preliminary project IDS: As part of a preliminary project, we support you in preparing your tender for an intrusion detection system. We pay attention to the key aspects and ask the right questions in order to fulfil the existing legal requirements and select the most suitable system.
- Technical audit: We analyse and evaluate your technical security infrastructure. We will provide you with a recommendation for action to effectively secure your company.
- IT security consulting: We advise you on your path to the best possible protection against cyber attacks. We compare your IT security infrastructure with the standards required by law and define the steps towards an optimum IT security landscape.
- BSI Act §8a audit: Under BSIG §8a (3), CRITIS operators are also required to provide the German Federal Office for Information Security (BSI) with evidence of the use of an intrusion detection system every two years. We are happy to organise this audit for you.
- Audits in accordance with EnWG §11 (1f): For companies in the energy sector via TÜV AUSTRIA Deutschland GmbH.
- SOCaaS for IT and/or OT (Security Operations Centre as a Service from CSOC): We are happy to monitor your IT and/or OT infrastructure around the clock with a SOCaaS. Certified Security Operations Center GmbH offers services specifically for SMEs, based on a holistic approach to protection against cybercrime.
Your benefits
- As a TÜV organisation, we are familiar with the legal regulations on the subject of intrusion detection systems. We help you to assess your situation and support you in implementing the necessary measures.
- Consulting on intrusion detection systems and deployment of a SOC: We not only support you in selecting a suitable IDS and analysing the security environment, but also offer you a high-performance SOC through our joint venture, Certified Security Operations Center GmbH.