77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
BSI IT-Grundschutz vs ISO 27001: Which framework suits your organisation
IT Security & NIS-2

BSI IT-Grundschutz vs ISO 27001: Which framework suits your organisation

9 June 202613 min readBy Lena Vogt
CIVAC

Both frameworks lead to a certifiable ISMS, but solve different problems. This article systematically compares scope, depth, effort and audit logic and provides a decision-making logic for German medium-sized companies.

The BSI IT-Grundschutz and ISO/IEC 27001:2022 are the two dominant frameworks for an information security management system (ISMS) in Germany. Both lead to certifiable systems, both are recognised by regulators, both address confidentiality, integrity and availability. However, they differ significantly in methodology, level of detail, form of audit and cost structure. Anyone who chooses the wrong framework either creates bureaucracy that no one maintains or gaps that become apparent in the audit or NIS 2 verification.

This article directly compares both frameworks: from structure to risk methodology to certification. You will learn when ISO 27001:2022 makes more sense, when BSI IT-Grundschutz shows its strengths and how the two can be combined (ISO 27001 based on IT-Grundschutz). We also show how the CIVAC platform and Officer-as-a-Service operationally translates the chosen framework into audit templates, control catalogue and reporting line.

Key Takeaways

  • ISO 27001:2022 is risk-based and internationally compatible, BSI IT-Grundschutz is compendium-based and preferred in German authorities and KRITIS contexts.
  • Annex A of ISO 27001:2022 has 93 controls, the BSI compendium contains over 100 building blocks, each with several requirements, which leads to different levels of implementation.
  • ISO 27001 based on IT-Grundschutz combines both ways; the CIVAC platform provides pre-configured audit templates and reporting lines for both frameworks.

Two frameworks, one goal: What both achieve

ISO/IEC 27001:2022 and the BSI IT-Grundschutz pursue the same goal: They establish a documented, practiced and auditable management system for information security. Both require top management commitment, a risk process, a control portfolio, training, incident management, continuous improvement and audits. Both result in an accredited certification with a three-year validity, annual monitoring and recertification.

They differ methodologically. ISO 27001 is primarily risk-based: you identify risks, evaluate them according to probability of occurrence and extent of damage, and select controls from Annex A or equivalent measures to reduce risks to an acceptable level. The BSI IT-Grundschutz is compendium-based: you model your information network with components from the IT-Grundschutz compendium and implement the requirements contained therein. The risk assessment only takes full effect if the need for protection goes beyond normal.

Both frameworks are suitable for meeting the risk management requirements in accordance with Section 8a BSIG for KRITIS and in accordance with the NIS 2 Implementation Act for particularly important and important institutions. Which framework is suitable depends on the industry, maturity and audit partner. You can find more background on the transition phase in the CIVAC Overview of the ISO 27001:2022 transition.

ISO 27001:2022 at a glance

ISO/IEC 27001:2022 was published in October 2022 and replaced the 2013 version. The most important change: Annex A was reduced from 114 to 93 controls and divided into four topics (organisational, personnel, physical, technological). Eleven controls are new, including Threat Intelligence (A.5.7), Information Security for Cloud Services (A.5.23) and Secure Coding (A.8.28). The transition period ended on October 31, 2025.

The structure consists of the main part (clauses 4 to 10), which structurally describes the ISMS: context, leadership, planning, support, operation, evaluation, improvement. These clauses are mandatory. Annex A provides the reference controls; Their applicability is documented in a Statement of Applicability (SoA).

Auditing is carried out by an accredited certification body in two levels: Level 1 (document review), Level 2 (implementation review on site or remotely). The certification is valid for three years with annual surveillance audits. Effort for the initial certification in medium-sized companies: typically six to twelve months of preparation. In the CIVAC platform and Officer-as-a-Service, the 93 controls are available as a control catalogue, linked to audit templates and responsibility matrix.

BSI IT-Grundschutz at a glance

The BSI IT-Grundschutz consists of the BSI standards 200-1 (ISMS), 200-2 (approach), 200-3 (risk analysis) and 200-4 (business continuity) as well as the IT-Grundschutz compendium. The latter includes around a hundred building blocks that address typical structural elements of an information network, such as OPS for operational processes, APP for applications, SYS for systems, IND for industrial control systems.

