Guide To Basic Protection Based On IT | Basic Security

Cybersecurity is a wide, abstract term. However, filling it with life starts in the smallest organization. Not only the government can contribute to cybersecurity in Germany, but also every company – regardless of the size – must make a contribution. With the IT-Grundschutz, the BSI has been providing a proven method and an extensive offer for many years which is successfully used in the administrative and industry sectors. Many government agencies and large companies are – also due to their financial and personnel resources – well positioned when it comes to information security.

However, the exchange with small and medium-sized enterprises mostly – still – reveals a different picture. Even though the awareness for information security issues is given, there is often a lack of trained personnel and financial resources for a sustained and reasonable implementation of the necessary safeguards.

As the national cyber security authority, it is our claim to design the information security in the digitalization and to increase Germany’s resistance against cyber threats. The design also involves to offer feasible and target-oriented solutions. This is exactly where this guide to “Basic Protection“ starts: As part of the complete IT-Grundschutz Methodology, Basic Protection provides an entry point for all companies who would like to look into the safeguarding of their IT systems and data for the first time. The guide explains in a comprehensible manner the steps required for reviewing the existing information security level as well as safeguards that can be quickly implemented with minimum financial investment and a few employees. In addition to technical aspects, infrastructural, organizational and personnel issues will be considered in line with a holistic management system for information security.

I hope you find this a stimulating read that adequately addresses your questions about information security, and most of all that it leads you to a successful implementation of the safeguards described.


The challenges for authorities and companies to protect sensitive data and communication processes from unauthorized access are constantly increasing. Today’s technologies such as Smart Home, Internet of Things and the ongoing digitalization of all areas of work and life forces organizations of all sizes to invest more and more resources in maintaining the information security.

Building a security level for all business processes, information and IT systems that meets the actual needs requires more than procuring anti-virus programs, firewalls or data backup systems: A holistic concept is the basis and the starting point for developing a sustainable security management. Information security management, or short IS management, is the element of general risk management that aims to ensure the confidentiality, integrity and availability of information, business processes, applications and IT systems. This is a continuous process in which strategies and safeguards are constantly reviewed and adjusted to changing requirements.

Information security is not only a question of technology but rather depends substantially on the organisational and personnel environment. The IT-Grundschutz takes this into account by describing both technical and non-technical security requirements for typical business areas, applications and systems according to the state of the art in the publications. In this context the focus is on practical security requirements with the objective of keeping the initial barriers to the security process as low as possible and avoiding too complex approaches.

Table of contents
Foreword 3
1 Introduction 5
2 Information security management with IT-Grundschutz 7
3 Drawing up of a security concept according to the Basic Protection approach 9
3.1 Initiation of the security process… 9
3.1.1 Management decision: Responsibility of management…9
3.1.2 Central role: The Information Security Officer (ISO)…10
3.1.3 Scope for the security concept: the information system…11
3.1.4 Drawing up a policy for information security…13
3.2 Organization of the security process… 15
3.2.1 Establishment of an organization for information security…15
3.2.2 Designing and planning the security process…17
3.3 Implementing the security process… 20
3.3.1 Selection and prioritization of the modules (modelling)…21
3.3.2 IT-Grundschutz Check for Basic Protection…24
3.3.3 Implementation of the security concept…27
4 Information security is a process: Follow-up options 32
5 Appendix 34
5.1 The IT-Grundschutz Compendium – Everything you need to know at a glance…34
5.2 References… 37
5.3 Glossary… 38


Happy learning!

Friendly Websites