Certify your ISMS to ISO 27001 based on IT-Grundschutz
On this page
- What is an ISMS to ISO 27001 based on IT-Grundschutz?
- Benefits of certification to ISO 27001 based on IT-Grundschutz
- Process of a certification procedure
- Your path to ISO 27001 certification based on IT-Grundschutz
- Certification by RSM Certification
- Get in touch without obligation
- AQ – your questions about ISO 27001 based on IT-Grundschutz answered
What is an ISMS to ISO 27001 based on IT-Grundschutz?
ISO 27001 based on IT-Grundschutz describes a method for identifying and implementing information security measures to raise the level of protection, developed by the German Federal Office for Information Security (BSI). The IT-Grundschutz Compendium contains the IT-Grundschutz modules, each of which sets out threats and security requirements. ISO 27001 certification based on IT-Grundschutz is carried out on the basis of this IT-Grundschutz Compendium, which is published in a new edition each year in February.
With certification to ISO 27001 based on IT-Grundschutz, you can demonstrate the status and quality of your established ISMS through us as an independent conformity assessment body. Certification to ISO 27001 based on IT-Grundschutz is particularly suitable if you work with public authorities, are a service provider in this area, or are even a KRITIS organisation.
Benefits of certification to ISO 27001 based on IT-Grundschutz
Process of a certification procedure
The general certification cycle is designed for three years due to the validity of the certificates and consists of the following phases:
- Initial certification
- Stage 1 audit (document review / adequacy review of the ISMS)
- Stage 2 audit (effectiveness review of the ISMS)
- First surveillance audit (no later than 12 months after the certificate is issued)
- Second surveillance audit (approx. 24 months after the certificate is issued)
Your path to ISO 27001 certification based on IT-Grundschutz
Submit an enquiry and optionally arrange an introductory meeting via video call at short notice. You will then receive a quotation promptly.
Order placement
Place the order with RSM Certification GmbH and jointly coordinate the next steps (including scheduling)
Submit the certification application and the auditors' declaration of independence to the BSI / assignment of the certification ID by the BSI / handover of the reference documents to the auditor
As part of the optional pre-audit, individual aspects can be selected and checked on a sample basis. This audit can also be used to determine whether certification readiness has been achieved.
Document review / preparation of the on-site audit / preparation of the audit plan for the implementation review
On-site implementation review / review of corrective actions / preparation of the audit report
Handover of the audit report and the reference documents to the BSI certification body
If applicable, follow-up requests regarding the audit report / if applicable, correction of reference documents
Issuing of the certificate by the BSI and, if desired, listing on the BSI website
Certification by RSM Certification GmbH
Would you like us to certify you? Feel free to get in touch with us without obligation.
Get in touch without obligation
FAQ
The aim of the document review is to determine certification capability, the maturity of the management system, threats and risks, legal and regulatory aspects, and the site-specific conditions. This is a pure adequacy review of the management system. RSM Certification GmbH must be granted access to documents as part of the document review. Therefore, at least the following information must be provided in advance of the document review:
- Information security policies (A.0)
- Structure analysis (A.1)
- Protection needs assessment (A.2)
- Modelling of the information domain (A.3)
- Result of the IT-Grundschutz check (A.4)
- Risk analysis (A.5)
- Implementation plan (risk treatment plan) (A.6)
In accordance with the audit scheme, the auditor carries out an IT-Grundschutz check. This checks whether the modules used from the valid IT-Grundschutz Compendium match those in the modelling of the information domain.
The IT-Grundschutz Compendium is a collection of a wide range of requirements in so-called "modules" in the field of information security. It represents the structured and comprehensive possible requirements base for your ISMS if this is to be built according to IT-Grundschutz. The Compendium defines the so-called "modules" of the ISMS and their implementation requirements, with which the ISMS is modelled according to your organisation's activity and process environment. These modules cover different topics – for example: ISMS module: Security management; INF module: Infrastructure; NET module: Networks and communication. To implement an ISMS, taking into account the specifications from the Compendium, the organisation must draw on the modules (currently 10) and implement them in accordance with the respective requirements of each module. Figuratively speaking, the IT-Grundschutz Compendium is a kind of toolbox from which your organisation can select the appropriate tool according to its activities and core processes. Which modules are implemented depends, among other things, on the activity and core processes of your organisation. The selected modules of the Compendium form the audit basis for an audit to ISO 27001 based on IT-Grundschutz. The IT-Grundschutz Compendium is updated and published annually by the BSI.
Which standard is better suited to your organisation is a highly individual question and decision that you have to make yourself. To simplify things, however, you can orient yourself by your customer demographics and the demands of your industry. If you operate nationally and internationally, the recognition and acceptance of ISO/IEC 27001:2022 speak more in favour of this standard than of IT-Grundschutz. This is not intended to diminish IT-Grundschutz – however, it is not widely used beyond Germany's borders. If you operate purely nationally, a great deal depends on your industry and possibly also on your customer base. IT-Grundschutz enjoys a high reputation in Germany, although it is also known that meeting the requirements of IT-Grundschutz is generally more extensive than those of an ISO/IEC 27001 certification. This is due solely to the firmly defined requirements of IT-Grundschutz, whereas ISO/IEC 27001 leaves more scope to integrate the process into your existing process landscape. With regard to your customer base, it can be important to know what requirements your customers set. Some place greater emphasis on IT-Grundschutz certification than on ISO/IEC 27001 certification. If in doubt, this requires coordination on your part. The preference may also differ by industry; for example, in the public sector there is more of a need for an IT-Grundschutz certificate.
The first key difference lies in responsibility. The body in charge of the procedure for ISO 27001 based on IT-Grundschutz is the German Federal Office for Information Security (BSI). For ISO/IEC 27001:2022 audits by accredited conformity assessment bodies, DAkkS is the central accreditation body in Germany. Another key difference is the audit basis. Where this is ISO/IEC 27001:2022 in an ISO 27001 audit, for ISO 27001 based on IT-Grundschutz it is the IT-Grundschutz Compendium. IT-Grundschutz also goes deeper in terms of the requirements in information technology. In addition, in its respective modules, the BSI defines specific and more comprehensive requirements for your ISMS compared with ISO/IEC 27001. There are also various differences in the formal requirements. The BSI has its own prerequisites that must be met for audit team leaders. Audit team leaders certified by the BSI who carry out ISO 27001 audits based on IT-Grundschutz are listed on the BSI website. Auditors permitted to carry out ISO/IEC 27001 audits through RSM Certification GmbH are not automatically permitted to carry out IT-Grundschutz audits, and vice versa. The ISO 27001 audit based on IT-Grundschutz must also be officially applied for at the BSI, including a declaration of independence from the auditor(s). The applying organisation then receives an ID, which must be used in future communication with the BSI. For certification to ISO/IEC 27001:2022, no application to DAkkS is required; commissioning the certification body is sufficient to begin the certification process. The two procedures therefore differ fundamentally.