Skip to main content

Critical Infrastructure Audits

  • The IPG method for meeting critical infrastructure requirements
  • Check permissions and how they are assigned
  • Successful critical infrastructure audits per §8a (3) BSIG
  learn more

Critical infrastructure audits per §8a (3) BSIG For organizations that operate critical infrastructure as defined in the German Information Security Act (BSIG), IPG's standardized methodology based on the B3S Guidelines can ensure these infrastructures can withstand any audit.

Guaranteed availability

Operators of critical infrastructure have two essential obligations:
a) To avoid disruptions in service by taking adequate precautions
b) To report significant material disruptions to the Federal Information Security Office (BSI)

The overarching objective is to guarantee the availability of this critical infrastructure. The measures taken are checked not to determine their economic efficiency, but instead to ensure that they are effective in achieving this overall objective. Specifically, "Organizational and technical precautions are appropriate if the effort involved is not disproportionate to the consequences of a failure or impairment of the affected critical infrastructure."

Industry-specific security standards

Critical infrastructure audits per §8a (3) BSIG examine how well companies have met these required precautions. When this requirement was established, the lawmakers granted industry associations to set up industry-specific security standards (B3S) for BSI approval. If a company implements these guidelines and passes an internal audit every two years, the BSI will assume that all the requirements have been met.

IPG's methods based on the BSI B3S guidelines ensures that your infrastructure will be ready for these audits. IPG also provides experienced IT experts and auditors with extended qualifications to perform §8a (3) BSIG audits.


  • IPG's methods for appropriate technical and organizational measures
  • Ensuring problem-free critical infrastructure audits
  • Expanding client expertise with regard to BSIG matters

Our services

IPG's methodology uses three closely interlinked elements to protect against threats:

  • Information security management processes (ISMS) appropriate for SMEs
  • Role-based rights modeling and automation with authorization checks
  • Supplementary protection of areas with increased or high protection requirements through multi-factor authentication as well as monitoring and control of privileged access (by in-house or third-party employees)

IPG has internal auditors with supplementary §8a (3) BSIG audit expertise who can help you perform your required critical infrastructure every two years.

Publications on the subject KRITIS