
BSI Standard · Germany

BSI IT-Grundschutz:
Germany's National Security Standard

The BSI IT-Grundschutz Compendium is Germany's most comprehensive security framework for information security. With over 200 building blocks, three protection levels and a recognized certification scheme, it forms the backbone of information security in government agencies, KRITIS companies and increasingly in the private sector. Internationally, it is Germany's equivalent to ISO 27001 - but with far more prescriptive implementation guidance.

Last updated: March 2026 · Reviewed by certified experts

  • Current version: 2023 (updated annually by BSI)
  • Layers: 10 (ISMS to INF - complete coverage)
  • Certification: ISO/IEC 27001 certificate based on IT-Grundschutz possible
  • BSI license: free (Compendium freely available at bsi.bund.de)
  • Building blocks: 200+
  • Protection levels: 3
  • BSIG obligation: §8a
  • Published by: BSI

Overview

What is BSI IT-Grundschutz?

BSI IT-Grundschutz is a security framework developed by Germany's Federal Office for Information Security (BSI). Introduced in the early 1990s and continuously updated, it combines a structured methodology ("the path to information security") with a comprehensive catalog of specific security controls - the IT-Grundschutz Compendium.

Unlike ISO 27001, which primarily defines a management framework, IT-Grundschutz also delivers detailed, practice-oriented implementation guidance. For each system component, process and infrastructure element, there is a specific building block with concrete requirements and implementation hints - from email security to hardening Windows servers to physical security of server rooms.

IT-Grundschutz has a legal basis: §8a(1) BSIG requires KRITIS operators to implement "technical and organizational measures corresponding to the state of the art" - and the BSI explicitly recognizes IT-Grundschutz as suitable evidence of compliance. For German federal agencies, IT-Grundschutz is mandatory via the BSI Grundschutz minimum requirements.

Core Components of IT-Grundschutz

  • IT-Grundschutz Compendium: over 200 building blocks with requirements and implementation guidance, organized in ten layers. Updated annually.
  • Methodology: structured process from security concept development through modeling and the IT-Grundschutz check to certification.
  • Audit Scheme & Certification: BSI-certified auditors assess the implementation; upon success, an ISO 27001 certificate based on IT-Grundschutz is issued.
  • Tools & Resources: ISMS tool "VERINICE", BSI guides, sample policies, checklists - all freely available.
  • Publisher & Maintenance: Federal Office for Information Security, Bonn. Regular updates, transparent change history.

Structure

IT-Grundschutz Compendium: The 10 Layers

The IT-Grundschutz Compendium is organized in ten layers covering all relevant aspects of an organization's information security - from ISMS processes to physical building security.

  • ISMS - Security Management (1 building block): cross-cutting ISMS processes: security policy, organization, concepts, revision.
  • ORP - Organization & Personnel (5 building blocks): organizational structure, personnel, data privacy, identity and access management.
  • CON - Concepts & Methodologies (10 building blocks): cryptography concept, data privacy, backups, software development, outsourcing.
  • OPS - Operations (5 building blocks): proper IT operations, patch management, malware protection, logging.
  • DER - Detection & Response (4 building blocks): detection of security-relevant events, incident handling, forensics, emergency management.
  • APP - Applications (60+ building blocks): email, web applications, office communication, ERP systems, databases, identity management.
  • SYS - IT Systems (50+ building blocks): Linux/Windows servers, desktop systems, mobile devices, IoT, printers, storage systems.
  • IND - Industrial IT (10 building blocks): ICS/SCADA systems, OT security, process control systems, industrial networks.
  • NET - Networks & Communications (15 building blocks): network architecture, VPN, WLAN, VoIP, network management, firewalls, DNS.
  • INF - Infrastructure (10 building blocks): building security, data centers, server rooms, home offices, mobile workplaces.

Source: BSI IT-Grundschutz Compendium, Edition 2023. Available at bsi.bund.de/grundschutz - free of charge, no login required.

