The German IT-Grundschutz forms the basis for IT security in Germany and is internationally recognised. It is a collection of recommendations that help protect IT systems against security threats. In this blog article, I would like to take a closer look at the origin, international acceptance and structure of the German IT-Grundschutz.
The information presented below has been researched from various sources on the internet and may also contain personal experiences of the author from his or her day-to-day professional life. It should be noted that this is not legal advice, and no liability is accepted for actions or non-actions taken as a result of the information published here. It is possible that the information may be out of date or incomplete due to rapid changes in case law. For this reason, the information on this website should not be used as a complete or accurate source of advice or information on legal matters. We recommend that you always consult a qualified lawyer for legal advice before making any decision.
Origin of the German IT-Grundschutz
The German IT-Grundschutz was developed by the federal administration in the 1990s. At that time, there was an increasing need for IT security as more and more processes were automated. The aim was to ensure the security of IT systems and associated data in the federal administration. Based on this development work, the German IT-Grundschutz was finally created.
International acceptance of German IT-Grundschutz
In the meantime, the German IT-Grundschutz has also gained international importance. The internationalisation took place through the adoption of the standard in the ISO/IEC 27001 standard. This is a globally recognised certification model for information security management systems (ISMS). This means that companies and organisations outside Germany can also use the German IT-Grundschutz as the basis for their IT security and have this certified.
In 2018, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik – or BSI). The intention is that this will help the standard become better known in other countries and that more companies and organisations will use it.
Structure of the German IT-Grundschutz
Basic IT protection is a valuable tool that supports companies and institutions in securing their information and systems. The integrated approach of IT-Grundschutz takes into account technical, organisational, infrastructural and personnel aspects of information security. The IT-Grundschutz Compendium and the IT-Grundschutz Profiles are particularly useful for small and medium-sized enterprises that have their own IT operations.
The BSI standards
The BSI standards are a central component of the IT-Grundschutz methodology and offer users from government agencies and companies as well as manufacturers and service providers recommendations on methods, processes and measures for information security. The BSI standards 200-1, 200-2 and 200-3 replaced the previous BSI standards of the 100-x series in October 2017. Companies can create additional trust among customers and partners with an ISO 27001 certificate based on IT-Grundschutz.
BSI Standard 200-1 defines general requirements for an information security management system (ISMS) that is compatible with ISO Standard 27001 and other ISO standards. It is independent of the method and compatible with the IT-Grundschutz approach.
BSI Standard 200-2 forms the basis for establishing an information security management system (ISMS) and establishes three new procedures for implementing IT-Grundschutz. The two streamlined and modular procedures, basic and core protection, make it easier for those responsible in small and medium-sized companies in particular to get started.
BSI Standard 200-3 bundles all risk-related steps in the implementation of IT-Grundschutz and enables a targeted security level with significantly reduced effort.
BSI Standard 200-4 offers practical guidance for a Business Continuity Management System (BCMS) in one’s own institution. It is not yet certifiable, but helps inexperienced BCM users in particular to find an easy introduction to the subject. The requirements catalogue follows the BCMS process in its structure and ordering. Aids such as document templates and further material on coping with incidents are published on the website on an ongoing basis. During the community draft phase, the existing BSI Standard 100-4 remains valid until a definitive version of BSI Standard 200-4 is published.
The IT-Grundschutz Compendium
The IT-Grundschutz Compendium is an important source for all those who deal with the topic of information security. It consists of the IT-Grundschutz building blocks, which are assigned to ten different subject areas, as well as an introduction to the topic. In addition to technical aspects, security aspects relating to infrastructure, organisation and personnel are also taken into account. The building blocks consist of basic and standard requirements as well as requirements for increased protection needs. In addition, users can read in the implementation notes how they can implement the requirements in practice. The IT-Grundschutz Compendium is updated every year and thus offers up-to-date and practice-oriented expertise on the most important topics of information security.
An IT-Grundschutz profile documents the steps of a security process for a specific application area. These documents are created jointly by various institutions and are usually supported by industry associations. Companies with similar security requirements can effectively secure their processes on this basis while reducing the effort required. Profiles are published for different sectors, such as craft enterprises or local governments. Together with the Alliance for Cyber Security, the IT-Grundschutz team supports interested users in creating IT-Grundschutz profiles. A manual on the BSI website guides users through the creation process. With IT-Grundschutz profiles, a company can increase its security and thus reduce risks.
