Federal Office for Information Security (BSI)


The BSI Standards contain recommendations by the Federal Office for Information Security (BSI) on methods, processes, procedures, approaches and measures relating to information security. For this the BSI addresses issues that are of fundamental importance for information security in public authorities and companies and for which appropriate, practical, national or international approaches have been established.

On the one hand, BSI Standards are used to provide technical support to users of information technology. Public agencies and companies can use the BSI recommendations and adapt them to their own needs. This facilitates the secure use of information technology as trusted methods, processes or procedures are used. Manufacturers of information technology or service providers can also dispose of the BSI recommendations to make their products more secure.

On the other hand, BSI Standards are also used to depict proven approaches to co-operation. BSI Standards can be quoted, and this will contribute to establishing uniform specialist terms.

BSI Standard 100-1 Information Security Management Systems (ISMS)

BSI Standard 100-1 defines the general requirements for an ISMS. It is completely compatible with ISO Standard 27001 and moreover takes the recommendations in ISO Standards of the ISO 2700x family into consideration. It provides readers with easily understood and systematic instructions, regardless of which methods they wish to use to implement the requirements.

BSI presents the content of these ISO Standards in its own BSI Standard in order to describe some issues in greater detail and therefore facilitate a more didactic presentation of the contents. In addition, the organization was arranged to be compatible with the IT-Grundschutz approach. The common headings in the two documents make orientation easier for the reader.

BSI-Standard 100-1: Information Security Management Systems (ISMS) (PDF, 1MB, File is accessible)

BSI-Standard 100-2: IT-Grundschutz Methodology

BSI-Standard 100-2: IT-Grundschutz Methodology

The IT-Grundschutz Methodology progressively describes (step by step) how information security management can be set up and operated in practice. The tasks of information security management and setting up an security organisation are important subjects in this context. The IT-Grundschutz Methodology provides a detailed description of how to produce a practical security concept, how to select appropriate security safeguards and what is important when implementing the security concept. The question as to how to maintain and improve information security in ongoing operation is also answered.

Thus, IT-Grundschutz interprets the very general requirements of the ISO Standards of the ISO 2700x family and helps the users to implement them in practice with many notes, background expertise and examples. The IT-Grundschutz Catalogues not only explain what has to be done, they also provide very specific information as to what implementation (even at a technical level) may look like. The IT-Grundschutz approach is therefore a tested and efficient opportunity to meet all the requirements of the ISO Standards mentioned above.

BSI Standard 100-2 IT-Grundschutz Methodology (PDF, 2MB, File is accessible)

BSI-Standard 100-3: Risk Analysis based on IT-Grundschutz

The IT-Grundschutz Catalogues of the BSI contain standard security safeguards required in the organisational, personnel, infrastructure and technical areas that are generally appropriate for normal security requirements and to protect typical information domains. Many users, who are already working successfully with the IT-Grundschutz, are confronted with the question, how they are to deal with areas, whose security requirements clearly go beyond the normal measure. It is important that the basic methodology does not produce a great deal of additional effort and expense and reuses as many approaches as possible from the IT-Grundschutz.

To cover these issues, the BSI has worked out a method of analysing risks that is based on IT-Grundschutz. This approach can be used when companies or public authorities are already working successfully with the IT-Grundschutz Manual and would like to add an additional security analysis to the IT-Grundschutz analysis as seamlessly as possible. There may be different reasons for this:

  • the protection requirements of the company or the public authority go beyond the normal measure (high or very high protection requirements).
  • the institution operates important components, which are (still) not treated in the IT-Grundschutz Catalogues of the BSI
  • the target objects are operated in application scenarios, which are not designated within the framework of the IT-Grundschutz.

This approach is aimed both at the users of information technology (those responsible for information security) and at consultants and experts. However, it is usually advisable to rely on professional expertise when conducting risk analysis.

BSI Standard 100-3: Risk Analysis based on IT-Grundschutz (PDF, 893KB, File is accessible)

Risk analysis with the new threat catalogue T 0 “Elementary Threats”

The threat catalogues are fundamental for using the IT-Grundschutz methodology (BSI-Standard 100-2) and the risk analysis on the basis of IT-Grundschutz (BSI-Standard 100-3). With the twelfth supplementary release of the IT-Grundschutz catalogues, the new threat catalogue T 0 “Elementary Threats” was added to the catalogues. In order to use the elementary threats within risk analysis, the risk analysis methodology from the BSI-Standard 100-3 can be used nearly without any changes. The necessary adjustments to the risk analysis methodology are given by the BSI in the “Supplement to the BSI-Standard 100-3”. Together with this supplement to the BSI-Standard 100-3, the BSI provides here also the threat catalogue with the elementary threats.

Threats Catalogue – Elementary Threats (PDF, 722KB, File is accessible)
Supplement to BSI-Standard 100-3, Version 2.5 (PDF, 426KB, File is accessible)

BSI-Standard 100-4: Business Continuity Management

The BSI Standard 100-4 points out a systematic way to develop, establish and maintain an agency-wide or company-wide internal business continuity management system.

The goal of business continuity management is to ensure that important business processes are only interrupted temporarily or not interrupted at all, even in critical situations. To ensure the operability, and therefore the survival, of a company or government agency, suitable preventive measures must be taken to increase the robustness and reliability of the business processes as well as to enable a quick and targeted reaction in case of an emergency or a crisis.

BSI Standard 100-4: Business Continuity Management (PDF, 1MB, File is accessible)