The Act is given concrete form by the IT Security Requirements Catalog published by the Federal Network Agency (Bundesnetzagentur), which defines the minimum level of IT security that must be in place at an affected company. The core requirement of the catalog is to introduce an information security management system (ISMS) in accordance with DIN ISO/IEC 27001 "Information technology – Security techniques – Information security management systems – Requirements" and to have it certified by an independent certification body approved for this purpose. Proof of certification had to be submitted to the Federal Network Agency by January 2018.
The IT Security Act applies to operators of critical infrastructure, i.e. companies that:
- belong to the sectors energy, information technology and telecommunications, transport and traffic, health, water, food, and finance and insurance;
- are of major importance for the functioning of society, because their failure or impairment would result in significant supply shortages or threats to public security.
Which operators and companies are affected is specified precisely in a separate regulation. A large part of EXXETA's customers fall under it.
For these companies, the obligation does not end at their own boundaries: even where the applications, systems and components covered by the IT Security Requirements Catalog are outsourced to third parties, the operator must ensure, through appropriate agreements with the respective service providers, that the criteria of the catalog are met. Responsibility for compliance with the IT Security Requirements Catalog and the IT Security Act remains in all cases with the operator itself; it cannot be transferred to a service provider.
As a service provider for these customers, we are therefore increasingly required to fulfill parts of the IT Security Requirements Catalog ourselves and to make IT security and data protection a high-priority quality factor for our services and products.
What are the Objectives of EXXETA?
Until the adoption of the IT Security Act, IT security was not an explicit quality factor for EXXETA's products and services. In response to the growing number of customer inquiries, we are now pursuing an enhanced security strategy.
In addition to DIN EN ISO 9000 "Quality management systems", we also want to demonstrate this through certification according to DIN ISO/IEC 27001. A central concern in reaching this goal is to preserve the flexibility we have within EXXETA.
The adoption of security policies by management, as well as the establishment of new bodies and roles such as a Corporate Security Board and Information Security Officers, are only some of the milestones already completed on the way to a certified ISMS.
In addition, as the people responsible for EXXETA's ISMS, we serve as the technical and organizational point of contact for IT security, acting as consultants and advisors to both employees and customers.