Federal agencies in Germany are required to fully implement IT-Grundschutz according to the specifications of the Federal Implementation Plan. In addition to being required to create and implement a security concept, they are also required to follow the specifications in BSI standards 100-1 [BSI1] and 100-2 [BSI2] as well as to check the success of their implementation through IS audits. In order to maintain and continuously improve information security. The organisation’s management is responsible for the initiation and management of the information security process, including IS audits as integral part of the information security management process