Under the BSI Act (BSIG), the Federal Office for Information Security (BSI) is tasked with certifying information technology products, components and systems. The audits underlying these certifications are performed by BSI-recognised auditors or certified bodies.
The BSI can additionally certify IT security service providers. IABG was recently recertified by the BSI as one of only ten accredited auditors in Germany.
Recognition as an auditor or certification as an IT security service provider is granted by the BSI on application by the operator of the audit body. A basic condition is fulfilment of the requirements of DIN EN ISO/IEC 17025:2005. Key elements are an effective quality management system (QMS), specialist expertise in the requested areas of application, and an effective information security management system (ISMS). The required specialist competence is demonstrated by at least two certified IS auditors. The ISMS must either be certified to ISO 27001 on the basis of IT baseline protection (IT-Grundschutz), or its suitability must be demonstrated by the successful completion of a so-called IS-Kurzrevision (short IS audit) performed by the BSI. The latter route applies to the certified IABG body. That audit covered all IT baseline protection layers:
- Overarching aspects of IT baseline protection (e.g. security policy, security management, handling of security incidents)
- Infrastructure aspects of IT baseline protection (entrances and exits, fire and hazard alarm systems, gatehouse and/or security control centre, server room, distribution room, auxiliary installations, UPS, offices)
- Networks, network components, network and system management, security gateway
- Server and client systems
- Applications (e.g. e-mail, Active Directory)
The QMS audit was performed by two BSI employees.
Unique Selling Point (USP)
With IABG's certification as an IT security service provider, the BSI confirms that IABG meets the requirements outlined above. Public authorities in particular often make this certification a precondition for certain activities or tenders in specific areas of application.
The certification also serves as a recommendation in the private sector, which translates into competitive advantages for IABG. It is frequently a precondition for participating in tenders in the security field, as was recently the case with the successfully secured contract extension with the Bavarian State Ministry of the Interior, for Construction and Transport (StMI) covering work for Bavaria's integrated control centres.
On the basis of their personal certifications, staff of the audit department are entitled to perform audits under various regulations and standards, for instance:
- ISO 27001 certification on the basis of IT baseline protection (IT-Grundschutz)
- International standard ISO 27001
- BSI TR-03109-6 (Smart Meter Gateway Administration)
- BSI TR-03145 (Secure CA Operation)
- Sec. 11 para. 1a EnWG [German Energy Industry Act] ("IT security catalogue for power suppliers")
- Sec. 8a para. 3 BSIG ("IT security in critical infrastructures")
As a certified IT security service provider for IS consulting and IS audits, IABG has implemented and continues to implement numerous projects, e.g.
- IS audits for all integrated BRK control centres, for a national grid, and for a federal institution in the financial sector
- Certification audits for ILS Munich as well as for various companies, a federal authority in the security sector, several power suppliers and a high-security data centre
- Advisory services for authorities and companies (e.g. control centres and power suppliers).