"State of the art"
"State of the art" in IT security
When the German IT Security Act came into effect in July 2015, the IT Security Association Germany (TeleTrusT) launched the Task Force “State of the art” to provide interested parties with recommended actions and guidelines on the “state of the art” required for technical and organisational measures. To meet this difficult challenge, the Task Force established the following principles for developing, evaluating and updating the guidelines:
Basic understanding of the document
These guidelines are intended to provide companies using it and providers (manufacturers, service providers) alike with assistance in determining the “state of the art” within the meaning of the IT Security Act (ITSiG) and the General Data Protection Regulation (GDPR). The document can serve as a reference for contractual agreements, procurement procedures or the classification of security measures implemented.
These guidelines are considered a starting point for identifying statutory IT security measures. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.
Responsibility for development, evaluation and updating
The Task Force “State of the art” and the TeleTrusT working group “Law” are dedicated to answering the question of how to determine the state of the art within the meaning of the law in relation to technical and organisational measures and how to implement statutory requirements.
Understanding the approach
The Task Force achieves its results in a transparent process and puts the recommended actions and guidance up for public discussion in a regular updating procedure.
The Task Force bases its evaluation on a standardised method that is filled out and published for the individual measures under consideration. The method for evaluating the technology level of technical measures is described in chapter 2.2.
In order to keep pace with technological progress, regular updates and issues of these guidelines are scheduled. Currently the goal is to publish a new version of the guidelines every two years. Small adjustments and additions to the guidelines (such as new contributions to technical measures) during the year will appear in the form of revisions to the guidelines. These guidelines are considered a starting point for determining statutory IT security measures that correspond to the state of the art. They are not a replacement for technical, organisational or legal advice or assessment in individual cases.