A question that comes up again and again is which German laws have a particular influence on an information security management system (ISMS). It is not an easy one for information security officers to answer, especially if they have not studied law or have so far avoided the relevant literature. Knowledge of these laws is nevertheless central when you have to write the specifications, concepts and guidelines for an ISMS. I have often used the following laws when creating my own guidelines and recommend them as reading tips. You will of course have to make your own selection appropriate to your organisation.
The following overview and information is of a general nature and intended for educational purposes only. It is not intended to be exhaustive, does not constitute legal advice, and should not be construed as such.
Abbreviation | Title / Article / Paragraph | Remarks | Integration into the ISMS (if applicable) |
---|---|---|---|
AktG | Stock Corporation Act § 91 para. 2 | Still in force; § 91 para. 3 (risk management system for listed companies) was added in 2021. | The early risk detection system required by § 91 para. 2 must cover IT risks, so risk identification and monitoring are to be integrated into the ISMS risk management processes. |
BDSG | Federal Data Protection Act | The revised BDSG of 2018 is again simply called the BDSG; it has been amended several times, most recently in the course of the GDPR. | Data protection management must be integrated into the ISMS, including the technical and organisational measures needed to comply with the BDSG. |
BSI-KritisV | BSI Critical Infrastructures Ordinance | Still in force; defines which facilities count as critical infrastructures (KRITIS) and the applicable thresholds. | Requirements for securing critical infrastructures must be included in the ISMS policies and measures. |
BSIG | Act on the Federal Office for Information Security | Supplemented by the IT Security Act 2.0. | Minimum requirements for IT security measures and the associated reporting obligations must be taken into account in the ISMS, especially for KRITIS operators. |
BetrVG | Works Constitution Act (in particular § 87 para. 1 no. 6) | Still in force | The works council must be involved in security processes, particularly when introducing technical measures that can monitor employee behaviour or performance, such as logging or monitoring systems. |
EU GDPR | European General Data Protection Regulation | Still in force and, together with the BDSG, forms the basis of data protection in Germany. | The ISMS must implement measures to comply with the GDPR, including secure processing, backup and deletion of personal data (Art. 32 GDPR, security of processing). |
GeschGehG | Trade Secrets Act | Still in force | A trade secret is only protected by the act if its owner takes reasonable confidentiality measures; the ISMS must therefore document and implement them, e.g. classification, access controls, encryption and need-to-know restrictions. |
GG | Basic Law, Articles 2 and 10 | Still in force | The right to informational self-determination (Art. 2 para. 1 in conjunction with Art. 1 para. 1) and the privacy of correspondence, posts and telecommunications (Art. 10) must be taken into account when planning ISMS processes such as monitoring and e-mail filtering. |
GmbHG | Limited Liability Companies Act § 43 para. 1 | Still in force | The managing directors' duty of care extends to IT security; management responsibilities for information security must be defined in the ISMS. |
GoB | Principles of proper accounting | Still in force | The ISMS must ensure the integrity and availability of accounting data and of the systems that process it. |
GoBD | Principles for the proper management and storage of books, records and documents in electronic form and for data access | Still in force | Electronic storage, archiving and data access processes must be designed in the ISMS so that they comply with the GoBD (immutability, traceability, retention periods). |
GoDV | Principles of proper data processing | Still in force | The ISMS must ensure that data processing is GoDV-compliant through documentation and regular audits. |
HGB | Commercial Code §§ 238-239, 257-261 and § 37a in conjunction with § 257; see also §§ 145-147 AO | Still in force | Data integrity, availability and retention of commercial records in IT systems must be ensured in the ISMS in accordance with the HGB. |
IT-SiG 2.0 | IT Security Act 2.0 | Expands and updates the previous IT security legislation; in force since 2021. | The ISMS must take into account the extended requirements of the IT Security Act 2.0, especially for KRITIS operators (e.g. attack detection systems). |
KonTraG | Act on Control and Transparency in the Corporate Sector | Still in force | Risk management and transparency requirements must be integrated into the ISMS strategy. |
LkSG | Supply Chain Due Diligence Act | Passed in 2021, in force since 1 January 2023. | Supplier risk management, complaint procedures and the related documentation and reporting obligations should be aligned with the ISMS's supplier and third-party security processes. |
NIS2 | NIS-2 Directive | Still needs to be transposed into national law. Not yet directly applicable in Germany; transposition expected in 2024/2025. | Future integration into the ISMS, particularly to meet extended security requirements and incident reporting obligations. |
SGB | Social Code, Book I § 35 and Book X §§ 67-78 | Still in force | Protecting social data requires specific data protection measures in the ISMS. |
StGB | Criminal Code § 202a, § 202b, § 202c, § 206, § 263a, §§ 268-274, § 303a, § 303b, § 317 | Still in force | Security measures to prevent, detect and respond to cybercrime must be taken into account in the ISMS; § 202c is also relevant when acquiring or using security testing tools. |
SÜG | Security Clearance Act | Still in force | Where applicable, employees with access to classified information must undergo security clearance. |
TKG | Telecommunications Act | Has been amended several times, most recently in 2021, among other things to implement new EU requirements. | Requirements for the security of telecommunications services must be implemented in the ISMS. |
TKÜV | Telecommunications Surveillance Ordinance | Still in force | Where the company is an obligated telecommunications provider, the ISMS must ensure that lawful interception is implemented in a legally compliant and secure manner. |
TMG | Telemedia Act | Still in force, but recently adapted slightly in view of the GDPR. | The ISMS must ensure the requirements for the protection of personal data in telemedia. |
TTDSG | Telecommunications-Telemedia Data Protection Act | New since December 2021; combines aspects of the GDPR and the BDSG with regard to telemedia and telecommunications. | Protection of user data (e.g. cookie consent, secrecy of telecommunications) and compliance with communication regulations must be taken into account in the ISMS. |
UrhG | Copyright Act §§ 69a ff., § 106 | Still in force, most recently supplemented by the Copyright Service Provider Act (UrhDaG) and further amendments. | Protection of intellectual property and of software (licence compliance, prevention of unlicensed copies) must be ensured in the ISMS through appropriate measures. |
VwVfG | Administrative Procedure Act § 30 | Still in force | Relevant for public authorities: the ISMS must ensure the confidentiality of the personal and business secrets that parties disclose in administrative procedures. |
... | |
It is often forgotten that, in addition to the laws themselves, other regulatory requirements must also be taken into account when creating guidelines. Examples are:
Abbreviation | Title |
B3S | Industry-specific security standards (for KRITIS sectors) |
BAIT | Banking supervisory requirements for IT |
IT-SiKat | IT security catalogue according to § 11 para. 1a/1b EnWG |
VAIT | Insurance supervisory requirements for IT |
... | |
Contractual requirements, such as mandatory security measures, reports or reporting deadlines, also play an important role. Many companies (e.g. VW, BMW, Porsche) specify reporting deadlines and reporting channels for relevant security incidents in their purchasing conditions. The ENX Association (which operates TISAX) and DEKRA also require notification of relevant changes in the company.
The chief information security officer must therefore always review the contents of customer contracts and incorporate the relevant requirements into their processes, concepts and guidelines.
In summary: at least those legal, regulatory and contractual requirements that have a direct impact on security objectives, internal rules, risk assessments, measures, deadlines, and escalation and reporting channels must be identified, documented, evaluated and taken into account in the ISMS. If the information security officer neither knows nor considers this information, there is a great risk that the ISMS will ultimately not fulfil its purpose.