Quiz Entry - updated: 2026.07.05
What are the trade-offs between certifying with native ISO 27001 versus "ISO 27001 based on IT-Grundschutz"?
Native ISO gives freedom but an uncertain security level; Grundschutz-based certification gives a "guaranteed", comparable level but requires detailed structure analysis and modeling.
ISO 27001 native:
- Effort drivers: identifying assets, full risk analysis, deriving protection measures yourself
- Advantages: high degree of freedom, can evolve gradually
- Risks: completeness of measures is on you; the achieved security level depends heavily on individual execution
ISO 27001 based on IT-Grundschutz:
- Effort drivers: structure analysis, modeling, working through detailed requirements
- Advantages: comparability, thorough documentation, a standardized "guaranteed" security level, often a prerequisite for public-sector contracts in Germany
Hybrid approach (common in practice): certify ISO 27001 natively, but add a risk analysis and orient implementation on the GS-Kompendium where it fits (e.g. for medium/high-risk areas), mixing generic and detailed requirements.
Tip: Native ISO = "design your own security and prove it makes sense"; Grundschutz = "implement a proven design and prove you did it."
Go deeper:
ISO 27001-Zertifizierung auf Basis von IT-Grundschutz (BSI) — Offizielle Beschreibung des Grundschutz-basierten Zertifizierungsschemas.
ISO/IEC 27001 (Wikipedia DE) — Die native ISO-Zertifizierung als Vergleichsbasis.