Discover our tailor-made Security-as-a-Service solutions for IT infrastructures and web applications.
03
What do ISO 27001 and ISO 27001 based on IT-Grundschutz have in common?
Both ISO 27001 and ISO 27001 based on IT-Grundschutz are intended to increase general IT security in companies. Both standards represent a high, officially recognized level of security and are considered equivalent in this respect. An ISMS operated in accordance with ISO 27001 and/or ISO 27001 based on IT-Grundschutz makes it possible to identify potential risks at an early stage and minimize them by means of tailor-made countermeasures. This enables companies to ensure the confidentiality, availability, and integrity of any and all information.
04
What are the differences between ISO 27001 and ISO 27001 based on IT-Grundschutz?
The biggest differences between ISO 27001 and ISO 27001 based on IT-Grundschutz are in the approach and methodology as well as the scope of implementation.
ISO 27001 takes a generic, process-oriented approach and provides only abstract general conditions and requirements. Although this gives companies leeway to implement and design their ISMS individually, it requires a considerable degree of initiative and expertise. It always starts with a complete risk analysis, which involves a great deal of effort and is itself a potential source of errors. Based on this analysis, companies must then develop and implement suitable procedures and security measures on their own.
On approx. 30 pages, the international standard describes the ISMS with conceptual requirements for the organization, processes, and documents. Annex A lists 93 controls and their objectives for infrastructure, technology, processes, and documents. Best practice recommendations and guidelines for their practical implementation are included in ISO 27002.
ISO 27001 based on IT-Grundschutz is compatible with ISO 27001 and complements it. The requirements are stricter and much more comprehensive, which means more effort is required for implementation. However, ISO 27001 based on IT-Grundschutz takes users by the hand with its measures-based approach. The BSI standards and the IT-Grundschutz Compendium, which is based on a modular principle, provide more than a thousand pages of specific procedures, recommendations, and descriptions of measures with instructions for implementing them. However, companies only need to include and apply the modules whose components they actually use. Clear guidelines effectively rule out errors during implementation.
Another difference and benefit of ISO 27001 based on IT-Grundschutz over ISO 27001 is that no separate risk analysis has to be done for normal protection needs. The BSI has already defined suitable countermeasures for typical threats to business IT, saving companies from having to perform time-consuming analyses and develop their own appropriate security measures. Only in the case of an increased need for protection is a supplementary security and risk analysis required.
Comparison at a glance: ISO 27001 vs. ISO 27001 based on IT-Grundschutz

Approach: process-oriented approach (ISO 27001) vs. measures-oriented approach (ISO 27001 based on IT-Grundschutz)
Risk analysis: complete risk analysis required (ISO 27001) vs. no risk analysis, only required in the case of increased protection needs (ISO 27001 based on IT-Grundschutz)
Scope: > 30-page standard, approx. 90 pages describing measures (ISO 27001) vs. > 800-page IT-Grundschutz Compendium, approx. 800 pages describing measures (ISO 27001 based on IT-Grundschutz)
Requirements: general requirements and abstract general conditions (ISO 27001) vs. specific requirements and implementation aids (ISO 27001 based on IT-Grundschutz)
Guidance: a lot of individual initiative needed to develop appropriate measures (ISO 27001) vs. close guidance based on clear guidelines (ISO 27001 based on IT-Grundschutz)
Method: top-down method (ISO 27001) vs. bottom-up method (ISO 27001 based on IT-Grundschutz)