ISO/IEC 27001 and IT baseline protection (IT-Grundschutz)
AMGAD MAHMOUD, Philipps-University, Germany
FELIX SCHMIDT, Philipps-University, Germany
GERD SIEBERT, Philipps-University, Germany
ABSTRACT - ISO/IEC 27001 and BSI IT-Grundschutz were developed in
different ways. But especially since 2005, due to the harmonization of BSI
IT-Grundschutz based on ISO/IEC 27001, there are many things in common.
However, there are still significant differences, too.
CCS Concepts: • Security and privacy → Formal security models.
Additional Key Words and Phrases: ISO/IEC 27001, IT baseline protection,
IT-Grundschutz, ISMS, security standards
1 INTRODUCTION
A number of different security standards exist and it is difficult
to choose the right one for a particular project or to evaluate if the
right standard was chosen for a certification. These standards are
often long and complex texts, whose reading and understanding
takes up a lot of time. This paper provides a management overview
of the security standards ISO 27000 and the German IT-Grundschutz
standard. In particular, it explains which information and what level
of detail a system document according to those certain security
standard contains.
2 ISO/IEC 27001
ISO/IEC 27001 is the important international standard to imple-
ment an ISMS.
2.1 Overview
Security breaches that involve the disclosure of sensitive data be-
came more severe. Because the issues associated with cyber-attacks
and data breaches continue to increase along with the public dis-
closure laws in over 100 countries around the world[1], they can
harm both the public image of businesses and lead to penalties
by government agencies. A practical approach should help defend
against both external attacks and threats posed from those within
the organization, such as accidental breaches and human error[2, 3].
2.2 Characteristics
ISO/IEC 27001 is the international standard that provides the
specification to keep information assets secure for an information
security management system (ISMS) for organizations to expect.
ISO/IEC 27001 is a systematic approach consisting of people, pro-
cesses and technology that enables companies to get certified against
the standard. This grants that information security is being strictly
applied and managed by an internationally recognized organiza-
tional standard, which helps to protect and manage the information
through risk management[4].
Implementation compliance with ISO/IEC 27001 is optional, whereas
coordination and compliance with current data protection and pri-
vacy laws are mandatory such as the General Data Protection Regu-
lation GDPR and the network and information systems regulations
1
(NIS regulations) [5].
ISO/IEC 27001 allows meeting the guideline of information se-
curity management requirements that ensure three key aspects of
information:
• Confidentiality, which refers to the limiting information
access to authorized people entities or processes and prevents
it otherwise
• Integrity, which is property of accuracy and completeness
• Availability, which is being accessible and usable on demand
by an authorized entity[6]
These procedures help organizations keep their information as-
sets secure by offering a set of specifications codes of conduct and
best practice guidelines to ensure reliable information security man-
agement, for example:
ISO/IEC 27001 ensures that information in all its forms is secure, as
ISMS helps protect all forms of information, whether digital paper-
based or stored in virtual clouds through some security procedures that
consider such potential incidents [7].
The central point of ISO/IEC 27001 is the requirement for:
• Planning
• Implementation
• Operation
• Continuous Monitoring and Improvement
of a process-oriented ISMS that must be verified for certification
according to this standard. The approach should be along with the
Plan-Do-Check-Act (PDCA) cycle [8].
ISO/IEC 27001 also increases attack-resilience through imple-
menting and maintaining an ISMS. It also responds to the growing
security threat landscape due to the ISMS constant adaptation to
changes both in the threat environment and inside the organization,
guaranteeing that information security risks are effectively ensured
over time.
2.3 Summary
Because ISO/IEC 27001 is not only entirely applicable to the IT-
sectors, as IT cannot fully secure information. Instead, it brings
together Physical security, HR management, organizational issues
and legal protection, and IT is required to secure the information.
The standard requires organizations to compare the measures they
have implemented with the Annex A controls such as Information
Security Policies as well as Human Resource Security, Cryptogra-
phy, access control physical and Environmental Security besides
Operations and Communications Security. They’re then expected
to implement the missing controls or else provide and document a
reason that those controls are not applicable to them [9].