Methodology

The 3 Protection Levels of IT-Grundschutz

Since the IT-Grundschutz modernization in 2017, three protection levels offer different entry points and security levels.

Level 1

Basic Protection

Quick start

Basic Protection is the entry level to IT-Grundschutz. It covers the most important security requirements - the "must-have" controls. Suitable for organizations beginning systematic IT security work for the first time, or as an immediate remediation measure when deficiencies are identified.

  • No complete protection needs assessment required
  • Focus on the most urgent baseline requirements
  • Quickly implementable - typically 3-6 months
  • No BSI certificate achievable at this level
  • Good starting point for SMEs without a dedicated security team
Level 2

Standard Protection

Complete security baseline

Standard Protection is the complete IT-Grundschutz approach. It encompasses the full methodology with structural analysis, protection needs assessment, modeling, IT-Grundschutz check and risk analysis where necessary. It is the basis for the BSI Grundschutz certificate and maps most closely to ISO 27001.

  • Complete structural analysis of the information domain
  • Protection needs assessment for all target objects
  • Modeling with IT-Grundschutz building blocks
  • IT-Grundschutz check (interview-based target/actual comparison)
  • Basis for ISO 27001 certificate based on IT-Grundschutz
Level 3

Core Protection

Protect critical assets

Core Protection focuses on the organization's "crown jewels" - the most critical information assets with the highest protection requirements. Suitable for organizations with very limited resources who need to prioritize first, or as a supplementary approach for particularly sensitive areas.

  • Identification of and focus on few critical assets
  • Significantly deeper protection level for these assets
  • No complete information domain required
  • No BSI Grundschutz certificate at this level
  • Supplementary to Standard Protection for high-risk assets

Comparison

IT-Grundschutz vs. ISO 27001: Differences and Relationship

Both standards target information security - but their approach, depth and application context differ significantly. An ISO 27001 certification based on IT-Grundschutz combines the strengths of both.

| Criterion | BSI IT-Grundschutz | ISO/IEC 27001 |
| --- | --- | --- |
| Publisher | BSI (federal agency, Germany) | ISO/IEC (international standards bodies) |
| Geographic scope | Germany - especially government, KRITIS | International - recognized worldwide |
| Approach | Methodology + detailed control catalog | Management framework - "what", not "how" |
| Control depth | Very detailed: concrete implementation guidance per building block | Abstract: 93 controls, own interpretation |
| Flexibility | Lower - building blocks predefined | High - Statement of Applicability (SoA) freely selected |
| Certification | BSI Grundschutz certificate (equivalent to ISO 27001) | ISO 27001 certificate by accredited auditors |
| Cost of the standard text | Free (bsi.bund.de) | Paid (ISO standard text approx. EUR 170) |
| KRITIS compliance | Explicitly recognized (§31 BSIG) | Recognized as an equivalent standard |
| Entry level | Basic Protection as a low-threshold entry point | No formal entry level, direct full implementation |
| Recommendation | Government, KRITIS, public sector | Internationally operating companies, industry, SMEs |

Combined approach: An "ISO 27001 certification based on IT-Grundschutz" is officially recognized and combines the international validity of ISO 27001 with the methodological depth of IT-Grundschutz. The BSI offers its own certification scheme for this. We advise you on which approach provides the better ROI for your organization.

Regulation

IT-Grundschutz for KRITIS: Requirements under §31 BSIG

Critical infrastructure operators (KRITIS) under §8a(1) BSIG are legally required to implement appropriate technical and organizational security measures and demonstrate this to the BSI every two years. This proof can be provided through IT-Grundschutz or a comparable standard.

KRITIS sectors include: Energy (electricity, gas, oil, district heating), Water (drinking water, wastewater), Food, IT and Telecommunications, Health (hospitals, laboratories, pharmaceuticals), Finance and Insurance, Transport and State and Administration. Applicability thresholds are sector-specific and regulated in the BSI KRITIS Ordinance (BSI-KritisV).

The IT Security Act 2.0 (ITSiG 2.0, 2021) expanded the KRITIS concept and introduced the new status "Companies of Special Public Interest" (UNBI/UBI), bringing additional security obligations even without reaching KRITIS thresholds.

