How do native ISO 27001, the new IT-Grundschutz-Kompendium, and the old IT-Grundschutz catalogs differ in their degree of prescriptiveness?
ISO 27001 is process-oriented (prescribes the method), the new Grundschutz is requirement-oriented (prescribes the WHAT), the old catalogs were measure-oriented (prescribed the HOW).
* Prescriptiveness axis — ISO prescribes the method, the new Kompendium the WHAT, the old catalogs the HOW. *
Picture an axis from "maximum freedom" to "concrete implementation rules":
| Approach | Orientation | Prescribes |
|---|---|---|
| ISO 27001/27002 native | process-oriented | the method ("in what way?") — most freedom |
| IT-Grundschutz-Kompendium (new) | requirement-oriented | the requirements ("what?"), but no binding measures ("how?") |
| IT-Grundschutz catalogs (old) | measure-oriented | binding measures ("how?") — least freedom |
The new Kompendium deliberately sits in the middle: concrete enough to be comparable and certifiable, flexible enough to allow modern, environment-specific implementations.
Tip: Remember the three orientations as method → what → how, with freedom decreasing at each step.