LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do native ISO 27001, the new IT-Grundschutz-Kompendium, and the old IT-Grundschutz catalogs differ in their degree of prescriptiveness?

ISO 27001 is process-oriented (prescribes the method), the new Grundschutz is requirement-oriented (prescribes the WHAT), the old catalogs were measure-oriented (prescribed the HOW).

ISO process-oriented, new Grundschutz requirement-oriented, old catalogs measure-oriented; freedom decreasing.

* Prescriptiveness axis — ISO prescribes the method, the new Kompendium the WHAT, the old catalogs the HOW. *

Picture an axis from "maximum freedom" to "concrete implementation rules":

Approach Orientation Prescribes
ISO 27001/27002 native process-oriented the method ("in what way?") — most freedom
IT-Grundschutz-Kompendium (new) requirement-oriented the requirements ("what?"), but no binding measures ("how?")
IT-Grundschutz catalogs (old) measure-oriented binding measures ("how?") — least freedom

The new Kompendium deliberately sits in the middle: concrete enough to be comparable and certifiable, flexible enough to allow modern, environment-specific implementations.

Tip: Remember the three orientations as method → what → how, with freedom decreasing at each step.

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 14, 2026