BWL: Minimum standard for improving IT resilience

The Federal Office for National Economic Supply (FONES) has published a legally non-binding minimum standard for improving "ICT resilience". It is based on existing standards (see below), but its content is less far-reaching and it is intended as a "recommendation and possible guideline" for improving ICT resilience. It is aimed in particular at operators of critical infrastructures[note]Cf. the list of concerned sectors based on the National Strategy for Critical Infrastructure Protection 2018 – 2022.[/note], but is basically applicable to any company or organization and is freely available.

The minimum standard consists of three parts:

  1. Basics: a reference work with background information on ICT security;
  2. Framework: it describes implementation measures of an organizational and technical nature, structured according to the five subject areas "Identify", "Protect", "Detect", "Respond" and "Recover";
  3. Self-assessment and evaluation tool (Excel): this allows the implementation status of the measures to be assessed.

In addition, sectoral recommendations apply (see below).

Basics

The minimum standard is based on the NIST Cybersecurity Framework Core. The NIST Cybersecurity Framework is a set of recommended practices published by the U.S. National Institute of Standards and Technology (as of V1.1, 4/16/18) that includes standards, guidelines, and practice recommendations for addressing cybersecurity risks. Unlike, for example, the ISO standards, it is available free of charge, and it consists of three main components:

  1. The "Framework Core" describes measures that, like the minimum standard of the BWL, are divided into five "Functions"[note]I.e., five phases along a cybersecurity incident: "identify", "protect", "detect", "respond" and "recover". They are relatively general and claim applicability to all critical infrastructure.[/note].
  2. The "Implementation Tiers" describe different levels of dealing with cybersecurity risks.
  3. The "Framework Profile" describes how a company deals with cybersecurity risks in concrete terms and what steps it intends to take in this regard in the future.

The minimum standard of the BWL also takes into account additional standards:

Nevertheless, the minimum standard of the BWL sees itself

[…] explicitly not as competition to existing international standards, but is compatible with them, with a reduced scope at the same time. It is intended to provide a simpler introduction to the subject while still ensuring a high level of protection.

Sector-specific standards

The FCA is developing supplementary sector-specific standards that are somewhat more detailed, but are also not directly legally binding. So far, standards are available for the power supply and food supply sectors; standards are said to be in the works for other sectors.[note]According to the NZZ, minimum standards for drinking water supply, natural gas and oil supply, and food supply are also expected by the end of 2018.[/note]
