B3S
Software, use cases & solutions

What is B3S?
A B3S (Branchenspezifischer Sicherheitsstandard, industry-specific security standard) is a security standard drawn up by an industry sector to implement the requirements of the German IT Security Act (BSIG); the BSI checks each B3S for suitability before operators can rely on it as evidence under § 8a BSIG.
It describes how operators of critical infrastructures (KRITIS) implement appropriate organizational and technical measures to protect their systems and information.
The aim is to permanently ensure the availability, integrity, authenticity and confidentiality of critical services and the underlying information and IT systems.
Suitable software can be used to document and link security measures, responsibilities, processes and evidence in a standardized manner.
A B3S creates a binding framework for:
- the implementation of legal KRITIS requirements
- clearly defined responsibilities and security processes
- comprehensible technical and organizational measures
- reliable evidence for audit bodies and authorities

Use cases
Use cases relating to ISMS, risk and compliance management

- Control audits centrally: plan audits, document results and generate audit reports automatically.
- Manage documents in an audit-proof manner: version and edit them directly in the tool and use templates and import functions.
- Run gap analyses against standards and regulations such as ISO 27001, ISO 9001 or NIS2, including maturity assessment, responsibilities and document assignment.
- Evaluate and manage suppliers centrally, document contracts and maintain contact details and replacement suppliers.
- Derive measures, distribute tasks, track deadlines and receive automatic e-mail notifications.
- Document and evaluate security incidents in line with ISO 27001 and NIS2, assign the affected assets and derive measures centrally.
Why ISMS?
Why an information security management system forms the basis
Many KRITIS operators face the challenge of setting up an ISMS in a structured manner. There is often no central information base, responsibilities are not clearly defined and risks and measures are only recorded in a fragmented manner.
Critical functions, protection requirements, risks, measures (TOMs), processes, assets and responsibilities are mapped uniformly in i-doit and thus form the foundation for implementing a B3S.
Advantages:
- Clear entry: ready-made structure for risks, measures, protection requirements, responsibilities and documents.
- Complete traceability: every measure, test, effectiveness assessment and decision is automatically versioned and historicized.
- B3S-compliant process support: risk analysis, risk treatment, effectiveness checks, continuity management and continuous improvement are integrated.
Each B3S requirement is managed as a separate data record, including responsibilities, status or maturity level, implementation notes, dependencies and the relevant links to systems, processes or documents.

3 steps to an ISMS
How you can achieve your ISMS in 3 steps
1. Recognize critical functions and risks
Asset management is a central element of B3S:
KRITIS operators need to know comprehensibly which systems and components they use, where they are located, what function they fulfill in the supply, what protection requirements exist and what risks arise from them.
Our solutions map these requirements by centrally recording, structuring and logically linking all relevant information assets - from systems, networks and applications to locations, operating processes and service providers through to roles and responsibilities.
On this basis, the risk analysis can be carried out in a targeted manner.
Threats, vulnerabilities and effects are applied directly to the respective objects so that the risk assessment does not remain abstract, but is carried out specifically on the basis of the real system and process landscape.
Advantages:
- B3S-compliant asset management: All relevant system components, operating processes and responsibilities are recorded in a complete, structured and verifiable manner.
- Risk analysis on the object: Threats, vulnerabilities and effects can be assessed directly on assets, processes or critical functions - not in tables or Excel lists.
- Assignable measures: Technical and organizational measures (TOMs) can be assigned directly to the affected assets, risks or processes.
- Integrated determination of protection requirements: Criticality and the protection requirements for confidentiality, integrity and availability are assessed centrally and automatically flow into risk and measure decisions.

2. Plan, implement and verify measures
ISO 27001 requires that identified risks are treated by means of suitable controls. The reference controls in Annex A serve as the baseline against which the selected controls are compared; they are chosen depending on the risk and can be supplemented by your own measures.
Our tools allow you to fully map this process: Measures are recorded in a structured manner, assigned to the relevant risks and assets and documented in an audit-proof manner. This makes it possible to see at any time which controls have been implemented, checked or are still open.
Advantages:
- Coverage of all Annex A controls: Measures can be structured and assigned directly in accordance with the 93 controls of ISO/IEC 27001:2022 Annex A.
- Audit-proof documentation: every change is historicized - ideal for internal and external audits
- Responsibilities & deadlines: Each control is assigned a responsible person, due dates and status
- Integrated effectiveness check: PDCA cycle with regular review and verification.
- Direct link to assets & risks: Measures do not take effect in the abstract - they are linked to the actual system or process.
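The two steps above describe one data model: assets that carry protection requirements, risks assessed on those assets, and measures linked to the risks they treat, with every status change historised. The following Python module is an added illustration of that model; it is not i-doit code. The three-level protection-requirement scale, the open/implemented/verified status model, the residual-risk rule, the control identifiers and the sample assets are constructed assumptions.

```python
"""Object-based risk register for ISMS steps 1 and 2: assets carry
protection requirements, threats are assessed on those assets, measures
are linked to the risks they treat, and every status change is historised.

Added illustration, not i-doit code. Scales, status model, residual-risk
rule and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed three-level protection-requirement scale (normal / high / very high).
LEVELS = {"normal": 1, "high": 2, "very_high": 3}


@dataclass
class Asset:
    name: str
    kind: str                        # server, process, service provider, ...
    confidentiality: str             # protection requirement per CIA dimension
    integrity: str
    availability: str
    critical_function: Optional[str] = None   # the KRITIS service this asset supports

    def impact(self, dimension: str) -> int:
        """Impact is derived from the asset's protection requirement, not re-typed per risk."""
        return LEVELS[getattr(self, dimension)]


@dataclass
class HistoryEntry:
    timestamp: str
    actor: str
    old_status: str
    new_status: str
    reason: str


@dataclass
class Measure:
    ident: str                       # Annex A control id or an own measure id
    title: str
    owner: str
    status: str = "open"             # open -> implemented -> verified (PDCA check)
    history: List[HistoryEntry] = field(default_factory=list)

    def set_status(self, new: str, actor: str, reason: str) -> None:
        """Only defined transitions are allowed; each one is recorded with actor and reason."""
        allowed = {"open": {"implemented"}, "implemented": {"verified", "open"}, "verified": {"open"}}
        if new not in allowed[self.status]:
            raise ValueError(f"{self.ident}: transition {self.status} -> {new} not allowed")
        self.history.append(HistoryEntry(datetime.now(timezone.utc).isoformat(),
                                         actor, self.status, new, reason))
        self.status = new


@dataclass
class Risk:
    asset: Asset
    threat: str
    dimension: str                   # CIA dimension the threat affects
    likelihood: int                  # 1..3, assumed scale
    measures: List[Measure] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.asset.impact(self.dimension)

    def residual_score(self) -> int:
        """Assumed rule: each *verified* measure lowers the score by one;
        implemented-but-unchecked measures earn no credit."""
        verified = sum(1 for m in self.measures if m.status == "verified")
        return max(1, self.score - verified)


def coverage_report(risks: List[Risk]) -> Dict[str, List[str]]:
    """Step 2 view: which risks have no measure, an unverified measure, or a verified one."""
    report: Dict[str, List[str]] = {"untreated": [], "unverified": [], "treated": []}
    for r in risks:
        label = f"{r.asset.name}: {r.threat}"
        if not r.measures:
            report["untreated"].append(label)
        elif any(m.status == "verified" for m in r.measures):
            report["treated"].append(label)
        else:
            report["unverified"].append(label)
    return report


def risks_for_function(risks: List[Risk], function: str) -> List[Risk]:
    """Step 1 view: risks touching one critical function, highest residual score first."""
    hits = [r for r in risks if r.asset.critical_function == function]
    return sorted(hits, key=lambda r: r.residual_score(), reverse=True)


def build_sample() -> List[Risk]:
    """Constructed sample data (assumption): a control server and a backup provider."""
    scada = Asset("scada-01", "server", "high", "very_high", "very_high", "water supply control")
    backup = Asset("backup-svc", "service_provider", "high", "high", "normal")
    patching = Measure("A.8.8", "Management of technical vulnerabilities", owner="ops-lead")
    redundancy = Measure("OWN-01", "Redundant control path", owner="plant-eng")
    risks = [
        Risk(scada, "unpatched RCE in HMI software", "integrity", 2, [patching]),
        Risk(scada, "loss of control network", "availability", 2, [redundancy]),
        Risk(backup, "backup provider outage", "availability", 3),
    ]
    patching.set_status("implemented", "ops-lead", "monthly patch cycle established")
    redundancy.set_status("implemented", "plant-eng", "second fibre path commissioned")
    redundancy.set_status("verified", "isms-auditor", "failover test passed")
    return risks


if __name__ == "__main__":
    sample = build_sample()
    print(coverage_report(sample))
    for r in risks_for_function(sample, "water supply control"):
        print(r.threat, r.score, r.residual_score())
```

The point of `residual_score` is that an implemented measure counts for nothing until its effectiveness has been checked, which is the distinction the PDCA bullet above draws; `coverage_report` is the "implemented, checked or still open" view, and `Measure.history` is what an auditor reads to see who changed a status, when and why.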

3. Manage policies and procedures in an audit-proof manner
The B3S requires structured, traceable and version-controlled documentation of all security-relevant information - from policies and operating procedures to emergency concepts and evidence of testing and effectiveness. Every document must have a clear owner, be kept up to date and demonstrably take effect in the context of the critical services.
With our tools, these documents can be managed centrally, assigned to responsible parties, versioned and linked directly to assets, risks, measures and processes.
This creates a consistent, auditable documentation basis that meets the requirements of the B3S audit procedures.
Advantages:
- Central storage of all security-relevant documents: policies, operating and emergency procedures, work instructions, logs and test reports in one place.
- Versioning & historization: Changes are stored in an audit-proof manner - including the person responsible, time stamps and reason for change.
- Evidence management for B3S audits: Decisions, measures, audits and effectiveness assessments are fully traceable.
- Link to assets, risks & measures: Documents do not exist in isolation, but in the context of the actual infrastructure, processes and KRITIS responsibilities.

Example use cases
Take a look at further use cases
1. Import of existing assets
Many companies already have data on systems, applications, locations, contracts or responsibilities. However, it is often scattered across Excel lists, internal repositories, monitoring information or previous inventories. Instead of manually entering this information again, existing structures can be adopted and integrated into a central information security architecture.
The import enables an orderly consolidation of all relevant assets - from technical components, cloud services and process data to roles and responsibilities. During the import process, the data is classified, responsibilities are assigned and dependencies are made visible.
On this basis, protection requirements can be determined, risks assessed and suitable measures assigned in accordance with ISO 27001.
Advantages:
- No starting from scratch: existing information is transferred instead of newly recorded
- Transparency: assets, responsibilities and dependencies are clearly visible
- Structure: classification, protection requirements and risks can be assigned directly
- Traceability: changes are versioned and documented for auditing purposes
- Future-proof: repeatable imports avoid data silos and duplicate maintenance
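The consolidation and the "repeatable imports avoid duplicates" claim above amount to a concrete procedure: map each source's columns onto one target schema, derive a stable key so the same asset arriving from two exports becomes one record, merge fields, and historise only real changes so that re-running the import is idempotent. The Python below is an added example of that procedure, not i-doit's import function. The two CSV exports, the column mapping, the key rule (lower-cased short hostname) and the target field names are constructed assumptions.

```python
"""Repeatable asset import: consolidate records from several sources into
one inventory keyed on a normalised identifier, merge fields, and record
which source supplied each value. A second run over the same input must
create neither duplicates nor new history entries.

Added illustration, not i-doit's import. Column names, key rule and the
sample CSV text are constructed assumptions."""
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample exports (assumption): an Excel list and a monitoring
# export that name the same things differently.
EXCEL_EXPORT = """Hostname,Location,Owner,Classification
SCADA-01,Plant North,ops-lead,
Backup-Srv,DC1,it-ops,internal
"""
MONITORING_EXPORT = """host,ip,site,criticality
scada-01.plant.local,10.0.5.10,Plant North,high
fw-edge-01,10.0.0.1,DC1,high
"""

# Map each source's columns onto one target schema (assumption).
COLUMN_MAP = {
    "excel": {"Hostname": "name", "Location": "location", "Owner": "owner",
              "Classification": "classification"},
    "monitoring": {"host": "name", "ip": "ip", "site": "location",
                   "criticality": "criticality"},
}

# (asset key, field, old value, new value, source) - the import's change history
Change = Tuple[str, str, str, str, str]


def asset_key(name: str) -> str:
    """Stable key: lower-case short hostname, so 'SCADA-01' and
    'scada-01.plant.local' resolve to the same asset."""
    return name.strip().lower().split(".")[0]


def import_source(inventory: Dict[str, dict], source: str, text: str,
                  history: List[Change]) -> None:
    """Merge one export into the inventory; only genuine value changes are historised."""
    mapping = COLUMN_MAP[source]
    for row in csv.DictReader(io.StringIO(text)):
        record = {mapping[col]: val.strip() for col, val in row.items()
                  if col in mapping and val and val.strip()}
        key = asset_key(record["name"])
        entry = inventory.setdefault(key, {"name": key, "sources": set()})
        entry["sources"].add(source)
        for field_name, value in record.items():
            if field_name == "name":
                continue
            if entry.get(field_name) != value:
                history.append((key, field_name, entry.get(field_name, ""), value, source))
                entry[field_name] = value


def unclassified(inventory: Dict[str, dict]) -> List[str]:
    """Assets that still lack a classification and therefore cannot yet get a protection requirement."""
    return sorted(k for k, e in inventory.items() if "classification" not in e)


def run_import(passes: int = 2) -> Tuple[Dict[str, dict], List[Change]]:
    """Run both sources `passes` times; the history must not grow after the first pass."""
    inventory: Dict[str, dict] = {}
    history: List[Change] = []
    for _ in range(passes):
        import_source(inventory, "excel", EXCEL_EXPORT, history)
        import_source(inventory, "monitoring", MONITORING_EXPORT, history)
    return inventory, history


if __name__ == "__main__":
    inv, hist = run_import()
    for key, entry in sorted(inv.items()):
        print(key, entry)
    print(len(hist), "changes recorded; unclassified:", unclassified(inv))
```

Two design points matter in practice: the key must be derived from a property that every source carries and that does not change on re-export (here the short hostname), and the change history must record the source, because when two exports disagree on a field the last one wins and an auditor needs to see where a value came from.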

2. IT concepts, emergency and system manuals
Create, link and maintain operational and emergency documentation in a structured and audit-proof manner.
With our tools, you can create and maintain all important technical documentation in a complete, up-to-date and audit-proof manner. Data changes are automatically transferred to emergency and system manuals, operating concepts and guidelines. These can be linked directly to the associated assets, processes and locations. This means that all documentation is automatically fed with real statuses from the IT landscape and remains permanently consistent.
All relevant information such as responsibilities, operating parameters, dependencies, restart procedures and recovery targets (RTO/RPO) is maintained and versioned centrally. Because the documentation is connected to the infrastructure, applications and services, it is not only maintained but actively used and kept up to date. This is one of the most important factors for audits, certifications and operational stability.
Advantages:
- Centralized, versioned and audit-proof documentation
- Clear responsibilities and traceable operating processes
- Audit-proof evidence in accordance with ISO 27001, NIS2 and BSI requirements
- Faster restart times in an emergency thanks to clear, always up-to-date instructions
- Transparent dependencies between systems, processes and services

3. Security incident management
Link processes and associated assets
Control IT service processes efficiently and transparently. With the integration of ticket systems in i-doit, you can bundle all processes in one place, from fault reports and change requests to service requests. The link to your assets, contracts and responsibilities creates a central information base for the entire IT operation.
Tickets are documented in a traceable manner, automatically classified and can be prioritized, delegated and closed using defined workflows. This creates a smooth process between technology, organization and support.
Advantages:
- Standardized control of all IT processes
- Clear responsibilities and faster response times
- Seamless traceability of changes and measures
- Direct connection to CMDB objects and documentation
- Basis for key figures, evaluations and process optimization

4. Supplier management
External service providers, hosting providers, maintenance partners or cloud services are often directly involved in critical business processes. Structured supplier management makes it possible to map their services, risks, contracts and dependencies centrally. Responsibilities, service levels, security requirements and effects on information assets are documented in a traceable manner and linked to the relevant processes and measures.
This allows companies to retain control over which suppliers have access to which information assets, which requirements apply to them and whether the agreed protective measures are actually being adhered to.
Advantages:
- Transparency across all security-relevant suppliers and service providers
- Traceable assignment to assets, processes, locations and risks
- Clear responsibilities, competencies and service levels
- Contractual security requirements and compliance specifications can be documented centrally
- Ready to provide evidence for audits, certifications and regulatory checks

5. Control and distribution of tasks and access
A functioning ISMS requires clear responsibilities. Who evaluates measures, who releases risks, who is allowed to change guidelines or who is only allowed to read - all of this determines security, efficiency and auditability.
Finely granulated role and authorization concepts clearly assign responsibilities: Teams, departments and individuals are given exactly the access they need for their tasks. Sensitive information remains protected, operational processes remain transparent and evidence is not diluted.
Advantages:
- Clear responsibilities: Roles and tasks are clearly assigned - no gray areas or duplication of responsibilities.
- Finely granulated access control: Authorizations for objects, categories and processes can be precisely defined.
- Protection of sensitive information: Critical data is only visible and editable for authorized users.
- Auditability through traceability: every action can be traced back in terms of time, organization and personnel.
- Reduced errors and misunderstandings: Teams only work with the information they really need.
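The role concept described above (permissions scoped to object categories, sensitive data visible only with explicit authorisation, every action traceable to a person and time) can be shown as a small authorisation check. The Python below is an added example of such a check and is not i-doit's permission system. The roles, categories, actions, the separation-of-duties rule that whoever implemented a measure may not verify it, and the sample users are constructed assumptions.

```python
"""Role-based authorisation for ISMS objects with an audit trail.

Added illustration, not i-doit's permission system. Roles, categories,
actions, the separation-of-duties rule and the sample users are
constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# A permission is (category, action); "*" matches any category or any action.
ROLES: Dict[str, Set[Tuple[str, str]]] = {
    "reader":        {("*", "read")},
    "measure_owner": {("*", "read"), ("measure", "edit"), ("measure", "implement")},
    "auditor":       {("*", "read"), ("measure", "verify")},
    "ciso":          {("*", "read"), ("risk", "accept"), ("policy", "edit")},
}
# Categories that require an explicit per-user grant on top of a role permission.
SENSITIVE = {"incident"}


@dataclass
class User:
    name: str
    roles: Set[str]
    explicit_grants: Set[str] = field(default_factory=set)   # sensitive categories this user may access


@dataclass
class IsmsObject:
    ident: str
    category: str                # measure, risk, policy, incident, ...
    implemented_by: str = ""     # who set a measure to 'implemented' (separation of duties)


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    obj: str
    action: str
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEvent] = []


def _role_permits(user: User, category: str, action: str) -> bool:
    for role in user.roles:
        for cat, act in ROLES.get(role, set()):
            if cat in ("*", category) and act in ("*", action):
                return True
    return False


def authorize(user: User, obj: IsmsObject, action: str) -> bool:
    """Decide and always log the decision; denials are evidence too."""
    if obj.category in SENSITIVE and obj.category not in user.explicit_grants:
        allowed, reason = False, "sensitive category without explicit grant"
    elif action == "verify" and obj.implemented_by == user.name:
        allowed, reason = False, "separation of duties: implementer may not verify"
    elif _role_permits(user, obj.category, action):
        allowed, reason = True, "role permission"
    else:
        allowed, reason = False, "no matching role permission"
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                user.name, obj.ident, action, allowed, reason))
    return allowed


def audit_trail(obj_ident: str) -> List[AuditEvent]:
    """Everything that was attempted on one object, in order: who, when, what, allowed or not."""
    return [e for e in AUDIT_LOG if e.obj == obj_ident]


if __name__ == "__main__":
    alice = User("alice", {"measure_owner"})
    bob = User("bob", {"auditor"})
    measure = IsmsObject("M-1", "measure", implemented_by="alice")
    print(authorize(alice, measure, "edit"), authorize(alice, measure, "verify"),
          authorize(bob, measure, "verify"))
    for e in audit_trail("M-1"):
        print(e.actor, e.action, e.allowed, e.reason)
```

Logging refused attempts is deliberate: a trail that only contains successful actions cannot show an auditor that the control actually blocked anything, and the separation-of-duties rule is what keeps the effectiveness evidence from being "diluted" by the same person implementing and signing off a measure.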


