Definition and purpose

The IT-Grundschutz framework aims to provide a standardized methodology for implementing and maintaining an Information Security Management System (ISMS). The framework helps organizations identify and manage risks related to their information assets, thereby enhancing the overall information security posture. The purpose is to guide organizations in establishing, maintaining, and continually improving their information security mechanisms, all while maintaining a focus on practical implementation.

This framework is widely used in Germany and is increasingly being adopted by other European countries.

Governing Body

The governing body for the IT-Grundschutz framework is the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI), an agency of the German government.

Last updated

The IT-Grundschutz framework is updated periodically based on evolving cyber threats and best practices. The most recent update was released in February 2022.

Applies to

BSI IT-Grundschutz is not limited to a specific sector and can be applied broadly across various types of organizations, including government agencies, private enterprises, and non-profits. It is particularly popular in Germany but is also applicable and useful for organizations outside Germany, especially those operating within the European Union.

Controls and requirements

The IT-Grundschutz framework is extensive and comprises several modules that address different aspects of information security. The framework includes, but is not limited to, the following elements:

• Basic Security Checks: Preliminary risk assessment and initial security measures.
• IT System Management: Guidelines for setting up and maintaining secure IT systems.
• Network Security: Protocols and measures for secure data transmission and network monitoring.
• Access Control: Implementation of role-based access controls and authentication mechanisms.
• Data Protection: Guidelines for data classification, encryption, and secure storage.
• User Awareness and Training: Educational measures for sensitizing employees about security risks.
• Incident Management and Response: Processes for identifying and responding to security incidents.
• Compliance and Legal Requirements: Steps for ensuring legal compliance in terms of data protection and other relevant laws.
• Business Continuity Planning: Procedures for ensuring operational continuity in case of incidents.
• Security Monitoring and Auditing: Measures for ongoing monitoring and auditing of security controls.

Please refer to the official IT-Grundschutz Compendium for a detailed list of controls and requirements.

Audit type, frequency, and duration

The framework typically requires an internal or external audit, often culminating in a certification known as "BSI IT-Grundschutz Certification". Audits are usually carried out by auditors recognized by the BSI. The frequency of audits can vary depending on regulatory requirements or organizational policies, but generally, a triennial audit cycle is common. The duration of the audit can vary depending on the organization’s size and complexity but could range from a few weeks to a few months.