How do IT-Grundschutz requirements compare to ISO 27001 controls in concreteness and granularity?
Grundschutz requirements are far more concrete — a single generic ISO control can map to a dozen detailed Grundschutz requirements.
Two illustrative mappings:
1:1 example — physical entry control: ISO 27001 Annex A has one short control; the Grundschutz block INF.1 (general building) expresses the same theme as explicit MUSS/SOLL/KANN requirements with concrete expectations.
1:n example — backup: ISO 27001 Annex A contains essentially one backup control. The Grundschutz block CON.3 (Datensicherungskonzept / backup concept) breaks the same topic into 12+ requirements, e.g.:
- CON.3.A1 survey of influencing factors
- CON.3.A5 regular backups (Basis)
- CON.3.A8 functional tests and restore verification (Standard)
- CON.3.A12 suitable storage of backup media
- CON.3.A13 cryptographic protection of backups (high protection need)
So the requirements of a Grundschutz block roughly correspond in depth to the implementation guidance of ISO 27002, not just the control text of 27001.
Tip: ISO tells you "do backups properly"; Grundschutz tells you the 12 things "properly" actually means.
Go deeper:
ISO/IEC 27001 (Wikipedia DE) — Überblick zur ISO-Norm und ihren Annex-A-Controls für den Detailgrad-Vergleich.
ISO 27001-Zertifizierung auf Basis von IT-Grundschutz (BSI) — Wie BSI die konkreten Anforderungen an die ISO-Welt anbindet.