What Is the BSI IT Baseline Protection? 

The IT Baseline Protection is a methodology developed by the Federal Office for Information Security (BSI) to establish information security in a systematic, transparent, and audit-ready manner. 
It consists of two key elements: 

  • BSI Standards 200-1 to 200-4 (Management System, Methodology, Risk Analysis, Business Continuity Management)
  • The IT Baseline Protection Compendium, featuring more than 100 practical modules and requirements 

Together, they form the foundation of an effective Information Security Management System (ISMS) — nationally recognized and fully compatible with ISO/IEC 27001.

The IT Baseline Protection Compendium

The Compendium is a consolidated collection of modules that systematically outline requirements, recommendations, and measures for information security. It is updated annually on February 1st to reflect emerging threats and evolving technological developments.

Purpose and Scope

The aim is to help organisations and public authorities protect their IT systems, processes, and data against risks such as cyberattacks, data loss, or system failures.
The Compendium currently comprises 111 modules (Edition 2023), structured into 10 layers (e.g., Applications, Networks, Security Management).

Each module includes:

  • A description of the topic
  • An analysis of potential threats
  • Security requirements
  • Implementation guidance (where available)

The modular design allows organisations to combine the components according to their specific needs. This creates a flexible framework that can be tailored to the protection requirements and structure of any organisation.


The Three Pillars of IT Baseline Protection

BSI Standards (200-1 to 200-4)
  • 200-1 – Information Security Management System (ISMS): Framework, roles, and processes designed to ensure continuous improvement in information security.
  • 200-2 – IT Baseline Protection Methodology: A systematic approach based on three protection levels (basic, core, and standard protection).
  • 200-3 – Risk Analysis and Risk Management: Identifying, assessing, and treating risks in a structured manner.
  • 200-4 – Business Continuity Management (BCM): Establishing a BCMS to ensure operational continuity.

IT Baseline Protection Compendium
  • Over 100 modules covering a wide range of security topics
  • Concrete threat analyses and defined security requirements
  • Proven, practice-oriented measures for various application areas

Certification
  • Internationally recognised certification
  • Evidence of a fully functioning ISMS
  • Regular surveillance audits

Connection to ISO 27001 

The Compendium also serves as a foundation for ISO/IEC 27001 certifications based on IT Baseline Protection - a pathway particularly relevant for organisations with elevated security requirements. 

To obtain an ISO 27001 certificate on the basis of IT Baseline Protection, an assessment must be carried out by a BSI-certified ISO 27001 Baseline Protection Auditor. Their responsibilities include reviewing the organisation’s reference documentation, conducting an on-site assessment, and preparing a comprehensive audit report. 

This audit report is submitted to the BSI for evaluation. Based on this review, the BSI decides whether to issue the certificate. The certificate is valid for three years and requires annual surveillance audits as part of its maintenance.

Benefits of BSI IT Baseline Protection

  • Process Efficiency: Clear structures and well-defined processes
  • Risk Reduction: Standardised measures and structured risk analysis
  • Building Trust: Recognised BSI certification
  • Compatibility: Enables an ISO/IEC 27001 certificate based on IT-Grundschutz
  • Future-proofing: Updated annually, KRITIS- and NIS2-compliant

Three approaches to implementation 

The BSI offers three approaches to introducing IT Baseline Protection:

  1. Basic Protection - for small/medium-sized organisations; focuses on minimum safeguards (e.g., firewalls, access controls)
  2. Core Protection - focuses on particularly sensitive areas (“crown jewels”)
  3. Standard Protection - comprehensive protection of the entire IT architecture

Legal framework (Germany)

General obligation: There is no universal legal requirement to implement IT Baseline Protection. However, critical infrastructure (KRITIS) operators are subject to specific requirements under § 8a BSIG (appropriate technical and organisational measures). Since 1 May 2023, this includes the use of intrusion detection systems (Systeme zur Angriffserkennung, SzA); evidence of compliance must be submitted to the BSI at regular intervals.

NIS2 implementation (outlook): On 30 July 2025, the German Federal Cabinet adopted the draft NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG); it is expected to enter into force at the end of 2025. IT Baseline Protection helps organisations efficiently meet future requirements.

Note: The General Data Protection Regulation (GDPR) requires “appropriate technical and organisational measures” (Art. 32(1)). IT Baseline Protection is an established and widely accepted approach for fulfilling this requirement—particularly within German organisations. The Compendium is updated annually (each year on 1 February) to reflect the state of the art and emerging threat landscapes.

Please feel free to contact us:

Patrick Rischar

Head of Audit Service Management