IT baseline protection from the BSI – what will be important in 2023

BSI IT-Grundschutz, usually rendered in English as “IT baseline protection”, is a concept and methodology developed by the German Federal Office for Information Security (BSI). Its aim is to establish and maintain information security in organizations, with a particular focus on the IT infrastructure.

But what exactly is behind it, how can I get certified and how do I prepare for it? We answer these and other questions in this article.

What is IT baseline protection and what is it good for?

BSI IT-Grundschutz is a voluntary security standard of the German Federal Office for Information Security. Like ISO 27001, it is dedicated to setting up an information security management system (ISMS) for managing information security in organizations. It offers specific safeguards for the protection of IT systems with normal protection requirements. For such systems, this generally saves companies from having to carry out their own risk analysis: they can rely on the BSI’s standard safeguards instead. The aim of the BSI is to give companies and public institutions a simple and practical approach to improving their cyber security.

It is important to know: IT baseline protection is not mandatory in itself. It is an aid to improving information security in companies and provides a set of general standard safeguards.

Also good to know: data protection as defined by the GDPR is not fully covered by IT baseline protection. The topic is touched on, but for the details reference is made to the requirements of the German data protection authorities.

This is how IT baseline protection is structured

As part of IT baseline protection, there are several BSI standards that you should familiarize yourself with. They define the requirements for the management system and the methods for implementing it. There are four standards in total:

  • BSI Standard 200-1: general requirements for an ISMS, guidelines for setting up security processes and security concepts
  • BSI Standard 200-2: the IT-Grundschutz methodology; the audit basis for certification, with detailed specifications for designing, implementing and improving an ISMS
  • BSI Standard 200-3: the risk analysis procedure; guidelines for your own risk assessments of target objects with high protection requirements or for which no suitable IT-Grundschutz module exists
  • BSI Standard 200-4: business continuity management; specifies the requirements for emergency management

There is also the IT baseline protection compendium (IT-Grundschutz-Kompendium). It contains the specific safeguards for the security of your IT infrastructure, divided into 10 subject areas with a total of 113 modules. Each organization must decide for itself which modules apply to which of its own target objects; this assignment is called modeling. You can find out more here: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/IT-Grundschutz-Kompendium/it-grundschutz-kompendium_node.html

The IT baseline protection profiles are also worth a look. They are sample implementations of IT baseline protection for typical application scenarios, so many organizations will find a profile that matches their own situation and can use it as a starting point.

What requirements are there?

IT baseline protection distinguishes between three variants (Vorgehensweisen) for protecting your IT. With basic protection (Basis-Absicherung), an organization meets the basic requirements in all IT areas. This allows IT security to be improved noticeably and quickly with a defined set of measures.

The BSI recommends standard protection (Standard-Absicherung). With it, an organization can demonstrate comprehensive protection of its own IT systems. With core protection (Kern-Absicherung), the standard requirements are only applied to selected areas: the focus is on the business-critical processes and systems.

When determining protection requirements, an increased need for protection may also be identified for individual target objects. IT baseline protection contains requirements for this case as well; such objects additionally require a risk analysis according to BSI Standard 200-3.

Do you meet the standard or core requirements? Then you can apply for IT baseline protection certification. This is an ISO 27001 certification on the basis of IT-Grundschutz, so its framework data, such as the validity period, are the same as for an ISO 27001 certificate. The difference is that the certificate is issued by the BSI. It is valid for three years and is maintained through annual surveillance audits.

What is the difference to ISO 27001?

BSI IT-Grundschutz offers a practice-oriented methodology for setting up an information security management system that meets the requirements of ISO 27001. In terms of the basic ISMS requirements, ISO 27001 and IT-Grundschutz are therefore largely the same. However, as IT-Grundschutz is mainly known in Germany, an ISO certificate based on IT-Grundschutz may not be recognized internationally.

The difference between ISO 27001 and IT-Grundschutz lies in their approach: The ISO standard is more abstract and focuses on general processes, while IT-Grundschutz offers users concrete steps to secure their IT through detailed measures from various building blocks. This difference is also reflected in the length of the standards: compared to ISO 27001, BSI IT-Grundschutz is far more comprehensive.

How to prepare for certification

Below we have briefly listed everything that needs to be done before certification:

  • Determine which areas (the scope of the ISMS) are to be secured
  • Record the current status and derive measures from it
  • Determine the protection requirements of the individual business processes and of the systems, information, etc. that they depend on
  • Determine which of the 113 modules must be applied to which target object (modeling)
  • Carry out a risk analysis for target objects with increased protection requirements
  • IT baseline protection check: a target/actual comparison of the implementation status of each requirement
  • Draw up a concept for implementing the security measures, including budgeting, implementation sequence, deadlines and responsibilities
  • Maintain and improve the ISMS through internal controls and, optionally, independent certification

This is how the certification process works

The certification process is basically the same as for ISO 27001. After your company has submitted an application for certification, a document review takes place, which can be carried out remotely. The documents reviewed include the information security policy, the structure analysis, the protection requirements determination, the modeling, the IT baseline protection check, the risk analysis and the implementation plan for the safeguards.

Finally, a second audit takes place on site. It checks whether the security measures have actually been implemented. The Federal Office receives the audit report and, if the audit is passed, issues an ISO 27001 certificate on the basis of IT-Grundschutz. Annual surveillance audits are then carried out during the validity period.

Our solution – the BAYOOSOFT Access Manager

Identity and access management plays a crucial role in IT baseline protection. There is even a separate module for it, ORP.4 Identity and Authorization Management, and the topic also comes up in other modules. It is therefore worth taking a closer look at the secure management of accounts and access rights.

ORP.4 in turn lists a series of numbered requirements (ORP.4.A1 onwards) that organizations must meet with regard to their authorization management. These include, for example, that inactive user accounts are deactivated and that each user account must be assigned to exactly one person.
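The two ORP.4 requirements just mentioned are easy to check mechanically once you have an export of your user accounts. The script below is an added example written for this article; it is not part of the BAYOOSOFT Access Manager or of any BSI material. It works on a constructed CSV export (the column names `account`, `enabled`, `last_logon` and `owner`, the reference date and the 90-day inactivity threshold are all assumptions for the example) and reports enabled accounts that have been idle too long or have never logged on, and accounts that are not assigned to exactly one person. An administrator with two accounts (a standard and an admin account) is deliberately not flagged, since each of those accounts still maps to one person.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample export (not real data). Column names are assumptions for
# this example; a real export from a directory service would be mapped to them.
SAMPLE_EXPORT = """\
account,enabled,last_logon,owner
jmueller,true,2023-05-02T08:15:00Z,E1001
jmueller-adm,true,2023-05-03T09:00:00Z,E1001
svc-backup,true,2023-04-30T02:00:00Z,
ward7-pc,true,2023-05-01T07:30:00Z,E2001;E2002;E2003
tbauer,true,2022-11-14T17:45:00Z,E1007
old-intern,false,2022-01-10T12:00:00Z,E1099
never-used,true,,E1042
"""

# Fixed reference date so the example run is reproducible (assumption).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    last_logon: Optional[datetime]   # None = never logged on
    owners: Tuple[str, ...]          # person identifiers the account is assigned to


@dataclass(frozen=True)
class Finding:
    account: str
    topic: str     # which ORP.4 principle the finding relates to
    reason: str


def parse_timestamp(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never logged on'."""
    value = value.strip()
    if not value:
        return None
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text: str) -> List[Account]:
    """Turn the CSV export into Account records; owners are ';'-separated."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        owners = tuple(o.strip() for o in row["owner"].split(";") if o.strip())
        accounts.append(Account(
            name=row["account"].strip(),
            enabled=row["enabled"].strip().lower() == "true",
            last_logon=parse_timestamp(row["last_logon"]),
            owners=owners,
        ))
    return accounts


def check_inactive(accounts: List[Account], now: datetime = NOW,
                   max_idle_days: int = 90) -> List[Finding]:
    """Enabled accounts that never logged on or exceeded the idle threshold."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for acc in accounts:
        if not acc.enabled:
            continue  # already deactivated: compliant, nothing to report
        if acc.last_logon is None:
            findings.append(Finding(acc.name, "inactive account", "enabled but never logged on"))
        elif acc.last_logon < cutoff:
            idle = (now - acc.last_logon).days
            findings.append(Finding(acc.name, "inactive account", f"enabled, last logon {idle} days ago"))
    return findings


def check_unique_owner(accounts: List[Account]) -> List[Finding]:
    """Accounts not assigned to exactly one person (none, or shared by several)."""
    findings = []
    for acc in accounts:
        if len(acc.owners) == 0:
            findings.append(Finding(acc.name, "unique assignment", "no person assigned"))
        elif len(acc.owners) > 1:
            findings.append(Finding(acc.name, "unique assignment", f"shared by {len(acc.owners)} persons"))
    return findings


def run_checks(text: str, now: datetime = NOW, max_idle_days: int = 90) -> List[Finding]:
    """Run both checks over an export and return all findings."""
    accounts = parse_export(text)
    return check_inactive(accounts, now, max_idle_days) + check_unique_owner(accounts)


if __name__ == "__main__":
    for f in run_checks(SAMPLE_EXPORT):
        print(f"{f.account:<12} {f.topic:<18} {f.reason}")
```

On the sample data the run reports tbauer and never-used as inactive, and svc-backup (no owner) and ward7-pc (three owners) as not uniquely assigned; the disabled old-intern account is ignored because deactivation is exactly what the requirement asks for. Whatever threshold you choose, document it in your security concept, because the auditor will compare the rule you wrote down against what the directory actually shows.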

The BAYOOSOFT Access Manager helps you to meet these requirements, and it also saves you a lot of time and effort. It standardizes the routine tasks of user and authorization management and supports the provisioning of IT services such as mailboxes, software distribution or telephony. Not only individual tasks but entire process chains are automated, so that the resources required and the error rate are far lower than with manual processing.

Learn more

Sounds exciting, but complicated? The BSI provides an online course on IT baseline protection. This will make it easier for you to get started.

To the online course (ger)

You can find more information on the official website of the BSI.

To the website (ger)