
KRITIS

Software, use cases & solutions



Introduction

What is KRITIS?

Critical infrastructures (KRITIS) are organizations and facilities whose services are indispensable for public life and the economy, for example in the areas of energy, water, health, transport or IT.

KRITIS obliges operators to identify risks, implement suitable security measures and demonstrate their effectiveness in order to ensure the availability and functionality of critical infrastructures.

KRITIS creates a framework for:

  • the structured handling of risks
  • clearly defined responsibilities
  • technical and organizational protective measures
  • emergency management and security incidents
  • comprehensible evidence for the authorities

Use cases

Use cases relating to ISMS, risk and compliance management

Audit management

You control audits centrally, plan audits, document results and automatically generate audit reports.


Document management

You can manage documents in an audit-proof manner, version and edit them directly in the tool and use templates and import functions.


GAP analysis

i-doit supports GAP analyses according to standards such as ISO 27001, ISO 9001 or NIS2, including maturity level assessment, responsibilities and document assignment.


Supplier management

You evaluate and manage suppliers centrally, document contracts and maintain contact details and replacement suppliers.


Action management

You derive measures, distribute tasks, track deadlines and receive automatic notifications by e-mail.


Security incident management

You document and evaluate security incidents in accordance with ISO and NIS2, assign affected assets and centrally derive measures.


Why ISMS?

Why an information security management system forms the basis

Operators of critical infrastructures often face the same problem: there is no central information base for security-related issues. Responsibilities are distributed, risks are considered selectively and measures are stored in folders, tables or departments.

However, KRITIS does not require a collection of individual measures, but a functioning management system that controls risks, processes, responsibilities and evidence in a comprehensible manner.
Without an ISMS, there are gaps that become apparent during an audit at the latest: missing dependencies, unclear roles, no proof of effectiveness.

Advantages:

  • Clear entry: Structured model for risks, measures, protection requirements, responsibilities and documents - without scattered Excel lists or heterogeneous filing systems.
  • Complete traceability: Every decision, test, effectiveness assessment and change is versioned and historicized - a key point for KRITIS audits.
  • Process support according to KRITIS: Risk analysis, risk treatment, emergency and restart planning, service provider management, incident management and continuous improvement are integrated and systematically controllable.

Each requirement of the standard is managed as a separate data record - with responsible persons, maturity level, implementation instructions and links.


3 steps to an ISMS

How you can achieve your ISMS in 3 steps

1. Recognize critical functions and risks

Asset management is a key component for KRITIS operators:
It must be possible to understand which systems, facilities and processes are in use, what role they play in the operation of critical services, how high their protection requirements are and what risks arise from them.

Structured asset recording fully maps these requirements:
All relevant information assets - from technical components and network segments to applications, locations and operating processes through to external service providers and responsibilities - are centrally recorded, logically linked and assessed according to their criticality.
On this basis, the risk analysis is carried out not in the abstract, but in the real system and process context.

Threats, vulnerabilities and effects are assigned directly to the respective objects, so that the assessment is not based on tables or gut feeling, but on the actual operational dependency.

Advantages:

  • KRITIS-compliant asset management: All relevant system components, business and operating processes and responsibilities are recorded in a complete, structured and auditable manner.
  • Risk analysis on the object: Threats, vulnerabilities and effects can be assessed directly on assets, process chains or critical functions - instead of in isolated lists.
  • Assignable measures: Technical and organizational security measures can be assigned directly to the affected assets, risks or processes.
  • Integrated determination of protection requirements: Criticality and impact on availability, integrity and confidentiality are assessed centrally and are automatically incorporated into risk and measure decisions.

Requirements can be defined for different assets and asset groups.


2. Plan, implement and demonstrate measures

For KRITIS operators, identified risks and vulnerabilities must be addressed through appropriate technical and organizational measures.
These measures must be implemented effectively, comprehensibly and in line with real systems, operating processes and dependencies - not as theoretical specifications.

This is exactly what a structured measures management system makes possible:
Measures are recorded centrally, assigned to the relevant risks, systems or processes and documented in an audit-proof manner.
This makes it possible to see at any time which measures have been implemented, checked, adapted or are still open - and what impact they have on the operational safety of critical services.

Advantages:

  • KRITIS-compliant measure management: Technical and organizational measures are systematically recorded, prioritized and implemented - instead of being scattered in lists or individual projects.
  • Audit-proof documentation: Every change, evaluation and effectiveness check is historicized - reliable for internal controls and external audits.
  • Responsibilities & deadlines integrated: Each measure is assigned responsible parties, due dates and status; delays can be escalated and verifiably addressed.
  • Proof of effectiveness: Measures are not only defined, but also regularly checked for effectiveness - including adjustments and lessons learned.
  • Direct link to assets & risks: Measures are attached to real systems, processes or service provider chains - not abstract or isolated.

Implementation status of your ISO 27001 catalog of measures including verification requirements


3. Manage policies and procedures in an audit-proof manner

For KRITIS operators, structured, traceable and version-controlled documentation of all security-relevant content is absolutely essential - from guidelines and operating procedures to emergency and restart concepts through to tests, measures and proof of effectiveness.
This documentation must be clearly assigned, up-to-date and effective in the context of the actual systems, processes and risks.

A central documentation management system fulfills precisely these requirements:
Guidelines, processes, work instructions, incident logs and audit reports are managed in a standardized manner, versioned and directly linked to assets, risks, measures and responsibilities.
The result is a consistent and auditable documentation basis that stands up to KRITIS audits - without scattered folders, islands of knowledge or gaps in interpretation.

