
ISO 27001 vs. ISO 27001 based on IT-Grundschutz

ISO 27001 and ISO 27001 based on IT-Grundschutz (IT baseline protection) define a framework and describe a concept for implementing an information security management system (ISMS). The standards are similar in principle but have significant differences in detail.



01

What is an ISMS and why is it important?

An information security management system defines rules, methods, processes, and tools to ensure information security in companies, government agencies, and critical infrastructure sector companies (e.g., energy, healthcare, finance, and insurance). This includes the introduction of concrete procedures and the implementation of organizational and technical measures that must be continuously controlled, monitored, and improved. The goal is to ensure, beyond the IT department, an appropriate level of protection for the confidentiality, availability, and integrity of information within the entire organization or the defined scope, and to minimize information security risks.

Thus, the ISMS provides the basis for systematic implementation of information security within a company and for compliance with security standards. ISO 27001 and/or ISO 27001 based on IT-Grundschutz help in designing an ISMS and introducing all necessary security measures.

02

What is included in ISO 27001 and ISO 27001 based on IT-Grundschutz?

Companies are generally free to choose whether to implement and, if necessary, certify their ISMS in accordance with the international ISO/IEC 27001 standard or the ISO 27001 based on IT-Grundschutz standard developed by the German Federal Office for Information Security (BSI).

ISO 27001 specifies the requirements for setting up, implementing, operating, monitoring, evaluating, maintaining, and improving a documented ISMS in terms of general business risks. The standard takes a top-down approach, focusing on processes and implementing the necessary security measures on the basis of an individual risk analysis.

ISO 27001 based on IT-Grundschutz describes a systematic method for identifying and implementing the necessary IT security measures in companies in order to achieve a moderate, appropriate, and adequate level of protection. BSI standards 200-1 (Information Security Management Systems (ISMS)), 200-2 (IT-Grundschutz Methodology), 200-3 (Risk Analysis based on IT-Grundschutz), and 100-4 (Business Continuity Management) provide best practices for this, while the IT-Grundschutz Compendium provides detailed requirements. Following a bottom-up approach, the focus is on specific measures to secure IT systems.

03

What do ISO 27001 and ISO 27001 based on IT-Grundschutz have in common?

Both ISO 27001 and ISO 27001 based on IT-Grundschutz are intended to increase general IT security in companies. Both standards represent a high, officially recognized level of security and are considered equivalent in this respect. An ISMS operated in accordance with ISO 27001 and/or ISO 27001 based on IT-Grundschutz makes it possible to identify potential risks at an early stage and minimize them by means of tailor-made countermeasures. This enables companies to ensure the confidentiality, availability, and integrity of any and all information.

Both methods view information security as a process that must be continuously adjusted, for example, to changes in internal processes, changes in the legal framework, new technology, or previously unknown threats. For this reason, they recommend a PDCA cycle (also known as a Deming cycle), consisting of the phases Plan (planning security measures), Do (implementing measures), Check (monitoring success through continuous monitoring), and Act (continuous improvement).

ISO 27001 and ISO 27001 based on IT-Grundschutz are also similar in that they assign overall responsibility for an appropriate ISMS to top management. Their duties include initiating the security process, defining objectives and general conditions, setting up an organizational structure, and providing resources.

04

What are the differences between ISO 27001 and ISO 27001 based on IT-Grundschutz?

The biggest differences between ISO 27001 and ISO 27001 based on IT-Grundschutz are in the approach and methodology as well as the scope of implementation.

ISO 27001 takes a generic, process-oriented approach and provides only abstract general conditions and requirements. Although this gives companies leeway to implement and design their ISMS individually, it requires a considerable degree of initiative and expertise. It always starts with a complete risk analysis, which involves a great deal of effort and includes the potential for errors. Based on this analysis, companies must then develop and implement suitable procedures and security measures on their own.

On approx. 30 pages, the international standard describes the ISMS with conceptual requirements for the organization, processes, and documents. Annex A lists over 100 controls and their objectives for infrastructure, technology, processes, and documents. Best practice recommendations and guidelines for their practical implementation are included in ISO 27002.

ISO 27001 based on IT-Grundschutz is compatible with ISO 27001 and complements it. The requirements are stricter and much more comprehensive, which means more effort is required for implementation. However, ISO 27001 based on IT-Grundschutz takes users by the hand with its measures-based approach. The BSI standards and the IT-Grundschutz Compendium, which is based on a modular principle, provide more than a thousand pages of specific procedures, recommendations, and descriptions of measures with instructions for implementing them. However, companies only need to include and apply the modules whose components they actually use. Clear guidelines effectively rule out errors during implementation.

Another difference and benefit of ISO 27001 based on IT-Grundschutz over ISO 27001 is that no separate risk analysis has to be done for normal protection needs. The BSI has already defined suitable countermeasures for typical threats to business IT, saving companies from having to perform time-consuming analyses and develop their own appropriate security measures. Only in the case of an increased need for protection is a supplementary security and risk analysis required.

ISO/IEC 27001

  • Complete risk analysis required
  • > 30-page standard, Approx. 90 pages describing measures
  • General requirements and abstract general conditions
  • A lot of individual initiative needed to develop appropriate measures
  • Top-down method

ISO 27001 based on IT-Grundschutz

  • Measures-oriented approach
  • No risk analysis (only required in the case of increased protection needs)
  • > 800-page IT-Grundschutz Compendium, Approx. 800 pages describing measures
  • Specific requirements and implementation aids
  • Close guidance based on clear guidelines
  • Bottom-up method

05

What are the advantages of a service provider certified according to ISO 27001 based on IT-Grundschutz?

Companies can have the security measures they have implemented certified by an official ISO 27001 or ISO 27001 based on IT-Grundschutz certificate. This shows that they meet defined security standards, creating trust among customers and partners.

ISO 27001 based on IT-Grundschutz has some advantages. One is that there are specific requirements for the security measures that need to be implemented and how it should be done. Thus, successful certification according to ISO 27001 based on IT-Grundschutz not only indicates that an ISMS is in place, but also how it was designed in detail. Clients, partners, and customers of a service provider certified according to ISO 27001 based on IT-Grundschutz are thus able to assess existing security measures from outside. ISO 27001 certification alone does not allow this assessment, as the general requirements are not implemented uniformly.

By having a service provider certified according to ISO 27001 based on IT-Grundschutz, outsourcing companies can be sure that their information is well protected there.

06

Myra is certified according to ISO 27001 based on IT-Grundschutz

Myra Security has successfully implemented all the protective measures defined by the BSI against typical threats to corporate IT. The certificate (no. BSI-IGZ-0338-2018) confirms that Myra’s information security management system ensures the confidentiality, availability, and integrity of all information through suitable technical and organizational measures.