By Steffen Schmack on 06.05.2021, IT Security

“BSI IT-Grundschutz, Curse or Blessing?” – a statement

The BSI IT-Grundschutz, the German standard for establishing an information security management system (ISMS) in a company or institution, has become more widely known, not least as a result of the IT Security Act and the associated KRITIS Ordinance for operators of so-called critical infrastructures.

It is often associated with attributes such as "bulky, hard to manage, impractical, costly", and an audit is perceived as a burdensome obligation. Are these descriptions justified?

Security is "inconvenient and costly"

Security considerations in general, whether for an individual product or for a company, always involve effort beyond the intended functionality of the product or the "normal operation" of the company. Ensuring security is sometimes inconvenient, because restrictions or additional steps stand in the way of the "simple" solution.

In addition, security is neither a narrowly bounded subject nor a one-off event. A firewall on its own is as ineffective as a single security training session for employees. A given level of security can only be achieved and maintained through a complex interplay of many factors.

Methodology and nomenclature provide guidance

However individual a company or institution may be, at a certain level of abstraction the same questions have to be answered everywhere, and measures derived from them to ensure the desired level of security. So that these considerations do not have to be worked out from scratch every time, there are standards that formulate them generically. With a process model and as a collection of accumulated experience, they help practitioners find effective solutions.

At the international level this is ISO/IEC 27001; the BSI IT-Grundschutz builds on it and adds detail.

IT-Grundschutz is what you make of it

Where the international standard is formulated in a more general and abstract way, giving the implementer greater "freedom", the requirements of IT-Grundschutz are considerably more detailed and more concrete. This need not be a disadvantage: the greater granularity should not be seen as a restriction but as a help (especially for beginners). IT-Grundschutz acts as a guide where ISO 27001 expects you to bring your own creativity.

Unless certification is mandatory for a company, nothing prevents it from adopting IT-Grundschutz as a methodology without having the results verified externally right away. External verification can be added later as confirmation of one's own approach.

To reduce the effort of the work that undoubtedly has to be done, there are, in addition to the process model of full Standard-Absicherung (standard protection):

  • Basis-Absicherung (basic protection), which is characterised by a shallower depth of analysis across the basic business processes and thus above all represents a lower barrier to entry (for which an official attestation, the IT-Grundschutz-Testat, can be issued after an audit),
  • Kern-Absicherung (core protection), which is limited to those business processes considered particularly critical and is therefore "leaner" (and which is also eligible for certification).

In conclusion, BSI IT-Grundschutz should be understood as a tool, one which, used correctly, makes the complex challenge of "security" in a company manageable thanks to its methodology and structure. SPIRIT/21 can advise you not only on the theory but, above all, drawing on extensive practical experience, accompany the implementation.

For more detailed information, please use the BSI websites.

Steffen Schmack

Senior Consultant Security

Steffen is our expert on the subject of security, well versed in both theory and implementation, at both product and application level.