DER.3.2 Revisions Based on the IS Revision Guide

Description

Introduction

A special form of revision is the information security revision (IS revision) based on the document Information Security Revision - A Guide for IS Revision Based on IT-Grundschutz (abbreviated as “IS Revision Guide”).

The “IS Revision Guide” is a document published by the BSI that describes the IS revision procedure. Federal authorities are required to review their information security management system (ISMS) through IS revisions. Other institutions can conduct an IS revision based on the guide instead of a regular IT revision if they wish to review the implementation of their ISMS.

The IS revision based on the guide is characterized by a holistic approach. This means that all levels of an ISMS are reviewed, from the establishment of an information security organization and personnel aspects to the configuration of IT systems and applications. In doing so, the economic efficiency and regularity that are the primary focus of classical IT revisions are only of secondary importance. Information security (including the appropriateness of security measures) is thus the primary review criterion of the IS revision.

The IS revision is an essential component of successful information security management. Only if the established measures and processes for information security are regularly reviewed can it be assessed whether they are effectively implemented, complete, current, and appropriate. The IS revision is thus a suitable tool for determining, achieving, maintaining, and continuously improving an adequate level of security in an institution.

The primary task of the IS revision is to support and accompany the management of the institution, the IS management team, and in particular the ISO, in such a way that they can achieve the highest possible level of information security in the institution.

Objective

The building block defines requirements for an IS revision with the goal of improving information security in an institution, avoiding adverse developments in this area, and optimizing security measures and processes.

Scope and Modeling

The building block is to be applied whenever an institution is obligated to conduct revisions based on the “IS Revision Guide” or wishes to do so voluntarily. The building block is to be applied to the entire information network.

It does not address how the IS revision can be integrated into an already existing, overarching audit organization of an institution (e.g., internal audit). The building block DER.3.2 Revisions Based on the IS Revision Guide is a specific implementation of the requirements generally described in building block DER.3.1 Audits and Revisions. Institutions that implement the present building block no longer need to implement building block DER.3.1 Audits and Revisions, since its requirements are fully incorporated into this building block.

The IS revision and certification of an ISMS according to ISO 27001 based on IT-Grundschutz complement each other. IS revisions can accompany the path to certification and, in contrast to this, can be carried out as early as the initiation of the security process in the institution. They show the institution where urgent action is needed and which security deficiencies should be prioritized. If individual information networks of the institution are certified according to ISO 27001 based on IT-Grundschutz, re-certification and IS revision for these information networks should be conducted together where possible. Findings from monitoring audits or certification procedures can be used for the IS revision.

If the entire institution holds an ISO 27001 certificate based on IT-Grundschutz, the monitoring audits required in the certification process replace IS revisions.

The provisions on classified information protection and the federal classified information regulation (VSA) remain unaffected and apply independently of the requirements of this building block.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block DER.3.2 Revisions Based on the IS Revision Guide.

Violation of UP Bund Requirements

The “Implementation Plan for Ensuring IT Security in the Federal Administration” (UP Bund 2017) is established as a guideline for information security in the federal administration. Federal authorities are therefore part of a cross-departmental management for information security, in which each authority is responsible for creating and implementing its specific security concept. Not only federal authorities, but also other institutions may be obligated by legal, contractual, or other regulations to implement UP Bund 2017. UP Bund 2017 expressly stipulates that the BSI’s standards for information security and IT-Grundschutz and the standard protection approach described therein must be implemented as a minimum requirement. Furthermore, UP Bund 2017 mandatorily requires all obligated institutions to regularly review the status of their own ISMS — for example through an appropriate IS revision — and to use the “Guide for Information Security Revision” in doing so. If this is not done, these institutions are in violation of the UP Bund requirements.

Suspension of Security Measures

The security level of an institution depends on whether its security measures are fully and correctly implemented. Particularly during critical project phases or under certain conditions, security measures are frequently suspended temporarily. In some cases, however, reactivating them is forgotten, resulting in a persistently low level of security.

Ineffective or Uneconomical Implementation of Security Measures

If security measures are implemented without taking existing practical aspects into account, these measures may under certain circumstances be ineffective. For example, it is pointless to secure an entrance area with turnstiles if employees can instead enter the building through an open side entrance.

Similarly, it can happen that individual measures are taken that are not economically sensible. For the protection of information with normal protection needs regarding confidentiality, an appropriately implemented rights and roles concept is more sensible and cost-effective than establishing complex, certificate-based encryption on the file server.

Inadequate Implementation of the Information Security Management System

In many institutions, the ISO themselves checks whether security measures are implemented. Often, however, the review of the ISMS itself is neglected in this context, since the ISO, as part of the ISMS, cannot be impartial. As a result, the processes of an ISMS may have been implemented inefficiently or inappropriately, which can lead to an unintentionally low security level in the institution.

Insufficient Qualification of the Review Team

If the review team is not sufficiently qualified or prepares inadequately for the reviews, it may incorrectly assess the security status of an institution during an IS revision. Under certain circumstances, it may then recommend in its report measures that are not needed or even incorrect. In this case, it can happen that information is protected in an uneconomical or very risky manner.

Bias of Internal IS Revision Teams

Within institutions, IS revision teams can be formed from internal personnel. If these teams are not sufficiently separated from other processes, they could be influenced or biased. This is particularly the case when members of the IS revision team are or were involved in the planning or implementation of the ISMS.

Lack of Long-Term Planning

If IS revisions are not planned long-term and centrally, it can happen that some organizational units of an institution are reviewed very frequently and others not at all. It is also possible that changes to the ISMS are not adequately examined if reviews are only conducted irregularly. In this case, it is very difficult or even impossible to appropriately assess the security status of the entire information network.

Inadequate Planning and Coordination When Conducting IS Revisions

If an IS revision has been poorly planned and not coordinated with the responsible personnel of the institution, the right people may not be available during the on-site review. As a result, it may be impossible to review individual areas at all. Also, if the time slots for reviewing individual areas are set too tightly and insufficient time has been planned, it may happen that the institution is only reviewed superficially.

Failure to Involve the Employee Representatives

In the context of IS revisions, aspects may be examined from which conclusions could be drawn about how individuals behave in their work and how productive they are. These reviews could therefore be treated as a conduct and performance assessment. If the employee representatives are not involved, the on-site review can be delayed or even discontinued.

Deliberate Concealment of Deviations or Problems

Persons may fear that an IS revision will expose their own errors. To avoid this, they could conceal security problems and convey a false picture of the actual security status. Security deficiencies would thus go undetected and could not be corrected. In addition, Top Management could incorrectly assess the risk associated with these security deficiencies.

Loss of Confidentiality of Information Worthy of Protection

During an IS revision, confidential information (e.g., vulnerabilities and potential attack vectors) is gathered by the IS revision team. Deficiencies in the information security of the audited institution may also be identified. If these deficiencies become known to unauthorized third parties, they could be used to attack the institution or damage its reputation.

Requirements

The following are the specific requirements of building block DER.3.2 Revisions Based on the IS Revision Guide. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is reasonable and appropriate.

Responsibilities              Roles
Primary responsibility        Information Security Officer (ISO)
Additional responsibilities   IS Revision Team, Top Management

Exactly one role should be primarily responsible. In addition, there may be additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

DER.3.2.A1 Designation of Responsible Parties for the IS Revision (B) [Top Management]

The institution MUST designate a person responsible for the IS revision. This person MUST plan and initiate IS revisions and track their results.

DER.3.2.A2 Creation of an IS Revision Manual (B)

An IS revision manual MUST be created for the IS revision that contains the intended objectives, applicable legal requirements, information about the organization, resources, and framework conditions. In addition, the archiving of documentation MUST be described therein. The manual MUST be formally approved by Top Management.

DER.3.2.A3 Definition of the Review Basis (B)

BSI Standards 200-1 through 200-3 and the IT-Grundschutz Compendium MUST serve as the review basis for the IS revision. The IT-Grundschutz standard protection approach SHOULD be used. These review bases MUST be known to all parties involved.

DER.3.2.A4 Creation of a Plan for the IS Revision (B)

If the institution is not certified according to ISO 27001 based on IT-Grundschutz, it MUST be ensured that at least every three years a short IS revision or cross-sectional IS revision is conducted. In addition, further revisions SHOULD be planned if the information network is substantially changed.

A multi-year rough plan for revision activities SHOULD be created. This SHOULD then be further detailed through an annual detailed plan.

DER.3.2.A5 Selection of a Suitable IS Revision Team (B)

An IS revision team consisting of at least two persons MUST be assembled or commissioned. The IS revision team MUST be granted unrestricted rights of information and access for its activities. In the case of internal IS revision teams, individual members MUST be impartial. Members of an IS revision team MUST NOT be involved or have been involved in the planning or implementation of the ISMS.

DER.3.2.A6 Preparation of an IS Revision (B) [IS Revision Team]

An IS revision team MUST be commissioned to conduct an IS revision. The IS revision team MUST establish which reference documents are required for an IS revision. The institution to be reviewed MUST hand over the security concept and all other required documents to the IS revision team.

DER.3.2.A7 Conducting an IS Revision (B) [IS Revision Team]

Within the scope of an IS revision, both a document review and an on-site review MUST be conducted by the IS revision team. All results of these two reviews MUST be documented and summarized in an IS revision report.

Before a cross-sectional IS revision is conducted for the first time, a short IS revision MUST be selected as the IS revision procedure. The short IS revision MUST be completed with a positive result before a cross-sectional IS revision is conducted.

DER.3.2.A8 Retention of IS Revision Reports (B)

The institution MUST securely retain the IS revision report and the underlying reference documents for at least ten years from the date of delivery of the report, unless other applicable laws or regulations specify otherwise. The institution MUST ensure that only authorized persons can access IS revision reports and reference documents.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

DER.3.2.A9 Integration into the Information Security Process (S)

The institution SHOULD ensure that IS revisions are a part of the security process. In addition, the results of IS revisions SHOULD feed back into the ISMS and contribute to its improvement.

Furthermore, the results of IS revisions as well as the activities to eliminate deficiencies and improve quality SHOULD be included in the regular report of the ISO to Top Management.

DER.3.2.A10 Communication Arrangements (S)

It SHOULD be clearly regulated how information is to be exchanged between the IS revision team and the institution being reviewed. It SHOULD be ensured that the confidentiality and integrity of this information are preserved.

DER.3.2.A11 Conducting a Kick-Off Meeting for a Cross-Sectional IS Revision (S) [IS Revision Team]

For a cross-sectional IS revision, a kick-off meeting SHOULD be conducted between the IS revision team and the institution being reviewed. The following content SHOULD be discussed therein:

  • The explanation and presentation of the IS revision procedure,
  • the introduction of the institution (areas of focus and overview of the IT in use), and
  • the handover of reference documents to the IS revision team.

DER.3.2.A12 Creation of a Review Plan (S) [IS Revision Team]

Before an IS revision, the IS revision team SHOULD create a review plan. If it becomes necessary during the IS revision to expand or otherwise adjust the planned procedures, the review plan SHOULD be adjusted accordingly. The review plan SHOULD also be included in the final IS revision report.

For the short IS revision, the mandatory review topic list established by the BSI SHOULD replace the review plan.

DER.3.2.A13 Review and Examination of Documents (S) [IS Revision Team]

During the document review, the IS revision team SHOULD check the requirements established in the review plan. The IS revision team SHOULD verify whether all relevant documents are current and complete. When checking for currency, the granularity of the documents SHOULD be taken into account. It SHOULD be ensured that all key aspects are covered and appropriate roles have been assigned.

Furthermore, it SHOULD be checked whether the existing documents and the decisions made therein are comprehensible. The results of the document review SHOULD be documented and, where useful, feed into the on-site review.

DER.3.2.A14 Selection of Target Objects and Requirements to Be Reviewed (S) [IS Revision Team]

In a cross-sectional IS revision or partial IS revision, the IS revision team SHOULD select the building block target objects for the on-site review based on the results of the document review. The information security management building block (see ISMS.1 Security Management) of the IT-Grundschutz Compendium, including all associated requirements, SHOULD however always be reviewed in full. A further thirty percent of the modeled building block target objects SHOULD be selected for review on a risk-oriented basis. The selection SHOULD be documented in a comprehensible manner. Of the building block target objects selected in this way, thirty percent of the respective requirements SHOULD be reviewed in the IS revision.

In addition, the requirements criticized in previous IS revisions SHOULD be taken into account when selecting the building block target objects to be reviewed. All requirements with serious security deficiencies from previous IS revisions SHOULD also be reviewed.
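As an added illustration of the selection rule above (example code, not part of the BSI document or the IS Revision Guide): a Python routine that always takes ISMS.1 in full, draws a further 30 % of the remaining target objects by risk rank, takes 30 % of each selected object's requirements, re-checks requirements with serious deficiencies from earlier revisions, and records the rationale so the selection stays comprehensible. The object names, risk scores, the ordering of requirements by review priority and rounding the 30 % quotas up are assumptions of this example, not specifications of the building block.

```python
# Added example: reproducible, documented sample selection for the on-site
# review following the 30 % rules of DER.3.2.A14. All object names, risk
# scores and requirement lists below are constructed sample data.
import math
from dataclasses import dataclass, field

@dataclass
class TargetObject:
    name: str                      # modeled target object: building block + asset
    building_block: str            # e.g. "SYS.1.1"
    risk_score: int                # assumed rating from the risk analysis, higher = riskier
    requirements: list[str]        # assumed to be ordered by review priority
    serious_deficiencies: list[str] = field(default_factory=list)  # from earlier IS revisions

ISMS_BLOCK = "ISMS.1"
SHARE_PERCENT = 30                 # the thirty percent of A14, applied to objects and requirements

def select_for_on_site_review(objects, share_percent=SHARE_PERCENT):
    """Return ({object name: [requirements to review]}, [rationale lines])."""
    selection, rationale = {}, []
    # ISMS.1 is always reviewed in full, with all of its requirements
    for obj in objects:
        if obj.building_block == ISMS_BLOCK:
            selection[obj.name] = list(obj.requirements)
            rationale.append(f"{obj.name}: ISMS.1, reviewed in full")
    others = [o for o in objects if o.building_block != ISMS_BLOCK]
    # a further 30 % of the remaining target objects, chosen risk-oriented;
    # rounded up (assumption) so a small information network still yields a sample
    quota = math.ceil(len(others) * share_percent / 100)
    ranked = sorted(others, key=lambda o: (-o.risk_score, o.name))  # ties broken by name
    chosen = ranked[:quota]
    # objects with serious deficiencies from earlier revisions are added regardless of rank
    chosen_names = {o.name for o in chosen}
    for obj in others:
        if obj.serious_deficiencies and obj.name not in chosen_names:
            chosen.append(obj)
            chosen_names.add(obj.name)
    for obj in chosen:
        n_req = math.ceil(len(obj.requirements) * share_percent / 100)
        reqs = obj.requirements[:n_req]
        # every requirement with a serious deficiency from an earlier revision is re-checked
        reqs += [r for r in obj.serious_deficiencies if r not in reqs]
        selection[obj.name] = reqs
        why = "risk-oriented sample" if obj in ranked[:quota] else "serious deficiency in earlier revision"
        rationale.append(f"{obj.name} (risk {obj.risk_score}): {why}; {len(reqs)}/{len(obj.requirements)} requirements")
    return selection, rationale

def _reqs(block, n):
    return [f"{block}.A{i}" for i in range(1, n + 1)]

# constructed sample information network (names and scores are illustrative)
SAMPLE_NETWORK = [
    TargetObject("ISMS.1 Security Management", "ISMS.1", 8, _reqs("ISMS.1", 5)),
    TargetObject("SYS.1.1 srv-db-01", "SYS.1.1", 9, _reqs("SYS.1.1", 10)),
    TargetObject("APP.3.2 web-01", "APP.3.2", 7, _reqs("APP.3.2", 5)),
    TargetObject("ORP.4 identity-mgmt", "ORP.4", 5, _reqs("ORP.4", 6)),
    TargetObject("NET.1.1 office-lan", "NET.1.1", 3, _reqs("NET.1.1", 4),
                 serious_deficiencies=["NET.1.1.A3"]),
]

if __name__ == "__main__":
    sel, why = select_for_on_site_review(SAMPLE_NETWORK)
    for line in why:
        print(line)
    for name, reqs in sel.items():
        print(name, "->", ", ".join(reqs))
```

The rationale lines are what goes into the review plan so the selection is documented in a comprehensible manner; the low-risk NET.1.1 object enters only because of its earlier serious deficiency.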

DER.3.2.A15 Selection of Appropriate Review Methods (S) [IS Revision Team]

The IS revision team SHOULD ensure that appropriate review methods are used to investigate the matters to be reviewed. All reviews SHOULD be proportionate.

DER.3.2.A16 Creation of a Schedule for the On-Site Review (S) [IS Revision Team]

Together with the institution being reviewed, the IS revision team SHOULD develop a schedule for the on-site review. The results SHOULD be documented together with the IS review plan.

DER.3.2.A17 Conducting the On-Site Review (S) [IS Revision Team]

During the on-site review, the IS revision team SHOULD investigate and establish whether the selected measures meet the requirements of IT-Grundschutz appropriately and in a manner suitable for practice.

The review SHOULD begin with an opening meeting. All requirements of the review plan or all topic areas of the review topic list selected for review SHOULD then be checked. The designated review methods SHOULD be used for this purpose. If deviations from the documented status are found in a selected sample, the sample SHOULD be expanded on a needs basis until the matter is clarified.

During the on-site review, the IS revision team SHOULD NEVER actively intervene in IT systems or provide instructions for changes to the subject of the revision.

All key facts and information regarding requests for sources, information, and documents, as well as meetings conducted, SHOULD be recorded in writing.

In a closing meeting, the IS revision team SHOULD briefly present key findings to the reviewed institution. In doing so, the IS revision team SHOULD refrain from making concrete assessments of the findings, but instead provide indications of any deficiencies and describe the further procedure. This closing meeting SHOULD also be recorded in minutes.

DER.3.2.A18 Conducting Interviews (S) [IS Revision Team]

Interviews conducted by the IS revision team SHOULD be structured. Questions SHOULD be formulated concisely, precisely, and in an easily understandable manner. Appropriate questioning techniques SHOULD also be used.

DER.3.2.A19 Review of the Selected Risk Treatment Options (S) [IS Revision Team]

The IS revision team SHOULD examine whether the residual risks remaining for the information network are appropriate and acceptable, and whether they are bindingly supported by Top Management. The IS revision team SHOULD verify by sampling whether and to what extent the selected risk treatment options have been implemented.

DER.3.2.A20 Follow-Up of the On-Site Review (S) [IS Revision Team]

After the on-site review, the information gathered SHOULD be further consolidated and evaluated by the IS revision team. After the potentially requested documents, documentation, and supplementary information have been evaluated, the reviewed requirements SHOULD be finally assessed.

DER.3.2.A21 Creation of an IS Revision Report (S) [IS Revision Team]

The IS revision team SHOULD compile the results obtained into an IS revision report and document them in a comprehensible manner. A draft version of the report SHOULD be transmitted to the reviewed institution in advance. It SHOULD be verified whether the facts established by the IS revision team have been correctly recorded.

The reviewed institution SHOULD ensure that all affected parties in the institution receive the sections of the IS revision report that are important and necessary for them within an appropriate timeframe. In particular, the contents SHOULD be communicated to Top Management, those responsible for the IS revision, and the ISO.

IS revision reports SHOULD be given an appropriate confidentiality classification due to the information worthy of protection they contain.

It SHOULD be considered whether the IS revision team presents the results of the IS revision to Top Management in the form of a presentation.

DER.3.2.A22 Follow-Up of an IS Revision (S)

The deviations identified in the IS revision report SHOULD be corrected by the institution within an appropriate timeframe. The corrective actions to be taken SHOULD be documented with responsibilities, implementation dates, and the respective status. Implementation SHOULD be continuously tracked and the implementation status updated.

In principle, it SHOULD be examined whether additional IS revisions are necessary. The institution SHOULD adjust the rough and detailed plan for the IS revision.

Requirements for High Protection Needs

The following are exemplary proposals for requirements that go beyond the level of protection corresponding to the state of the art for this building block. The proposals SHOULD be considered when there are elevated protection needs. The specific determination is made within the framework of an individual risk analysis.

DER.3.2.A23 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The Federal Office for Information Security (BSI) describes in its guide “Information Security Revision: A Guide for IS Revision Based on IT-Grundschutz” how an IS revision must be conducted.

The Federal Office for Information Security (BSI) describes in its document “Mandatory Review Topics for the Short IS Revision” which topics are to be reviewed in a short IS revision.

The Federal Office for Information Security (BSI) provides a template manual for IS revision with the “Revision Manual for Information Security according to UP Bund”.

The Federal Ministry of the Interior (BMI) describes in the Classified Information Regulation (VSA) which requirements must be observed when handling classified information.