Skip to main content

BSI-Standard 200-2: IT-Grundschutz-Methodology

The BSI-Standard 200-21 provides a methodology for the effective implementation and management of information security. The standard complements BSI-Standard 200-1 and thus aligns with ISO/IEC 27001.

Whereas 200-1 only describes general methods for initiation and management of an information security management system (ISMS), 200-2 provides concrete guidance for its practical implementation. It does so by introducing three distinct protection levels, tailored to the specific risk profile of an organization:

Protection LevelDescriptionProsCons
Basic ProtectionBroad and initial safeguard for organizations just getting started with IT-Grundschutz, with no significantly increased risk.low effort, quick to achieveonly a low level of security
Core ProtectionTargets business processes and assets exposed to specific security risks; focuses on securing what is essential to operations.focuses on crown jewels2may overlook other vulnerabilities impacting overall security
Standard ProtectionClassic IT-Grundschutz approach for organizations where security incidents would result in financial loss or productivity impact; assumes sensitive data handling.highest level of protection, considers all assetshigh implementation and maintenance effort and cost

Security Policy

The standard provides guidance on how to achieve these defined protection levels within an organization and outlines how to document then in a Security Policy. The policy should include

  • the scope of the policy
  • the security objectives
  • the overall strategy to achieve the protection level
  • the organizational structure of the ISMS

Systematic Approach

In order to establish the ISMS in an organization, BSI 200-2 proposes a systematic, multi-stage approach, as illustrated in Figure 1.

The figure also highlights the Plan-Do-Check-Act-cycle3 as part of an iterative methodology, underlining the need to continuously re-evaluate both potential risks and the effectiveness of available ISMS controls. Accordingly, the security concept must be audited at regular intervals - or reactively in response to specific system compromises.

Figure 1 Systematic approach for establishiing an ISMS according to BSI-Standard 200-2. (Source: adapted from BSI-Standard 200-2, Figure 1)

Initiation of the security process

The process must be initiated by the organization's management. As the standard emphasizes, it is essential that the management demonstrates its commitment to the ISMS - this includes delegating responsibilities and providing adequate financial and human resources for both planning and implementation.

Drawing up of an Information Security Policy

The Security Policy serves as an "essential basis for the design of the security process" and defines both the security objectives and the level of protection targeted by the organization. As a means to raise awareness within the organization, the policy also includes the rationale behind the security efforts. Furthermore, it specifies the safeguards and structural measures intended to achieve the defined protection level.

Design of a suitable organisational structure

To effectively steer and manage the ISMS, a suitable organizational structure has to be established. This includes appointing an Information Security Officer, who serves as the "main contact person [...] for all aspects of information security". The role includes managing the security process, coordinating related tasks, and reporting directly to management on all security-related issues.

Drawing up of a security concept

The security concept is developed on the basis of the modules provided in the IT-Grundschutz Compendium. BSI-Standard 200-2 emphasizes that when protection requirements are significally higher, a risk analysis should be conducted. The risk analysis can be carried out following the guidance of BSI-Standard 200-3.

Implementation of security concepts

The necessary safeguards to mitigate the identified risks are implemented in order to achieve the intended level of protection.

Maintenance and continuous improvement of information security

The security process and the implemented safeguards must be regularly re-evaluated - both at predefined intervals and in response to security incidents or system compromises. The effectiveness of the safegaurds should be assessed in this context, which may lead to the removal of ineffective or unnecessary measures, the addition of new ones, or adjustments to the organizational structure of the ISMS.


Footnotes

  1. BSI-Standard 200-2: IT-Grundschutz-Methodology: en / de (retrieved 21.05.2025)

  2. assets existentially important for an organisation

  3. see BSI-Standard 200-1