BSI IT-Grundschutz
The BSI IT-Grundschutz is a framework developed by the Federal Office for Information Security that provides companies and government agencies with a systematic methodology for implementing information security—featuring highly detailed, practical components.
The BSI IT-Grundschutz is the best-known German security framework and is published and maintained by the Federal Office for Information Security (BSI). It offers companies, government agencies, and institutions a systematic, highly practical methodology for implementing and operating an information security management system (ISMS). Unlike ISO 27001, IT-Grundschutz contains concrete, detailed implementation recommendations—not an abstract framework regulation.
History and Development
IT-Grundschutz was introduced in 1994 as the “IT-Grundschutz Handbook.” Over the years, it evolved from a collection of specific measures into a comprehensive ISMS methodology. The current modernized version (since 2017) has been fundamentally revised and is structured into four BSI standards that supplement the IT-Grundschutz Compendium.
The BSI Standards
BSI Standard 200-1: ISMS
Describes general requirements for an ISMS—compatible with ISO 27001. Specifies how an ISMS should be established, operated, and improved. This standard serves as the strategic foundation; technical implementation is covered in 200-2.
BSI Standard 200-2: IT-Grundschutz Methodology
The core component. Describes three approaches for applying IT-Grundschutz, depending on protection needs and available resources:
Basic Protection
Quick start for companies with limited resources, or as a first step. Focus on the most important basic protection requirements. Not a complete ISMS, but significantly better than no system at all.
Standard Protection
Complete IT-Grundschutz methodology with structural analysis, protection needs assessment, and modeling according to the IT-Grundschutz Compendium. Suitable for the vast majority of companies. Basis for ISO 27001 certification based on IT-Grundschutz.
Core Protection
Focuses on a company’s particularly critical assets (“crown jewels”). Ideal when not all systems can or should be included in the scope immediately.
BSI Standard 200-3: Risk Analysis
Complements Standard Protection with a comprehensive risk analysis for systems with enhanced protection needs, where the requirements of the IT-Grundschutz modules alone are not sufficient.
BSI Standard 200-4: Business Continuity Management
Describes the implementation of a BCM system according to BSI methodology, compatible with ISO 22301.
The IT-Grundschutz Compendium
The IT-Grundschutz Compendium (updated annually) is the actual working library. It contains modules—structured security requirements for specific subject areas. The 2023 Compendium comprises over 100 modules across ten layers:
| Layer | Example Modules |
|---|---|
| ISMS | ISMS.1 Security Management |
| ORP | ORP.1 Organization, ORP.2 Personnel, ORP.4 Identity and Authorization Management |
| CON | CON.1 Cryptographic Concept, CON.7 Information Security During International Travel |
| OPS | OPS.1.1.2 Proper IT Administration, OPS.2.2 Cloud Usage |
| DER | DER.1 Detection of Security-Related Events, DER.2.1 Incident Management |
| APP | APP.3.1 Web Applications, APP.4.3 Relational Database Systems |
| SYS | SYS.1.1 General Server, SYS.2.2.3 Windows Clients |
| IND | IND.2.1 General ICS Component (Critical Infrastructure) |
| NET | NET.1.1 Network Architecture, NET.3.2 Firewall |
| INF | INF.1 General Building, INF.8 Home Workplace |
Each module contains:
- Threats: What can go wrong?
- Requirements: What must be implemented? (Basic / Standard / Enhanced)
- Implementation Guidelines: How is it implemented in practice?
IT-Grundschutz vs. ISO 27001
| Feature | IT-Grundschutz | ISO 27001 |
|---|---|---|
| Publisher | BSI (Germany) | ISO/IEC (international) |
| Level of detail | Very high (specific measures) | Low (requirements only, no implementation guidance) |
| Target audience | Primarily Germany, government agencies | Global, all industries |
| Language | German (+ English translation) | English (+ translations) |
| Recognition | Strong in Germany, especially among government agencies | International standard |
| Effort | Higher (due to level of detail) | Lower for entry-level |
| Certification | ISO 27001 certificate based on IT-GS | ISO 27001 certificate |
Important: The BSI offers ISO 27001 certification based on IT-Grundschutz. This is accredited by DAkkS and is highly regarded in German government and industry. The IT-Grundschutz certificate itself (without ISO 27001) is available in three levels: Entry Level, Intermediate Level, and Certificate.
Who should use IT-Grundschutz?
Recommended for:
- Federal and state authorities (often mandatory)
- Companies working with public sector clients
- KRITIS operators (critical infrastructure)
- Companies seeking to comply with ISO 27001 and German regulatory requirements
- Defense contractors and VS-NfD processing
Better suited for ISO 27001 directly:
- Internationally active companies
- Companies serving customers in industries with no connection to Germany
- Startups with limited resources (basic security measures are still advisable as a starting point)
Practical tip: Get started with the IT-Grundschutz Check
The BSI provides a free IT-Grundschutz Check that assesses an organization’s maturity level. A good starting point is the Basic Security Check from BSI Standard 200-2, which can be conducted as a one-day workshop and identifies immediate quick wins.
About the Author
Dipl.-Math. (WWU Münster) and doctoral candidate at the Promotionskolleg NRW (Hochschule Rhein-Waal) with a research focus on phishing awareness, behavioral security, and nudging in IT security. Responsible for establishing and maintaining ISMSs, leads internal audits according to ISO/IEC 27001:2022, and advises as an external information security officer (ISB) in KRITIS sectors. Lecturer in Communication Security at Hochschule Rhein-Waal and NIS2 training lead at isits AG.
3 Publications
- Different Seas, Different Phishes — Large-Scale Analysis of Phishing Simulations Across Different Industries (2025)
- Self-promotion with a Chance of Warnings: Exploring Cybersecurity Communication Among Government Institutions on LinkedIn (2024)
- Exploring the Effects of Cybersecurity Awareness and Decision-Making Under Risk (2024)