IT security: Apply for certification of persons
Service Description
As the central certification body for IT security in Germany, the Federal Office for Information Security (BSI) currently offers you 9 certifications that prove your specialist knowledge of the BSI's technical guidelines. The certifications are generally aimed at employees of IT security service providers.
- Audit team leader for ISO 27001 audits based on IT baseline protection
  - As the holder of this certificate, you will audit the technical and organizational measures of authorities or companies.
  - You will prepare audit reports that form the basis for the certification of authorities or companies by the BSI.
  - Certification as an audit team leader is aimed at employees of accredited bodies.
- Auditor De-Mail
  - Messages and documents are sent electronically via De-Mail reliably and protected against alteration.
  - With your status as a certified person, you check, among other things, whether De-Mail service providers comply with the security requirements.
  - You must already be certified as an audit team leader in order to obtain certification for De-Mail audits.
- Information security auditor (IS auditor)
  - You will support organizations in the creation and implementation of security concepts and in carrying out IS audits.
- Auditor Secure CA Operation
  - Among other things, you audit security measures for managing and issuing digital certificates (Certification Authority, CA). These are a central basis for the secure electronic exchange of encrypted documents.
- Auditor Smart Meter Gateway Administration
  - You will audit the operation and administration of smart information networks in the energy supply sector and work on a central component of the energy transition.
- Auditor for secure e-mail transport
  - Among other things, you check how e-mail service providers have implemented the relevant BSI technical guideline.
- Auditor RESISCAN
  - With replacement scanning (RESISCAN), the judiciary, authorities and businesses digitize documents such as files. The aim is that these no longer need to be kept on paper.
  - Among other things, you check scanning processes and create reports on compliance with the BSI Technical Guideline.
- IS penetration tester
  - IS penetration tests examine paths and interfaces through which hacking attacks could be carried out on IT systems.
  - As the holder of this certificate, you will identify configuration errors and vulnerabilities that have not yet been remedied.
- IT baseline protection consultant
  - You will advise and support companies or authorities in securing information and setting up an information security management system (ISMS).
  - Tasks within the scope of IT baseline protection are, for example, security concepts or the introduction of processes.
You must submit your application for certification online or in writing to the BSI.
Process flow
You can apply for certification and recertification of a person online or in writing to the Federal Office for Information Security (BSI).
Online procedure
- Call up the online application assistant.
- The online application assistant will guide you step by step through the application and the relevant details and documents for your desired certification.
- Upload the necessary documents (e.g. certificates or external specialist certificates) as a file (PDF, maximum 5 megabytes per document).
- After logging into your citizen account and confirming with the online ID function of your ID card, you can send the application to the BSI.
- The BSI will check whether you meet the admission requirements and whether your certificates of professional competence meet the requirements.
- If you have any questions or doubts, the BSI will contact you. You can then submit additional or further evidence.
- If you meet the admission requirements, the BSI will invite you to a workshop and examination as part of the so-called competence assessment, depending on the certification you are aiming for. The appointments usually take place on site at the BSI.
- You will be informed of the test results promptly. If you do not meet the requirements, you can repeat the examination once. If you do not meet the requirements even after repeating the test or if you cancel your participation 3 times without a valid reason, the procedure will be terminated. You will then receive a fee notice for the costs incurred up to that point.
- If the examination result is positive, you will receive a certificate and a fee notice from the BSI.
- Unless you object, the BSI will publish your certification, the period of validity, your name and your professional or private address on its website.
- The 3-year validity period of your certification starts. During this period, please have your services confirmed by your clients by means of proof of activity.
- For recertification, you will then submit evidence of your activities to the BSI, which will be weighted according to a points system.
- Alternatively, you can go through the initial certification process again.
- You must also prove to the BSI that you are constantly developing your professional skills and taking into account changes in practice, relevant standards and other requirements. The BSI can also assess your work (for example by accompanying an audit day).
In writing by post
- Download the application for the desired certification from the BSI website and print it out.
- Send the completed and signed application to the BSI together with the necessary documents (e.g. copies of certificates and external certificates of professional competence).
- The BSI will check whether you meet the admission requirements and whether your certificates of professional competence meet the requirements.
- If you have any questions or doubts, the BSI will contact you. You can then submit additional or further evidence.
- If you meet the admission requirements, the BSI will invite you to a workshop and examination as part of the so-called competence assessment, depending on the certification you are aiming for. The appointments usually take place on site at the BSI.
- You will be informed promptly of the test result. If you do not meet the requirements, you can repeat the examination once. If you do not meet the requirements even after repeating the test or if you cancel your participation 3 times without a valid reason, the procedure will be terminated. You will then receive a fee notice for the costs incurred up to that point.
