Regulatory requirements on KRITIS and business continuity management intertwine

Mr. Hörter, what are the framework conditions for the implementation of the KRITIS regulation in the pharmaceutical industry?

The statutory KRITIS (critical infrastructure operators) requirements place the focus on the information security management system (ISMS). The topic is becoming very important with the advancing digitalization of processes in the pharmaceutical industry. At the same time, the ISMS is an important element of the business continuity management system (BCMS), which is also required by law. This is where the standards and regulations of the BSI, which focuses on both topics, intertwine. In the pharmaceutical industry, it is therefore a matter of coordinating the ISMS with the BCMS and effective crisis management in order to make the company's critical business processes more resilient.

What exactly does that mean?

Where a computerized system with its functions replaces a manual process, there must not be a drop in process quality. In other words, the law requires that pharmaceutical digitalization must not lead to an increase in overall process risk with regard to patient safety, product quality and data integrity. The desired goal of the IT design is a fully automated and validated process configured in such a way that human intervention is reduced to a minimum. Compared to a manual approach, there is significantly less data integrity risk. Data integrity is a key ISMS protection objective. In addition, if a computer system is used to support critical pharmaceutical processes, it is required by law that the availability of the system must also be ensured. Therefore, in addition to KRITIS requirements and the ISMS, the pivotal point in the pharmaceutical industry is above all the legal requirement for business continuity management. And this in turn has a strong pillar in the ISMS. For the ISMS-BCMS combination, the BSI now offers a binding and easily applicable implementation framework with its updated 200-x series guidelines.

So the statutory KRITIS requirements can be combined with existing specifications in the industry?

Yes, exactly. An industry-specific standard (B3S) was defined as part of the KRITIS regulatory framework. The pharmaceutical industry developed this standard through its industry associations. Pharmaceutical companies subject to the KRITIS regulation that exceed the threshold of 4.65 million packages placed on the market per year are guided by this industry-specific security standard, which makes use of many existing elements from the statutory pharmaceutical requirements, when implementing the BSI guidelines.

What about companies that are below the threshold but have a high criticality for the entire value chain?

In law, they are not obliged to comply with the KRITIS and business continuity requirements. But in practice, it can be assumed that their customers will hold them accountable as service providers. This is because they must also operate risk management as a fixed element of the BSI methodology, which also focuses on third-party services. Wholesalers and manufacturers in the pharmaceutical industry must ensure that these more than 4.65 million packages placed on the market can also be produced and delivered. To do this, they must safeguard the entire value chain and impose conditions on partners that are very close to their own standards. Ultimately, the goal is that the chain can be restored within a certain time in the event of a disruptive event.

Both topics are therefore becoming increasingly urgent for the majority of companies in the pharmaceutical and medical technology sectors. Even if most of them are not directly legally obligated to meet the requirements due to the rather medium-sized structure of the industry.

In the pharmaceutical and medical technology sectors, are KRITIS or business continuity requirements driving this development?

Both of them are. For companies that are subject to the BSI-KRITIS regulation due to their business activities, taking into account the threshold values, an ISMS is mandatory. This system requires a BCMS as a logical continuation due to the underlying risk considerations and thus leads to strengthening the overall resilience of the non-digitalized process areas as well. However, an ISMS/BCMS combination also serves to cover the requirement of European pharmaceutical legislation for continuity of business operations for all companies not subject to KRITIS:

‘Where computerized systems support critical processes, provisions should be in place to ensure the continued support of these processes in the event of a system failure (e.g., through a manual or alternate system). The time required to bring these alternative procedures into operation should be determined in each case for a particular system and the processes supported, based on risk. These procedures should be adequately documented and tested.’

When securing these critical processes, it is necessary to consider a large number of resources in addition to IT, the availability of which must be ensured: Buildings, equipment, operating personnel, third-party services, but of course also IT and thus the ISMS. This is also the reason why the BSI's joint approach to the two topics for the pharmaceutical industry and medical technology also makes sense from an industry perspective.

How do the msg industry advisors support this?

In accordance with the new BSI standards, we enable industrial companies in the pharmaceutical industry and medical device sector to make their business processes more resilient, which they must do either based on legal requirements or for reasons related to their customer relationships. The new BSI standard gives us the necessary implementation methodology for this. We can therefore offer an implementation for these companies according to a graduated and tailored methodology described in BSI standard 200-4. This offers the possibility to start small with the most important processes (“Reactive BCMS”) and then to develop the BCMS as needed up to a possible ISO 22301 certification. In any case, the goal is to improve the overall resilience of the company based on its ability to be prepared for disruptive events. Our implementation model, based on industry and BSI standards, enables pharmaceutical and medical technology companies to increase their crisis resilience quickly and in a targeted manner.