IT Security Regulatory Update | March 2023
FOCUS: IT-GRUNDSCHUTZ COMPENDIUM, CYBERSECURITY MATURITY LEVEL, BAFIN-FAQ OUTSOURCING NOTIFICATIONS
Highlight from March 2023
Preview of IT-Grundschutz
At its 1st IT-Grundschutz Day, the BSI presented what we can expect with regard to IT-Grundschutz during this year and next. This includes a preview of ISO 27001:2022, BSI Standard 200-4 and the 2024 edition of the IT-Grundschutz-Compendium.
What awaits us in IT-Grundschutz in the future
In March 2023, the 1st IT-Grundschutz Day of the Federal Office for Information Security (BSI) took place in Kassel. Among other topics, the eponymous IT-Grundschutz itself was addressed in general terms.
The current 2023 edition of the IT-Grundschutz-Compendium was already published in February, as presented here. The changes made were taken up and explained again in the course of the BSI event: the changes to the modules themselves, the textual adjustments and the revision of the cross-reference tables.
In addition, the BSI addresses the adjustments to ISO 27001:2022 in the context of IT-Grundschutz, which are primarily reflected in the catalog of measures (Annex A). The number of controls as well as the subject areas were reduced here.
The completion of the mapping table between ISO 27001 and ISO 27002 and the BSI’s IT-Grundschutz is still ongoing.
In addition to the usual revision cycles, the BSI presented an external project that deals with reducing the documentation effort for IT-Grundschutz. This should reduce complexity and relieve the burden on small institutions in particular, making it possible to implement IT-Grundschutz even without extensive know-how.
In his presentation, the head of the BSI Standards and IT-Grundschutz unit also discussed the changes to BSI Standard 200-4, which is available in its second community draft version. Particular attention was paid here to user feedback, resulting in many small and large improvements.
In this context, the mandatory and target requirements of a standard Business Continuity Management System (BCMS) were summarized in an Excel spreadsheet and adapted to the second Community Draft.
Finally, the BSI also ventures a look into the future. Accordingly, we can expect only a minor revision and minor new inclusions of modules in the 2024 edition of the IT-Grundschutz-Compendium. In the future, the structure of the modules will be optimized, and there will be a corresponding commenting and piloting phase for editions from 2025 onwards. Furthermore, the BSI intends to take a closer look at the points of contact between IT-Grundschutz and ISO 27001.
You can find the BSI presentation here on its website.
Source: Federal Office for Information Security – BSI, bsi.bund.de
Do you know your cybersecurity maturity level?
The European Union Agency for Cybersecurity (ENISA) wants to make it easier for small and medium-sized enterprises in particular to determine their level of maturity in the context of cybersecurity. To this end, it has published a tool to simplify the assessment.
Like many businesses, SMEs are affected by the current geopolitical situation and related rising cybersecurity risks and challenges. Unlike larger companies, however, they often struggle to adequately assess their cybersecurity and maintain or further establish it accordingly. ENISA’s maturity assessment tool is therefore primarily aimed at SMEs.
It is intended to make it possible to identify the risks to which companies are exposed. In addition, the tool enables the creation of an action plan that includes personalized follow-up actions based on the company’s evaluation. These measures stem from best practices and are suggested by ENISA’s tool. In this way, cybersecurity levels can be improved on an individual basis.
The assessment using the tool covers the human, technological and process dimensions of cybersecurity, so that each of the three can be evaluated separately.
The ENISA tool and further information can be found here on the ENISA website.
Source: European Union Agency for Cybersecurity (ENISA) – enisa.europa.eu
BaFin answers questions about the outsourcing notification procedure
In February, BaFin informed KWG- and ZAG-regulated institutions, investment companies and securities institutions as well as insurance companies and institutions for occupational retirement provision about the obligation to notify outsourcing (for details, see our February IT Security Update).
Numerous questions were asked about the MVP portal and the notification process, which BaFin had already addressed in its presentation at the event. It has now additionally published an FAQ website on these issues, covering questions in the following categories:
- Submission: questions about submitting the notification via the MVP portal
- Instructions for filling in the form: questions about the information contained in the notification
- Notifications of intention and execution: questions about the content and timing of the notification
- Significant changes: questions about corrections and changes
- Serious incidents: questions about the reporting of serious incidents in the course of an outsourcing matter
- Post-reporting: questions about outsourcings executed before the reporting deadline
- Portfolio questions: questions about the sample survey regarding the portfolio of outsourcings
You can find the FAQ website of BaFin here.
Source: © German Federal Financial Supervisory Authority / www.bafin.de
The planned simplification of IT-Grundschutz will make it easier for many companies to access and implement the basic requirements for IT security. In all likelihood, it is not only small companies that will benefit from the proposed revisions: the relief they promise for businesses of all sizes is worth a closer look.
In the course of implementing IT-Grundschutz, we at ADWEKO are happy to provide you with our expertise.
The current regulatory developments can be found here.
- BSI publishes checklist with FAQ around the verification according to §8a BSIG
- BSI publishes presentation documents on the practical perspective in the context of risk assessment and hazard analysis
- BSI shares presentation documents on IT-Grundschutz as the basis for holistic information security
- ENISA presents cybersecurity certificates
- BSI publishes list of DDoS mitigation service providers
- ENISA updates its market analysis framework based on a view of the cloud and cybersecurity market