ISO/IEC 27019 & IT Security Catalogue

Your path to sector-specific ISMS certification

Implementing information security effectively in the energy sector – step by step towards fulfilling BNetzA requirements.
We support you from the initial analysis to the final audit and develop an ISMS tailored to your technical and regulatory needs.

ISO 27019 & IT Security Catalogue
Key Facts at a Glance

The IT Security Catalogue of the Federal Network Agency (BNetzA) and the ISO/IEC 27019 standard together form the sector-specific framework for information security in the energy industry.
While ISO 27019 adapts the requirements of ISO 27001 to the specific conditions of the energy sector, the IT Security Catalogue makes these requirements concrete for electricity and gas network operators in Germany.

The goal of both frameworks is to protect IT and OT systems – from corporate IT to control centers, remote-control technology, and SCADA systems – against cyberattacks, manipulation, and outages, thereby ensuring security of supply on a sustainable basis.

An ISMS in line with ISO 27019 and the IT Security Catalog offers you:

  • Tailored security requirements for the energy sector
  • Compliance with legal obligations (EnWG, BNetzA requirements, NIS2)
  • Protection of critical infrastructures and operational processes
  • Greater trust from customers, partners, and regulatory authorities

ISO 27019 & IT Security Catalogue made simple

ISO 27019 provides guidelines and recommendations for implementing information security measures in the energy sector. It covers organizational, technical, and physical measures – from risk analysis and control system protection to employee training.

The IT Security Catalogue of the BNetzA is based on ISO 27019 and requires network operators to implement a certified Information Security Management System (ISMS). It covers, among other things:

  • Network and system architecture – secure segmentation of IT and OT
  • Access and authorization management – clear roles and authentication procedures
  • Data integrity and availability – protection against loss, manipulation, and outages
  • Physical security – access controls and protection of critical facilities

How an ISMS works according to ISO 27019 & the IT Security Catalogue

First, all relevant systems, facilities, and processes are inventoried – from corporate IT to control centers and operating equipment. This is followed by a risk analysis in which threats and vulnerabilities are identified and assessed.

Based on this, targeted protective measures are implemented, such as:

  • Multi-level access controls for critical systems
  • Network segmentation between office IT and control technology
  • Securing remote access with VPN and strong authentication
  • Regular emergency drills and recovery plans

Through continuous review and improvement, the ISMS remains up-to-date and effective at all times.

The Path to Implementation

  • Planning – define goals, form project team, assign responsibilities
  • Gap Analysis – compare existing measures with ISO 27019 and BNetzA requirements
  • ISMS Development/Expansion – implement policies, processes, and controls
  • Integration – embed into operational and control system processes
  • Monitoring – ongoing monitoring, internal audits, and tests
  • Certification/Evidence – assessment by accredited bodies, reporting to BNetzA

Typical Challenges

The implementation of ISO 27019 and the IT Security Catalogue presents industry-specific and organizational challenges for many companies. The following issues occur particularly often:

  • Meeting strict regulatory deadlines
  • High technical requirements for OT security
  • Coordination between IT, network operations, and compliance teams
  • Dependence on manufacturers for security-relevant updates

Our Support

As experienced experts in information security for the energy industry, we support you from the initial assessment through to successful certification and the submission of evidence of compliance to the BNetzA.

Our services include:

  • Analysis of your current IT and OT security level
  • Establishment or expansion of an ISO 27001/27019-compliant ISMS
  • Implementation of the requirements of the IT Security Catalogue
  • Training and awareness measures for your staff
  • Preparation for internal audits and external assessments

This way, you not only meet legal requirements but also sustainably increase the security and resilience of your energy infrastructure.

Contact us

Do you have any questions or would you like a customized offer? Contact us – we will advise you personally and work with you to find the optimal solution.