LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How did the IT-Grundschutz procedure change from BSI 100-2 (old) to BSI 200-2 (new)?

The old approach prescribed fixed MEASURES per building block; the new one defines REQUIREMENTS and lets you choose the measures — moving Grundschutz closer to ISO 27001.

Old 100-2 prescribing measures vs new 200-2 with modeling and requirement-based GS-Check.

* From BSI 100-2 (prescribed Maßnahmen) to BSI 200-2 (Modellierung + requirement-based GS-Check). *

Old procedure (BSI 100-2): Structure analysis → protection needs assessment → selection and adaptation of measures → basic security check → implementation of missing measures. The building blocks contained predefined measures — what to do was largely dictated.

New procedure (BSI 200-2): Structure analysis → protection needs assessment → Modellierung (modeling)GS-Check (which requirements are fulfilled, and how?) → target/actual comparison and measure planning.

The key shift: blocks now state requirements ("what must be achieved"), and the organization freely chooses suitable measures ("how to achieve it"). Implemented measures are identified and evaluated against the requirements.

This requirement orientation is exactly how ISO 27001 works — hence the slide's conclusion: convergence of the Grundschutz and ISO 27001 methodologies.

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026