A state authority publishes a tender for IT services. The procurement conditions demand certification “to ISO 27001 on the basis of IT-Grundschutz” — the formal name for the German counterpart to the plain ISO certification. Without familiarity with the module concept, modelling and the table of elementary threats, preparing the bid becomes a gamble.
BSI IT-Grundschutz is the methodology for information security in Germany developed by the Federal Office for Information Security (BSI). It combines a management system (BSI Standard 200-1, compatible with ISO 27001) with a module-based concept: for each asset type the Compendium provides concrete requirements, graded by basic, standard and elevated protection needs.
What does the standard cover?
IT-Grundschutz consists of two main parts: the BSI Standards (methodology) and the IT-Grundschutz Compendium (content).
The BSI Standards 200-x
- BSI 200-1 — Management systems for information security (ISMS): describes the ISMS requirements in alignment with the main body of ISO 27001. Following 200-2 automatically fulfils the ISO 27001 requirements.
- BSI 200-2 — IT-Grundschutz methodology: defines the three approaches basic, standard and core safeguarding as well as the steps structure analysis, protection needs determination, modelling and basic security check.
- BSI 200-3 — Risk analysis on the basis of IT-Grundschutz: methodology for assets with elevated protection needs or without a matching module.
- BSI 200-4 — Business Continuity Management: a dedicated standard for BCM, aligned with the IT-Grundschutz framework.
The three approaches
- Basic safeguarding: a quick entry point that implements the basic requirements of all relevant modules. The result is the BSI “Basic Safeguarding” attestation, not a full ISO 27001 certification.
- Standard safeguarding: complete implementation per 200-2 — including standard requirements of all modules. Prerequisite for certification “ISO 27001 on the basis of IT-Grundschutz”.
- Core safeguarding: starts with the business-critical “crown jewels” and expands later. Suitable for organisations with clearly identifiable core assets.
The IT-Grundschutz Compendium
The Compendium is the content part of IT-Grundschutz. It is structured in ten layers:
- ISMS — Security management
- ORP — Organisation and personnel
- CON — Concepts and approaches
- OPS — Operations
- DER — Detection and response
- APP — Applications
- SYS — IT systems
- IND — Industrial IT
- NET — Networks and communication
- INF — Infrastructure
Each module contains a description, threat landscape, requirements (basic, standard, elevated) and references to elementary threats. The requirements are concretely worded (“MUST …” for basic, “SHOULD …” for standard).
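The 200-2 steps named above (structure analysis, protection needs determination, modelling, basic security check) and the basic/standard/elevated requirement levels can be expressed as a small target/actual comparison. The following is an added example, not code from BSI or from any Grundschutz tool; module IDs, requirement IDs and the asset inventory are constructed placeholders, and the 200-3 trigger (elevated need or no matching module) follows the rule stated later on this page:

```python
from dataclasses import dataclass, field

# Constructed sample catalogue: module IDs and requirement IDs are placeholders,
# not entries from the real IT-Grundschutz Compendium.
MODULES = {
    "SYS.X1": ("server", [("SYS.X1.A1", "basic"), ("SYS.X1.A5", "standard"),
                          ("SYS.X1.A9", "elevated")]),
    "APP.X1": ("webapp", [("APP.X1.A1", "basic"), ("APP.X1.A4", "standard")]),
}
# Requirement levels each BSI 200-2 approach must implement; core safeguarding is
# treated like standard safeguarding but is run only over the crown-jewel assets.
APPROACH_LEVELS = {"basic": {"basic"}, "standard": {"basic", "standard"},
                   "core": {"basic", "standard"}}
ELEVATED = {"high", "very high"}

@dataclass
class Asset:
    name: str
    kind: str                  # target object type from the structure analysis
    need: str                  # protection need: "normal", "high" or "very high"
    status: dict = field(default_factory=dict)  # requirement id -> "yes"/"partial"/"no"

def model(asset):
    """Modelling: pick every module whose target object type matches the asset."""
    return [mid for mid, (kind, _) in MODULES.items() if kind == asset.kind]

def basic_security_check(assets, approach):
    """Target/actual comparison: returns unmet requirements per asset and the
    assets that need a BSI 200-3 risk analysis (elevated need or no module).
    Basic safeguarding never triggers 200-3 and ignores elevated requirements."""
    report = {"gaps": {}, "risk_analysis": []}
    for a in assets:
        modules = model(a)
        if approach != "basic" and (a.need in ELEVATED or not modules):
            report["risk_analysis"].append(a.name)
        wanted = set(APPROACH_LEVELS[approach])
        if approach != "basic" and a.need in ELEVATED:
            wanted.add("elevated")
        report["gaps"][a.name] = [
            rid for mid in modules for rid, lvl in MODULES[mid][1]
            if lvl in wanted and a.status.get(rid, "no") != "yes"]
    return report

# Constructed sample inventory from a structure analysis.
ASSETS = [
    Asset("web01", "server", "normal", {"SYS.X1.A1": "yes", "SYS.X1.A5": "partial"}),
    Asset("portal", "webapp", "high", {"APP.X1.A1": "yes", "APP.X1.A4": "yes"}),
    Asset("plc-line3", "industrial", "high"),  # no matching module in the catalogue
]
```

Running `basic_security_check(ASSETS, "standard")` lists the partially implemented standard requirement on web01 as a gap and flags portal (high need) and plc-line3 (no module) for a 200-3 risk analysis; the same inventory under basic safeguarding produces no gaps and no 200-3 entries.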
Certification process
Certification is performed by BSI-certified lead auditors from accredited certification bodies, under formal mandate from BSI.
Phase 1 — document review. Security policies, structure analysis, protection needs determination, modelling, basic security check, risk analyses for elevated protection needs.
Phase 2 — on-site audit. Effectiveness assessment of the requirements from the modules. Auditors take samples from every module, often with technical tests (e.g. configuration reviews).
Audit report and BSI review. The audit report goes to BSI, which formally issues the certification. The certificate is valid for three years, with annual surveillance audits.
Prerequisites:
- A fully documented ISMS per BSI 200-1/200-2
- Completed structure analysis, protection needs determination and modelling
- Basic security check with documented maturity levels
- Risk analyses per 200-3 for elevated protection needs and assets without a module
- At least one completed internal audit cycle and management review
Mapping to other standards
| Standard | Relation to IT-Grundschutz |
|---|---|
| ISO/IEC 27001:2022 | BSI 200-1/200-2 fulfil ISO 27001 requirements; certificate “ISO 27001 on the basis of IT-Grundschutz” is available |
| ISO/IEC 27002:2022 | Requirements from IT-Grundschutz modules map to Annex A controls; official mapping tables from BSI |
| ISO/IEC 27005:2022 | BSI 200-3 as the German counterpart to risk analysis |
| ISO 22301 | BSI 200-4 as the German BCM standard |
| C5 (BSI) | Cloud requirements, complementing IT-Grundschutz for cloud deployments |
| NIS 2 Directive / KRITIS | IT-Grundschutz is a recognised methodology for demonstrating security requirements |
| BSI TR-03161 | Secure apps; complements IT-Grundschutz for mobile applications |
Implementation effort
SMEs (10-50 people): 8-14 months build, 0.3-0.7 FTE for operation. The effort is higher than for plain ISO 27001 because each module goes into greater depth.
Mid-sized companies (50-500 people): 14-24 months build, 1-2 FTE for operation.
Authorities / KRITIS (variable): 18-36 months build, a permanent 2-10 FTE in the IT security team, supplemented by decentralised responsibilities per department.
Tool recommendation: maintaining the model in plain Excel breaks down for standard safeguarding at the latest at around 50 assets or 30+ modules. Established GRC tools or specialised Grundschutz tools (e.g. verinice) are widely used.
Related standards
- ISO/IEC 27001: International alternative; the “ISO 27001 on the basis of IT-Grundschutz” certificate bridges both worlds.
- ISO/IEC 27002: Implementation guidance for Annex A controls; mapping with modules available.
- ISO/IEC 27005: International risk management methodology as an alternative to BSI 200-3.
- BSI C5: Cloud requirements, complementing IT-Grundschutz for cloud topics.
Sources
- BSI: IT-Grundschutz — official overview
- BSI Standards 200-1, 200-2, 200-3, 200-4 — methodology documents (free of charge)
- IT-Grundschutz Compendium — modules (free of charge)
- BSI: Certification per ISO 27001 on the basis of IT-Grundschutz — certification scheme