Security Maturity of critical infrastructure operators in Germany, 2024

Introduction

Germany’s BSI (Federal Office for Information Security) is responsible for identifying and managing Critical Infrastructures (KRITIS) that are vital for public safety.

Critical infrastructure operators must prove to the BSI every two years that their IT security is up to date.

Maturity Level Definitions

Compliance with these requirements is evaluated through an audit based on the following maturity model:

  • Maturity level 1: An ISMS / BCMS is planned but not yet established.
  • Maturity level 2: An ISMS / BCMS is largely established.
  • Maturity level 3: An ISMS / BCMS is established and documented.
  • Maturity level 4: In addition to maturity level 3, the ISMS / BCMS was regularly reviewed for effectiveness.
  • Maturity level 5: In addition to maturity level 4, the ISMS / BCMS was regularly improved.

The BSI publishes a summary of KRITIS audit results on its KRITIS in Zahlen page. It’s a great initiative for bringing transparency, and I wish government agencies across the world would adopt this best practice.

You can find information about the official definition of these maturity levels here.

Infographic

After reviewing the data on the BSI’s KRITIS in Zahlen page, I created an infographic (focused on ISMS maturity levels) based on this information:

My 2 Cents

  • The Maturity Levels are pretty straightforward
  • IT & Telecom, Finance & Insurance and Water have a good percentage of entities in the highest level: Level 5
  • Transport & Traffic appears to be lagging
  • Water and IT & Telecom seem to have the highest sectoral average¹

How You Can Use This

You can adopt the same maturity level definitions for your individual controls… something like:

  • Maturity level 1: Control is planned but not yet implemented.
  • Maturity level 2: Control is largely implemented.
  • Maturity level 3: Control is implemented and documented.
  • Maturity level 4: In addition to maturity level 3, the control is regularly reviewed for effectiveness.
  • Maturity level 5: In addition to maturity level 4, the control is regularly improved.

If you have a Cybersecurity Maturity program, you can get a sense of where you stand in comparison to these sectors, especially in Germany.
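Putting the control-level scale and the sectoral comparison together, here is an added example (my own illustration, not part of the BSI data or the post above) of how you can score your controls on the 1–5 scale, compute the same distribution and average that the footnote describes for a sector, and measure the gap. The sector counts and control ratings below are constructed sample values, not figures from KRITIS in Zahlen; the control IDs are placeholders.

```python
from collections import Counter
from dataclasses import dataclass

LEVELS = (1, 2, 3, 4, 5)

# Control maturity definitions, mirroring the ISMS/BCMS scale used in the KRITIS audits.
LEVEL_DEFINITIONS = {
    1: "planned but not yet implemented",
    2: "largely implemented",
    3: "implemented and documented",
    4: "level 3 plus regularly reviewed for effectiveness",
    5: "level 4 plus regularly improved",
}


@dataclass
class MaturityProfile:
    total: int               # number of rated entities or controls
    share_by_level: dict     # level -> percentage of items at that level
    share_level5: float      # percentage at the highest level
    average: float           # mean level (a "sectoral average", as in the footnote)


def profile_from_counts(counts):
    """Build a profile from a {level: count} mapping, e.g. operators per level in one sector."""
    for level in counts:
        if level not in LEVELS:
            raise ValueError(f"maturity level must be 1..5, got {level!r}")
    total = sum(counts.values())
    if total == 0:
        raise ValueError("no rated entities")
    share = {lvl: round(100 * counts.get(lvl, 0) / total, 1) for lvl in LEVELS}
    average = round(sum(lvl * counts.get(lvl, 0) for lvl in LEVELS) / total, 2)
    return MaturityProfile(total, share, share[5], average)


def profile_from_ratings(ratings):
    """Build a profile from {control_id: level}, as you would rate your own controls."""
    return profile_from_counts(Counter(ratings.values()))


def compare_to_sector(own, sector):
    """Gap (own minus sector) in average level and in the share at level 5."""
    return {
        "average_gap": round(own.average - sector.average, 2),
        "level5_share_gap": round(own.share_level5 - sector.share_level5, 1),
    }


# Constructed sample counts (NOT BSI figures): operators per maturity level.
SECTOR_COUNTS = {
    "Water": {1: 0, 2: 1, 3: 4, 4: 5, 5: 10},
    "Transport & Traffic": {1: 2, 2: 5, 3: 8, 4: 4, 5: 1},
}

# Constructed ratings for an organisation's own controls (placeholder IDs).
OWN_CONTROLS = {
    "CTRL-01": 3, "CTRL-02": 4, "CTRL-03": 5,
    "CTRL-04": 2, "CTRL-05": 4, "CTRL-06": 3,
}


def main():
    own = profile_from_ratings(OWN_CONTROLS)
    print(f"Own controls: average {own.average}, {own.share_level5}% at level 5")
    for name, counts in SECTOR_COUNTS.items():
        sector = profile_from_counts(counts)
        gap = compare_to_sector(own, sector)
        print(f"{name}: average {sector.average}, {sector.share_level5}% at level 5, "
              f"gap vs own: {gap}")


if __name__ == "__main__":
    main()
```

The average is a plain mean of the ordinal levels, which is exactly the kind of derived number the footnote warns the BSI does not publish; it is useful for a quick ranking, but the share at level 5 and the full distribution tell you more about where the weak controls sit.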

You might also like…

  • If you are interested in doing a Cybersecurity Maturity Assessment, I have a template based on NIST CSF 2 here.
  • You can modify the maturity levels in the template based on the above approach.
  • I wrote about SAP achieving Tier 3 maturity here.

Dataset

I extracted data from the BSI site into Excel for analysis. Feel free to download it for your own use.


  1. This is from my own calculation. BSI does not publish any sectoral averages.