Holistic & systematic: information security with "IT-Grundschutz"
As the threat of cybercrime and data breaches continues to grow, a robust information security strategy is essential.
With “IT-Grundschutz”, the German Federal Office for Information Security (BSI) provides companies with a methodology for comprehensively securing their data, systems and information and for successfully implementing an information security management system (ISMS).
Demonstrable holistic information security
The holistic approach supports you in comprehensively protecting information, data and existing IT and business processes.
Prevention instead of remediation
By implementing “IT-Grundschutz”, you can prevent IT outages and data loss, and with them the associated financial and reputational damage.
Tailor-made ISMS thanks to the modular principle
The modular structure of "IT-Grundschutz" allows flexible adaptation to the specific requirements of your company.
What is “IT-Grundschutz”?
"IT-Grundschutz" is a systematic approach developed by the German Federal Office for Information Security (BSI) to help companies and public authorities set up and maintain a tailor-made information security management system (ISMS) over the long term.
It takes a holistic approach to information security, focusing not only on technical aspects but also on infrastructural, organizational and personnel issues.
"IT-Grundschutz" is made up of:
- the BSI standards, which contain best practices for setting up an ISMS, and
- the IT-Grundschutz compendium, which contains specific security requirements.
“IT-Grundschutz”: An overview of the BSI standards
BSI-Standard 200-1
Defines general requirements for an information security management system (ISMS)
- Components of an ISMS
- Tasks of the management level
BSI-Standard 200-2
Explains how an ISMS can be built based on one of three different approaches:
- "Basic protection"
- "Standard protection"
- "Core protection"
BSI-Standard 200-3
Describes the risk analysis based on "IT-Grundschutz"
- Risk-related work steps in the implementation of “IT-Grundschutz”, in particular for target objects whose protection needs exceed the standard requirements or for which no suitable module exists
BSI-Standard 200-4
Provides practical guidance on how to set up & successfully establish a Business Continuity Management System (BCMS) in a public authority or company
“IT-Grundschutz”: Benefits at a glance
Fulfillment of BSI requirements
You implement the well-founded recommendations of the Federal Office for Information Security.
Reduction of IT outages
By uncovering vulnerabilities, you minimize IT security risks & their potential consequences such as outages.
Sustainable protection
With “IT-Grundschutz” you protect sensitive information and data as well as existing IT and business processes.
Holistic information security
The systematic approach covers technical, infrastructural, organizational and personnel aspects.
Increased trust
By fulfilling the “IT-Grundschutz” requirements, you increase the trust of your customers and business partners.
Raising employee awareness
The implementation of “IT-Grundschutz” raises awareness of information security within the company.
Modular structure
The large number of modules in “IT-Grundschutz” enables flexible adaptation to your own company.
Long-term cost savings
The optimization of processes & the prevention of security incidents lead to long-term cost savings.
Our services for “IT-Grundschutz”
Assessment of the IT security situation in your organization
Analysis & evaluation of information security management according to “IT-Grundschutz”
Performance of gap analyses to determine deviations
ISMS assessments by licensed & experienced ISMS auditors
Planning & performing of “IT-Grundschutz” audits as a basis for ISO 27001 certification
Planning & execution of supplier audits
"IT-Grundschutz" modules according to the "IT-Grundschutz" compendium
The IT-Grundschutz compendium organizes its modules into 10 layers (e.g. ISMS, ORP, CON, OPS, DER, APP, SYS, IND, NET and INF). Each module contains the most important requirements and recommendations for securing a particular type of system, process or component, from individual components to complex systems. Users select the modules that are relevant to their organization; the list below shows a selection of modules from the OPS, APP, SYS and INF layers. The current 2023 edition was published in February 2023 (the current English version dates from 2022).
