What is "state of the art" in IT security?

ENISA and TeleTrusT - IT Security Association Germany have published their guidelines in English

In many European countries, national legislators are pursuing the objective of reducing the deficiencies in IT security. In addition, the General Data Protection Regulation (EU) 2016/679 (GDPR) with its high requirements for technical and organisational measures has been in force since 25 May 2018. Both legal sources are demanding that IT security be brought up to the level of "state of the art", but do not say what should be understood by this in detail. In Germany, TeleTrusT - IT Security Association Germany has written guidelines that are published in English in cooperation with the European Union Agency for Network and Information Security (ENISA).

Daily reports on security incidents in companies and authorities show that there is an urgent need for action to improve IT security. Article 32 of the GDPR regulates "security of processing" to ensure that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, appropriate technical and organisational measures are implemented. This provision is aimed at ensuring a level of protection appropriate to the risk.

The document published on the "state of the art" in IT security provides concrete advice and recommendations for action. These guidelines are intended to assist companies and providers (manufacturers, service providers) alike in determining the "state of the art" within the meaning of the IT security legislation. The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures already implemented. It is not a replacement for technical, organisational or legal advice or assessment in individual cases.
The document will support companies in all EU countries in identifying the required level of security in the field of IT security.

Dr. Udo Helmbrecht, ENISA Executive Director: "ENISA continues its work in supporting the EU Member States by contributing to this handbook. The articles are designed to provide concrete information and recommendations on how to improve IT security. This booklet should be a useful guide to IT practitioners who have the responsibility for complying with legislation."

TeleTrusT Chairman Prof. Dr. Norbert Pohlmann: "By determining the state of the art, we will be able to adequately increase the level of IT security, strengthen our robustness against cyber attacks and thus significantly reduce the risk of ongoing digitalisation."
TeleTrusT Board Member Karsten U. Bartels: "The consideration of the state of the art is a technical, organisational and legal task for companies and authorities. The guidelines help very specifically at these three levels - both in the operative implementation and in the documentation."

English version: https://www.teletrust.de/en/publikationen/broschueren/state-of-the-art-in-it-security/
German version: https://www.teletrust.de/publikationen/broschueren/stand-der-technik/


ENISA - European Union Agency for Network and Information Security

The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. The Agency is located in Greece, with its seat in Athens and a branch office in Heraklion, Crete. Since it was set up in 2004, ENISA has actively contributed to a high level of network and information security (NIS) within the Union, to the development of a culture of NIS in society and to raising awareness of NIS, thus contributing to the proper functioning of the internal market. The Agency works closely together with Member States and the private sector to deliver advice and solutions. This includes the pan-European Cyber Security Exercises, the development of National Cyber Security Strategies, CSIRT cooperation and capacity building, as well as studies on secure cloud adoption, addressing data protection issues, privacy enhancing technologies and privacy in emerging technologies, eIDs and trust services, identifying the cyber threat landscape, and others. ENISA also supports the development and implementation of the European Union's policy and law on matters relating to NIS.
https://www.enisa.europa.eu

TeleTrusT - IT Security Association Germany

The IT Security Association Germany (TeleTrusT) is a widespread competence network for IT security comprising members from industry, administration, consultancy and research as well as national and international partner organisations with similar objectives. With its broad range of members and partner organisations, TeleTrusT embodies the largest competence network for IT security in Germany and Europe. TeleTrusT provides interdisciplinary fora for IT security experts and facilitates information exchange between vendors, users, researchers and authorities. TeleTrusT comments on technical, political and legal issues related to IT security and organises events and conferences. TeleTrusT is a non-profit association whose objective is to promote information security professionalism, awareness and best practices in all domains of information security. TeleTrusT is the carrier of the "European Bridge CA" (EBCA; a PKI network of trust) and of the IT expert certification schemes "TeleTrusT Information Security Professional" (T.I.S.P.) and "TeleTrusT Professional for Secure Software Engineering" (T.P.S.S.E.), and it provides the trust seal "IT Security made in Germany". TeleTrusT is a member of the European Telecommunications Standards Institute (ETSI). The association is headquartered in Berlin, Germany.
https://www.teletrust.de