Certification of management systems

In accordance with the BSI Act [BSIG], the Federal Office for Information Security (BSI) is assigned the task of performing certifications of information technology systems.

To perform these tasks, the BSI operates certification programmes. Each programme defines and describes the rules (applicable scopes, needs-based testing criteria, requirements and records), the process itself, and the management activities for performing the certification.

Management systems are certified in response to an application for certification. Certification is conditional on completion of an audit according to the criteria or technical guidelines published in the certification programme.

The procedure for performing certifications in accordance with ISO 27001 on the basis of IT-Grundschutz is described in the process description Certification according to ISO 27001 on the basis of IT-Grundschutz - certification scheme.

The procedure for technical guidelines (TR) is described in the document Process description for the certification of products [PD (process description) Products], which is supplemented by the requirements document Requirements for applicants for the certification of products to technical guidelines [TR Products].

Some TRs are based on ISO/IEC 27001. Certifications for these TRs are not normally performed by the BSI but by certification bodies accredited for the certification of management systems according to ISO/IEC 27001. The applicable underlying system is described in "Hinweis für Zertifizierungsstellen von sektorspezifischen Managementsystemen basierend auf ISO/IEC 27001".

The "Directories" document includes the main breakdown for all references (main list of current documents) as well as a glossary.