Feature: KRITIS Compliance Package

Has anyone integrated a full KRITIS compliance package framework as specified in Germany by the BSI (Federal Office for Information Security)?

Hello Andrew,

What exactly are you looking for from the BSI?

At the moment, I’m working on the compliance package for the BSI-Gesetz (https://www.gesetze-im-internet.de/bsig_2025/BJNR12D0B0025.html#BJNR12D0B0025BJNG000500000).
The aim is to map the implementation of NIS-2 via the national BSI-G in German.

It’s not quite finished yet; I’m working on it alongside my other tasks and am considering whether all the regulatory sections should be included or just Part 3…

Regards,
Carsten

1 Like

Hi Carsten, our company falls under critical infrastructure providers and gets audited as per the BSI-Kritisverordnung (BSI-KritisV); here is the reference: https://www.gesetze-im-internet.de/bsi-kritisv/BJNR095800016.html.

There are 135 requirements that are (partially) mapped to NIS2 or ISO 27001:2022. I am looking around to see if someone has already formatted these 135 requirements as an eramba compliance package.

And yes, I am working on this in German and already have a first blueprint.

OK, so it looks as though we’re both working on different topics.

The only thing I can offer you is the file structure – or parts of it – showing how I’ve organised the chapters, paragraphs and sub-sections.

Hi, yes, it would be nice if you shared your file structure. Thanks.

Based on the BSI law, we had to consider how granular the structure should be.
Following the example of another framework, we decided to take a middle ground:
1 element per paragraph.
This provides a certain level of granularity without making the structure too fine-grained.

I tried to color-code the assignments for each field (I hope the assignments are clear).
(see figures under Source → Table Structure)

One downside remains:
When mapping controls to internal measures, you may need to map a paragraph multiple times.
For example, in the “Compliance Analysis”, the reference applies when mapping cryptography measures to BSI Act §30(2), 8.,
another one to BSI Act §30(2), 6., and so on.

Important for the import:
Use a comma “,” as the separator, not a semicolon.
It is best to enclose all fields in “quotation marks”.

Feel free to send me a pm if you have further questions,
Carsten
(German version at the bottom)

Source: (BSIG - Gesetz über das Bundesamt für Sicherheit in der Informationstechnik und über die Sicherheit in der Informationstechnik von Einrichtungen)

Table structure:

Results:

Details:

Starting from the BSI Act, the question was how fine-grained the whole thing should be.
Following the example of another framework, we decided to take a middle way:
1 element per paragraph.
You get a certain granularity, but not too fine a structure.

I tried to colour-code the assignment for each field (I hope the assignment is recognisable).
(see figures under Source → Table structure)

One drawback remains:
when mapping the controls to internal measures, you may have to map to one paragraph several times.
That is, in the “compliance analysis” the reference applies, for example, when mapping cryptography measures to BSI Act §30(2), 8.,
another one to BSI Act §30(2), 6., and so on.

Important for the import:
use a comma “,” as the separator, not a semicolon.
It is best to put all fields in “quotation marks”.

Feel free to PM me with further questions,
Carsten

1 Like

Hi Carsten, I really appreciate your feedback and the screenshots. Indeed, we are on the same page, and using your template as a reference, I now have a workable blueprint:

Note: eramba appears to sort alphabetically (lexicographically) rather than numerically, so I added numbering using zero-padding (leading zeros) in the required “Item Additional Info” field to make them properly sortable.

Now the challenge is how to create controls such that each control is verifiable/audit-proof and free of SOA narrative text (and potentially reusable across multiple frameworks).

If I have to assign one control to each of the 135 requirements, that would already be a very large number, especially since individual requirements may require multiple controls. I need to look for a way to define these controls that sensibly reduces their number without compromising completeness. Perhaps even create a group of priority controls that form a baseline for KRITIS.

1 Like
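As an added example (not code from the thread or from eramba), this Python script puts the two import hints from the thread together: one row per paragraph, zero-padded numbering in the “Item Additional Info” field so that eramba's text sort matches the numeric order, and a CSV written with a comma separator and every field quoted. Everything except the “Item Additional Info” field name is an assumption: the other column names, the `BSIG-` id prefix and the paragraph titles are placeholders to be aligned with the real import template.

```python
import csv
import io

# Constructed sample: (part, paragraph number, short title) with one element
# per paragraph. Titles are placeholders, not the statute's wording.
SAMPLE_PARAGRAPHS = [
    ("Part 3", 30, "Placeholder title for § 30"),
    ("Part 1", 2, "Placeholder title for § 2"),
    ("Part 2", 10, "Placeholder title for § 10"),
]

# Assumed column names: only "Item Additional Info" comes from the thread; the
# others are placeholders to be aligned with the real eramba import template.
COLUMNS = ["Item ID", "Item Name", "Item Description", "Item Additional Info"]

def padded_id(paragraph: int, width: int = 3) -> str:
    """Zero-pad the paragraph number so a text sort equals numeric order."""
    return f"BSIG-{paragraph:0{width}d}"

def build_rows(paragraphs):
    """One import row per paragraph (§), carrying the padded id in the sort field."""
    rows = []
    for part, number, title in paragraphs:
        rows.append({
            "Item ID": padded_id(number),
            "Item Name": f"§ {number} {title}",
            "Item Description": f"{part} of the BSIG, one element per paragraph",
            "Item Additional Info": padded_id(number),
        })
    return rows

def render_csv(rows) -> str:
    """Comma as separator and every field in quotation marks, as the import needs."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, delimiter=",",
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def text_sort_order(values):
    """Mimic a lexicographic (text) sort such as the one observed in eramba."""
    return sorted(values)

if __name__ == "__main__":
    # Plain numbers sort as text ("10" before "2"); padded ids keep numeric order.
    print(text_sort_order([str(n) for _, n, _ in SAMPLE_PARAGRAPHS]))
    print(text_sort_order([padded_id(n) for _, n, _ in SAMPLE_PARAGRAPHS]))
    print(render_csv(build_rows(SAMPLE_PARAGRAPHS)))
```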