The procedure according to BSI standard 200-2 provides for three levels: basic protection (quick stabilization), core protection (concentration on crown jewels), standard protection (complete ISMS). Protection needs are classified into three levels: normal, high, very high. The module requirements are sufficient for normal needs; If the need for protection is high or very high, a supplementary risk analysis is carried out in accordance with BSI Standard 200-3.

ISO 27001 is certified on the basis of IT-Grundschutz by accredited certification bodies under the supervision of the BSI. The audit includes document and on-site inspection, audit report and certificate valid for three years. Strength of the approach: high specificity of the requirements, many example measures. Weakness: high maintenance costs for the modelling. The CIVAC platform and Officer-as-a-Service provides a mapping between ISO Annex A controls and BSI components so that both worlds are maintained in one workspace.

Risk methodology in direct comparison

ISO 27001 requires systematic risk identification and assessment in clause 6.1. The choice of method depends on the organisation; asset-based or scenario-based approaches are common, with or without a quantitative component. The result is a risk matrix with prioritised risks to which measures from Annex A or equivalent controls are assigned. The SoA records which controls are applicable and which are not, with justification.

The BSI IT-Grundschutz reverses the logic. Instead of modelling risks first, model the information network with building blocks first. Each building block has its own requirements. The risk analysis according to BSI 200-3 is only carried out if there is a high or very high need for protection, if specific features are not shown or if there are additional threats. Advantage: less discussion about risk methodology, clearly defined building blocks, low hurdle at the beginning.

In practical terms, this means: In heavily IT-driven, clearly structured organisations with a manageable application landscape, BSI Grundschutz is often productive more quickly. For highly process-driven, international or service-oriented organisations, ISO 27001 has more impact with its risk and process orientation. Both paths require a mapping to NIS 2 risk management requirements, which the CIVAC platform provides audit-proof, documented, § 30 BSIG-proof.

Effort, costs and schedule

There are no reliable general figures, but there are empirical values. Initial certification ISO 27001 for a medium-sized company with one to three locations: six to twelve months of preparation, internal effort four to ten person-months, external consulting zero to two person-months, certification costs twelve to fifty thousand euros depending on size and number of locations, follow-up costs annually around forty percent of the initial costs.

BSI IT-Grundschutz based on basic protection can have its first effect in three to six months, one ISO 27001-based Grundschutz certification typically requires twelve to eighteen months. The maintenance effort for the modelling is higher because every change to the information network has to be updated. In return, the concreteness of the measures is higher and the discussion with the auditor is usually shorter.

Hidden costs arise in both worlds through tooling, training, dry runs before the audit, evidence of suppliers and cloud services. Anyone who starts without a platform builds shadow IT in the form of SharePoint collections and Excel trackers. The CIVAC platform and Officer-as-a-Service replaces this collection with a structured workspace with 490 ready-to-use audit templates and the appointment certificate of the Information Security Officer, signed, filed, verifiable.

Connectivity: NIS-2, KRITIS, supply chain

The NIS 2 Implementation Act formulates requirements for risk management, security incident reporting (24-hour early warning, 72-hour follow-up notification), managing director responsibility and supply chain security. Both ISO 27001:2022 and BSI IT-Grundschutz provide the majority of the building blocks. Important: The reporting obligations and training requirements are taken into account in both frameworks, but must be linked to the specific reporting path according to BSIG.

KRITIS operators are subject to Section 8a BSIG. BSI IT-Grundschutz is traditionally established here because the BSI works with industry-specific security standards (B3S), which often connect to Grundschutz modules. ISO 27001 is also recognised, but requires proof that the KRITIS-specific requirements are covered.

In supply chains, major customers are increasingly demanding ISO 27001 as a minimum standard, especially for international connectivity. Cloud providers, software providers and industrial service providers position themselves with ISO. Anyone who serves both worlds (German authorities plus international industrial customers) chooses ISO 27001 based on IT-Grundschutz, which combines both paths in one certification. The auditor calls, the evidence is ready.; the CIVAC platform provides the mapping.

Decision logic: Which framework suits you

Six key questions help you make a decision. First: Which customer groups require which certificate? When international industrial or tech customers determine the market, the route usually leads via ISO 27001. Secondly: Are you KRITIS or do you belong to an industry with B3S? Then basic protection or the combination is obvious.

Third: How mature is your IT documentation? Very unstructured landscapes benefit from the building block approach of basic protection as a structure provider. Fourth, how large is your maintenance and audit team? Basic protection needs more continuous maintenance, ISO 27001 needs more methodological competence in the risk process.

