LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How do IT-Grundschutz requirements compare to ISO 27001 controls in concreteness and granularity?

Grundschutz requirements are far more concrete — a single generic ISO control can map to a dozen detailed Grundschutz requirements.

Two illustrative mappings:

1:1 example — physical entry control: ISO 27001 Annex A has one short control; the Grundschutz block INF.1 (general building) expresses the same theme as explicit MUSS/SOLL/KANN requirements with concrete expectations.

1:n example — backup: ISO 27001 Annex A contains essentially one backup control. The Grundschutz block CON.3 (Datensicherungskonzept / backup concept) breaks the same topic into 12+ requirements, e.g.:

  • CON.3.A1 survey of influencing factors
  • CON.3.A5 regular backups (Basis)
  • CON.3.A8 functional tests and restore verification (Standard)
  • CON.3.A12 suitable storage of backup media
  • CON.3.A13 cryptographic protection of backups (high protection need)

So the requirements of a Grundschutz block roughly correspond in depth to the implementation guidance of ISO 27002, not just the control text of 27001.

Tip: ISO tells you "do backups properly"; Grundschutz tells you the 12 things "properly" actually means.

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026