Use of an existing ISO 27001 certificate as part of documentation of compliance pursuant to Section 8a (3) BSIG
A valid ISO/IEC 27001 certificate can be used as part of a documentation of compliance in line with Section 8a (3) BSIG, as long as some basic conditions are met. This applies both to native ISO/IEC 27001 certificates and to ISO/IEC 27001 certificates based on IT-Grundschutz.
An ISO/IEC 27001 certification does not automatically cover the entire scope relevant for the documentation of compliance in line with Section 8a BSIG. The scope of the documentation of compliance must cover the critical infrastructure or the essential service fully (process layer).
In addition, the information security process with regard to the essential service must be viewed through 'KRITIS glasses'. Avoiding shortage of supplies in essential services is very important in the context of KRITIS. The essential service must therefore be considered with the focus on avoiding shortage of supplies for the population.
The following section will consider the general framework conditions for the use of ISO/IEC 27001 certificates for documentation of compliance in line with Section 8a (3) BSIG:
Defining scope
The scope must include the systems operated according to the BSI KRITIS Regulation. The interfaces should be suitably defined.
Extended scope
The scope must be extended to outsourced areas and a comprehensive security assessment carried out from the KRITIS perspective. This can be based on ISO/IEC 27001 or other comparable procedures.
In the case of an existing ISO/IEC 27001 certification, the audit can be extended to the previously unaudited parts of the scope for documentation of compliance in accordance with Section 8a (3) BSIG. In this way, a supplementary audit of the area already audited can be carried out with regard to the KRITIS protection objectives. This means the documentation can be examined on the basis of the audit of an initial certification, a monitoring audit or a re-certification audit, and synergy effects can be used. The audit results form part of the documentation of compliance in accordance with Section 8a (3) BSIG.
Consideration of KRITIS protection objectives
The BSIG requires appropriate measures to be taken for the operation-relevant parts of the respective systems in accordance with the protection requirements.
Maintaining the security of supply of the population must be the central concern in information security risk management. The requirements placed on the provision of services are also referred to as KRITIS protection objectives. The KRITIS protection objectives of the operation-relevant parts are to be suitably defined. The KRITIS protection objectives (e.g. the availability of the essential service) are to be included in the operator's own risk analysis and additionally considered throughout all processes and safeguard implementations ('KRITIS glasses').
KRITIS IT protection needs
As part of risk management, the protection objectives of availability, confidentiality, integrity and authenticity must therefore be assessed in terms of the extent to which the essential service is maintained. A purely economic view is not generally sufficient (see 'Dealing with risks'). The impact on the functioning of the essential infrastructure and essential service should be considered as an indication of the level of risk to the public. For the risk treatment, it should also be considered that the effort required to implement the safeguards is proportionate to the level of risk for the population.
Note: Section 8a (1) BSIG requires '[...] Precautions to avoid disruption to availability, integrity, authenticity and confidentiality [...]'. Risk management based on the evaluation of confidentiality, integrity and availability, as is usual in ISO/IEC 27001 or IT-Grundschutz of the BSI, is possible as long as it is ensured that authenticity is considered in the risk assessment and selection of safeguards.
Dealing with risks
A purely economic consideration of the risks and the protection needs is not generally sufficient. In particular, the level of risk to the public, i.e. the impact on the functioning of the essential infrastructure and essential service, must be taken into account. In selecting safeguards, care must be taken to ensure appropriateness, i.e. the possible consequences of a failure or impairment of public services must be considered in relation to the cost of security precautions.
Risk acceptance
According to Section 8a (1) BSIG, risks in scope may not be accepted if state-of-the-art security precautions are possible and appropriate. Risk acceptance is only possible for the remaining residual risk.
Insurability of risks
A transfer of the risks, e.g. by insurance, is not a substitute for the security precautions in line with Section 8a (1) BSIG. In the case of insurance or other risk transfer, appropriate security precautions must also be taken in accordance with the state of the art. However, the KRITIS operator is free to take out additional insurance.
Implementation of safeguards
In principle, all the measures necessary for the maintenance of the essential service must be implemented as part of risk management. All safeguards that are only planned, for example in the continuous improvement process (CIP), in the implementation plan or in the risk treatment plan, must be included in the list of security deficiencies according to Section 8a (3) BSIG. In order to assess these deficiencies, explanatory documents such as the deficiency assessment, CIP documentation and implementation plan should also be submitted.