Federal Office for Information Security (BSI)


As a sound and sustainable management system for information security (ISMS), IT-Grundschutz covers technical, organisational, infrastructural and personnel aspects in equal measure. With its broad foundation, IT-Grundschutz offers a systematic approach to information security that is compatible with ISO/IEC 27001.

Whether the information security officer of a public authority, the CISO of a large company or the managing director of a small or medium-sized enterprise: with IT-Grundschutz, they can all find information that suits the security requirements of their respective institutions.

BSI Standards and Certification

With the BSI Standards, IT-Grundschutz offers essential publications for all kinds of institutions that want to set up an ISMS:

  • BSI Standard 200-1 defines the general requirements for an ISMS
  • BSI Standard 200-2 explains how an ISMS can be built based on one of three different approaches
  • BSI Standard 200-3 contains all risk-related tasks
  • BSI Standard 100-4 covers Business Continuity Management (BCM)

In order to make the successful implementation of IT-Grundschutz transparent to the outside world, companies or public authorities can be certified according to ISO 27001 on the basis of IT-Grundschutz. This certificate confirms that the IT security concept meets the requirements of ISO 27001.



IT-Grundschutz Compendium

The different modules of the IT-Grundschutz Compendium contain security recommendations on a wide variety of topics. Detailed advice and safeguards in the implementation guidelines for the IT-Grundschutz modules make it easier for information security officers to apply information security in their day-to-day work.

The speed of development in information security requires IT-Grundschutz to be constantly updated. Therefore, existing publications are reviewed and new modules are added on a regular basis. Additionally, IT-Grundschutz users can contribute their experience and know-how from professional practice to all publications and thus enrich them.

This is the English version of the IT-Grundschutz modules of the Compendium 2019.
The introductory chapters will follow soon.
English versions are published only as drafts and may contain errors or differences from the German versions. Thus, only the German version can be used as a basis for certification.

IT-Grundschutz profile

An IT-Grundschutz profile is a template for a selected scenario (information system or business process) that specifies the IT-Grundschutz implementation for this area. An IT-Grundschutz profile is used to prepare various steps of the information security process for a defined application area in such a manner that it can be adapted as a framework for security concepts. The objective of IT-Grundschutz profiles is to offer sample scenarios for certain application areas, which help individual users in these areas map the security process according to IT-Grundschutz to their individual framework conditions.