Excel spreadsheet instead of Word lists: This is IT-Grundschutz++
The BSI has set itself the goal of making IT baseline protection more user-friendly. The focus is on machine readability and leaner documentation.
At the event "30 years of IT-Grundschutz: Yesterday, today, tomorrow" at it-sa 2024, Sandro Amendola explained what the revised version of IT-Grundschutz is all about: more user-friendliness, a machine-readable syntax, a points system for measuring progress and the aim of significantly reducing the effort involved in implementation.
(Image: NuernbergMesse / Frank Boxler)
At the IT security trade fair it-sa, the BSI presented the new edition of IT-Grundschutz for the first time: BSI President Claudia Plattner announced the revision at the trade fair's press conference, and at a separate event during the fair, members of the IT-Grundschutz team presented the details of IT-Grundschutz++. The IT-Grundschutz compendium gives authorities and companies guidelines for setting up an information security management system (ISMS), with which they can take a structured approach to their security efforts. An audited ISMS forms the basis for security certifications such as ISO 27001. The deadline for the new edition is January 1, 2026.
The BSI's aim is to make IT baseline protection more user-friendly and to reduce effort and redundancy, particularly in documentation. To this end, IT-Grundschutz++ relies on a machine-readable syntax that represents the baseline protection modules as JSON objects, which can then be distributed or updated more easily, for example via Git. To make the implementation of baseline protection measurable, IT-Grundschutz++ works with scores in the categories of confidentiality, integrity and availability for the building blocks, which will be called practices in future; the priority and value of the measures are factored in here. The practices themselves fall into five levels, ranging from "Anyone can do" to "Increased need for protection"; IT security at the "state of the art" is the fourth level. Authorities and companies can then measure their progress at each of these levels; the BSI still intends to develop threshold values for certification.
Role model: the path to basic protection (WiBA)
The BSI is currently working on extensions for AI and cloud applications for the current IT-Grundschutz compendium. These are also to be incorporated into the BSI guidelines by 2026. Authorities and companies that are currently implementing baseline protection can continue to use the old version in parallel with the new one for the time being: the BSI promises a transition period of several years.
The model for the simplified implementation of IT-Grundschutz++ is the Way to Basic Protection (WiBA) project, which has existed since 2023 to help local authorities that are unable to meet the requirements of IT-Grundschutz. WiBA is intended to lead gradually to basic protection and reduces the current 111 building blocks to 67 building blocks in 19 checklists, which contain an effort estimate for quick wins; the claim is "little effort, lots of effect". To this end, WiBA offers an explanation of the procedure, a recommended sequence, a management summary that explains the concepts and their relevance to the institution's management, Excel lists and a tool, so that users no longer have to work exclusively with Word lists. A light version for fire departments now also exists.
Machine readability and streamlined documentation
IT-Grundschutz++ is structured similarly to the mapping table and the Excel tool for WiBA, except that the practices (formerly building blocks) are no longer described as continuous text; instead, each consists of a short sentence with action words whose components can all be combined as JSON objects. This is based on requirements engineering at the BSI. The practices can be mapped in a structured way as an Excel spreadsheet, but can also be shared and revised via Git; the BSI intends to offer a GitHub repository for this purpose. This should also help tool manufacturers who offer apps for tracking or implementing IT baseline protection. However, the cross-reference tables of the current baseline protection will probably not be compatible with the new version.
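As an added illustration of the JSON practice layout and the points system described above (this is not BSI code; the field names, the numeric level encoding 1 to 5, the status values and the half-weighting of partially implemented practices are all constructed assumptions), the following Python script validates a constructed practice list, recombines the sentence components, and computes achieved versus possible points per level and CIA category:

```python
import json

CATEGORIES = ("confidentiality", "integrity", "availability")

# Constructed sample in the assumed layout: id, level (1..5), sentence components,
# CIA scores and implementation status. This is not the BSI's actual schema.
PRACTICES_JSON = """[
  {"id": "P-001", "level": 1, "sentence": {"verb": "MUST enable", "object": "automatic updates", "scope": "all clients"},
   "scores": {"confidentiality": 1, "integrity": 3, "availability": 2}, "status": "implemented"},
  {"id": "P-002", "level": 1, "sentence": {"verb": "MUST back up", "object": "business data", "scope": "daily"},
   "scores": {"confidentiality": 0, "integrity": 2, "availability": 3}, "status": "partial"},
  {"id": "P-003", "level": 4, "sentence": {"verb": "SHOULD encrypt", "object": "backups", "scope": "at rest"},
   "scores": {"confidentiality": 3, "integrity": 1, "availability": 0}, "status": "open"}
]"""

def load_practices(text):
    """Parse the JSON array and reject records that violate the assumed layout."""
    practices = json.loads(text)
    for p in practices:
        if not 1 <= p["level"] <= 5:
            raise ValueError(f"{p['id']}: level must be 1..5")
        if set(p["scores"]) != set(CATEGORIES):
            raise ValueError(f"{p['id']}: scores must cover exactly {CATEGORIES}")
        if p["status"] not in ("implemented", "partial", "open"):
            raise ValueError(f"{p['id']}: unknown status {p['status']}")
    return practices

def render_sentence(p):
    """Recombine the stored components into the short practice sentence."""
    s = p["sentence"]
    return f"{p['id']}: {s['verb']} {s['object']} ({s['scope']})"

def progress_by_level(practices):
    """Per level and category: (achieved, possible) points.
    Assumption: 'partial' counts half, 'open' counts nothing."""
    weight = {"implemented": 1.0, "partial": 0.5, "open": 0.0}
    result = {}
    for p in practices:
        lvl = result.setdefault(p["level"], {c: [0.0, 0.0] for c in CATEGORIES})
        for c in CATEGORIES:
            lvl[c][0] += weight[p["status"]] * p["scores"][c]
            lvl[c][1] += p["scores"][c]
    return {lv: {c: tuple(v) for c, v in cats.items()} for lv, cats in result.items()}

def level_ratio(progress, level):
    """Overall achieved/possible ratio for one level (0.0 if nothing is possible)."""
    achieved = sum(v[0] for v in progress[level].values())
    possible = sum(v[1] for v in progress[level].values())
    return achieved / possible if possible else 0.0

if __name__ == "__main__":
    ps = load_practices(PRACTICES_JSON)
    prog = progress_by_level(ps)
    for p in ps:
        print(render_sentence(p))
    for lv in sorted(prog):
        print(f"level {lv}: {level_ratio(prog, lv):.0%} of points achieved, {prog[lv]}")
```

A certification threshold, which the BSI has not yet published, would be compared against `level_ratio` per level.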
The BSI is aware that the current documentation effort of IT-Grundschutz is complicated, convoluted and in parts redundant. For this reason, IT-Grundschutz++ will contain the documentation requirements directly in the practices. The thematic structure of the documentation effort is based on a document pyramid that the BSI provides as an aid. The BSI is currently presenting an Excel overview of the expected scope of documentation for the current IT-Grundschutz as a community draft.
Feedback welcome!
The concept of IT-Grundschutz++ has not yet been finalized. Following the initial presentation at it-sa, the BSI now wants to enter into discussions with partners and the security community, work on the points system and the threshold values, and generally obtain feedback for practical implementation. The audience at the information event at it-sa was immediately keen to discuss; however, the reorientation of IT baseline protection seemed to be generally well received by attendees from authorities, insurance companies and business. The official starting date for IT-Grundschutz++ is January 1, 2026; on this date, the BSI is obliged to officially revise baseline protection in accordance with the upcoming NIS2UmsuCG. IT-Grundschutz++ will thus form the basis for IT security in the federal administration.
Further information on IT-Grundschutz++ can be found in the press release and on the BSI website.
(pst)