ISO/IEC 27001 and IT Baseline Protection (IT-Grundschutz)
Amgad Mahmoud, Felix Schmidt, Gerd Siebert
Philipps-University, Marburg, July 12, 2020
3 IT BASELINE SECURITY (IT-GRUNDSCHUTZ)

In the following, the BSI IT-Grundschutz and its two essential parts are explained.

3.1 Overview

In German-speaking countries, the IT-Grundschutz of the Bundesamt für Sicherheit in der Informationstechnik (BSI) plays an important role for ministries and public bodies as well as for companies and other institutions. On the one hand, IT-Grundschutz offers a way to deal effectively and efficiently with IT security tasks. On the other hand, IT-Grundschutz offers the possibility to prove the implementation of an Information Security Management System (ISMS) and the implementation of specific organizational and technical security measures (controls).

3.2 Characteristics

In the following subsections a brief description of the characteristics of IT-Grundschutz is given.

3.2.1 ISMS components. In the context of IT-Grundschutz, the process of controlling information security in companies and authorities is called "information security management". The important components of an ISMS according to the BSI are:

• the BSI Standards 200-x series and 100-4
• the IT-Grundschutz Compendium

The information security management system is fully defined by these components of IT-Grundschutz.

3.2.2 Four BSI Standards and the Compendium. The documents of IT-Grundschutz consist mainly of the four BSI Standards and the IT-Grundschutz Compendium, supplemented by tools, guidelines and other materials [10]. The IT-Grundschutz Compendium contains the modules, measures and threats (Gefährdungen).

The BSI Standards 200-x and the BSI Standard 100-4 define the framework, describe the general approaches and conditions for IT-Grundschutz, and cover the following topics:

• Management Systems for Information Security (ISMS) (200-1)
• IT-Grundschutz Methodology (200-2)
• Risk Management (200-3)
• Business Continuity Management (100-4)

The BSI Standard 200-1 defines general requirements for an information security management system (ISMS). It is compatible with ISO/IEC 27001 and takes into account the recommendations of other ISO/IEC standards such as ISO/IEC 27002.

The BSI Standard 200-2 forms the basis of the proven BSI methodology for establishing a solid information security management system (ISMS). It introduces three approaches to implementing IT-Grundschutz:

• Basic Protection (a broad first level of minimum security measures)
• Core Protection (for a small set of particularly critical business processes and assets that need increased protection)
• Standard Protection (the comprehensive approach that corresponds to classic IT-Grundschutz)

Companies can choose among these, depending on their size and the level of information security they need.

For the first time, the BSI Standard 200-3 bundles all risk-related work steps in the implementation of IT-Grundschutz. The advantage for the user is a significantly reduced effort to achieve the desired level of security [11].

The BSI Standard 100-4 shows a systematic way to set up emergency management in an authority or a company to ensure the continuity of business operations. In the event of a failure or major damage, the tasks of emergency management are:

• Increase reliability
• Prepare the institution for emergencies and crises
• Quickly resume the most important business processes
• Minimize damage from emergencies or crises
• Ensure the survival of the authority or the company

Remark. The BSI Standard 100-4 is to be replaced by the new BSI Standard 200-4 by the end of 2020 [12].

3.2.3 IT-Grundschutz Compendium. Since 2017 the IT-Grundschutz Compendium has replaced the IT-Grundschutz Catalogs. The Compendium is now the basic publication of IT-Grundschutz. Together with the BSI Standards, it forms the basis for anyone who wants to deal with information security. The IT-Grundschutz Compendium defines the information security requirements that companies have to meet. It focuses on the so-called IT-Grundschutz modules. They are divided into two module layers with 10 main modules:

• Process-oriented modules
  – ISMS (Security Management)
  – ORP (Organisation and Personnel)
  – CON (Concepts and Approaches)
  – OPS (Operation)
  – DER (Detection and Reaction)
• System-oriented modules
  – APP (Applications)
  – SYS (IT Systems)
  – IND (Industrial IT)
  – NET (Networks and Communication)
  – INF (Infrastructure)

The detailed structure of the IT-Grundschutz Compendium and its 10 main modules with currently 96 sub-modules, the so-called "Bausteine" (as of February 2020), is shown on the BSI website [13].

