
BSI IT-Grundschutz: Consulting, Implementation and Certification
BSI IT-Grundschutz is the leading information security framework in the German public sector and among KRITIS operators. We support the design, implementation and certification of an IT-Grundschutz ISMS, with proven experience from demanding reference projects.
What is BSI IT-Grundschutz?
BSI IT-Grundschutz is the information security management framework developed by the German Federal Office for Information Security (BSI). Its centrepiece is the IT-Grundschutz Compendium — a structured catalogue describing concrete security requirements for specific system classes, processes and infrastructures: from server systems through WLAN infrastructures to physical security and cloud usage.
This catalogue-based approach differs fundamentally from ISO 27001: where ISO 27001 is risk-based and phrased generically, IT-Grundschutz prescribes concrete measures in the form of building blocks (Bausteine), each with basic requirements, standard requirements and requirements for elevated protection needs. For organisations that prefer a clear, prescribed implementation path, or are required by regulation to follow one, this is a decisive advantage.
For the German federal administration, IT-Grundschutz is binding (via the Umsetzungsplan Bund). For many KRITIS operators, state authorities and public-sector-adjacent organisations it is the de-facto standard. Private-sector organisations with a strong public-sector nexus or demanding security requirements also increasingly choose it, not least because implementation can be assessed directly by BSI-certified auditors and evidenced through an official certificate.
The three IT-Grundschutz methodologies
The BSI distinguishes three methodologies that differ in depth, scope and certifiability:
Basic Protection (Basis-Absicherung)
A quick entry point with baseline security measures across the whole organisation. Covers only the basic requirements of the relevant IT-Grundschutz building blocks. Suitable as a first step or for organisations with limited resources. IT-Grundschutz certification is not possible on this basis.
Core Protection (Kern-Absicherung)
Focused on the business processes and assets with particularly high protection needs, the so-called crown jewels. Full implementation depth (basic, standard and elevated requirements) within a deliberately bounded scope. Faster to deliver than standard protection and the basis for an IT-Grundschutz Attestation.
Standard Protection (Standard-Absicherung)
Full IT-Grundschutz implementation for the entire organisation with all relevant building blocks and all requirement levels. The most demanding but also the most comprehensive methodology — and the only basis for the BSI IT-Grundschutz Certificate.
IT-Grundschutz Attestation and IT-Grundschutz Certificate
Evidence of IT-Grundschutz implementation can be provided in two ways — depending on the chosen methodology and the targeted maturity:
IT-Grundschutz Attestation
External evidence on the basis of core or basic protection. An IT-Grundschutz auditor assesses the implementation and confirms the level achieved. The attestation is graded into three levels — entry, build-up and operation — enabling phased evidence of implementation progress.
- Based on core or basic protection
- Three attestation levels (entry, build-up, operation)
- External auditor assessment
- Faster to achieve than the certificate
IT-Grundschutz Certificate
The highest form of evidence of IT-Grundschutz implementation. Requires full standard protection and is assessed by an auditor certified by the BSI. For federal authorities and demanding KRITIS evidence requirements, the certificate is the expected form of evidence.
- Full standard protection
- BSI-certified auditor
- Regular recertification
- Recognised for federal authorities & KRITIS
IT-Grundschutz or ISO 27001 — which framework fits?
Both frameworks address information security management but with different approaches and for different target groups:
| Criterion | BSI IT-Grundschutz | ISO 27001 |
|---|---|---|
| Approach | Catalogue-based, prescriptive | Risk-based, flexible |
| Target group | Authorities, KRITIS, public sector | International, private sector |
| Measures | Prescribed (building blocks) | Self-selected from Annex A |
| Evidence | Attestation or BSI certificate | ISO 27001 certificate (accredited) |
| Entry path | Structured path prescribed | Flexible, requires more own work |
| Combination | Complementary use possible | Complementary use possible |
Many organisations combine the two frameworks: ISO 27001 provides the internationally recognised certification basis; the IT-Grundschutz building blocks deliver the technical depth for specific system classes. We help you make this decision based on your concrete regulatory obligations and strategic goals.
ISMS build and external CISO for the official nora emergency app
nora is Germany’s official emergency call app — a safety-critical application in the area of public services of general interest with the highest demands on availability, confidentiality and regulatory conformance.