- If the examination result is positive, you will receive a certificate and a fee notice from the BSI.
- Unless you object, the BSI will publish your certification, the period of validity, your name and your professional or private address on its website.
- The 3-year validity period of your certification starts. During this period, please have your services confirmed by your clients by means of proof of activity.
- For recertification, you will then submit evidence of your activities to the BSI, which will be weighted according to a points system.
- Alternatively, you can go through the initial certification process again.
- You must also prove to the BSI that you are constantly developing your professional skills and taking into account changes in practice, relevant standards and other requirements. The BSI can also assess your work (for example by accompanying an audit day).
Requirements
Applications can be submitted by
- natural persons
Further requirements:
- Audit team leader:
  - You have
    - completed relevant vocational training (e.g. degree in IT or information security) and/or comparable in-service training or
    - at least 8 years of professional experience in the field of IT, including at least 5 years in the field of information security.
  - You work as an auditor for an accredited certification body in the field of ISO 27001 and have conducted at least 1 ISO 27001 certification audit within the last 3 years.
  - You can demonstrate the following practical experience:
    - Variant 1: In the past 3 years you have taken part in 4 certification audits in the area of information security with at least 3 person days each as an auditor, trainee or technical expert under the following conditions:
      - At least 1 audit was carried out consistently in accordance with BSI Standard 200-2 "IT-Grundschutz approach".
      - The total scope of your practical or audit experience comprises at least 20 person days.
      - You were involved in the entire audit for at least 3 of the audits.
    - Variant 2: In the past 3 years you have taken part in at least 6 first-party audits or second-party audits in the area of information security with at least 3 person days each under the following conditions:
      - At least 1 audit for which you were responsible was carried out consistently in accordance with BSI Standard 200-2 "IT-Grundschutz approach".
      - The total scope of your practical or audit experience comprises at least 20 person days.
      - You were involved in the entire audit for all audits.
  - You have successfully participated in a 3-day IT-Grundschutz training course within the last 3 years.
  - You have successfully completed at least 5 days of training as an auditor for ISO 27001.
  - You have passed the written exam for audit team leaders (90-minute test).
- Auditor De-Mail:
  - You are already certified as an audit team leader.
  - You have conducted at least 3 complete certification audits in the area of ISO 27001 on the basis of IT-Grundschutz in the past 3 years.
- IS auditor:
  - You are already certified as an audit team leader.
  - You have deepened your expertise (one-day BSI training course) and passed a written and oral examination as part of the training course.
- Auditor Secure CA Operation:
  - Requirements as for certification as audit team leader
  - Additionally: You have passed a written test of the BSI.
- Auditor Smart Meter Gateway Administration:
  - Requirements as for certification as audit team leader
  - Additionally: You have passed a written examination of the BSI (60-minute test).
- Auditor for secure e-mail transport:
  - You have completed relevant professional training (for example, a degree in IT or information security) and/or appropriate in-service training.
  - You have at least 4 years of professional experience in IT in the last 8 years, of which at least 2 years in the field of information security.
  - If training or further training does not apply to you, you can also provide evidence of the following:
    - You have at least 6 years of professional experience in the field of IT, including at least 4 years in the field of information security.
  - You have passed a two-part BSI examination (60-minute multiple-choice test, 120-minute practical test using a test system).
- Auditor RESISCAN:
  - You have completed relevant professional training (e.g. a degree in IT or information security) and/or appropriate in-service training.
  - You have at least 3 years of professional experience in the field of IT in the last 5 years, of which at least 2 years in the field of information security.
  - If training or further training does not apply to you, you can also provide evidence of the following:
    - You have at least 5 years of professional experience in the field of IT, including at least 3 years in the field of information security.
  - You are licensed as an auditor by an accredited certification body in the area of ISO 27001 or
  - You are already certified as an audit team leader.
  - You have conducted at least 1 ISO 27001 certification audit or 1 certification audit in the area of BSI TR03138 within the last 3 years.
  - You have passed a written examination of the BSI (multiple-choice test). If you have already carried out certification audits in the RESISCAN area, the BSI can waive the written test.
- Penetration tester:
  - You have specialized, practical professional experience in the field of IT or information security, for example in
    - system administration,
    - network protocols,
    - programming languages,
    - IT security products (e.g. firewalls, intrusion detection systems),
    - application systems.
  - You are employed by a BSI-certified IT security service provider in the field of penetration testing.
  - As part of a project day at the BSI, your practical expertise and personal requirements are tested, for example
    - your specialist knowledge,
    - the handling of tools and vulnerability scanners and
    - your creative approach to carrying out penetration tests.
