News
With audits in accordance with BSI TR-03185, TÜVIT supports software manufacturers in rolling out security updates more quickly while remaining certification-compliant. The focus on tested development processes alleviates concerns about high recertification and maintenance costs, particularly for DiGA manufacturers.

Software must continuously evolve. Security vulnerabilities, regulatory requirements and functional improvements make regular updates essential. At the same time, certified products used to face a dilemma: every update could require a new conformity test - with corresponding time and cost expenditure.
With the technical guideline BSI TR-03185 "Secure Software Lifecycle", the German Federal Office for Information Security (BSI) has created a new approach. TÜVIT now offers audits in accordance with this guideline and supports manufacturers in providing security updates more quickly and in compliance with regulations - without having to worry about unnecessary re-certifications.
From product to process security: a paradigm shift
Until now, certification was always linked to a specific product version. Any change - even a security-critical patch - could result in the tested version no longer being considered compliant. There was a clear conflict of objectives, especially where security gaps had to be closed at short notice.
This is precisely where the BSI's new procedure comes in:
Instead of checking each individual version again, the quality of the development and change processes takes centre stage.
Certification in accordance with TR-03185 proves that:
This means that software updates can continue to be considered compliant without having to go through a complete recertification process every time.
Particularly relevant for DiGA manufacturers (TR-03161)
This approach is particularly important for manufacturers of digital health applications (DiGA). With regard to existing or planned certifications in accordance with BSI TR-03161, TR-03185 offers clear advantages:
It is worthwhile for affected manufacturers to familiarise themselves with the requirements of TR-03185 at an early stage.
Added value beyond the healthcare sector
TR-03185 is not limited to DiGA. All software manufacturers whose products are subject to high security requirements benefit from certification:
This makes TR-03185 a strategic instrument for combining security, agility and compliance.
With TR-03185, the BSI takes away manufacturers' worries that necessary software updates will become a certification trap. Instead, a modern, process-orientated proof of security is being created - and this is precisely where TÜVIT's new audit offer comes in.