KRITIS Sectors and Examples

Source: §2(10) BSIG in conjunction with BSI-KritisV (last amended 2022). Applicability check recommended - specific thresholds are regulated in Annex 1 of the BSI-KritisV.

Why AWARE7 for IT-Grundschutz

What sets us apart from other providers

Pure awareness platforms do not test systems. Pure consulting groups are too far removed. AWARE7 combines both: we hack your infrastructure and train your employees - tailored to the Mittelstand, personal, without enterprise overhead.

Research and teaching as the foundation

Around 20% of our revenue comes from research projects for the BSI and the BMBF. Our studies analyze millions of websites and tens of thousands of phishing emails - published at ACM and Springer conferences. Three of our executives are also professors at German universities.

Digital sovereignty - no compromises

All data is stored and processed exclusively in Germany - without US cloud providers. No freelancers, no subcontractors in the value chain. All staff are regular employees subject to social insurance contributions and uniformly bound by legal obligations. VS-NfD-compliant on request.

Fixed price within 24 hours - predictable project timelines

Within 24 hours you receive a binding fixed-price offer - no hourly-rate risk, no additional claims, no surprises. Thanks to a well-rehearsed team and standardized processes, you receive a clear schedule with defined start and end dates.

Your dedicated contact person - reachable at any time

A personal project manager accompanies you from the initial consultation to the re-test. You book appointments directly with your contact person - no ticket systems, no call center, no switching between changing consultants. Continuity builds trust.

For whom are we the right partner?

Mid-sized companies with 50–2,000 employees

Companies that need real security - without paying for a DAX-corporation service provider. Fixed price, clear scope, one contact person.

IT managers & CISOs

Who need to make a convincing case internally - and need a report written in board-level language for that, not just technical findings.

Regulated industries

KRITIS, healthcare, financial services: NIS-2, ISO 27001, DORA - we know the requirements and deliver evidence that auditors accept.

Contributions to industry standards

OWASP · 2023

OWASP Top 10 for Large Language Models

Prof. Dr. Matteo Große-Kampmann as a contributor in the core team of the internationally recognized OWASP LLM security standard.

BSI · Allianz für Cyber-Sicherheit

Management von Cyber-Risiken (Management of Cyber Risks)

Prof. Dr. Matteo Große-Kampmann as a contributor to the official BSI handbook for executive management (German version).

"BSI IT-Grundschutz is not a bureaucratic rulebook - it is a proven guide that shows German government agencies and organizations how to systematically and transparently implement information security. Those who apply it consistently create real security."

Chris Wojzechowski

IT-Grundschutz Practitioner (TÜV) · AWARE7 GmbH

Frequently Asked Questions about BSI IT-Grundschutz

Answers to the most important questions about IT-Grundschutz implementation, certification and KRITIS requirements.

What is BSI IT-Grundschutz?

BSI IT-Grundschutz is a security framework published by Germany's Federal Office for Information Security (BSI). It comprises the IT-Grundschutz Compendium with over 200 building blocks, the IT-Grundschutz methodology and the BSI certification scheme. Internationally, it is most closely comparable to ISO 27001 - but whereas ISO 27001 provides a management framework describing "what" is required, IT-Grundschutz also prescribes "how" through detailed, practical implementation guidance. IT-Grundschutz is particularly suited for German government agencies, KRITIS operators, organizations with public sector contracts, and organizations operating within the German legal framework. An ISO 27001 certification based on IT-Grundschutz is possible and recognized.

What is the difference between IT-Grundschutz and ISO 27001?

ISO 27001 is the international standard for Information Security Management Systems (ISMS) - it describes the "what" (requirements) but provides limited guidance on the "how". BSI IT-Grundschutz is the German approach that delivers both: a methodological framework (methodology) and a comprehensive control catalog (Compendium) with concrete implementation guidance for over 200 building blocks. ISO 27001 is more flexible and internationally recognized; IT-Grundschutz is more detailed and is the dominant reference in German government and KRITIS environments. An ISO 27001 certification based on IT-Grundschutz ("ISO 27001 based on IT-Grundschutz") combines both approaches and is officially recognized by the BSI.