- IT baseline protection consultant:
  - You have already successfully qualified as an IT baseline protection practitioner (at least 3-day IT baseline protection basic training course with subsequent examination at a training provider).
  - You have at least 5 years of subject-specific, practical professional experience in the IT field within the last 8 years, of which at least 2 years in the field of information security.
  - You have at least 5 years of experience in the implementation of IT baseline protection requirements.
  - You have worked in a leading role on consulting projects in the past 3 years, in which
    - implementation of IT baseline protection was an essential component and
    - the total scope of your work amounted to at least 40 person days.
  - The objectives of your consulting projects were
    - the complete introduction of an information security management system (ISMS) in accordance with BSI Standard 200-2 or
    - the creation of IT security concepts, emergency concepts or
    - risk documentation in accordance with IT baseline protection.
  - You have taken part in an advanced training course to become an IT-Grundschutz consultant with a training provider.
  - You have passed the examination to become an IT baseline protection consultant at the BSI.
Which documents are required?
The following must be submitted with the application:
- Audit team leader:
  - Certificate of your training qualification in the field of IT or information security or
  - Certificate of your training qualification and certificates of participation in further training or
  - Certificate or confirmation from a third party (e.g. your employer) about your professional experience
    - The certificate or confirmation must indicate the nature and scope of your activities (e.g. by means of a brief description of your activities)
  - Certificates obtained from your certification audits or
  - Brief reports on your practical experience confirmed by the client or employer
    - The short reports must show
      - the main objectives and the subject of the audit,
      - the audit procedure (document review, on-site review, audit report),
      - the distribution of roles in the audit, in particular your position/responsibility,
      - the period and scope (person days) of the audit.
  - Confirmation of your employment as an auditor
  - Proof of DAkkS accreditation of your employer or the commissioning certification body (e.g. copy of the accreditation certificate)
  - Attendance certificates, examination certificates or certificates obtained for basic IT security training and auditor training for ISO 27001
- Auditor for De-Mail:
  - Documents as for the certification as audit team leader
  - Additionally: valid audit team leader certificate
- IS auditor:
  - Certificate of your training qualification and certificates of participation in further training courses or
  - Certificate of your educational qualification in the field of IT or information security or
  - Certificate or signed confirmation from a third party (e.g. your employer) of your professional and audit experience
    - Your certificates or evidence must show the nature and scope of your activities (e.g. by means of a brief description of your activities)
  - Brief reports on your audit experience confirmed by the client or employer
    - The short reports must show
      - the main objectives and the subject matter of your audits
      - the audit procedure
      - the distribution of roles in the audit
      - your position/responsibility in the audit
      - the period and scope (person days) of the audit
  - If available: valid audit team leader certificate
- Auditor Secure CA Operation:
  - Certificate of your training qualification in the field of IT or information security or
  - Certificate of your training qualification and certificates of participation in further training courses or
  - Certificate or signed confirmation from a third party (e.g. your employer) of your professional experience in the field of IT and information security
    - The certificate or confirmation must indicate the nature and scope of your activities (e.g. by means of a brief job description)
  - Proof of DAkkS accreditation of your employer or the commissioning certification body (e.g. copy of the accreditation certificate)
  - Proof of your approval as an auditor or
  - Valid audit team leader certificate
- Auditor Smart Meter Gateway Administration:
  - Certificate of your training qualification in the field of IT or information security or
  - Certificate of your training qualification and certificates of participation in further training courses or
  - Certificate or signed confirmation from a third party (e.g. your employer) regarding your professional experience
    - The certificate or confirmation must indicate the nature and scope of your activities (e.g. by means of a brief job description)
  - Certificates obtained from your certification audits or
  - Brief reports on your practical experience confirmed by the client or employer
    - The short reports must show
      - the main objectives and the subject of the audit,
      - the audit procedure (document review, on-site review, audit report),
      - the distribution of roles in the audit, in particular your position/responsibility,
      - the period and scope (person days) of the audit.
