BSI publishes first guide for IT Basic Protection++
The BSI has now also released the guide for the new version of its IT Basic Protection. However, changes to Basic Protection++ may still occur.
- Christoph Puppe
The Federal Office for Information Security (BSI) has published the first version of its guide to the IT Basic Protection++ methodology. The corresponding catalog was already released on January 1, 2026. With this, the BSI fulfills its obligation, as stipulated in the NIS2 Implementation Ordinance, to define a new “state of the art” that is mandatory for all important and particularly important organizations. The previous version of IT Basic Protection, however, remains valid until the end of 2028.
The BSI has thus delivered punctually and comprehensively, but not everything is finished yet. Anyone who wants to start a migration now using the guide and the user catalog should be patient. The guide is explicitly intended only for pilot projects, not for migrating information networks that currently operate an Information Security Management System (ISMS) according to Basic Protection Edition 2023.
Less effort thanks to machine readability
The BSI now has until the end of 2028 to learn from the pilot projects and further develop the methodology, implementation aids, the auditing scheme, and everything else users need. A migration path and the necessary tools are also particularly important, as Basic Protection++ no longer consists of PDF files, each containing a module, but of three OSCAL catalog files (methodology, kernel, and the combination of both, the user catalog). In addition, there are instructions, for example, on which controls the organization must apply to a host system (formerly: server). By using a machine-readable standard, the BSI also aims to simplify the management of security requirements.
The guide, released today, Wednesday, already explains a lot, which is useful for everyone who wants to prepare early for the migration or who, as a NIS2-affected entity, wants to build an ISMS according to the “state of the art” defined by the BSI. However, changes are still to be expected. The three catalogs mentioned are unlikely to change significantly. They contain all the controls, which users can already use for orientation today. The guide helps in understanding them. In case of doubt, however, what the catalog specifies always applies.
For the curious, the “AG 3 User-Generated Content” of the current Phase 2 of community commenting has provided several tools. The “GSpp-Viewer.html” displays the catalog and the target object categories. The other one-page HTML apps map all work steps according to NIST OSCAL 1.1.3.
(mma)