Federal Office for Information Security (BSI)

IT-Grundschutz Certification process

The IT-Grundschutz Certificate or a self-declaration gives companies and agencies a way to make their IT security efforts transparent. This can serve as a quality feature with which to impress both customers and business partners, and can thus bring a competitive advantage. After consulting with registered IT-Grundschutz users and IT security experts, the BSI has defined three variants of the IT-Grundschutz qualification: the IT-Grundschutz Certificate and the self-declarations "IT-Grundschutz entry level" and "IT-Grundschutz higher level".

The legal basis for the proceedings is the Act for the Establishment of the Federal Office for Information Security (BSI) and an implementing directive from the Federal Ministry of the Interior dated 6 February 2001.

The IT-Grundschutz Certificate is issued on the basis of an audit carried out by an external auditor licensed by the BSI. The outcome of the audit is an audit report, which is submitted to the certification authority that decides on the issue of IT-Grundschutz Certificates. The baseline set of criteria on which the procedure is based is the latest version of the BSI's IT-Grundschutz Manual. The "Audit Scheme for Auditors" describes the audit procedure followed, the audit report, the decision and the issue of the IT-Grundschutz Certificate.