For DENIC, as part of the critical infrastructure in Germany, certification in accordance with ISO 27001 is not only a matter of course, it is also a fundamental basis for providing proof of compliance with KRITIS requirements. In 2022, the international standard for an Information Security Management System (ISMS) was comprehensively revised and expanded to include eleven new security measures. Technological, organizational, physical and human requirements are taken into account. Three of the new topics are particularly important: “threat intelligence”, which is closely linked to the KRITIS requirements from the BSIG (systems for attack detection); information security for the use of cloud services; and measures to prevent data leaks.
Reason enough for DENIC to prepare for these new requirements and to make use of the already proven cooperation with the neighboring registries nic.at (Austria) and SWITCH (Switzerland). These meetings have been taking place since 2014 and this time the two-day internal audit took place in Frankfurt in April. The security experts reviewed the measures already implemented at DENIC on the basis of the new ISO standard and found no shortcomings. They merely gave a few helpful hints for continuous improvement, which DENIC's Information Security Team gladly accepted.
"We feel very well prepared for the official audit in September 2024 and have received good tips for optimizing our security processes thanks to the open and transparent cooperation," says Daniel Kremer, Chief Information Security Officer at DENIC.
The existing certificates according to the old standard (ISO/IEC 27001:2013) are still valid until October 2025. By then at the latest, an organization must have undergone an audit proving that its Information Security Management System (ISMS) has been converted successfully to the new version (ISO/IEC 27001:2022).