## Introduction
BSI IT-Grundschutz is Germany's comprehensive methodology for information security, developed and maintained by the Bundesamt für Sicherheit in der Informationstechnik (BSI), the German Federal Office for Information Security. It has been a cornerstone of information security in German public administration and critical infrastructure for decades.
Unlike ISO 27001, which is principles-based and leaves many implementation details to the organization, Grundschutz provides highly detailed, prescriptive guidance. The Grundschutz Compendium contains hundreds of specific recommendations organized into modules (Bausteine) that cover everything from server room security to mobile device management.
## The Grundschutz Methodology
BSI Grundschutz follows a structured approach with three qualification levels:
### Basis-Absicherung (Basic Protection)
The entry level, designed for organizations that are just starting with systematic information security. It covers fundamental security measures and helps establish a baseline. This is where most SMBs should begin.
### Standard-Absicherung (Standard Protection)
The recommended level for most organizations. It involves a complete security assessment based on the Grundschutz Compendium and aligns with ISO 27001. Organizations can pursue a combined ISO 27001 certification "auf Basis von IT-Grundschutz" at this level.
### Kern-Absicherung (Core Protection)
A focused approach that concentrates on the organization's most critical business processes and assets. Useful when resources are limited and you need to protect the crown jewels first.
## Understanding the Grundschutz Compendium
The Grundschutz Compendium is the heart of the methodology. It contains Bausteine (modules) organized into 10 layers:
- **ISMS**. Information security management
- **ORP**. Organization and personnel
- **CON**. Concepts and procedures
- **OPS**. Operations (IT operations, third-party operations)
- **DER**. Detection and response
- **APP**. Applications (web, email, databases, directory services)
- **SYS**. IT systems (servers, clients, mobile devices, IoT)
- **IND**. Industrial IT / OT systems
- **NET**. Networks (architecture, firewalls, VPN, WLAN)
- **INF**. Infrastructure (buildings, data centers, workspaces)
Each Baustein contains:
- A description of the topic and its relevance
- Threat scenarios specific to that module
- Requirements at three levels: Basis (basic), Standard, and Erhöht (elevated)
- Cross-references to other related Bausteine
## Step-by-Step: Starting Your Grundschutz Project
### Step 1: Define the Information Domain (Informationsverbund)
Your Informationsverbund is similar to the ISMS scope in ISO 27001. It defines which business processes, IT systems, applications, networks, and physical locations are covered.
For a first project, start focused. A single department or one critical business process is more manageable than trying to cover the entire organization at once.
### Step 2: Conduct Structural Analysis (Strukturanalyse)
Map out all components within your Informationsverbund:
- Business processes and their dependencies
- Applications and IT services
- IT systems (servers, clients, network devices)
- Communication links and network segments
- Physical locations (buildings, rooms)
Group similar components to keep the analysis manageable. For example, if you have 50 identical workstations, they can be treated as one group.
### Step 3: Protection Needs Assessment (Schutzbedarfsfeststellung)
For each component, determine the protection needs across three dimensions:
- **Confidentiality**. What happens if information is disclosed?
- **Integrity**. What happens if information is altered?
- **Availability**. What happens if the system is unavailable?
Rate each dimension as normal, high, or very high based on the potential business impact.
### Step 4: Modeling (Modellierung)
Map the appropriate Bausteine to your components. For example:
- A Linux server gets Bausteine for SYS.1.1 (General Server) and SYS.1.3 (Linux Server)
- Your office gets INF.1 (General Building) and INF.7 (Office Workspace)
- Your web application gets APP.3.1 (Web Applications)
The BSI provides a modeling guide that recommends which Bausteine apply to which component types.
### Step 5: IT-Grundschutz Check
For each applicable Baustein, work through the requirements and assess your implementation status:
- **Yes**. The requirement is fully implemented
- **Partially**. Some aspects are implemented
- **No**. The requirement is not implemented
- **Not applicable**. The requirement does not apply (with justification)
This produces your compliance gap report. Focus on closing gaps in Basis requirements first, then move to Standard requirements.
### Step 6: Supplementary Risk Analysis
For components with high or very high protection needs, a supplementary risk analysis is required. The standard Grundschutz measures may not be sufficient for these critical assets.
Identify additional threats beyond what the Bausteine cover, assess their risk, and define additional security measures.
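Steps 3 to 6 carried through in code, as an added Python example that is not from the BSI or from this page: the Baustein IDs are the ones named in Step 4, while the requirement IDs, their levels, the component and the check answers are constructed sample data. It also applies one point the text leaves implicit: Erhöht requirements are reported as gaps only for components rated high or very high, since that is the protection need they are written for.

```python
from collections import namedtuple
from enum import IntEnum

class Need(IntEnum):  # protection-need categories rated in Step 3
    NORMAL, HIGH, VERY_HIGH = 1, 2, 3

LEVELS = ("Basis", "Standard", "Erhöht")  # requirement levels in every Baustein
# name, needs {"C"/"I"/"A": Need} from Step 3, Baustein IDs assigned in Step 4
Component = namedtuple("Component", "name needs bausteine")

# Constructed catalogue: Baustein IDs from Step 4; requirement IDs/levels invented.
CATALOGUE = {  # Baustein -> {requirement ID: level}
    "SYS.1.1": {"SYS.1.1-R1": "Basis", "SYS.1.1-R2": "Standard", "SYS.1.1-R3": "Erhöht"},
    "SYS.1.3": {"SYS.1.3-R1": "Basis", "SYS.1.3-R2": "Standard"},
    "APP.3.1": {"APP.3.1-R1": "Basis", "APP.3.1-R2": "Standard"},
}

def check_answer(status, justification=""):
    """Step 5: validate one Grundschutz-check answer; 'n/a' needs a justification."""
    if status not in ("yes", "partially", "no", "n/a"):
        raise ValueError(f"unknown status {status!r}")
    if status == "n/a" and not justification.strip():
        raise ValueError("'n/a' requires a justification")
    return status

def needs_risk_analysis(components):
    """Step 6: components rated high or very high in any dimension."""
    return [c.name for c in components if max(c.needs.values()) >= Need.HIGH]

def gap_report(components, answers, catalogue=CATALOGUE):
    """Open gaps as (level index, component, requirement, status), sorted Basis
    first, then Standard, then Erhöht. Unanswered requirements count as 'no';
    Erhöht gaps are reported only for components with elevated needs."""
    gaps = []
    for comp in components:
        elevated = bool(needs_risk_analysis([comp]))
        for bid in comp.bausteine:
            for rid, level in catalogue[bid].items():
                status, note = answers.get((comp.name, rid), ("no", ""))
                if check_answer(status, note) in ("no", "partially"):
                    if level != "Erhöht" or elevated:
                        gaps.append((LEVELS.index(level), comp.name, rid, status))
    return sorted(gaps)

# Constructed sample: one Linux web server whose availability need is high.
WEB = Component("web-01", {"C": Need.NORMAL, "I": Need.NORMAL, "A": Need.HIGH},
                ["SYS.1.1", "SYS.1.3", "APP.3.1"])
ANSWERS = {("web-01", "SYS.1.1-R1"): ("yes", ""), ("web-01", "SYS.1.1-R2"): ("partially", ""),
           ("web-01", "SYS.1.3-R1"): ("no", ""), ("web-01", "APP.3.1-R1"): ("yes", ""),
           ("web-01", "SYS.1.3-R2"): ("n/a", "no MAC framework on this distribution")}
```

Running `gap_report([WEB], ANSWERS)` lists the open Basis requirement first, then the two Standard gaps, and finally the Erhöht gap that applies because the server's availability need is high; `needs_risk_analysis([WEB])` flags the same server for Step 6.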
## Grundschutz vs. ISO 27001
A common question is whether to pursue Grundschutz or ISO 27001. The good news: they are compatible.
- **ISO 27001 alone**. More flexibility, internationally recognized, widely accepted by customers and partners worldwide
- **BSI Grundschutz alone**. More prescriptive, strong in German public sector and critical infrastructure contexts
- **ISO 27001 auf Basis von IT-Grundschutz**. Combined certification that uses Grundschutz's detailed methodology while achieving international ISO 27001 recognition
For German organizations, especially those working with public sector clients or operating critical infrastructure, the combined approach often provides the most value.
## Tools and Resources
The BSI provides several free resources:
- **Grundschutz Compendium**. The complete catalog, updated annually
- **BSI Standards 200-1, 200-2, 200-3, 200-4**. The methodology documents
- **IT-Grundschutz Profile**. Pre-built templates for common use cases
Platforms like KaitoSec come with the Grundschutz Compendium pre-loaded, including all Bausteine, requirements, and cross-references. This eliminates the need to manually navigate the BSI's extensive documentation and lets you focus on assessment and implementation.
## Getting Started Today
The best way to start is to pick a limited scope, work through the Basis-Absicherung requirements, and build from there. You do not need to boil the ocean on day one. A structured, incremental approach will get you to a solid security baseline faster than trying to implement everything at once.