Together with the compliance controls catalogue "Definition of requirements for measures to be implemented in accordance with Section 8a (1) of the BSIG" of the BSI/IDW, the supplementary auditing practices of IDW PH 9.860.2 give operators of critical infrastructure and auditing bodies orientation on appropriate criteria for carrying out a proper audit of the security precautions taken, so that the necessary documentation of compliance pursuant to Section 8a (3) of the BSIG can be submitted. However, it is the responsibility of the operator and the auditing body to decide in the specific application scenario whether these requirements are suitable for the organisation or whether additional requirements are necessary.
In accordance with the implementation of sample audits detailed in the "Orientation guide to documentation of compliance pursuant to Section 8a (3) of the BSIG", sample audits are conducted exclusively as part of audits of effectiveness when applying IDW PH 9.860.2. Consistent with audits outside IDW PH 9.860.2, it must likewise be ensured that proof of the fulfilment of requirements from Section 8a (1) of the BSIG is provided through the implementation of audits of effectiveness (taking account of the additional framework conditions relating to submission of documentation as specified by the BSI). Implementing the adequacy audits alone in accordance with IDW PH 9.860.2 is therefore not equivalent.