IVDB Integration for German Statutory Health Insurance: B3S-Compliant ISMS Without CSV Pain

SecTepe Editorial

German statutory health insurance funds (GKV) have a very specific ISMS world: B3S (the industry-specific security standard) as the binding foundation, the IVDB (IT-Verbund-Datenbank) as the central source for IT procedures, and KZBV/GKV-SV with their own audit routines. Anyone deploying an ISMS tool here without understanding the IVDB spends the first three months manually copying IT procedures out of the IVDB.

What the IVDB Integration in SecTepe.Core Delivers

  • CSV/Excel import: current IVDB exports are read directly, with automatic field mapping to the internal asset/procedure model.
  • Conflict detection: existing entries are merged on re-import instead of duplicated. Conflicts are presented to the user for decision.
  • Live progress display: for large IVDB inventories (often 500+ procedures), the UI shows import progress and the count of new, changed, and deleted entries.
  • B3S-compliant data handling: all imported data is classified so B3S requirements (protection requirement determination, owners, retention periods) can be documented immediately.
  • Future API integration: the connector is prepared for a direct IVDB API as soon as one is released; CSV import remains as a fallback.

What Changes Operationally for the GKV

Before: three months of asset inventory via Excel, fed from IVDB CSV, manually dumped into the ISMS tool – with the usual Excel mistakes (cells shifted, encoding broken, leftover formulas).

After: three days to configure the mapping (which IVDB field to which ISMS asset field), first import in 30 minutes, follow-up imports automated.
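The import steps described above (field mapping, merge instead of duplicate, conflicts shown for decision) and the Excel mistakes listed here (shifted cells, broken encoding, leftover formulas) can be sketched as follows. This is an added example, not SecTepe.Core code: the column names, the semicolon delimiter, the Windows-1252 fallback and the sample rows are assumptions constructed for illustration.

```python
import csv, io

# Hypothetical mapping: export column -> internal asset field (constructed names).
FIELD_MAP = {"Verfahrens-ID": "id", "Bezeichnung": "name", "Verantwortlich": "owner"}
# Constructed sample export: Windows-1252 bytes, one row with a leftover formula.
SAMPLE = ("Verfahrens-ID;Bezeichnung;Verantwortlich\r\n"
          "V-001;Beitragseinzug;M\u00fcller\r\n"
          "V-002;=SUMME(A1:A3);Schmidt\r\n"
          "V-003;Krankengeld;Weber\r\n").encode("cp1252")
EXISTING = {"V-001": {"id": "V-001", "name": "Beitragseinzug", "owner": "Meier"},
            "V-009": {"id": "V-009", "name": "Archiv", "owner": "Koch"}}

def decode_export(raw: bytes) -> str:
    """Try UTF-8 (with or without BOM) first, then fall back to Windows-1252."""
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252")

def parse_export(raw: bytes, delimiter=";"):
    """Return (records keyed by id, rejected rows as (line number, reason))."""
    reader = csv.DictReader(io.StringIO(decode_export(raw), newline=""), delimiter=delimiter)
    missing = set(FIELD_MAP) - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export lacks mapped columns: {sorted(missing)}")
    records, rejected = {}, []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        rec = {dst: (row.get(src) or "").strip() for src, dst in FIELD_MAP.items()}
        if None in row or not rec["id"]:  # extra cells land under the key None
            rejected.append((line_no, "shifted cells or missing id"))
        elif any(v.startswith(("=", "+", "@")) for v in rec.values()):
            rejected.append((line_no, "leftover formula"))
        elif rec["id"] in records:
            rejected.append((line_no, "duplicate id in export"))
        else:
            records[rec["id"]] = rec
    return records, rejected

def reconcile(existing: dict, incoming: dict) -> dict:
    """Classify a re-import against the current inventory without applying it."""
    conflicts = {}
    for key in sorted(incoming.keys() & existing.keys()):
        diff = {f: (existing[key].get(f), v)
                for f, v in incoming[key].items() if existing[key].get(f) != v}
        if diff:
            conflicts[key] = diff  # field -> (current, imported), for the user to decide
    return {"new": sorted(incoming.keys() - existing.keys()),
            "deleted": sorted(existing.keys() - incoming.keys()),
            "conflicts": conflicts}
```

Rejected rows are reported with their line number instead of being imported, so a formula cell or a shifted row never reaches the asset inventory silently.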

Integration with Other ISMS Building Blocks

  • Risk module: imported procedures automatically get a risk assessment task in the queue.
  • Review cycle: every IVDB procedure receives an annual review task – see review cycle management.
  • Supplier mapping: procedures are linked to the corresponding processors / third parties – critical for Art. 28 GDPR.
  • Audit export: the B3S auditor receives a prepared report with IVDB references, protection requirement, and measure status.

Why This Is Interesting Beyond Statutory Health Insurance

The same problem (large, maintained, external data inventory → must enter the ISMS) exists in other regulated industries: energy utilities with IT network lists, KRITIS operators with asset registers, banks with MaRisk IT lists. The IVDB integration is reusable as a pattern – the connector is simply parameterized for the industry.

Realistic Limits

The integration saves the inventory hours, not the substantive evaluation. Protection requirement, risk, measures: that remains expert work. But without a clean asset list, no meaningful evaluation is possible. Anyone with a frictionless data source here recovers 60–70 % of the typical ISMS build effort.

Conclusion

Industry-specific integrations decide tool acceptance in regulated markets. A GRC platform that can read IVDB CSVs cleanly and map them in a B3S-compliant way will become standard in the GKV within a few years. Anyone building today should explicitly check this criterion in tool selection – not after contract signing.