Remark. The requirements of the BSI IT-Grundschutz Compendium thus correspond to the recommended actions of ISO/IEC 27002; the BSI publishes a mapping table relating the modules of the modernized IT-Grundschutz to the ISO standards [14].

3.3 Summary

IT-Grundschutz follows the approach of applying standard measures (controls) to typical information-processing objects with normal protection requirements, in order to reach an appropriate level of security with little effort. The BSI Standards play an important role. The Standards are supplemented by the very extensive collection of essential IT security measures in the IT-Grundschutz Compendium.
IT-Grundschutz provides a procedure for implementing ISO/IEC 27001. IT-Grundschutz is continuously being developed: both the Standards and the Compendium are updated, their content is revised and new modules are added. The IT-Grundschutz Compendium is published annually in February in a new edition.

4 COMPARISON

The following section compares ISO/IEC 27001 and the BSI IT-Grundschutz. Both methodologies have their origin in the 1990s and are based on earlier approaches to a standardized information security management system. ISO/IEC 27001 was derived from the British Standard BS 7799 of the British Standards Institution, which used to be a national standard comparable to the current German BSI IT-Grundschutz [15].

The following overview compares the two standards [20]:

Table 1. ISMS comparison

ISO/IEC 27001              | BSI IT-Grundschutz
International standard     | Mainly in German-speaking countries (DACH)
Less than 200 pages        | More than 1000 pages
Generic approach           | Concrete approach
Risk analysis necessary    | Risk analysis only if an increased protection level is necessary
Top-down methodology       | Bottom-up methodology
Approx. 100 € fee          | Open access, free of charge
The most obvious difference between these two standards is the geographical scope, which can already be seen in the title. ISO/IEC 27001 is an internationally focused standard developed and published by the ISO, whereas IT-Grundschutz is an approach addressed to the DACH region, especially Germany, which results from the fact that IT-Grundschutz is developed and published by the Bundesamt für Sicherheit in der Informationstechnik (BSI).

Although both standards pursue the same goal, the two approaches differ in their scope and structure. The fact that ISO/IEC 27001 gets along with less than 200 pages shows the more general scope of this concept, whereas IT-Grundschutz needs more than 1000 pages to build an extensive concept.

So ISO/IEC 27001 gives an organization more freedom to implement the approach in the way that fits its needs best. This abstract concept leads to the fact that both companies and authorities of all sizes can adopt ISO/IEC 27001. The more specific and comprehensive IT-Grundschutz provides a large catalog of concrete technical suggestions. This approach leaves less room for maneuver, but at the same time offers a good guide along which an organization can work [15–17].

Another difference between these two standards is the treatment of risk analysis. It is part of both approaches, but only in ISO/IEC 27001 is it required and an essential part of the concept. IT-Grundschutz recommends a risk analysis only in special cases: according to BSI Standard 200-3, for target objects with high or very high protection requirements, for which no suitable module exists, or which are operated in an atypical environment. This is the reason why ISO/IEC 27001 is seen as the top-down method and IT-Grundschutz as the bottom-up method, which shows how different the approaches of the two concepts are.

One last point, which may seem minor in view of the potential costs in the case of a security breach, can be important, especially for small businesses and non-profit organizations. The ISO/IEC 27001 standard itself costs around 100 €, whereas the basic IT-Grundschutz is publicly available free of charge [18, 19].

