IT baseline protection from the BSI – what will be important in 2023

BSI baseline protection, also known as “IT baseline protection”, is a concept and methodology developed by the German Federal Office for Information Security (BSI). This approach aims to ensure information security in organizations, especially with regard to the IT infrastructure.

But what exactly is behind it, how can I get certified and how do I prepare for it? We answer these and other questions in this article.

What is IT baseline protection and what is it good for?

BSI IT-Grundschutz is a voluntary security standard of the German Federal Office for Information Security. Similar to ISO 27001, it is dedicated to setting up an information security management system (ISMS) to manage information security in organizations. It offers specific measures for the protection of IT systems with normal protection requirements. This generally saves companies from having to carry out their own risk analysis and enables them to use the BSI’s standard protection. The aim of the BSI is to provide companies and public institutions with a simple and practical approach to improving cyber security.

It is important to know: IT baseline protection is not mandatory. It is merely an aid to improving information security in companies and the provision of general standard measures.

Also good to know: The topic of data protection as defined by the GDPR is not fully covered by IT baseline protection. The topic is touched on, but reference is then made to the requirements of the German data protection authorities.

This is how IT baseline protection is structured

As part of IT baseline protection, there are various BSI standards that you should familiarize yourself with. These define requirements for a management system and methods for implementation. There are four different standards in total:

BSI standard 200-1: general requirements, guidelines for creating security processes and security concepts
BSI Standard 200-2: Test basis for certification, detailed specifications for design, implementation and improvement
BSI Standard 200-3: Procedure for risk analysis, guidelines for own risk assessments for objects with high protection requirements or for which no suitable basic protection module exists
BSI Standard 200-4: Business Continuity Management, specifies the requirements of the emergency management module

There is also the IT baseline protection compendium. This contains specific measures for the security of your IT infrastructure. They are divided into 10 subject areas with a total of 113 modules. Companies must decide for themselves which modules are relevant to them. You can find out more here: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Kompendium/it-grundschutz-kompendium_node.html

The IT baseline protection profiles are also interesting. These are sample examples for the implementation of IT baseline protection based on various application examples. There is a suitable sample for every company.

What requirements are there?

IT baseline protection distinguishes between three variants for protecting your IT. With basic protection, a company meets the basic requirements in all IT areas. This means that IT security can be significantly improved quickly with certain measures.

The BSI recommends standard protection. This means that a company can demonstrate comprehensive protection of its own IT systems. With core protection, the standard requirements are only applied in certain areas. The focus here is on critical processes and systems.

When determining protection requirements, it is also possible that an increased need for protection is identified. IT baseline protection also contains requirements for this.

Do you meet the standard or core requirements? Great, then you can take out basic protection certification. This is an ISO 27001 certification based on IT baseline protection. All framework data such as validity period etc. are therefore the same. The only difference is that you receive a separate certificate from the BSI for basic protection. It is valid for two years.

What is the difference to ISO 27001?

BSI IT-Grundschutz offers a practice-oriented methodology for setting up an information security management system that meets the requirements of ISO 27001. In terms of the basic ISMS requirements, ISO 27001 and IT-Grundschutz are therefore largely the same. However, as IT-Grundschutz is mainly known in Germany, an ISO certificate based on IT-Grundschutz may not be recognized internationally.

The difference between ISO 27001 and IT-Grundschutz lies in their approach: The ISO standard is more abstract and focuses on general processes, while IT-Grundschutz offers users concrete steps to secure their IT through detailed measures from various building blocks. This difference is also reflected in the length of the standards: compared to ISO 27001, BSI IT-Grundschutz is far more comprehensive.

How to prepare for certification

Below we have briefly listed everything that needs to be done before certification:

Determine which areas are to be secured
Record the current status and derive measures
Determining the protection requirements of individual business processes and the necessary systems, information, etc.
Determine which of the 113 modules must be applied to which object
Risk analysis for objects with increased protection requirements
Basic protection check: target/actual comparison of the implementation status of each requirement
Concept for implementing the security measures, including budgeting, implementation sequence, deadlines and responsibilities
Maintenance and improvement through internal controls and optional independent certifications

This is how the certification process works

The certification process is basically the same as for ISO 27001. After your company has submitted an application for certification, a remote audit takes place in which the submitted documents are reviewed. These include Information security guidelines, structural analysis, protection needs assessment, modeling, IT baseline protection check, risk analysis and the measures implementation plan.

Finally, a second audit takes place on site. This checks the implementation of the security measures. The Federal Office receives the audit report and, in the best case, issues an ISO certificate based on IT baseline protection. Annual audits are then carried out for monitoring purposes.

Our solution – the BAYOOSOFT Access Manager

Identity and access management plays a crucial role in IT baseline protection. There is even a separate module for this – ORP.4 Identity and Authorization Management. But the topic is also relevant in other modules. It is therefore worth taking a closer look at the secure management of accounts and access rights.

ORP.4 in turn lists various requirements (ORP.4.A1 to ORP.4.A17) that companies must meet with regard to their authorization management. These include, for example, that inactive identifiers are deactivated and that each identifier must be uniquely assigned to a person.

The BAYOOSOFT Access Manager helps you to meet these requirements. And the tool also saves you a lot of time and effort. It standardizes the routine tasks of user and authorization management and supports the provision of IT services such as mailboxes, software distribution or telephony. Not only individual tasks, but entire process chains are optimized, which means that the use of resources and error rates are far lower than with manual processing.

Learn more

Sounds exciting, but complicated? The BSI provides an online course on IT baseline protection. This will make it easier for you to get started.

To the online course (ger)

You can find more information on the official website of the BSI.

To the website (ger)