B3S and IT Security Law for KRITIS operators in the water/waste water sector


The BSI Act (BSIG), supplemented by the BSI-KRITIS Regulation and the IT security catalogue of the Federal Network Agency (BNetzA), establishes the minimum standards for information security.
Under §8a BSIG, operators of critical infrastructures must implement appropriate organisational and technical precautions that reflect the "state of the art" and demonstrate this to the Federal Office for Information Security (BSI) at regular intervals (every two years). One recognised way to do so is to implement the industry-specific security standard (B3S) for water/waste water, developed by the sector's industry associations and approved by the BSI in 2017.

An essential building block of this is an ISMS (Information Security Management System). Introducing one is not formally mandatory, but because procedures and rules have to be established to define, control, monitor and maintain information security over the long term, an ISMS is in practice the only way to meet these requirements reliably and sustainably.

As a basis for the B3S water/waste water implementation, it is recommended to establish an information security management system according to

  • ISO 27001 and/ or
  • the BSI standards (IT-Grundschutz)

in which the industry-specific requirements of the B3S can be integrated.

The B3S WA provides the framework for a thorough risk analysis. A risk analysis carried out according to its specifications estimates the likelihood of each identified risk occurring. On that basis, the operator determines which measures must be implemented urgently and which can be implemented later or, with justification, not at all.

The GRC/ISMS software QSEC offers comprehensive and sustainable support in the implementation of an information security management system and the requirements for KRITIS providers in the water/waste water sector according to the B3S WA.

The QSEC software provides modules for

  • Compliance
  • Data Protection Management
  • Risk Management
  • Security Incident Management and
  • Measures Management

and supports the implementation of the requirements of established standards such as ISO 27001 or the BSI standards (IT-Grundschutz).

All other relevant industry-specific requirements from the B3S can be implemented in QSEC.

With QSEC, the improvement of overall IT security according to the B3S, and thus compliance with the legal requirements, can be documented in an audit-proof manner. Workflow and wizard support help to involve employees from the specialist departments and to achieve high user acceptance of information security management.

Convince yourself of the performance of QSEC in a web demo.
