Skip to main content
BSI method

IT-Grundschutz Information security the BSI way

Germany's leading method for information security. With the IT-Grundschutz Kompendium (2023 edition) and the BSI 200-x standards we build a robust ISMS – all the way to ISO 27001 certification on the basis of IT-Grundschutz.

111

Modules (2023 edition)

10

Layers

3

Security levels

4

BSI standards (200 series)

The basics

What is IT-Grundschutz?

BSI IT-Grundschutz is a proven method for systematically building appropriate protection for all of an organisation's information. It bundles standards, the Kompendium and concrete module requirements into a structured framework – and is the prerequisite for ISO 27001 certification on the basis of IT-Grundschutz.

Proven method

Established for decades and widely used in public administration and critical infrastructure – with broad acceptance and clear specifications.

Module-based

111 modules across 10 layers provide concrete, immediately actionable security requirements rather than abstract principles.

ISO 27001 compatible

BSI-Standard 200-1 defines an ISMS compatible with ISO 27001 – right up to certification on the basis of IT-Grundschutz.

For every protection need

Three security levels and the supplementary risk analysis (200-3) scale from getting started to a high protection need.

The foundation

The BSI standards of the 200 series

Four coordinated standards describe the management system, the method, risk analysis and business continuity.

BSI 200-1

Information security management systems

Defines the ISMS framework – compatible with ISO 27001 – covering set-up, operation and continual improvement.

BSI 200-2

IT-Grundschutz method

Describes the basic, core and standard security approaches as a concrete implementation framework.

BSI 200-3

Risk analysis

Provides risk-based procedures for objects with a high or very high protection need.

BSI 200-4

Business Continuity Management

A guide to a complete BCMS – finalised in June 2023, replacing the earlier 100-4 standard.

The Kompendium

The 10 layers of the Kompendium

The IT-Grundschutz Kompendium (2023 edition) organises 111 modules into 10 thematic layers – from management and organisation to systems and infrastructure.

ISMS

Security management

ORP

Organisation and personnel

CON

Concepts and approaches

OPS

Operations

DER

Detection and response

APP

Applications

SYS

IT systems

IND

Industrial IT

NET

Networks and communication

INF

Infrastructure

Three routes to the goal

Security levels

IT-Grundschutz scales with your maturity. We choose the right approach for your protection need and your resources.

Basic security

A quick start: a fundamental security foundation for ISMS beginners.

Core security

The "crown jewels" first: protecting the most critical information and processes.

Standard security

The full method – an appropriate level and the basis for ISO 27001 certification.

The IT-Grundschutz method in 6 steps

1

Structure analysis

Recording the business processes, applications, systems and rooms of the information domain

2

Protection-needs assessment

Rating by confidentiality, integrity and availability based on damage scenarios

3

Modelling

Assigning the appropriate IT-Grundschutz modules to the objects of the domain

4

Grundschutz-Check

A target/actual comparison between module requirements and actual implementation

5

Risk analysis

A supplementary analysis (200-3) for objects with a high or very high protection need

6

Realisation

Prioritised implementation with clear responsibilities and accompanying review

ISO 27001 on the basis of IT-Grundschutz

The BSI certification scheme (currently v2.2) combines international ISO 27001 with detailed German IT-Grundschutz – both forms of evidence in a single audit, with the certificate valid for three years.

More about ISO 27001

Our services

End-to-end support for IT-Grundschutz

From structure analysis to certification – we guide you through the entire method.

ISMS set-up

Building an ISMS in line with BSI-Standard 200-1 and 200-2 using the right approach.

  • Scope & security objectives
  • Security policy
  • IS organisation (security officer, team)

Structure analysis & protection needs

Recording all assets and determining the individual protection need.

  • Inventory of the domain
  • Rating by C/I/A
  • Documentation

Modelling

Assigning the appropriate modules from the 2023 Kompendium to your objects.

  • Module mapping
  • Adaptation to the context
  • Cloud & service providers

Grundschutz-Check

A target/actual analysis of the implemented security level against the requirements.

  • Interviews & document review
  • Gap identification
  • Prioritised recommendations

Certification support

Preparing ISO 27001 certification on the basis of IT-Grundschutz.

  • Reference documents (scheme v2.2)
  • Coordination with the BSI auditor
  • Support during the on-site assessment

IS audits & maturity

Ongoing review and further development of the ISMS.

  • IS audits per the BSI guide
  • Metrics & maturity
  • Continual improvement

Set up IT-Grundschutz in a more modern way?

With Grundschutz++ we take BSI IT-Grundschutz further: 998 requirements across 20 thematic practices, interactive migration from the 2023 Kompendium and a powerful explorer.

Discover Grundschutz++

Ready to implement IT-Grundschutz?

We build your ISMS following the BSI method – from structure analysis to certification on the basis of IT-Grundschutz.

Related: IT security standards · ISO 27001 · Grundschutz++