Project
City of Leipzig

Introduction of an information security management system

ISMS taking into account ISO/IEC 27001 and DIN VDE V 0832-700

The Traffic and Civil Engineering Office of the Leipzig City Administration (VTA Leipzig) employs approx. 340 people and takes care of all matters relating to the approx. 1,700 kilometers of roads, approx. 500 kilometers of bicycle facilities, approx. 350 bridges, approx. 423 traffic signals and approx. 58,000 light points. In addition to the construction, maintenance and expansion of visible infrastructure, such as roads and sidewalks, the Traffic and Civil Engineering Office is also an important source of impetus for Leipzig's traffic development.

As an operator of critical infrastructures within the meaning of the BSI Act and the BSI-KritisV, VTA Leipzig is obliged to provide evidence that it maintains an appropriate level of information security.

In 2020, secunet was commissioned with a security audit in the sense of a verification test and the subsequent design and introduction of an information security management system (ISMS), taking into account ISO/IEC 27001 and DIN VDE 0832-700 (industry-specific security standard for traffic control and guidance systems in municipal road traffic).

The project was divided into three phases: Phase I (analysis phase) included a detailed inventory including the preparation of a project plan for all planned activities as well as the review or adaptation of the scope and the preparation of the proof according to § 8a BSIG.

Phases II and III (conception and implementation phase) included the implementation of the planned activities and thus the establishment of an ISMS. In particular, the secunet ISMS construction kit was used to create the framework and rules. This enabled the ISMS guideline, the ISMS organizational guideline and other documents of the set of rules, including an ISMS manual with a description of the continuous improvement process, to be created in a short time.

For the management of information security risks, a uniform and transparent risk management system was implemented that meets the requirements of ISO/IEC 27001 and B3S - DIN VDE V 0832-700 (for example, in terms of the hazards to be considered).

To determine the assets to be analyzed, the physical infrastructures within the ISMS scope, the staff employed, and the systems and components with the technologies used and their communication links were considered. The risk analyses were carried out and the results were transferred to a risk treatment plan, which was handed over to the office management for approval.


As part of the project, the content of an e-learning module on information security was reviewed for appropriateness. In addition to the e-learning, webinars were held in which employees were made aware of the legal background (§ 8a BSI Act), the topic of CRITIS and the resulting consequences for VTA Leipzig, as well as the introduction of an ISMS.


An internal audit was planned and implemented to conclude the project and prepare for the next verification audit in accordance with Section 8a BSIG. To ensure the objectivity and impartiality of the audit process, the internal audit was conducted by secunet employees who were not involved in the ISMS implementation project. The result of the internal audit was provided to VTA Leipzig in the form of an audit report. Finally, a project completion workshop was held. In this workshop, the development of the ISMS was presented based on the findings of the first verification audit and the internal audit report. The workshop also provided an outlook on topics to be considered and clarified which existing gaps should be addressed as a matter of priority.

