Basic

CON.1

CON.1 Cryptographic Concept

Cryptography is a widely used means of ensuring information security with respect to the protection objectives of confidentiality, integrity and …

DER.1

DER.1 Detection of Security-Relevant Events

To protect IT systems, security-relevant events must be detected and handled in a timely manner. To achieve this, institutions must plan, implement, …

IND.1

IND.1 Process Control and Automation Technology

Process control and automation technology (Operational Technology, OT) is hardware and software that monitors and controls physical devices, …

INF.1

INF.1 General Building

A building encloses all stationary workplaces, the information processed therein, and the installed information technology. It thus provides …

ISMS.1

ISMS.1 Security Management

(Information) security management refers to the planning, control, and oversight tasks required to establish and continuously implement a …

ORP.1

ORP.1 Organisation

Every institution requires a responsible department to manage and regulate general operations and to plan, organise, and carry out administrative …

APP.1.1

APP.1.1 Office Products

The group of office products primarily comprises applications used to create, edit, or view documents. These include the free application LibreOffice …

NET.1.1

NET.1.1 Network Architecture and Design

Most institutions today require data networks for their business operations and the fulfillment of their professional tasks, through which, for …

SYS.1.1

SYS.1.1 General Server

A "General Server" refers to IT systems with any operating system that provide services to users and other IT systems …

OPS.1.1.1

OPS.1.1.1 General IT Operations

IT Operations represents an organizational unit and the associated business process within information technology. The process describes the tasks …

OPS.1.1.2

OPS.1.1.2 Proper IT Administration

IT administration refers primarily to activities within IT Operations that require administrative rights and that modify the configuration of IT …

OPS.1.1.3

OPS.1.1.3 Patch and Change Management

It is a major challenge to update the IT components deployed in an institution correctly and in a timely manner. In practice, it is evident that …

OPS.1.1.4

OPS.1.1.4 Protection Against Malware

Malware consists of programs that typically execute harmful functions on an IT system without the knowledge and consent of the users. These harmful …

OPS.1.1.5

OPS.1.1.5 Logging

To ensure reliable IT Operations, IT systems and applications should log either all or at least selected operationally and security-relevant events, …
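As an added illustration for DER.1 (detection of security-relevant events) and OPS.1.1.5 (logging), and not code from the original page or from the BSI compendium, the following Python script shows the smallest useful form of the detection logic those two building blocks presuppose: it parses logged authentication events, tracks failed logins per source within a sliding time window, and raises an alert on a burst and on a successful login that follows the burst. The sshd-style syslog lines are constructed sample input, and the threshold of five failures per 60 seconds is an assumed tuning value.

```python
"""Added example: detecting security-relevant events in authentication logs.

Illustration code written for this page, not part of the BSI IT-Grundschutz
compendium. The log lines are constructed to look like OpenSSH sshd entries
in syslog format; threshold and window are assumptions a deployment would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample input: a burst of failed logins from one source followed
# by a success, plus ordinary noise from another host.
SAMPLE_LOG = """\
2024-03-01T10:00:01 srv1 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
2024-03-01T10:00:03 srv1 sshd[1203]: Failed password for root from 198.51.100.7 port 51024 ssh2
2024-03-01T10:00:04 srv1 sshd[1205]: Failed password for root from 198.51.100.7 port 51026 ssh2
2024-03-01T10:00:06 srv1 sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 51028 ssh2
2024-03-01T10:00:07 srv1 sshd[1209]: Failed password for root from 198.51.100.7 port 51030 ssh2
2024-03-01T10:00:09 srv1 sshd[1211]: Accepted password for root from 198.51.100.7 port 51032 ssh2
2024-03-01T10:05:00 srv1 sshd[1300]: Accepted publickey for alice from 203.0.113.5 port 40001 ssh2
2024-03-01T10:20:00 srv1 sshd[1400]: Failed password for bob from 203.0.113.5 port 40002 ssh2
2024-03-01T10:20:10 srv1 sshd[1401]: Accepted password for bob from 203.0.113.5 port 40003 ssh2
"""

# Matches the two sshd outcomes we care about; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(log_text, threshold=5, window_s=60):
    """Emit alerts for (a) at least `threshold` failures from one source within
    `window_s` seconds and (b) a successful login from a source that tripped (a)
    within the same window. Returns a list of (kind, src, user, timestamp)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                    # src -> time the burst alert fired
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # unrecognised lines are skipped, not fatal
        ts, src = rec["ts"], rec["src"]
        if rec["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            # drop failures that fell out of the sliding window
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append(("brute_force_burst", src, rec["user"], ts))
        else:
            fired = flagged.get(src)
            if fired is not None and (ts - fired).total_seconds() <= window_s:
                alerts.append(("success_after_burst", src, rec["user"], ts))
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:22s} src={src} user={user}")
```

Two points the building blocks make are visible in the code: detection is only possible for events that were logged in the first place (the regex silently skips anything sshd did not record in a recognisable form), and a burst followed by an accepted login is the case that must be handled in a timely manner, so it is reported as its own alert rather than buried in the failure count.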

OPS.1.1.6

OPS.1.1.6 Software Testing and Approvals

The use of IT in institutions requires that automated data processing functions as error-free as possible, since the individual results can in most …

OPS.1.1.7

OPS.1.1.7 System Management

Reliable system management is a fundamental prerequisite for the secure and efficient operation of modern networked systems. For this purpose, a …

APP.1.2

APP.1.2 Web Browsers

Web browsers are application programs that can retrieve, process, display, output, and store (hypertext) documents, images, video, audio, and other …

NET.1.2

NET.1.2 Network Management

Reliable network management is a fundamental prerequisite for the secure and efficient operation of modern networks. For this purpose, it is necessary …

OPS.1.2.2

OPS.1.2.2 Archiving

Archiving plays a special role in the document management process. On the one hand, it is expected that digital documents will be available until the …

SYS.1.2.2

SYS.1.2.2 Windows Server 2012

With Windows Server 2012, Microsoft brought to market in September 2012 a server operating system that includes various security improvements over …

SYS.1.2.3

SYS.1.2.3 Windows Server

With Windows Server, Microsoft offers a server operating system. The major versions 2016, 2019, and 2022 of Windows Server are so-called long-term …

OPS.1.2.4

OPS.1.2.4 Telework

Telework refers to any activity supported by information and communications technology that is performed wholly or partly outside the premises and …

OPS.1.2.5

OPS.1.2.5 Remote Maintenance

The term remote maintenance refers to time-limited access to IT systems and the applications running on them, carried out from another IT system. The …

OPS.1.2.6

OPS.1.2.6 NTP Time Synchronization

Networked IT systems often require synchronized states. The system time usually serves as a reference. However, the internal clock of IT systems can …

SYS.1.3

SYS.1.3 Servers Running Linux and Unix

Server systems frequently run the Linux or Unix operating systems. Examples of classic Unix systems include the BSD family (FreeBSD, OpenBSD, and …

APP.1.4

APP.1.4 Mobile Applications (Apps)

Smartphones, tablets, and similar mobile devices are now widespread even in government agencies and companies. Employees can access the institution's …

SYS.1.5

SYS.1.5 Virtualization

In the virtualization of IT systems, one or more virtual IT systems are run on a physical IT system. Such a physical IT system is called a …

SYS.1.6

SYS.1.6 Containerization

The term containerization refers to a concept in which the resources of an operating system are partitioned to create execution environments for …

SYS.1.7

SYS.1.7 IBM Z

Systems of the "IBM Z" type belong to the server systems generally referred to as mainframes. Mainframes have evolved from classic standalone …

SYS.1.8

SYS.1.8 Storage Solutions

The steady growth of digital information and the increasing volume of unstructured information mean that institutions use central storage solutions …

SYS.1.9

SYS.1.9 Terminal Server

A terminal server is a server on which client applications (applications for short) are executed directly and which only forwards their graphical …

CON.2

CON.2 Data Protection

Unlike information security, which primarily serves to protect the data-processing institution itself, the task of data protection is to protect …

INF.2

INF.2 Data Center and Server Room

Today, almost all strategic and operational functions and tasks are significantly supported by information technology (IT) or cannot be carried out …

ORP.2

ORP.2 Personnel

The personnel of a company or authority play a decisive role in the success or failure of the institution. Employees have the important task of …

APP.2.1

APP.2.1 General Directory Service

A directory service makes information about any objects available in a defined manner within a data network. An object can store associated …

DER.2.1

DER.2.1 Security Incident Handling

To limit damage and prevent further harm, detected security incidents must be handled quickly and efficiently. To this end, a predefined and tested …

IND.2.1

IND.2.1 General ICS Component

An ICS component is an electronic component that controls or regulates a machine or plant. It is thus part of an industrial control system (ICS) or, …

NET.2.1

NET.2.1 WLAN Operation

Wireless LANs (WLANs) can be used to build wireless local area networks or to extend existing wired networks. To this day, almost all WLAN components …

SYS.2.1

SYS.2.1 General Client

A "General Client" refers to an IT system with any operating system that allows the separation of users and is not intended to provide server …

APP.2.2

APP.2.2 Active Directory Domain Services

Active Directory (AD) is a collective term for various server roles developed by Microsoft for Windows Server. The server role Active Directory Domain …

DER.2.2

DER.2.2 Precautions for IT Forensics

IT forensics is the strictly methodical analysis of data on storage media and in data networks to investigate security incidents in IT systems.

NET.2.2

NET.2.2 WLAN Use

Wireless LANs (WLANs) can be used to build wireless local area networks or to extend existing wired networks. To this day, almost all WLAN components …

OPS.2.2

OPS.2.2 Cloud Use

Cloud computing refers to the demand-driven provision, use, and billing of IT services over a network. The range of services offered within the …

SYS.2.2.3

SYS.2.2.3 Clients Running Windows

With Windows 10, Microsoft adapted its Windows client operating system to a new corporate strategy. In particular, the fundamental philosophy changed …

APP.2.3

APP.2.3 OpenLDAP

OpenLDAP is a freely available directory service that makes information about any objects — such as accounts, IT systems, or configurations — …

DER.2.3

DER.2.3 Remediation of Extensive Security Incidents

Advanced Persistent Threats (APTs) are targeted cyber attacks on selected institutions and organizations. Attackers gain persistent access to a …

IND.2.3

IND.2.3 Sensors and Actuators

Sensors are transmitters implemented as electronic components with a microprocessor and software that convert a physical quantity into an electrical …

OPS.2.3

OPS.2.3 Use of Outsourcing

In outsourcing, institutions (outsourcing users) outsource business processes or activities wholly or partly to one or more external service companies …

SYS.2.3

SYS.2.3 Clients Running Linux and Unix

In addition to Windows, Linux-based or, less commonly, Unix-based operating systems are being installed on an increasing number of clients. Examples of …

IND.2.4

IND.2.4 Machine

A machine is a technical device that performs automated tasks. A typical example is a machine tool that processes workpieces in a predefined manner. …

SYS.2.4

SYS.2.4 Clients Running macOS

macOS is a client operating system from Apple. macOS is based on Darwin, Apple's freely available Unix operating system, which in turn is built on the …

SYS.2.5

SYS.2.5 Client Virtualization

Client virtualization refers to the virtualized provisioning of clients. Clients can be virtualized both locally on a physical client and through a …

SYS.2.6

SYS.2.6 Virtual Desktop Infrastructure

A Virtual Desktop Infrastructure (VDI) controls and manages standardized virtual clients. This allows individual applications (e.g., office programs) …

IND.2.7

IND.2.7 Safety Instrumented Systems

Safety Instrumented Systems (SIS) form a subgroup of Industrial Control Systems (ICS). SIS are used to avert hazards to technical plants, the …

CON.3

CON.3 Data Backup Concept

Institutions store ever increasing amounts of data and are simultaneously ever more dependent on it. If data is lost, e.g. due to defective …

ORP.3

ORP.3 Information Security Awareness and Training

Employees are an important success factor for a high level of information security in an institution. It is therefore important that they know the …

APP.3.1

APP.3.1 Web Applications and Web Services

Web applications provide specific functions and dynamic (changing) content. For this purpose, web applications use the internet protocols HTTP …

DER.3.1

DER.3.1 Audits and Revisions

Audits and revisions are fundamental to every successful information security management system (ISMS). Only if established security measures and …

NET.3.1

NET.3.1 Routers and Switches

Routers and switches form the backbone of today's data networks. A failure of one or more of these devices can lead to the complete standstill of the …

SYS.3.1

SYS.3.1 Laptops

A laptop (also called a notebook) is a PC designed for mobile use. It has a compact form factor, integrates peripheral devices such as a keyboard and …

APP.3.2

APP.3.2 Web Servers

A web server is the core component of every web offering; it receives requests from clients and returns the corresponding content. Data is typically …

DER.3.2

DER.3.2 Revisions Based on the IS Revision Guide

A special form of revision is the information security revision (IS revision) based on the document Information Security Revision - A Guide for IS …

IND.3.2

IND.3.2 Remote Maintenance in Industrial Environments

The operational technology (OT) of an institution often has a decentralized infrastructure. Various areas of OT can be geographically far apart from …

NET.3.2

NET.3.2 Firewall

A firewall is a system of software and hardware components used to securely couple IP-based data networks. For this purpose, a firewall structure is …

OPS.3.2

OPS.3.2 Providing Outsourcing

In outsourcing, institutions (outsourcing users) outsource business processes or activities wholly or partly to one or more external service companies …

SYS.3.2.1

SYS.3.2.1 General Smartphones and Tablets

Smartphones are IT systems designed for mobile use with an adapted interface that can be operated with a large, typically touch-sensitive screen …

SYS.3.2.2

SYS.3.2.2 Mobile Device Management (MDM)

Smartphones, tablets, and phablets are an indispensable part of many employees' work. IT Operations must provide more and more such devices in many …

SYS.3.2.3

SYS.3.2.3 iOS (for Enterprise)

Due to modern, simple operating concepts and their high performance, smartphones and tablets are widely used today. This includes mobile devices …

SYS.3.2.4

SYS.3.2.4 Android

A widely used operating system for smartphones and tablets is Android from Google. Since version 4, Android has been gradually expanded for enterprise …

APP.3.3

APP.3.3 File Servers

A file server is a server in a network that centrally provides files from (internal) hard drives or network drives for all persons and clients with …

NET.3.3

NET.3.3 VPN

Virtual Private Networks (VPNs) can be used to transmit sensitive data over untrusted networks such as the Internet. A VPN is a virtual network that …

SYS.3.3

SYS.3.3 Mobile Phone

The mobile phones considered in this building block, also called "feature phones" or "dumbphones", have fewer features than a smartphone but offer …

APP.3.4

APP.3.4 Samba

Samba is a freely available software suite that can act as a full-featured Active Directory Domain Controller (ADDC), providing authentication, file, and print services, …

NET.3.4

NET.3.4 Network Access Control

Network Access Control (NAC) secures network access at the end device level through identity verification (authentication) and regulation …

APP.3.6

APP.3.6 DNS Server

The Domain Name System (DNS) is a network service used to translate hostnames of IT systems into IP addresses. DNS can be compared to …

ORP.4

ORP.4 Identity and Access Management

Access to an institution's protected resources must be restricted to authorised users and authorised IT components. Users and IT components must be …

NET.4.1

NET.4.1 PBX Systems

A telecommunications system (private branch exchange, or PBX for short) can internally connect the telephones of an institution and externally connect them to a public …

SYS.4.1

SYS.4.1 Printers, Copiers, and Multifunction Devices

Modern printers, copiers, and multifunction devices are complex devices that, in addition to mechanical components, contain their own operating …

APP.4.2

APP.4.2 SAP ERP System

Enterprise Resource Planning systems from SAP (SAP ERP systems for short) are used to automate and technically support internal and external business …

NET.4.2

NET.4.2 VoIP

Voice over IP (VoIP) refers to telephony over data networks, in particular over the Internet. Special signaling protocols are used to transmit …

APP.4.3

APP.4.3 Relational Databases

Database systems (DBS) are a frequently used tool to organize, create, modify, and manage large collections of data with IT support. A DBS consists …

NET.4.3

NET.4.3 Fax Machines and Fax Servers

This building block examines the security aspects of transmitting information via standard fax machines and fax servers. The transmitted information …

SYS.4.3

SYS.4.3 Embedded Systems

Embedded systems are information-processing systems integrated into a larger system or product. They perform control, regulation, and data processing …

APP.4.4

APP.4.4 Kubernetes

Kubernetes has established itself as the de facto standard for orchestrating containers in public and private clouds. Kubernetes is also used for IoT …

SYS.4.4

SYS.4.4 General IoT Device

Unlike classic end devices, devices with Internet of Things (IoT) functions are networked devices or objects that have additional …

SYS.4.5

SYS.4.5 Removable Storage Media

Removable storage media are often used to transport data, store it, or access it while mobile. Removable storage media include external hard drives, …

APP.4.6

APP.4.6 SAP ABAP Programming

Custom developments are frequently programmed in SAP systems. The reasons are varied — business processes or reporting requirements can be …

INF.5

INF.5 Room and Cabinet for Technical Infrastructure

A room for technical infrastructure contains technical components that rarely need to be operated directly on-site. However, they are indispensable …

ORP.5

ORP.5 Compliance Management (Requirements Management)

Every institution has relevant statutory, contractual, and other requirements, such as internal policies, that must be observed. Many of these …

APP.5.2

APP.5.2 Microsoft Exchange and Outlook

Microsoft Exchange Server (hereinafter referred to as "Exchange") is a groupware solution for medium to large institutions. It can be used to transmit …

APP.5.3

APP.5.3 General Email Client and Server

Email is one of the most widely used and oldest internet applications. Emails are used to send text and attached files. An email address is required …

APP.5.4

APP.5.4 Unified Communications and Collaboration (UCC)

Unified Communications refers to a service that combines various communication services in one application and typically also one soft client. This …

APP.6

APP.6 General Software

This building block encompasses all software under the term General Software, regardless of whether it is a word processor, an operating system, a …

CON.6

CON.6 Deletion and Destruction

Deletion and destruction constitute an essential component of the lifecycle of information on storage media. The term storage media in this building …

INF.6

INF.6 Storage Media Archive

Storage media archives are enclosed rooms within an institution in which storage media of all types are stored. These include not only storage media …

APP.7

APP.7 Development of Custom Software

Many institutions face challenges that they can no longer adequately address with off-the-shelf software. The tasks associated with these challenges …

CON.7

CON.7 Information Security during International Travel

Work-related travel has become part of everyday life in many institutions. In order to be able to work outside the regular working environment, it …

INF.7

INF.7 Office Workplace

An office room is the area within an institution where one or more employees are present to carry out their tasks. This building block describes the …

CON.8

CON.8 Software Development

Many institutions face challenges that can no longer be adequately addressed with a finished, unadapted software product. They require software …

INF.8

INF.8 Home Workplace

Teleworkers, freelancers, or self-employed persons typically work from home workplaces. In contrast to the workplace in the office, these employees …

CON.9

CON.9 Information Exchange

Information is transmitted between senders and recipients via different communication channels, such as personal conversations, telephone calls, …

INF.9

INF.9 Mobile Workplace

Good network coverage and powerful IT devices such as laptops, smartphones, or tablets enable employees to work from almost any location. This means …

CON.10

CON.10 Development of Web Applications

Web applications provide certain functions and dynamic (changing) content. For this purpose, web applications make documents and user interfaces …

INF.10

INF.10 Meeting, Event, and Training Rooms

As a rule, every institution has one or more rooms in which meetings, training sessions, or other events can be held. Specially equipped rooms are …

INF.11

INF.11 General Vehicle

Institutions use a wide variety of vehicles for short and long distances in many situations. In the context of this building block, vehicles are …

CON.11.1

CON.11.1 Protection of Classified Information VS-FOR OFFICIAL USE ONLY (VS-NfD)

State protection of classified information encompasses all measures to maintain the secrecy of information that has been classified …

INF.12

INF.12 Cabling

Proper and standards-compliant cabling is the foundation for secure IT operations. A fundamental distinction must be made between electrotechnical …

INF.13

INF.13 Technical Building Management

Building management (BM), also known as facility management, is responsible for all services arising during the planning and operational phases of …

INF.14

INF.14 Building Automation

Building Automation (BA; also Building Automation and Control Systems, BACS) fully or partially automates the cross-trade operation of buildings …