To receive an IT-Grundschutz Certificate, a licensed auditor must have confirmed that those standard security safeguards described in the IT Baseline Protection Manual which are relevant to the IT assets under consideration have been implemented. This procedure requires trained auditors to ensure that the results of an IT-Grundschutz Audit are reproducible and correct.
Auditors must therefore demonstrate that they have the necessary technical expertise and are familiar with and adhere to the prescribed scheme. Auditors must be licensed personally by the BSI. To become an IT-Grundschutz Auditor, auditors must first of all prove that they possess the relevant technical competence. This requires that a sound knowledge of IT-Grundschutz and the qualification scheme is demonstrated. They must provide evidence of at least two years' professional experience in the area of IT security and have handled a minimum of three projects relating to IT-Grundschutz. In addition, prospective auditors must attend a training course on the qualification scheme. At the end of this course, the BSI tests the knowledge acquired and, if the candidate is successful, a licence is issued.
The IT-Grundschutz Auditor's licence also presupposes that a licensing contract has been concluded with the BSI. This contract regulates the rights and duties of the auditor and other legal aspects.
A licence is valid for a period of five years. During this period the BSI makes provision for the annual exchange of experiences between IT Baseline Protection Auditors so as to ensure the uniformity of the procedure and help develop the IT-Grundschutz certification scheme further. A licence issued by the BSI can be revoked if the auditor fails to attend the required number of experience sharing events or is proved to have negligently contravened the Audit Scheme for Auditors.
Acceptance of the auditor
The demand from IT security experts wishing to become approved IT-Grundschutz-Auditors has been very high from the start and is showing no signs of dropping off. There are several reasons for this:
- Licensing as an IT-Grundschutz Auditor is so far the only form of official qualification for IT security experts in Germany that is issued by a government agency.
- The title of auditor can enhance the external reputation of both the auditor and also the company that employs the auditor.
- The auditor's qualification ensures standard, reproducible results when performing IT security analyses.
- The methodology underlying the qualification is generally accepted.
- Experience shows that organisations are more enthusiastic about implementing security measures if a licensed auditor can be involved.
The large number of active IT-Grundschutz Auditors naturally also means that in many companies they have provided the incentive to carry out security audits with the aim of achieving an IT-Grundschutz qualification.