IT-Grundschutz Information security the BSI way
Germany's leading method for information security. With the IT-Grundschutz Kompendium (2023 edition) and the BSI 200-x standards we build a robust ISMS – all the way to ISO 27001 certification on the basis of IT-Grundschutz.
Modules (2023 edition)
Layers
Security levels
BSI standards (200 series)
The basics
What is IT-Grundschutz?
BSI IT-Grundschutz is a proven method for systematically building appropriate protection for all of an organisation's information. It bundles standards, the Kompendium and concrete module requirements into a structured framework – and is the prerequisite for ISO 27001 certification on the basis of IT-Grundschutz.
-
Proven method
-
Established for decades and widely used in public administration and critical infrastructure – with broad acceptance and clear specifications.
-
Module-based
-
111 modules across 10 layers provide concrete, immediately actionable security requirements rather than abstract principles.
-
ISO 27001 compatible
-
BSI-Standard 200-1 defines an ISMS compatible with ISO 27001 – right up to certification on the basis of IT-Grundschutz.
-
For every protection need
-
Three security levels and the supplementary risk analysis (200-3) scale from getting started to a high protection need.
The foundation
The BSI standards of the 200 series
Four coordinated standards describe the management system, the method, risk analysis and business continuity.
Information security management systems
Defines the ISMS framework – compatible with ISO 27001 – covering set-up, operation and continual improvement.
IT-Grundschutz method
Describes the basic, core and standard security approaches as a concrete implementation framework.
Risk analysis
Provides risk-based procedures for objects with a high or very high protection need.
Business Continuity Management
A guide to a complete BCMS – finalised in June 2023, replacing the earlier 100-4 standard.
The Kompendium
The 10 layers of the Kompendium
The IT-Grundschutz Kompendium (2023 edition) organises 111 modules into 10 thematic layers – from management and organisation to systems and infrastructure.
Security management
Organisation and personnel
Concepts and approaches
Operations
Detection and response
Applications
IT systems
Industrial IT
Networks and communication
Infrastructure
Three routes to the goal
Security levels
IT-Grundschutz scales with your maturity. We choose the right approach for your protection need and your resources.
Basic security
A quick start: a fundamental security foundation for ISMS beginners.
Core security
The "crown jewels" first: protecting the most critical information and processes.
Standard security
The full method – an appropriate level and the basis for ISO 27001 certification.
The IT-Grundschutz method in 6 steps
Structure analysis
Recording the business processes, applications, systems and rooms of the information domain
Protection-needs assessment
Rating by confidentiality, integrity and availability based on damage scenarios
Modelling
Assigning the appropriate IT-Grundschutz modules to the objects of the domain
Grundschutz-Check
A target/actual comparison between module requirements and actual implementation
Risk analysis
A supplementary analysis (200-3) for objects with a high or very high protection need
Realisation
Prioritised implementation with clear responsibilities and accompanying review
ISO 27001 on the basis of IT-Grundschutz
The BSI certification scheme (currently v2.2) combines international ISO 27001 with detailed German IT-Grundschutz – both forms of evidence in a single audit, with the certificate valid for three years.
Our services
End-to-end support for IT-Grundschutz
From structure analysis to certification – we guide you through the entire method.
ISMS set-up
Building an ISMS in line with BSI-Standard 200-1 and 200-2 using the right approach.
- Scope & security objectives
- Security policy
- IS organisation (security officer, team)
Structure analysis & protection needs
Recording all assets and determining the individual protection need.
- Inventory of the domain
- Rating by C/I/A
- Documentation
Modelling
Assigning the appropriate modules from the 2023 Kompendium to your objects.
- Module mapping
- Adaptation to the context
- Cloud & service providers
Grundschutz-Check
A target/actual analysis of the implemented security level against the requirements.
- Interviews & document review
- Gap identification
- Prioritised recommendations
Certification support
Preparing ISO 27001 certification on the basis of IT-Grundschutz.
- Reference documents (scheme v2.2)
- Coordination with the BSI auditor
- Support during the on-site assessment
IS audits & maturity
Ongoing review and further development of the ISMS.
- IS audits per the BSI guide
- Metrics & maturity
- Continual improvement
Set up IT-Grundschutz in a more modern way?
With Grundschutz++ we take BSI IT-Grundschutz further: 998 requirements across 20 thematic practices, interactive migration from the 2023 Kompendium and a powerful explorer.
Ready to implement IT-Grundschutz?
We build your ISMS following the BSI method – from structure analysis to certification on the basis of IT-Grundschutz.
Related: IT security standards · ISO 27001 · Grundschutz++