Information security with ISO 27001 certification for KRITIS (critical infrastructure) operators
KRITIS (critical infrastructure) operators are attractive targets for cyberattacks. If their security falls short, the consequences reach the public at large. For this and other reasons, German law requires every KRITIS operator to prove that its information security meets the state of the art. An information security management system (ISMS), ideally supported by software and evidenced by ISO 27001 certification for example, is the established way to meet that requirement.
What does KRITIS mean?
KRITIS stands for critical infrastructures. According to the Federal Office of Civil Protection and Disaster Assistance (BBK), these are organizations and facilities of major importance to the community. If they fail or are disrupted, the result is lasting supply shortages, a significant disturbance of public safety or other dramatic consequences.
Which organizations count as KRITIS operators is defined at the federal level; for the regulated sectors, the BSI-Kritisverordnung (BSI-KritisV) sets the thresholds. The KRITIS sectors today are energy, water, food, finance & insurance, healthcare, information technology (IT) and telecommunications, municipal waste disposal, media & culture, government & administration and transportation & traffic. The sector alone is not decisive: the size of the facility matters too, typically measured as the number of people it supplies, because that determines how severe the damage from an outage would be.
What is behind the ISO/IEC 27001 standard?
ISO/IEC 27001 is the international standard for information security management in organizations. The full title of the current version, ISO/IEC 27001:2022, is “Information security, cybersecurity and privacy protection—Information security management systems—Requirements”. It specifies the requirements for establishing, operating and continually improving an ISMS (“information security management system”).
The aim is to protect the confidentiality, integrity and availability of information. An organization that meets the requirements can be certified by an accredited certification body. The certificate is valid for three years and is maintained through annual surveillance audits, followed by a recertification audit.
One advantage of the ISO/IEC 27001 standard is that it is deliberately generic: the requirements are adapted to the context of each organization (size, type of organization, sector, etc.). It can therefore also be read “through KRITIS glasses”, with the critical service as the focus of the ISMS scope.
How KRITIS and ISO 27001 certification are linked
Under the German IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), every KRITIS operator must operate an information security management system. Section 8a BSIG obliges operators to prove every two years that their IT security meets the state of the art, and since May 1, 2023 this has included operating attack detection systems (Section 8a (1a) BSIG). Compliance can be demonstrated, for example, with an ISO 27001 certificate or in accordance with the IT-Grundschutz methodology (IT basic protection) published by the Federal Office for Information Security (BSI).
ISO certification itself is therefore not mandatory. It is recommended nonetheless, especially for the protection goals of the critical services, because the contents of ISO 27001 are best practice for implementing a functioning ISMS. ISO 27001 also overlaps substantially with the IT-Grundschutz-Compendium published by the BSI: IT-Grundschutz is designed to be compatible with the international standard, and the BSI offers an ISO 27001 certification on the basis of IT-Grundschutz. In addition, the industry-specific security standards (B3S), which are drawn up by the sectors and recognized by the BSI, are a suitable basis for demonstrating your own implementation of security measures during the audit under Section 8a BSIG.
Beyond the federal laws, there is also an EU directive to strengthen cyber security: the cross-sector NIS2 Directive. Once transposed, it binds operators of essential and important entities in every EU member state, which includes the German KRITIS operators. NIS2 and ISO 27001 also overlap in many places. The difference is that NIS2 is transposed into national legislation and then applies by law, while ISO 27001 is an international standard for which any organization can obtain certification voluntarily.
Good reasons for certified information security for KRITIS operators
There are many reasons why KRITIS organizations should be certified according to ISO 27001, and why they should do so with software support. The most important are:
- Cyber defense and strengthening IT security
Every organization that complies with ISO 27001 raises its level of information security and protects itself against threats such as data theft and system failures, because it reduces the corresponding risks with specific measures and controls. This matters all the more for KRITIS organizations, which are popular targets for such attacks.
- Risk assessment
Anyone applying the standard must identify the relevant risks systematically and assess their likelihood and impact. Measures can then be selected and prioritized per risk rather than ad hoc. This systematic approach reduces the damage that an impaired KRITIS operator would cause to the population.
- Building trust
The certificate shows that the institution looks after its information security and holds itself to a high standard. The ISO/IEC standards are widely known, so certification strengthens the trust of the population, which after all depends on the KRITIS operators.
- Compliance fulfillment
Adhering to the ISO 27001 requirements helps to meet compliance expectations and makes it easier to maintain legal conformity. The standard also serves as a basis for upcoming changes: the more components are already documented and certified, the easier updates become, because a process-based understanding has already been established.
- Cost reduction
In the run-up to certification, security measures are optimized and responsibilities clarified. Risks are treated in order of priority. When an incident occurs, everyone involved knows what to do. This indirectly increases efficiency and productivity at every step of the IT security process.
- Competitive advantages
The globally recognized ISO standard gives a KRITIS operator an edge over non-certified competitors, not least because the certificate also satisfies legal obligations to provide evidence. Certified operators offer their customers and business partners greater (cyber) security and reliability. That affects cooperation not only qualitatively but also quantitatively: customers return more often and generate more sales.
- Support from auditors and inspectors
A KRITIS operator cannot certify itself to ISO 27001; an external auditor from an accredited certification body is brought in. This gives the facility an outside perspective that can uncover blind spots, and any relevant nonconformities must be rectified.
- Supply guarantee
ISO 27001 takes the context of the organization into account throughout, so experts can apply its requirements to any company. This flexibility of action helps to ensure the continuous provision of services to citizens.
- Protection goals
ISO 27001 provides a clear overview of what matters for information security, especially for an organization entering a KRITIS sector for the first time or crossing the threshold that makes its infrastructure critical for the community. The classic protection goals of information security, confidentiality, integrity and availability, are covered, and the controls of the standard address protection against attacks.
The German IT Security Act 2.0 must still be complied with in full, even where its requirements go beyond the ISO standard. This includes, for example, the obligation under Section 8b BSIG to report significant disruptions to the BSI. The standard does make international cooperation easier, since the certificate is recognized beyond Germany.
- Preparatory work for legal compliance
The Federal Office for Information Security states that an ISO/IEC 27001 certificate can be used as part of the proof in accordance with Section 8a (3) BSIG (Act on the Federal Office for Information Security: BSI Act - BSIG). However, the certificate does not automatically cover the entire relevant scope: the scope of the ISMS must be defined by the operator so that it includes the critical service and all systems that support it.
KRITIS organizations should therefore take a closer look at ISO 27001 certification and put it into practice.
Software-supported information security strategy
Critical infrastructures need to keep a wide range of threats on their radar; outages can also be caused by human error or natural disasters. Information security is nevertheless a crucial part of this picture.
An ISMS is therefore mandatory and should be verified by ISO certification. Implementing such a system and keeping it effective is easiest with software that gives you the best possible support in demonstrating compliance with the ISO standards. The OMNITRACKER GRC Center helps you to pass audits and to implement compliance requirements in a documented and audit-proof manner.