

Effective protection for small and micro enterprises according to DIN SPEC 27076


Many small and medium-sized enterprises (SMEs) would like to do more for their IT security, but often do not know how. The established standards for setting up an information security management system, such as the BSI's IT-Grundschutz compendium or ISO/IEC 27001, are not well suited to companies with fewer than 50 employees in particular: they presuppose resources, roles and documentation that such companies usually do not have.

Consortium for the development of a DIN SPEC

In order to support these smaller companies as well, a consortium for the development of a DIN SPEC was founded in cooperation with the Bundesverband mittelständische Wirtschaft (BVMW). The German Federal Office for Information Security (BSI) led the consortium, and the BVMW served as deputy lead. Almost 20 other partners were involved, including the German Institute for Standardization (DIN), business development agencies, a subsidiary of the German Insurance Association (GDV), IT-Grundschutz experts, auditors, data protection experts and IT service providers.

The project was funded by the German Federal Ministry for Economic Affairs and Climate Action as part of the "Mittelstand Digital" program. The result of the consortium's eight months of work is DIN SPEC 27076 "IT Security Consulting for Small and Micro Enterprises" and the CyberRisikoCheck based on it. This enables small and micro enterprises to obtain standardized advice from IT service providers that is tailored to their situation. The DIN SPEC also standardizes the recommendations for action, so that both the client and the contractor know what service is to be expected and provided.

Conducting a CyberRisikoCheck

In a CyberRisikoCheck, an IT service provider interviews a company about its IT security for one to two hours. The interview covers 27 requirements from six topic areas and determines whether the company meets each of them. Points are awarded for the answers in accordance with the DIN SPEC. The company then receives a report containing, among other things, its overall score and a recommendation for action for each requirement that was not met. The recommendations are ordered by urgency and indicate which government support measures (at federal, state and municipal level) the company can make use of.

The CyberRisikoCheck is not an IT security certification. It does, however, allow a company to determine its own IT security level and shows which specific measures the company should implement itself or commission from an IT service provider.

The procedure for qualifying the IT service providers who conduct the survey is currently being developed.

Benefits for all involved

The cost of a CyberRisikoCheck is equivalent to one consultant's day. At the federal level, the check and the subsequent recommendations for action are already subsidized by 50 percent through the "go-digital" program, and several German states have signaled their willingness to provide funding as well. Since the BSI receives the anonymized survey data from the CyberRisikoChecks, the National IT Situation Center will for the first time have valid data on the cyber security of small and micro enterprises and can include it in the BSI's reports on the state of IT security in Germany. The CyberRisikoCheck thus also contributes to the further development of preventive offerings by the federal, state and local governments.

The DIN SPEC 27076 can be downloaded free of charge by IT service providers and other interested parties from Beuth-Verlag after prior registration.