BSI IT-Grundschutz - Definition & Explanation

The BSI IT-Grundschutz is an information security framework developed by the Federal Office for Information Security (BSI). It provides German government agencies and companies with a structured, prescriptive methodology that includes specific implementation guidelines—in contrast to the risk-based, principle-oriented approach of ISO 27001. The BSI IT-Grundschutz Compendium is updated annually and currently comprises over 200 modules.

Definition and Objectives

IT-Grundschutz was introduced in 1994 and has been continuously developed since then. Since 2017, it has been harmonized with ISO 27001 and enables ISO 27001 certification based on IT-Grundschutz. The goal is to provide government agencies and companies with a comprehensive methodology that encompasses both risk management and specific technical and organizational measures.

Structure of the IT-Grundschutz Compendium

The compendium is divided into 10 layers:

Layer	Abbreviation	Contents
ISMS	ISMS	Security management (fundamentals)
Applications	APP	Office software, email, web browsers, ERP systems
Systems	SYS	Servers, clients, mobile devices, IoT
Infrastructure	INF	Buildings, data centers, cabling
Networks and Communication	NET	Network architecture, Wi-Fi, VPN
Industrial IT	IND	SCADA, ICS, automation technology
Operations	OPS	Patch management, data backup, logging
Detection and Response	DER	Monitoring, Forensics, Incident Management
Security Concept	CON	Cryptography, Data Protection, Outsourcing
Personnel	ORP	Organization, Awareness, Human Resources Management

Each module contains: a description of the threat landscape, requirements at three levels (Basic, Standard, Enhanced), and implementation guidelines.

The 3 Security Levels

BSI IT-Grundschutz distinguishes three security levels based on the protection requirements of the information to be secured:

Basic Security: Quick start for SMEs. Covers the most important security requirements with minimal effort. Suitable as a starting point or for systems with normal protection requirements.
Standard Protection: Full implementation of all Basic and Standard requirements. Basis for ISO 27001 certification based on IT-Grundschutz.
Core Protection: Protects particularly critical assets (so-called "crown jewels") with increased effort. Suitable when not all systems can be fully secured immediately.

BSI IT-Grundschutz vs. ISO 27001

Criterion	BSI IT-Grundschutz	ISO 27001
Approach	Prescriptive – specific catalogs of measures	Risk-based – principle-oriented
Origin	German BSI	International standard
Measures	~800 specific requirements	93 controls (Annex A)
Target Audience	Government agencies, KRITIS operators, German companies	Internationally active companies
Effort	Very high (complete documentation)	Scalable depending on scope
Certification	ISO 27001 possible based on IT-Grundschutz	ISO 27001 directly

Section 8a BSIG and KRITIS Obligation

Operators of critical infrastructure (KRITIS) pursuant to §8a of the BSI Act (BSIG) are required to implement security measures in accordance with the state of the art and to provide evidence of this to the BSI. IT-Grundschutz is the most important German reference for this evidence. KRITIS operators must pass an audit by the BSI or accredited auditors every two years.

BSI Basic Protection Certification

BSI Basic Protection certification is conducted in three stages:

Basic Protection Check: Self-assessment against all basic requirements – no external audit
Basic Certificate: Audit by a BSI-certified auditor against standard security measures
ISO 27001 Certificate based on IT-Grundschutz: Full certification by an accredited certification body – internationally recognized

AWARE7 recommends that companies without significant government involvement pursue the direct ISO 27001 path, as it is internationally recognized and meets broader market requirements with the same effort.