BSI – Federal Office for Information Security

What does the Federal Office for Information Security (BSI) do?

The BSI is the central cyber security authority in Germany and is responsible for protecting the IT systems and digital security of the federal government, as well as citizens, the economy and critical infrastructures. It develops security standards, analyzes and evaluates threats and vulnerabilities in IT systems and advises both public and private stakeholders. The BSI is also an important authority in the area of incident response, i.e. the response to cyber attacks. In detail:

  • Advice and support: The BSI advises authorities, companies and citizens on all information security issues.
  • Creation of security standards: Among other things, the BSI develops IT baseline protection, a collection of recommendations for securing IT infrastructures.
  • Certification: Companies and products can be certified by the BSI for security requirements.
  • Crisis management: In the event of major IT security incidents, such as the “Wannacry” attack, the BSI provides crisis management and supports the authorities and affected companies.

Which IT security standards does the BSI recommend?

The BSI recommends a series of IT security standards that are recognized at national and international level. The most important of these are

  • BSI IT-Grundschutz: A comprehensive set of rules that is particularly suitable for setting up and operating an information security management system (ISMS). It includes the structuring of IT security processes and helps to identify and eliminate vulnerabilities.
  • ISO/IEC 27001: This standard describes how a company or organization implements an information security management system (ISMS). It focuses on systematic risk management and continuous improvement.
  • KritisV and KRITIS protection: Extended security requirements apply to critical infrastructures, which are specified in the BSI’s KRITIS regulation.

In addition to these core standards, the BSI also issues industry-specific recommendations and guidelines, for example for the healthcare, energy supply and financial sectors.

How does the BSI protect critical infrastructures (KRITIS)?

Critical infrastructures (KRITIS) are systems and facilities whose failure could have a serious impact on society – such as energy supply, transportation or healthcare services. The BSI protects these systems in several ways:

  • Legal requirements: Operators of critical infrastructures are legally obliged to meet certain security standards. The BSI reviews these requirements and supports companies in implementing suitable protective measures.
  • KRITIS monitoring and early warning systems: The BSI monitors threats in real time and warns companies of potential dangers at an early stage, e.g. through the CERT-Bund (Computer Emergency Response Team), which issues security alerts.
  • Audits and certifications: Companies can be certified by the BSI to ensure that they meet the required IT security standards.
  • Crisis coordination: In the event of major attacks or disruptions, the BSI coordinates emergency measures and is in close contact with other national and international security authorities.

What is BSI basic protection?

BSI baseline protection is a comprehensive IT security framework that helps companies and authorities to systematically protect their IT systems. It is based on a modular structure and contains recommendations on how typical IT infrastructures can be secured. Important elements of BSI baseline protection are

  • Building blocks: These are specific recommendations for action for different IT systems (networks, servers, applications, etc.).
  • Threat catalog: A collection of potential threats that may be relevant for different building blocks.
  • Catalog of measures: Detailed instructions on how hazards can be addressed and minimized.

BSI baseline protection is particularly helpful for companies that want to implement an information security management system (ISMS) in accordance with ISO/IEC 27001.

How can I report a security vulnerability to the BSI?

The BSI has special procedures for reporting security vulnerabilities. Companies or IT security researchers in particular can use these to report vulnerabilities in software, systems or critical infrastructures. The process usually looks like this:

  • Contact: Security vulnerabilities can be reported by e-mail or via a special reporting form. Important information such as the type of vulnerability, affected systems and possible avenues of attack should be included.
  • Confidentiality: The BSI treats such reports confidentially to ensure that the vulnerability does not become public before it is fixed.
  • Coordination: The BSI coordinates with the affected companies or software manufacturers to rectify the vulnerability.

For larger incidents, there is also the CERT-Bund, which deals specifically with the response to IT security incidents in government and KRITIS networks.

What role does the BSI play in cyber attacks?

The BSI is the central authority in Germany when it comes to defending against and managing cyber attacks. Its role encompasses several aspects:

  • Monitoring and threat analysis: The BSI continuously monitors the national IT network for threats and carries out analyses of cyberattacks.
  • Coordination of defense measures: In the event of large-scale attacks – for example on critical infrastructures – the BSI coordinates emergency measures with the affected organizations, other authorities (e.g. the police or the Federal Office for the Protection of the Constitution) and international partners.
  • Advice and prevention: The BSI provides information on how companies and authorities can prevent cyberattacks or at least minimize their impact.
  • Crisis management: In the event of a crisis, the BSI conducts detailed analyses in cooperation with CERT-Bund and other stakeholders and initiates immediate measures.

What recommendations does the BSI make for the protection of private data?

The BSI provides numerous tips for protecting personal data in everyday life. The most important ones include:

  • Strong passwords: Use of long, complex passwords and the use of a password manager.
  • Updating software: Regular updates of operating systems and applications to close known security gaps.
  • Two-factor authentication: Activate this function wherever possible, e.g. for email services, social media or online banking.
  • Beware of phishing: Recognize fraudulent e-mails that want to steal personal data and do not click on suspicious links.
  • Encryption of data: Use encryption tools to protect particularly sensitive data, e.g. when communicating by email or storing data on external hard drives.

What is the “BSI warning” and where can I find it?

The BSI regularly issues security alerts when it identifies new vulnerabilities or threats in the IT world. These can relate to software products (e.g. Windows, iOS), hardware or specific threats (e.g. ransomware campaigns). You can find the latest warnings on the BSI website in the “Security warnings” section or in the CERT-Bund Twitter feed. You can also sign up for email newsletters to receive the latest warnings directly.

How can my company become BSI-certified?

In order to obtain BSI certification, companies must go through a special process. There are various certificates, e.g. for IT products or information security management systems (ISMS). The process usually includes:

  • Auditing by the BSI or authorized auditors.
  • Compliance with the requirements set out in the relevant guidelines, such as IT baseline protection or ISO/IEC 27001.
  • Regular audits to ensure compliance with standards.

What services does the BSI offer for companies?

The BSI offers many services for companies, especially in the area of IT security:

  • Consulting and training: Companies can benefit from advice on improving their IT security measures and take part in training courses or webinars.
  • Certification and audits: The BSI offers certifications that companies can use as proof of their IT security standards.
  • Security alerts and threat information: Companies are given access to the latest security alerts and can access the BSI’s expertise in the field of threat analysis.

Cookie Consent with Real Cookie Banner