Advantages:

  • Central storage of all security-relevant documents: guidelines, operating and emergency procedures, work instructions, protocols and test reports in one place.
  • Versioning & historization: Changes are documented in an audit-proof manner - including the person responsible, time stamps and reason for change.
  • Evidence management for KRITIS audits: Decisions, measures, incidents and effectiveness assessments are fully traceable and auditable.
  • Link to assets, risks & measures: Documents are not isolated, but in the direct context of the real infrastructure, processes and responsibilities.

Implementation status of your ISO 27001 catalog of measures including verification obligations


Industries

View all solutions for your industry

Example use cases

Take a look at further use cases

1. Import of existing assets

Many companies already have data on systems, applications, locations, contracts or responsibilities. However, it is often scattered across Excel lists, internal repositories, monitoring information or previous inventories. Instead of manually entering this information again, existing structures can be adopted and integrated into a central information security architecture.

The import enables an orderly consolidation of all relevant assets - from technical components, cloud services and process data to roles and responsibilities. During the import process, the data is classified, responsibilities are assigned and dependencies are made visible.

On this basis, protection requirements can be determined, risks assessed and suitable measures assigned in accordance with ISO 27001.

Advantages:

  • No starting from scratch: existing information is transferred instead of newly recorded
  • Transparency: assets, responsibilities and dependencies are clearly visible
  • Structure: classification, protection requirements and risks can be assigned directly
  • Traceability: changes are versioned and documented for auditing purposes
  • Future-proof: repeatable imports avoid data silos and duplicate maintenance

Image shows: Import your existing assets from Excel or other third-party tools

2. IT concepts, emergency and system manuals

Create, link and maintain operational and emergency documentation in a structured and audit-proof manner.

With our tools, you can create and maintain all important technical documentation in a complete, up-to-date and audit-proof manner. Data changes are automatically transferred to emergency and system manuals, operating concepts and guidelines. These can be linked directly to the associated assets, processes and locations. This means that all documentation is automatically fed with real statuses from the IT landscape and remains permanently consistent.

All relevant information such as responsibilities, operating parameters, dependencies, restart processes and recovery times (RTO/RPO) is maintained and versioned centrally. The connection to infrastructure, applications and services means that documentation is not only maintained, but actively lived and constantly kept up to date. This is one of the most important factors for audits, certifications and operational stability.

Advantages:

  • Centralized, versioned and audit-proof documentation
  • Clear responsibilities and traceable operating processes
  • Audit-ready and audit-proof evidence in accordance with ISO 27001, NIS2 and BSI requirements
  • Faster restart times in an emergency thanks to clear, always up-to-date instructions
  • Transparent dependencies between systems, processes and services

Picture shows: System and emergency manuals can be generated from the available information. These can be regularly updated and stored in a georedundant manner.

3. Security incident management

Link processes and associated assets

Control IT service processes efficiently and transparently. With the integration of ticket systems in i-doit, you can bundle all processes in one place, from fault reports and change requests to service requests. The link to your assets, contracts and responsibilities creates a central information base for the entire IT operation.

Tickets are documented in a traceable manner, automatically classified and can be prioritized, delegated and closed using defined workflows. This creates a smooth process between technology, organization and support.

Advantages:

  • Standardized control of all IT processes
  • Clear responsibilities and faster response times
  • Seamless traceability of changes and measures
  • Direct connection to CMDB objects and documentation
  • Basis for key figures, evaluations and process optimization

Image shows: Security incidents can be recorded centrally and included in the risk assessment


4. Supplier management

External service providers, hosting providers, maintenance partners or cloud services are often directly involved in critical business processes. Structured supplier management makes it possible to map their services, risks, contracts and dependencies centrally. Responsibilities, service levels, security requirements and effects on information assets are documented in a traceable manner and linked to the relevant processes and measures.

This allows companies to retain control over which suppliers have access to which information assets, which requirements apply and whether agreed protective measures are being adhered to.

Advantages:

  • Transparency across all security-relevant suppliers and service providers
  • Traceable assignment to assets, processes, locations and risks
  • Clear responsibilities, competencies and service levels
  • Contractual security requirements and compliance specifications can be documented centrally
  • Ready to provide evidence for audits, certifications and regulatory checks

Picture shows: The status of systems, devices and other assets is directly visible in the IT documentation.


5. Control & distribution of tasks and access

A functioning ISMS requires clear responsibilities. Who evaluates measures, who approves risks, who is allowed to change guidelines and who is only allowed to read - all of this determines security, efficiency and auditability.

Fine-grained role and authorization concepts clearly assign responsibilities: teams, departments and individuals are given exactly the access they need for their tasks. Sensitive information remains protected, operational processes remain transparent and evidence is not diluted.

Advantages:

  • Clear responsibilities: Roles and tasks are clearly assigned - no gray areas or duplication of responsibilities.
  • Fine-grained access control: Authorizations for objects, categories and processes can be precisely defined.
  • Protection of sensitive information: Critical data is only visible and editable for authorized users.
  • Auditability through traceability: every action can be traced back in terms of time, organization and personnel.
  • Reduced errors and misunderstandings: Teams only work with the information they really need.

Image shows: Audit check with direct links to standard requirements, measures and evidence - fully traceable and auditable.


Book your personal live demo

Our i-doit team will be happy to take the time to advise you personally on your application.