BIC BSI Grundschutz was developed based on the IT-Grundschutz compendium and can be used to implement and operate an ISMS. The German Federal Office for Information Security (BSI) designed the IT-Grundschutz so that it can be used in all types of industries. Its recommendations, which cover typical security requirements and dangers, are suitable for companies of all sizes. Thanks to its predefined components and implementation instructions, it is easy to understand and can be used immediately.
In 2021, the BSI re-published the IT-Grundschutz compendium in the 2021 edition. This replaced the 2020 edition. As part of the revision, modules (asset types) were renamed or combined and security requirements (controls) were adapted to the state of the art. These changes were incorporated into BIC BSI Grundschutz.
The practical experience from numerous implementation projects was decisive for the implementation of BIC BSI Grundschutz. Our solution is based on the following basic process.
The individual components of BSI IT-Grundschutz cover all relevant aspects of information security in typical business processes and applications. They are structured into applications, IT systems, industrial IT, networks and communication, infrastructure, security management, organization and human resources, concept design and approach, detection, and reaction as well as operations. You can identify your own assets and assign them to the components contained in BIC BSI Grundschutz.
A security requirements analysis for your information security goals concerning trust, integrity and availability can be defined for the assets identified in BSI IT-Grundschutz. The objective of the security requirements analysis is to determine how suitable the protection is for the information or information technology that is used.
BIC BSI Grundschutz contains the security requirements control catalog from BSI IT-Grundschutz in all three protection levels (basic, standard and higher security requirements) as well as their instructions for designing a security concept. These security requirements are already mapped to the components – and, therefore, the relevant assets – in line with the recommendations in BSI IT-Grundschutz. The measures recommended in the control catalogs are compared here with the measures that have already been implemented in your company and evaluated based on their implementation status. This makes it possible to implement the recommended security requirements accordingly, document variances, and present them transparently for certifications.
If you have not fulfilled the security requirements sufficiently, you can create risks and evaluate them based on their probability of occurrence and impact of damages. BIC BSI Grundschutz offers a choice of qualitative and quantitative evaluations. The Elementary Dangers of the BSI IT-Grundschutz, which are contained as a risk catalog in BIC BSI Grundschutz are mapped based on BSI recommendations to the applicable security requirements and enable you to create risks in the right context depending on vulnerabilities and requirements. Furthermore, you can create, document and track measures based on their implementation levels, costs, requirements as well as any reductions in damages or the probability of their occurrence.
Since the implementation instructions and design of BSI IT-Grundschutz are very similar to ISO/IEC 27001:2013, you can map the requirements from BSI IT-Grundschutz and the measure catalog from Annex A of the ISO standard in BIC BSI Grundschutz. Due to this mapping, the solution will automatically calculate the fulfillment level of the measures from Annex A of ISO 27001 following the calculation of the BSI IT-Grundschutz security requirements. This list of the fulfillment level of Annex A is also available as a printable management report.
The fulfillment levels of the respective BSI security requirements are listed by components and, therefore, assigned to their assets. You can view them clearly in the dashboard and navigate them individually. By clicking on a specific implementation status, you can drill into the control assessment and process your evaluations further. You benefit by gaining access to information on the fulfillment or completion levels at any time and creating reports for management or auditors much more easily.