IT Security Catalogue pursuant to Section 11 (1a) EnWG – Certification of your Information Security Management System (ISMS) for network operators
On this page
- What is the IT Security Catalogue pursuant to Section 11 (1a) EnWG?
- Benefits of certification to the IT Security Catalogue pursuant to Section 11 (1a) EnWG
- Process of a certification procedure
- Your path to certification to the IT Security Catalogue pursuant to Section 11 (1a) EnWG
- Certification by RSM Certification
- Get in touch without obligation
- FAQ – your questions about the IT Security Catalogue pursuant to Section 11 (1a) EnWG answered
What is the IT Security Catalogue pursuant to Section 11 (1a) EnWG?
To protect against threats to the telecommunications and electronic data processing systems necessary for secure network operation, minimum standards are set out in the so-called "IT Security Catalogues". The IT Security Catalogue pursuant to Section 11 (1a) EnWG applies specifically to operators of electricity and gas networks.
With the adoption of the IT Security Catalogue pursuant to Section 11 (1a) EnWG, network operators were required to introduce and have audited an ISMS to ISO/IEC 27001 in conjunction with ISO/IEC 27002 and ISO/IEC TR 27019. Clauses 4–10 of ISO/IEC 27001 set out the guidelines and principles for initiating, implementing, operating and improving the ISMS, while the Annex to ISO/IEC 27001 and ISO/IEC 27019 set out the controls that must be implemented.
Responsibility for implementing the requirements of the IT Security Catalogue lies exclusively with the operators of an electricity or gas network (listed with the Federal Network Agency under a corresponding operating number). This applies regardless of whether a network operator operates an electricity or gas network as owner or under a lease model. This means that operators of energy supply networks whose systems, applications and components fall within the scope of the IT Security Catalogue, but which are operated entirely by one or more third parties, must be certified.
Benefits of certification
Process of a certification procedure
The general certification cycle is designed for three years due to the validity of the certificates and consists of the following phases:
- Initial certification
- Stage 1 audit (document review / adequacy review of the ISMS)
- Stage 2 audit (effectiveness review of the ISMS)
- First surveillance audit (no later than 12 months after the certificate is issued)
- Second surveillance audit (approx. 24 months after the certificate is issued)
Your path to IT Security Catalogue pursuant to Section 11 (1a) EnWG
Submit an enquiry and optionally arrange an introductory meeting via video call at short notice
Quotation
Complete our basic data as a basis for an initial understanding of your organisation and for preparing the quotation
Place the order with RSM Certification GmbH and jointly coordinate the next steps (including scheduling)
Only for an initial certification: to gain a better understanding of your organisation and your ISMS, we usually carry this out in a joint remote session. Aim: to determine certification readiness
Conducting the Stage 2 audit / recertification audit, the effectiveness review of your ISMS
Technical review of the auditor(s)' documentation and the certification decision by RSM Certification GmbH
Issuing the certificate
Handover of the audit report, the certificate and the certification seal
Reviewing the continuous development of the ISMS as part of the surveillance audits
Certification by RSM Certification GmbH
Would you like us to certify you? Feel free to get in touch with us without obligation.
Get in touch without obligation
FAQ
The requirements for the effort calculation under the IT Security Catalogue are very similar to those of ISO/IEC 27001. However, the IT Security Catalogue gives rise to specific requirements for electricity and gas networks that must be taken into account accordingly. These requirements can be found in the "Conformity assessment programme for the accreditation of certification bodies". These include, for example, the auditing of so-called unmanned operating sites.