LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the trade-offs between certifying with native ISO 27001 versus "ISO 27001 based on IT-Grundschutz"?

Native ISO gives freedom but an uncertain security level; Grundschutz-based certification gives a "guaranteed", comparable level but requires detailed structure analysis and modeling.

ISO 27001 native:

  • Effort drivers: identifying assets, full risk analysis, deriving protection measures yourself
  • Advantages: high degree of freedom, can evolve gradually
  • Risks: completeness of measures is on you; the achieved security level depends heavily on individual execution

ISO 27001 based on IT-Grundschutz:

  • Effort drivers: structure analysis, modeling, working through detailed requirements
  • Advantages: comparability, thorough documentation, a standardized "guaranteed" security level, often a prerequisite for public-sector contracts in Germany

Hybrid approach (common in practice): certify ISO 27001 natively, but add a risk analysis and orient implementation on the GS-Kompendium where it fits (e.g. for medium/high-risk areas), mixing generic and detailed requirements.

Tip: Native ISO = "design your own security and prove it makes sense"; Grundschutz = "implement a proven design and prove you did it."

Go deeper:

From Quiz: ISM / IT-Grundschutz (BSI) | Updated: Jul 05, 2026