Fifth: Are you subject to the NIS 2 Implementation Act and do you need a platform that maps both 24h and 72h reporting paths as well as risk management and supply chain testing? Sixth: Which consulting and audit resources are available regionally?

A pragmatic rule: medium-sized companies with an international supply chain and fewer than two hundred and fifty employees usually start with ISO 27001:2022 ISMS and use the Grundschutz Compendium as a quarry of measures. Organisations and government-related contractors that are subject to KRITIS often choose the BSI path. Others run compliance like a filing cabinet. We run it like software.

Combined path: ISO 27001 based on IT-Grundschutz

The BSI has been offering a combined path for years. You run an ISMS according to BSI standards 200-1 and 200-2, implement the requirements from the relevant modules and at the end receive an ISO 27001 certificate based on IT-Grundschutz, issued by an accredited certification body under the supervision of the BSI. This means you have an internationally recognised certificate and a German basic protection level in one go.

Strengths: Maximum specificity, high acceptance in German authorities, and at the same time international connectivity. Weaknesses: Highest effort of the three methods, longest preparation phase, demanding audit. Particularly suitable for organisations with a mixed clientele, with authorities and international clients.

The ISO 27001 Annex A mapping to BSI modules is stored in the CIVAC platform and Officer-as-a-Service, so that a requirement is only documented once, but appears in both frameworks. The reporting line to management is provided with a monthly status overview: number of risks, maturity level per module, open measures, audit status. Licence the workspace for your internal representatives, or have our representatives order it.

Implement operationally: ISMS workspace or ISB order

No matter what the framework, success depends on three factors: clear responsibility, lived routine and reproducible evidence. Without a named information security officer with an appointment certificate, signed, filed, verifiable, without a monthly status report to management and without audit preparation during ongoing operations, every ISMS becomes a paper exercise.

The CIVAC platform and Officer-as-a-Service deliver preconfigured workspaces for both frameworks. For ISO 27001:2022, the 93 controls are stored as a control catalogue with responsibilities, types of evidence and audit questions. The building block model with the respective requirements is available for BSI IT-Grundschutz. Both worlds share risk management, incident management, supplier auditing, training and awareness measures, all in EU data residency.

You have two options: licence the workspace for your internal representatives, or have our representatives order it. In the second model, CIVAC provides an external information security officer, appointment within two working days instead of the classic two to six weeks, monthly status report, preparation of internal and external audits. The 490 ready-to-use audit templates cover both frameworks.

Turn reading into an assignment. Write to info@civac.de or use the contact form on civac.de if your organisation would like to choose the appropriate framework or set up the ISMS auditfest.

FAQ

Which framework is cheaper: ISO 27001 or BSI IT-Grundschutz?

ISO 27001 often has lower initial costs for pure IT organisational issues. BSI IT-Grundschutz requires more maintenance, but is often more efficient during audits because the requirements are more specific. Only an estimate based on the specific information network is reliable.

Can an organisation do both in parallel?

Yes, the ISO 27001 variant based on IT-Grundschutz with a combined certificate is common. Pure parallel certifications are rare because the maintenance effort is doubled. Control mapping in a workspace significantly reduces the effort.

Does ISO 27001:2022 fully meet NIS 2 requirements?

ISO 27001:2022 covers the majority of NIS-2 risk management requirements. In addition, the specific reporting path of 24-hour early warning and 72-hour follow-up reporting as well as specific training obligations of the management must be explicitly documented, as ISO does not prescribe them in detail.

How long does an initial certification take?

With good preparation, an initial ISO 27001:2022 certification takes six to twelve months. An ISO 27001-based Grundschutz certification typically takes twelve to eighteen months. Preparation during ongoing operations with the platform and 37 audit templates measurably shortens both paths.

What role does the information security officer play?

The ISB coordinates the ISMS, manages risks, oversees audits and reports to management. A proper appointment with clearly defined tasks, authorities and reporting lines is a prerequisite and part of every audit in both frameworks.

How does CIVAC support when changing or building a framework?

The CIVAC platform delivers preconfigured control catalogues, audit templates and reporting lines for ISO 27001:2022 and BSI IT-Grundschutz. In the officer-as-a-service model, the external ISB is appointed within two working days and takes over modelling, risk management and audit preparation.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles