What is the BSI IT basic protection?

The IT-Grundschutz is a procedure that was launched in 1994 by the Federal Office for Information Security (BSI). It defines a procedure for determining security measures in information technology and their implementation.

The aim of IT-Grundschutz is to provide users with a flexible and modular solution that enables them to maximize the security of information technology in the private sector and in public administration. The latest version also addresses the requirements and needs of small and medium-sized companies in particular.

Information Security Guidance

The catalog published by the Federal Office for Information Security shows in the most efficient and methodical way how to proceed to ensure adequate data security. This requires the use of an information security management system (ISMS) based on the globally recognized ISO 27001 standard. Organizations that are ISO 27001 certified are required to use an IT baseline protection system, while other companies can use it on a voluntary basis.


The following four criteria serve as the basis for this system:

1. Management systems for the protection of sensitive information
2. IT Security Standard Operating Procedures
3. A risk analysis based on the most fundamental aspects of IT protection
4. Emergency Management

The BSI specifies a concept of security measures for various operating environments that is based on these standards. This concept is presented in connection with the IT-Grundschutz catalogue. Sufficient precautions are in place to ensure that information is handled securely. The implementation is modular, with each module reflecting the typical business processes in an organization.

aspects of IT security

Basic aspects of the company’s IT security, presented using examples
Companies that adhere to the ISO 27001 standard find a way to integrate it with the fundamental aspects of IT security. However, non-certified companies can also benefit from the implementation of these changes. The documentation is built around modules that contain risk scenarios and recommendations for countermeasures. These modules are very detailed and cover a wide range of subjects due to their comprehensive nature.

The catalog is an important source of knowledge for information security officers, administrators and IT managers because, among other things, it contains a large number of contract templates. Two concrete examples were chosen. However, there are other helpful documents and tools, such as tools, forms and checklists, examples and templates, aids, studies and documentation, information for security officers and even more interesting tips and information. These can all be found on the internet.


Media disposal procedures
All outdated data carriers with sensitive data must be disposed of in such a way that unauthorized persons do not have access to the data. In the event that a disposal company is commissioned to remove these data carriers, there are two contract examples in IT-Grundschutz.

HR issues

Sample employment contract for the position of IT security officer
An IT security officer must be appointed in a company or an authority if certain requirements are met. These terms can be either voluntary or mandatory. In Germany, for example, the federal authorities are obliged to fulfill this requirement. At the time of appointment, the responsibilities and powers must be very clearly defined in the contract. For this reason, there is a document of the same name in IT-Grundschutz.

Standard computer protection measures and the most effective way to use them
IT-Grundschutz consists of building blocks and precautions that should build on one another. Thanks to the standards, the organization now has a methodological framework to follow when implementing the information security management system. The following method has proven to be successful in practice:

Many steps for information security

  • First step: raising employee awareness
    While the safety procedure is still being set in motion, the foundations for the following essential procedures are being laid at the same time. The company is responsible for providing the necessary financial resources to enable employees to participate in the procedures to be carried out.
  • The second step is the development of security concepts.
    The second phase is about putting into practice the basic protection categories and components that resulted from the study. The protection requirement determined in advance determines the necessary measures.
  • Step 3: Conduct an initial inspection of the security features.
    The next step in the basic security assessment is to determine the extent to which the security measures have been implemented. In addition, a security analysis is carried out, which allows for a more detailed examination of the most important systems and components. Vulnerabilities are identified and incorporated into the overall security strategy. Additional security precautions may be taken as a direct result of certain events.
  • Step 4: Maintaining information security during ongoing operations
    Even if only the most basic form of IT protection has been set up, information security must be regularly checked and controlled during operation. This means that analysis must be carried out continuously and business processes must be changed or improved.

Basic information technology security

A useful knowledge base even for companies that are not ISO-certified
Companies aiming for ISO certification must implement a certain minimum level of IT security. To ensure a high level of information security, this method follows a structured approach. A basic level of IT security is even required by law for public institutions. The concept developed by the BSI is not just an introductory suggestion and a knowledge base for users that can be used at no cost, because the accompanying documentation is extensive and thorough.