REFERENCES

[1] Global Investigative Journalism Network. https://gijn.org/, 2020. – [Online; accessed 10-June-2020]
[2] Buckley, O.; Nurse, J. R. C.; Legg, P. A.; Goldsmith, M.; Creese, S.: Reflecting on the Ability of Enterprise Security Policy to Address Accidental Insider Threat. In: 2014 Workshop on Socio-Technical Aspects in Security and Trust, 2014, pp. 8–15
[3] Estimating the market impact of security breach announcements on firm values. In: Information & Management 46 (2009), no. 7, pp. 404–410
[4] Disterer, Georg: ISO/IEC 27000, 27001 and 27002 for Information Security Management. (2013)
[5] Team, I.P.: EU General Data Protection Regulation (GDPR): an implementation and compliance guide. IT Governance Ltd
[6] ISO/IEC 27000:2018(E): Information technology — Security techniques — Information security management systems — Overview and vocabulary, 5th edition. 2018
[7] Bahria University Journal of Information & Communication Technologies, Vol. 10, Special Issue. September 2017
[8] Fenz, Stefan; Goluch, Gernot; Ekelhart, Andreas; Riedl, Bernhard; Weippl, Edgar: Information Security Fortification by Ontological Mapping of the ISO/IEC 27001 Standard. In: Proceedings of the 13th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 07), Springer, 2007, pp. 381–388. – Talk: 13th Pacific Rim International Symposium on Dependable Computing (PRDC 07), Melbourne, Australia; 2007-12-17 – 2007-12-19
[9] Annex A controls. https://www.isms.online/iso-27001/annex-a-controls/. Version: Jun 2020. – [Online; accessed 10-June-2020]
[10] Bundesamt für Sicherheit in der Informationstechnik: IT-Grundschutz-Kompendium. Köln: Bundesanzeiger Verlag, 2020. – ISBN 978-3-846-20906-6
[11] Bundesamt für Sicherheit in der Informationstechnik. https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzStandards/ITGrundschutzStandards_node.html, 2020. – [Online; accessed 10-June-2020]
[12] Bundesamt für Sicherheit in der Informationstechnik. https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzStandards/Standard04/ITGStandard04_node.html, 2020. – [Online; accessed 10-June-2020]
[13] Bundesamt für Sicherheit in der Informationstechnik. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/Struktur_2020.pdf?__blob=publicationFile&v=2, 2020. – [Online; accessed 10-June-2020]
[14] BSI – IT-Grundschutz – Startseite – Zuordnungstabelle ISO zum modernisierten IT-Grundschutz (mapping table from ISO to the modernized IT-Grundschutz). https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/Kompendium/Zuordnung_ISO_und_modernisierter_IT_Grundschutz.html. – [Online; accessed 10-July-2020]
[15] Kersten, Heinrich; Klett, Gerhard; Reuter, Jürgen; Schröder, Klaus-Werner: 2016. – 1 p.
[16] Disterer, Georg: ISO/IEC 27000, 27001 and 27002 for Information Security Management. In: Journal of Information Security 04 (2013), no. 02, pp. 92–100. http://dx.doi.org/10.4236/jis.2013.42011. – DOI 10.4236/jis.2013.42011
[17] Benedikt Pirzer, Iryna W.: Managementsysteme für Informationssicherheit: Marktübersicht. Vorgehensmodell. Handlungsempfehlungen (Management systems for information security: market overview, procedure model, recommendations) / Fraunhofer Research Institution AISEC. 2012. – Research report
[18] BSI – IT-Grundschutz – Bezugsquellen (sources of supply). https://www.bsi.bund.de/DE/Themen/ITGrundschutz/ITGrundschutzAbout/bezug/bezugsquellen_node.html. – [Online; accessed 15-June-2020]
[19] ISO/IEC 27001:2013. https://www.iso.org/standard/54534.html. Version: Jun 2019. – [Online; accessed 15-June-2020]
[20] IT-Sicherheit für den Mittelstand: Besser nach ISO/IEC 27001 oder IT-Grundschutz zertifizieren? (IT security for small and medium-sized enterprises: is it better to certify against ISO/IEC 27001 or IT-Grundschutz?). https://sued-it.de/unternehmen/news-presse/52-it-sicherheit-fuer-den-mittelstand-besser-nach-iso-iec-27001-oder-it-grundschutz-zertifiziere. – [Online; accessed 15-June-2020]