
IT-Grundschutz

With IT-Grundschutz, the German Federal Office for Information Security (BSI) provides companies and public authorities with a methodology for comprehensively securing their data, systems and information and for building and operating an information security management system (ISMS).

Information security according to IT-Grundschutz

IT-Grundschutz (literally "IT baseline protection") is a systematic approach developed by the German Federal Office for Information Security (BSI) that enables companies and public authorities to set up an information security management system (ISMS) tailored to their own organisation and to operate it in the long term.

IT-Grundschutz pursues a holistic approach to information security: it covers technical aspects as well as infrastructural, organisational and personnel issues.

IT-Grundschutz is made up of

  • the BSI standards (200-1 to 200-4), which describe how to set up and run an ISMS, and
  • the IT-Grundschutz-Kompendium (IT-Grundschutz compendium), which contains the specific security requirements, organised as modules.

Holistic information security

The holistic approach supports you in comprehensively protecting information, data and existing IT and business processes.

Prevention instead of rehabilitation

By implementing IT-Grundschutz, you can prevent IT failures and data loss - and the associated financial and reputational damage.

Customised ISMS

The modular structure of IT-Grundschutz enables flexible customisation to the specific requirements of your company.

Special features of IT-Grundschutz

  • Specialisation in the German market & the specific requirements of organisations in Germany
  • Comprehensive catalogue of security measures that provides specific recommendations for the implementation of information security
  • Flexibility through a modular approach based on a building block principle
  • Support through clear guidelines

IT-Grundschutz: An overview of the BSI standards

  • BSI standard 200-1
    Defines basic requirements for an information security management system (ISMS)

    - Components of an ISMS
    - Tasks of the management level

  • BSI Standard 200-2
    Describes the IT-Grundschutz methodology and establishes three ways of applying it, which differ in scope and depth:

    - Basic protection (Basis-Absicherung)
    - Standard protection (Standard-Absicherung)
    - Core protection (Kern-Absicherung)

  • BSI Standard 200-3
    Provides a simplified risk analysis procedure based on IT-Grundschutz

    - Risk-related work steps in the implementation of IT-Grundschutz

  • BSI Standard 200-4
    Provides practical guidance on how to set up and successfully establish a Business Continuity Management System (BCMS) in a public authority or company

Consulting on the introduction of IT-Grundschutz: TÜV NORD IT Secure Communication, Berlin. Audit and certification: TÜV Informationstechnik, Essen.

Standards in comparison

IT-Grundschutz vs. ISO 27001

Both IT-Grundschutz and ISO 27001 aim to raise the level of information security in companies and public authorities, and an IT-Grundschutz ISMS can be certified as "ISO 27001 on the basis of IT-Grundschutz". Nevertheless, there are differences between the two standards.

IT-Grundschutz

  • Specialisation in the German market and the specific requirements of organisations in Germany
  • Comprehensive catalogue of security requirements with concrete recommendations for implementation
  • Flexibility through a modular approach based on building blocks (modules)
  • Stronger guidance through detailed, prescriptive requirements

ISO 27001

  • Internationally recognised standard with worldwide applicability
  • Defines the requirements for an ISMS at a conceptual level; its Annex A lists controls but prescribes no concrete technical implementation measures
  • Flexibility in the individual implementation and design of the ISMS
  • The generic design requires organisations to take greater initiative in deciding what to implement and how

IT-Grundschutz: Overview of benefits

  • Fulfilment of BSI requirements
    You implement the established recommendations of the German Federal Office for Information Security.
  • Reduction of IT outages
    By uncovering vulnerabilities, you minimise IT security risks and their potential consequences, such as outages.
  • Sustainable protection
    With IT-Grundschutz, you protect sensitive information and data as well as existing IT and business processes.
  • Holistic information security
    The systematic approach covers technical, infrastructural, organisational and personnel aspects.
  • Increased trust
    By fulfilling the IT-Grundschutz requirements, you increase the trust of customers and business partners.
  • Awareness among employees
    The implementation of IT-Grundschutz raises awareness of information security within the organisation.
  • Modular structure
    The large number of IT-Grundschutz modules enables flexible adaptation to your own organisation.
  • Long-term cost savings
    The optimisation of processes and the prevention of security incidents lead to long-term cost savings.

What you need to know about BSI IT-Grundschutz

IT-Grundschutz is not directly mandatory for companies. However, some legal regulations require an ISMS, which is typically implemented and demonstrated in accordance with ISO 27001 or IT-Grundschutz. Examples are the requirements of the NIS-2 Directive, the BSI Critical Infrastructure Ordinance (BSI-KritisV) and the Digital Health Applications Ordinance (DiGAV).

Given the increasing cyber threat level, a minimum level of IT security is also advisable in general, in order to prevent outages, financial damage or loss of reputation. IT-Grundschutz gives organisations a sound basis for improving their own IT security.

  • Basic protection: Basic protection allows the most important security requirements to be implemented quickly. The aim is to achieve broad, basic initial protection across all relevant business processes. It is particularly suitable for smaller institutions that are still at the beginning of their security process.
  • Core protection: Core protection focuses on a small but highly relevant part of an information network that is to be protected as a priority. It primarily addresses organisations with a few business processes that are essential for the continued existence of the organisation (the "crown jewels").
  • Standard protection: Standard protection is the classic IT-Grundschutz approach, formerly described in BSI Standard 100-2 and now in BSI Standard 200-2, and aims to provide comprehensive and in-depth protection for the whole organisation.

IT-Grundschutz profiles contain the individual steps of a security process for a defined area of application, e.g. for industries or sectors. They serve as templates that companies can use to effectively secure their business processes with reduced effort.

You can find an overview of the current IT-Grundschutz profiles on the BSI website.

IT-Grundschutz also covers the topic of data protection, but not to the extent required by the General Data Protection Regulation (GDPR), for example. Companies that implement IT-Grundschutz benefit from the security measures it contains, but must still address the remaining data protection requirements separately.

IT-Grundschutz modules according to the IT-Grundschutz-Kompendium

The IT-Grundschutz-Kompendium groups its modules (Bausteine) into ten layers, covering security management (ISMS), organisation and personnel (ORP), concepts and procedures (CON), operations (OPS), detection and reaction (DER), applications (APP), IT systems (SYS), industrial IT (IND), networks and communication (NET) and infrastructure (INF). Each module contains the most important requirements and recommendations for securing a particular type of system, process or component. Users select and model the modules that are relevant to their organisation. The current edition (2023) was published in February 2023.