OPS.1.1.2 Proper IT Administration
OPS.1.1.3 Patch and Change Management
OPS.1.1.4 Protection Against Malware
OPS.1.1.5 Logging
OPS.1.1.6 Software Tests and Approvals
OPS.1.1.7 System Management
OPS.1.2.2 Archiving
OPS.1.2.4 Teleworking
OPS.1.2.5 Remote Maintenance
OPS.1.2.6 NTP Time Synchronisation
OPS.2.1 Outsourcing for Customers
OPS.2.2 Cloud Usage
OPS.3.1 Outsourcing for Service Providers
APP.1.1 Office Products
APP.1.2 Web Browsers
APP.1.4 Mobile Applications (Apps)
APP.2.2 Active Directory
APP.2.3 OpenLDAP
APP.3.1 Web Applications and Web Services
APP.3.2 Web Servers
APP.3.3 File Servers
APP.3.4 Samba
APP.3.6 DNS Servers
APP.4.2 SAP ERP Systems
APP.4.3 Relational Database Systems
APP.4.4 Kubernetes
APP.4.6 SAP ABAP Programming
APP.5.2 Microsoft Exchange and Outlook
APP.5.3 General E-Mail Clients and Servers
APP.6 General Software
APP.7 Development of Individual Software
SYS.1.1 General Server
SYS.1.2.2 Windows Server 2012
SYS.1.3 Linux and Unix Servers
SYS.1.5 Virtualisation
SYS.1.6 Containerisation
SYS.1.7 IBM Z
SYS.1.8 Storage Solutions
SYS.2.1 General Client
SYS.2.2.2 Windows 8.1 Clients
SYS.2.2.3 Windows 10 Clients
SYS.2.3 Linux and Unix Clients
SYS.2.4 macOS Clients
SYS.3.1 Laptops
SYS.3.2.1 General Smartphones and Tablets
SYS.3.2.2 Mobile Device Management (MDM)
SYS.3.2.3 iOS (for Enterprise)
SYS.3.2.4 Android
SYS.3.3 Mobile Telephones
SYS.4.1 Printers, Copiers, and All-in-One Devices
SYS.4.3 Embedded Systems
SYS.4.4 General IoT Devices
SYS.4.5 Removable Media
INF.1 Generic Building
INF.2 Data Centre and Server Room
INF.5 Room or Cabinet for Technical Infrastructure
INF.6 Storage Media Archives
INF.7 Office Workplace
INF.8 Working from Home
INF.9 Mobile Workplace
INF.10 Meeting, Event, and Training Rooms
INF.11 General Vehicle
INF.12 Cabling
INF.13 Technical Building Management (TBM)
INF.14 Building Automation and Control Systems (BACS)
Certification according to "IT-Grundschutz"
ISO 27001 Certification based on "IT-Grundschutz"
If you have implemented an ISMS based on IT-Grundschutz, you have the option of obtaining “ISO 27001 based on IT-Grundschutz (BSI Standard 200-2: IT-Grundschutz methodology)” certification.
The certificate proves that your ISMS not only meets the general requirements of ISO 27001, but also the much more specific requirements of "IT-Grundschutz". The subject of certification does not necessarily have to be the entire company. It is also possible to limit certification to individual business processes, specialist tasks or organizational units.
Our BSI-certified auditors conduct audits in accordance with ISO 27001 on the basis of "IT-Grundschutz". Please feel free to contact us.
"IT-Grundschutz" vs. ISO 27001
Both "IT-Grundschutz" and ISO 27001 aim to improve IT security in companies and public authorities. However, there are differences between the two standards.
"IT-Grundschutz"
- Specialization on the German market & the specific requirements of organizations in Germany
- Comprehensive catalog of security measures with specific recommendations for the implementation of information security
- Flexibility through modular approach based on building blocks
- Stronger support through clear guidelines and guidance
ISO 27001
- Internationally recognized standard with worldwide applicability
- Defines basic, conceptual requirements for the ISMS and a high-level set of controls (Annex A), but does not prescribe specific technical security measures
- Flexibility in the individual implementation & design of the ISMS
- Generic design requires companies to take greater initiative
Frequently Asked Questions (FAQ):
Is "IT-Grundschutz" mandatory?
IT-Grundschutz is not directly mandatory for companies. However, there are some legal regulations that require an implemented ISMS, for example in accordance with ISO 27001 or IT-Grundschutz. One example is the NIS 2 Directive, whose security requirements are typically implemented by means of such an ISMS.
However, in view of the increasing cyber threat situation, a minimum level of IT security is generally advisable in any case in order to prevent downtime, financial damage or loss of reputation. IT-Grundschutz is a very good way for organizations to improve their own IT security.
Which approaches does "IT-Grundschutz" offer?
- Basic protection: Basic protection enables prompt implementation of the most important security requirements. The aim is to achieve broad, basic initial protection across all relevant business processes. Basic protection is particularly suitable for smaller institutions that are still at the beginning of their security process.
- Core protection: Core protection focuses on a small but very relevant part of an information network that is to be protected as a priority. It primarily addresses companies with a few business processes that are essential for the continued existence of the organization.
- Standard protection: Standard protection refers to the classic "IT-Grundschutz" approach in accordance with BSI Standard 200-2 and aims to provide comprehensive and in-depth protection for a company.
What are IT-Grundschutz profiles?
IT-Grundschutz profiles contain the individual steps of a security process for a defined area of application, e.g. for particular industries or sectors. They serve as templates that companies can use to secure their business processes effectively and with reduced effort.
An overview of the current IT-Grundschutz profiles can be found on the BSI website.
Does "IT-Grundschutz" cover data protection?
Yes, IT-Grundschutz also covers the topic of data protection, but not to the extent required by the General Data Protection Regulation (GDPR), for example. Companies that implement "IT-Grundschutz" can benefit from the security measures it contains, but must also take the additional data protection requirements into account.
Do you have questions? We are happy to help!