CRITIS & ISO 27001 for a Public Utility 


Project Overview 

Our client, a major public utility company, needed to transition from the B3S water and wastewater industry standard to the Basic Protection Compendium and methodology. The primary goal was to ensure that critical facilities and processes met the stringent requirements of the BSIG CRITIS 8a examination and to achieve ISO 27001 certification based on IT baseline protection.

Standards: B3S, ISO 27001

Services: GRC Tool

Project Description 

Building Information Networks to Integrate the Entire Organization into ISMS Based on IT Baseline Protection 

To achieve this, we undertook a comprehensive project that involved the following steps: 

  • Creation of the Scope Design with Multiple IT Networks 
  • Creation of Object and Subobject Types as well as the Nomenclature/Identifiers 
  • Transfer of Assets and Integration into the New Structure 
  • Modeling of Processes and Their Dependencies 
  • Establishing the Procedure for Determining the Protection Needs and Its Inheritance 
  • Structuring the Automatic Module Mapping to Target Objects 
  • Defining the Procedure for Conducting the IT Baseline Protection Check 
  • Preparing a Concept for Risk Management 
  • Creation of the Basic Threat Catalog with Initial Assessment 
  • Providing Information Security Concepts and Revising Internal Procedures 

Outcome 

Within a very short project duration, both the CRITIS audit and the foundation for ISO 27001 certification based on IT baseline protection were achieved. Running the IT baseline protection check in the GRC tool allowed real-time tracking of progress on requirement verification and fulfillment. The integrated task management function enabled monitoring and control of responsibilities and tasks.

The client received a future-proof solution for their ISMS. They can migrate to the latest compendium at any time, customize the system according to their specifications, and benefit from support for all future functions and features. 