Philipps-University, Marburg, July 12, 2020
3 IT BASELINE SECURITY (IT-GRUNDSCHUTZ)
Following the BSI IT-Grundschutz with its two essential parts
will be explained.
3.1 Overview
In German-speaking countries, the IT-Grundschutz of the Bun-
desamt für Sicherheit in der Informationstechnik (BSI) plays an
important role for ministries and public bodies as well as for
companies and other institutions. On the one hand, IT-Grundschutz
offers one possibility to effectively and efficiently deal with the
IT security tasks. On the other hand, IT-Grundschutz offers the
possibility to prove the implementation of an Information Security
Management System (ISMS) and the implementation of specific
organizational and technical security measures (controls).
3.2 Characteristics
In the following subsections a brief description of the character-
istics of IT-Grundschutz is given.
3.2.1 ISMS components. In the context of IT-Grundschutz, the pro-
cess becomes "information security management" to control infor-
mation security in companies and authorities. Important compo-
nents of an ISMS according to BSI are:
• BSI Standards 200-x - Series and 100-4
• IT-Grundschutz Compendium
The Information Security System is clearly defined by these com-
ponents of the IT-Grundschutz.
3.2.2 Four BSI Standards and the Compendium. The documents of
IT-Grundschutz consists mainly of the four BSI Standards and the
IT-Grundschutz Compendium, supplemented by tools, guide-
lines and other materials.[10] The IT-Grundschutz Compendium
contains the modules, measures and risks (Gefährdungen).
The BSI Standards 200-x and the BSI Standard 100-4 define
the framework and describe the general approaches and con-
ditions for IT-Grundschutz and contain the following informa-
tion:
• IT Management Systems for Information Security (200-1)
• IT-Grundschutz Methodology (200-2)
• Risk Mangagement (200-3)
• Business Continuity Management (100-4)
The BSI Standard 200-1 defines general requirements for a
management system for information security (ISMS). It is also
compatible with ISO/IEC Standard 27001 and takes into account
the recommendations of other ISO/IEC Standards such as ISO/IEC
27002.
The BSI Standard 200-2 forms the basis of the proven BSI
Methodology for establishing a solid information security man-
agement system (ISMS). It establishes three new approaches to
implementing IT-Grundschutz.
• Basic Protection
• Core Protection (if increased protection is necessary)
• Standard Protection (if increased protection is necessary)
2
Amgad Mahmoud, Felix Schmidt, and Gerd Siebert
Companies can rely on this, depending on the size and level of
their information security.
For the first time, the BSI Standard 200-3 bundles all risk-
related work steps in the implementation of IT-Grundschutz. The
advantage for the user is a significantly reduced effort to achieve
the desired level of security [11].
The BSI Standard 100-4 shows a systematic way to set up
emergency management in an authority or a company to ensure
the continuity of business operations. In the event of a failure or in
the event of a major damage the emergency management tasks are:
• Increase the reliability
• Prepare the institution for emergencies and crises
• Resume quickly the most important business processes
• Minimize damage from emergencies or crises
• Ensure the existence of the authority or the company
Remark. The BSI Standard 100-4 will be replaced by the new BSI
Standard 200-4 until end of 2020 [12].
3.2.3 IT-Grundschutz Compendium. Since 2017 the IT-Grundschutz
Compendium replaces the IT-Grundschutz Catalogs. The Com-
pendium is now the basic publication of IT-Grundschutz. To-
gether with the BSI Standards, it forms the basis for anyone who
wants to deal with information security. The IT-Grundschutz Com-
pendium defines the information security requirements that com-
panies have to meet. It focuses on the so-called IT-Grundschutz
Modules. They are divided into two module layers with 10 main
modules:
• Process-oriented Modules
– ISMS (Security Management)
– ORP (Organisation and Personnel)
– CON (Concepts and Approaches)
– OPS (Operation)
– DER (Detection and Reaction)
• System-oriented Modules
– APP (Applications)
– SYS (IT-Systems)
– IND (Industrial IT)
– NET (Networks and Communication)
– INF (Infrastructure)
The detailed structure of the IT Grundschutz Compendium and
its 10 main modules with currently 96 sub-modules the so called
"Bausteine" (as of February 2020) will be shown on the BSI website[13].
