German companies often use ISO 27001 as their guide for information security, yet with BSI IT-Grundschutz Germany has a practical, government-approved toolkit of its own. It provides concrete, auditable measures, is modular in design, and scales with protection needs and risk. In the third part of our series on Cybersecurity Awareness Month 2025, we explain where the German approach offers advantages in everyday practice, and how the two standards work together.
Norderstedt, October 27, 2025 – ISO/IEC 27001 is the global language of information security: internationally recognized, applicable across industries, and a reliable reference framework for globally active companies. Its greatest advantage is comparability across countries and sectors. At the same time, ISO 27001 deliberately remains abstract: it requires verifiable processes and controls, but leaves their specific design to each organization. “The BSI's IT baseline protection takes a different approach: less theory, more concrete, auditable requirements – and state-approved,” says Fadi Zaid, IT security and privacy expert at LHIND (Lufthansa Industry Solutions). Since the 1990s, IT-Grundschutz has evolved from the original IT-Grundschutz manual (first published in 1994) into a modular system. “In Germany in particular, this approach often provides authorities, regulated industries, and medium-sized companies with faster access to effective security.”
Building blocks, maturity levels, processes
At the heart of IT-Grundschutz are BSI Standards 200-1 to 200-3 (200-1: information security management systems, ISMS; 200-2: the IT-Grundschutz methodology; 200-3: risk analysis on the basis of IT-Grundschutz), together with the IT-Grundschutz Compendium, which is updated in an annual edition. The Compendium has a modular structure: process building blocks (ISMS; organization and personnel, ORP; concepts and procedures, CON; operation, OPS; detection and reaction, DER) are interlinked with system building blocks for applications (APP), IT systems (SYS), industrial IT/OT (IND), networks and communication (NET), and physical infrastructure (INF).
Each building block describes its scope and typical threats and lists requirements in three categories: Basic requirements (worded as MUST, the minimum hygiene that applies to every target object), Standard requirements (worded as SHOULD, the appropriate level of protection), and requirements for increased protection needs (state-of-the-art measures, selected only after a risk analysis). Public authorities and institutions in particular benefit from its government recognition, as do organizations under high regulatory pressure, such as critical infrastructure operators or financial institutions; it also offers clear guidance to small and medium-sized enterprises.
Implementation follows a clear process model based on the Plan-Do-Check-Act (PDCA) cycle. Once the scope (the information domain) has been defined, a structural analysis and a protection requirements assessment are carried out, the target objects are modeled by assigning building blocks to them, and the assigned requirements are systematically compared with the actual state in the IT-Grundschutz check. A supplementary risk analysis according to BSI Standard 200-3 is then performed for target objects with high or very high protection needs, and for those for which no suitable building block exists. “Information security is not a state, but a continuous process that adapts to technology, law, and threats,” says Zaid.
Three entry paths facilitate the start: basic protection (Basis-Absicherung) as quick minimum protection across the whole organization, core protection (Kern-Absicherung) for an organization's crown jewels, and standard protection (Standard-Absicherung) for a consistent overall level of protection. Standard protection is also the path on which an ISO 27001 certificate on the basis of IT-Grundschutz can be obtained.
Evidence culture, regulation, and interaction with ISO
IT-Grundschutz makes responsibilities visible: from top management and the information security officer (ISB in German usage, or CISO) down to specialist areas such as IT operations, purchasing, and human resources. Evidence of implemented measures is collected continuously and checked for effectiveness using a small set of precise key figures, such as coverage of multi-factor authentication, adherence to patch cycles, results of recovery tests, and times to detect and resolve incidents. In practice, quick wins accelerate progress: multi-factor authentication (MFA) for sensitive access, consistent patch management, tested backups, and clear reporting channels in the event of an incident. Conversely, it is worth avoiding typical stumbling blocks: do not rate protection requirements as “very high” across the board (this triggers risk analyses everywhere and blurs priorities), do not confuse documentation with effectiveness, and do not mistake tools for a universal remedy.
The German modular system is not an alternative to ISO 27001 but a supplement to it. Companies can either proceed in the traditional manner according to ISO 27001 with their own Statement of Applicability, or implement ISO 27001 “on the basis of IT-Grundschutz,” with the building blocks providing the evidence for the controls. The same evidence serves current regulation: NIS2 addresses incident management, reporting channels, business continuity, and supplier security; the KRITIS rules raise the requirements for redundancy, evidence, and exercises; and the Digital Operational Resilience Act (DORA) tightens governance, ICT risk management, resilience testing, and control of third-party ICT providers. “Regulation provides the framework, and the compendium delivers the operational measures. Together, they create security that is both compatible and effective,” summarizes Zaid.