What is the defining philosophy of BSI IT-Grundschutz?
Skip the detailed risk analysis at the start — instead apply standardised baseline protection (Grundschutz) against a catalogue of "pauschale Gefährdungen" (generic threats), then add risk analysis only for the bits that need more.
* Grundschutz inverts the classic order: baseline catalogue first, risk analysis only for erhöhter Schutzbedarf. *
The classic ISMS approach is: identify assets → assess risks → derive controls. That's heavy. BSI inverts it: assume every standard IT setup faces the same standard threats, and apply a standard control catalogue. Save the expensive risk analysis for the few systems with erhöhter Schutzbedarf (elevated protection needs).
As Wikipedia puts it:
"Basis eines IT-Grundschutzkonzepts ist der initiale Verzicht auf eine detaillierte Risikoanalyse. Es wird von pauschalen Gefährdungen ausgegangen und dabei auf die differenzierte Einteilung nach Schadenshöhe und Eintrittswahrscheinlichkeit verzichtet."
Why this is powerful: the IT-Grundschutz-Kompendium ships 80+ Bausteine (building blocks: Sicherheitsmanagement, ORP, CON, OPS, DER, IND, APP, SYS, NET, INF), each already mapped to threats and controls. A new project can pick the building blocks that apply, and 80% of the security work is done.
Tip: Grundschutz is the antidote to "we'll do security after risk analysis." It lets you deploy a defensible baseline on day one, then refine.
Go deeper:
BSI IT-Grundschutz (official) — BSI's own description of the baseline methodology and the 200-x standards.
IT baseline protection — the cookbook approach that skips initial detailed risk analysis in favour of standard building blocks.