Published under Risk Management

IT-Grundschutz (IT Baseline Protection Manual)

Product identity card

General information
Basic information to identify the product

Method or tool name : IT-Grundschutz (Former English name: IT Baseline Protection Manual)
Vendor name : Federal Office for Information Security (BSI)
Country of origin : Germany

Level of reference of the product
Details about the type of initiator of the product

National Standardization body : BSI (Germany)

Specify the phases this method supports and a short description

R.A. Method phases supported

  • Risk identification : Each IT-Grundschutz module contains a list of typical threats. Threats are also classified in 5 threat catalogues. Identification of additional threats takes place during the supplementary risk analysis.
    Risk characterization is the result of the assessment of protection requirements. For this purpose, protection requirement categories are defined and potential damage scenarios are assigned to these protection requirement categories. A further risk characterization is provided within the supplementary risk analysis, where risks are characterized with the help of the assigned decision of how to handle them (see Risk Analysis based on IT-Grundschutz, chapter 6, “Handling threats”).
  • Risk analysis : To each threat, contained in a module, a detailed description of the thread is provided.
  • Risk evaluation : An exposure assessment is made within the assessment of the protection requirements with the help of damage scenarios. For threats identified within the scope of a supplementary risk analysis, the exposure assessment takes place during the phase of threats assessment.

R.M. Method phases supported

  • Risk assessment: See RA method phases
  • Risk treatment : Catalogues of recommended safeguards. Detailed description of safeguards assigned to each IT-Grundschutz module. Assignment of safeguards to the threats considered (cross reference tables). Risk treatment alternatives, see Risk Analysis based on IT-Grundschutz, chapter 6, "Handling threats" in part C.
  • Risk acceptance : Risk analysis based on IT-Grundschutz, "Handling threats" in part C.
  • Risk communication : Risk communication is part of the module "IT security management" and especially handled within the safeguards S 2.191 "Drawing up of an Information Security Policy" and S 2.200 "Preparation of management reports on IT security"

Brief description of the product

  • IT-Grundschutz provides a method for an organization to establish an Information Security Management System (ISMS). It comprises both generic IT security recommendations for establishing an applicable IT security process and detailed technical recommendations to achieve the necessary IT security level for a specific domain. The IT security process suggested by IT-Grundschutz consists of the following steps:
    • Initialization of the process:
    • Definition of IT security goals and business environment
    • Establishment of an organizational structure for IT security
    • Provision of necessary resources
    • Creation of the IT Security Concept:
    • IT-Structure Analysis
    • Assessment of protection requirements
    • Modeling
    • IT Security Check
    • Supplementary Security Analysis
    • Implementation planning and fulfillment
    • Maintenance, monitoring and improvement of the process
    • IT-Grundschutz Certification (optional)
    The key approach in IT-Grundschutz is to provide a framework for IT security management, offering information for commonly used IT components (modules). IT-Grundschutz modules include lists of relevant threats and required countermeasures in a relatively technical level. These elements can be expanded, complemented or adapted to the needs of an organization.

Date of the first edition, date and number of actual version

Date of first release : 1994
Date and identification of the last version : 2005

Useful links
Link for further information

Official web site :
User group web site : N/A
Relevant web site :

List the available languages that the tool supports

Availability in European languages : German, English

Specify the price for the method

  • Free

Page top


Target organisations
Defines the most appropriate type of organisations the product aims at

  • Government, agencies
  • Large companies
  • SME
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : N/A

Geographical spread
Information concerning the spread of this tool

Used in EU member states : Many
Used in non-EU member states : N/A

Level of detail
Specify the target kind of users

  • Management
  • Operational
  • Technical

License and certification scheme
Specify the licensing and certification schemes available for this method

Recognized licensing scheme : Yes
Existing certification scheme : Yes

Page top

Users viewpoint

Skills needed
Specify the level of skills needed to use and maintain the solution

  • To introduce : Standard
  • To use : Standard
  • To maintain : Standard

Consultancy support
Specify the kind of support available

Consultancy : Open market & Company specific

Regulatory compliance
There is a given compliance of the product with international regulations

  • KonTraG (German Act on Control and Transparency in Businesses)
  • Basel II
  • TKG (German Telecommunications Act)
  • BDSG (German Federal Data Protection Act)

Compliance to IT standards
There is a compliance with a national or international standard

Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.

Availability : Product is free

Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security

It is possible to measure the I.S.S. maturity level : Yes (three levels)

Tools supporting the method
List of tools that support the product

Non commercial tools

Commercial tools

  • HiSolutions AG HiScout SME
  • inovationtec - IGSDoku
  • Kronsoft e.K. - Secu-Max
  • Swiss Infosec AG - Baseline-Tool
  • WCK - PC-Checkheft

Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools

Tools can be integrated with other tools : No

Organisation processes integration
The method provides interfaces to existing processes within the organisation

Method provides interfaces to other organisational processes : Quality management, IT revision, Data Protection, SLA management, Project management

Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.

Method allows use of sector adapted databases : Yes

Browse the Topics

This site uses cookies to offer you a better browsing experience.
Aside from essential cookies we also use tracking cookies for analytics.
Find out more on how we use cookies.

Accept all cookies Accept only essential cookies