LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is the defining philosophy of BSI IT-Grundschutz?

Skip the detailed risk analysis at the start — instead apply standardised baseline protection (Grundschutz) against a catalogue of "pauschale Gefährdungen" (generic threats), then add risk analysis only for the bits that need more.

Two flows: classic ISMS does detailed risk analysis first; BSI Grundschutz applies a standard baseline first and only adds risk analysis for elevated protection needs

* Grundschutz inverts the classic order: baseline catalogue first, risk analysis only for erhöhter Schutzbedarf. *

The classic ISMS approach is: identify assets → assess risks → derive controls. That's heavy. BSI inverts it: assume every standard IT setup faces the same standard threats, and apply a standard control catalogue. Save the expensive risk analysis for the few systems with erhöhter Schutzbedarf (elevated protection needs).

As Wikipedia puts it:

"Basis eines IT-Grundschutzkonzepts ist der initiale Verzicht auf eine detaillierte Risikoanalyse. Es wird von pauschalen Gefährdungen ausgegangen und dabei auf die differenzierte Einteilung nach Schadenshöhe und Eintrittswahrscheinlichkeit verzichtet."

Why this is powerful: the IT-Grundschutz-Kompendium ships 80+ Bausteine (building blocks: Sicherheitsmanagement, ORP, CON, OPS, DER, IND, APP, SYS, NET, INF), each already mapped to threats and controls. A new project can pick the building blocks that apply, and 80% of the security work is done.

Tip: Grundschutz is the antidote to "we'll do security after risk analysis." It lets you deploy a defensible baseline on day one, then refine.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 05, 2026