Remark. Therefore, the BSI IT-Grundschutz Compendium corre-
sponds as equivalent to the recommendations for actions of ISO/IEC
27002 [14].
3.3 Summary
IT-Grundschutz follows the approach of using standard mea-
sures (controls) for objects in information, combined with normal
protection requirements, in order to easily achieve an appropriate
level of security. The BSI standards play an important role. The
standards are supplemented by the very extensive collection of the
IT-Grundschutz Compendium with essential IT security measures.
ISO/IEC 27001 and IT baseline protection (IT-Grundschutz)
IT-Grundschutz provides a procedure for implementing ISO/IEC
27001. IT-Grundschutz is continuously being developed. Both, the
standards and the compendium are updated, the content revised and
new modules added. The IT-Grundschutz Compendium is published
annually in February in a new edition.
4 COMPARISON
The following section tries to compare the ISO/IEC 27001 and the
BSI IT-Grundschutz. Both Methodologies have their origin in the
1990s and are based on former approaches to standardized an infor-
mation security management system. The ISO/IEC 27001 derivated
from the British Standard BS 7799 of the British Standards Insti-
tution, which used to be a national standard, comparable to the
current german BSI IT-Grundschutz [15].
The most obvious difference between these two standards is the
geographical scope, which can already be seen in the title. The
ISO/IEC 27001 is an internationally focused Standard devel-
oped and published by the ISO, whereas the IT-Grundschutz is an
approach addressed to the DACH region, especially Germany
resulting from the fact, the IT-Grundschutz is developed and pub-
lished by the Bundesamt für Sicherheit in der Informationstechnik
(BSI).
Although both standards pursue the same goal, the two approaches
differ in their scope and structure. According to the Fact, that the
ISO/IEC 27001 can get along with less than 200 pages, it shows the
more general scope of this concept. Whereas the IT-Grundschutz
needs more than 1000 pages to build an extensive concept.
So the ISO/IEC 27001 gives an organization more freedom to
implement the approach to fit their needs best. This abstract con-
cept leads to the fact that both companies and authorities of all sizes
can adopt ISO/IEC 27001. The more specific and comprehensive ba-
sic IT-Grundschutz provides a large catalog of certain technical
suggestions. This approach leaves less room for maneuver, but at
the same time offers a good guide along which an organization can
work [15–17].
Another difference between these two standards is the treat-
ment of risk analysis. It is part of both approaches, but it is only
required and an essential part of the concept in ISO/IEC 27001.
IT-Grundschutz recommends a risk analysis only in special cases.
This is the reason why ISO/IEC 27001 is seen as the top-down
method and IT-Grundschutz as the bottom-up method, which
shows how different the approach of both concepts is.
One last point, which may seem minor in view of the potential
costs in the case of a security breach, can be important, especially for
small businesses and non-profit organizatigons. The ISO/IEC 27001
standard itself costs around 100€ whereas the basic IT- Grund-
schutz is publicly available for free [18, 19].
Philipps-University, Marburg, July 12, 2020
The following overview compares the two standards [20]:
ISO/IEC 27001 BSI IT-Grundschutz
International standard Mainly in German-language
speaking countries (DACH)
Less than 200 pages More than 1000 pages
Generic approach Concrete approach
Risk analysis necessary Risk analysis only if increased
protection level is necessary
Top-down methodology Bottem-up methodology
Approx. 100 € fee Open access - free of charge
Table 1. ISMS comparison
REFERENCES
[1] Global Investigative Journalism Network. https://gijn.org/, 2020. – [Online; ac-
cessed 10-June-2020]
[2] Buckley, O. ; Nurse, J. R. C. ; Legg, P. A. ; Goldsmith, M. ; Creese, S.: Reflecting
on the Ability of Enterprise Security Policy to Address Accidental Insider Threat.
In: 2014 Workshop on Socio-Technical Aspects in Security and Trust, 2014, S. 8–15
[3] Estimating the market impact of security breach announcements on firm values.
