ISO 27001 certification on the basis of IT-Grundschutz

Adaptation of the workflows

The current situation in Germany with regard to the coronavirus also requires some modified workflows in the certification body for IT-Grundschutz procedures.
We therefore request that, until further notice, you submit all certification documents (e.g. certification application, declaration of independence, accepted audit report) digitally by e-mail to gs-zert@bsi.bund.de. If a document is submitted as a sender-confirmed De-Mail to the De-Mail address (embedded), the paper copy does not need to be sent as well.

The BSI Standards contain methods and procedures for a wide variety of topics in the field of information security and, together with the IT-Grundschutz Compendium, represent a de facto standard for IT security.

The BSI Standard 200-1 defines the general requirements of an information security management system (ISMS). With the BSI Standard 200-2 on IT-Grundschutz methodology, a solid ISMS can be established. Standard Protection is provided by the proven IT-Grundschutz approach. It is supplemented by Basic Protection, which enables an initial level of protection across the board, and by Core Protection, which is dedicated to protecting an organisation's sensitive data. The BSI Standard 200-3 on risk management contains the risk-related work steps for the implementation of IT-Grundschutz.

The IT-Grundschutz Compendium contains the IT-Grundschutz modules, each of which clearly explains threats and security requirements for an information security topic on about ten pages. The IT-Grundschutz modules are divided into ten subject layers.

ISO 27001 certification on the basis of IT-Grundschutz is possible both for Standard Protection and for Core Protection. For Basic Protection, the BSI offers an attestation as proof of successful implementation.

However, such attestations may only be issued by an auditor certified by the BSI.

The prerequisite for receiving an ISO 27001 certificate based on IT-Grundschutz is an examination by an ISO 27001 IT-Grundschutz auditor certified by the BSI. The tasks of an ISO 27001 IT-Grundschutz auditor include inspecting the reference documents created by the organisation, conducting an on-site examination, and writing an audit report. To be awarded an ISO 27001 certificate, the organisation must submit this audit report to the BSI for review. Based on the audit report, the BSI decides whether to issue a certificate.