What does IT-Grundschutz mean for KRITIS operators?

Critical infrastructure operators (KRITIS) under §31 BSIG are legally required to implement appropriate organizational and technical measures to prevent disruptions to their critical services and to demonstrate compliance to the BSI every two years. IT-Grundschutz (or an equivalent standard such as ISO 27001) is accepted as a recognized compliance framework. KRITIS operators span sectors including energy, water, food, IT and telecommunications, health, finance, transport, and state and administration - above sector-specific thresholds.

What are the three protection levels?

The IT-Grundschutz Compendium distinguishes three protection levels: (1) Basic Protection (Basis-Absicherung): entry-level IT-Grundschutz with the most important security measures - the "must have" controls. Suitable for organizations beginning systematic security work, or as an immediate remediation measure. (2) Standard Protection (Standard-Absicherung): full implementation of the IT-Grundschutz methodology with protection needs assessment and risk analysis - the reference point for most applications and the basis for BSI Grundschutz certification. This level maps most closely to ISO 27001. (3) Core Protection (Kern-Absicherung): focus on the organization's "crown jewels" - the most critical information assets with the highest protection requirements. Suitable for organizations with very limited resources who need to prioritize their most critical assets first.

What is the IT-Grundschutz Compendium?

The IT-Grundschutz Compendium is the core document of BSI IT-Grundschutz - a regularly updated collection of security requirements and implementation guidance. It is organized into ten layers (ISMS, ORP, CON, OPS, DER, APP, SYS, IND, NET, INF) and contains over 200 building blocks. Each building block describes a system component or process, formulates basic and standard requirements plus requirements for elevated protection needs, and provides concrete implementation guidance. The Compendium is updated annually and is freely available on the BSI website - unlike ISO standards, which require purchase.

How does BSI Grundschutz certification work?

BSI Grundschutz certification proceeds through several phases: (1) Structural analysis: documentation of all IT systems, applications and rooms within the information domain. (2) Protection needs assessment: evaluation of the protection needs of all target objects with respect to confidentiality, integrity and availability. (3) Modeling: assignment of the appropriate IT-Grundschutz building blocks to all target objects. (4) IT-Grundschutz check: target/actual comparison of all measures through interviews with responsible personnel. (5) Risk analysis: for target objects with elevated protection needs or without a matching building block. (6) Implementation: implementing the identified measures. (7) Audit by a BSI-certified auditor and issuance of the Grundschutz certificate.

What does IT-Grundschutz implementation cost?

Costs for BSI IT-Grundschutz implementation vary significantly by organization size, scope of the information domain and target protection level. For a medium-sized government agency or SME (50-200 employees) targeting Standard Protection, consulting costs of EUR 30,000-80,000 over 9-15 months are realistic. BSI Grundschutz certification audit costs are additional (EUR 10,000-25,000). For organizations with an existing ISO 27001 ISMS, costs are significantly lower, as approximately 70% of the requirements overlap. We provide a binding fixed-price proposal after a free initial consultation.

How does IT-Grundschutz relate to NIS2?

NIS2 (Directive EU 2022/2555) requires affected entities to implement a cybersecurity risk management system with specific measures - including incident management, business continuity, supply chain security and procurement security. An IT-Grundschutz-compliant information domain (Standard Protection) fulfills the essential NIS2 requirements for technical and organizational measures. For KRITIS operators under §31 BSIG, IT-Grundschutz is explicitly recognized as a compliance framework. AWARE7 advises on both IT-Grundschutz and NIS2 implementation.

Request IT-Grundschutz Consulting

Whether starting with Basic Protection, preparing for the KRITIS audit obligation under §31 BSIG, or seeking certification support - we provide a binding fixed-price proposal within 24 hours.

Free · 30 minutes · No obligation