In: Information + Management 46 (2009), Nr. 7, S. 404 – 410
[4] Disterer, Georg: ISO/IEC 27000, 27001 and 27002 for Information Security
Management. (2013)
[5] Team, I.P.: EU general data protection regulation (GDPR): an implementation and
compliance guide. IT Governance Ltd
[6] 27000:2018(E), ISO/IEC: Information technology — Security techniques — Informa-
tion security management systems — Overview and vocabulary, 5. Edition. 2018
[7] Bahria University Journal of Information & Communication Technologies Vol. 10,
Special Issue. September 2017
[8] Fenz, Stefan ; Goluch, Gernot ; Ekelhart, Andreas ; Riedl, Bernhard ; Weippl,
Edgar: Information Security Fortification by Ontological Mapping of the ISO/IEC
27001 Standard. In: Proceedings of the 13th IEEE Pacific Rim International Sympo-
sium on Dependable Computing (PRDC 07), Springer, 2007, 381–388. – Vortrag:
13th Pacific Rim International Symposium on Dependable Computing (PRDC 07),
Melbourne, Australia; 2007-12-17 – 2007-12-19
[9] Annex A controls. https://www.isms.online/iso-27001/annex-a-controls/.
Version: Jun 2020. – [Online; accessed 10-June-2020]
[10] Informationstechnik, Bundesamt für Sicherheit in d.: IT-Grundschutz-
Kompendium. Köln : Bundesanzeiger Verlag, 2020. – ISBN 978–3–846–20906–6
[11] Bundesamt für Sicherheit in der Informationstechnik. https://www.bsi.bund.de/DE/
Themen/ITGrundschutz/ITGrundschutzStandards/ITGrundschutzStandards_
node.html, 2020. – [Online; accessed 10-June-2020]
[12] Bundesamt für Sicherheit in der Informationstechnik. https://www.bsi.bund.de/DE/
Themen/ITGrundschutz/ITGrundschutzStandards/Standard04/ITGStandard04_
node.html, 2020. – [Online; accessed 10-June-2020]
[13] Bundesamt für Sicherheit in der Informationstechnik. https://www.bsi.bund.de/
SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/Struktur_2020.
pdf?__blob=publicationFile&v=2, 2020. – [Online; accessed 10-June-2020]
[14] BSI - IT-Grundschutz - Startseite - Zuordnungstabelle ISO zum modernisierten
IT-Grundschutz. https://www.bsi.bund.de/SharedDocs/Downloads/DE/
BSI/Grundschutz/Kompendium/Zuordnung_ISO_und_modernisierter_IT_
Grundschutz.html, . – [Online; accessed 10-July-2020]
[15] Kersten, Heinrich ; Klett, Gerhard ; Reuter, Jürgen ; Schröder, Klaus-Werner:
2016. – 1 S.
[16] Disterer, Georg: ISO/IEC 27000, 27001 and 27002 for Information Security
Management. In: Journal of Information Security 04 (2013), Nr. 02, 92–100. http:
//dx.doi.org/10.4236/jis.2013.42011. – DOI 10.4236/jis.2013.42011
[17] Benedikt Pirzer, Iryna W.: Managementsysteme für Informationssicherheit:
Marktübersicht. Vorgehensmodell. Handlungsempfehlungen / Fraunhofer Re-
search Institution AISEC. 2012. – Forschungsbericht
[18] BSI - IT-Grundschutz - Bezugsquellen. https://www.bsi.bund.de/DE/Themen/
ITGrundschutz/ITGrundschutzAbout/bezug/bezugsquellen_node.html, . – [On-
line; accessed 15-June-2020]
[19] ISO/IEC 27001:2013. https://www.iso.org/standard/54534.html. Version: Jun 2019.
– [Online; accessed 15-June-2020]
[20] IT-Sicherheit für den Mittelstand: Besser nach ISO/IEC 27001 oder IT-Grundschutz
zertifizieren? https://sued-it.de/unternehmen/news-presse/52-it-sicherheit-fuer-
den-mittelstand-besser-nach-iso-iec-27001-oder-it-grundschutz-zertifiziere, . –
[Online; accessed 15-June-2020]