German laws in connection with IT-Grundschutz
In recent years, several laws related to IT security have been passed or announced in Germany. Here are some examples:
Law on the implementation of the NIS Directive / NIS2
In May 2018, the law was introduced to implement the NIS Directive, which was launched by the European Union to ensure the IT security of critical infrastructures in Europe. The corresponding German law stipulates that operators of “critical infrastructures” (e.g. energy suppliers, waterworks, hospitals) must guarantee a certain level of security and report serious cyber-attacks.
From 2023, the NIS2 Directive (2022/2555) will apply, which sets minimum standards for information security and cyber security. Companies belonging to certain particularly critical sectors with more than 50 employees and a turnover of more than 10 million euros per year must implement these standards from 2014. Non-compliance could result in penalties of up to 10 million euros.
NIS2 may also be implemented as a revision of the IT Security Act.
IT Security Act 2.0
The IT Security Act 2.0 is a modification of the IT Security Act (“Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme”) that has been in force since 2015. The goal of the IT Security Act is to increase the security of critical infrastructures in Germany, primarily in order to prevent or at least ward off attacks on these infrastructures. So far, this has mainly affected operators of energy grids and waterworks as well as companies from the “information technology and telecommunications” segments. With the revision of the law, even more critical infrastructures are to come into focus.
The IT Security Act 2.0: Why was it revised?
In the digital world, the importance of information security and data protection continues to increase. At the same time, the threats from cyber-attacks are also increasing. These are no longer just small hacker attacks, but highly professional attacks by criminal organisations or foreign states that specifically target large institutions such as electricity suppliers or financial institutions. A cyber-attack here can already have far-reaching consequences and, in the worst case, even paralyse the functioning of an entire region.
The IT Security Act 2.0 is intended to address precisely this issue and increase the protection of infrastructures against possible attacks. To this end, the law focuses on increased cooperation between authorities, companies and organisations as well as on better education of the general public on the topic of cybersecurity. The possibility of state intervention, for example in the event of a serious cyber-attack on critical infrastructures, is also to be expanded.
The key points of the IT Security Act 2.0:
An improved reporting obligation: Operators of critical infrastructures must inform the corresponding federal and state authorities within 24 hours in the event of cyberattacks that affect their networks.
Creation of competence centres: The establishment of competence centres is intended to enable effective defence against cyber-attacks. For this purpose, the experts of the federal and state authorities are to cooperate more closely and be able to draw on specific expertise.
A cyber security council: The newly created cyber security council is to improve cooperation between the individual actors as well as to advance the education of the general public.
Increasing penalties: Penalties for violations of the IT Security Act are to be increased. Imprisonment is also possible in the case of particularly serious violations.
Security audits: Companies must be audited at regular intervals by an independent body to ensure compliance with IT security guidelines.
The IT Security Act 2.0: What are the implications for companies?
The innovations of the IT Security Act 2.0 primarily affect operators of critical infrastructures. They must prepare for significantly stricter IT security requirements and should already begin to secure and check their systems accordingly. Companies that do not fall into this category must also deal with the issue. They, too, are responsible for keeping their systems free of potential vulnerabilities and regularly checking their own network security.
The BSI Act
The Federal Office for Information Security (BSI) is the central authority in Germany dealing with IT security. The BSI Act specifies what tasks and powers the BSI has and how it works.
These laws are just a few examples of how German legislation addresses the issue of IT security. In times of increasing cyberattacks and cyberthreats, the topic is likely to remain a high priority.
The German IT-Grundschutz forms an important basis for IT security. Due to its modularity, it can also be introduced by smaller companies or adopted as a guideline.
The IT-Grundschutz Compendium (the current German edition is Edition 2023, dated 01.02.2023 – the last English edition is 2022) is available free of charge as a PDF from the BSI. It includes 858 DIN A4 pages. The individual modules are also available free of charge as PDFs.
My tip: The BSI also offers a free online training course on IT-Grundschutz, but only in German.