The BSI is aware of the publications of the IIR and the IDW. The key principles regarding the IS audit based on IT-Grundschutz that they contain are also taken into consideration in the guide. The process described in the guide is specifically based on the IT-Grundschutz methodology, making the guide particularly suitable for performing the IS audit based on the IT-Grundschutz within federal bodies.
If the method and the documentation of the IT security officer in these audits satisfy the requirements of the "Information security audit based on IT-Grundschutz" guide, and if the independent position of the IT security officer in the organisational structure of the institution is guaranteed, the resulting findings can be taken into account. However, please note that the B 1.0 "IT security management" module must be audited by an independent auditor in all cases and not by the IT security officer themselves.
If an organisation undergoing an audit has already established an ISMS in accordance with the BSI Standards, only negligible organisational expenses (e.g. meeting coordination, provision of working materials) should arise.
Provided the IT security officer and the internal audit department employees meet the relevant requirements in accordance with the guide (expert skill, personal suitability, independence, etc.), they can in principle assist with the audits. However, this depends on the specific circumstances of the organisation and should always be considered on a case-by-case basis and defined individually within the organisation's internal audit handbook.
If individual information domains of the organisation are certified according to ISO 27001 on the basis of IT-Grundschutz, re-certification and IS audits for these domains should be carried out together if possible. The findings of surveillance audits or certification procedures can be used for IS audits.
No! Because it is recommended that an IS short audit should always be carried out to form an opinion regarding where the comprehensive audit should begin, the use of a base audit as a fall-back position is unnecessary.