Blackfort Technology built the complete ISMS in line with BSI IT-Grundschutz for nora, supported the subsequent certification and provided the external CISO for the duration of the project. The engagement included the selection and implementation of relevant IT-Grundschutz building blocks, production of the complete security documentation, preparation for the external audit and the operational leadership of the information security function in a highly sensitive, publicly exposed environment.
The project stands as an example of how we work: technical IT-Grundschutz competence, regulatory understanding and the ability to take operational responsibility in complex, publicly visible programmes.
Our services around BSI IT-Grundschutz
Gap analysis and maturity assessment
Structured assessment of current security posture against the relevant IT-Grundschutz building blocks. Identification of gaps, prioritisation by risk and derivation of a realistic implementation plan.
Scoping and methodology selection
Substantiated decision support on the choice between basic, core and standard protection and on the definition of a sensible, certifiable scope. This decision shapes the entire project.
Building-block selection, documentation and implementation support
Selection and implementation of the relevant IT-Grundschutz building blocks, production of the complete security documentation (security concept, policies, risk analyses) and support for the technical and organisational measures.
Certification preparation and audit support
Preparation for the external IT-Grundschutz audit, conduct of internal pre-audits, alignment with the auditor and specialist support during the certification assessment.
External Information Security Officer (CISO)
Taking on the Information Security Officer (CISO) function on a temporary basis, from the project phase through to permanent operation. We ensure continuity of the information security function even when internal resources are missing or still being built up.
→ External Information Security Officer
Implement BSI IT-Grundschutz in a structured way – with an experienced partner
Blackfort Technology supports authorities, KRITIS operators and public-sector-adjacent organisations through the build and certification under BSI IT-Grundschutz. From the initial assessment to successful certification — and where required with an external CISO throughout the engagement.
Frequently asked questions about BSI IT-Grundschutz
What is BSI IT-Grundschutz?
BSI IT-Grundschutz is an information security framework developed by the German Federal Office for Information Security (BSI). Unlike ISO 27001, which is risk-based, IT-Grundschutz provides a detailed catalogue – the IT-Grundschutz Compendium – with specific requirements and security measures for concrete system classes, processes and infrastructures. It is mandatory for German federal authorities; for many critical infrastructure (KRITIS) operators and public-sector-adjacent organisations it is the de-facto standard.
What is the difference between IT-Grundschutz and ISO 27001?
ISO 27001 is risk-based and international: it defines what an ISMS must achieve but leaves the concrete measures open. BSI IT-Grundschutz is prescriptive and catalogue-based: it specifies concrete requirements for individual building blocks (e.g. Windows servers, WLAN, cloud usage). ISO 27001 suits internationally operating organisations; IT-Grundschutz is the preferred choice for authorities, KRITIS operators and organisations with a strong German nexus. Both frameworks can be combined: ISO 27001 as the certification basis, IT-Grundschutz for technical depth.
Which methodologies does BSI IT-Grundschutz define?
The BSI distinguishes three methodologies: Basic Protection (Basis-Absicherung) provides a fast entry with baseline security measures but does not enable certification. Core Protection (Kern-Absicherung) focuses on the most critical business processes and assets ("crown jewels") and is the basis for an IT-Grundschutz Attestation. Standard Protection (Standard-Absicherung) is the full implementation of all IT-Grundschutz requirements and is the prerequisite for the IT-Grundschutz Certificate.
What is the difference between IT-Grundschutz Attestation and IT-Grundschutz Certificate?
The IT-Grundschutz Attestation (Testat) is issued by an external IT-Grundschutz auditor and confirms implementation on the basis of core or basic protection. There are three attestation levels: entry, build-up and operation. The IT-Grundschutz Certificate is the highest form of evidence: it requires full standard protection, is assessed by an auditor certified by the BSI and must be renewed regularly. The certificate is the formal evidence accepted by federal authorities and demanding KRITIS requirements.
How long does it take to introduce BSI IT-Grundschutz?
That depends substantially on the starting position, chosen scope and methodology. Core protection for a limited scope is realistically achievable in 6–12 months. A full standard protection with subsequent certification typically takes 12–24 months – depending on organisational size, IT complexity and available internal resources. Realistic project planning at the outset is decisive for project success.
Ready for the next step?
Talk to us about your security requirements – concretely, without obligation and as equals.