Homepage » Robin Data ComplianceOS® » Inspection according to 8a BSIG
We take over the complete inspection in accordance with § 8a BSIG including audit and create your official verification document for the BSI. Get advice now."
Definition of test basis and scope, preparation of the test plan.
Document review, GAP analysis and evaluation of the measures.
On-site inspection including technical tests and effectiveness checks.
Final report, list of defects & official verification document for the BSI.
The IT Security Act requires operators of critical infrastructures to secure their IT systems according to the state of the art. According to BSIG proof must be submitted to the BSI every three years. Traditional certifications such as ISO 27001 or BSI IT-Grundschutz are not sufficient for this. Robin Data supports you with the Testing in accordance with BSIG and BSI-KRITIS.
We work closely with you to define the scope of the audit and draw up a detailed plan. We analyse your documentation, carry out a gap analysis and evaluate your measures. The audit includes an on-site inspection and technical tests. Finally, you receive a report with a list of deficiencies and the official BSI verification document.
Robin Data takes the pressure off your organisation and ensures that you are compliant and verifiably set up.
Determination of test basis, definition of test scope and area of application, implementation of GAP analysis
Evaluation of safety measures, review of documentation, review of implementation on site
Preparation of audit report for BSI, recording and evaluation of weak points and deficiencies
Documentation in the test report, recommendation to rectify defects, preparation for the next test
Our audit process - explained in a structured way
Request a quote for testing in accordance with § 8a BSIG and for official BSI verification
We will be happy to provide you with an offer that suits your needs.
Combine your desired compliance fields and functions
Implement GDPR-compliant documentation, use templates
Establish standards, increase information security
Improve processes, increase effectiveness and efficiency
Increase legal certainty and reduce liability risks
Identify, assess and manage risks
Assess protection needs and minimise failures
Conduct audits, continuously improve processes
Establish a court-proof reporting office for whistleblowers
Keeping an eye on key figures, evaluating performance
Record supplier risk, avoid grievances
Optimise workflows and automate processes
Connecting external systems and interacting across the board
Manage employee health and safety
Minimise environmental risks and raise environmental awareness
"We wanted a modern and digital implementation of our data protection management system. Robin Data convinced us with the functions, the many templates, the automation options and the very competent and friendly service as well as the cooperation with a partner nearby."
Data Protection Officer of Westpfalz-Klinikum GmbH
Who is authorised to carry out the audit?
The audit can only be carried out by specially qualified, independent "auditing bodies". These must provide certified auditors and provide evidence of the required test procedure expertise in accordance with Section 8a (3) BSIG.
Who is obliged to carry out an audit in accordance with BSIG and BSI-KRITIS?
All operators of so-called "critical infrastructures" (e.g. energy suppliers, waterworks, hospitals, telecommunications companies) are required by law to provide regular proof of their IT security. Whether you are affected depends, among other things, on your industry and company size.
How often does the proof have to be provided?
According to the BSIG, operators must submit proof of the effectiveness of their IT security measures to the BSI every three years. This applies on an ongoing basis, so you should plan for the next audit in good time to ensure that deadlines are met.
Is ISO 27001 certification or BSI IT-Grundschutz sufficient proof?
No. Certifications such as ISO 27001 or IT-Grundschutz are important foundations, but do not fulfil the formal requirements of BSI verification. An audit in accordance with BSIG & BSI-KRITIS, which fulfils the legal requirements, is mandatory.
What does the BSIG and BSI-KRITIS audit cost?
The costs for the audit depend on factors such as the size of the organisation. We therefore refer you to our free initial consultationin which the requirements are clarified. You will then receive a non-binding offer with an exact price that is specifically adapted to your needs.
How long does an audit usually take?
The duration depends on the size and complexity of your organisation. As a rule, you should allow several weeks, starting with the analysis phase and ending with the preparation of the final report. We create a customised schedule for you to ensure that all deadlines are met.
What advantages do I have if I carry out the audit with a specialised provider?
An experienced provider relieves your internal resources, carries out the audit efficiently and ensures that all legal requirements are met. You also benefit from practical recommendations for action that will strengthen your IT security beyond the audit period.
What happens if defects are found during the inspection?
Defects are not uncommon and can be rectified through targeted measures. We support you with structured defect management, document the improvements and thus optimally prepare you for the next inspection.
What is GAiN 2.1 and when does it apply?
GAiN (Common requirements in the verification procedure) defines the binding rules for verifications in accordance with Section 8a BSIG. From the 1 April 2025 Version 2.1 comes into force. It introduces more structured test reports, stricter requirements for checking the effectiveness of safety measures and clearer documentation of defects. In addition, in future, inspections may only be carried out by qualified inspectors with special inspection procedure expertise.
What impact does GAiN 2.1 have for critical infrastructure operators?
For operators, GAiN 2.1 means more extensive and detailed checks. IT security measures must not only be documented, but also tested in practice and proven to be effective. As evidence is required every two years It is advisable to carry out internal GAP analyses now, adapt processes and involve experienced auditors in order to avoid additional claims or sanctions.
The Robin Data GmbH team will advise you on our solutions without obligation and free of charge and answer your questions by phone or e-mail.
In the one-hour appointment, we present a function of our software solutions, such as the deletion concept or the TOMs, to you in detail.
Information Robin Data solutions, events and developments in compliance, data protection and information security.
Find out more about the functions of our Robin Data software and legal texts in the area of data protection in our Help Centre.
 |
 |
 |
 |
 |
