The Federal Office for National Economic Supply (FONES) has published a minimum standard for improving “ICT resilience” that is not directly legally binding. It is based on existing standards (see below), but its content is less far-reaching and is intended as a “recommendation and possible guideline” for improving ICT resilience. It is aimed in particular at operators of critical infrastructures[note]Cf. the list of affected sectors based on the National Strategy for Critical Infrastructure Protection 2018 – 2022.[/note], but is basically applicable to any company or organization and is freely available.
The minimum standard consists of three parts:
- Basics: Reference work with background information on ICT security;
- Framework: describes organizational and technical implementation measures, structured according to the five subject areas “Identify”, “Protect”, “Detect”, “Respond” and “Recover”.
- Self-assessment and evaluation tool (Excel): This allows the implementation status of the measures to be assessed.
In addition, sector-specific recommendations apply (see below).
Basics
The minimum standard is based on the NIST Cybersecurity Framework Core. The NIST Cybersecurity Framework is a set of recommended practices published by the U.S. National Institute of Standards and Technology (as of V1.1, 4/16/18) that includes standards, guidelines, and practice recommendations for addressing cybersecurity risks. Unlike the ISO standards, for example, it is available free of charge and consists of three main components:
- The “Framework Core” describes measures that – like the minimum standard of the BWL – are divided into five “Functions”[note]I.e., five phases along a cybersecurity incident: “identify”, “protect”, “detect”, “respond” and “recover”. They are relatively general and claim applicability to all critical infrastructures.[/note].
- The “Implementation Tiers” describe different levels of dealing with cybersecurity risks.
- The “Framework Profile” describes how a company deals with cybersecurity risks in concrete terms and what steps it intends to take in this regard in the future.
The minimum standard of the BWL also takes additional standards into account:
- the NIST Guide to Industrial Control Systems (ICS) Security;
- the standards of the ISO 2700x series;
- the COBIT (originally “Control Objectives for Information and Related Technology”);
- the ENISA Good Practice Guide on National Cyber Security Strategies;
- the “IT-Grundschutz approach” of the German Federal Office for Information Security (BSI).
Nevertheless, the minimum standard of the BWL sees itself
[…] explicitly not as competition to existing international standards, but as compatible with them, with a reduced scope at the same time. It is intended to provide a simpler introduction to the subject while still ensuring a high level of protection.
Sector-specific standards
The FCA is developing supplementary sector-specific standards that are somewhat more detailed but also not directly legally binding. So far, standards are available for the power supply and food supply sectors; standards for other sectors are said to be in the works.[note]According to the NZZ, minimum standards for drinking water supply, natural gas and oil supply, and food supply are also expected by the end of 2018.[/note]