  - Confirmation of your employment as an auditor
  - Proof of DAkkS accreditation of your employer or the commissioning certification body (e.g. copy of the accreditation certificate)
  - Attendance certificates, examination certificates or certificates obtained for basic IT security training and auditor training for ISO 27001
- Auditor for secure e-mail transport:
  - Certificate of your training qualification in the field of IT or information security or
  - Certificate of your training qualification and certificates of participation in further training courses
  - Certificate or confirmation from a third party (e.g. your employer) of your professional experience with an overview of the activities carried out
  - Proof of your accreditation as an auditor
- Auditor RESISCAN:
  - Certificate of your training qualification in the field of IT or information security or
  - Certificate of your training qualification and certificates of participation in further training courses
  - Certificate or confirmation from a third party (e.g. your employer) about your professional experience
    - The certificate or confirmation must indicate the nature and scope of your activities (e.g. by means of a brief description of your activities)
  - Certificates obtained and short reports confirmed by the client or employer
  - Proof of DAkkS accreditation of your employer or the commissioning certification body (e.g. copy of the accreditation certificate)
  - Proof of your approval as an auditor or
  - Valid audit team leader certificate
- Penetration tester:
  - Certificate or confirmation from a third party (e.g. your employer) and/or
  - Further proof of your professional, practical and project experience as well as your specialist knowledge in the field of penetration testing (e.g. training certificates)
    - The evidence must show the nature and scope of your specific experience (for example, by means of a brief job description)
  - Proof of certification from your employer:
    - BSI certificate of the IT security service provider (copy) or
    - Copy of the application for certification as an IT security service provider
- IT baseline protection consultant:
  - Curriculum vitae (education, work and project history)
  - Certificate of the last educational qualification
  - Certificate or confirmation from a third party (e.g. your employer) of your professional experience in the field of IT, information security and the implementation of IT baseline protection requirements
  - Brief reports on your practical experience confirmed by the client or employer
    - The documents must show
      - the main objectives of your consulting activities
      - the basis of your consulting activities (e.g. the relevant BSI standards)
      - the distribution of roles in the project, in particular your position and responsibilities
      - the period and scope (person days) of the project
  - Proof that you have passed the IT-Grundschutz practitioner examination (e.g. final test)
  - Certificate of participation in the advanced training course for IT-Grundschutz consultants
Note:
Please refer to the procedure description and the program on the BSI website for the current and legally binding information on the evidence to be provided.
What are the fees?
- Certifications are charged on a time and material basis. Please refer to the Fee Ordinance for exact details.
What deadlines do I have to pay attention to?
- for the application for personal certification: none
- for the application for recertification: at the earliest 6 months before expiry of the 3-year period of validity and at the latest 6 weeks before expiry of your certification complete with supporting documents
Processing duration
- for processing the application: usually about 3 months from application to certificate issue.
Legal basis
- Section 9 (2) of the Act on the Federal Office for Information Security (BSI Act - BSIG)
- Special Fee Ordinance of the Federal Ministry of the Interior, Building and Community for individually attributable public services in its area of responsibility (BMIGebV)
- Ordinance on the procedure for issuing security certificates and recognitions by the Federal Office for Information Security (BSI Certification and Recognition Ordinance - BSIZertV)
- Annex 1 Part A Section 1 Number 1 of the General Fees Ordinance (AGebV)
Applications / forms
Appeal
- Objection
Forms: yes
Online procedure possible: yes
Written form required: yes
Personal appearance required: yes
- Application for (re-)certification as audit team leader on the website of the Federal Office for Information Security
- Application for (re-)certification as a De-Mail auditor on the website of the Federal Office for Information Security
- Application for (re-)certification as an IS auditor on the website of the Federal Office for Information Security
- Application for (re-)certification as an auditor for Secure CA Operations on the website of the Federal Office for Information Security
- Application for (re-)certification as an auditor for Smart Meter Gateway Administration on the website of the Federal Office for Information Security
- Application for (re-)certification as an auditor for secure e-mail transport on the website of the Federal Office for Information Security
- Application for (re-)certification as an auditor RESISCAN on the website of the Federal Office for Information Security
- Application for (re-)certification as a penetration tester on the website of the Federal Office for Information Security
- Application for (re-)certification as an IT baseline protection consultant on the website of the Federal Office for Information Security
Further Information
Author
The text was automatically translated based on the German content.
- Certification of persons: issuance
Remark: name of the service in the source portal
Approved by
Federal Ministry of the Interior, Building and Community (BMI)
Approved on
26.05.2021
Source: Zuständigkeitsfinder Thüringen (Linie6PLus)
Competent Authority
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Address
53175 Bonn
Postal address
53111 Bonn
Opening times
Call times:
Monday 08:00 - 18:00
Tuesday 08:00 - 18:00
Wednesday 08:00 - 18:00
Thursday 08:00 - 18:00
Friday 08:00 - 18:00
Bank account
Recipients: Bundeskasse Trier
Bank: Deutsche Bundesbank, Filiale Saarbrücken
BIC: MARKDEF1590
IBAN: DE81590000000059001020
Notes on the intended use:
You will find the reference number in your cost assessment notice.